[Openswan Users] IKEv2 connection attempt through a NAT device

Willie Gillespie wgillespie+openswan at es2eng.com
Sat Jun 19 01:29:51 EDT 2010


I hope this is the right place to ask questions.

I decided to experiment with Windows 7 and Openswan with IKEv2.  I could have my connection configuration messed up, but I can't even seem to get that far in testing.

My Windows 7 client machine is behind a NAT box, which is changing the source port and I believe it is causing the problem.  First, take a look at the below log snippet:

Openswan is 2.2.2.2; the external IP of the NAT is 8.8.8.8. I left the port numbers alone.  "no connection found" is all you see if you're not looking at the debug logs.

added connection description "IKEv2-Cert"
| 192.168.1.0/24===2.2.2.2<2.2.2.2>[@host.example.com,+S=C]...%any[+S=C]
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: RSASIG+ENCRYPT+TUNNEL+IKEv2ALLOW+IKEv2Init

... snipped until in the connection attempt ...

| processing payload: ISAKMP_NEXT_v2N (len=28)
| find_host_connection2 called from ikev2parent_inI1outR1, me=2.2.2.2:500 him=8.8.8.8:70 policy=IKEv2ALLOW
| find_host_pair: comparing to 2.2.2.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 2.2.2.2:500 8.8.8.8:70 -> hp:none
| searching for connection with policy = IKEv2ALLOW
| find_host_connection returns empty
| no connection found

Since the client's NAT box is changing the source port from UDP/500 to UDP/70 (this obviously changes each time), is that why it's not matching my connection of [left: 2.2.2.2, right: %any]?

Thanks for your time.

Willie
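As an added illustration (not Openswan's code and not part of the original post), here is a small Python model of the host-pair lookup the debug log shows, under the assumption that a %any right side is keyed as 0.0.0.0:500 and compared strictly on address and port. It reproduces the "hp:none" result for a peer seen at 8.8.8.8:70 and shows that treating the %any side's port as a wildcard (what a NAT that rewrites the source port requires) finds the connection.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0"  # assumption: how a %any right side is keyed in the lookup


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass(frozen=True)
class Conn:
    name: str
    left: Endpoint
    right: Endpoint  # addr == ANY models right=%any


def find_host_pair(conns: List[Conn], me: Endpoint, him: Endpoint,
                   wildcard_any_port: bool = False) -> Optional[Conn]:
    """Return the first connection whose host pair matches (me, him).

    Strict mode mirrors the log: address and port must agree on both
    sides, so a %any side only matches a peer at port 500.  With
    wildcard_any_port=True a %any side matches a peer at any source
    port, which is what is needed once a NAT rewrites UDP/500."""
    for c in conns:
        if c.left != me:
            continue
        if c.right == him:
            return c
        if c.right.addr == ANY and (wildcard_any_port or c.right.port == him.port):
            return c
    return None


# Constructed from the values in the log: left 2.2.2.2, right %any.
CONNS = [Conn("IKEv2-Cert", Endpoint("2.2.2.2", 500), Endpoint(ANY, 500))]
ME = Endpoint("2.2.2.2", 500)
HIM_NATTED = Endpoint("8.8.8.8", 70)   # what the NAT box presented
HIM_DIRECT = Endpoint("8.8.8.8", 500)  # constructed: same peer, port untouched


def lookup(him: Endpoint, wildcard_any_port: bool = False) -> str:
    """Name of the matching connection, or 'none' as the log prints it."""
    c = find_host_pair(CONNS, ME, him, wildcard_any_port)
    return c.name if c else "none"


if __name__ == "__main__":
    print("8.8.8.8:70  strict   ->", lookup(HIM_NATTED))
    print("8.8.8.8:500 strict   ->", lookup(HIM_DIRECT))
    print("8.8.8.8:70  wildcard ->", lookup(HIM_NATTED, True))
```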
