[Openswan Users] NAT-T and Transport mode not working?

No body ist Perfect news.listener at gmail.com
Tue Jan 5 13:35:36 EST 2010


Hi !
Post your conf files, openswan and xl2tpd version, and the log from xl2tpd too
thanks

On 05.01.2010 09:51, Michael.Karlinsky at tieto.com wrote:
> Hi All,
> there still seems to be a problem regarding NAT-T and Transport-Mode.
> My setup:
> A: 192.168.0.10 <--> NAT-Router: 172.30.64.140 (DHCP) <--> B: 172.30.64.190
> Both systems running a recent SUSE Linux Kernel:
> A: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-pae (netkey)
> B: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-default (netkey)
> I use the following configuration for A and B:
> A:
> conn konnektor
>     left=192.168.0.10
>     leftrsasigkey=%cert
>     leftcert=konnektor001.NK.rel234.labKompCA01.valid.cer
>     leftid=%fromcert
>     leftprotoport=17/1701
>     right=172.30.64.190
>     rightrsasigkey=%cert
>     rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
>     rightid=%fromcert
>     rightprotoport=17/1701
>     auto=start
>     authby=rsasig
>     pfs=yes
>     rekey=yes
>     dpddelay=60
>     dpdtimeout=10
>     dpdaction=hold
>     ike=aes256-sha1-modp1536
>     ikelifetime=86400s
>     phase2alg=aes256-sha1
>     keylife=3600s
>     #type=transport
>     type=tunnel
> B:
> conn vpnk
>     left=%any
>     leftrsasigkey=%cert
>     leftprotoport=17/1701
>     leftsubnet=vhost:%priv
>     right=172.30.64.190
>     rightrsasigkey=%cert
>     rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
>     rightid=%fromcert
>     rightprotoport=17/1701
>     auto=add
>     authby=rsasig
>     pfs=yes
>     rekey=yes
>     dpddelay=60
>     dpdtimeout=10
>     dpdaction=hold
>     ike=aes256-sha1-modp1536
>     ikelifetime=86400s
>     phase2alg=aes256-sha1
>     keylife=3600s
>     #type=transport
>     type=tunnel
> Using Tunnel Mode all is fine.
> Jan 5 09:27:51 ipsectest pluto[26734]: "vpnk"[2] 172.30.64.140 #2:
> STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4555e56f
> <0xdc695732 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=172.30.64.140:65193
> DPD=enabled}
> [...]
> Jan 5 09:28:07 ipsectest pppd[26778]: PAP peer authentication succeeded
> for gemuser
> Using Transport Mode IPSec is still OK, but no PPP connection is possible.
>
> Hope you can help. If you need more info and logfiles please tell me and
> I will provide them.
> Kind regards,
> Michael Karlinsky