[Openswan Users] NAT-T and Transport mode not working?
Michael.Karlinsky at tieto.com
Michael.Karlinsky at tieto.com
Fri Jan 8 04:21:23 EST 2010
Hi all,
just want to add that I tried
rightprotoport=17/%any
instead of
rightprotoport=17/1701
as suggested above. No change.
Kind regards,
Michael Karlinsky
________________________________
From: users-bounces at openswan.org [users-bounces at openswan.org] On Behalf Of Michael.Karlinsky at tieto.com [Michael.Karlinsky at tieto.com]
Sent: Tuesday, January 05, 2010 9:51 AM
To: users at openswan.org
Subject: [Openswan Users] NAT-T and Transport mode not working?
Hi All,
there still seems to be a problem regarding NAT-T and Transport-Mode.
My setup:
A: 192.168.0.10 <--> NAT-Router: 172.30.64.140 (DHCP) <--> B: 172.30.64.190
Both systems running a recent SUSE Linux Kernel:
A: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-pae (netkey)
B: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-default (netkey)
I use the following configuration for A and B:
A:
conn konnektor
left=192.168.0.10
leftrsasigkey=%cert
leftcert=konnektor001.NK.rel234.labKompCA01.valid.cer
leftid=%fromcert
leftprotoport=17/1701
right=172.30.64.190
rightrsasigkey=%cert
rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
rightid=%fromcert
rightprotoport=17/1701
auto=start
authby=rsasig
pfs=yes
rekey=yes
dpddelay=60
dpdtimeout=10
dpdaction=hold
ike=aes256-sha1-modp1536
ikelifetime=86400s
phase2alg=aes256-sha1
keylife=3600s
#type=transport
type=tunnel
B:
conn vpnk
left=%any
leftrsasigkey=%cert
leftprotoport=17/1701
leftsubnet=vhost:%priv
right=172.30.64.190
rightrsasigkey=%cert
rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
rightid=%fromcert
rightprotoport=17/1701
auto=add
authby=rsasig
pfs=yes
rekey=yes
dpddelay=60
dpdtimeout=10
dpdaction=hold
ike=aes256-sha1-modp1536
ikelifetime=86400s
phase2alg=aes256-sha1
keylife=3600s
#type=transport
type=tunnel
Using Tunnel Mode all is fine.
Jan 5 09:27:51 ipsectest pluto[26734]: "vpnk"[2] 172.30.64.140 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4555e56f <0xdc695732 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=172.30.64.140:65193 DPD=enabled}
[...]
Jan 5 09:28:07 ipsectest pppd[26778]: PAP peer authentication succeeded for gemuser
Using Transport Mode IPSec is still OK, but no PPP connection is possible.
Hope you can help. If you need more info and logfiles please tell me and I will provide them.
Kind regards,
Michael Karlinsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100108/f3a97124/attachment.html
More information about the Users
mailing list