[Openswan Users] NAT & noNAT

Paul Wouters paul at xelerance.com
Wed Sep 21 13:56:23 EDT 2011


On Wed, 21 Sep 2011, Pete Ashdown wrote:

> 
> I still can't get noNAT to work with nat_traversal=yes and L2TP-PSK-NAT configured.  As soon as I change nat_traversal to no and comment L2TP-PSK-NAT, it works fine.  The logs
> show that NAT is not detected, but L2TP-PSK-noNAT is not being considered when using a public IP address:
> 
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected

No NAT.

> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R2: sent MR2, expecting MI3
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: Main mode peer ID is ID_IPV4_ADDR: '198.X.X.168'
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: new NAT mapping for #9, was 198.X.X.168:500, now 198.X.X.168:4500

But here the port changes from 500 to 4500, suggesting NAT?

> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: the peer proposed: 74.X.X.1/32:17/1701 -> 198.X.X.168/32:17/0
> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: cannot respond to IPsec SA request because no connection is known for 74.X.X.1<74.X.X.1>[+S=C]:17/1701...198.X.X.168[+S=C]:17/57507

Do you have rightprotoport=17/%any ?

> After I set nat_traversal=no and comment out L2TP-PSK-NAT, it looks like this:
> 
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: responding to Main Mode from unknown peer 198.X.X.168
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: Main mode peer ID is ID_IPV4_ADDR: '198.X.X.168'
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #1: the peer proposed: 74.X.X.1/32:17/1701 -> 198.X.X.168/32:17/0
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #2: responding to Quick Mode proposal {msgid:0b67d6a3}
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #2:     us: 74.X.X.1<74.X.X.1>[+S=C]:17/1701
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #2:   them: 198.X.X.168[+S=C]:17/0
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> "L2TP-PSK-noNAT"[1] 198.X.X.168 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0c04d426 <0x253046ff xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

I'm a little confused why that works.

Is this a recent openswan?

Paul
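The connection pair Paul's question refers to, as an added illustration and not the original poster's actual config: a standard Openswan L2TP/IPsec transport-mode setup in ipsec.conf. The noNAT conn carries rightprotoport=17/%any, which is what lets a Quick Mode proposal from an arbitrary client source port (the 17/57507 in the quoted failure line, or the 17/0 wildcard in the working noNAT log) match; the NAT conn layers rightsubnet=vhost:%priv on top so a client behind NAT is matched on its private address. The server address reuses the 74.X.X.1 placeholder from the quoted log and the virtual_private ranges are assumed values.

```ini
# ipsec.conf (added example; placeholder addresses, not the poster's config)
config setup
    nat_traversal=yes
    # private ranges a NAT'ed client may present as its inner address (assumed)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Client behind NAT: its inner address comes from virtual_private
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

# Client on a public address (no NAT detected)
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    # server side: L2TP on UDP 1701
    left=74.X.X.1
    leftprotoport=17/1701
    # client side: accept any source port; a fixed 17/1701 here would not
    # match a proposal for 17/57507 or for the 17/0 wildcard
    right=%any
    rightprotoport=17/%any
```

With nat_traversal=yes both conns are loaded; the vhost:%priv selector is what steers a NAT'ed client to L2TP-PSK-NAT, while a public-address client should fall through to L2TP-PSK-noNAT.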

