[Openswan Users] Openswan ipsec Nat-traversal errors

yepee.boum yepee.boum at laposte.net
Mon Aug 10 11:53:34 EDT 2009


Hi,

To try to resolve my problem, I compiled the latest version (2.6.22) of Openswan on my Debian Lenny. I set the same configuration as in my previous mail.

I can establish a VPN connection locally but not through the internet.

When I type the command "/etc/init.d/ipsec start" these messages appear:

/etc/var/log/daemon.log
-------------------------------------------------------------
Aug 10 15:51:29 serveurVpn ipsec_setup: Starting Openswan IPsec U2.6.22/K2.6.26-2-686...
Aug 10 15:51:29 serveurVpn ipsec_setup: Using NETKEY(XFRM) stack
Aug 10 15:51:31 serveurVpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug 10 15:51:31 serveurVpn ipsec_setup: ...Openswan IPsec started
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 002 loading certificate from vpn-cert.pem 
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/vpn-cert.pem' (1131 bytes)
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 002 added connection description "vpn-l2tp-XP"
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
-------------------------------------------------------------


Have you already had this message before? How do you explain it? Do you think that this message is the reason for my problem?

Thanks

Paul


> Message from 07/08/09 19:04
> From: "yepee.boum" 
> To: users at openswan.org
> Cc: 
> Subject: [Openswan Users] Openswan ipsec Nat-traversal errors
>
> 
> Hi everybody,
> 
> I'm trying to do a roadwarrior IPsec/L2TP VPN between a Windows XP SP2 client and a Debian Lenny server. I installed Openswan 2.4.12 (present in the Debian repository); I didn't install openswan-modules because I want to use NETKEY.
> 
> I pass the configuration of the VPN between two local networks: 
> 
> client -----> VPN_serveur -----> Local network
> 
> Unfortunately it doesn't work when I do the same thing with a client who uses the internet to establish a connection to the server. I think that I have some trouble with NAT-Traversal, even though I set the option nat_traversal=yes in the ipsec.conf file.
> 
> roadwarrior_client ----------> NAT --->INTERNET -------> NAT---> VPN_serveur ----------> local network
> 
> Do you have any suggestions to solve this error:
> 
> Aug 7 18:07:45 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> 
> Thanks in advance
> 
> 
> Paul
> 
> 
> 
> 
> 
> /etc/ipsec.conf
> ---------------------------------------------------------
> version 2.0 # conforms to second version of ipsec.conf specification
> 
> 
> config setup
>     interfaces="ipsec0=eth0"
>     #plutodebug="all"
>     overridemtu=1440
>     rp_filter=0
>     nat_traversal=yes # standard for all connection types
>     keep_alive=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.40.0/24 #,%v4:193.168.0.0/16 # allow the private ranges, except 172.16.0.0/12, to come in through NAT-T
>     nhelpers=0
>     uniqueids=yes
>     #forwardcontrol=yes
> 
> conn %default
>     left=192.168.4.244 # external address of the server
>     keyingtries=3 # limit the number of key exchange attempts to 3
>     compress=no
>     disablearrivalcheck=no
>     leftsendcert=always # the certificate is always sent
>     leftcert=vpn-cert.pem
>     leftrsasigkey=%cert
>     rightca=%same
>     rightrsasigkey=%cert
>     dpddelay=30
>     dpdtimeout=60
>     dpdaction=hold
>     authby=rsasig
>     type=tunnel
> 
> conn vpn-l2tp-XP
>     #leftid=192.168.4.244
>     leftprotoport=udp/1701 # accept only L2TP traffic over UDP
>     rightprotoport=udp/1701 # accept only L2TP traffic over UDP
>     rightsubnet=vhost:%priv,%no # accept a client behind a NAT or with a public IP
>     right=%any # the client has a dynamic or unknown IP
>     rightid="/C=FR/ST=*************/O=*******/OU=XP/CN=*/E=*" # connection identifier
>     auto=add
>     pfs=no
> 
> 
> 
> 
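As an added triage helper that is not part of this thread and not Openswan's own code: the script below parses the ipsec_setup/pluto syslog lines quoted in both messages (embedded as a constructed sample) and decodes the numeric codes they carry. It assumes Linux errno numbering (19 = ENODEV, 113 = EHOSTUNREACH) and the ICMP type 3 code table from RFC 792; the table subsets, regexes and function names (parse_pluto_line, triage, describe) are my own.

```python
import re
from typing import List, Optional

# Constructed sample built from the log lines quoted in this thread.
SAMPLE_LOG = """\
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Aug 10 15:51:33 serveurVpn ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Aug 7 18:07:45 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

# Linux errno numbers that appear in the thread (constructed subset; numbering is Linux-specific).
LINUX_ERRNO = {
    19: ("ENODEV", "no such device"),
    113: ("EHOSTUNREACH", "no route to host"),
}

# ICMP destination-unreachable (type 3) codes per RFC 792 / RFC 1122 (subset).
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}

# Classic syslog shape: "Mon dd hh:mm:ss host program: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)
ERRNO_RE = re.compile(r"errno\s*=?\s*(\d+)")          # matches "errno=19" and "errno 113"
ICMP_RE = re.compile(r"ICMP type (\d+) code (\d+)")
PEER_RE = re.compile(r"for message to (\S+) port (\d+)")
COMPLAINANT_RE = re.compile(r"complainant (\S+):")


def parse_pluto_line(line: str) -> Optional[dict]:
    """Parse one syslog line into a record; return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"]
    rec = {
        "timestamp": m["ts"], "host": m["host"], "program": m["prog"], "msg": msg,
        "nat_t": "NAT-Traversal" in msg,
        "errno": None, "errno_name": None, "errno_desc": None,
        "icmp": None, "peer": None, "peer_port": None, "complainant": None,
    }
    e = ERRNO_RE.search(msg)
    if e:
        num = int(e.group(1))
        name, desc = LINUX_ERRNO.get(num, ("UNKNOWN", "not in the local table"))
        rec.update(errno=num, errno_name=name, errno_desc=desc)
    i = ICMP_RE.search(msg)
    if i:
        icmp_type, icmp_code = int(i.group(1)), int(i.group(2))
        meaning = (ICMP_UNREACHABLE_CODES.get(icmp_code, "other unreachable code")
                   if icmp_type == 3 else "not a destination-unreachable message")
        rec["icmp"] = {"type": icmp_type, "code": icmp_code, "meaning": meaning}
    p = PEER_RE.search(msg)
    if p:
        rec["peer"], rec["peer_port"] = p.group(1), int(p.group(2))
    c = COMPLAINANT_RE.search(msg)
    if c:
        rec["complainant"] = c.group(1)
    return rec


def triage(log_text: str) -> List[dict]:
    """Keep only the lines that carry an errno or an ICMP report, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_pluto_line(line)
        if rec and (rec["errno"] is not None or rec["icmp"] is not None):
            out.append(rec)
    return out


def describe(rec: dict) -> str:
    """One-line human summary of a triaged record."""
    parts = [f"{rec['timestamp']} {rec['program']}"]
    if rec["errno"] is not None:
        parts.append(f"errno {rec['errno']} ({rec['errno_name']}: {rec['errno_desc']})")
    if rec["icmp"]:
        parts.append(f"ICMP type {rec['icmp']['type']} code {rec['icmp']['code']} = {rec['icmp']['meaning']}")
    if rec["complainant"]:
        parts.append(f"reported by {rec['complainant']}")
    if rec["peer"]:
        parts.append(f"destination {rec['peer']}:{rec['peer_port']}")
    return "; ".join(parts)


if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(describe(record))
```

Run against a real /var/log/daemon.log the same way (read the file and pass its text to triage). Decoding the numbers is the point: the ESPINUDP line carries a kernel errno from the socket option setup, while the second line is the kernel relaying an ICMP unreachable that the local host (the "complainant") generated for a packet to the peer's UDP port, so the two failures come from different layers and should be investigated separately.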

