[Openswan Users] Nat traversal "sort of" works/fails

Jim Blake jim at blakes.homeip.net
Thu Jun 7 17:46:55 EDT 2007


I have an OpenSwan box set up with a link to a Linux box running Shorewall
as a NAT-ing firewall. On the "inside" of the NAT-ing firewall, I have
another OpenSwan box, like this:

SWAN------------------ROUTER---------------------DEBIAN
10.0.0.100        10.0.0.1/192.168.123.1         192.168.123.1
        "Internet"        /     "Private Network"


My ipsec.conf file is shown below:


version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        # klipsdebug=all
        # plutodebug=control
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/24,%v4:192.168.123.0/24
        #
        # enable this if you see "failed to find any available worker"
        # nhelpers=0

conn %default
        authby=rsasig

conn swan
        left=10.0.0.100
        leftid=@swan.blakes.homeip.net
        rightrsasigkey=0sAQOgW3.....
        right=192.168.123.100
        rightid=@debian.blakes.homeip.net
        leftrsasigkey=0sAQO....
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


When I try to initiate a link with:

swan:/home/jim# ipsec auto --up swan

I get the following:

104 "swan" #1: STATE_MAIN_I1: initiate
003 "swan" #1: received Vendor ID payload [Openswan (this version) 2.4.6 
X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "swan" #1: received Vendor ID payload [Dead Peer Detection]
003 "swan" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "swan" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "swan" #1: NAT-Traversal: Result using 3: no NAT detected
108 "swan" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "swan" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "swan" #2: STATE_QUICK_I1: initiate
004 "swan" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x3cc26147 <0x13c5b6d7 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


Now, I have enabled NAT traversal on both systems, I have a Shorewall box
(with which I am *very* familiar) doing NAT in the middle and set up to
allow 50/UDP500/UDP4500 in both directions, and as you can see, I get:

"003 "swan" #1: NAT-Traversal: Result using 3: no NAT detected"

When I ping 192.168.123.100 from swan, I get no response. When I try to
ping 192.168.123.1 from swan, I get a "network unreachable" response.

The routing table on swan looks like this:

swan:/home/jim# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.123.100 *               255.255.255.255 UH    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

Anyone care to suggest what I'm doing wrong?


Thanks
Jim
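As an added diagnostic example (not from the original post and not Openswan project code), the script below parses the three artefacts quoted in the message above: the pluto status lines printed by "ipsec auto --up", the "route" output, and the conn section of ipsec.conf. It reports what the IKE exchange concluded about NAT (the "NAT-Traversal: Result" line and the NATD field of the established SA) and which kernel route packets to the configured right= peer will actually take. The sample inputs are constructed from the thread (the key material is elided as in the post), and all function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample input: a subset of the pluto lines, route table and
# conn section quoted in the post above (line wrapping preserved on purpose).
PLUTO_OUTPUT = """\
104 "swan" #1: STATE_MAIN_I1: initiate
003 "swan" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "swan" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "swan" #1: NAT-Traversal: Result using 3: no NAT detected
004 "swan" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
004 "swan" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x3cc26147 <0x13c5b6d7 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
"""

ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.123.100 *               255.255.255.255 UH    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
"""

IPSEC_CONF = """\
conn swan
        left=10.0.0.100
        right=192.168.123.100
        auto=add
"""

# Pluto prefixes every line with a 3-digit code, the conn name and the state number.
STATUS_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')


def parse_pluto(text: str) -> List[dict]:
    """Parse 'ipsec auto --up' output; a line without a status code is a wrapped continuation."""
    events: List[dict] = []
    for raw in text.splitlines():
        m = STATUS_RE.match(raw)
        if m:
            events.append({"code": int(m[1]), "conn": m[2], "state": int(m[3]), "msg": m[4]})
        elif events:
            events[-1]["msg"] += " " + raw.strip()
    return events


def natt_result(events: List[dict]) -> Optional[str]:
    """Text after 'NAT-Traversal: Result using N:' (e.g. 'no NAT detected'), or None."""
    for ev in events:
        m = re.search(r"NAT-Traversal: Result using \d+: (.*)", ev["msg"])
        if m:
            return m[1].strip()
    return None


def sa_params(events: List[dict], state: int) -> Dict[str, str]:
    """key=value pairs from the {...} block of the 'SA established' message for state #N."""
    for ev in events:
        msg = ev["msg"]
        if ev["state"] == state and "SA established" in msg and "{" in msg:
            block = msg[msg.index("{") + 1 : msg.rindex("}")]
            return dict(re.findall(r"(\w+)=(\S+)", block))
    return {}


def parse_routes(text: str) -> List[dict]:
    """Parse 'route' output into networks; '*' means no gateway (on-link), 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the title and header lines
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        routes.append({"net": ipaddress.ip_network(f"{dest}/{f[2]}", strict=False),
                       "gateway": None if f[1] == "*" else f[1], "iface": f[7]})
    return routes


def route_for(routes: List[dict], addr: str) -> Optional[dict]:
    """Longest-prefix match, as the kernel's forwarding lookup does."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: 'conn NAME' headers followed by indented key=value lines."""
    conns: Dict[str, Dict[str, str]] = {}
    cur = None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = line.split()[1]
            conns[cur] = {}
        elif cur and line[:1].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            conns[cur][k] = v
    return conns


def check_peer_path(conn: Dict[str, str], routes: List[dict], events: List[dict]) -> List[str]:
    """Findings about how IKE/ESP packets to right= will leave this host, plus the NAT-T verdict."""
    findings = []
    peer = conn["right"]
    r = route_for(routes, peer)
    if r is None:
        return [f"no route to peer {peer}"]
    # Gateway-less routes are 'on-link': the kernel ARPs for the destination itself.
    onlink = [x for x in routes if x["gateway"] is None and x["net"].prefixlen < 32
              and x["iface"] == r["iface"]]
    if r["gateway"] is None and not any(ipaddress.ip_address(peer) in x["net"] for x in onlink):
        nets = ", ".join(str(x["net"]) for x in onlink)
        findings.append(f"peer {peer} is reached by a gateway-less route on {r['iface']} but lies "
                        f"outside that interface's connected networks ({nets}); packets are ARPed "
                        f"on the local link rather than forwarded to a router")
    nat = natt_result(events)
    if nat is not None:
        findings.append(f"IKE reported '{nat}', IPsec SA NATD={sa_params(events, 2).get('NATD')}")
    return findings


if __name__ == "__main__":
    for line in check_peer_path(parse_conns(IPSEC_CONF)["swan"],
                                parse_routes(ROUTE_OUTPUT), parse_pluto(PLUTO_OUTPUT)):
        print(line)
```

The on-link check is a generic sanity test worth running whenever a peer behind NAT is configured by its private address: a /32 route with no gateway on an interface whose connected network does not contain that address means the host will try to resolve the peer on its own link instead of sending through the NAT router. The NAT-T verdict is reported as stated by pluto; "no NAT detected" with NATD=none means the NAT-D hashes exchanged in Main Mode matched on both sides, i.e. neither peer saw the other's IKE packets arrive with a rewritten address or port.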
