[Openswan Users] NAT configuration question ...

Swartz, Patrick H Patrick.Swartz at firstdata.com
Tue Feb 22 16:48:06 EST 2011


I made the changes according to your suggestion, except swapped right/left because in my setup the RIGHT is behind the NAT.
Diagram:

LEFT                                              RIGHT
rhel5gp1 (eth1: 172.27.10.2)  <router / NAT-T>   rhel5secr (eth0: 192.168.10.2)
                                                  1:1 NAT: 192.168.10.2 <-> 172.27.10.4

The router is a Cisco 2811 with this configuration:
interface FastEthernet0
 ip address 172.27.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

Red Hat 5.4 
Linux Openswan U2.6.14/K2.6.18-164.el5 (netkey)

conn rhel5secr-rhel5gp1
        connaddrfamily=ipv4
        type=tunnel
        authby=secret
        left=172.27.10.2
        right=192.168.10.2
        esp=3des
        keyexchange=ike
        pfs=no
        auto=start

Here is my log from the Public side (in my layout -- LEFT)

Feb 22 11:27:37 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1": request to add a prospective erouted policy with netkey kernel --- experimental
Feb 22 11:27:37 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #1: initiating Main Mode
Feb 22 11:28:47 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb 22 11:28:47 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #1: starting keying attempt 2 of at most 3
Feb 22 11:28:47 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #2: initiating Main Mode to replace #1
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Openswan (this version) 2.6.14 ]
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Dead Peer Detection]
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: initial Main Mode message received on 172.27.10.2:500 but no connection has been authorized with policy=PSK
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Openswan (this version) 2.6.14 ]
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Dead Peer Detection]
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: initial Main Mode message received on 172.27.10.2:500 but no connection has been authorized with policy=PSK
Feb 22 11:29:41 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Openswan (this version) 2.6.14 ]
Feb 22 11:29:41 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Dead Peer Detection]
Feb 22 11:29:41 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 22 11:29:41 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 22 11:29:41 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 22 11:29:41 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 22 11:29:41 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: initial Main Mode message received on 172.27.10.2:500 but no connection has been authorized with policy=PSK
Feb 22 11:29:57 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb 22 11:29:57 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #2: starting keying attempt 3 of at most 3
Feb 22 11:29:57 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #3: initiating Main Mode to replace #2
Feb 22 11:30:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Openswan (this version) 2.6.14 ]
Feb 22 11:30:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Dead Peer Detection]
Feb 22 11:30:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 22 11:30:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 22 11:30:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 22 11:30:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 22 11:30:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: initial Main Mode message received on 172.27.10.2:500 but no connection has been authorized with policy=PSK
Feb 22 11:30:31 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Openswan (this version) 2.6.14 ]
Feb 22 11:30:31 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [Dead Peer Detection]
Feb 22 11:30:31 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 22 11:30:31 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 22 11:30:31 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 22 11:30:31 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 22 11:30:31 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: initial Main Mode message received on 172.27.10.2:500 but no connection has been authorized with policy=PSK


Here is a log from the RIGHT side (NAT side)

Feb 22 12:54:56 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1": request to add a prospective erouted policy with netkey kernel --- experimental
Feb 22 12:54:56 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #1: initiating Main Mode
Feb 22 12:56:06 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb 22 12:56:06 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #1: starting keying attempt 2 of at most 3
Feb 22 12:56:06 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #2: initiating Main Mode to replace #1
Feb 22 12:57:16 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb 22 12:57:16 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #2: starting keying attempt 3 of at most 3
Feb 22 12:57:16 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #3: initiating Main Mode to replace #2
Feb 22 12:58:26 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data 
402-777-7337 desk
402-201-1192 Company cell
402-871-8981 Personal cell


-----Original Message-----
From: Willie Gillespie [mailto:wgillespie+openswan at es2eng.com] 
Sent: Tuesday, February 22, 2011 2:59 PM
To: Swartz, Patrick H
Cc: users at openswan.org
Subject: Re: [Openswan Users] NAT configuration question ...

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> Behalf Of Swartz, Patrick H
> Sent: Tuesday, February 22, 2011 2:33 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] 2.6.33 fix for compile
> failurewithoutUSE_EXTRACRYPTO=true
>
> Hi All,
>
> Was hoping the list would be so kind to help me better understand the
> proper configuration when one side is behind a NAT router.
>
> Here is what I have so far (which of course isn't working ...)

I apologize I didn't really look too closely over your config, but 
here's a general rule for working behind NATs.

On the LEFT machine, where the left machine is behind the NAT:
left = your local IP address (192.168.x, etc)
right = the PUBLIC IP address of right

Maybe that will help you.  If not, do you have some log excerpts you can 
show from when it fails?  Then I can look at your config and the logs a 
little more in depth later.


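The logs above show the symptom of the NAT rule Willie describes not being applied to the public side: the public host (LEFT) receives IKE from 172.27.10.4, the router's 1:1 NAT address for rhel5secr, but its conn only names 192.168.10.2, so pluto rejects the proposal with "no connection has been authorized". The script below is an added example, not part of the thread and not Openswan code; it parses a conn stanza and pluto log lines (the samples are constructed copies of the ones posted above, trimmed) and flags inbound peers whose address matches neither left= nor right=. The remediation hint it prints (set right= on the public side to the post-NAT address, identify the peer with rightid=, and enable nat_traversal=yes in config setup) is my reading of the usual Openswan setup for a peer behind a 1:1 NAT, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample: the conn stanza from the thread, as posted.
CONN_TEXT = """conn rhel5secr-rhel5gp1
        connaddrfamily=ipv4
        type=tunnel
        authby=secret
        left=172.27.10.2
        right=192.168.10.2
        esp=3des
        keyexchange=ike
        pfs=no
        auto=start
"""

# Constructed sample log lines (shape copied from the LEFT / public side log above, trimmed).
LEFT_LOG = """\
Feb 22 11:27:37 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #1: initiating Main Mode
Feb 22 11:28:47 rhel5gp1 pluto[19007]: "rhel5secr-rhel5gp1" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 22 11:29:11 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: initial Main Mode message received on 172.27.10.2:500 but no connection has been authorized with policy=PSK
Feb 22 11:29:21 rhel5gp1 pluto[19007]: packet from 172.27.10.4:500: initial Main Mode message received on 172.27.10.2:500 but no connection has been authorized with policy=PSK
"""

# Constructed sample log lines (shape copied from the RIGHT / NAT side log above, trimmed).
RIGHT_LOG = """\
Feb 22 12:54:56 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #1: initiating Main Mode
Feb 22 12:56:06 rhel5secr pluto[18478]: "rhel5secr-rhel5gp1" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONN_RE = re.compile(r"^\s*(left|right)=(\S+)\s*$", re.M)
UNAUTH_RE = re.compile(r"packet from " + IP + r":\d+: initial Main Mode message received on "
                       + IP + r":\d+ but no connection has been authorized")
NATT_RE = re.compile(r"packet from " + IP + r":\d+: received Vendor ID payload \[RFC 3947\]")
TIMEOUT_RE = re.compile(r"max number of retransmissions \(\d+\) reached STATE_MAIN_I1")


def parse_conn(text):
    """Return {'left': ip, 'right': ip} from a conn stanza (only the endpoint keys)."""
    return dict(CONN_RE.findall(text))


def analyse(conn_text, log_text):
    """Correlate pluto log lines with the conn endpoints and report NAT-related mismatches."""
    conn = parse_conn(conn_text)
    configured = {conn.get("left"), conn.get("right")}
    unauthorized = Counter()   # source IP -> count of rejected initial Main Mode messages
    natt_peers = set()         # source IPs that advertised RFC 3947 NAT-T support
    timeouts = 0               # our own Main Mode attempts that got no answer at all

    for line in log_text.splitlines():
        m = UNAUTH_RE.search(line)
        if m:
            unauthorized[m.group(1)] += 1
        m = NATT_RE.search(line)
        if m:
            natt_peers.add(m.group(1))
        if TIMEOUT_RE.search(line):
            timeouts += 1

    findings = []
    for peer, n in sorted(unauthorized.items()):
        if peer not in configured:
            hint = ("peer advertises NAT-T; " if peer in natt_peers else "")
            findings.append(
                f"{n} IKE proposal(s) from {peer} rejected: it matches neither left= nor right= "
                f"({sorted(configured)}). {hint}on the public side set right= to the post-NAT "
                f"address, rightid= to the private identity, and nat_traversal=yes in config setup "
                f"(assumed remedy, not from the thread)")
    if timeouts and not unauthorized:
        findings.append(f"{timeouts} Main Mode attempt(s) timed out with no inbound IKE at all: "
                        f"check that {conn.get('left')} is reachable from here on UDP 500/4500")

    return {"configured": configured, "unauthorized_peers": dict(unauthorized),
            "natt_peers": natt_peers, "timeouts": timeouts, "findings": findings}


if __name__ == "__main__":
    for side, log in (("LEFT (public)", LEFT_LOG), ("RIGHT (NAT)", RIGHT_LOG)):
        result = analyse(CONN_TEXT, log)
        print(side)
        for f in result["findings"] or ["no mismatch found"]:
            print("  -", f)
```

Run against real logs by replacing the constructed samples with the output of `grep pluto /var/log/secure` and the actual conn stanza; the check is deliberately simple (address-set membership), so a peer that appears under an address you did not configure is the signal, whatever the NAT type.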

