[Openswan Users] Openswan-nat-draytek problems
users-bounces at lists.openswan.org
Tue May 24 05:21:02 EDT 2016
Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: "megalooser at gmail.com" <megalooser at gmail.com>
Subject: Openswan-nat-draytek problems
Date: May 24, 2016 at 5:20:25 AM EDT
To: users at lists.openswan.org
Hi all!
I have a problem with an IPsec connection to the DrayTek router from my virtual machine behind NAT.
ipsec.conf config:
config setup
    # full pluto/KLIPS debugging, written to a dedicated log file
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    klipsdebug=all
    protostack=netkey
    # NAT traversal (RFC 3947/3948): IKE floats to UDP/4500 and ESP is UDP-encapsulated
    nat_traversal=yes
    oe=off
    interfaces=%defaultroute
    # private ranges that may appear behind a NATed peer
    virtual_private=%v4:10.5.5.0/24,%v4:192.168.1.0/24

conn test
    type=tunnel
    authby=secret
    auto=start
    dpdaction=restart
    pfs=yes
    ikelifetime=28800s
    keylife=3600s
    # left is the private (pre-NAT) address of the VM;
    # leftid is the public address the DrayTek sees, sent in the ID payload
    left=192.168.1.83
    leftid=93.170.104.146
    leftsourceip=192.168.1.83
    leftsubnet=192.168.1.0/24
    right=91.224.248.173
    rightsubnet=10.5.5.0/24
ipsec.secrets:
    93.170.104.146 %any : PSK "secretkey"
tcpdump on the gateway:
13:10:08.750505 IP 192.168.1.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:08.794034 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:08.796666 IP 192.168.94.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:09.226684 IP 91.224.248.173.isakmp > 192.168.94.83.isakmp: isakmp: phase 1 R ident
13:10:09.231093 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:09.731791 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:10.232527 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:11.233722 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:12.268506 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:13.235952 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:17.240151 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:18.273611 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:25.248161 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:41.260592 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
and in pluto.log:
max number of retransmissions (8) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
On the draytek router (Dial-In Settings):
Allowed Dial-in Type
- IPsec Tunnel
- Peer ID is specified
IKE Authentication Method
- PSK is specified
- Local ID
- Alternative Subject Name First selected
- IPsec Security Method
- Medium(AH) enabled
- High(ESP) enabled
- DES enabled
- 3DES enabled
- AES enabled
TCP/IP Network Settings
- My WAN IP 0.0.0.0
- Remote Gateway IP: 93.170.104.146
- Remote Network IP: 192.168.1.0
- Remote Network Mask: 255.255.255.0
- Local Network IP: 10.5.5.0
- Local Network Mask: 255.255.255.0
Ports 500 and 4500 seem to be open.
Can any of you show me where I'm wrong?
Any help is much appreciated.
Thank you all!
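An added example, not code from the post above or from Openswan: a small Python script that reads tcpdump's one-line ISAKMP summaries and reports whether the responder followed the initiator's switch from UDP/500 to UDP/4500 (the NAT-T port float that follows NAT detection in main mode). The `SAMPLE` lines are taken from the capture quoted in the post, trimmed; the `HEALTHY` lines are constructed to show what a successful float looks like. Function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# tcpdump prints ISAKMP packets as (port names appear unless tcpdump ran with -n)
#   HH:MM:SS.ffffff IP a.b.c.d.isakmp > e.f.g.h.isakmp: isakmp: phase 1 I ident
#   HH:MM:SS.ffffff IP a.b.c.d.ipsec-nat-t > e.f.g.h.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): "
    r"(?P<encap>NONESP-encap: )?isakmp: phase (?P<phase>\d) (?P<role>[IR]) "
    r"(?P<exch>\w+)(?P<enc>\[E\])?"
)
PORT_NAMES = {"isakmp": 500, "ipsec-nat-t": 4500}


@dataclass
class IkePkt:
    t: float          # seconds since midnight, for ordering within one capture
    src: str
    sport: int
    dst: str
    dport: int
    phase: int
    role: str         # "I" initiator / "R" responder, from the ISAKMP header flags
    encrypted: bool   # "[E]": payload is under the phase-1 key (MAIN_I3 onwards)
    nat_encap: bool   # "NONESP-encap": UDP/4500 framing with the 4-byte non-ESP marker


def _port(name: str) -> int:
    return PORT_NAMES.get(name) or int(name)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str) -> Optional[IkePkt]:
    """Return an IkePkt for a tcpdump ISAKMP summary line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IkePkt(t=_seconds(m["ts"]), src=m["src"], sport=_port(m["sport"]),
                  dst=m["dst"], dport=_port(m["dport"]), phase=int(m["phase"]),
                  role=m["role"], encrypted=m["enc"] is not None,
                  nat_encap=m["encap"] is not None)


def diagnose(lines: List[str]) -> dict:
    """Summarise the NAT-T port float seen in a phase-1 capture.

    The float point is the first initiator packet sent to UDP/4500; in a healthy
    exchange the responder answers on 4500 from then on. A responder that keeps
    retransmitting its UDP/500 reply never saw (or rejected) the encrypted
    message on 4500, which is what pluto reports as MAIN_I3 retransmit exhaustion.
    """
    pkts = [p for p in map(parse_line, lines) if p is not None and p.phase == 1]
    floated = [p for p in pkts if p.role == "I" and p.dport == 4500]
    float_t = floated[0].t if floated else None

    i_enc_4500 = sum(1 for p in pkts if p.role == "I" and p.dport == 4500 and p.encrypted)
    r_4500 = sum(1 for p in pkts if p.role == "R" and p.sport == 4500)
    r_500_after = sum(1 for p in pkts if p.role == "R" and p.sport == 500
                      and float_t is not None and p.t > float_t)

    if float_t is None:
        verdict = "no NAT-T port float seen: initiator stayed on UDP/500"
    elif r_4500 > 0:
        verdict = "responder followed the float to UDP/4500"
    elif r_500_after > 0:
        verdict = ("responder never sent on UDP/4500 and kept retransmitting its UDP/500 "
                   "reply after the float: the encrypted message on 4500 was not received "
                   "or not accepted (check UDP/4500 forwarding on the NAT and NAT-T support "
                   "on the peer)")
    else:
        verdict = "responder silent after the float: UDP/4500 is probably blocked"

    return {"packets": len(pkts), "float_at": float_t,
            "initiator_encrypted_on_4500": i_enc_4500, "responder_on_4500": r_4500,
            "responder_on_500_after_float": r_500_after, "verdict": verdict}


# Lines from the capture quoted in the post, trimmed to one round trip on 500
# followed by the encrypted retransmissions on 4500 and the 500-only replies.
SAMPLE = """\
13:10:08.750505 IP 192.168.1.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:08.794034 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:09.231093 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:09.731791 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:12.268506 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:13.235952 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
""".splitlines()

# Constructed contrast: the responder answers the encrypted message on 4500.
HEALTHY = """\
13:10:08.750505 IP 192.168.1.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:08.794034 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:09.231093 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:09.301093 IP 91.224.248.173.ipsec-nat-t > 192.168.1.83.ipsec-nat-t: NONESP-encap: isakmp: phase 1 R ident[E]
""".splitlines()

if __name__ == "__main__":
    for name, capture in (("post", SAMPLE), ("healthy", HEALTHY)):
        print(name, diagnose(capture))
```

Feed it the output of `tcpdump -i <if> udp port 500 or udp port 4500` (without `-n`, or extend `PORT_NAMES` if you capture with it) from the NAT gateway; the useful split is between "responder silent after the float" (4500 blocked somewhere on the path) and "responder kept retransmitting on 500" (4500 reaches the peer, but the peer does not process what arrives there).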