[Openswan Users] NAT on both sides
simon charles
charlessimon at hotmail.com
Tue Jan 27 01:05:50 EST 2009
Andy!
Here is one of the ways to get this to work:
server ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
conn road
authby=secret
pfs=no
rekey=no
keyingtries=3
left=%defaultroute
leftsubnet=192.168.1.0/24
leftprotoport=17/%any
leftid=209.240.239.188 # Add a connection identifier for server
right=%any
rightprotoport=17/%any
rightid=@myRW01 # Add a connection identifier for the client
auto=add
client ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:192.168.0.0/16
conn WFC
authby=secret
pfs=no
rekey=yes
keyingtries=3
type=transport
left=192.168.0.3
leftprotoport=17/1701
leftid=@myRW01 # Add connection identifier for the client
right=209.240.239.188
rightsubnet=192.168.1.0/24
rightprotoport=17/1701
auto=add
Changes to /etc/ipsec.secrets file on the server:
@myRW01 209.240.239.188 : PSK "somesecretphrase01"
@myRW01 192.168.1.2 : PSK "somesecretphrase01"
Hope that helps!
- Simon Charles -
> Date: Mon, 26 Jan 2009 19:11:21 -0600
> From: gohanman at gmail.com
> To: users at openswan.org
> Subject: [Openswan Users] NAT on both sides
>
> I'm trying to set up a connection with both ends behind NAT. I must be
> missing something because I just cannot get it to work. Set up is like
> this:
>
> openswan server 192.168.1.2
> router 1.2.3.4
> (internet)
> router w/ dynamic ip
> openswan client 192.168.0.3
>
> The router at 1.2.3.4 is passing IP 50, UDP 500, and UDP 4500 to 192.168.1.2
>
> server ipsec.conf:
> version 2.0 # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
>
> conn road
> authby=secret
> pfs=no
> rekey=no
> keyingtries=3
>
> left=%defaultroute
> leftsubnet=192.168.1.0/24
> leftprotoport=17/%any
>
> right=%any
> rightprotoport=17/%any
>
> auto=add
>
> client ipsec.conf:
> version 2.0 # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:192.168.0.0/16
>
> conn WFC
> authby=secret
> pfs=no
> rekey=yes
> keyingtries=3
> type=transport
>
> left=192.168.0.3
> leftprotoport=17/1701
>
> right=209.240.239.188
> rightsubnet=192.168.1.0/24
> rightprotoport=17/1701
>
> auto=add
>
> As given, when I try to bring up the connection from the client side I get this:
> 003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
> both are NATed
> 108 "WFC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "WFC" #1: received Vendor ID payload [CAN-IKEv2]
> 003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer
> declares '192.168.1.2'
> 218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
>
> So both NATs are recognized, but it still objects to the IP mismatch.
>
> If I add rightid=192.168.1.2 to the client's ipsec.conf, I get this
> error on the server side:
> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha
> group=modp2048}
> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer
> proposed: 192.168.1.0/24:17/0 -> 192.168.0.3/32:17/0
> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: cannot
> respond to IPsec SA request because no connection is known for
> 192.168.1.0/24===192.168.1.2[+S=C]:17/%any...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32
> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending
> encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500
>
> I'm honestly not sure if that's any closer. I tried specifying ids on
> both ends with @ notation, but that gives the same error as using
> rightid=192.168.1.2 (except with ids listed in the error).
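The ID mismatch in the log above ("we require peer to have ID '209.240.239.188', but peer declares '192.168.1.2'") comes from the NATed server sending its private address as its default IKE identity while the client expects the public one; Simon's reply fixes it by pinning leftid/rightid on both ends and indexing the PSK by those IDs. The following Python check, added here and not part of the thread, parses condensed ipsec.conf/ipsec.secrets fragments constructed from the thread and reports the mismatches pluto would reject; it assumes pluto's default ID is the host's own (private) address when no leftid/rightid is given.

```python
from typing import Dict, List

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for each 'conn' section of an ipsec.conf."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing '# ...' comments
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def declared_id(conn: Dict[str, str], side: str, local_ip: str) -> str:
    """IKE phase-1 ID a host sends: explicit <side>id, else its own (behind NAT: private) address."""
    ident = conn.get(side + "id") or conn[side]
    return local_ip if ident == "%defaultroute" else ident

def id_mismatches(server: Dict[str, str], client: Dict[str, str],
                  server_ip: str, client_ip: str) -> List[str]:
    """Mismatches pluto would reject with INVALID_ID_INFORMATION, checked in both directions."""
    issues = []
    want, have = client.get("rightid") or client["right"], declared_id(server, "left", server_ip)
    if want != have:
        issues.append(f"client requires peer ID '{want}' but server declares '{have}'")
    want, have = server.get("rightid") or server["right"], declared_id(client, "left", client_ip)
    if want != "%any" and want != have:                # right=%any accepts any address as ID
        issues.append(f"server requires peer ID '{want}' but client declares '{have}'")
    return issues

def psk_indexed_by(secrets: str, *ids: str) -> bool:
    """True if one PSK line in ipsec.secrets lists every given ID before the ':'."""
    for line in secrets.splitlines():
        head, _, tail = line.partition(":")
        if "PSK" in tail and set(ids) <= set(head.split()):
            return True
    return False

BROKEN_SERVER = "conn road\n left=%defaultroute\n right=%any\n"   # constructed, condensed from the thread
BROKEN_CLIENT = "conn WFC\n left=192.168.0.3\n right=209.240.239.188\n"
FIXED_SERVER = BROKEN_SERVER + " leftid=209.240.239.188\n rightid=@myRW01\n"
FIXED_CLIENT = BROKEN_CLIENT + " leftid=@myRW01\n"
SECRETS = '@myRW01 209.240.239.188 : PSK "somesecretphrase01"\n'

def audit(server_conf: str, client_conf: str) -> List[str]:
    """Check the road/WFC pair using the private addresses from the thread."""
    server, client = parse_conns(server_conf)["road"], parse_conns(client_conf)["WFC"]
    return id_mismatches(server, client, server_ip="192.168.1.2", client_ip="192.168.0.3")
```

Running `audit` on the broken pair reproduces the single mismatch from the log, while the fixed pair yields none; `psk_indexed_by(SECRETS, "@myRW01", "209.240.239.188")` confirms the secrets line matches the IDs both ends now present.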