[Openswan Users] Help getting Nat to work...
Scott Savarese
openswan at scottsavarese.com
Mon Nov 17 20:33:17 EST 2008
I'm trying to set up a VPN between my Mac laptop and my server. I have
two configurations I want to support, one for when I am not at home and the
other for when I am. The server is at home and is on 192.168.2.2. I have
two VLANs. My laptop can be somewhere on the 192.168.1 subnet. There is
one public IP, so it will be NAT'd at the firewall (a Linux OpenWrt
router). If I remove the nat_traversal, virtual_private and rightsubnet
lines from the configuration below, I can connect when at home. As
soon as I add the nat_traversal line back in, I get the error below. Adding
in the virtual_private and rightsubnet lines doesn't help. I'm hoping it is
something easy. Can y'all help?
Thanks,
Scott

Nov 17 19:55:53 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 17 19:55:53 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
new NAT mapping for #13, was 192.168.1.173:500, now 192.168.1.173:4500
Nov 17 19:55:53 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Nov 17 19:55:53 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 17 19:55:53 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
received and ignored informational message
Nov 17 19:55:54 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
the peer proposed: 192.168.2.2/32:17/1701 -> 192.168.1.173/32:17/0
Nov 17 19:55:54 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #14:
ENCAPSULATION_MODE_UDP_TRANSPORT must only be used if NAT-Traversal is
detected
Nov 17 19:55:54 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #14:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.1.173:4500
Nov 17 19:56:04 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
the peer proposed: 192.168.2.2/32:17/1701 -> 192.168.1.173/32:17/49647
Nov 17 19:56:04 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #15:
ENCAPSULATION_MODE_UDP_TRANSPORT must only be used if NAT-Traversal is
detected
Nov 17 19:56:04 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #15:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.1.173:4500
Nov 17 19:56:14 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #13:
the peer proposed: 192.168.2.2/32:17/1701 -> 192.168.1.173/32:17/49647
Nov 17 19:56:14 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #16:
ENCAPSULATION_MODE_UDP_TRANSPORT must only be used if NAT-Traversal is
detected
Nov 17 19:56:14 server pluto[30127]: "roadwarrior"[1] 192.168.1.173 #16:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.1.173:4500
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24

include /etc/ipsec.d/*.conf

From roadwarrior.conf:

conn roadwarrior
        left=192.168.2.2
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        authby=secret
        pfs=no