[Openswan Users] problems with nat-t
Janantha Marasinghe
janantha at techcert.lk
Thu Sep 18 04:28:35 EDT 2008
"Connection refused " seems like your firewall is not permitting things
to flow. What is your iptables config?
danny dan wrote:
> i have tried to implement vpn remote access from my home to my office...
>
> i already buy the book building integrated virtual private network
> with openswan...
>
> but i still have problems to make a connection to my office..
>
> for your information..my network structure is like this..
>
> roadwarrior======outside network====firewall====DMZ====vpnserver
>
> this is my ipsec.conf..
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> interfaces="ipsec1=eth1"
> # interfaces=%defaultroute
> # plutodebug / klipsdebug = "all", "none" or a combation from
> below:
> # "raw crypt parsing emitting control klips pfkey natt x509
> private"
> # eg: plutodebug="control parsing"
> #
> # ONLY enable plutodebug=all or klipsdebug=all if you are a
> developer !!
> #
> # NAT-TRAVERSAL support, see README.NAT-Traversal
> nat_traversal=yes
>
> virtual_private=%v4:219.93.36.0/24,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
> <http://219.93.36.0/24,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:%21192.168.1.0/24>
> plutodebug=none
> plutostderrlog=/var/log/pluto.log
> #
> # enable this if you see "failed to find any available worker"
> # nhelpers=0
> # uniqueids=yes
>
> # Add connections here
>
> conn %default
> authby=rsasig
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> ikelifetime=1h
>
> leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
> # leftcert=/etc/ipsec.d/private/mykey.pem
>
> rightrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol
> auto=ignore
>
>
> #conn roadwarrior-all
> # leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> # also=roadwarrior
>
> conn road
> type=tunnel
> forceencaps=yes
> left=219.93.36.214 <http://219.93.36.214>
> # left=%defaultroute
> leftcert=mycert.pem
> leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver,
> E=.net"
> # leftid=@vpnserver.scan-associates.net
> <http://vpnserver.scan-associates.net>
> # leftnexthop=219.93.36.xxx
> right=60.54.220.178 <http://60.54.220.178>
> # right=%any
> # rightsubnet=vhost:%no,%priv
> rightprotoport=17/1701
> # rightnexthop=%defaultroute
> leftprotoport=17/1701
> leftsubnet=192.168.1.0/24 <http://192.168.1.0/24>
> esp=aes128-sha1
> ike=aes128-sha
> rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E="
> pfs=no
> dpddelay=40
> dpdtimeout=130
> dpdaction=clear
> leftupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
> rightupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh
> auto=add
>
>
>
> #conn roadwarrior-l2tp
> # ike=aes128-md5-modp1024
> # esp=aes128-md5
> # type=transport
> # auth=esp
> #left=192.168.1.74 <http://192.168.1.74>
> # left=219.xx.36.xxx
> #leftcert=mycert.pem
> # leftprotoport=17/1701
> # right=219.93.152.23 <http://219.93.152.23>
> #right=219.xx.36.xxx
> # rightprotoport=17/1701
> # pfs=no
> # auto=add
>
>
> #conn roadwarrior-l2tp-oldwin
> # left=219.xx.36.xxx
> # left=%defaultroute
> # leftcert=mycert.pem
> # leftprotoport=17/0
> # right=219.95.57.226 <http://219.95.57.226>
> # rightprotoport=17/1701
> # rightsubnet=vhost:%no,%priv
> # pfs=no
> # auto=add
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> # sample VPN connections, see /etc/ipsec.d/examples/
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
>
>
>
> when i tried to up the connection..
>
> this is the error log on the pluto.log
>
> "road" #4: initiating Main Mode
> "road" #4: ERROR: asynchronous network error report on eth1
> (sport=500) for message to 60.54.220.178 <http://60.54.220.178> port
> 500, complainant 60.54.220.178 <http://60.54.220.178>: Connection
> refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> "road" #4: ERROR: asynchronous network error report on eth1
> (sport=500) for message to 60.54.220.178 <http://60.54.220.178> port
> 500, complainant 60.54.220.178 <http://60.54.220.178>: Connection
> refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> "road" #4: max number of retransmissions (2) reached STATE_MAIN_I1.
> No response (or no acceptable response) to our first IKE message
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
--
-----------------------------------------------------
Best Regards
Janantha Marasinghe
No virus found in this outgoing message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.6.21/1677 - Release Date: 9/17/2008 5:07 PM
-------------- next part --------------
A non-text attachment was scrubbed...
Name: janantha.vcf
Type: text/x-vcard
Size: 371 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080918/eae752d2/attachment.vcf
More information about the Users
mailing list