[Openswan Users] Host-to-host connection with SAref without tunneling

Daniel Cave dan.cave at me.com
Fri Jan 18 14:34:18 EST 2013

Have you enabled ip.forwarding in /etc/sysctl.conf?

Also, have you done ipsec auto verify?

On 18 Jan 2013, at 10:46, Eduard Veleba wrote:

> Hello,
> I need to set up host-to-host IPsec encrypted (ESP) connection without any VPN (just „plain“ transport mode). There’s our server with public IP address on the left side and many clients (with different OS) with different IP addresses (some of them on public addresses, some of them behind NAT, some of them even behind the very same NAT).
> As I need to handle multiple clients behind the same NAT, I assume I need to use the MAST stack and a SAref-patched kernel. I now have both functional (the kernel is patched and I can modprobe ipsec without problems), and the „ipsec verify“ command shows „OK“ for SAref support as well.
> I don’t want to use L2TP or any other tunneling, I just need to secure connection to that single IP address (server address) with ESP.
> My ipsec.conf looks like this (our IP address replaced with
> version 2.0
> config setup
>     nat_traversal=yes
>     protostack=mast
>     virtual_private=%v4:,%v4:!
> conn host-to-host
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=3
>     rekey=no
>     sareftrack=yes
>     overlapip=yes
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     ikelifetime=8h
>     keylife=1h
>     type=transport
>     left=
>     right=%any
> And when I start Openswan, clients are able to associate (I see multiple SAs), but ping doesn’t work. Mast interface looks like this:
> mast0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           UP RUNNING NOARP  MTU:16260  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:26840 (26.2 KiB)  TX bytes:0 (0.0 B)
> The strange thing is I can see ping requests on mast0 with tcpdump and also if I change stack from MAST to KLIPS or NETKEY, everything works well (except only one client behind each NAT can connect, I assume that SAref is supported only in MAST stack).
> What may I be doing wrong? Are my assumptions about the need to use the MAST stack correct, or can I get SAref support with the KLIPS stack somehow?
> Thanks!
> Eduard Veleba
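As an added example (not code from the thread or from the Openswan project), a small checker that parses an ipsec.conf shaped like the one quoted above and flags the combinations the discussion turns on: SAref tracking without the MAST stack, right=%any without NAT traversal, and an empty left= address. The sample config and its RFC 5737 addresses are constructed.

```python
"""Consistency checks for an Openswan ipsec.conf (added example, not from the thread)."""
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]

# Constructed sample modelled on the quoted config; addresses are RFC 5737 placeholders.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    protostack=mast
    virtual_private=%v4:10.0.0.0/8,%v4:!192.0.2.0/24
conn host-to-host
    authby=secret
    sareftrack=yes
    overlapip=yes
    type=transport
    left=203.0.113.10
    right=%any
"""

def parse_ipsec_conf(text: str) -> Sections:
    """Unindented lines open a section ('config setup', 'conn NAME');
    indented key=value lines belong to the section opened last."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # section header
            if line.startswith("version"):
                continue
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_saref_setup(sections: Sections) -> List[str]:
    """Return human-readable findings; an empty list means no mismatch found."""
    findings: List[str] = []
    setup = sections.get("config setup", {})
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        uses_saref = conn.get("sareftrack") == "yes" or conn.get("overlapip") == "yes"
        if uses_saref and setup.get("protostack") != "mast":
            findings.append(f"{name}: sareftrack/overlapip need protostack=mast, "
                            f"got {setup.get('protostack', 'unset')}")
        if conn.get("right") == "%any" and setup.get("nat_traversal") != "yes":
            findings.append(f"{name}: right=%any with NATed clients needs nat_traversal=yes")
        if not conn.get("left"):
            findings.append(f"{name}: left= must carry the server's own address")
    return findings
```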
