[Openswan Users] problems with nat-t

danny dan danny71395 at gmail.com
Thu Sep 18 04:23:32 EDT 2008


I have tried to implement VPN remote access from my home to my office...

I have already bought the book "Building Integrated Virtual Private Network with
Openswan"...

but I still have problems making a connection to my office.

For your information, my network structure is like this:

roadwarrior======outside network====firewall====DMZ====vpnserver

This is my ipsec.conf:

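version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
# NOTE: ipsec.conf parameter lines are expected to be indented; a line at
# column 0 is read as a section/keyword line.  Two values below had been
# wrapped onto a second, unindented line in the mail (the plutodebug warning
# comment and the virtual_private value) and are rejoined here so the file
# parses as one parameter per line.
config setup
        # ipsecN=ethN is the KLIPS interface binding; eth1 is the interface
        # pluto.log reports the send errors on.  With NETKEY the
        # %defaultroute form below is used instead.
        interfaces="ipsec1=eth1"
        # interfaces=%defaultroute
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # address ranges a NAT-ed peer may present as its (virtual) address;
        # the server's own leftsubnet 192.168.1.0/24 is excluded with "!"
        # so a road warrior cannot claim the protected network itself.
        virtual_private=%v4:219.93.36.0/24,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
        # keep debug off in production; IKE payloads would land in the log
        plutodebug=none
        plutostderrlog=/var/log/pluto.log
        #
        # enable this if you see "failed to find any available worker"
        # nhelpers=0
        # uniqueids=yes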

# Add connections here

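conn %default
      # settings inherited by every conn below unless the conn overrides them
      authby=rsasig
      keyingtries=1
      compress=yes
      disablearrivalcheck=no
      ikelifetime=1h
      # NOTE(review): leftrsasigkey and rightrsasigkey below hold the SAME
      # public key.  rightrsasigkey is the peer's (road warrior's) key; if the
      # client really uses the server's key pair, one credential authenticates
      # both ends and the peers are not distinguishable by key.  conn road sets
      # leftcert, so the left key presumably comes from the certificate there;
      # the right key should be the client's own key or certificate.
      # (Both key lines were at column 0 in the mail; parameter lines must be
      # indented, so they are indented here.)
      leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
      # leftcert=/etc/ipsec.d/private/mykey.pem
      rightrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
      # %default itself is never loaded; conns that do not set auto inherit
      # "ignore" and are skipped as well
      auto=ignore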


    #conn roadwarrior-all
    #     leftsubnet=0.0.0.0/0
    #     also=roadwarrior

# Server side of the road-warrior tunnel; both protoport settings pin UDP 1701,
# so this presumably carries L2TP (see the commented roadwarrior-l2tp conns).
conn road
     type=tunnel
     # always UDP-encapsulate ESP, even if NAT is not detected during IKE
    forceencaps=yes
     # server's public address (eth1)
     left=219.93.36.214
   # left=%defaultroute
     # server certificate; its subject must match leftid exactly
    leftcert=mycert.pem
     # NOTE(review): the E= attribute here reads ".net" only, which looks
     # truncated — compare with the certificate subject before relying on it
    leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=.net"
   #  leftid=@vpnserver.scan-associates.net
   # leftnexthop=219.93.36.xxx
     # NOTE(review): the peer is pinned to one address.  pluto.log below shows
     # this host answering our port-500 packets with ICMP port unreachable
     # ("Connection refused") when "road" is initiated from the server, i.e.
     # nothing is listening for IKE there.  A road warrior (usually behind
     # NAT) is normally configured as right=%any (commented out below) and
     # initiates the connection itself; confirm which side should initiate.
     right=60.54.220.178
   # right=%any
   # rightsubnet=vhost:%no,%priv
     rightprotoport=17/1701
   # rightnexthop=%defaultroute
     leftprotoport=17/1701
     # network behind the server; it is excluded from virtual_private above
     leftsubnet=192.168.1.0/24
     # AES-128 with SHA-1 for both IKE (phase 1) and ESP (phase 2)
     esp=aes128-sha1
     ike=aes128-sha
     # NOTE(review): this is the server's own DN (CN=vpnserver) with an empty
     # E=; the peer's ID should be the client's certificate subject, otherwise
     # the server is effectively accepting its own identity from the peer
     rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E="
     # no perfect forward secrecy for the child SA; presumably set for client
     # compatibility — a compromised IKE key then exposes past ESP sessions
     pfs=no
     # dead peer detection: probe every 40 s, give up after 130 s, then clear
     dpddelay=40
     dpdtimeout=130
     dpdaction=clear
     # custom updown hooks on both roles (only the left one runs on this host)
     leftupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
     rightupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
     # load at startup but do not initiate; the log below comes from a manual
     # "up" of this conn on the server side
     auto=add



#conn roadwarrior-l2tp
   #      ike=aes128-md5-modp1024
   #      esp=aes128-md5
   #      type=transport
   #      auth=esp
       #left=192.168.1.74
   #      left=219.xx.36.xxx
     #leftcert=mycert.pem
   #      leftprotoport=17/1701
   #      right=219.93.152.23
     #right=219.xx.36.xxx
   #      rightprotoport=17/1701
   #      pfs=no
   #      auto=add


#conn roadwarrior-l2tp-oldwin
 #        left=219.xx.36.xxx
      # left=%defaultroute
 #       leftcert=mycert.pem
 #       leftprotoport=17/0
 #       right=219.95.57.226
 #       rightprotoport=17/1701
 #       rightsubnet=vhost:%no,%priv
 #       pfs=no
 #       auto=add

# Opportunistic Encryption policy-group conns (block, private, private-or-clear,
# clear-or-private, clear, packetdefault).  All are set to auto=ignore so no
# traffic is matched by OE policy; the no_oe.conf include below presumably
# disables OE as well, so these entries are belt-and-braces.
conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf




When I tried to bring up the connection,

this is the error log in pluto.log:

"road" #4: initiating Main Mode
"road" #4: ERROR: asynchronous network error report on eth1 (sport=500) for
message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"road" #4: ERROR: asynchronous network error report on eth1 (sport=500) for
message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"road" #4: max number of retransmissions (2) reached STATE_MAIN_I1.  No
response (or no acceptable response) to our first IKE message

