[Openswan Users] Help with NAT-T
Tim Garton
tim.garton at monsoonworks.com
Wed Mar 5 13:41:25 EST 2008
I forgot to include the versions of openswan being run - 2.4.4 on the
server and 2.4.6 on the client.
Tim Garton wrote:
> All,
> I've been trying to get NAT-T working for a couple of hours now and
> can't seem to get it to work. I was hoping someone out there might be
> able to shed some light on what I'm doing wrong. Here's the setup:
>
> Server: Ubuntu 6.04
> Client: Ubuntu 7.10 that's behind a NAT firewall
>
> 10.255.82.112 Client
> |
> 10.255.82.1 NAT Firewall
> 60.60.60.60
> |
> Internet
> |
> 50.50.50.50 Server
> 10.10.0.1
> |
> 10.10.0.0/19 Internal LAN
>
> For the client config I have:
> version 2.0
> config setup
> nat_traversal=yes
>
> conn myconn
> left=10.255.82.112
> leftid=@client
> leftsubnet=10.255.82.112/32
> leftrsasigkey=...
> leftnexthop=%defaultroute
> right=50.50.50.50
> rightsubnet=10.10.0.0/19
> rightid=@server
> rightrsasigkey=...
> rightnexthop=%defaultroute
> auto=start
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> For the server config I have:
> version 2.0
> config setup
> plutodebug="control parsing"
> nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/19,%v4:!10.100.0.0/24
>
> conn myconn
> left=%any
> leftid=@client
> leftsubnet=10.255.82.112/32
> leftrsasigkey=...
> leftnexthop=%defaultroute
> right=50.50.50.50
> rightsubnet=10.10.0.0/19
> rightid=@server
> rightrsasigkey=...
> rightnexthop=%defaultroute
> auto=add
>
> include /etc/ipsec.d/examples/no_oe.conf
>
>
> The VPN connection appears to be established just fine, but it only
> seems to work one way: Client->Server. From the client I can connect to
> any machine on the Internal LAN behind the server just fine. However, I
> can't connect from a machine on the Internal LAN to the client.
> Furthermore, a tcpdump run on the server seems to indicate that traffic
> going from the Internal LAN to the client is encapsulated in UDP but not
> sent to port 4500; instead it is sent to some random high-numbered port:
>
> tcpdump of ping from the client to the Internal LAN:
> 11:18:41.051227 IP (tos 0x0, ttl 43, id 75, offset 0, flags [DF],
> proto: UDP (17), length: 160) 60.60.60.60.4500 > 50.50.50.50.4500:
> UDP-encap: ESP(spi=0xc58688da,seq=0x122), length 132
> 11:18:41.051227 IP (tos 0x0, ttl 64, id 9, offset 0, flags [DF], proto:
> ICMP (1), length: 84) 10.255.82.112 > 10.10.1.24: ICMP echo request, id
> 28220, seq 10, length 64
> 11:18:41.051896 IP (tos 0x0, ttl 64, id 25265, offset 0, flags [none],
> proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.4500:
> UDP-encap: ESP(spi=0x3b4c1984,seq=0x54d), length 132
>
> tcpdump of ping from the Internal LAN to the client:
> 11:21:24.149565 IP (tos 0x0, ttl 64, id 25417, offset 0, flags [none],
> proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.56238:
> UDP-encap: ESP(spi=0x3b4c1984,seq=0x5e5), length 132
>
>
> As you can see, here it is sent to port 56238. Anyone have any idea
> what I've done wrong? Thanks.
>
> Tim
>
>
>
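The symptom in the captures above is that the server's reply ESP packets to the NATed peer go to UDP port 56238 instead of the port 4500 the peer's own packets arrived from. A NAT-T peer behind a NAT can only be reached at the source port its packets come out of the NAT on, so a quick way to spot this class of problem is to parse the tcpdump output and compare, per remote peer, the inbound source ports against the outbound destination ports. The following is an added example for this thread, not code from Openswan or from the original poster; the capture text is constructed from the tcpdump lines quoted above (same addresses, ports and SPIs), joined to one packet per line, and `local_ip` is assumed to be the server's public address 50.50.50.50.

```python
"""Flag NAT-T replies that are not sent back to the UDP port a peer's own
UDP-encapsulated ESP packets arrived from.

Added example for the mailing-list thread above; not Openswan code.
SAMPLE_CAPTURE is constructed from the tcpdump lines quoted in the thread,
with each packet's two output lines joined into one.
"""
import re

SAMPLE_CAPTURE = """\
11:18:41.051227 IP (tos 0x0, ttl 43, id 75, offset 0, flags [DF], proto: UDP (17), length: 160) 60.60.60.60.4500 > 50.50.50.50.4500: UDP-encap: ESP(spi=0xc58688da,seq=0x122), length 132
11:18:41.051896 IP (tos 0x0, ttl 64, id 25265, offset 0, flags [none], proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.4500: UDP-encap: ESP(spi=0x3b4c1984,seq=0x54d), length 132
11:21:24.149565 IP (tos 0x0, ttl 64, id 25417, offset 0, flags [none], proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.56238: UDP-encap: ESP(spi=0x3b4c1984,seq=0x5e5), length 132
"""

# tcpdump -v layout: timestamp, "IP (...header fields...) src.port > dst.port:"
# followed by the UDP-encap ESP summary with SPI and sequence number.
ESP_LINE = re.compile(
    r"^(?P<ts>\S+) IP .*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"UDP-encap: ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)


def parse_esp_lines(text):
    """Return one dict per UDP-encapsulated ESP packet found in tcpdump text.

    Lines that are not UDP-encap ESP (e.g. the decrypted inner ICMP echo in
    the thread's capture) are skipped.
    """
    pkts = []
    for line in text.splitlines():
        m = ESP_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["spi"] = int(d["spi"], 16)
        d["seq"] = int(d["seq"], 16)
        pkts.append(d)
    return pkts


def find_port_mismatches(pkts, local_ip):
    """Report outbound ESP-in-UDP packets whose destination port is not one
    the same peer has been seen sending from.

    The UDP source port on packets arriving from a NATed peer is the NAT's
    mapping for that peer; replies must target it or the NAT drops them.
    Returns a list of (timestamp, peer_ip, bad_dport, expected_ports).
    """
    learned = {}  # peer ip -> set of UDP source ports seen on inbound packets
    for p in pkts:
        if p["dst"] == local_ip:
            learned.setdefault(p["src"], set()).add(p["sport"])

    mismatches = []
    for p in pkts:
        if p["src"] != local_ip or p["dst"] not in learned:
            continue
        if p["dport"] not in learned[p["dst"]]:
            mismatches.append(
                (p["ts"], p["dst"], p["dport"], sorted(learned[p["dst"]]))
            )
    return mismatches


if __name__ == "__main__":
    # local_ip is assumed to be the server's public address from the thread.
    packets = parse_esp_lines(SAMPLE_CAPTURE)
    for ts, peer, port, expected in find_port_mismatches(packets, "50.50.50.50"):
        print(f"{ts}: reply to {peer} sent to UDP/{port}, "
              f"but peer's packets arrive from UDP/{expected}")
```

Run against a live capture with `tcpdump -nnv -i eth0 udp port 4500 or udp port 500` piped in, after joining each packet's header and payload lines; any hit means the kernel's NAT-T SA for that peer carries a stale or wrong encapsulation port, which is what the 56238 in the thread's third capture shows.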