[Openswan Users] OpenSwan not working with nat-t

CrashOverload at gmx.de
Tue Apr 14 04:20:38 EDT 2009


Hi Paul,

This is a part of the secure logfile:

 inserting event EVENT_SA_REPLACE, timeout in 27725 seconds for #2
| event added after event EVENT_REINIT_SECRET
 "vpn-redworks" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xca1df845 <0x22700df0 xfrm=3$
 | modecfg pull: noquirk policy:push not-client
 | phase 1 is done, looking for phase 2 to unpend
 | * processed 1 messages from cryptographic helpers
 | next event EVENT_PENDING_PHASE2 in 106 seconds

And this is the output of ip xfrm state:

src 112.113.114.115 (remote public ip) dst 192.168.168.66 (local private ip)
        proto esp spi 0x22700df0 reqid 16385 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x20417d18bd651f435ee96845a6058b51cb921821
        enc cbc(des3_ede) 0x99b0cd88db71c82880e87e4c4613a4f7ed9151b75264ca2e
src 192.168.168.66 dst 112.113.114.115
        proto esp spi 0xca1df845 reqid 16385 mode tunnel
        replay-window 32
        auth hmac(sha1) 0x28b66b32cef690d5380aeed723b641eb717be6f1
        enc cbc(des3_ede) 0xa2057e29b0054b0c052b169f34a0c3ba51d82daa642a9259


Thanks for your help. Do you need something more?

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, 7 April 2009 03:32
To: CrashOverload at gmx.de
Cc: users at openswan.org
Subject: Re: [Openswan Users] OpenSwan not working with nat-t

On Mon, 6 Apr 2009, CrashOverload at gmx.de wrote:

> I got only the following information about encryption and that the remote gateway is supporting NAT-T:
> 3 des  sha1 group 2

> And that's my part of the vpn:

> conn vpn
>        auth=esp
>        authby=secret
>        auto=add
>        forceencaps=yes
>        left=77.88.99.21        #Local Public IP
>        leftid=77.88.99.21
>        leftsubnet=192.168.168.66/32
>        pfs=yes
>        right=112.113.114.115   #Remote Public IP
>        rightid=112.113.114.115
>        rightsubnet=192.168.156.55/32
>        type=tunnel

So add:

     ike=3des-sha1-modp1024
     esp=3des-sha1

> Is there anything in the configuration missing or wrong?

show the logs with the errors?

Paul