[Openswan Users] ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)

Paul Wouters paul at xelerance.com
Thu Mar 29 14:03:21 EDT 2007


On Wed, 28 Mar 2007, Xunhua Wang wrote:

>
> I have a Fedora Core 6 box and have installed "Linux Openswan
> U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box has
> two network interfaces, eth0 for internal connection and eth1 for external
> connection (which has a public IP address).
>
> Using a MS Windows 2000 client with L2TP/IPsec combination, I can connect to
> the Linux box and obtain an internal IP address in the following two cases:
>
> 1) Case 1: the client has a public IP address
> 2) Case 2: the client is behind a NAT and this NAT allows outgoing UDP
> packets to keep their source port 4500 (this was observed in the server
> log).
>
> However, if I put the client behind _another_ NAT, which maps the source
> port of outgoing UDP packets from 4500 to 1325, I got the following error in
> the server log: "ERROR: asynchronous network error report on eth1
> (sport=4500) for message to 76.104.101.6 port 1325, complainant
> 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
> authenticated)"

Are you sure this is just the result of being behind two NATs, and not the result
of having "two clients behind the same NAT device"? (e.g. the NAT mapping
survived in your tests?)

I just checked and noticed that openswan-2/testing/pluto/nat-double-01 is planned
but was never finished. So we do need to add a test case for this.

Paul
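As an added example that is not part of this thread and not Openswan's own code, the script below parses pluto's "asynchronous network error report" lines (the one quoted above plus two constructed ones), names the ICMP destination-unreachable code from RFC 792/1122, and flags the symptom under discussion: a peer whose NAT mapped the NAT-T source port away from 4500. The dataclass field names, the note labels ("nat_rewrote_port" and so on) and the two extra sample lines are my assumptions for illustration.

```python
"""Parse Openswan/pluto "asynchronous network error report" log lines.

Added example for this thread, not Openswan code. pluto logs such a line when
the kernel queues an ICMP error for its UDP socket (IP_RECVERR); this script
decodes the fields, names the ICMP code and flags a peer whose NAT rewrote the
NAT-T source port (4500) to something else, as described in the question.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

NAT_T_PORT = 4500  # UDP port used for IKE/ESP once NAT-T is negotiated
IKE_PORT = 500

# RFC 792 / RFC 1122 "Destination Unreachable" (ICMP type 3) codes
ICMP_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

# Constructed sample log: line 1 mirrors the line quoted in the thread, the
# rest are made up to exercise the other branches (assumed, not real logs).
SAMPLE_LOG = """\
ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
ERROR: asynchronous network error report on eth1 (sport=4500) for message to 198.51.100.7 port 4500, complainant 198.51.100.7: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth1 (sport=500) for message to 203.0.113.9 port 500, complainant 203.0.113.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
some unrelated pluto line
"""

# The closing ']' is optional: the quoted line in the thread lost it.
LINE_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) "
    r"\(sport=(?P<sport>\d+)\) for message to (?P<dst>[0-9.]+) port (?P<dport>\d+), "
    r"complainant (?P<complainant>[0-9.]+): (?P<reason>.*?) "
    r"\[errno (?P<errno>\d+)"
    r"(?:, origin ICMP type (?P<icmp_type>\d+) code (?P<icmp_code>\d+))?"
    r"(?: \((?P<auth>not authenticated)\))?"
)


@dataclass
class NetErrorReport:
    iface: str
    sport: int
    dst: str
    dport: int
    complainant: str
    reason: str
    errno: int
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    authenticated: bool
    notes: List[str] = field(default_factory=list)

    def icmp_name(self) -> str:
        if self.icmp_type == 3:
            return ICMP_UNREACH_CODES.get(self.icmp_code, f"unreachable code {self.icmp_code}")
        return f"ICMP type {self.icmp_type} code {self.icmp_code}"


def parse_report(line: str) -> Optional[NetErrorReport]:
    """Return the decoded report, or None if the line is not such a report."""
    m = LINE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return NetErrorReport(
        iface=g["iface"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        complainant=g["complainant"], reason=g["reason"].strip(), errno=int(g["errno"]),
        icmp_type=int(g["icmp_type"]) if g["icmp_type"] else None,
        icmp_code=int(g["icmp_code"]) if g["icmp_code"] else None,
        authenticated=g["auth"] is None,
    )


def analyze(r: NetErrorReport) -> NetErrorReport:
    """Attach notes a practitioner would want when triaging the report."""
    if r.sport == NAT_T_PORT and r.dport != NAT_T_PORT:
        # We sent from 4500 but the peer is reached on another port: its NAT
        # rewrote the NAT-T source port (the thread's 4500 -> 1325 case).
        r.notes.append("nat_rewrote_port")
    if r.complainant != r.dst:
        r.notes.append("icmp_from_intermediate")  # a router, not the peer, complained
    if not r.authenticated:
        # ICMP errors carry no authentication, so they are trivially spoofable;
        # do not tear down an SA on the strength of one.
        r.notes.append("unauthenticated_icmp")
    return r


def scan(log_text: str) -> List[NetErrorReport]:
    """Decode and annotate every report line in a chunk of pluto log."""
    reports = [parse_report(line) for line in log_text.splitlines()]
    return [analyze(r) for r in reports if r is not None]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r.iface} {r.sport}->{r.dst}:{r.dport} {r.icmp_name()} "
              f"(errno {r.errno}) notes={r.notes}")
```

Run it against a real /var/log/secure excerpt by feeding the file contents to scan(); a report tagged nat_rewrote_port with a dport other than 4500 is the signature of the second-NAT case in the question.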

