[Openswan Users] Problems with NAT'd Windows clients
Marc Fisher
m4fisher at gmail.com
Sat Oct 17 05:47:52 EDT 2009
Hi,
Thanks very much for the solution, Paul! There is one catch though: while
it works fine on the XP machine, it still fails on Vista.
Comparing the /var/log/secure output of both clients gives these extra lines
when connecting:
<------
received Vendor ID payload [RFC 3947] method set to=109
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
------>
I think this is because Vista supports this RFC and XP doesn't.
Unfortunately I have no idea what the difference between method 109
and 106 is, so it's hard to say whether this is relevant.
Also, the Vista client produces this line while XP doesn't:
<---------
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
--------->
The Vista client no longer sends ICMP port 1701 unreachable, but this is a
negligible change. The new logs and barf are here:
http://ioudas.net/tcpdump2.txt
http://ioudas.net/barf2.txt
The config remains the same:
http://ioudas.net/conf.txt
Is there anyone who got NAT-T working with Windows Vista? I would be
very interested to hear from them and possibly see their config.
Thanks,
Peter
Paul Wouters wrote:
> On Thu, 15 Oct 2009, Marc Fisher wrote:
>
>> I've been trying to get NAT-T working for NAT'd Windows XP and Vista
>> clients for several days now. It works fine without NAT, but when
>> the client is NAT'd it fails after the tunnel is established.
>> I tried both PSK and X.509, several openswan versions (I've been told
>> on IRC that NAT-T is broken for the 2.6.x version), even strongswan;
>> it's always the same result (after getting through all the other
>> errors):
>> After the tunnel is established the server initiates the l2tp conn
>> instead of the client, while the client keeps sending UDP-encapsulated
>> packets and ICMP port 1701 unreachable messages to the server. This
>> goes on until both ends timeout.
>
> Replace your openswan 2.4.x _updown script with the one from openswan
> 2.6.x.
> I've attached a copy for you. This will be in
> /usr/local/lib/ipsec/_updown
>
> Paul
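The comparison Marc did by hand above (which NAT-T vendor IDs each client offered, which method pluto settled on, how many NAT-OA payloads arrived) can be pulled out of /var/log/secure mechanically. The following is an added example, not code from the thread or from Openswan: a small parser for the pluto wording quoted in the post. The Vista lines are the ones Marc quoted; the XP lines are a constructed stand-in (assumed: XP offers only the draft-02 vendor ID and no RFC 3947 one, which is Marc's own guess, not something the logs on the page confirm). The method numbers are taken straight from the log text rather than from any table of Openswan constants.

```python
import re

# pluto log wording as quoted in the post. A real /var/log/secure line carries
# a syslog prefix and usually a '"conn" #N:' tag; .search() skips past those.
VID_SET_RE = re.compile(
    r"received Vendor ID payload \[(?P<vid>[^\]]+)\] method set to=(?P<method>\d+)")
VID_IGNORED_RE = re.compile(
    r"received Vendor ID payload \[(?P<vid>[^\]]+)\] meth=(?P<method>\d+), "
    r"but already using method (?P<using>\d+)")
NAT_OA_RE = re.compile(r"NAT-Traversal: received (?P<count>\d+) NAT-OA")

# Constructed sample: the lines Marc quoted from the Vista client, with a
# line of unrelated noise to show that it is ignored.
VISTA_LINES = [
    'Oct 17 05:40:01 gw pluto[1234]: packet from 192.0.2.10:500: '
    'received Vendor ID payload [RFC 3947] method set to=109',
    'Oct 17 05:40:01 gw pluto[1234]: packet from 192.0.2.10:500: '
    'received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, '
    'but already using method 109',
    'Oct 17 05:40:01 gw pluto[1234]: "l2tp-psk"[1] 192.0.2.10 #1: '
    'responding to Main Mode from unknown peer 192.0.2.10',
    'Oct 17 05:40:02 gw pluto[1234]: "l2tp-psk"[1] 192.0.2.10 #2: '
    'NAT-Traversal: received 2 NAT-OA. using first, ignoring others',
]

# Constructed XP stand-in (assumption, not from the page): only the draft-02
# vendor ID, no RFC 3947 one, and no NAT-OA line.
XP_LINES = [
    'Oct 17 05:30:01 gw pluto[1234]: packet from 192.0.2.11:500: '
    'received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106',
    'Oct 17 05:30:01 gw pluto[1234]: "l2tp-psk"[2] 192.0.2.11 #3: '
    'responding to Main Mode from unknown peer 192.0.2.11',
]


def summarize_natt(lines):
    """Collect the NAT-T negotiation facts pluto logs for one client."""
    summary = {
        "vendor_ids": [],      # every NAT-T vendor ID the peer sent, in order
        "method": None,        # method pluto committed to ("method set to=")
        "ignored_methods": {}, # vendor ID -> method offered later and ignored
        "nat_oa": None,        # number of NAT-OA payloads received, if logged
    }
    for line in lines:
        m = VID_SET_RE.search(line)
        if m:
            summary["vendor_ids"].append(m.group("vid"))
            summary["method"] = int(m.group("method"))
            continue
        m = VID_IGNORED_RE.search(line)
        if m:
            summary["vendor_ids"].append(m.group("vid"))
            summary["ignored_methods"][m.group("vid")] = int(m.group("method"))
            continue
        m = NAT_OA_RE.search(line)
        if m:
            summary["nat_oa"] = int(m.group("count"))
    return summary


def natt_differences(a, b):
    """Keys on which two client summaries disagree (an XP-vs-Vista diff)."""
    return sorted(key for key in a if a[key] != b[key])


if __name__ == "__main__":
    xp, vista = summarize_natt(XP_LINES), summarize_natt(VISTA_LINES)
    for name, s in (("XP", xp), ("Vista", vista)):
        print(name, s)
    print("differs in:", natt_differences(xp, vista))
```

Feed it the two real log excerpts (one list of lines per client) and the `natt_differences` output tells you at a glance whether the two negotiations diverged at vendor-ID selection, at the committed method, or only at the NAT-OA stage, which is the question Marc is trying to answer by eye.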