[Openswan Users] Problem with Nating Ipsec Server

Ajayaghosh ajayan4 at gmail.com
Tue Jun 1 17:39:08 EDT 2010


         I am trying to configure an IPsec VPN on a CentOS 5.4 machine. The
IPsec server is set up behind a firewall and ports are redirected to the
internal server (192.168.2.100). The details of the gateway machine are:

eth0 --> Public IP
eth1 --> 192.168.2.81

IPsec configuration

version 2.0
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.2.0/24
conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn l2tp-psk
        pfs=no
        left=192.168.2.100
        leftnexthop=192.168.2.81
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        auto=add

For the sake of testing I have disabled the other firewall rules and only
redirection is enabled. The firewall rules on the gateway machine are:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to 192.168.2.100
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to 192.168.2.100

When I try to connect from the client it shows this error:
104 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #20: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [Dead Peer Detection]
106 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: sent MI3, expecting MR3
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [CAN-IKEv2]
003 "L2TP-PSK-CLIENT" #20: we require peer to have ID 'Public IP XXX', but peer declares '192.168.2.100'
218 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: INVALID_ID_INFORMATION

and from the logs on the IPsec server:

"STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
next payload type of ISAKMP Hash Payload has an unknown value: 63
malformed payload in packet"

It seems the connection is established but the problem is with
POSTROUTING on the gateway machine. How can I successfully redirect and
postroute the IPsec server on the gateway machine?

Thanks
Ajayan
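An added example, not part of the original post or of Openswan itself: a small Python script that parses the client-side pluto output quoted above, records the Main Mode state sequence, and pulls out the "we require peer to have ID ... but peer declares ..." line so the identity mismatch can be flagged and checked against whether the declared ID is a private address. The sample input is constructed from the post; the redacted 'Public IP XXX' is replaced with the placeholder 203.0.113.10 (an RFC 5737 documentation address). The explanation string relies on documented Openswan behaviour: leftid/rightid default to the left=/right= address, so a responder whose left= is an internal address announces that internal address as its IKE ID unless leftid= is set.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the client-side pluto output quoted in the post,
# with the two mail-wrapped lines joined back together. The redacted
# 'Public IP XXX' is replaced by the placeholder 203.0.113.10 (RFC 5737 range).
CLIENT_OUTPUT = """\
104 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #20: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [Dead Peer Detection]
106 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: sent MI3, expecting MR3
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [CAN-IKEv2]
003 "L2TP-PSK-CLIENT" #20: we require peer to have ID '203.0.113.10', but peer declares '192.168.2.100'
218 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

# pluto/whack output shape: 3-digit status code, quoted connection name, SA number, message.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+): (.*)$')
ID_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")


@dataclass
class Event:
    code: int
    conn: str
    sa: int
    msg: str


@dataclass
class Diagnosis:
    conn: Optional[str] = None
    states: List[str] = field(default_factory=list)   # Main Mode states in order seen
    expected_id: Optional[str] = None                 # ID the initiator required
    declared_id: Optional[str] = None                 # ID the responder actually sent
    notify: Optional[str] = None                      # final notification, if any

    @property
    def declared_is_private(self) -> bool:
        """True when the responder's declared ID is a private (e.g. RFC 1918) address."""
        try:
            return ipaddress.ip_address(self.declared_id).is_private
        except ValueError:  # None, or not an IP literal (an @fqdn style identity)
            return False


def parse_pluto(text: str) -> List[Event]:
    """Turn raw pluto/whack output into Event records; non-matching lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            code, conn, sa, msg = m.groups()
            events.append(Event(int(code), conn, int(sa), msg))
    return events


def diagnose(events: List[Event]) -> Diagnosis:
    """Collect the state sequence and any identity mismatch from the events."""
    d = Diagnosis()
    for ev in events:
        d.conn = d.conn or ev.conn
        sm = STATE_RE.match(ev.msg)
        if sm:
            d.states.append(sm.group(1))
            if "INVALID_ID_INFORMATION" in sm.group(2):
                d.notify = "INVALID_ID_INFORMATION"
        im = ID_RE.search(ev.msg)
        if im:
            d.expected_id, d.declared_id = im.groups()
    return d


def explain(d: Diagnosis) -> str:
    """Human-readable verdict; names the Openswan setting involved when IDs differ."""
    if d.expected_id is None:
        return "no IKE identity mismatch seen"
    why = ("responder announced a private address as its IKE ID"
           if d.declared_is_private else "responder announced an unexpected IKE ID")
    return (f"{why}: expected '{d.expected_id}', got '{d.declared_id}'. "
            "Openswan's leftid/rightid default to the left=/right= address, so a "
            "responder behind NAT sends its internal address unless leftid= is set "
            "to the identity the initiator expects.")


if __name__ == "__main__":
    diag = diagnose(parse_pluto(CLIENT_OUTPUT))
    print(" -> ".join(diag.states), diag.notify)
    print(explain(diag))
```

Feed it any saved `ipsec auto --up` output; lines that do not follow the status-code/connection/SA pattern are ignored, so it can be pointed at a mixed log.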