[Openswan Users] Ipsec/l2tp server behind nat, again(2)
Brad Johnson
bjohnson at astrocorp.com
Wed Oct 8 12:18:36 EDT 2008
If incoming packets to OpenSwan are being DNAT''ed (port forwarded) by
the NAT device, how could OpenSwan possibly realize it is being
contacted via 12.34.112.177?
I think you may need to add a leftid to your server config, like this maybe:
leftid=12.34.112.177
Just an idea.
...Brad
Lux wrote:
> Hi all
>
> Sorry for opening a third thread on the same issue, but I'm still unable to
> get a working l2tp/ipsec server behind nat, and I begin to wonder if anyone
> has got it working with Openswan 2.6.x.
>
> I just upgraded to Openswan 2.6.18 and switched from PSK to certificate
> authentication, with no results.
>
> My setup is this:
>
> Openswan/xl2tpd server
> Real IP address
> 192.168.0.100
> |
> |
> 192.168.0.254
> NAT router
> 12.34.112.177
> |
> |
> .....
> Internet
> .....
> |
> |
> Road warrior
> Client with
> 192.168.1.100
>
> In simple words, the server with IP 192.168.0.100 is visible to the outside
> world through 12.34.112.177.
> When I try to connect, I find in the Openswan logs:
>
> | find_host_pair: comparing to 192.168.0.100:500 0.0.0.0:500
> | checking hostpair 192.168.0.100/32 -> 0.0.0.0/32 is found
> | match_id a=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi, CN=Lux,
> E=xxxxx at iotti.biz
> | b=(none)
> | results matched
> | trusted_ca called with a=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi,
> CN=lux CA, E=xxxxx at iotti.biz b=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi,
> CN=lux CA, E=xxxxx at iotti.biz
> | fc_try trying roadwarrior-l2tp:12.34.112.177/32:17/1701 ->
> 192.168.1.100/32:17/1701(virt) vs roadwarrior-l2tp:192.168.0.100/32:17/1701
> -> 0.0.0.0/32:17/1701(virt)
> | our client(192.168.0.100/32) not in our_net (12.34.112.177/32)
> ...
> "roadwarrior-l2tp"[2] 79.7.5.10 #1: cannot respond to IPsec SA request
> because no connection is known for
> 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...79.7.5.10[C=
> IT, ST=RE, L=Reggio Emilia, O=Lux Servizi, CN=Lux,
> E=xxxxx at iotti.biz,+S=C]:17/1701===192.168.1.100/32
>
> Looking at the line "our client(192.168.0.100/32) not in our_net
> (12.34.112.177/32)" it seems that Openswan is unable to realize that, due to
> nat translation, it is being contacted via the public IP address
> 12.34.112.177), and that this public IP is simply the IP that was reserved
> for Openswan itself.
>
> I tried with and without type=transport obtaining the same result.
>
> Any ideas to get this to work?
>
> My config :
>
> version 2.0
>
> config setup
> plutodebug="parsing emitting lifecycle dns oppo control controlmore
> pfkey nattraversal x509"
> dumpdir=/tmp
> interfaces=%defaultroute
> nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192
> .168.0.0/24
> protostack=netkey
>
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn roadwarrior-l2tp
> authby=rsasig
> pfs=no
> auto=add
> rekey=no
> ikelifetime=8h
> keylife=1h
> type=transport
> left=192.168.0.100
> leftnexthop=192.168.0.254
> leftrsasigkey=%cert
> leftcert=localhost.crt
> leftprotoport=17/1701
> right=%any
> rightca=%same
> rightrsasigkey=%cert
> rightprotoport=17/1701
> rightsubnet=vhost:%no,%priv
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
More information about the Users
mailing list