Hi,

I installed a VPN server on my LEAF box for the road warrior connections:

     _______________      __________      ______________________
    | Client (winxp) | --- | Internet |-----| LEAF Bering uClibc 2.2 |
    |________________|     |__________|     |________________________|

I use ipsec, ipsecx509, ... and set a valid ipsec.conf. I authenticate my clients with X.509 certificates, with a common CA. All works (SA established, ping between the LEAF box and the client via the IPsec tunnel, valid IPsec eroute, ...).

But (of course, something goes wrong), I have some clients which are behind a NAT:

     _______________      ____________      __________      ______________________
    | Client (winxp) | ---- | NAT Router |--- | Internet |-----| LEAF Bering uClibc 2.2 |
    |________________|     |____________|     |__________|     |________________________|

And these clients don't connect to the LEAF box (they exit after the STATE_MAIN_R2 phase; for details see below). The clients use the VPN package for Windows XP furnished by http://vpn.ebootis.de/.

However, I set "nat_traversal=yes" in the ipsec.conf file. And in the /var/log/auth.log file, the client is detected as being behind a NAT ("peer is NATED").

Have I forgotten a manipulation to allow the connections from clients behind a NAT?

Regards,
Fabrice

Content of the end of the /var/log/auth.log file:

Oct 19 13:35:56 citi-firewall pluto[3622]: |
Oct 19 13:35:56 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:35:56 citi-firewall pluto[3622]: | event after this is EVENT_NAT_T_KEEPALIVE in 10 seconds
Oct 19 13:35:56 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:35:56 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:35:56 citi-firewall pluto[3622]: |   c8 af dc c0 18 3a 07 0f b6 2f 63 55 32 c8 17 dd ***
Oct 19 13:35:56 citi-firewall pluto[3622]: |   f6 be b7 35 a9 73 8e 6d 5f 00 00 00
Oct 19 13:35:56 citi-firewall pluto[3622]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #8
Oct 19 13:35:56 citi-firewall pluto[3622]: | next event EVENT_NAT_T_KEEPALIVE in 10 seconds
Oct 19 13:36:06 citi-firewall pluto[3622]: |
Oct 19 13:36:06 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:06 citi-firewall pluto[3622]: | event after this is EVENT_RETRANSMIT in 10 seconds
Oct 19 13:36:06 citi-firewall pluto[3622]: | next event EVENT_RETRANSMIT in 10 seconds for #8
Oct 19 13:36:16 citi-firewall pluto[3622]: |
Oct 19 13:36:16 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:16 citi-firewall pluto[3622]: | event after this is EVENT_SHUNT_SCAN in 39 seconds
Oct 19 13:36:16 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:36:16 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:36:16 citi-firewall pluto[3622]: |   c8 af dc c0 18 3a 07 0f b6 2f 63 55 32 c8 17 dd ***
Oct 19 13:36:16 citi-firewall pluto[3622]: |   f6 be b7 35 a9 73 8e 6d 5f 00 00 00
Oct 19 13:36:16 citi-firewall pluto[3622]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #8
Oct 19 13:36:16 citi-firewall pluto[3622]: | next event EVENT_SHUNT_SCAN in 39 seconds
Oct 19 13:36:55 citi-firewall pluto[3622]: |
Oct 19 13:36:55 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:55 citi-firewall pluto[3622]: | event after this is EVENT_RETRANSMIT in 1 seconds
Oct 19 13:36:55 citi-firewall pluto[3622]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Oct 19 13:36:55 citi-firewall pluto[3622]: | scanning for shunt eroutes
Oct 19 13:36:55 citi-firewall pluto[3622]: | next event EVENT_RETRANSMIT in 1 seconds for #8
Oct 19 13:36:56 citi-firewall pluto[3622]: |
Oct 19 13:36:56 citi-firewall pluto[3622]: | *time to handle event
Oct 19 13:36:56 citi-firewall pluto[3622]: | event after this is EVENT_SHUNT_SCAN in 119 seconds
Oct 19 13:36:56 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15 #8: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 19 13:36:56 citi-firewall pluto[3622]: | ICOOKIE: c8 af dc c0 18 3a 07 0f
Oct 19 13:36:56 citi-firewall pluto[3622]: | RCOOKIE: b6 2f 63 55 32 c8 17 dd
Oct 19 13:36:56 citi-firewall pluto[3622]: | peer: 52 e0 79 97
Oct 19 13:36:56 citi-firewall pluto[3622]: | state hash entry 18
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15: deleting connection "test-fw" instance with peer 82.24.1.15
Oct 19 13:36:56 citi-firewall pluto[3622]: | alg_info_delref() alg_info->ref_cnt=1
Oct 19 13:36:56 citi-firewall pluto[3622]: | alg_info_delref() alg_info->ref_cnt=1
Oct 19 13:36:56 citi-firewall pluto[3622]: | next event EVENT_SHUNT_SCAN in 119 seconds

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
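The pluto output above is typical of a NAT-T negotiation that stalls on the responder: the gateway keeps resending the same Main Mode message on UDP 500 until the retransmit limit kills the state. The following triage helper, added here as an example (it is not part of the original post and not code from the LEAF, FreeS/WAN or Openswan projects), parses such debug lines, counts retransmits per ISAKMP state, records which port they went out on, and maps the dead state to the message the responder was waiting for. Its sample log is constructed from the lines quoted above; the "peer is NATED" line is constructed as well, since the post mentions it but does not quote it, so its exact prefix is an assumption. The port-float rule it applies is RFC 3947 behaviour (NAT-D in MM3/MM4, UDP 4500 from MM5 onwards), so a responder stuck in STATE_MAIN_R2 with a NATed peer points at the UDP 4500 path, not at certificates.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto debug lines quoted in the post.
# The "peer is NATED" line is constructed too: the post mentions it but does
# not quote it, so its exact prefix is an assumption.
SAMPLE_LOG = """\
Oct 19 13:35:36 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15 #8: peer is NATED
Oct 19 13:35:56 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:35:56 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:36:16 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:36:16 citi-firewall pluto[3622]: | sending 236 bytes for EVENT_RETRANSMIT through eth0 to 82.24.1.15:500:
Oct 19 13:36:56 citi-firewall pluto[3622]: | handling event EVENT_RETRANSMIT for 82.24.1.15 "test-fw" #8
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15 #8: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 19 13:36:56 citi-firewall pluto[3622]: "test-fw"[6] 82.24.1.15: deleting connection "test-fw" instance with peer 82.24.1.15
"""

HANDLE_RE = re.compile(r'handling event EVENT_RETRANSMIT for (?P<peer>[\d.]+) "(?P<conn>[^"]+)" #(?P<st>\d+)')
SEND_RE = re.compile(r'sending (?P<nbytes>\d+) bytes for EVENT_RETRANSMIT through (?P<iface>\S+) '
                     r'to (?P<peer>[\d.]+):(?P<port>\d+):')
FAIL_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<st>\d+): '
                     r'max number of retransmissions \((?P<limit>\d+)\) reached (?P<state>STATE_\w+)')
NATED_RE = re.compile(r'peer is NATED', re.IGNORECASE)

# IKEv1 Main Mode responder states: message just sent, message awaited, and the
# UDP port the awaited message uses once NAT has been detected (RFC 3947: NAT-D
# payloads travel in MM3/MM4; from MM5 on both sides float to UDP 4500).
RESPONDER_STATES = {
    'STATE_MAIN_R1': ('MM2', 'MM3', 500),
    'STATE_MAIN_R2': ('MM4', 'MM5', 4500),
    'STATE_MAIN_R3': ('MM6', 'QM1', 4500),
}


def analyse(log_text):
    """Return one finding per ISAKMP state that died in retransmission."""
    sends = defaultdict(list)   # state number -> [(port, bytes), ...]
    current = None              # state number whose retransmit is being handled
    natted = set()              # state numbers for which pluto reported a NATed peer
    findings = []
    for line in log_text.splitlines():
        if NATED_RE.search(line):
            m = re.search(r'#(\d+):', line)
            if m:
                natted.add(m.group(1))
            continue
        m = HANDLE_RE.search(line)
        if m:
            current = m.group('st')
            continue
        m = SEND_RE.search(line)
        if m and current is not None:
            sends[current].append((int(m.group('port')), int(m.group('nbytes'))))
            continue
        m = FAIL_RE.search(line)
        if m:
            st = m.group('st')
            findings.append({
                'conn': m.group('conn'),
                'peer': m.group('peer'),
                'state_no': int(st),
                'state': m.group('state'),
                'retransmits': len(sends[st]),
                'limit': int(m.group('limit')),
                'ports': sorted({port for port, _ in sends[st]}),
                'peer_natted': st in natted,
            })
    return findings


def diagnose(finding):
    """Turn a finding into the concrete check a gateway admin should make."""
    info = RESPONDER_STATES.get(finding['state'])
    if info is None:
        return f"{finding['state']}: not a Main Mode responder state, inspect by hand"
    sent, awaited, natt_port = info
    expected = natt_port if finding['peer_natted'] else 500
    head = (f"{finding['conn']} peer {finding['peer']} (#{finding['state_no']}): "
            f"resent {sent} {finding['retransmits']}x on UDP {finding['ports']} "
            f"and never received {awaited}")
    if expected == 4500:
        return head + ("; NAT detected, so that message should arrive on UDP 4500: "
                       "check the gateway firewall allows UDP 4500 in and the client floats ports")
    return head + "; check UDP 500 is reachable in both directions"


if __name__ == '__main__':
    for finding in analyse(SAMPLE_LOG):
        print(diagnose(finding))
```

Run it against a real auth.log (with plutodebug enabled) by passing the file's contents to analyse(); every state that hit the retransmit limit shows up with the port it was still using, which makes a gateway that never opened UDP 4500 stand out immediately.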