[Openswan Users] Can't get NAT traversal to work

Paul Wouters paul at xelerance.com
Thu Jan 1 19:59:22 EST 2009


On Thu, 1 Jan 2009, David J Craigon wrote:

> Anyway, I cannot get NAT traversal to work. My setup is as follows- I want
> to get a VPN running between two hosts both running Openswan. One is on the
> internet and has a public IP address, and is running Fedora 9. The other is
> my laptop sat at home behind a NAT running Fedora 10.

I have a similar setup on my laptop, where I tunnel my own /29 onto my laptop.

> conn host-to-host
>     left=192.168.2.34
>     leftid=81.76.68.138
>     leftnexthop=192.168.2.1
>     leftsubnet=192.168.2.0/24
>     leftrsasigkey=blah blah blah
>     right=94.102.146.99               # Remote vitals
>     rightid=94.102.146.99
>     rightsubnet=94.102.146.96/29
>     rightrsasigkey=blah blah blah
>     rightnexthop=94.102.146.97     # correct in many situations
>     auto=add                       # authorizes but doesn't start this
>                                    # connection at startup

With both ends being openswan, ditch PSK and use raw RSA. eg:

	authby=rsasig
	leftrsasigkey=XXXX
	rightrsasigkey=YYY
	leftid=@laptop
	rightid=@server
	left=%defaultroute

Get the rsasigkey lines using: ipsec showhostkey --left (or --right) on the
two machines. This avoids PSK authentication by IP while having other
IPs due to NAT.

> 
> When I do on the box behind the NAT I get:
> 
> [root at localhost log]# ipsec auto --up host-to-host
> 104 "host-to-host" #1: STATE_MAIN_I1: initiate
> 010 "host-to-host" #1: STATE_MAIN_I1: retransmission; will wait 20s for
> response
> 
> 
> and I see in /etc/secure on the remote box:
> Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring
> unknown Vendor ID payload [4f457d5a765a404d5b4f5744]
> Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received
> Vendor ID payload [Dead Peer Detection]
> Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received
> Vendor ID payload [RFC 3947] method set to=109
> Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
> using method 109
> Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
> using method 109
> Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
> using method 109
> Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial
> Main Mode message received on 94.102.146.99:500 but no connection has been
> authorized with policy=RSASIG

You are missing authby=secret to use PSKs on the laptop.

Paul
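As an added illustration (not part of the thread, and not Openswan's own code), the following Python script applies the checks this exchange turns on to an ipsec.conf conn and to the pluto log lines quoted above: it parses a conn section, flags IP-based leftid/rightid values and a missing or contradictory authby, and classifies the NAT-T Vendor ID and "no connection has been authorized with policy=" lines. The conn texts and log lines are constructed from the thread; the rsasigkey values are placeholders, and the "fixed" conn is simply the poster's conn with Paul's suggested changes applied.

```python
"""Lint an Openswan conn and classify pluto log lines for the NAT-T pitfalls
discussed in the thread. Added example; not Openswan code."""
import ipaddress
import re

# Constructed: the poster's conn, with the elided keys replaced by placeholders.
CONN_ORIGINAL = """\
conn host-to-host
    left=192.168.2.34
    leftid=81.76.68.138
    leftnexthop=192.168.2.1
    leftsubnet=192.168.2.0/24
    leftrsasigkey=0sAQ-PLACEHOLDER-LEFT
    right=94.102.146.99               # Remote vitals
    rightid=94.102.146.99
    rightsubnet=94.102.146.96/29
    rightrsasigkey=0sAQ-PLACEHOLDER-RIGHT
    rightnexthop=94.102.146.97
    auto=add
"""

# Constructed: the same conn with the suggested changes (authby=rsasig,
# @name ids, left=%defaultroute) applied.
CONN_FIXED = """\
conn host-to-host
    authby=rsasig
    left=%defaultroute
    leftid=@laptop
    leftsubnet=192.168.2.0/24
    leftrsasigkey=0sAQ-PLACEHOLDER-LEFT
    right=94.102.146.99
    rightid=@server
    rightsubnet=94.102.146.96/29
    rightrsasigkey=0sAQ-PLACEHOLDER-RIGHT
    rightnexthop=94.102.146.97
    auto=add
"""

# Pluto lines as quoted in the thread (subset).
PLUTO_LOG = [
    "Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]",
    "Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [Dead Peer Detection]",
    "Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [RFC 3947] method set to=109",
    "Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109",
    "Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG",
]


def parse_conns(text):
    """Parse 'conn NAME' sections of an ipsec.conf fragment into {name: {key: value}}.
    Trailing '# comments' are stripped; other sections (config setup) are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1].strip(), {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def _is_bare_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_conn(params):
    """Findings for one conn: IP-based ids (break behind NAT) and authby mismatches.
    When leftid/rightid is absent, pluto falls back to the address, so check that."""
    findings = []
    for side in ("left", "right"):
        ident = params.get(side + "id", params.get(side, ""))
        if _is_bare_ip(ident):
            findings.append(f"{side}id is an IP ({ident}); a NATed peer arrives from "
                            "another address, use an @name id instead")
    authby = params.get("authby")
    has_keys = all(side + "rsasigkey" in params for side in ("left", "right"))
    if authby is None:
        findings.append("authby not set explicitly; set authby=rsasig or authby=secret "
                        "so both ends agree on the policy")
    elif authby == "secret" and has_keys:
        findings.append("authby=secret but rsasigkey lines are present; pick one method")
    elif authby == "rsasig" and not has_keys:
        findings.append("authby=rsasig but a rsasigkey line is missing")
    return findings


_PEER_RE = re.compile(r"packet from ([\d.]+):(\d+)")
_POLICY_RE = re.compile(r"no connection has been authorized with policy=(\w+)")
_NATT_RE = re.compile(r"Vendor ID payload \[(RFC 3947|draft-ietf-ipsec-nat-t-ike-\d+(?:_n)?)\]")


def classify_pluto_line(line):
    """Return (kind, detail, peer_ip) for one pluto log line."""
    peer = _PEER_RE.search(line)
    src = peer.group(1) if peer else None
    m = _POLICY_RE.search(line)
    if m:
        return ("policy_mismatch", m.group(1), src)
    m = _NATT_RE.search(line)
    if m:
        return ("natt_vendor_id", m.group(1), src)
    if "ignoring unknown Vendor ID" in line:
        return ("unknown_vendor_id", None, src)
    return ("other", None, src)


def diagnose(log_lines):
    """Summarise whether the peer offered NAT-T and which policy the responder rejected."""
    kinds = [classify_pluto_line(l) for l in log_lines]
    natt = [d for k, d, _ in kinds if k == "natt_vendor_id"]
    rejected = [d for k, d, _ in kinds if k == "policy_mismatch"]
    return {"natt_offered": bool(natt), "natt_methods": natt, "policy_rejected": rejected}


if __name__ == "__main__":
    for label, text in (("original", CONN_ORIGINAL), ("fixed", CONN_FIXED)):
        for name, params in parse_conns(text).items():
            print(label, name, lint_conn(params) or "OK")
    print(diagnose(PLUTO_LOG))
```

Run it as-is and the original conn draws three findings (both ids are IPs, authby unset) while the fixed conn is clean; the log summary shows NAT-T was offered (RFC 3947 plus the draft-03 variant) and that the responder rejected the exchange for policy RSASIG, which is the line to compare against the authby on both ends.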

