[Openswan Users] NAT & noNAT

Pete Ashdown pashdown at xmission.com
Wed Sep 21 11:15:21 EDT 2011


I still can't get noNAT to work with nat_traversal=yes and L2TP-PSK-NAT
configured.  As soon as I change nat_traversal to no and comment
L2TP-PSK-NAT, it works fine.  The logs show that NAT is not detected, but
L2TP-PSK-noNAT is not being considered when using a public IP address:

"L2TP-PSK-NAT"[3] 198.X.X.168 #9: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: ignoring informational payload, type
IPSEC_INITIAL_CONTACT msgid=00000000
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: Main mode peer ID is ID_IPV4_ADDR:
'198.X.X.168'
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: new NAT mapping for #9, was
198.X.X.168:500, now 198.X.X.168:4500
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: the peer proposed: 74.X.X.1/32:17/1701 ->
198.X.X.168/32:17/0
"L2TP-PSK-NAT"[3] 198.X.X.168 #9: cannot respond to IPsec SA request
because no connection is known for
74.X.X.1<74.X.X.1>[+S=C]:17/1701...198.X.X.168[+S=C]:17/57507

After I set nat_traversal=no and comment out L2TP-PSK-NAT, it looks like this:

"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: responding to Main Mode from unknown
peer 198.X.X.168
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT msgid=00000000
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: Main mode peer ID is ID_IPV4_ADDR:
'198.X.X.168'
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}
"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: the peer proposed: 74.X.X.1/32:17/1701
-> 198.X.X.168/32:17/0
"L2TP-PSK-noNAT"[1] 198.X.X.168 #2: responding to Quick Mode proposal
{msgid:0b67d6a3}
"L2TP-PSK-noNAT"[1] 198.X.X.168 #2:     us: 74.X.X.1<74.X.X.1>[+S=C]:17/1701
"L2TP-PSK-noNAT"[1] 198.X.X.168 #2:   them: 198.X.X.168[+S=C]:17/0
"L2TP-PSK-noNAT"[1] 198.X.X.168 #2: transition from state STATE_QUICK_R0 to
state STATE_QUICK_R1
"L2TP-PSK-noNAT"[1] 198.X.X.168 #2: STATE_QUICK_R1: sent QR1, inbound IPsec
SA installed, expecting QI2
"L2TP-PSK-noNAT"[1] 198.X.X.168 #2: transition from state STATE_QUICK_R1 to
state STATE_QUICK_R2
"L2TP-PSK-noNAT"[1] 198.X.X.168 #2: STATE_QUICK_R2: IPsec SA established
transport mode {ESP=>0x0c04d426 <0x253046ff xfrm=AES_256-HMAC_SHA1
NATOA=none NATD=none DPD=none}

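The two log excerpts above differ in one observable way: in the first, pluto binds the ISAKMP SA to "L2TP-PSK-NAT", reports "no NAT detected", and then refuses the Quick Mode proposal because no connection matches; in the second, the same peer lands on "L2TP-PSK-noNAT" and the IPsec SA is installed. The following is an added example (not code from the post or from Openswan) that parses pluto log records of the shape `"conn"[instance] peer #sa: message`, tracks each SA's NAT-T result and outcome, and flags the mismatch the post describes. It assumes each record has been rejoined onto a single line (the mail wrapped them) and embeds constructed copies of the post's records as sample input.

```python
import re

# One pluto record: "conn"[instance] peer #sa-number: message
PLUTO_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\]\s+(?P<peer>\S+)\s+#(?P<sa>\d+):\s+(?P<msg>.*)$'
)


def parse_pluto_line(line):
    """Return the fields of one pluto log record, or None for other lines."""
    m = PLUTO_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["inst"] = int(rec["inst"])
    rec["sa"] = int(rec["sa"])
    return rec


def analyse(lines):
    """Group records per (conn, sa) and record what happened to that SA."""
    sas = {}
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["sa"])
        st = sas.setdefault(key, {
            "conn": rec["conn"], "sa": rec["sa"], "peer": rec["peer"],
            "nat_result": None, "isakmp_established": False,
            "ipsec_established": False, "rejected": False, "proposal": None,
        })
        msg = rec["msg"]
        if msg.startswith("NAT-Traversal: Result"):
            # e.g. "... (MacOS X): no NAT detected" -> "no NAT detected"
            st["nat_result"] = msg.rsplit(": ", 1)[-1]
        elif "ISAKMP SA established" in msg:
            st["isakmp_established"] = True
        elif "IPsec SA established" in msg:
            st["ipsec_established"] = True
        elif msg.startswith("the peer proposed: "):
            st["proposal"] = msg[len("the peer proposed: "):]
        elif msg.startswith("cannot respond to IPsec SA request"):
            st["rejected"] = True
    return sas


def diagnose(lines):
    """Flag ISAKMP SAs where NAT-T found no NAT yet Quick Mode was refused
    because the selected conn did not cover the proposal."""
    findings = []
    for st in analyse(lines).values():
        if (st["isakmp_established"] and st["nat_result"] == "no NAT detected"
                and st["rejected"]):
            findings.append(
                f'{st["conn"]} #{st["sa"]} peer {st["peer"]}: no NAT detected, '
                f'but proposal "{st["proposal"]}" was rejected (no matching conn); '
                f'the noNAT conn was not selected for this peer')
    return findings


# Constructed sample input: the post's records, rejoined onto single lines.
NAT_LOG = [
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: Main mode peer ID is ID_IPV4_ADDR: \'198.X.X.168\'',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: new NAT mapping for #9, was 198.X.X.168:500, now 198.X.X.168:4500',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: the peer proposed: 74.X.X.1/32:17/1701 -> 198.X.X.168/32:17/0',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: cannot respond to IPsec SA request because no connection is known for 74.X.X.1<74.X.X.1>[+S=C]:17/1701...198.X.X.168[+S=C]:17/57507',
]
NONAT_LOG = [
    '"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: responding to Main Mode from unknown peer 198.X.X.168',
    '"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}',
    '"L2TP-PSK-noNAT"[1] 198.X.X.168 #1: the peer proposed: 74.X.X.1/32:17/1701 -> 198.X.X.168/32:17/0',
    '"L2TP-PSK-noNAT"[1] 198.X.X.168 #2: responding to Quick Mode proposal {msgid:0b67d6a3}',
    '"L2TP-PSK-noNAT"[1] 198.X.X.168 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0c04d426 <0x253046ff xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}',
]

if __name__ == "__main__":
    for name, log in (("nat_traversal=yes", NAT_LOG), ("nat_traversal=no", NONAT_LOG)):
        print(name, "->", diagnose(log) or "no findings")
```

Run against the first excerpt it reports the single mismatch on SA #9; against the second it reports nothing and `analyse()` shows IPsec SA #2 as established, which is the difference the post is asking about.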