[Openswan Users] NAT problem??

Peter McGill petermcgill at goco.net
Tue Jul 10 09:27:26 EDT 2007


> -----Original Message-----
> Date: Tue, 10 Jul 2007 14:40:21 +0200
> From: "Rafał Radecki" <radecki.rafal at gmail.com>
> Subject: [Openswan Users] NAT problem??
> To: users at openswan.org
> 
> Hello. I have two gateways which have Openswan installed on them. My config file is like this:
> 
> # basic configuration
> config setup
>         # plutodebug / klipsdebug = "all", "none" or a combination from below:
>         # "raw crypt parsing emitting control klips pfkey natt x509 private"
>         # eg:
>         # plutodebug="control parsing"
>         #
>         # Only enable klipsdebug=all if you are a developer
>         #
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         #
>         # enable this if you see "failed to find any available worker"
>         nhelpers=0
> 
> # Add connections here
> conn gda-war
>         left=192.168.2.133
>         leftsubnet= 172.16.1.0/24
>         leftid=@vpn2
>         leftrsasigkey=0sAQ...
>         leftnexthop=%defaultroute
>         #leftnexthop= 172.16.2.1
>         right=192.168.2.183
>         rightsubnet=172.16.2.0/24
>         rightid=@vpn1
>         rightrsasigkey=0sAQ...
>         rightnexthop=%defaultroute
>         #rightnexthop= 172.16.1.1
>         keyingtries=2
>         auto=start
> # sample VPN connections, see /etc/ipsec.d/examples/
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> Gateway 1 (vpn1): eth0: 192.168.2.183    eth1: 172.16.1.1
> laptop-connected-to-eth0: 172.16.1.2
> Gateway 2 (vpn2): eth0: 192.168.2.133   eth1: 172.16.2.1
> laptop-connected-to-eth0: 172.16.2.2
> Output of command ipsec verify:
> 
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.6/K2.6.18-4-686 (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
> 
> Output of command ipsec auto --up gda-war:
> 
> vpn2:/usr/share/doc/openswan/doc# ipsec auto --up gda-war
> 117 "gda-war" #3: STATE_QUICK_I1: initiate
> 004 "gda-war" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0xae5372fe <0xb05cebcf xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> vpn2:/usr/share/doc/openswan/doc#
> 
> Output of command route:
> 
> vpn2:/etc/apt# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.16.2.0      tygrys.olimp.dg 255.255.255.0   UG    0      0        0 eth0
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
> 172.16.1.0      *               255.255.255.0   U     0      0        0 eth1
> default         tygrys.olimp.dg 0.0.0.0         UG    0      0        0 eth0
> vpn2:/etc/apt#
> 
> The problem is that two laptops connected to eth1 interfaces on both
> gateways can't ping each other. When I use tcpdump -n -i eth0 there are no
> ESP packets in the output despite the fact that the ping command is active
> all the time.
> 
> Laptop 1 (172.16.2.2 , Win2K): ping -t 172.16.1.2
> Laptop 2 (172.16.1.2, Win2K): ping -t 172.16.2.2
> 
> I tried many things but can't find the bug. Any help will be greatly
> appreciated ;-)

Alright, from your configs, it looks like you're connecting them both to
the 192.168.2.x LAN for testing, and not using internet connections?
Is that correct, or do you have 192.168.2.x behind two different internet
routers?

Are you allowing traffic through your firewall? I'd guess that iptables
is dropping the packets.
You need to allow -p 50, -p udp --dport 500 and -p udp --sport 500.
(ESP and ISAKMP; IPsec)
You'll also need to allow the LAN-to-LAN traffic (the pings) and not NAT it.
There are plenty of examples of how to do this, just search the list for them.

Peter
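The rules Peter lists, written out as a script that can be reviewed before it is applied. This is an added example and not code from the thread or from Openswan itself; the interface, peer address and subnets are taken from Rafał's config for gateway vpn2, and the UDP 4500 (NAT-T) rule is an assumption that goes beyond what Peter names, added only because the config sets nat_traversal=yes.

```shell
#!/bin/sh
# Added example, not from the thread: a reviewable firewall rule set that
# follows Peter's advice for the gda-war tunnel. Values come from Rafał's
# config (this gateway is vpn2 with LAN 172.16.2.0/24; the peer vpn1 is
# 192.168.2.183 with LAN 172.16.1.0/24) and can be overridden by
# environment variables. UDP 4500 (NAT-T) is an assumption beyond the
# thread, included because the config enables nat_traversal.

WAN_IF="${WAN_IF:-eth0}"                  # interface the IKE/ESP peers talk on
PEER="${PEER:-192.168.2.183}"             # the other gateway (vpn1)
LOCAL_NET="${LOCAL_NET:-172.16.2.0/24}"   # LAN behind this gateway (eth1)
REMOTE_NET="${REMOTE_NET:-172.16.1.0/24}" # LAN behind the peer

# Emit the iptables commands rather than running them, so they can be
# inspected first and then piped to sh as root (APPLY=1).
ipsec_rules() {
    # ESP (IP protocol 50) in both directions, restricted to the peer
    echo "iptables -A INPUT  -i $WAN_IF -s $PEER -p 50 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -d $PEER -p 50 -j ACCEPT"
    # ISAKMP / IKE on UDP 500: dport inbound, sport outbound, as Peter says
    echo "iptables -A INPUT  -i $WAN_IF -s $PEER -p udp --dport 500 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -d $PEER -p udp --sport 500 -j ACCEPT"
    # NAT-Traversal encapsulation on UDP 4500 (assumption: only exercised
    # when a NAT sits between the gateways; harmless otherwise)
    echo "iptables -A INPUT  -i $WAN_IF -s $PEER -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -d $PEER -p udp --sport 4500 -j ACCEPT"
    # LAN-to-LAN traffic (the pings) must be forwarded in both directions.
    # With NETKEY the decrypted packets re-enter the FORWARD chain, so a
    # default DROP there silently swallows the tunnelled traffic.
    echo "iptables -A FORWARD -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT"
    echo "iptables -A FORWARD -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT"
    # ...and must NOT be NATed: an ACCEPT at the top of nat/POSTROUTING wins
    # over any later MASQUERADE rule. A masqueraded source address would no
    # longer match leftsubnet/rightsubnet, so the packet would never be
    # selected for the tunnel, which is one way to end up with no ESP on eth0.
    echo "iptables -t nat -I POSTROUTING 1 -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT"
}

# Number of rules emitted, for a quick sanity check
rule_count() {
    ipsec_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    ipsec_rules | sh      # apply for real (needs root)
else
    ipsec_rules           # dry run: just show what would be applied
fi
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as root on each gateway, swapping LOCAL_NET, REMOTE_NET and PEER for the vpn1 side. The POSTROUTING exclusion is inserted at position 1 on purpose: appending it after an existing MASQUERADE rule would leave the LAN traffic NATed and still invisible to the tunnel.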
