[Openswan Users] NAT on both sides

Andy Theuninck gohanman at gmail.com
Tue Jan 27 10:59:25 EST 2009


I'd prefer to avoid using IDs on the client side because I don't think
I can set a client ID on WinXP or OSX. Ideally, something like this:
http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed

One thing I can't figure out is: should the NAT device in front of my
server be forwarding UDP 500/4500 and IP protocol 50, or does NAT-T
eliminate the need to do that?

On Tue, Jan 27, 2009 at 12:05 AM, simon charles
<charlessimon at hotmail.com> wrote:
> Andy !
>         Here is one of the ways to get this to work:-
>
> server ipsec.conf:
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>         protostack=netkey
>         nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
>
> conn road
>         authby=secret
>         pfs=no
>         rekey=no
>         keyingtries=3
>
>         left=%defaultroute
>         leftsubnet=192.168.1.0/24
>         leftprotoport=17/%any
>         leftid=209.240.239.188 # Add a connection identifier for server
>
>         right=%any
>         rightprotoport=17/%any
>         rightid=@myRW01 # Add a connection identifier for the client
>
>         auto=add
>
> client ipsec.conf:
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:192.168.0.0/16
>
> conn WFC
>         authby=secret
>         pfs=no
>         rekey=yes
>         keyingtries=3
>         type=transport
>
>         left=192.168.0.3
>         leftprotoport=17/1701
>         leftid=@myRW01 # Add connection identifier for the client
>
>         right=209.240.239.188
>         rightsubnet=192.168.1.0/24
>         rightprotoport=17/1701
>
>
>
>         auto=add
>
> Changes to /etc/ipsec.secrets file on the server
>
> @myRW01 209.240.239.188 : PSK "somesecretphrase01"
> @myRW01 192.168.1.2 : PSK "somesecretphrase01"
>
>      Hope that helps !
>
> - Simon Charles -
>
>
>
>
>> Date: Mon, 26 Jan 2009 19:11:21 -0600
>> From: gohanman at gmail.com
>> To: users at openswan.org
>> Subject: [Openswan Users] NAT on both sides
>>
>> I'm trying to set up a connection with both ends behind NAT. I must be
>> missing something because I just cannot get it to work. Set up is like
>> this:
>>
>> openswan server 192.168.1.2
>> router 1.2.3.4
>> (internet)
>> router w/ dynamic ip
>> openswan client 192.168.0.3
>>
>> The router at 1.2.3.4 is passing IP 50, UDP 500, and UDP 4500 to
>> 192.168.1.2
>>
>> server ipsec.conf:
>> version 2.0     # conforms to second version of ipsec.conf specification
>> # basic configuration
>> config setup
>>         protostack=netkey
>>         nat_traversal=yes
>>
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
>>
>> conn road
>>         authby=secret
>>         pfs=no
>>         rekey=no
>>         keyingtries=3
>>
>>         left=%defaultroute
>>         leftsubnet=192.168.1.0/24
>>         leftprotoport=17/%any
>>
>>         right=%any
>>         rightprotoport=17/%any
>>
>>         auto=add
>>
>> client ipsec.conf:
>> version 2.0     # conforms to second version of ipsec.conf specification
>> # basic configuration
>> config setup
>>         protostack=netkey
>>         nat_traversal=yes
>>         virtual_private=%v4:192.168.0.0/16
>>
>> conn WFC
>>         authby=secret
>>         pfs=no
>>         rekey=yes
>>         keyingtries=3
>>         type=transport
>>
>>         left=192.168.0.3
>>         leftprotoport=17/1701
>>
>>         right=209.240.239.188
>>         rightsubnet=192.168.1.0/24
>>         rightprotoport=17/1701
>>
>>         auto=add
>>
>> As given, when I try to bring up the connection from the client side I get
>> this:
>> 003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
>> both are NATed
>> 108 "WFC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "WFC" #1: received Vendor ID payload [CAN-IKEv2]
>> 003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer
>> declares '192.168.1.2'
>> 218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
>>
>> So both NATs are recognized, but it still objects to the IP mismatch.
>>
>> If I add rightid=192.168.1.2 to the client's ipsec.conf, I get this
>> error on the server side:
>> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4:
>> STATE_MAIN_R3: sent MR3, ISAKMP SA established
>> {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha
>> group=modp2048}
>> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer
>> proposed: 192.168.1.0/24:17/0 -> 192.168.0.3/32:17/0
>> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: cannot
>> respond to IPsec SA request because no connection is known for
>>
>> 192.168.1.0/24===192.168.1.2[+S=C]:17/%any...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32
>> Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending
>> encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500
>>
>> I'm honestly not sure if that's any closer. I tried specifying ids on
>> both ends with @ notation, but that gives the same error as using
>> rightid=192.168.1.2 (except with ids listed in the error).
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
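The two failures quoted in this thread (the main-mode ID mismatch when no IDs are pinned, and the quick-mode "no connection is known for" rejection) are easy to misread in a raw pluto log. The script below is an added example, not code from the thread or from the Openswan project: it parses pluto's IKEv1 messages of the shapes posted above, pulls out the NAT-T result, the required/declared IDs, the proposed selectors and the notifications, and turns them into a summary plus the advice Simon's reply gives (pin address-independent IDs with leftid/rightid=@name, which is what a NATed peer needs because pluto otherwise uses its own interface address as its ID). The sample log is constructed from the lines posted in the thread, with the wrapped "no connection is known for" message re-joined onto one line; the RFC 1918 check that decides the advice is this example's own heuristic.

```python
"""Triage helper for pluto (Openswan IKEv1) log lines like those quoted above.

Added example; not code from the thread or the Openswan project.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Each pluto message is led by: "conn"[instance] [peer-address] #state:
CONN_RE = re.compile(r'"([^"]+)"(?:\[\d+\])?(?: (\S+))? #(\d+):')
NAT_RE = re.compile(r'NAT-Traversal: Result using RFC 3947 \(NAT-Traversal\): (.+?)\s*$')
ID_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
PROPOSED_RE = re.compile(r'the peer proposed: (\S+) -> (\S+)')
NOCONN_RE = re.compile(r'no connection is known for\s*(\S+)')
NOTIFY_RE = re.compile(r'\b(INVALID_ID_INFORMATION|NO_PROPOSAL_CHOSEN)\b')

# Constructed sample: client-side lines from the first attempt, then server-side
# lines from the second attempt (rightid=192.168.1.2 set on the client).
SAMPLE_LOG = """\
003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "WFC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "WFC" #1: received Vendor ID payload [CAN-IKEv2]
003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer declares '192.168.1.2'
218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer proposed: 192.168.1.0/24:17/0 -> 192.168.0.3/32:17/0
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.1.2[+S=C]:17/%any...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32
Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500
"""


@dataclass
class Finding:
    conn: str             # ipsec.conf connection name ("WFC", "road")
    peer: Optional[str]   # peer address pluto prints for instantiated conns
    kind: str             # nat | id_mismatch | proposed | no_connection | notify
    data: dict


def parse_pluto_log(text: str) -> list:
    """Extract the negotiation facts that matter for a both-ends-NATed setup."""
    findings = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, peer = m.group(1), m.group(2)
        if (n := NAT_RE.search(line)):
            findings.append(Finding(conn, peer, "nat", {"result": n.group(1)}))
        elif (n := ID_RE.search(line)):
            findings.append(Finding(conn, peer, "id_mismatch",
                                    {"required": n.group(1), "declared": n.group(2)}))
        elif (n := PROPOSED_RE.search(line)):
            findings.append(Finding(conn, peer, "proposed",
                                    {"local": n.group(1), "remote": n.group(2)}))
        elif (n := NOCONN_RE.search(line)):
            findings.append(Finding(conn, peer, "no_connection", {"candidate": n.group(1)}))
        elif (n := NOTIFY_RE.search(line)):
            findings.append(Finding(conn, peer, "notify", {"type": n.group(1)}))
    return findings


def _is_private(addr: str) -> bool:
    """RFC 1918 test; '@name' style IDs are not addresses and count as non-private."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def diagnose(findings: list) -> dict:
    """Summarise the findings and attach the advice a practitioner would act on."""
    summary = {"nat": None, "id_mismatch": None, "proposed": None,
               "notifies": [], "advice": []}
    for f in findings:
        if f.kind == "nat":
            summary["nat"] = f.data["result"]
        elif f.kind == "id_mismatch":
            summary["id_mismatch"] = f.data
            req, dec = f.data["required"], f.data["declared"]
            if _is_private(dec) and not _is_private(req):
                # Heuristic of this example: a peer announcing an RFC 1918 address
                # while we expect its public one is the classic NATed-peer symptom.
                summary["advice"].append(
                    f"{f.conn}: peer is behind NAT and identifies as {dec}, but the "
                    f"local config expects {req}; pin address-independent IDs "
                    f"(leftid/rightid=@name) on both ends, or set rightid={dec}.")
            else:
                summary["advice"].append(
                    f"{f.conn}: ID mismatch (required {req}, declared {dec}); "
                    f"check leftid/rightid on both ends.")
        elif f.kind == "proposed":
            summary["proposed"] = (f.data["local"], f.data["remote"])
        elif f.kind == "no_connection":
            summary["advice"].append(
                f"{f.conn}: quick mode selectors {summary['proposed']} matched no conn; "
                f"responder built {f.data['candidate']}.")
        elif f.kind == "notify":
            summary["notifies"].append((f.conn, f.data["type"]))
    return summary


if __name__ == "__main__":
    for line in diagnose(parse_pluto_log(SAMPLE_LOG))["advice"]:
        print(line)
```

Feed it `ipsec auto --up` output or the pluto lines from syslog; it reports on what pluto said and does not check the router, so a missing UDP 500/4500 forward on the server's NAT device still has to be verified separately (with NAT-T negotiated, ESP itself is carried inside UDP 4500).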

