[Openswan Users] openswan to natted road warrior

Michael Chesterton chesty at chesterton.id.au
Fri Mar 23 05:53:51 EDT 2012


I don't know where to start. Say I have:

[openswan]1.1.1.1-----(internet)-------2.2.2.1[NAT]10.1.1.1----(3g)----10.1.1.2[router]192.168.1.1---

I don't care about reaching 192.168.1.1 at this stage, I want to be
able to manage the router from the internet.
2.2.2.1 is dynamic (I think it is anyway, let's say that it is), it will change,
and 10.1.1.2 is dynamic (I think it is anyway, let's say that it is), it will change.
In all the reading I've been doing, I can't see how the router gets an IP
address that I can ping from openswan.

The last thing I read was:
https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd
Is that the way to go?

There's another complication, the router is using ipsec-tools,
and there's no shell access, you get given a web interface.
I've read ipsec-tool does/doesn't work with openswan.

This is my openswan config so far

conn test
        left=1.1.1.1
        right=%any
        rightsubnet=vhost:%priv,%no
        rightid=@test
        authby=secret
        auto=add

the last line in the logs on openswan is
Mar 23 20:41:59 test pluto[19649]: "test"[34] 2.2.2.1 #35: STATE_MAIN_R2: sent MR2, expecting MI3

the last few lines on the router are
Jan  1 14:32:21 racoon: INFO: KA list add: 10.1.1.2[4500]->1.1.1.1[4500]
Jan  1 14:32:31 racoon: NOTIFY: the packet is retransmitted by 1.1.1.1[500] (2).
Jan  1 14:32:50 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.1.1.1[0]->10.1.1.2[0]
Jan  1 14:32:50 racoon: INFO: delete phase 2 handler.
Jan  1 14:32:51 racoon: NOTIFY: the packet is retransmitted by 1.1.1.1[500] (2).
Jan  1 14:33:11 racoon: ERROR: phase1 negotiation failed due to time up. 946ecdab9f845724:e3344e9bbd45ab7d
Jan  1 14:33:11 racoon: INFO: KA remove: 10.1.1.2[4500]->1.1.1.1[4500]
Jan  1 14:33:11 admin_user: ipsec_count=0

So it looks like openswan is sending some sort of message (MR2) and the
router is ignoring it or doesn't receive it?

Apologies for the redacted IP addresses, hopefully you can still work out
what's going on and get me a clue stick.
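Added example, not part of the post above: a small Python triage script that parses the pluto and racoon lines quoted in the post (re-joined where the mail client wrapped them, embedded here as constructed sample input) and reports on which side, in which IKE phase, and on which UDP ports the exchange stalled. The function and field names are my own; racoon's "retransmitted by X[port]" notice is read as a retransmitted packet received from peer X on that port.

```python
import re

# Constructed sample input: the two log excerpts from the post, re-joined.
PLUTO_LOG = """\
Mar 23 20:41:59 test pluto[19649]: "test"[34] 2.2.2.1 #35: STATE_MAIN_R2: sent MR2, expecting MI3
"""
RACOON_LOG = """\
Jan  1 14:32:21 racoon: INFO: KA list add: 10.1.1.2[4500]->1.1.1.1[4500]
Jan  1 14:32:31 racoon: NOTIFY: the packet is retransmitted by 1.1.1.1[500] (2).
Jan  1 14:32:50 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.1.1.1[0]->10.1.1.2[0]
Jan  1 14:32:50 racoon: INFO: delete phase 2 handler.
Jan  1 14:32:51 racoon: NOTIFY: the packet is retransmitted by 1.1.1.1[500] (2).
Jan  1 14:33:11 racoon: ERROR: phase1 negotiation failed due to time up. 946ecdab9f845724:e3344e9bbd45ab7d
Jan  1 14:33:11 racoon: INFO: KA remove: 10.1.1.2[4500]->1.1.1.1[4500]
"""

# pluto (openswan responder): per-SA state line, "sent MRn, expecting MIn"
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): '
                      r'(?P<state>STATE_\w+): sent (?P<sent>\w+), expecting (?P<expect>\w+)')
# racoon (initiator behind NAT): NAT-T keepalive registration, retransmit notice, timeouts
KA_RE = re.compile(r'racoon: INFO: KA list add: [\d.]+\[(?P<port>\d+)\]->[\d.]+\[\d+\]')
RETRANS_RE = re.compile(r'racoon: NOTIFY: the packet is retransmitted by (?P<peer>[\d.]+)\[(?P<port>\d+)\]')
FAIL_RE = re.compile(r'racoon: ERROR: phase(?P<phase>[12]) negotiation failed due to time up')

def triage(pluto_log, racoon_log):
    """Summarise where the IKE exchange stalled, using both ends' logs."""
    report = {"responder_state": None, "responder_expects": None,
              "natt_keepalive_port": None, "peer_retransmit_ports": set(),
              "failed_phases": []}
    for line in pluto_log.splitlines():
        if m := STATE_RE.search(line):           # keep the last state seen
            report["responder_state"] = m["state"]
            report["responder_expects"] = m["expect"]
    for line in racoon_log.splitlines():
        if m := KA_RE.search(line):
            report["natt_keepalive_port"] = int(m["port"])
        elif m := RETRANS_RE.search(line):       # peer's packet seen again: our reply never arrived
            report["peer_retransmit_ports"].add(int(m["port"]))
        elif m := FAIL_RE.search(line):
            report["failed_phases"].append(int(m["phase"]))
    # Stalled in phase 1 if the responder is still in a Main Mode state and the
    # initiator gave up on phase 1 before it completed.
    report["stalled_in_phase1"] = (report["responder_state"] or "").startswith("STATE_MAIN_R") \
        and 1 in report["failed_phases"]
    return report

if __name__ == "__main__":
    for key, value in triage(PLUTO_LOG, RACOON_LOG).items():
        print(f"{key}: {value}")
```

Run on the post's excerpts it shows the responder still waiting for MI3 while the initiator, which registered NAT-T keepalives on 4500, keeps seeing the responder's packet from port 500 and times out phase 1.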