[Openswan Users] Help with NAT-T

Paul Wouters paul at xelerance.com
Wed Mar 5 16:03:27 EST 2008


On Wed, 5 Mar 2008, Tim Garton wrote:

> I forgot to include the versions of openswan being run - 2.4.4 on the
> server and 2.4.6 on the client.

Upgrading to 2.4.12 is advised here.

> >     I've been trying to get NAT-T working for a couple hours now and
> > can't seem to get it to work.  Was hoping someone out there might be
> > able to shed some light on what I'm doing wrong.  Here's the setup:

> > config setup
> >         nat_traversal=yes

> > conn myconn
> >         left=10.255.82.112

You would use left=%defaultroute here to make it work everywhere.

> >         leftid=@client
> >         leftsubnet=10.255.82.112/32

Do not use leftsubnet when you just want to do NAT-T as the client.

> >         leftrsasigkey=...
> >         leftnexthop=%defaultroute
> >         right=50.50.50.50
> >         rightsubnet=10.10.0.0/19
> >         rightid=@server
> >         rightrsasigkey=...
> >         rightnexthop=%defaultroute
> >         auto=start
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > For the server config I have:
> > version 2.0
> > config setup
> >         plutodebug="control parsing"
> >         nat_traversal=yes
> >
> > virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/19,%v4:!10.100.0.0/24
> >
> > conn myconn
> >         left=%any
> >         leftid=@client
> >         leftsubnet=10.255.82.112/32

that needs to be:

	leftsubnet=vhost:%priv,%no

> >         leftrsasigkey=...
> >         leftnexthop=%defaultroute
> >         right=50.50.50.50
> >         rightsubnet=10.10.0.0/19
> >         rightid=@server
> >         rightrsasigkey=...
> >         rightnexthop=%defaultroute
> >         auto=add

If you still get problems, switch "left" and "right" on the server, so you
are using right=%any instead of left=%any


> > tcpdump of ping from the Internal LAN to the client:
> > 11:21:24.149565 IP (tos 0x0, ttl  64, id 25417, offset 0, flags [none],
> > proto: UDP (17), length: 160) 50.50.50.50.4500 > 60.60.60.60.56238:
> > UDP-encap: ESP(spi=0x3b4c1984,seq=0x5e5), length 132

> > As you can see, here it is sent to port 56238.  Anyone have any idea
> > what I've done wrong?  Thanks.

That is NAT-T, which is the UDP encapsulation being used. Your client used a
random source port to connect to port 4500 (and/or a NAT device changed
that port). It's normal.

Paul
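
Assembled from the three suggestions in the reply above (left=%defaultroute on the client, no leftsubnet on the client, and leftsubnet=vhost:%priv,%no on the server), the two configurations would read as follows. This is an added illustration, not text from either poster: the rsasigkey values stay elided as in the original, the IDs and addresses are the ones from the thread, and the 172.16.0.0/12 entry is written with the %v4: prefix that openswan expects.

```conf
# Client (behind NAT) - /etc/ipsec.conf
version 2.0
config setup
        nat_traversal=yes

conn myconn
        left=%defaultroute          # was 10.255.82.112; %defaultroute works from any network
        leftid=@client
        # no leftsubnet: the client only tunnels its own address
        leftrsasigkey=...
        right=50.50.50.50
        rightsubnet=10.10.0.0/19
        rightid=@server
        rightrsasigkey=...
        auto=start

include /etc/ipsec.d/examples/no_oe.conf

# Server (public address 50.50.50.50) - /etc/ipsec.conf
version 2.0
config setup
        nat_traversal=yes
        # %priv ranges the NAT'd client may sit in; the ! entries exclude the
        # server's own subnets so they are never accepted as a client address
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/19,%v4:!10.100.0.0/24

conn myconn
        left=%any
        leftid=@client
        # accept a client address from virtual_private (%priv), or no subnet at all (%no)
        leftsubnet=vhost:%priv,%no
        leftrsasigkey=...
        right=50.50.50.50
        rightsubnet=10.10.0.0/19
        rightid=@server
        rightrsasigkey=...
        auto=add
```

The ! entries in virtual_private matter from a security standpoint: without them a roadwarrior could claim an address inside 10.10.0.0/19 and have the server route that prefix into the tunnel.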


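The tcpdump line at the end of the thread shows what NAT-T traffic looks like on the wire: ESP carried inside UDP, with the server on port 4500 and the client on whatever source port the NAT chose. The following decoder, added here as an example and not part of the original post, demultiplexes a UDP/4500 datagram the way RFC 3948 describes (a single 0xFF byte is a NAT keepalive, a leading four-zero-byte non-ESP marker means IKE, anything else is ESP whose first two words are the SPI and sequence number) and rejects datagrams where neither port is 4500. The sample packet is constructed to match the values in the tcpdump output (50.50.50.50.4500 > 60.60.60.60.56238, SPI 0x3b4c1984, seq 0x5e5, 132 bytes of encapsulated ESP); the ciphertext bytes are filler.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 §2.2: prefix that marks IKE, not ESP
KEEPALIVE = b"\xff"                    # RFC 3948 §2.3: one-byte NAT keepalive


@dataclass
class NatTPacket:
    kind: str                 # "esp", "ike" or "keepalive"
    sport: int
    dport: int
    payload_len: int          # bytes following the 8-byte UDP header
    spi: Optional[int] = None
    seq: Optional[int] = None


def build_udp(sport: int, dport: int, body: bytes) -> bytes:
    """Prepend a UDP header (checksum left zero) to a payload; used to build samples."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def parse_udp(datagram: bytes):
    """Split a UDP datagram into (sport, dport, payload), checking the length field."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than a UDP header")
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field %d does not match %d bytes" % (length, len(datagram)))
    return sport, dport, datagram[8:]


def classify_nat_t(datagram: bytes) -> NatTPacket:
    """Classify a UDP datagram as NAT-T keepalive, IKE, or UDP-encapsulated ESP.

    Only one side needs to be on 4500: the NAT'd peer's port is whatever the
    NAT rewrote it to (56238 in the thread), which is normal for NAT-T.
    """
    sport, dport, body = parse_udp(datagram)
    if NAT_T_PORT not in (sport, dport):
        raise ValueError("neither port is %d; not NAT-T" % NAT_T_PORT)
    if body == KEEPALIVE:
        return NatTPacket("keepalive", sport, dport, len(body))
    if len(body) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if body[:4] == NON_ESP_MARKER:
        # IKE header follows the marker; the ISAKMP SPIs start at body[4:]
        return NatTPacket("ike", sport, dport, len(body))
    spi, seq = struct.unpack("!II", body[:8])   # ESP: SPI then sequence number
    return NatTPacket("esp", sport, dport, len(body), spi=spi, seq=seq)


# Constructed sample modelled on the tcpdump line in the thread:
# 50.50.50.50.4500 > 60.60.60.60.56238: UDP-encap: ESP(spi=0x3b4c1984,seq=0x5e5), length 132
# 132 = 4 (SPI) + 4 (seq) + 124 bytes of ciphertext/trailer; IP total length 20 + 8 + 132 = 160.
ESP_SAMPLE = build_udp(4500, 56238, struct.pack("!II", 0x3B4C1984, 0x5E5) + bytes(124))

# Constructed keepalive from the NAT'd client toward the server's 4500.
KEEPALIVE_SAMPLE = build_udp(56238, 4500, KEEPALIVE)

# Constructed IKE-over-4500 datagram: non-ESP marker followed by a 28-byte ISAKMP header.
IKE_SAMPLE = build_udp(4500, 56238, NON_ESP_MARKER + bytes(28))


if __name__ == "__main__":
    for name, pkt in (("esp", ESP_SAMPLE), ("keepalive", KEEPALIVE_SAMPLE), ("ike", IKE_SAMPLE)):
        print(name, classify_nat_t(pkt))
```

Run against a real capture, read each UDP datagram's bytes (for example from a pcap via a library of your choice) and feed them to classify_nat_t; a stream of "esp" results with the same SPI and rising sequence numbers between a 4500 port and an arbitrary NAT'd port is exactly what the thread's tcpdump shows.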