[Openswan Users] NAT-Traversal issue

Ozai ozai.tien at gmail.com
Tue Nov 5 10:17:03 UTC 2013


Hi Sirs,

I set up an Openswan VPN client behind the NAT. The test environment is shown below.
It did not work. The traffic did not seem to pass to the server.
I got a message like "NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4".
It seems to be a NAT traversal issue. What kernel feature do I need to enable? Or is there anything else I need to check?
Can someone point me in the right direction? Please help. Thanks.


   2.6.38 client--------------------NAT------------------ 2.6.38 Server
192.168.15.x          192.168.11.x             192.17.200.x               192.168.12.x



Nov  5 10:01:11 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
Nov  5 10:01:11 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Nov  5 10:01:13 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Nov  5 10:01:13 user warn syslog: adjusting ipsec.d to /var/ipsec.d
Nov  5 10:01:13 authpriv warn pluto[11706]: WARNING: 1DES is enabled
Nov  5 10:01:13 authpriv warn pluto[11706]: LEAK_DETECTIVE support [disabled]
Nov  5 10:01:13 authpriv warn pluto[11706]: OCF support for IKE [disabled]
Nov  5 10:01:13 authpriv warn pluto[11706]: NSS support [disabled]
Nov  5 10:01:13 authpriv warn pluto[11706]: HAVE_STATSD notification support not compiled in
Nov  5 10:01:13 authpriv warn pluto[11706]: Setting NAT-Traversal port-4500 floating to on
Nov  5 10:01:13 authpriv warn pluto[11706]:    port floating activation criteria nat_t=1/port_float=1
Nov  5 10:01:13 authpriv warn pluto[11706]:    NAT-Traversal support  [enabled]
Nov  5 10:01:13 authpriv warn pluto[11706]: using /dev/urandom as source of random entropy
Nov  5 10:01:13 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
Nov  5 10:01:13 authpriv warn pluto[11706]: starting up 1 cryptographic helpers
Nov  5 10:01:13 authpriv warn pluto[11711]: using /dev/urandom as source of random entropy
Nov  5 10:01:13 authpriv warn pluto[11706]: started helper pid=11711 (fd:6)
Nov  5 10:01:13 daemon err ipsec_setup: ...Openswan IPsec started
Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
Nov  5 10:01:15 authpriv warn pluto[11706]: added connection description "test"
Nov  5 10:01:15 daemon err ipsec__plutorun: 002 added connection description "test"
Nov  5 10:01:15 authpriv warn pluto[11706]: listening for IKE messages
Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface eth0.1/eth0.1 192.168.11.2:500
Nov  5 10:01:15 daemon err ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal: ESPINUDP(2) not supported by kernel for family IPv4
Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal port floating turned off
Nov  5 10:01:15 daemon err ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(2) not supported by kernel for family IPv4
Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal is turned OFF due to lack of KERNEL support: 0/0
Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface eth0.1/eth0.1 192.168.11.2:4500
Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface br0/br0 192.168.15.254:500
Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface lo/lo 127.0.0.1:500
Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface lo/lo ::1:500
Nov  5 10:01:15 authpriv warn pluto[11706]: loading secrets from "/var/ipsec.secrets"
Nov  5 10:01:17 authpriv warn pluto[11706]: "test": deleting connection
Nov  5 10:01:17 authpriv warn pluto[11706]: added connection description "test"
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: initiating Main Mode
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: received and ignored informational message


config setup
                nat_traversal=yes
                keep_alive=60
                oe=off
                protostack=netkey
                interfaces=%defaultroute

conn test
                left=192.168.11.2
                leftsubnet=192.168.15.0/24
                rightsubnet=192.168.12.0/24
                connaddrfamily=ipv4
                right=192.17.200.110
                ike=3des-md5;modp1024!
                ikelifetime=480m
                type=tunnel
                salifetime=60m
                phase2alg=3des-hmac_md5!
                pfs=no
                phase2=esp
                keyexchange=ike
                authby=secret
                auto=add

Best Regards,
Ozai
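
Added example (not part of the original post and not Openswan code): a stand-alone C probe that asks the running kernel whether it accepts the two ESP-in-UDP encapsulation types on an IPv4 UDP socket, independently of pluto. It assumes the numbers in the "ESPINUDP(1)" and "ESPINUDP(2)" log lines correspond to UDP_ENCAP_ESPINUDP_NON_IKE and UDP_ENCAP_ESPINUDP from <linux/udp.h>; probe_espinudp and espinudp_verdict are names chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Values from <linux/udp.h>, defined here so the file builds without kernel headers. */
#ifndef UDP_ENCAP
#define UDP_ENCAP 100
#endif
#ifndef UDP_ENCAP_ESPINUDP_NON_IKE
#define UDP_ENCAP_ESPINUDP_NON_IKE 1   /* assumed to match "ESPINUDP(1)" in the log */
#endif
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP 2           /* assumed to match "ESPINUDP(2)" in the log */
#endif

/* Returns 0 if the kernel accepts the encapsulation type, otherwise the errno. */
int probe_espinudp(int type)
{
    int sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (sk < 0) return errno;
    int rc = setsockopt(sk, IPPROTO_UDP, UDP_ENCAP, &type, sizeof(type));
    int err = (rc < 0) ? errno : 0;
    close(sk);
    return err;
}

/* Maps a probe result to a short verdict; ENOPROTOOPT means the option was rejected. */
const char *espinudp_verdict(int err)
{
    if (err == 0) return "supported";
    if (err == ENOPROTOOPT) return "not supported by kernel";
    return "probe failed";
}

int main(void)
{
    int types[] = { UDP_ENCAP_ESPINUDP_NON_IKE, UDP_ENCAP_ESPINUDP };
    int unsupported = 0;
    for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
        int err = probe_espinudp(types[i]);
        printf("ESPINUDP(%d) IPv4: %s (errno %d)\n", types[i], espinudp_verdict(err), err);
        unsupported += (err != 0);
    }
    return unsupported ? 1 : 0;   /* non-zero exit if any type was rejected */
}
```

Build it for the client's kernel and run it there; the exit status is non-zero when either encapsulation type is rejected.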