[Openswan Users] Problems, I think NAT related
Peter McGill
petermcgill at goco.net
Fri Nov 2 14:02:10 EDT 2007
Well for starters your openswan ipsec.conf should have left=192.168.1.65 not left=10.0.5.12, and should have plutodebug=none.
Peter McGill
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Mark Hayward
Sent: November 2, 2007 1:24 PM
To: users at openswan.org
Subject: [Openswan Users] Problems, I think NAT related
Hi,
Please help me!
Here is my setup:
10.0.5.0/24 ------10.0.5.12(OpenSwan)192.168.1.65-----192.168.1.254(speedtouch)86.148.87.91------------(Internet)--------80.102.114.86(IPCOP)192.168.3.149---------192.168.2.0/24
However, when I start the connection from Openswan, I get the following from IPCOP logs:
packet from 86.148.87.91:49179: initial Main Mode message received on 80.102.114.86:500 but no connection has been authorized with policy=PSK
Am I receiving this error because the port that openswan is sending from is 49179? Or is it down to some other problem? How would I fix it?
Here is the config from ipcop:
config setup
    interfaces="%defaultroute "
    klipsdebug="none"
    plutodebug="none"
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/255.255.255.0,%v4:!192.168.4.0/255.255.254.0,%v4:!10.0.5.0/255.255.255.0

conn %default
    keyingtries=0
    disablearrivalcheck=no

conn manchester #RED
    left=cardiffadmin.demon.co.uk
    leftnexthop=%defaultroute
    leftsubnet=192.168.2.0/255.255.254.0
    right=86.148.87.91
    rightsubnet=10.0.5.0/255.255.255.0
    rightnexthop=%defaultroute
    leftid="@80.102.114.86"
    rightid="@86.148.87.91"
    ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha$
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
    ikelifetime=1h
    keylife=8h
    aggrmode=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    pfs=no
    authby=secret
    auto=start
My ipsec.secrets from IPcop looks like this:
@80.102.114.86 @86.148.87.91 : PSK 'password'
Here is the config from the Openswan box:
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.5.0/24
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0
    plutodebug="all"
    uniqueids=yes

# Add connections here
conn vpnserver
    right=80.102.114.86
    rightnexthop=%defaultroute
    rightsubnet=192.168.2.0/255.255.254.0
    left=10.0.5.12
    leftsubnet=10.0.5.0/255.255.255.0
    leftnexthop=%defaultroute
    leftid="@86.148.87.91"
    rightid="@80.102.114.86"
    ike=aes
    esp=aes
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    pfs=yes
    authby=secret
My ipsec.secrets for openswan looks like this:
: PSK "password"
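
Added example, not part of the original thread and not Openswan or IPCop code: a small checker that lists the settings on which the two peers' conn sections differ once left/right are swapped, plus a heuristic based on the reply's left= advice (a tunnel endpoint that lies inside its own protected subnet is the LAN-side address). All function names are hypothetical and the sample is a subset of the values quoted above; the output is a list of differences to review, not a diagnosis.

```python
import ipaddress
import re

# Constructed sample: a subset of the two conn sections quoted in the post, re-indented.
OPENSWAN = """
conn vpnserver
    left=10.0.5.12
    leftsubnet=10.0.5.0/255.255.255.0
    right=80.102.114.86
    pfs=yes
"""
IPCOP = """
conn manchester #RED
    left=cardiffadmin.demon.co.uk
    right=86.148.87.91
    rightsubnet=10.0.5.0/255.255.255.0
    aggrmode=yes
    pfs=no
"""
SWAP = {"left": "right", "right": "left"}

def parse_conf(text):
    """Return {"conn NAME": {key: value}} from ipsec.conf text."""
    sections, current = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith(("conn ", "config ")):
            current = sections.setdefault(line, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def norm(key, value):
    try:  # compare subnets by value, so /255.255.255.0 equals /24
        return str(ipaddress.ip_network(value, strict=False)) if key.endswith("subnet") else value
    except (TypeError, ValueError):  # unset, or a non-CIDR value
        return value

def peer_diff(a, b):
    """Settings that differ once conn b's left*/right* keys are swapped to a's orientation."""
    b = {re.sub(r"^(left|right)", lambda m: SWAP[m.group(1)], k): v for k, v in b.items()}
    pairs = {k: (norm(k, a.get(k)), norm(k, b.get(k))) for k in set(a) | set(b)}
    return {k: v for k, v in sorted(pairs.items()) if v[0] != v[1]}

def endpoint_in_own_subnet(conn, side="left"):
    """Heuristic: an endpoint inside its own protected subnet is the LAN-side address."""
    try:
        return ipaddress.ip_address(conn[side]) in ipaddress.ip_network(conn[side + "subnet"], strict=False)
    except (KeyError, ValueError):  # hostname endpoint or missing key
        return False
```

On the sample, peer_diff reports aggrmode, left, pfs and right, and endpoint_in_own_subnet flags left=10.0.5.12 but not left=192.168.1.65.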