[Openswan Users] Doubt when configuring NAT-T
Henrique Machado
henrique.cicuto at gmail.com
Mon Aug 18 01:26:11 EDT 2008
Good evening,
For almost a year we've been using Openswan + IPSec to create a VPN
between our two offices. One is running Suse 9.3 + Openswan 2.2.0 and
the other Debian 4.0rc3 + Openswan 2.4.6.
For that period of time, the design of the topology was:
Network A (192.168.X.X/24) <===> OPENSWAN SERVER A (192.168.X.1/24 || 200.XX.XX.XX) <===> INTERNET <===> OPENSWAN SERVER B (189.YY.YY.YY || 192.168.Y.1/23) <===> Network B (192.168.Y.Y/23)
And it has worked pretty well so far.
Now, we had a change in our design:
Network A (192.168.X.X/24) <==> OPENSWAN SERVER A (192.168.X.1/24 || 200.XX.XX.XX) <==> INTERNET <==> FW (189.YY.YY.YY || 10.Y.Y.1) <==> OPENSWAN SERVER B (10.Y.Y.2 || 192.168.Y.1/23) <==> Network B (192.168.Y.Y/23)
The OpenSwan Server B is now behind a FW, and this FW NATs all connections.
I tried activating NAT-T to try and make it work, but I couldn't. I
added to my ipsec.conf the lines "nat_traversal=yes", "leftid" and
"forceencaps=yes"; the rest I kept the same. Server A is set to
auto=start and Server B to auto=add.
Now it looks like this, on both the A & B OpenSwan Servers:
----------------------------------------------------------------
config setup
    plutostderrlog=/var/log/secure
    nat_traversal=yes
    nhelpers=0

conn <conn_name>
    left=10.Y.Y.2
    leftid=189.YY.YY.YY
    leftsubnet=192.168.Y.Y/23
    leftnexthop=%defaultroute
    leftrsasigkey=<B_key>
    right=200.X.X.X
    rightsubnet=192.168.X.X/24
    rightnexthop=%defaultroute
    rightrsasigkey=<A_key>
    forceencaps=yes
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
----------------------------------------------------------------
Here's some output from /var/log/secure (Server A):
ERROR: "<conn_name>" #1: sendto on ethX to 10.Y.Y.2:500 failed in
main_outI1. Errno 1: Operation not permitted
ERROR: "<conn_name>" #1: sendto on ethX to 10.Y.Y.2:500 failed in
EVENT_RETRANSMIT. Errno 1: Operation not permitted
ERROR: "<conn_name>" #1: sendto on ethX to 10.Y.Y.2:500 failed in
EVENT_RETRANSMIT. Errno 1: Operation not permitted
"<conn_name>" #1: max number of retransmissions (2) reached
STATE_MAIN_I1. No response (or no acceptable response) to our first
IKE message
"<conn_name>" #1: starting keying attempt 2 of at most 3
"<conn_name>" #2: initiating Main Mode to replace #1
ERROR: "<conn_name>" #2: sendto on ethX to 10.Y.Y.2:500 failed in
main_outI1. Errno 1: Operation not permitted
ERROR: "<conn_name>" #2: sendto on ethX to 10.Y.Y.2:500 failed in
EVENT_RETRANSMIT. Errno 1: Operation not permitted
ERROR: "<conn_name>" #2: sendto on ethX to 10.Y.Y.2:500 failed in
EVENT_RETRANSMIT. Errno 1: Operation not permitted
I tried switching the "left" and "leftid" options, and I got the following output:
Server A:
"<conn_name>" #1: initiating Main Mode
"<conn_name>" #1: ERROR: asynchronous network error report on eth0 for
message to 189.YY.YY.YY port 500, complainant 189.YY.YY.YY: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"<conn_name>" #1: max number of retransmissions (2) reached
STATE_MAIN_I1. No response (or no acceptable response) to our first
IKE message
"<conn_name>" #1: starting keying attempt 2 of at most 3
"<conn_name>" #2: initiating Main Mode to replace #1
Server B:
packet from 200.XX.XX.XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
packet from 200.XX.XX.XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
packet from 200.XX.XX.XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
packet from 200.XX.XX.XX:500: initial Main Mode message received on
10.Y.Y.2:500 but no connection has been authorized
I tried reading the OpenSwan docs, and all it said was to add those
lines I mentioned above (except for forceencaps, I put that on my
own).
Most likely I configured something pretty simple completely wrong, but
I don't have much knowledge of Openswan and IPSec. I really need some
help with this. This VPN is quite vital for our network, and it must
be put online.
I appreciate everyone's attention.
Henrique Cicuto
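An added example, not part of Henrique's post and not code from the Openswan project: a small Python checker that parses an ipsec.conf laid out like the one above and reports the NAT-T prerequisites a practitioner verifies first when one peer sits behind a NAT firewall. It checks that nat_traversal=yes is present in config setup, that the side with an RFC 1918 address carries a public id that the other peer can actually dial (and notes that the NAT has to forward UDP 500 and 4500 to that private host), and flags forceencaps=yes. The conn name office-vpn, all addresses (RFC 5737 documentation ranges stand in for the public ones, 10.1.1.2 for the host behind the firewall) and the function names are constructed assumptions.

```python
"""Added example (not from the original post or the Openswan project):
sanity-check an Openswan ipsec.conf whose peer sits behind a NAT firewall.

The checker parses the 'config setup' and 'conn' sections and reports:
  * whether nat_traversal=yes is set in config setup,
  * for any conn side with an RFC 1918 address (the NATed host), whether
    its <side>id is a public address, and that the other peer has to dial
    that public address (and the NAT has to forward UDP 500/4500),
  * whether forceencaps=yes is set, which forces UDP 4500 encapsulation.
Every address below is a constructed sample value.
"""
import ipaddress

# RFC 1918 ranges; a peer with one of these addresses is behind a NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.1.1.2 is the host behind the NAT, 198.51.100.20 the
# NAT's public address, 192.0.2.10 the other peer (RFC 5737 documentation
# addresses stand in for public ones).
SAMPLE_CONF = """\
config setup
    plutostderrlog=/var/log/secure
    nat_traversal=yes
    nhelpers=0

conn office-vpn
    left=10.1.1.2
    leftid=198.51.100.20
    leftsubnet=192.168.4.0/23
    leftnexthop=%defaultroute
    right=192.0.2.10
    rightsubnet=192.168.1.0/24
    rightnexthop=%defaultroute
    forceencaps=yes
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {'setup': {...}, 'conns': {name: {...}}} from ipsec.conf text.

    Section headers ('config setup', 'conn NAME') start in column 0;
    parameters are indented key=value lines. '#' starts a comment.
    """
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # unindented: a section header
            words = line.split()
            if words[:2] == ["config", "setup"]:
                current = setup
            elif words[0] == "conn" and len(words) == 2:
                current = conns.setdefault(words[1], {})
            else:
                current = None              # e.g. 'include ...' lines
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return {"setup": setup, "conns": conns}


def _ip(value):
    """Parse an address parameter; %defaultroute, %any, hostnames give None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def check_nat_t(text):
    """Return a list of (severity, message) findings for NAT-T readiness."""
    conf = parse_ipsec_conf(text)
    findings = []
    if conf["setup"].get("nat_traversal", "no").lower() != "yes":
        findings.append(("error", "config setup: nat_traversal=yes is "
                                  "missing, so NAT-T is disabled"))
    for name, conn in conf["conns"].items():
        for side, other in (("left", "right"), ("right", "left")):
            addr = _ip(conn.get(side, ""))
            if addr is None or not is_rfc1918(addr):
                continue                    # only the NATed side is checked
            ident = _ip(conn.get(side + "id", ""))
            peer = _ip(conn.get(other, ""))
            if ident is None or is_rfc1918(ident):
                findings.append(("error", f"conn {name}: {side}={addr} is an "
                                 f"RFC 1918 address but {side}id is not the "
                                 f"NAT's public address"))
            elif peer is not None and not is_rfc1918(peer):
                findings.append(("info", f"conn {name}: the {other} peer must "
                                 f"dial {ident} (the NAT's public address), not "
                                 f"{addr}; the NAT must forward UDP 500/4500 "
                                 f"to {addr}"))
        if conn.get("forceencaps", "no").lower() == "yes":
            findings.append(("info", f"conn {name}: forceencaps=yes forces UDP "
                             "4500 encapsulation even when no NAT is detected"))
    return findings


if __name__ == "__main__":
    for severity, message in check_nat_t(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```

Run it against a copy of your own ipsec.conf with `check_nat_t(open("/etc/ipsec.conf").read())`; the point of the RFC 1918 test is that a conn copied unchanged to the peer on the public side leaves that peer dialing the private address, which is not routable across the Internet, so the public peer's copy has to carry the NAT's public address as the remote endpoint.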