[Openswan Users] Help with NAT-T

Tim Garton tim.garton at monsoonworks.com
Tue Mar 4 14:28:38 EST 2008


All,
    I've been trying to get NAT-T working for a couple hours now and 
can't seem to get it to work.  Was hoping someone out there might be 
able to shed some light on what I'm doing wrong.  Here's the setup:

Server: Ubuntu 6.04
Client: Ubuntu 7.10 that's behind a NAT firewall

10.255.82.112        Client
      |
10.255.82.1          NAT Firewall
60.60.60.60
      |
  Internet
      |
50.50.50.50          Server
10.10.0.1
      |
10.10.0.0/19         Internal LAN

For the client config I have:
version 2.0
config setup
        nat_traversal=yes

conn myconn
        left=10.255.82.112
        leftid=@client
        leftsubnet=10.255.82.112/32
        leftrsasigkey=...
        leftnexthop=%defaultroute
        right=50.50.50.50
        rightsubnet=10.10.0.0/19
        rightid=@server
        rightrsasigkey=...
        rightnexthop=%defaultroute
        auto=start

include /etc/ipsec.d/examples/no_oe.conf

For the server config I have:
version 2.0
config setup
        plutodebug="control parsing"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/19,%v4:!10.100.0.0/24

conn myconn
        left=%any
        leftid=@client
        leftsubnet=10.255.82.112/32
        leftrsasigkey=...
        leftnexthop=%defaultroute
        right=50.50.50.50
        rightsubnet=10.10.0.0/19
        rightid=@server
        rightrsasigkey=...
        rightnexthop=%defaultroute
        auto=add

include /etc/ipsec.d/examples/no_oe.conf


The VPN connection appears to be established just fine, but it only 
seems to work one way: Client->Server.  From the client I can connect to 
any machine on the Internal LAN behind the server just fine.  However, I 
can't connect from a machine on the Internal LAN to the client.  
Furthermore, a tcpdump run on the server seems to indicate that traffic 
going from the Internal LAN to the client is encapsulated in UDP but not 
sent to port 4500; instead it is sent to some random high-numbered port:

tcpdump of ping from the client to the Internal LAN:
11:18:41.051227 IP (tos 0x0, ttl  43, id 75, offset 0, flags [DF], proto: UDP (17), length: 160) 60.60.60.60.4500 > 50.50.50.50.4500: UDP-encap: ESP(spi=0xc58688da,seq=0x122), length 132
11:18:41.051227 IP (tos 0x0, ttl  64, id 9, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.255.82.112 > 10.10.1.24: ICMP echo request, id 28220, seq 10, length 64
11:18:41.051896 IP (tos 0x0, ttl  64, id 25265, offset 0, flags [none], proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.4500: UDP-encap: ESP(spi=0x3b4c1984,seq=0x54d), length 132

tcpdump of ping from the Internal LAN to the client:
11:21:24.149565 IP (tos 0x0, ttl  64, id 25417, offset 0, flags [none], proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.56238: UDP-encap: ESP(spi=0x3b4c1984,seq=0x5e5), length 132


As you can see, here it is sent to port 56238.  Anyone have any idea 
what I've done wrong?  Thanks.

Tim



-- 
*Tim Garton*
Systems Administrator
Monsoon, Inc.

e-mail: tim.garton at monsoonworks.com
tel: 503.239.1055 x812 | fax: 503.239.1056
www.monsoonworks.com

This communication may contain confidential information. If you are not 
the intended recipient or believe that you have received this 
communication in error, please reply to the sender indicating that fact 
and delete the copy you received. In addition, you should not print, 
copy, retransmit, disseminate or otherwise use the information contained 
in this communication unless otherwise expressly indicated.
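A small parser for tcpdump records in the format quoted above, added here as an example that is not part of the original post or of Openswan: it extracts the UDP-encapsulated ESP flows and flags outbound packets sent to a port the peer never used as a source port, which is the port-56238 symptom Tim describes. The sample records are constructed from the post's own lines, and `local_ip` (the gateway tcpdump ran on) is an assumed parameter.

```python
import re

# Constructed sample: the four records from the post, one record per line
# (the mailer had wrapped them across several lines).
SAMPLE_TCPDUMP = """\
11:18:41.051227 IP (tos 0x0, ttl  43, id 75, offset 0, flags [DF], proto: UDP (17), length: 160) 60.60.60.60.4500 > 50.50.50.50.4500: UDP-encap: ESP(spi=0xc58688da,seq=0x122), length 132
11:18:41.051227 IP (tos 0x0, ttl  64, id 9, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.255.82.112 > 10.10.1.24: ICMP echo request, id 28220, seq 10, length 64
11:18:41.051896 IP (tos 0x0, ttl  64, id 25265, offset 0, flags [none], proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.4500: UDP-encap: ESP(spi=0x3b4c1984,seq=0x54d), length 132
11:21:24.149565 IP (tos 0x0, ttl  64, id 25417, offset 0, flags [none], proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.56238: UDP-encap: ESP(spi=0x3b4c1984,seq=0x5e5), length 132
"""

# Matches only UDP-encap ESP records; plaintext (ICMP etc.) records do not match.
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP .*?\) "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"UDP-encap: ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)"
)


def parse_udp_encap(text):
    """Yield one dict per UDP-encapsulated ESP record; other lines are skipped."""
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def find_natt_port_mismatches(text, local_ip):
    """Return outbound ESP-in-UDP records whose destination port is not one the
    same peer used as a source port on its inbound packets.  With NAT-T the
    gateway must reply to the port the NAT mapped, so a mismatch means the
    kernel SA carries a stale or wrong encapsulation port.  local_ip is assumed
    to be the address tcpdump captured on (the server in the post)."""
    seen_from_peer = {}  # peer address -> set of source ports seen inbound
    mismatches = []
    for rec in parse_udp_encap(text):
        if rec["dip"] == local_ip:
            seen_from_peer.setdefault(rec["sip"], set()).add(rec["sport"])
        elif rec["sip"] == local_ip:
            ports = seen_from_peer.get(rec["dip"])
            if ports and rec["dport"] not in ports:
                mismatches.append(
                    (rec["ts"], rec["dip"], rec["dport"], sorted(ports), rec["spi"])
                )
    return mismatches
```

Running `find_natt_port_mismatches(SAMPLE_TCPDUMP, "50.50.50.50")` reports the single 11:21:24 record as going to 56238 while the peer only ever sourced from 4500.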

