[Openswan Users] Openswan behind NAT

andrew colin andrew.colin at gmail.com
Thu Jan 22 07:07:34 EST 2009


Hi All,


I have been battling with this for days, and I am not sure whether it is
actually possible, as all the posts I have come across do NOT provide a
solution.

My setup is like this:

client (10.161.11.2) -------------(10.161.3.39) | NAT Device | (public ip) ========== dynamic public ip | NAT Device | (192.168.1.1)----------------| Openswan | (192.168.1.2)

My ipsec.conf is below:

version 2.0

config setup
        interfaces=%defaultroute
        protostack=netkey
        #plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        left=192.168.1.2
        leftnexthop=192.168.1.1
        leftcert=kudusoft.home.topdog-software.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        leftprotoport=17/1701
        auto=add
        pfs=yes

conn roadwarrior-l2tp
        type=transport
        left=192.168.1.2
        leftnexthop=192.168.1.1
        leftcert=kudusoft.home.topdog-software.com.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no

conn roadwarrior-l2tp-oldwin
        left=192.168.1.2
        leftnexthop=192.168.1.1
        leftcert=kudusoft.home.topdog-software.com.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


I keep getting the error below no matter how I change the
configuration, which was originally PSK based.

Jan 22 13:52:00 kudusoft pluto[15493]: "roadwarrior-net"[2] 196.37.xxx.xxx #1: Applying workaround for MS-818043 NAT-T bug
Jan 22 13:52:00 kudusoft pluto[15493]: "roadwarrior-net"[2] 196.37.xxx.xxx #1: IDci was FQDN: \304\037!\353, using NAT_OA=10.161.11.2/32 as IDci
Jan 22 13:52:00 kudusoft pluto[15493]: "roadwarrior-net"[2] 196.37.xxx.xxx #1: the peer proposed: 196.31.xxx.xxx/32:17/1701 -> 10.161.11.2/32:17/1701
Jan 22 13:52:00 kudusoft pluto[15493]: "roadwarrior-net"[2] 196.37.xxx.xxx #1: cannot respond to IPsec SA request because no connection is known for 196.31.xxx.xxx/32===192.168.1.2<192.168.1.2>[+S=C]:17/1701...196.37.xxx.xxx[C=ZA, ST=Gauteng, L=Johannesburg, O=Topdog-software.com, CN=hacher.xxxxxxx.co.za,+S=C]:17/1701===10.161.11.2/32
Jan 22 13:52:00 kudusoft pluto[15493]: "roadwarrior-net"[2] 196.37.xxx.xxx #1: sending encrypted notification INVALID_ID_INFORMATION to 196.37.xxx.xxx:50450


I am beginning to think it is impossible to run Openswan behind NAT.

Any pointers would be helpful; thanks in advance.



-- 
"Dru"
To follow the path, look to the master, follow the master, walk with
the master, see through the master, become the master. (zen)
http://www.topdog.za.net/
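An added diagnostic example, not part of the post above: it parses the "the peer proposed" line that pluto logs before "cannot respond to IPsec SA request" and checks the proposed selectors against the conn definitions from the ipsec.conf in the post. The log line and conn table are constructed from this post's values (RFC 5737 addresses stand in for the masked ones), and IKEv1 quick-mode matching is modelled as exact equality between the proposed local selector and the conn's leftsubnet, which is why the peer's view of the gateway (its NATed public address) matches none of the conns.

```python
import ipaddress
import re

# Constructed pluto line modelled on the post; RFC 5737 addresses replace the masked ones.
LOG = [
    '"roadwarrior-net"[2] 198.51.100.7 #1: the peer proposed: '
    '203.0.113.5/32:17/1701 -> 10.161.11.2/32:17/1701',
]

# Assumed conn table: (leftsubnet, leftprotoport, rightprotoport) taken from the posted ipsec.conf;
# a conn without leftsubnet covers only the left host itself, so it is written as left/32.
CONNS = {
    "roadwarrior-net": ("192.168.1.0/24", "17/1701", "17/1701"),
    "roadwarrior-all": ("0.0.0.0/0", "17/1701", "17/1701"),
    "roadwarrior-l2tp-oldwin": ("192.168.1.2/32", "17/0", "17/1701"),
}

PROPOSAL_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: the peer proposed: '
    r'(?P<local>[\d./]+):(?P<local_pp>\d+/\d+) -> (?P<remote>[\d./]+):(?P<remote_pp>\d+/\d+)'
)

def parse_proposal(line):
    """Extract the selectors the peer proposed in quick mode, or None if the line is not one."""
    m = PROPOSAL_RE.search(line)
    return m.groupdict() if m else None

def protoport_matches(conn_pp, proposed_pp):
    """Compare 'proto/port' strings; port 0 in the conn (e.g. 17/0) is a wildcard."""
    cproto, cport = (int(x) for x in conn_pp.split("/"))
    pproto, pport = (int(x) for x in proposed_pp.split("/"))
    return cproto == pproto and cport in (0, pport)

def find_conn(proposal, conns):
    """Return (matching conn or None, {conn: why rejected}). Quick-mode matching is modelled
    as exact equality between the proposed local selector and leftsubnet (no narrowing)."""
    reasons = {}
    proposed_local = ipaddress.ip_network(proposal["local"])
    for name, (leftsubnet, left_pp, right_pp) in conns.items():
        if proposed_local != ipaddress.ip_network(leftsubnet):
            reasons[name] = f"peer wants {proposal['local']} as our side, conn has leftsubnet {leftsubnet}"
        elif not protoport_matches(left_pp, proposal["local_pp"]):
            reasons[name] = f"leftprotoport {left_pp} != proposed {proposal['local_pp']}"
        elif not protoport_matches(right_pp, proposal["remote_pp"]):
            reasons[name] = f"rightprotoport {right_pp} != proposed {proposal['remote_pp']}"
        else:
            return name, reasons
    return None, reasons

if __name__ == "__main__":
    match, why = find_conn(parse_proposal(LOG[0]), CONNS)
    print(match or "\n".join(f"{k}: {v}" for k, v in why.items()))
```

Running it on the constructed line reports every conn as rejected on the leftsubnet check, mirroring the INVALID_ID_INFORMATION seen in the log.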

