[Openswan Users] Ipsec restart needed, after Vista with AssumeUDP=0 try, from behind a NAT
FLOC'H Tanguy
t.floch at sofrel.com
Mon Dec 14 08:12:51 EST 2009
Hello,
Any idea about this problem?
I have tried to play with the "keylife" and "ikelifetime" settings, hoping that I could open a new Ipsec session when the timeout has occurred ...
but I'm still not able to establish a new connection, after one "failure because of missing registry key" try.
Best regards,
Tanguy Floc'h
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf of FLOC'H Tanguy
Sent: Wednesday 2 December 2009 18:08
To: users at openswan.org
Subject: [Openswan Users] Ipsec restart needed, after Vista with AssumeUDP=0 try, from behind a NAT
Hi!
I'm currently using Openswan 2.4.15 and xl2tpd 1.2.4 as a VPN server for roadwarrior clients (XP SP2 / Vista).
I'm using PSK.
Both clients and VPN server are located behind a NAT (see schematic below).
This configuration is working great, with AssumeUDPEncapsulationContextOnSendRule=2 on XP / Vista clients.
Because of the "roadwarriors behind the same NAT" issue, I can only connect 1 client at a time, which is normal.
The problem I'm facing is:
If I try to connect from computer "Vista 2" (on which the AssumeUDPEncapsulationContextOnSendRule has not been set),
then I can't connect anymore from "Vista 1" or "XP 1". (even if I wait ~ 1 hour)
It seems like the previous "Vista 2" connection failure keeps the Ipsec session 'open' ... so I can't establish a new connection from the same "public" IP address (i.e. 192.168.1.2 here).
If I want to establish a new connection from "XP 1" or "Vista 1", the only solution is to restart ipsec.
Can this problem be fixed by editing ipsec.conf? Or is it an openswan problem?
Network:
(consider 192.168.1.x as a public network, i.e. Internet)
   >> Roadwarrior clients side <<

   XP 1    [172.17.20.226] ---------------+
   AssumeUDP.. = 2                        |      "Public" network GW (NAT)
                                          |
   Vista 1 [172.17.23.11]  ---------------+--[172.17.0.1] - [192.168.1.2] =====("Public Network")..
   AssumeUDP.. = 2                        |
                                          |
   Vista 2 [172.17.20.91]  ---------------+
   AssumeUDP.. NOT SET


   >> VPN Server Side <<

        "Public" network GW (NAT)                              +------ [192.168.0.3] VPN Server
        DNAT UDP:500,4500 > 192.168.0.3                        |
                                                               |
   ..("Public Network") ===== [192.168.1.1] - [192.168.0.1] ---+
> Scenario 1 (Vista 2 - XP 1 - ipsec restart - XP 1)
Pluto.log: http://docs.google.com/View?id=dc52kj55_8cdv9wjvf
Ipsec barf: http://docs.google.com/View?id=dc52kj55_7czwqp5hh
> Scenario 2 (Vista 2 - Vista 1 - ipsec restart - Vista 1)
Pluto.log: http://docs.google.com/View?id=dc52kj55_6fp64nrfq
Ipsec barf: http://docs.google.com/View?id=dc52kj55_5gjtg9ddn
My ipsec.conf:
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.17.0.0/16,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
    plutodebug=none
    plutostderrlog=/var/log/pluto.log

conn L2TP-PSK
    #
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    # VPN Server IP on the LAN
    left=192.168.0.3
    # LAN GW IP
    leftnexthop=192.168.0.1
    leftprotoport=17/1701
    #
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    #
    auto=add

# Disable opportunistic encryption.
include /etc/ipsec/ipsec.d/examples/no_oe.conf
Best regards,
Tanguy Floc'h
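Added example, not part of the original post or of the Openswan project: a PowerShell check that reads the client-side registry value the post refers to (AssumeUDPEncapsulationContextOnSendRule) on a Windows L2TP/IPsec client and reports what it allows. The registry path used here is the one Microsoft documents for this value, under the PolicyAgent service key; the post itself does not give the path. Running it on a client such as "Vista 2" before connecting shows the "NOT SET" condition that, in the post, leaves the server-side session stuck until an ipsec restart.

```powershell
# Added example (not from the original post). Reports the NAT-T registry value
# on a Windows XP/Vista L2TP/IPsec client. The path is the one Microsoft
# documents for this value; it is an assumption of this example, not from the post.
$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName      = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-AssumeUdpEncapRule {
    # Returns the DWORD as an int, or $null when the value is absent (the "NOT SET" case).
    $props = Get-ItemProperty -Path $PolicyAgentKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Get-AssumeUdpEncapRuleSummary([object]$Value) {
    if ($null -eq $Value) {
        return "$ValueName is NOT SET: this client cannot bring up an L2TP/IPsec SA to a server behind a NAT"
    }
    switch ($Value) {
        0       { return "$ValueName = 0: NAT-T to a server behind a NAT disabled (same effect as not set)" }
        1       { return "$ValueName = 1: only the server may be behind a NAT" }
        2       { return "$ValueName = 2: both client and server may be behind a NAT (the working setting in the post)" }
        default { return "$ValueName = $Value: unexpected value" }
    }
}

Get-AssumeUdpEncapRuleSummary (Get-AssumeUdpEncapRule)
```

The value is read by the IPsec Policy Agent when it starts, so a client whose value has just been added or changed needs a reboot before the new setting takes effect. The check only covers the client side; it does not clear the session that, according to the post, stays open on the Openswan server after a failed attempt.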
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users