[Openswan Users] FC6 iptables problem

Paul Wouters paul at xelerance.com
Fri Mar 23 16:29:13 EDT 2007


On Fri, 23 Mar 2007, Xunhua Wang wrote:

> Ok. I may have found the reason but it is not clear where to fix it. My
> Windows IPsec/L2TP client is behind a NAT (its IP address is 192.168.1.103)
> but the IPsec SA does _not_ report it (see below).

It does:

> Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed

> Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping
> 76.104.101.6:500/1468)

> 76.104.101.6 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x61a49581
> <0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1468 DPD=none}

The UDP port 4500 of your ipsec client is natted to port 1468 on the NAT
router at 76.104.101.6.

> Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report
> on eth1 (sport=4500) for message to 76.104.101.6 port 1468, complainant
> 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
> authenticated)]

However, it seems openswan is not able to send a packet from its IP on port
4500 to 76.104.101.6 port 1468. Either a firewall rule, or a broken NAT
router.

Paul
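The diagnosis above rests on correlating three pluto messages: "peer is NATed", the NAT-T port mapping, and the asynchronous network error that quotes an ICMP type/code. The following is an added example (not from the post, the thread, or Openswan itself) that performs that correlation over the log lines quoted above, so the same check can be run on a larger pluto log. The sample lines are constructed from the quoted ones; the syslog prefix on the "IPsec SA established" line is assumed, since the post quotes it mid-line. The ICMP code table is from RFC 792/1122, and errno 113 is Linux EHOSTUNREACH ("No route to host"); everything else (function names, the wording of the findings) is this example's own.

```python
import re

# Constructed sample: the pluto log lines quoted in the post, joined back onto
# single lines. The syslog prefix of the third line is assumed.
SAMPLE_LOG = """\
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping 76.104.101.6:500/1468)
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x61a49581 <0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1468 DPD=none}
Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1468, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

# ICMP type 3 (Destination Unreachable) codes, RFC 792 and RFC 1122.
ICMP_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "destination network administratively prohibited",
    10: "destination host administratively prohibited",
    13: "communication administratively prohibited",
}

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
NATED_RE = re.compile(rf'(?P<peer>{IPV4}) #\d+: NAT-Traversal: .*peer is NATed')
MAPPING_RE = re.compile(rf'NAT-T: new mapping (?P<peer>{IPV4}):(?P<old>\d+)/(?P<new>\d+)')
SA_RE = re.compile(rf'IPsec SA established .*NATD=(?P<peer>{IPV4}):(?P<port>\d+)')
NETERR_RE = re.compile(
    rf'asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) '
    rf'for message to (?P<dst>{IPV4}) port (?P<dport>\d+), '
    rf'complainant (?P<complainant>{IPV4}): (?P<strerror>[^\[]+?) '
    rf'\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)')


def parse_pluto_log(text):
    """Return (peers, errors): per-peer NAT-T state keyed by peer IP, and the
    list of asynchronous network errors pluto received via ICMP."""
    peers = {}
    errors = []
    for line in text.splitlines():
        if m := NATED_RE.search(line):
            peers.setdefault(m['peer'], {})['nated'] = True
        elif m := MAPPING_RE.search(line):
            # old/new UDP port of the peer as seen from this host, after the NAT
            peers.setdefault(m['peer'], {})['mapping'] = (int(m['old']), int(m['new']))
        elif m := SA_RE.search(line):
            peers.setdefault(m['peer'], {})['natd_port'] = int(m['port'])
        elif m := NETERR_RE.search(line):
            errors.append({
                'iface': m['iface'], 'sport': int(m['sport']),
                'dst': m['dst'], 'dport': int(m['dport']),
                'complainant': m['complainant'], 'strerror': m['strerror'],
                'errno': int(m['errno']), 'icmp': (int(m['type']), int(m['code'])),
            })
    return peers, errors


def describe_icmp(icmp):
    """Human-readable name for an (type, code) pair; only type 3 is tabulated."""
    t, c = icmp
    if t == 3:
        return f"destination unreachable / {ICMP_UNREACH_CODES.get(c, f'code {c}')}"
    return f"type {t} code {c}"


def diagnose(text):
    """Cross-check each network error against the NAT-T state of its peer and
    return a list of findings (strings) in the order they were derived."""
    peers, errors = parse_pluto_log(text)
    findings = []
    for e in errors:
        p = peers.get(e['dst'], {})
        if p.get('nated') and e['dport'] == p.get('natd_port'):
            findings.append(
                f"{e['dst']}: peer is NATed and UDP {e['sport']} -> {e['dst']}:{e['dport']} "
                f"is the NAT-T mapping (client port 4500 translated to {e['dport']})")
        findings.append(
            f"{e['dst']}: {describe_icmp(e['icmp'])} reported by {e['complainant']} "
            f"on {e['iface']} (errno {e['errno']}, {e['strerror']})")
        if e['complainant'] != e['dst']:
            findings.append(
                f"{e['dst']}: the ICMP did not come from the peer; check the firewall rules "
                f"on {e['complainant']} and the route out of {e['iface']} before blaming the NAT router")
        else:
            findings.append(f"{e['dst']}: the NAT router itself rejected the packet; check its UDP 4500 mapping")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

One caveat worth carrying from the log text itself: pluto marks the ICMP origin "(not authenticated)" because ICMP error messages carry no authentication, so a host on the path can inject them and tear down or stall a tunnel. Treat the complainant address as a lead for where to look (its filter rules, the route towards the peer), not as proof of who dropped the packet.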
