Hi,

I installed a VPN server on my LEAF box for the road warriors' connections:

 _________________       ____________       ___________________________
|  Client (winxp)  | --- |  Internet  |-----|  LEAF Bering uClibc 2.2  |
|__________________|     |____________|     |___________________________|

I use ipsec, ipsecx509, ... and set a valid ipsec.conf.
I authenticate my clients with X.509 certificates, with a common CA.
All works (SA established, ping between the LEAF box and the client via the
IPsec tunnel, valid ipsec eroute, ...).

But (of course, something goes wrong) I have some clients which are behind a NAT:

 _________________       ______________       ____________       ___________________________
|  Client (winxp)  | --- |  NAT Router  |--- |  Internet  |-----|  LEAF Bering uClibc 2.2  |
|__________________|     |______________|    |____________|     |___________________________|

And these clients don't connect to the LEAF box (pluto exits after the
STATE_MAIN_R2 phase; for details see below).
The clients use the VPN package for Windows XP provided by http://vpn.ebootis.de/.
However, I set "nat_traversal=yes" in the ipsec.conf file.
And in the /var/log/auth.log file, the client is detected as being behind a NAT
("peer is NATED").

Did I forget a step needed to allow connections from clients behind a NAT?


Regards,

Fabrice
Content of the end of the /var/log/auth.log file:
Oct 19 13:35:56 citi-firewall pluto[3622]: | 
Oct 19 13:35:56 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:35:56 citi-firewall pluto[3622]: | event after this is EVENT_NAT_T_KEEPALIVE in 10 seconds
Oct 19 13:35:56 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:35:56 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:35:56 citi-firewall pluto[3622]: |   c8 af dc c0  18 3a 07 0f  b6 2f 63 55  32 c8 17 dd
***
Oct 19 13:35:56 citi-firewall pluto[3622]: |   f6 be b7 35  a9 73 8e 6d  5f 00 00 00
Oct 19 13:35:56 citi-firewall pluto[3622]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #8
Oct 19 13:35:56 citi-firewall pluto[3622]: | next event EVENT_NAT_T_KEEPALIVE in 10 seconds
Oct 19 13:36:06 citi-firewall pluto[3622]: | 
Oct 19 13:36:06 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:06 citi-firewall pluto[3622]: | event after this is EVENT_RETRANSMIT in 10 seconds
Oct 19 13:36:06 citi-firewall pluto[3622]: | next event EVENT_RETRANSMIT in 10 seconds for #8
Oct 19 13:36:16 citi-firewall pluto[3622]: | 
Oct 19 13:36:16 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:16 citi-firewall pluto[3622]: | event after this is EVENT_SHUNT_SCAN in 39 seconds
Oct 19 13:36:16 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:36:16 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:36:16 citi-firewall pluto[3622]: |   c8 af dc c0  18 3a 07 0f  b6 2f 63 55  32 c8 17 dd
***
Oct 19 13:36:16 citi-firewall pluto[3622]: |   f6 be b7 35  a9 73 8e 6d  5f 00 00 00
Oct 19 13:36:16 citi-firewall pluto[3622]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #8
Oct 19 13:36:16 citi-firewall pluto[3622]: | next event EVENT_SHUNT_SCAN in 39 seconds
Oct 19 13:36:55 citi-firewall pluto[3622]: | 
Oct 19 13:36:55 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:55 citi-firewall pluto[3622]: | event after this is EVENT_RETRANSMIT in 1 seconds
Oct 19 13:36:55 citi-firewall pluto[3622]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Oct 19 13:36:55 citi-firewall pluto[3622]: | scanning for shunt eroutes
Oct 19 13:36:55 citi-firewall pluto[3622]: | next event EVENT_RETRANSMIT in 1 seconds for #8
Oct 19 13:36:56 citi-firewall pluto[3622]: | 
Oct 19 13:36:56 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:56 citi-firewall pluto[3622]: | event after this is EVENT_SHUNT_SCAN in 119 seconds
Oct 19 13:36:56 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15 #8: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 19 13:36:56 citi-firewall pluto[3622]: | ICOOKIE:  c8 af dc c0  18 3a 07 0f
Oct 19 13:36:56 citi-firewall pluto[3622]: | RCOOKIE:  b6 2f 63 55  32 c8 17 dd
Oct 19 13:36:56 citi-firewall pluto[3622]: | peer:  52 e0 79 97
Oct 19 13:36:56 citi-firewall pluto[3622]: | state hash entry 18
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15: deleting connection "test-fw" instance with peer 82.24.1.15
Oct 19 13:36:56 citi-firewall pluto[3622]: | alg_info_delref() alg_info->ref_cnt=1
Oct 19 13:36:56 citi-firewall pluto[3622]: | alg_info_delref() alg_info->ref_cnt=1
Oct 19 13:36:56 citi-firewall pluto[3622]: | next event EVENT_SHUNT_SCAN in 119 seconds
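A small triage helper for pluto debug logs like the one above, added here as an example and not part of the original post or of the LEAF/FreeS/WAN code: it extracts each "max number of retransmissions" event, records which UDP ports pluto retransmitted to for that peer, and flags whether the NAT-T port float to 4500 ever happened. The sample log is constructed from the lines quoted above; the regexes assume the pluto message formats shown there.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the pluto debug log quoted above,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Oct 19 13:35:56 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:35:56 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:36:16 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:36:16 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15 #8: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15: deleting connection "test-fw" instance with peer 82.24.1.15
"""

# syslog prefix as pluto writes it: "Mon DD HH:MM:SS host pluto[pid]: "
PREFIX = r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: '
RE_SEND = re.compile(PREFIX + r'\| sending (\d+) bytes for EVENT_RETRANSMIT '
                     r'through (\S+) to ([\d.]+):(\d+):')
RE_FAIL = re.compile(PREFIX + r'"([^"]+)"\[\d+\] ([\d.]+) #(\d+): max number of '
                     r'retransmissions \((\d+)\) reached (\S+)')


def analyse(log):
    """Return one dict per IKE state on which pluto exhausted its retransmits."""
    sends = defaultdict(set)  # peer ip -> UDP ports pluto retransmitted to
    results = []
    for line in log.splitlines():
        m = RE_SEND.match(line)
        if m:
            sends[m.group(3)].add(int(m.group(4)))
            continue
        m = RE_FAIL.match(line)
        if m:
            conn, peer, st, n, state = m.groups()
            ports = sorted(sends[peer])
            results.append({
                'conn': conn, 'peer': peer, 'state_no': int(st),
                'retransmits': int(n), 'stuck_in': state, 'ports_used': ports,
                # With NAT-T the IKE exchange floats from UDP/500 to UDP/4500 at
                # the Main Mode ID message (the one after MR2). Retransmits only
                # to port 500 at STATE_MAIN_R2 mean the responder kept resending
                # its reply and the client's next message never arrived.
                'floated_to_4500': 4500 in ports,
            })
    return results


if __name__ == '__main__':
    for r in analyse(SAMPLE_LOG):
        print(r)
```

Run it over the full auth.log to see, per peer, the state the handshake died in and whether anything was ever sent to UDP/4500.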
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html