[Openswan Users] Can't get NAT traversal to work

David J Craigon david at craigon.co.uk
Sun Jan 4 17:34:56 EST 2009


Hi,

Thanks for the reply, but it still doesn't work for me. I'm not totally sure
what the difference is between the config you've given me and the one I'm
using; as far as I can tell I _am_ using PSK. I got the codes from ipsec
showhostkey.

Thanks,

David

2009/1/2 Paul Wouters <paul at xelerance.com>

> On Thu, 1 Jan 2009, David J Craigon wrote:
>
> > Anyway, I cannot get NAT traversal to work. My setup is as follows- I want
> > to get a VPN running between two hosts both running Openswan. One is on the
> > internet and has a public IP address, and is running Fedora 9. The other is
> > my laptop sat at home behind a NAT running Fedora 10.
>
> I have a similar setup on my laptop, where I tunnel my own /29 onto my
> laptop.
>
> > conn host-to-host
> >     left=192.168.2.34
> >     leftid=81.76.68.138
> >     leftnexthop=192.168.2.1
> >     leftsubnet=192.168.2.0/24
> >     leftrsasigkey=blah blah blah
> >     right=94.102.146.99               # Remote vitals
> >     rightid=94.102.146.99
> >     rightsubnet=94.102.146.96/29
> >     rightrsasigkey=blah blah blah
> >     rightnexthop=94.102.146.97     # correct in many situations
> >     auto=add                       # authorizes but doesn't start this
> >                                    # connection at startup
>
> With both ends being openswan, ditch PSK and use raw RSA. eg:
>
>        authby=rsasig
>        leftrsasigkey=XXXX
>        rightrsasigkey=YYY
>        leftid=@laptop
>        rightid=@server
>        left=%defaultroute
>
> get the rsasigkey lines using: ipsec showhostkey --left (--right) on the
> two machines. This will avoid PSK authentication by IP while having other
> IPs due to NAT.
>
> >
> > When I do on the box behind the NAT I get:
> >
> > [root at localhost log]# ipsec auto --up host-to-host
> > 104 "host-to-host" #1: STATE_MAIN_I1: initiate
> > 010 "host-to-host" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> >
> >
> > and I see in /etc/secure on the remote box:
> > Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]
> > Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [Dead Peer Detection]
> > Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [RFC 3947] method set to=109
> > Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> > Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> > Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> > Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG
>
> You are missing authby=secret to use PSK's on the laptop.
>
> Paul
>
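As an added example (not part of this thread or of Openswan itself), a small Python parser over pluto log lines of the kind quoted above: it pulls out, per peer address, which NAT-T Vendor ID was accepted (here RFC 3947, method 109) and the `policy=` value the server refused Main Mode with, which is the authby mismatch Paul points at. The sample lines are constructed from the quoted ones; the regexes assume pluto's "packet from IP:port:" message prefix as seen in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the server-side lines quoted in the thread.
SAMPLE_LOG = """\
Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]
Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [Dead Peer Detection]
Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [RFC 3947] method set to=109
Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan  1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG
"""

# Assumed message shape: "pluto[PID]: packet from PEER:PORT: <message>"
PACKET_RE = re.compile(r"pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<port>\d+): (?P<msg>.*)$")
VID_RE = re.compile(r"Vendor ID payload \[(?P<vid>[^\]]+)\]")
NATT_RE = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\] method set to=(?P<method>\d+)")
POLICY_RE = re.compile(r"no connection has been authorized with policy=(?P<policy>\w+)")

def diagnose(log_text):
    """Per peer: Vendor IDs seen, the NAT-T method pluto settled on, and any refused policy."""
    peers = defaultdict(lambda: {"vendor_ids": [], "natt_vid": None,
                                  "natt_method": None, "refused_policy": None})
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue                      # not a per-packet pluto line
        info, msg = peers[m.group("peer")], m.group("msg")
        vid = VID_RE.search(msg)
        if vid:
            info["vendor_ids"].append(vid.group("vid"))
        nat = NATT_RE.search(msg)         # only the first accepted NAT-T VID sets the method
        if nat:
            info["natt_vid"], info["natt_method"] = nat.group("vid"), int(nat.group("method"))
        pol = POLICY_RE.search(msg)
        if pol:
            info["refused_policy"] = pol.group("policy")
    return dict(peers)

def explain(peers):
    """Turn the per-peer summary into short findings for the operator."""
    findings = []
    for peer, info in peers.items():
        if info["natt_method"] is not None:
            findings.append(f"{peer}: NAT-T negotiated via {info['natt_vid']} (method {info['natt_method']})")
        if info["refused_policy"]:
            findings.append(f"{peer}: Main Mode refused, no conn with policy={info['refused_policy']}; "
                            "compare authby= on both ends")
    return findings

if __name__ == "__main__":
    for f in explain(diagnose(SAMPLE_LOG)):
        print(f)
```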