[Openswan Users] How to configure nat_traversal in /etc/ipsec.conf
tony.blue.mailinglist at gmx.de
Sun Jan 6 15:28:46 EST 2013
Hello,

I am trying to connect my iPhone through a VPN (IPsec/L2TP) tunnel
1) from the mobile Internet and
2) from within my WLAN.
The network structure looks like this:

                                         LAN (192.168.0.X)
                                                 |
iPhone (192.168.4.3) --- WLAN --- Router/Firewall (192.168.4.254) --- Internet (dynamic IP) --- iPhone (dynamic IP)
        |                                |             |                                                |
        +------ VPN2 (ipsec/l2tp) -------+             +-------------- VPN1 (ipsec/l2tp) ---------------+
With nat_traversal=yes, VPN1 works but VPN2 does not.
With nat_traversal=no, VPN1 does not work but VPN2 does.
How can I configure openswan so that both VPN1 and VPN2 work?
----> /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    nhelpers=0
    oe=off
    protostack=netkey

# Add connections here
conn L2TP-PSK           # VPN1
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add

conn L2TP-PSK-WLAN      # VPN2
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=192.168.4.254
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
---> /etc/ipsec.secrets
include /var/lib/openswan/ipsec.secrets.inc
(ppp0) XX.XX.XX.XX %any: PSK "secret1"
(wlan) 192.168.4.254 %any: PSK "secret2"
---> /var/log/auth.log with nat_traversal=yes, trying to connect VPN2:
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: responding to Main Mode from unknown peer 192.168.4.3
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: Main mode peer ID is ID_IPV4_ADDR: '192.168.4.3'
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: new NAT mapping for #12, was 192.168.4.3:500, now 192.168.4.3:4500
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: the peer proposed: 192.168.4.254/32:17/1701 -> 192.168.4.3/32:17/0
Jan 6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #13: ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal is detected
Jan 6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #13: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.4.3:4500
Jan 6 20:42:59 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: the peer proposed: 192.168.4.254/32:17/1701 -> 192.168.4.3/32:17/52511
...
Jan 6 20:43:23 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #22: ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal is detected
Jan 6 20:43:23 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #22: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.4.3:4500
Jan 6 20:43:26 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: received Delete SA payload: deleting ISAKMP State #12
Jan 6 20:43:26 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3: deleting connection "L2TP-PSK-WLAN" instance with peer 192.168.4.3 {isakmp=#0/ipsec=#0}
Jan 6 20:43:26 micky pluto[7159]: packet from 192.168.4.3:4500: received and ignored informational message
-----> /etc/ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    #
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0
    oe=off
    protostack=netkey

# Add connections here
conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add

# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
# include /etc/ipsec.d/examples/no_oe.conf

conn L2TP-PSK-WLAN
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=192.168.4.254
    # leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add

# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
# include /etc/ipsec.d/examples/no_oe.conf
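The log in the post shows one specific failure pattern: for the iPhone on the WLAN, pluto's NAT-T detection concludes "no NAT detected", the peer nevertheless moves to UDP/4500 and proposes the RFC 3947 UDP-Encapsulated-Transport mode, and pluto answers every Quick Mode proposal with BAD_PROPOSAL_SYNTAX. The script below is an added example for this thread, not code from the post or from Openswan. It parses pluto lines of that shape, groups them per connection instance and peer (so the ISAKMP state #12 and the child states #13, #22 it spawns land in one bucket) and reports whether the NAT-T result matches what the peer then proposed. The "L2TP-PSK-WLAN" sample lines are taken from the post with the mail wrapping removed; the "L2TP-PSK" lines for a NATed peer (address 203.0.113.7, the "peer is NATed" result and the "IPsec SA established" line) are constructed for contrast and are assumptions, not taken from the post.

```python
"""Correlate NAT-T detection with Quick Mode rejections in Openswan pluto logs.

Added example for the mailing-list thread; not part of the post or of Openswan.
"""
import re

# Constructed sample log. The L2TP-PSK-WLAN lines follow the post (wrapped lines
# joined); the L2TP-PSK lines for a NATed peer are hypothetical and use a
# documentation address (203.0.113.7).
SAMPLE_LOG = """\
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: responding to Main Mode from unknown peer 192.168.4.3
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: new NAT mapping for #12, was 192.168.4.3:500, now 192.168.4.3:4500
Jan 6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: the peer proposed: 192.168.4.254/32:17/1701 -> 192.168.4.3/32:17/0
Jan 6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #13: ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal is detected
Jan 6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #13: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.4.3:4500
Jan 6 20:43:26 micky pluto[7159]: packet from 192.168.4.3:4500: received and ignored informational message
Jan 6 21:02:10 micky pluto[7159]: "L2TP-PSK"[1] 203.0.113.7 #30: responding to Main Mode from unknown peer 203.0.113.7
Jan 6 21:02:10 micky pluto[7159]: "L2TP-PSK"[1] 203.0.113.7 #30: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jan 6 21:02:10 micky pluto[7159]: "L2TP-PSK"[1] 203.0.113.7 #30: new NAT mapping for #30, was 203.0.113.7:500, now 203.0.113.7:4500
Jan 6 21:02:10 micky pluto[7159]: "L2TP-PSK"[1] 203.0.113.7 #30: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 6 21:02:11 micky pluto[7159]: "L2TP-PSK"[1] 203.0.113.7 #31: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0b3f2a71 <0x9c1d44e0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:4500 DPD=none}
"""

# syslog prefix, quoted connection name, optional [instance], peer, #state, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
NAT_RESULT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>.+?): (?P<result>.+)$')
NAT_MAP_RE = re.compile(r'new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)$')
UDP_ENCAP_REJECT = 'ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used'


def new_summary():
    return {'nat_method': None, 'nat_detected': None, 'port_change': None,
            'isakmp_established': False, 'ipsec_established': False,
            'udp_encap_rejections': 0, 'bad_proposal_notifies': 0, 'states': set()}


def parse_pluto_log(text):
    """Group pluto lines by (conn, instance, peer) and summarise each exchange.

    Keying on the connection instance rather than the #state number is what lets
    the NAT-T verdict logged on the ISAKMP state be matched with the rejection
    logged on the child (Quick Mode) state a second later."""
    summaries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "packet from a.b.c.d:4500: ..." lines carry no connection tag
        key = (m['conn'], m['inst'], m['peer'])
        s = summaries.setdefault(key, new_summary())
        s['states'].add(int(m['state']))
        msg = m['msg']
        r = NAT_RESULT_RE.search(msg)
        if r:
            s['nat_method'] = r['method']
            s['nat_detected'] = 'no NAT detected' not in r['result']
            continue
        r = NAT_MAP_RE.search(msg)
        if r:
            s['port_change'] = (r['old'], r['new'])
        elif 'ISAKMP SA established' in msg:
            s['isakmp_established'] = True
        elif 'IPsec SA established' in msg:
            s['ipsec_established'] = True
        elif msg.startswith(UDP_ENCAP_REJECT):
            s['udp_encap_rejections'] += 1
        elif 'BAD_PROPOSAL_SYNTAX' in msg:
            s['bad_proposal_notifies'] += 1
    return summaries


def diagnose(s):
    """One-line verdict for a grouped exchange."""
    if s['nat_detected'] is None:
        return 'no NAT-T detection result logged'
    if s['nat_detected']:
        return ('NAT detected; UDP-encapsulated transport mode is expected'
                + (', IPsec SA established' if s['ipsec_established'] else ''))
    if s['udp_encap_rejections']:
        new_port = s['port_change'][1] if s['port_change'] else '?'
        return ('no NAT detected, but the peer moved to %s and proposed UDP-encapsulated '
                'transport mode; pluto refused %d proposal(s) with BAD_PROPOSAL_SYNTAX'
                % (new_port, s['udp_encap_rejections']))
    return 'no NAT detected and no encapsulation mismatch'


if __name__ == '__main__':
    for (conn, inst, peer), s in parse_pluto_log(SAMPLE_LOG).items():
        print('%s[%s] %s states=%s: %s' % (conn, inst, peer, sorted(s['states']), diagnose(s)))
```

Run against a real auth.log the parser skips lines without a connection tag and only reports per connection instance, so the WLAN instance shows up as "no NAT detected ... refused N proposal(s)" while an exchange through a real NAT shows up as "NAT detected".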