[Openswan Users] Problems, I think NAT related

Peter McGill petermcgill at goco.net
Fri Nov 2 14:02:10 EDT 2007


Well, for starters, your Openswan ipsec.conf should have left=192.168.1.65 (the address on the Openswan box's interface facing the speedtouch router in your diagram), not left=10.0.5.12, and should have plutodebug=none.
 
Peter McGill
 


  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Mark Hayward
Sent: November 2, 2007 1:24 PM
To: users at openswan.org
Subject: [Openswan Users] Problems, I think NAT related



Hi,

Please help me! 

 

Here is my setup:

 

10.0.5.0/24 ------10.0.5.12(OpenSwan)192.168.1.65-----192.168.1.254(speedtouch)
86.148.87.91------------(Internet)--------80.102.114.86(IPCOP)192.168.3.149---------192.168.2.0/24

 

 

However, when I start the connection from Openswan, I get the following from IPCOP logs:

 

packet from 86.148.87.91:49179: initial Main Mode message received on 80.102.114.86:500 but no connection has been authorized with
policy=PSK

 

 

Am I receiving this error because the port that openswan is sending from is 49179? Or is it down to some other problem? How would I
fix it?

 

Here is the config from ipcop:

 

# Global pluto/KLIPS settings on the IPCop end of the tunnel.
config setup

        interfaces="%defaultroute "

        # Both debug switches are off on this end.
        klipsdebug="none"

        plutodebug="none"

        plutoload=%search

        plutostart=%search

        # With uniqueids=yes a new connection presenting an ID replaces an
        # older connection that used the same ID.
        uniqueids=yes

        # NAT-Traversal support is switched on; the Openswan peer in the
        # diagram sits behind a NAT router (speedtouch).
        nat_traversal=yes

 
        # virtual_private lists the private ranges a NAT-ed peer may present
        # as its subnet; entries prefixed with ! are excluded from that list.
        # The mail client wrapped the next line in the middle of a "%v4:"
        # token; in the real file it is presumably a single indented line.
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/255.255.255.0,%v4:!192.168.4.0/255.255.254.0,%v
4:!10.0.5.0/255.255.255.0

 

# Defaults applied to every conn in this file unless the conn overrides them.
conn %default

        # NOTE(review): 0 presumably means "keep retrying forever" - confirm
        # against the ipsec.conf man page for this IPCop build.
        keyingtries=0

        # "no" leaves the tunnel-exit address check on decrypted packets enabled.
        disablearrivalcheck=no

 

# IPCop end of the tunnel to the Openswan box. left* is this gateway,
# right* is the remote peer.
conn manchester #RED

        left=cardiffadmin.demon.co.uk

        leftnexthop=%defaultroute

        leftsubnet=192.168.2.0/255.255.254.0

        # Fixed public address of the peer. The peer is behind a NAT router,
        # and the log above shows its IKE packet arriving from source port
        # 49179 rather than 500.
        # NOTE(review): whether this version matches such a packet against a
        # fixed right= is worth confirming; NAT-ed peers are often declared
        # with right=%any instead - verify against README.NAT-Traversal.
        right=86.148.87.91

        rightsubnet=10.0.5.0/255.255.255.0

        rightnexthop=%defaultroute

        # The leading @ makes these literal ID strings rather than IP-address
        # IDs. They have to match the ids configured on the other peer and the
        # index used in ipsec.secrets.
        leftid="@80.102.114.86"

        rightid="@86.148.87.91"

