[Openswan Users] UDP 4500 CAN'T reach after some time
Paul Wouters
paul at nohats.ca
Tue Feb 7 14:39:56 EST 2012
On Tue, 7 Feb 2012, Zhiping Liu wrote:
> 1. Connection topology
> connection 1: Server A-->GWA-----INTERNET------------Server B.
> connection 2: Server C-->GWB-----INTERNET------------GWA-->ServerA
>
> 2. Connection 1 config file on Server A:
>
> conn STEST2
> type = tunnel
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> esp = 3DES-MD5
> ike = 3DES-MD5-MODP1024
> aggrmode = yes
> pfs = yes
> left = %defaultroute
> right = #SERVER B IP#
> leftid = @y
> rightid = @x
> dpddelay = 30
> dpdtimeout = 120
> dpdaction = restart_by_peer
> leftsubnets = {x.x.x.x/x.x.x.x}
> rightsubnets = { x.x.x.x/x.x.x.x }
> #
>
>
> 3. Connection 1 config file on Server B:
>
> conn STEST2
> type = tunnel
> auto = add
> keyexchange = ike
> authby = secret
> auth = esp
> esp = 3DES-MD5
> ike = 3DES-MD5-MODP1024
> aggrmode = yes
> pfs = yes
> left = %defaultroute
> right = 0.0.0.0
0.0.0.0 is wrong. It should be #SERVER B IP#. If NATed, it should be the
real action private IP on the box, not the IP of the NAT box.
> leftid = @x
> rightid = @y
> dpddelay = 30
> dpdtimeout = 120
> dpdaction = hold
> leftsubnets = { {x.x.x.x/x.x.x.x }
> rightsubnets = { {x.x.x.x/x.x.x.x }
>
>
> Because Server C have to connect to Server A,so I have natted port 500 and 4500 to Server A on GWA.
>
> In the begging,everything is fine,IPSEC SA Established,ping success from each side to other side,but after a day or two,connection 1 is down.
>
> 4. I checked the tunnel status on Server A and Server B.
> Server A shows ipsec phase2
> Server B show ipsec phase1.
You will need to ensure that the boxes behind NAT have rekey=no. also
configs with left=localip and right=0.0.0.0 (or %any) need to have
rekey=no.
I am not sure I understand you NATing port 4500 onto 500 or something.
You should map them one to one, eg let 500 go to 500 and 4500 to 4500.
It might help if you draw some ascii diagrams because I'm still unsure
I understand your deployment.
Paul
More information about the Users
mailing list