NAT-T and openswan ?

• Previous message: Kent West: "Re: Real Debian LiveCD?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Thu, 2 Sep 2004 13:54:04 +1000
To: debian-user@lists.debian.org

Hi all,

I'm trying out NAT-T and I'm finding the following problem.

I have a NAT firewall in between my VPN gateway [1] and another VPN endpoint
box [2] (specifically and IPCop 1.3.0 box - it is such a box for ease of
configuration at the remote end by the remote people).

  +-----+ +-----------+ +----+
  | 1 | <- switch --| Firewall | --switch-> | 2 |
  +-----+ +-----------+ +----+
<-10.0.3.1
  10.0.2.2-> <-10.0.2.1
                            NAT
                          10.0.0.2-> <-10.0.0.3
                                                 10.0.1.1->

Machine 1 is nat'd, while 2 is not (2 is simulting a remote end point).
Machine 1 is running a 2.6 kernel with OpenSWan 2.1.5, machine 2 is
running IPCop1.3.0 with SuperFreeSwan 1.99_kb2c

What I'm seeing in terms of packet flow is they try to negotiate an SA,
but get a no-proposal-chosen response from the remote end.

The configs that I have for them are :

config setup
    interfaces="..."
    nat_traversal=yes
    virtual_private=vnet:%all

conn %default
    keyingtries=0

conn test
    authby=secret
    left=10.0.2.2
    leftnexthop=%direct
    compress=no
    leftsubnet=10.0.3.0/24
    right=10.0.0.3
    rightsubnet=10.0.1.0/24
    rightnexthop=%direct
    auto=start

Any help is appreciated. Cheers,
Dave

-- 
Dave Harrison, Systems Administrator, Sensory Networks
    email:          David.Harrison@sensorynetworks.com
    phone:          [W] +61-2-8302-2700 
    fingerprint:    E29F 2D6A FA27 5B0B B429  F8D3 5318 22D6 E775 2241
-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

• Previous message: Kent West: "Re: Real Debian LiveCD?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]