[Openswan Users] ESPINUDP

Cameron Childress childc2 at gmail.com
Mon Apr 12 01:30:57 EDT 2010


Hey everyone.
I'm trying to set up openswan on ubuntu 9.10 and can't get
UDP encapsulation to work.
I found this in my logs:
"Apr 11 23:36:19 mufasa ipsec_setup: Stopping Openswan IPsec...
Apr 11 23:36:20 mufasa ipsec_setup: ...Openswan IPsec stopped
Apr 11 23:36:20 mufasa ipsec_setup: Starting Openswan IPsec
U2.6.22/K2.6.31-20-generic-pae...
Apr 11 23:36:20 mufasa ipsec_setup: Using NETKEY(XFRM) stack
Apr 11 23:36:20 mufasa ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Apr 11 23:36:20 mufasa ipsec_setup: ...Openswan IPsec started
Apr 11 23:36:20 mufasa ipsec__plutorun: 002 added connection description
"rw-win"
Apr 11 23:36:20 mufasa ipsec__plutorun: 002 added connection description
"rw-mac"
Apr 11 23:36:20 mufasa ipsec__plutorun: 002 added connection description
"roadwarrior"
Apr 11 23:36:20 mufasa ipsec__plutorun: 003 NAT-Traversal: Trying new style
NAT-T
Apr 11 23:36:20 mufasa ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup
failed for new style NAT-T family IPv4 (errno=19)
Apr 11 23:36:20 mufasa ipsec__plutorun: 003 NAT-Traversal: Trying old style
NAT-T"

Here's my ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
# NOTE(review): ipsec.conf expects the parameters of a section to be indented
# under its "config"/"conn" header. None of the lines below are indented,
# presumably because the mail archive stripped the leading whitespace.
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# interfaces="ipsec0=eth0"
# NAT-TRAVERSAL support, see README.NAT-Traversal
# NOTE(review): the log quoted above reports "ESPINUDP(1) setup failed ...
# (errno=19)" and then "Trying old style NAT-T". errno 19 is ENODEV on Linux.
# The excerpt stops there, so it does not show whether the fallback also
# failed; check the log lines that follow before concluding NAT-T is broken.
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# NOTE(review): the value below is split across two lines, presumably wrapped
# by the mail client or archive; a parameter and its value belong on one line.
virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.33.0/24
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. netkey,klips,mast,auto or none
# (matches the "Using NETKEY(XFRM) stack" line in the log above)
protostack=netkey
#include /etc/ipsec.d/l2tp-psk.conf
# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=start

# Defaults picked up by the conn sections that follow.
conn %default
# stop after three negotiation attempts
keyingtries=3
# compress=yes
disablearrivalcheck=no
keyexchange=ike
# lifetime of the IKE (phase 1) SA: 240 minutes
ikelifetime=240m
# lifetime of the IPsec (phase 2) SA: 60 minutes
keylife=60m

# Road-warrior profile, presumably for Windows clients judging by the name.
conn rw-win
# protocol 17 is UDP and port 1701 is L2TP: only L2TP traffic is protected,
# with both ends fixed to port 1701
leftprotoport=17/1701
rightprotoport=17/1701
# pull in the remaining parameters from "conn roadwarrior"
also=roadwarrior

# Road-warrior profile, presumably for Mac clients judging by the name.
conn rw-mac
# UDP port 1701 (L2TP) on the server side
leftprotoport=17/1701
# the client may use any UDP source port (%any), unlike rw-win
rightprotoport=17/%any
# pull in the remaining parameters from "conn roadwarrior"
also=roadwarrior

# Shared settings for the road-warrior profiles that reference this section
# through also=roadwarrior (rw-win and rw-mac).
conn roadwarrior
# load the connection at startup and wait for the peer to initiate
auto=add
# pre-shared-key authentication. Combined with right=%any below, peers are
# accepted from any address, so the strength and handling of the secret is
# what protects this connection.
authby=secret
# PFS is not required for the IPsec SAs
# NOTE(review): presumably set for L2TP/IPsec client compatibility; confirm
# the clients cannot do PFS before leaving it off.
pfs=no
# transport mode (host-to-host), as used for L2TP over IPsec
type=transport
# do not initiate rekeying from this side
rekey=no
keyingtries=3
# NOTE(review): "%defaultrote" looks like a misspelling of "%defaultroute"
# (the spelling used for rightnexthop below); confirm against the real file.
left=%defaultrote
leftnexthop=72.231.160.1
# leftprotoport=17/1701
# leftsubnet=10.0.33.0/24
# accept the peer from any address
right=%any
rightnexthop=%defaultroute
# rightsubnet=vhost:%no,%priv
# rightprotoport=17/%any
# use UDP encapsulation of ESP even when no NAT is detected
forceencaps=yes

Does anyone know how to get UDP encapsulation to work?