[Openswan Users] FC6 iptables problem

wangxx at jmu.edu wangxx at jmu.edu
Fri Mar 23 17:07:09 EDT 2007


You are right. The problem is not with NAT but something else.

It is _not_ the firewall either as the error remains even 
after I turned iptables off.

I dumped all the traffic on the server and noticed that the 
server does not send out a single packet after IPsec SA was 
reportedly established.

Weird.

Steve

---- Original message ----
>Date: Fri, 23 Mar 2007 21:29:13 +0100 (CET)
>From: Paul Wouters <paul at xelerance.com>  
>Subject: RE: [Openswan Users] FC6 iptables problem  
>To: Xunhua Wang <wangxx at jmu.edu>
>Cc: users at openswan.org
>
>On Fri, 23 Mar 2007, Xunhua Wang wrote:
>
>> Ok. I may have found the reason but it is not clear where to fix it. My
>> Windows IPsec/L2TP client is behind a NAT (its IP address is 192.168.1.103)
>> but the IPsec SA does _not_ report it (see below).
>
>It does:
>
>> Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>
>> Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping
>> 76.104.101.6:500/1468)
>
>> 76.104.101.6 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x61a49581
>> <0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1468 DPD=none}
>
>The UDP port 4500 of your ipsec client is natted to port 1468 on the NAT
>router at 76.104.101.6.
>
>> Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report
>> on eth1 (sport=4500) for message to 76.104.101.6 port 1468, complainant
>> 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
>> authenticated)]
>
>However, it seems openswan is not able to send a packet from its IP on port
>4500 to 76.104.101.6 port 1468. Either a firewall rule, or a broken NAT
>router.
>
>Paul
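As an added illustration, not part of the thread, a small Python helper that reads pluto log lines like the ones quoted above and correlates the "asynchronous network error report" with the NAT-T endpoint (NATD=ip:port) recorded when the SA was established, which is the pattern Paul points to. The sample log is constructed from the quoted lines, with a timestamp prefix reconstructed for the SA line.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in this thread (the SA line
# is given a reconstructed timestamp prefix; the other lines are as quoted).
SAMPLE_LOG = """\
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping 76.104.101.6:500/1468)
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x61a49581 <0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1468 DPD=none}
Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1468, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
SA_RE = re.compile(r"IPsec SA established .*NATD=" + IP + r":(\d+)")
ERR_RE = re.compile(
    r"asynchronous network error report on (\S+) \(sport=(\d+)\) for message to "
    + IP + r" port (\d+), complainant " + IP + r": (.*?) \[errno (\d+), "
    r"origin ICMP type (\d+) code (\d+)"
)


def diagnose(log):
    """Return one finding per asynchronous network error, flagging those whose
    destination is a NAT-T endpoint (NATD=ip:port) of an already-established SA."""
    natd_peers = set()
    findings = []
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:  # remember where the peer's UDP 4500 is mapped behind its NAT
            natd_peers.add((m.group(1), int(m.group(2))))
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        iface, sport, dst, dport, complainant, msg, errno, itype, icode = m.groups()
        peer = (dst, int(dport))
        hit = peer in natd_peers
        findings.append({
            "peer": peer, "sa_established": hit, "errno": int(errno),
            "icmp": (int(itype), int(icode)), "complainant": complainant,
            "verdict": (f"UDP {sport} -> {dst}:{dport} on {iface} rejected after SA setup "
                        f"({msg}, ICMP {itype}/{icode} from {complainant}): check the "
                        f"server firewall for sport {sport} and the peer's NAT router")
                       if hit else f"error to {dst}:{dport} matches no established SA",
        })
    return findings
```

Run against a real pluto log, a finding with `sa_established` set is the signature of a tunnel that negotiated but whose UDP 4500 return path to the peer's mapped port is being rejected, as in this thread.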

