[Openswan Users] 2.6.18/l2tp/nat access for iphone - by-the-book setup SA issues...

Achim Moller netcom2002 at gmxpro.de
Thu Nov 6 09:22:46 EST 2008


> What happens when you use rightsubnet=vhost:%priv ?
No change.

I have this config setup:

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.10.0/24

Some messages from the log. To me it seems that NAT-T is on and also properly detected (right?)

pluto[20511]: Starting Pluto (Openswan Version 2.6.18; Vendor ID OE}ZvZ at M[OWD) pid:20511
pluto[20511]: Setting NAT-Traversal port-4500 floating to on
pluto[20511]:    port floating activation criteria nat_t=1/port_float=1
pluto[20511]:    including NAT-Traversal patch (Version 0.6c)
pluto[20511]: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
....
pluto[20511]: "L2TP-PSK-XNAT"[2] yy.yy.yy.yy #1: the peer proposed: xx.xx.xx.xx/32:17/1701 -> zz.zz.zz.zz/32:17/0
pluto[20511]: "L2TP-PSK-XNAT"[2] yy.yy.yy.yy#2:     us: xx.xx.xx.xx<xx.xx.xx.xx>[+S=C]:17/1701
pluto[20511]: "L2TP-PSK-XNAT"[2] yy.yy.yy.yy#2:   them: yy.yy.yy.yy[zz.zz.zz.zz,+S=C]:17/53017===?
pluto[20511]: "L2TP-PSK-XNAT"[2] yy.yy.yy.yy #2: pfkey_lib_debug:pfkey_address_build: address is NULL
pluto[20511]: "L2TP-PSK-XNAT"[2] yy.yy.yy.yy #2: building of pfkey_nat_t_oa Add ESP SA esp.e90b7cf at yy.yy.yy.yy failed, code -22
pluto[20511]: | failed to install outgoing SA: 0






-------- Original Message --------
> Date: Thu, 6 Nov 2008 09:10:32 -0500 (EST)
> From: Paul Wouters <paul at xelerance.com>
> To: Achim Moller <netcom2002 at gmxpro.de>
> CC: users at openswan.org
> Subject: Re: [Openswan Users] 2.6.18/l2tp/nat access for iphone - by-the-book setup SA issues...

> On Thu, 6 Nov 2008, Achim Moller wrote:
> 
> > I was trying to set up an l2tp/ipsec setup for iphone roadwarriors (nat
> > and non-nat), but using the setup as explained in the Openswan book does
> > not work as expected from the ipsec side:
> 
> People have reported problems with iphones, though not this one.
> 
> > (using latest Openswan 2.6.18 on Linux kernel 2.6.27-2/klips/nat-t patch)
> 
> > And using a "rightprotoport=17/0" creates messages
> > >>>cannot respond to IPsec SA request because no connection is known for
> > xx.xx.xx.xx<xx.xx.xx.xx>[+S=C]:17/1701...yy.yy.yy.yy[zz.zz.zz.zz,+S=C]:17/53022===zz.zz.zz.zz/32<<
> 
> Are you sure you have NAT-T enabled using nat_traversal=yes, and having
> a valid virtual_private on the server?
> 
> > left=xx.xx.xx.xx
> > leftprotoport=17/1701
> > right=%any
> > rightprotoport=17/0
> > #rightprotoport=17/%any
> > rightsubnet=vhost:%priv,%no
> 
> What happens when you use rightsubnet=vhost:%priv ?
> 
> Paul


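For reference, here is a complete ipsec.conf layout for an L2TP/IPsec road-warrior setup behind NAT, in the shape the L2TP examples shipped with Openswan use. This is an added illustration, not the poster's configuration and not part of Paul's reply. The server address (203.0.113.10), the excluded local subnet (10.10.10.0/24) and the connection names are placeholders; rightprotoport=17/%any is used because that is what the shipped examples use, and the thread itself does not say which setting, if any, resolved the problem.

```ini
# /etc/ipsec.conf  (added example; addresses and names are placeholders)
version 2.0

config setup
        # KLIPS with the NAT-T patch, matching the poster's environment
        protostack=klips
        nat_traversal=yes
        # Private ranges a NATed road-warrior may sit behind.  The server's
        # own LAN (placeholder 10.10.10.0/24) is excluded with "!" so a
        # client cannot claim an inner address that collides with it.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.10.0/24

# Clients that reach us from a public address (no NAT on the path).
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        # L2TP/IPsec uses transport mode, not tunnel mode
        type=transport
        # Server side: placeholder public address, L2TP on UDP 1701
        left=203.0.113.10
        leftprotoport=17/1701
        # Any client; the client's UDP source port is not fixed
        right=%any
        rightprotoport=17/%any

# Clients behind NAT: same parameters, but accept a private (virtual)
# address on the far side, constrained by virtual_private above.
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
```

The matching pre-shared key goes in /etc/ipsec.secrets as `203.0.113.10 %any: PSK "..."` (server address first, then %any for the road-warriors). The `!` exclusion in virtual_private is the part that matters for security: without it a client could present the server's own LAN as its virtual address and have traffic for that LAN routed into the tunnel.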