[Openswan Users] Doubt when configuring NAT-T

Henrique Machado henrique.cicuto at gmail.com
Mon Aug 18 06:54:46 EDT 2008


Greetings

Just now I saw that my "drawing" went kind of "fuzzy".
Well, today I tried a new combination. And to my surprise it worked
right away o.O

In Openswan Server A I kept the configuration as it was before:
"left=189.Y.Y.Y"
no "leftid"
Kept the "forceencaps" and "nat_traversal" options.

In Openswan Server B (the one behind the firewall) the ipsec.conf is
as I described previously.
I didn't think it was that easy.
Guess I just needed a good night's sleep.

Thanks to everyone who read this thread.

Henrique Cicuto


2008/8/18 Henrique Machado <henrique.cicuto at gmail.com>:
> Good evening
>
> For almost a year we've been using Openswan + IPSec to create a VPN
> between our two offices. One is running Suse 9.3 + Openswan 2.2.0 and
> the other Debian 4.0rc3 + Openswan 2.4.6.
> For that period of time, the design of the topology was:
>
>
> Network A (192.168.X.X/24)
>   <===> OPENSWAN SERVER A (192.168.X.1/24 || 200.XX.XX.XX)
>   <===> INTERNET
>   <===> OPENSWAN SERVER B (189.YY.YY.YY || 192.168.Y.1/23)
>   <===> Network B (192.168.Y.Y/23)
>
> And it has worked pretty well so far.
> Now, we had a change in our design:
>
> Network A (192.168.X.X/24)
>   <==> OPENSWAN SERVER A (192.168.X.1/24 || 200.XX.XX.XX)
>   <==> INTERNET
>   <==> FW (189.YY.YY.YY || 10.Y.Y.1)
>   <==> OPENSWAN SERVER B (10.Y.Y.2 || 192.168.Y.1/23)
>   <==> Network B (192.168.Y.Y/23)
>
>
> The OpenSwan Server B is now behind a FW, and this FW NATs all connections.
> I tried activating NAT-T to try and make it work, but I couldn't. I
> added to my ipsec.conf the lines "nat_traversal=yes", "leftid" and
> forceencaps=yes, the rest I kept the same. Server A is set to
> auto=start and Server B to auto=add
> Now it looks like this, in both A & B OpenSwan Server:
>
>
> ----------------------------------------------------------------
> config setup
>        plutostderrlog=/var/log/secure
>        nat_traversal=yes
>        nhelpers=0
>
> conn <conn_name>
>        left=10.Y.Y.2
>        leftid=189.YY.YY.YY
>        leftsubnet=192.168.Y.Y/23
>        leftnexthop=%defaultroute
>        leftrsasigkey=<B_key>
>        right=200.X.X.X
>        rightsubnet=192.168.X.X/24
>        rightnexthop=%defaultroute
>        rightrsasigkey=<A_key>
>        forceencaps=yes
>        auto=add
>
> include /etc/ipsec.d/examples/no_oe.conf
> ----------------------------------------------------------------
>
> Here's some output from /var/log/secure (Server A):
> ERROR: "<conn_name>" #1: sendto on ethX to 10.Y.Y.2:500 failed in
> main_outI1. Errno 1: Operation not permitted
> ERROR: "<conn_name>" #1: sendto on ethX to 10.Y.Y.2:500 failed in
> EVENT_RETRANSMIT. Errno 1: Operation not permitted
> ERROR: "<conn_name>" #1: sendto on ethX to 10.Y.Y.2:500 failed in
> EVENT_RETRANSMIT. Errno 1: Operation not permitted
> "<conn_name>" #1: max number of retransmissions (2) reached
> STATE_MAIN_I1.  No response (or no acceptable response) to our first
> IKE message
> "<conn_name>" #1: starting keying attempt 2 of at most 3
> "<conn_name>" #2: initiating Main Mode to replace #1
> ERROR: "<conn_name>" #2: sendto on ethX to 10.Y.Y.2:500 failed in
> main_outI1. Errno 1: Operation not permitted
> ERROR: "<conn_name>" #2: sendto on ethX to 10.Y.Y.2:500 failed in
> EVENT_RETRANSMIT. Errno 1: Operation not permitted
> ERROR: "<conn_name>" #2: sendto on ethX to 10.Y.Y.2:500 failed in
> EVENT_RETRANSMIT. Errno 1: Operation not permitted
>
>
> I tried switching the left and leftid options, and I got the following output:
>
> Server A:
> "<conn_name>" #1: initiating Main Mode
> "<conn_name>" #1: ERROR: asynchronous network error report on eth0 for
> message to 189.YY.YY.YY port 500, complainant 189.YY.YY.YY: Connection
> refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> "<conn_name>" #1: max number of retransmissions (2) reached
> STATE_MAIN_I1.  No response (or no acceptable response) to our first
> IKE message
> "<conn_name>" #1: starting keying attempt 2 of at most 3
> "<conn_name>" #2: initiating Main Mode to replace #1
>
> Server B:
> packet from 200.XX.XX.XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> packet from 200.XX.XX.XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
> packet from 200.XX.XX.XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> packet from 200.XX.XX.XX:500: initial Main Mode message received on
> 10.Y.Y.2:500 but no connection has been authorized
>
> I tried reading the OpenSwan docs, and all it said was to add those
> lines I mentioned above (except for forceencaps, I put that on my
> own).
> Most likely I configured something pretty simple completely wrong, but
> I don't have much knowledge of Openswan and IPSec. I really need some
> help with this. This VPN is quite vital for our network, and it must
> be put online.
>
> I appreciate everyone's attention.
>
> Henrique Cicuto
>
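
The combination that worked in this thread (Server B behind the NAT keeps a private `left` plus a public `leftid`; Server A addresses the peer by the NAT's public IP, with `nat_traversal=yes` in `config setup`) can be checked mechanically. The script below is an added example, not part of the thread or of Openswan: it reads a minimal ipsec.conf and flags the three pitfalls the thread ran into. The sample conf is constructed, the `office` conn name and the RFC 5737 addresses standing in for the masked public IPs are assumptions, and the operator must say which side (`left`/`right`) the checked host is.

```python
import ipaddress

# Constructed sample modelled on the thread's Server B ipsec.conf: 10.0.0.2 is the NATed
# private address; the RFC 5737 documentation addresses stand in for the masked public IPs.
SERVER_B_CONF = """
config setup
       nat_traversal=yes
conn office
       left=10.0.0.2
       leftid=198.51.100.10
       right=203.0.113.5
       forceencaps=yes
       auto=add
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {'setup': {k: v}, 'conns': {name: {k: v}}}."""
    conf, current = {"setup": {}, "conns": {}}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():         # 'config setup' / 'conn NAME' / 'include ...'
            kind, _, name = line.partition(" ")
            current = (conf["setup"] if (kind, name.strip()) == ("config", "setup")
                       else conf["conns"].setdefault(name.strip(), {}) if kind == "conn" else None)
            continue                               # include lines map to None and are skipped
        if current is not None and "=" in line:    # indented key=value inside the current section
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conf

def nat_t_findings(conf, local):
    """Flag the NAT-T pitfalls from the thread; 'local' is the side ('left'/'right') this host is."""
    remote = "right" if local == "left" else "left"
    nat_t, out = conf["setup"].get("nat_traversal") == "yes", []
    for name, conn in conf["conns"].items():
        try:
            priv = {s: any(ipaddress.ip_address(conn.get(s, "")) in n for n in RFC1918)
                    for s in ("left", "right")}
        except ValueError:
            continue                               # %defaultroute, %any, hostnames: not checked
        if priv[remote]:                           # IKE to the peer's RFC 1918 address cannot cross the Internet
            out.append((name, remote, "remote-private"))
        if priv[local] and not conn.get(local + "id"):   # the peer cannot match us without an ID
            out.append((name, local, "local-private-no-id"))
        if any(priv.values()) and not nat_t:
            out.append((name, "setup", "nat-t-disabled"))
    return out
```

Running the same file as Server A (`local="right"`) reproduces the thread's first mistake, a peer address of 10.Y.Y.2 that no Internet-side host can reach, while the author's final A-side variant (public `left`, no `leftid`) passes clean.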

