[Openswan Users] Can't get NAT traversal to work
David J Craigon
david at craigon.co.uk
Tue Jan 6 06:50:42 EST 2009
Could anyone help me with this? Just to summarise- I'm using PSK, and
2009/1/4 David J Craigon <david at craigon.co.uk>
> Hi,
>
> Thanks for the reply, but it still doesn't work for me. I'm not totally
> sure what the difference is between the config you've given me and the one
> I'm using- as far as I can tell I _am_ using PSK- I got the codes from
> ipsec showhostkey.
>
> Thanks,
>
> David
>
> 2009/1/2 Paul Wouters <paul at xelerance.com>
>
> On Thu, 1 Jan 2009, David J Craigon wrote:
>>
>> > Anyway, I cannot get NAT traversal to work. My setup is as follows- I want
>> > to get a VPN running between two hosts both running Openswan. One is on the
>> > internet and has a public IP address, and is running Fedora 9. The other is
>> > my laptop sat at home behind a NAT running Fedora 10.
>>
>> I have a similar setup on my laptop, where I tunnel my own /29 onto my
>> laptop.
>>
>> > conn host-to-host
>> > left=192.168.2.34
>> > leftid=81.76.68.138
>> > leftnexthop=192.168.2.1
>> > leftsubnet=192.168.2.0/24
>> > leftrsasigkey=blah blah blah
>> > right=94.102.146.99 # Remote vitals
>> > rightid=94.102.146.99
>> > rightsubnet=94.102.146.96/29
>> > rightrsasigkey=blah blah blah
>> > rightnexthop=94.102.146.97 # correct in many situations
>> > auto=add # authorizes but doesn't start this
>> > # connection at startup
>>
>> With both ends being openswan, ditch PSK and use raw RSA. eg:
>>
>> authby=rsasig
>> leftrsasigkey=XXXX
>> rightrsasigkey=YYY
>> leftid=@laptop
>> rightid=@server
>> left=%defaultroute
>>
>> get the rsasigkey lines using: ipsec showhostkey --left (--right) on the
>> two machines. This will avoid PSK authentication by IP while having other
>> IP's due to NAT.
>>
>> >
>> > When I do on the box behind the NAT I get:
>> >
>> > [root at localhost log]# ipsec auto --up host-to-host
>> > 104 "host-to-host" #1: STATE_MAIN_I1: initiate
>> > 010 "host-to-host" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
>> >
>> >
>> > and I see in /etc/secure on the remote box:
>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]
>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [Dead Peer Detection]
>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [RFC 3947] method set to=109
>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG
>>
>> You are missing authby=secret to use PSK's on the laptop.
>>
>> Paul
>>
>
>
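The raw-RSA, NAT-traversing setup Paul describes, written out as complete ipsec.conf fragments for both ends. This is an added example, not a configuration from the thread or from the Openswan project; it assumes the addresses and subnets quoted above, Openswan 2.6 with the NETKEY stack on both hosts (so the leftnexthop/rightnexthop lines are not needed), and that every `0sAQ...` value is a placeholder for the real output of `ipsec showhostkey --left` on the laptop and `ipsec showhostkey --right` on the server. The conn section is identical on both ends except for how the laptop's address is written: `%defaultroute` on the laptop itself, `%any` on the server, because the server will see whatever address and port the NAT rewrites the packets to.

```ini
# --- /etc/ipsec.conf on the laptop (behind NAT, Fedora 10) ---
# Added example, not from the original thread. Openswan 2.6 / NETKEY assumed.
version 2.0

config setup
    protostack=netkey
    # Without this pluto never floats the exchange to UDP/4500 and ESP
    # cannot pass through the NAT.
    nat_traversal=yes
    # RFC 1918 ranges a NAT'ed peer may sit behind; exclude our own LAN.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24
    oe=off

conn host-to-host
    # Authenticate by raw RSA key and @name ID rather than by IP address,
    # so the NAT rewriting the laptop's source address does not matter.
    authby=rsasig
    left=%defaultroute             # the laptop's current address, whatever it is
    leftid=@laptop
    leftsubnet=192.168.2.0/24
    leftrsasigkey=0sAQ...          # placeholder: output of `ipsec showhostkey --left` on the laptop
    right=94.102.146.99
    rightid=@server
    rightsubnet=94.102.146.96/29
    rightrsasigkey=0sAQ...         # placeholder: output of `ipsec showhostkey --right` on the server
    auto=add

# --- /etc/ipsec.conf on the server (public 94.102.146.99, Fedora 9) ---
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    oe=off

conn host-to-host
    authby=rsasig
    left=%any                      # laptop arrives from the NAT's address and port
    leftid=@laptop
    leftsubnet=192.168.2.0/24
    leftrsasigkey=0sAQ...          # same placeholder: the laptop's public key
    right=94.102.146.99
    rightid=@server
    rightsubnet=94.102.146.96/29
    rightrsasigkey=0sAQ...         # same placeholder: the server's public key
    auto=add
```

Load the conn on both hosts with `ipsec auto --add host-to-host`, then bring it up from the laptop with `ipsec auto --up host-to-host`. The server-side check is `ipsec auto --status`: the laptop should appear under its `@laptop` ID, not under an IP address. If the server log still reports "no connection has been authorized with policy=RSASIG" after the change, one of the two ends still carries `authby=secret` (or no authby at all on one side and `secret` on the other), which is the mismatch Paul points to above.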