[Openswan Users] UDP 4500 CAN'T reach after some time

Paul Wouters paul at nohats.ca
Tue Feb 7 14:39:56 EST 2012


On Tue, 7 Feb 2012, Zhiping Liu wrote:

> 1. Connection topology
> connection 1: Server A-->GWA-----INTERNET------------Server B.
> connection 2: Server C-->GWB-----INTERNET------------GWA-->ServerA
> 
> 2. Connection 1 config file on Server A:
> 
> conn STEST2
>         type = tunnel
>         auto = start
>         keyexchange = ike
>         authby = secret
>         auth = esp
>         esp = 3DES-MD5
>         ike = 3DES-MD5-MODP1024
>         aggrmode = yes
>         pfs = yes
>         left = %defaultroute
>         right = #SERVER B IP#
>         leftid = @y
>         rightid = @x
>         dpddelay = 30
>         dpdtimeout = 120
>         dpdaction = restart_by_peer
>         leftsubnets = {x.x.x.x/x.x.x.x}
>         rightsubnets = { x.x.x.x/x.x.x.x }
> #
> 
> 
> 3. Connection 1 config file on Server B:
> 
> conn STEST2
>         type = tunnel
>         auto = add
>         keyexchange = ike
>         authby = secret
>         auth = esp
>         esp = 3DES-MD5
>         ike = 3DES-MD5-MODP1024
>         aggrmode = yes
>         pfs = yes
>         left = %defaultroute
>         right = 0.0.0.0

0.0.0.0 is wrong. It should be #SERVER B IP#. If NATed, it should be the
real actual private IP on the box, not the IP of the NAT box.

>         leftid = @x
>         rightid = @y
>         dpddelay = 30
>         dpdtimeout = 120
>         dpdaction = hold
>         leftsubnets = { x.x.x.x/x.x.x.x }
>         rightsubnets = { x.x.x.x/x.x.x.x }
> 
> 
> Because Server C has to connect to Server A, I have NATed ports 500 and 4500 to Server A on GWA.
> 
> In the beginning everything is fine: the IPsec SA is established and pings succeed from each side to the other, but after a day or two connection 1 is down.
> 
> 4. I checked the tunnel status on Server A and Server B.
>     Server A shows IPsec phase 2.
>     Server B shows IPsec phase 1.

You will need to ensure that the boxes behind NAT have rekey=no. Also,
configs with left=localip and right=0.0.0.0 (or %any) need to have
rekey=no.

I am not sure I understand your NATing port 4500 onto 500 or something.
You should map them one to one, e.g. let 500 go to 500 and 4500 to 4500.

It might help if you draw some ASCII diagrams, because I'm still unsure
I understand your deployment.

Paul
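A small checker for the points raised in this thread (rekey=no for hosts behind NAT or for conns with right=0.0.0.0 / %any, right=0.0.0.0 itself, and the unbalanced braces in the quoted leftsubnets lines). This is added here as an illustration, not code from Openswan or from anyone in the thread; the conn text and subnet values are constructed.

```python
import re

# Constructed sample modelled on the Server B side quoted above:
# right=0.0.0.0, no rekey line, and a doubled brace in leftsubnets.
SAMPLE_CONN = """\
conn STEST2
        type = tunnel
        auto = add
        keyexchange = ike
        authby = secret
        right = 0.0.0.0
        dpddelay = 30
        dpdtimeout = 120
        dpdaction = hold
        leftsubnets = { {10.1.0.0/16 }
"""


def parse_conn(text):
    """Return (name, options) for the first conn block in ipsec.conf-style text."""
    name, opts = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)", line)       # 'conn NAME' starts at column 0
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            opts[key] = val
    return name, opts


def lint_conn(opts, behind_nat=False):
    """Apply the thread's advice; returns a list of warning strings (empty if clean)."""
    warnings = []
    right = opts.get("right", "")
    rekey = opts.get("rekey", "yes")              # Openswan's default is rekey=yes
    if right == "0.0.0.0":
        warnings.append("right=0.0.0.0 is wrong; use the peer's real address")
    if right in ("0.0.0.0", "%any") and rekey != "no":
        warnings.append("right=%s requires rekey=no" % right)
    if behind_nat and rekey != "no":
        warnings.append("host behind NAT requires rekey=no")
    for key in ("leftsubnets", "rightsubnets"):   # catch '{ {a/b }' style typos
        val = opts.get(key, "")
        if val and val.count("{") != val.count("}"):
            warnings.append("%s has unbalanced braces: %s" % (key, val))
    return warnings
```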