theoleyre fabrice wrote:

Hi,

I installed a VPN server on my Leaf box for the road
warrior connections:

 ________________     __________     ________________________
| Client (winxp) |---| Internet |---| Leaf Bering-uClibc 2.2 |
|________________|   |__________|   |________________________|


I use ipsec, ipsecx509, ... and set a valid ipsec.conf.
I authenticate my clients with X.509 certificates, with
a common CA.
Everything works (SA established, ping between the Leaf box
and the client via the ipsec tunnel, valid ipsec
eroute...).

But (of course, something goes wrong) I have some
clients which are behind a NAT:

 ________________     ____________     __________     ________________________
| Client (winxp) |---| NAT Router |---| Internet |---| Leaf Bering-uClibc 2.2 |
|________________|   |____________|   |__________|   |________________________|


And these clients don't connect to the Leaf box (they exit
after the STATE_MAIN_R2 phase; for details see below).
The clients use the VPN package for Windows XP
provided by http://vpn.ebootis.de/.
However, I set "nat_traversal=yes" in the
ipsec.conf file.
And in the "/var/log/auth.log" file, the client is
detected as being behind a NAT ("peer is NATED").

Am I forgetting a step needed to allow connections
from clients behind a NAT?

I haven't worked with IPSec NAT traversal, but IIRC it's simply sending the protocol 50/51 traffic via UDP port 500, and *BOTH* ends have to be configured properly to do this (I don't believe it auto-negotiates).


Is your winxp client set to use NAT traversal?

Also, do you have any logs from the winxp side, and maybe some earlier logs from the LEAF side?

With what you provided, it's hard to tell how much worked properly at the initial connection setup, but it looks like your LEAF box is trying to send UDP port 500 'keep-alive' packets to the far end (to prevent the connection masquerading in your NAT router from timing out) and it never gets a response (strongly suggesting the winxp box isn't properly configured for NAT traversal IPSec).

--
Charles Steinkuehler
[EMAIL PROTECTED]
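For reference, here is an added example (not from this thread, the ebootis package, or the LEAF project) of the LEAF-side ipsec.conf pieces a road-warrior connection with X.509 authentication needs once clients sit behind a NAT; it assumes FreeS/WAN with the X.509 and NAT-T patches (Openswan-style syntax), and the certificate file name and LAN subnet are assumptions.

```ini
# Added example, not the poster's ipsec.conf. Assumed: FreeS/WAN with the
# X.509 and NAT-T patches, server cert in /etc/ipsec.d/certs/leafbox.pem,
# LAN 192.168.1.0/24 behind the LEAF box.

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    # Enable NAT-Traversal: IKE stays on UDP 500, ESP is wrapped in UDP 4500.
    nat_traversal=yes
    # RFC 1918 ranges a NATed client may present as its inner address.
    # The LEAF box's own LAN is excluded so a client cannot claim it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
    keyingtries=0
    authby=rsasig

conn roadwarrior
    left=%defaultroute
    leftcert=leafbox.pem            # assumed server certificate file name
    leftsubnet=192.168.1.0/24       # assumed LAN behind the LEAF box
    right=%any                      # road warriors connect from any address
    rightrsasigkey=%cert            # take the peer's key from its X.509 cert
    rightca=%same                   # peer cert must chain to the same CA
    # Accept the client's private address behind the NAT (%priv), or no
    # subnet at all (%no) for a client that is not NATed.
    rightsubnet=vhost:%no,%priv
    auto=add
```

The firewall on the LEAF box must also pass UDP port 4500 (in addition to UDP 500 and ESP), since NAT-T carries the ESP traffic inside UDP 4500; a rule that only opens UDP 500 leaves Phase 2 traffic dropped even though IKE appears to start.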

