[Openswan Users] NAT-T and Transport mode not working?

Michael.Karlinsky at tieto.com Michael.Karlinsky at tieto.com
Tue Jan 5 03:51:29 EST 2010 

Hi All,
there still seems to be a problem regarding NAT-T and Transport-Mode.

My setup:
A: 192.168.0.10 <--> NAT-Router: 172.30.64.140 (DHCP) <--> B: 172.30.64.190
Both systems running a recent SUSE Linux Kernel:

A: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-pae (netkey)
B: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-default (netkey)

I use the following configuration for A and B:

A:

conn konnektor
        left=192.168.0.10
        leftrsasigkey=%cert
        leftcert=konnektor001.NK.rel234.labKompCA01.valid.cer
        leftid=%fromcert
        leftprotoport=17/1701

        right=172.30.64.190
        rightrsasigkey=%cert
        rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
        rightid=%fromcert
        rightprotoport=17/1701

        auto=start

        authby=rsasig
        pfs=yes
        rekey=yes

        dpddelay=60
        dpdtimeout=10
        dpdaction=hold

        ike=aes256-sha1-modp1536
        ikelifetime=86400s
        phase2alg=aes256-sha1
        keylife=3600s

        #type=transport
        type=tunnel

B:

conn vpnk
        left=%any
        leftrsasigkey=%cert
        leftprotoport=17/1701
        leftsubnet=vhost:%priv

        right=172.30.64.190
        rightrsasigkey=%cert
        rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
        rightid=%fromcert
        rightprotoport=17/1701

        auto=add

        authby=rsasig
        pfs=yes
        rekey=yes

        dpddelay=60
        dpdtimeout=10
        dpdaction=hold

        ike=aes256-sha1-modp1536
        ikelifetime=86400s
        phase2alg=aes256-sha1
        keylife=3600s

        #type=transport
        type=tunnel

Using Tunnel Mode all is fine.

Jan  5 09:27:51 ipsectest pluto[26734]: "vpnk"[2] 172.30.64.140 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4555e56f <0xdc695732 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=172.30.64.140:65193 DPD=enabled}
[...]
Jan  5 09:28:07 ipsectest pppd[26778]: PAP peer authentication succeeded for gemuser
Using Transport Mode IPSec is still OK, but no PPP connection is possible.

Hope you can help. If you need more info and logfiles please tell me and I will provide them.

Kind regards,
Michael Karlinsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100105/20c9b1bc/attachment.html

More information about the Users mailing list