[Openswan Users] NAT on both sides
Andy Theuninck
gohanman at gmail.com
Mon Jan 26 20:11:21 EST 2009
I'm trying to set up a connection with both ends behind NAT. I must be
missing something because I just cannot get it to work. The setup is like
this:
openswan server 192.168.1.2
router 1.2.3.4
(internet)
router w/ dynamic ip
openswan client 192.168.0.3
The router at 1.2.3.4 is passing IP 50, UDP 500, and UDP 4500 to 192.168.1.2
server ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
conn road
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    auto=add
client ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16
conn WFC
    authby=secret
    pfs=no
    rekey=yes
    keyingtries=3
    type=transport
    left=192.168.0.3
    leftprotoport=17/1701
    right=209.240.239.188
    rightsubnet=192.168.1.0/24
    rightprotoport=17/1701
    auto=add
As given, when I try to bring up the connection from the client side I get this:
003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "WFC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "WFC" #1: received Vendor ID payload [CAN-IKEv2]
003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer declares '192.168.1.2'
218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
So both NATs are recognized, but it still objects to the IP mismatch.
If I add rightid=192.168.1.2 to the client's ipsec.conf, I get this
error on the server side:
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer proposed: 192.168.1.0/24:17/0 -> 192.168.0.3/32:17/0
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.1.2[+S=C]:17/%any...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500
I'm honestly not sure if that's any closer. I tried specifying ids on
both ends with @ notation, but that gives the same error as using
rightid=192.168.1.2 (except with ids listed in the error).
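The following parser is an added illustration, not part of the post above and not Openswan code. It reads the two shapes of pluto output quoted in the thread (the `ipsec auto --up` console form and the syslog form) and pulls out, per connection, the NAT-T result, the ID the local side expected versus the ID the peer declared, the traffic selectors the peer proposed, and whether the exchange ended in INVALID_ID_INFORMATION. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample: the pluto lines quoted in the post, with the mail's
# line wraps rejoined so each record sits on one line.
SAMPLE_LOG = """\
003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer declares '192.168.1.2'
218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer proposed: 192.168.1.0/24:17/0 -> 192.168.0.3/32:17/0
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500
"""

# Accepts the console form (3-digit status prefix) and the syslog form
# (timestamp + pluto[pid]:); the "[2]" instance index and peer address are optional.
LINE_RE = re.compile(
    r'^(?:\d{3}|.*?pluto\[\d+\]:)\s+"(?P<conn>[^"]+)"(?:\[\d+\])?'
    r'(?:\s+(?P<peer>[\d.]+))?\s+#(?P<sa>\d+):\s+(?P<msg>.*)$')
ID_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
PROPOSED_RE = re.compile(r"the peer proposed: (\S+) -> (\S+)")

def parse_line(line):
    """Return a dict {conn, sa, peer, kind, detail}, or None for non-pluto lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg, kind, detail = m["msg"], "other", {}
    if "NAT-Traversal: Result" in msg:
        kind, detail = "nat_result", {"result": msg.rsplit(": ", 1)[1]}
    elif (idm := ID_RE.search(msg)):
        kind, detail = "id_mismatch", {"expected": idm[1], "declared": idm[2]}
    elif (pm := PROPOSED_RE.search(msg)):
        kind, detail = "proposal", {"local": pm[1], "remote": pm[2]}
    elif "INVALID_ID_INFORMATION" in msg:
        kind = "invalid_id"
    return {"conn": m["conn"], "sa": int(m["sa"]), "peer": m["peer"], "kind": kind, "detail": detail}

def summarize(text):
    """Per-connection view: NAT-T result, disagreeing IDs, proposed selectors, failure flag."""
    out = {}
    for ev in filter(None, map(parse_line, text.splitlines())):
        s = out.setdefault(ev["conn"], {"nat": None, "id_mismatch": None,
                                        "proposals": [], "failed": False})
        if ev["kind"] == "nat_result":
            s["nat"] = ev["detail"]["result"]
        elif ev["kind"] == "id_mismatch":
            s["id_mismatch"] = ev["detail"]
        elif ev["kind"] == "proposal":
            s["proposals"].append((ev["detail"]["local"], ev["detail"]["remote"]))
        elif ev["kind"] == "invalid_id":
            s["failed"] = True
    return out
```

Running `summarize(SAMPLE_LOG)` gives one entry per conn name, so the expected/declared ID pair and the proposed selectors can be compared directly against the leftid/rightid and subnet settings in each side's ipsec.conf.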