[Openswan Users] NAT on both sides

Andy Theuninck gohanman at gmail.com
Mon Jan 26 20:11:21 EST 2009


I'm trying to set up a connection with both ends behind NAT. I must be
missing something because I just cannot get it to work. Set up is like
this:

openswan server 192.168.1.2
router 1.2.3.4
(internet)
router w/ dynamic ip
openswan client 192.168.0.3

The router at 1.2.3.4 is passing IP 50, UDP 500, and UDP 4500 to 192.168.1.2

server ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

conn road
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3

        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftprotoport=17/%any

        right=%any
        rightprotoport=17/%any

        auto=add

client ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16

conn WFC
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=transport

        left=192.168.0.3
        leftprotoport=17/1701

        right=209.240.239.188
        rightsubnet=192.168.1.0/24
        rightprotoport=17/1701

        auto=add

As given, when I try to bring up the connection from the client side I get this:
003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "WFC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "WFC" #1: received Vendor ID payload [CAN-IKEv2]
003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer declares '192.168.1.2'
218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION

So both NATs are recognized, but it still objects to the IP mismatch.

If I add rightid=192.168.1.2 to the client's ipsec.conf, I get this
error on the server side:
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer proposed: 192.168.1.0/24:17/0 -> 192.168.0.3/32:17/0
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.1.2[+S=C]:17/%any...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500

I'm honestly not sure if that's any closer. I tried specifying ids on
both ends with @ notation, but that gives the same error as using
rightid=192.168.1.2 (except with ids listed in the error).
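Triage helper added by the editor, not part of this thread or of Openswan: it walks the two pluto excerpts quoted above (embedded below as constructed sample input, with the mail's line wrapping removed) and reports how far each exchange got and what rejected it. The regular expressions, the field names and the Phase 1/Phase 2 classification are assumptions about pluto's log wording derived only from the lines in the post; the rule that a rejection before "ISAKMP SA established" is a Phase 1 (identity) failure and one after it is a Phase 2 (selector) failure is the editor's, not pluto's.

```python
import re

# Constructed sample input: the two pluto excerpts quoted in the post above,
# with the line wrapping of the mail removed so each record is one line.
CLIENT_LOG = """\
003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "WFC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "WFC" #1: received Vendor ID payload [CAN-IKEv2]
003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer declares '192.168.1.2'
218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

SERVER_LOG = """\
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer proposed: 192.168.1.0/24:17/0 -> 192.168.0.3/32:17/0
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.1.2[+S=C]:17/%any...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500
"""

# Patterns are assumptions about pluto's wording, taken only from the lines above.
NAT_RE = re.compile(r"NAT-Traversal: Result using (RFC \d+) \(NAT-Traversal\): (.+)$")
ID_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
ISAKMP_RE = re.compile(r"ISAKMP SA established \{([^}]+)\}")
PROPOSAL_RE = re.compile(r"the peer proposed: (\S+):(\d+)/(\d+) -> (\S+):(\d+)/(\d+)")
NOCONN_RE = re.compile(r"no connection is known for (\S+)")
NOTIFY_RE = re.compile(r"(INVALID_ID_INFORMATION)")


def parse_end(text):
    """Parse one side of pluto's conn description, e.g.
    '192.168.1.0/24===192.168.1.2[+S=C]:17/%any' (left) or
    '68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32' (right)."""
    subnet, host_part = None, None
    for part in text.split("==="):
        if "[" in part:
            host_part = part
        else:
            subnet = part
    host, ids, protoport = re.match(r"([^\[]+)\[([^\]]*)\]:(\S+)", host_part).groups()
    # The bracket holds the peer ID (if pluto learned one) plus '+X=Y' flags.
    peer_id = next((i for i in ids.split(",") if not i.startswith("+")), host)
    return {"subnet": subnet or host + "/32", "host": host, "id": peer_id, "protoport": protoport}


def diagnose(log):
    """Walk the log in order and summarise how far IKE got and what rejected it."""
    r = {"nat": None, "required_id": None, "declared_id": None, "isakmp": None,
         "proposal": None, "conn": None, "notify": None, "failure_phase": None}
    for line in log.splitlines():
        if m := NAT_RE.search(line):
            r["nat"] = m.group(2)
        elif m := ID_RE.search(line):
            r["required_id"], r["declared_id"] = m.groups()
        elif m := ISAKMP_RE.search(line):
            r["isakmp"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif m := PROPOSAL_RE.search(line):
            ls, lp, lport, rs, rp, rport = m.groups()
            r["proposal"] = {"left": (ls, int(lp), int(lport)), "right": (rs, int(rp), int(rport))}
        elif m := NOCONN_RE.search(line):
            left, right = m.group(1).split("...")
            r["conn"] = {"left": parse_end(left), "right": parse_end(right)}
        elif m := NOTIFY_RE.search(line):
            r["notify"] = m.group(1)
            # Rejected before an ISAKMP SA exists: Phase 1 (identity). After: Phase 2 (selectors).
            r["failure_phase"] = 2 if r["isakmp"] else 1
    return r


def findings(r):
    """Turn the summary into the one-line verdicts a responder would want."""
    out = []
    if r["failure_phase"] == 1 and r["required_id"]:
        out.append("Phase 1 ID mismatch: expected %r, peer declared %r (NAT-T result: %s); "
                   "NAT detection does not relax the ID check, so pin leftid/rightid."
                   % (r["required_id"], r["declared_id"], r["nat"]))
    if r["failure_phase"] == 2 and r["conn"]:
        right = r["conn"]["right"]
        if right["subnet"] != right["host"] + "/32":
            out.append("Phase 2 selector mismatch: peer at %s proposed %s (its pre-NAT address) "
                       "and no loaded conn covers that subnet." % (right["host"], right["subnet"]))
    return out


if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        print(name, findings(diagnose(log)))
```

Two details the parser relies on: pluto prints an unrestricted port as `%any` in the conn description but as `0` in the "peer proposed" line, so the two are compared as the same thing; and on the server excerpt the right-hand selector (192.168.0.3/32) is the client's private address rather than the NAT'd source 68.112.168.88, which is the condition the second finding flags. Openswan's documented mechanism for letting a NAT'd road warrior propose its private address is `rightsubnet=vhost:%priv,%no` together with `virtual_private` (see ipsec.conf(5)); whether that alone resolves the thread's case is not something the quoted logs establish.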
