On Wed, 2003-08-13 at 00:03, Slawko wrote:
> Situation:
> [FreeSWAN]  <internet> [IpSec Client]   -- everything is OK.
> [FreeSWAN]  <internet> [NAT] [IpSec Client]   -- ping NOT OK :(  but ipsec
> connection is established correctly (QUICK & MAIN MODE)
> Freeswan version 2.0 with x.509 + NAT-T patch
>
> In log everything seems to be ok:
> ..
> (config)nat_traversal=yes
> (log) NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>
> but what can be wrong ??? PLEASE, HELP ME ...
|Routing? Firewalling? Please post your configuration.

Shouldn't the packets (for example a ping) on the NAT PC be in the UDP
protocol (not IP-SIPP, as I have)?
Client IpSec ..... NAT PC .... <internet>.......FreeS/WAN.

The client sends packets fine to the NAT PC, but the NAT PC does not know that there are
packets for FreeS/WAN (I do not have access to the NAT PC (gateway)) and does
not send them through the dial-up device (IP-SIPP from an unknown port).
In my opinion the NAT-T patch for FreeS/WAN should make sure that ESP packets are
packed in UDP and do not cause problems on the routers on the way to FreeS/WAN.
This should be negotiated while establishing the connection?!
If I have a public IP there is no problem; the problem is only from a local address, e.g.
192.168.0.2. Packets from .2 go to the gateway 192.168.0.1 and get lost on it.

On client side:

conn rw-new
 auto=start
 left=%any
 leftsubnet=172.16.1.2/32    # client PC
 leftid='C=PL, ...'
 right=xx.xx.xx.xx
 rightnexthop=xx.xx.xx.yy
 rightsubnet=xx.xx.xx.xx/32
 rightcert=freeswan-cert.pem

FreeS/WAN side:
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=all
        plutodebug=all
        uniqueids=yes
        nat_traversal=yes

conn rw-new
    #type=tunnel
    auto=add
    pfs=yes
    #authby=rsasig
    #keyingtries=0
    #keyexchange=ike
    ikelifetime=240m
    keylife=60m
    left=%any
    leftsubnet=172.16.1.2/32
    #leftupdown=/usr/local/lib/ipsec/_updown   # doesn't matter if it is running or not
    right=xx.xx.xx.xx
    rightsubnet=xx.xx.xx.xx/32
    rightnexthop=xx.xx.xx.yy
    rightcert=freeswan-cert.pem
    leftcert=client-cert.pem

_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
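The encapsulation the post is asking about, as an added example that is not code from the post or from FreeS/WAN: a small classifier, written here in Python, that reads raw IPv4 packets and tells raw ESP (IP protocol 50, what the post sees as IP-SIPP) apart from IKE on UDP/500 and from NAT-T traffic on UDP/4500. It assumes the port-floating scheme of draft-ietf-ipsec-nat-t-ike-02/03 (later RFC 3948): on port 4500, IKE is prefixed with a four-byte zero "non-ESP marker", while UDP-encapsulated ESP follows the UDP header directly and so starts with its non-zero SPI. The sample packets are constructed inline, and 203.0.113.10 stands in for the gateway's xx.xx.xx.xx placeholder.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_ESP = 50       # listed as SIPP-ESP / IP-SIPP in old /etc/protocols files
IKE_PORT = 500
NATT_PORT = 4500     # floated IKE and UDP-encapsulated ESP (nat-t-ike-02/03, RFC 3948)


def classify(pkt: bytes) -> dict:
    """Return what kind of IPsec-related traffic one raw IPv4 packet carries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": proto,
    }
    payload = pkt[ihl:]
    if proto == PROTO_ESP:
        # Raw ESP: SPI then sequence number; there is no port a NAT could rewrite.
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="esp-raw", spi=spi, seq=seq, udp_encapsulated=False)
    elif proto == PROTO_UDP:
        sport, dport, ulen, _csum = struct.unpack("!HHHH", payload[:8])
        udp_payload = payload[8:ulen]
        info.update(sport=sport, dport=dport, udp_encapsulated=True)
        if IKE_PORT in (sport, dport):
            info["kind"] = "ike"                      # main/quick mode before floating
        elif NATT_PORT in (sport, dport):
            marker = struct.unpack("!I", udp_payload[:4])[0]
            if marker == 0:
                info["kind"] = "ike-natt"             # zero non-ESP marker, IKE follows
            else:
                info.update(kind="esp-udp-encap", spi=marker)  # first word is the SPI
        else:
            info["kind"] = "udp-other"
    else:
        info.update(kind="other", udp_encapsulated=False)
    return info


def diagnose(packets) -> tuple:
    """Count packet kinds and flag raw ESP leaving a private (RFC 1918) address."""
    counts = {}
    problems = []
    for pkt in packets:
        info = classify(pkt)
        counts[info["kind"]] = counts.get(info["kind"], 0) + 1
        if info["kind"] == "esp-raw" and ipaddress.ip_address(info["src"]).is_private:
            problems.append(
                "raw ESP spi=0x%08x from private %s to %s: not UDP-encapsulated, "
                "a NAT gateway has no port to map it on"
                % (info["spi"], info["src"], info["dst"])
            )
    return counts, problems


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample traffic: 203.0.113.10 is a placeholder for the gateway address.
CLIENT, GATEWAY = "192.168.0.2", "203.0.113.10"
ESP_BODY = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16   # constructed SPI, seq, dummy data
IKE_BODY = bytes(range(28))                                    # constructed stand-in for an ISAKMP header

SAMPLE_PACKETS = [
    build_ipv4(CLIENT, GATEWAY, PROTO_UDP, build_udp(500, 500, IKE_BODY)),
    build_ipv4(CLIENT, GATEWAY, PROTO_UDP, build_udp(4500, 4500, b"\x00\x00\x00\x00" + IKE_BODY)),
    build_ipv4(CLIENT, GATEWAY, PROTO_ESP, ESP_BODY),                           # what the post sees
    build_ipv4(CLIENT, GATEWAY, PROTO_UDP, build_udp(4500, 4500, ESP_BODY)),    # what NAT-T should send
]

if __name__ == "__main__":
    counts, problems = diagnose(SAMPLE_PACKETS)
    print(counts)
    for p in problems:
        print("PROBLEM:", p)
```

Run against a real capture, the useful check is whether any `esp-raw` packets leave the client after the log line "peer is NATed": with NAT-T working, post-negotiation ESP from a NATed client should only ever appear as `esp-udp-encap` on port 4500, and the IKE exchange itself should float from port 500 to 4500 once NAT is detected.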