[Openswan Users] Can't get NAT traversal to work
David J Craigon
david at craigon.co.uk
Thu Jan 1 06:20:10 EST 2009
Hello,
Happy new year! What do you do when you are off on your holidays? Naturally,
I play with VPNs. :-)
Anyway, I cannot get NAT traversal to work. My setup is as follows: I want
to get a VPN running between two hosts both running Openswan. One is on the
internet and has a public IP address, and is running Fedora 9. The other is
my laptop sat at home behind a NAT running Fedora 10.
I've successfully created a VPN between two hosts on the same subnet (behind
the NAT). So now I'm trying to get NAT traversal to work.
Here is my config file:
-----------------------
version 2.0 # conforms to second version of ipsec.conf specification
config setup
protostack=netkey
nat_traversal=yes
conn host-to-host
left=192.168.2.34
leftid=81.76.68.138
leftnexthop=192.168.2.1
leftsubnet=192.168.2.0/24
leftrsasigkey=blah blah blah
right=94.102.146.99 # Remote vitals
rightid=94.102.146.99
rightsubnet=94.102.146.96/29
rightrsasigkey=blah blah blah
rightnexthop=94.102.146.97 # correct in many situations
auto=add # authorizes but doesn't start this
# connection at startup
---------------------
When I do on the box behind the NAT I get:
[root@localhost log]# ipsec auto --up host-to-host
104 "host-to-host" #1: STATE_MAIN_I1: initiate
010 "host-to-host" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
and I see in /etc/secure on the remote box:
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [Dead Peer Detection]
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG
Any ideas? Thanks in advance,
David
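Added example, not part of the post above: a small triage script for responder-side pluto log lines of the kind quoted in the message. It groups packets by the initiator's source endpoint (which, behind NAT, is the NAT's public address, 81.76.68.138:500 here), records the Vendor IDs the peer offered and the NAT-T method pluto settled on, and flags the "no connection has been authorized" event that means the responder found no conn matching that source and policy. The sample log is constructed from the lines in the post; function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the responder-side pluto lines from the post, one entry per line.
SAMPLE_LOG = """\
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [Dead Peer Detection]
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG
"""

PKT_RE = re.compile(r"pluto\[(?P<pid>\d+)\]: packet from (?P<src>[\d.]+):(?P<sport>\d+): (?P<msg>.*)$")
VID_RE = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")
METHOD_RE = re.compile(r"method set to=(?P<m>\d+)")  # only the method pluto actually selected
NOCONN_RE = re.compile(r"initial (?P<mode>Main|Aggressive) Mode message received on "
                       r"(?P<dst>[\d.]+):(?P<dport>\d+) but no connection has been authorized "
                       r"with policy=(?P<policy>\S+)")

def summarize_pluto_log(text):
    """Return {src_endpoint: {vendor_ids, natt_method, unauthorized}} for 'packet from' lines."""
    peers = defaultdict(lambda: {"vendor_ids": [], "natt_method": None, "unauthorized": []})
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue  # not a per-packet pluto line; ignore
        rec = peers[f"{m['src']}:{m['sport']}"]
        msg = m["msg"]
        if (v := VID_RE.search(msg)):          # "ignoring unknown Vendor ID" does not match
            rec["vendor_ids"].append(v["vid"])
        if (mm := METHOD_RE.search(msg)):      # "meth=108, but already using" does not match
            rec["natt_method"] = int(mm["m"])
        if (n := NOCONN_RE.search(msg)):
            rec["unauthorized"].append({"mode": n["mode"], "local": f"{n['dst']}:{n['dport']}",
                                        "policy": n["policy"]})
    return dict(peers)

def findings(peers):
    """One human-readable line per initiator that was rejected for lack of a matching conn."""
    out = []
    for src, rec in peers.items():
        for u in rec["unauthorized"]:
            out.append(f"{src}: {u['mode']} Mode proposal to {u['local']} matched no conn "
                       f"with policy={u['policy']} (peer NAT-T method {rec['natt_method']})")
    return out

if __name__ == "__main__":
    for line in findings(summarize_pluto_log(SAMPLE_LOG)):
        print(line)
```

Run it over the responder's secure log (the file the post calls /etc/secure) to see, per source endpoint, whether the failure is a NAT-T negotiation problem or simply a conn that does not match the address the packets actually arrive from.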