        # The line is cut off at "$" (looks like an editor truncating a long
        # line), so the full proposal list is not visible here. The visible
        # entries include MD5, 3DES and modp1024, which are weak by current
        # standards; the AES/SHA/modp1536 entries are the ones worth keeping.
        ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha$

        esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5

        ikelifetime=1h

        keylife=8h

        # Aggressive Mode with a pre-shared key sends a PSK-derived hash
        # unencrypted, so a captured exchange can be used to guess the key
        # offline. Use it only when needed, and only with a long random PSK.
        # The Openswan conn further down does not set aggrmode, and the log
        # shows that peer opening with Main Mode.
        # NOTE(review): confirm whether aggrmode=yes on this end makes it
        # refuse a Main Mode initiator.
        aggrmode=yes

        dpddelay=30

        dpdtimeout=120

        dpdaction=restart

        # PFS is off here while the Openswan conn has pfs=yes. Without PFS the
        # IPsec SA keys are derived from the Phase 1 keying material.
        pfs=no

        # Pre-shared-key authentication; the key comes from ipsec.secrets.
        authby=secret

        auto=start

 

 

My ipsec.secrets from IPcop looks like this:

 

# Indexed by the two ID strings used in leftid=/rightid=, so this key applies
# only to that pair. 'password' is presumably a stand-in for the real key; a
# real PSK should be long and random, all the more so with aggrmode=yes, and
# the file should be readable by root only.
@80.102.114.86 @86.148.87.91 : PSK 'password'

 

 

Here is the config from the Openswan box:

 

version 2.0     # conforms to second version of ipsec.conf specification

 

# basic configuration

# Global pluto/KLIPS settings on the Openswan box.
config setup

        # plutodebug / klipsdebug = "all", "none" or a combination from below:

        # "raw crypt parsing emitting control klips pfkey natt x509 private"

        # eg:

        # plutodebug="control parsing"

        #

        # Only enable klipsdebug=all if you are a developer

        #

        # NAT-TRAVERSAL support, see README.NAT-Traversal

        nat_traversal=yes

        # Private ranges a NAT-ed peer may present as its subnet; the !-entry
        # excludes this box's own LAN (10.0.5.0/24, the leftsubnet below).
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.5.0/24

        #

        # enable this if you see "failed to find any available worker"

        nhelpers=0

        # Full pluto debug logging. It is very verbose and writes negotiation
        # detail to the logs, so keep it on only while troubleshooting; the
        # reply at the top of this thread asks for plutodebug=none.
        plutodebug="all"

        uniqueids=yes

 

# Add connections here

# Openswan end of the tunnel to the IPCop gateway. left* is this box,
# right* is IPCop.
conn vpnserver

        right=80.102.114.86

        rightnexthop=%defaultroute

        rightsubnet=192.168.2.0/255.255.254.0

        # 10.0.5.12 is this box's LAN-side address in the diagram; the address
        # facing the speedtouch router is 192.168.1.65. The reply at the top of
        # this thread says to use left=192.168.1.65 here.
        left=10.0.5.12

        leftsubnet=10.0.5.0/255.255.255.0

        leftnexthop=%defaultroute

        # ID string built from the NAT router's public address (the @ makes it
        # a literal string, not an IP-address ID). It matches rightid= on the
        # IPCop side.
        leftid="@86.148.87.91"

        rightid="@80.102.114.86"

        # Only the cipher is named; hash and DH group are left to defaults.
        # NOTE(review): confirm the resulting proposals overlap with the
        # ike=/esp= lists on the IPCop side.
        ike=aes

        esp=aes

        ikelifetime=1h

        keylife=8h

        dpddelay=30

        dpdtimeout=120

        dpdaction=restart

        # PFS is requested here while the IPCop conn has pfs=no.
        # NOTE(review): confirm the two ends agree on PFS.
        pfs=yes

        # Pre-shared-key authentication. No aggrmode= is set in this conn,
        # whereas the IPCop conn has aggrmode=yes.
        authby=secret

 

 

My ipsec.secrets for openswan looks like this:

# No ID selectors before the colon, so this entry is a catch-all PSK rather
# than one tied to this tunnel; the IPCop side indexes its entry by the two
# ID strings. "password" is presumably a stand-in for the real key; a real
# PSK should be long and random, and the file readable by root only.
: PSK "password"

 

 

 

 

 

 

 
