[Openswan Users] Can't get NAT traversal to work
David J Craigon
david at craigon.co.uk
Tue Jan 6 06:51:34 EST 2009
Sorry- leant on the send button :-(. So to summarise, I'm using PSK and NAT traversal isn't working- see my original error logs at the end.
Any help would be much appreciated.
2009/1/6 David J Craigon <david at craigon.co.uk>
> Could anyone help me with this? Just to summarise- I'm using PSK, and
>
> 2009/1/4 David J Craigon <david at craigon.co.uk>
>
>> Hi,
>>
>> Thanks for the reply, but it still doesn't work for me. I'm not totally
>> sure what the difference is between the config you've given me, and the one
>> I'm using- as far as I can tell I _am_ using PSK- I got the codes from ipsec
>> showhost key.
>>
>> Thanks,
>>
>> David
>>
>> 2009/1/2 Paul Wouters <paul at xelerance.com>
>>
>>> On Thu, 1 Jan 2009, David J Craigon wrote:
>>>
>>> > Anyway, I cannot get NAT traversal to work. My setup is as follows- I want to get a VPN running between two hosts both running Openswan. One is on the internet and has a public IP address, and is running Fedora 9. The other is my laptop sat at home behind a NAT running Fedora 10.
>>>
>>> I have a similar setup on my laptop, where I tunnel my own /29 onto my laptop.
>>>
>>> > conn host-to-host
>>> > left=192.168.2.34
>>> > leftid=81.76.68.138
>>> > leftnexthop=192.168.2.1
>>> > leftsubnet=192.168.2.0/24
>>> > leftrsasigkey=blah blah blah
>>> > right=94.102.146.99 # Remote vitals
>>> > rightid=94.102.146.99
>>> > rightsubnet=94.102.146.96/29
>>> > rightrsasigkey=blah blah blah
>>> > rightnexthop=94.102.146.97 # correct in many situations
>>> > auto=add # authorizes but doesn't start this
>>> > # connection at startup
>>>
>>> With both ends being openswan, ditch PSK and use raw RSA. eg:
>>>
>>> authby=rsasig
>>> leftrsasigkey=XXXX
>>> rightrsasigkey=YYY
>>> leftid=@laptop
>>> rightid=@server
>>> left=%defaultroute
>>>
>>> get the rsasigkey lines using: ipsec showhostkey --left (--right) on the
>>> two machines. This will avoid PSK authentication by IP while having other
>>> IPs due to NAT.
>>>
>>> >
>>> > When I do on the box behind the NAT I get:
>>> >
>>> > [root at localhost log]# ipsec auto --up host-to-host
>>> > 104 "host-to-host" #1: STATE_MAIN_I1: initiate
>>> > 010 "host-to-host" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
>>> >
>>> >
>>> > and I see in /etc/secure on the remote box:
>>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]
>>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [Dead Peer Detection]
>>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [RFC 3947] method set to=109
>>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
>>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
>>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
>>> > Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG
>>>
>>> You are missing authby=secret to use PSKs on the laptop.
>>>
>>> Paul
>>>
>>
>>
>
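As an added illustration that is not part of the thread, a small Python checker that groups the quoted pluto "packet from" lines by peer and relates the "no connection has been authorized with policy=RSASIG" refusal to the quoted conn: no authby line (so Openswan's default of rsasig applies and the PSK is never used) and a private left address that can never equal the NATed source the server sees. The log lines and conn dict are constructed from the thread's quotes; the rsasig default is taken from the Openswan ipsec.conf manual, not from the thread.

```python
import re

# pluto logs events before an ISAKMP SA exists as "packet from <peer>:<port>: <message>".
PKT_RE = re.compile(r"pluto\[\d+\]: packet from (?P<src>[\d.]+):\d+: (?P<msg>.+)")
NATT_RE = re.compile(r"Vendor ID payload \[(?P<vid>[^\]]+)\] method set to=(?P<m>\d+)")
UNKNOWN_RE = re.compile(r"ignoring unknown Vendor ID payload \[(?P<vid>[0-9a-f]+)\]")
POLICY_RE = re.compile(r"but no connection has been authorized with policy=(?P<pol>\w+)")

def parse_pluto(lines):
    """Group 'packet from' lines by peer address and record how far Main Mode got."""
    attempts = {}
    for m in filter(None, map(PKT_RE.search, lines)):
        a = attempts.setdefault(m["src"], {"natt_vid": None, "natt_method": None,
                                           "unknown_vids": [], "rejected_policy": None})
        msg = m["msg"]
        if n := NATT_RE.search(msg):             # the NAT-T variant the responder settled on
            a["natt_vid"], a["natt_method"] = n["vid"], int(n["m"])
        elif u := UNKNOWN_RE.search(msg):        # vendor IDs pluto does not recognise
            a["unknown_vids"].append(u["vid"])
        elif p := POLICY_RE.search(msg):         # Phase 1 refused: no conn authorizes this peer
            a["rejected_policy"] = p["pol"]
    return attempts

def diagnose(src, a, conn):
    """Compare one peer's refused attempt with the conn both ends share; return findings."""
    notes = []
    authby = conn.get("authby", "rsasig")        # Openswan's default when authby is not set
    pol = a["rejected_policy"]
    if pol and pol.lower() != authby:
        notes.append(f"peer proposed {pol} but conn authby={authby}: authentication methods differ")
    elif pol == "RSASIG" and "authby" not in conn:
        notes.append("authby is absent, so rsasig is used and the PSK is never consulted: "
                     "set authby=secret on both ends, or keep rsasig and supply both rsasigkeys")
    if src not in (conn.get("left"), conn.get("right")):
        notes.append(f"{src} is neither left nor right (the NAT rewrote the source address): "
                     "match the peer by leftid=@name with left=%defaultroute, not a private address")
    if a["natt_method"]:
        notes.append(f"NAT-T negotiated via {a['natt_vid']}: IKE floats to UDP/4500 and ESP is UDP-encapsulated once NAT is detected")
    return notes

# Sample input, constructed from the quoted /var/log/secure lines re-joined onto single lines.
P = "Jan 1 11:14:57 server pluto[17123]: packet from 81.76.68.138:500: "
SAMPLE_LOG = [
    P + "ignoring unknown Vendor ID payload [4f457d5a765a404d5b4f5744]",
    P + "received Vendor ID payload [Dead Peer Detection]",
    P + "received Vendor ID payload [RFC 3947] method set to=109",
    P + "received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109",
    P + "initial Main Mode message received on 94.102.146.99:500 but no connection has been authorized with policy=RSASIG",
]
# The laptop's conn as quoted in the thread: no authby line and a private left address.
LAPTOP_CONN = {"left": "192.168.2.34", "leftid": "81.76.68.138", "right": "94.102.146.99"}
```

Run `diagnose("81.76.68.138", parse_pluto(SAMPLE_LOG)["81.76.68.138"], LAPTOP_CONN)` to get the three findings for the quoted attempt.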