[Openswan Users] Host-to-host connection with SAref without tunneling

Eduard Veleba eduard.veleba at emtc.cz
Fri Jan 18 05:46:19 EST 2013 

Hello,

 

I need to set up host-to-host IPsec encrypted (ESP) connection without any
VPN (just "plain" transport mode). There's our server with public IP address
on the left side and many clients (with different OS) with different IP
addresses (some of them on public addresses, some of them behind NAT, some
of them even behind the very same NAT).

 

As I need to handle multiple clients behind the same NAT, I assume I need to
use MAST stack and SAref patched kernel. I have now both functional (kernel
is patched and I can modprobe ipsec without problems) and command "ipsec
verify" shows "OK" for SAref support as well.

 

I don't want to use L2TP or any other tunneling, I just need to secure
connection to that single IP address (server address) with ESP.

 

My ipsec.conf looks like this (our IP address replaced with 1.2.3.4):



version 2.0

 

config setup

    nat_traversal=yes

    protostack=mast

    virtual_private=%v4:1.2.3.4/32,%v4:!0.0.0.0/0

 

conn host-to-host

    authby=secret

    pfs=no

    auto=add

    keyingtries=3

    rekey=no

    sareftrack=yes

    overlapip=yes

    dpddelay=10

    dpdtimeout=90

    dpdaction=clear

    ikelifetime=8h

    keylife=1h

    type=transport

    left=1.2.3.4

    right=%any

 

And when I start Openswan, clients are able to associate (I see multiple
SAs), but ping doesn't work. Mast interface looks like this:

 

mast0     Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:26840 (26.2 KiB)  TX bytes:0 (0.0 B)

 

The strange thing is I can see ping requests on mast0 with tcpdump and also
if I change stack from MAST to KLIPS or NETKEY, everything works well
(except only one client behind each NAT can connect, I assume that SAref is
supported only in MAST stack).

 

What may I be doing wrong? Are my assumptions about the need of using MAST
stack correct or can I get SAref support with KLIPS stack somehow?

 

Thanks!

 

  _____  

Eduard Veleba

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130118/b6765101/attachment.html>

More information about the Users mailing list