Hello,
after getting rid of some initial problems with my firewall :-) and some "playing" around with ipsec.conf settings, I'm currently testing Super FreeS/WAN 1.99.7.3 with NAT. My test setup is the following:

(x = 192.169)

    FreeS/WAN                Router doing               FreeS/WAN
    "Server"                 NAT to x.245.18            "Client"
    x.245.23 ----- x.245.18           x.201.18 ----- x.201.81
All three boxes are Linux 2.4.x. When I disable NAT on the router I can establish an ESP tunnel from x.201.81 without any problems. But when I enable NAT on the router box with

iptables -t nat -A POSTROUTING -s 192.169.201.0/24 -d 192.169.245.0/24 \
    -o eth1 -j SNAT --to-source 192.169.245.18

without touching the configuration, the tunnel does not get established. Of course NAT-T is compiled into the kernel and I have

nat_traversal=yes

in ipsec.conf.
Here's some output from syslog:
Aug 12 15:53:47 vpn1 ipsec__plutorun: Starting Pluto subsystem...
Aug 12 15:53:47 vpn1 pluto[8676]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.7.3)
Aug 12 15:53:47 vpn1 pluto[8676]: including X.509 patch with traffic selectors (Version 0.9.31)
Aug 12 15:53:47 vpn1 pluto[8676]: including NAT-Traversal patch (Version 0.5a)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Aug 12 15:53:47 vpn1 pluto[8676]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 12 15:53:47 vpn1 pluto[8676]: Warning: empty directory
Aug 12 15:53:47 vpn1 pluto[8676]: Changing to directory '/etc/ipsec.d/crls'
Aug 12 15:53:47 vpn1 pluto[8676]: Warning: empty directory
Aug 12 15:53:47 vpn1 pluto[8676]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Aug 12 15:53:47 vpn1 pluto[8676]: | from whack: got --esp=twofish256-sha1
Aug 12 15:53:47 vpn1 pluto[8676]: | from whack: got --ike=3des
Aug 12 15:53:47 vpn1 pluto[8676]: added connection description "samplehth"
Aug 12 15:53:47 vpn1 pluto[8676]: listening for IKE messages
Aug 12 15:53:47 vpn1 pluto[8676]: adding interface ipsec0/eth0 192.169.245.23
Aug 12 15:53:47 vpn1 pluto[8676]: adding interface ipsec0/eth0 192.169.245.23:4500
Aug 12 15:53:47 vpn1 pluto[8676]: loading secrets from "/etc/ipsec.secrets"
Aug 12 15:54:12 vpn1 pluto[8676]: packet from 192.169.245.18:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 12 15:54:12 vpn1 pluto[8676]: packet from 192.169.245.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 12 15:54:12 vpn1 pluto[8676]: packet from 192.169.245.18:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[1] 192.169.245.18 #1: responding to Main Mode from unknown peer 192.169.245.18
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[1] 192.169.245.18 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[1] 192.169.245.18 #1: Main mode peer ID is ID_IPV4_ADDR: '192.169.201.81'
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18 #1: deleting connection "samplehth" instance with peer 192.169.245.18
Aug 12 15:54:12 vpn1 pluto[8676]: | NAT-T: new mapping 192.169.245.18:500/4500)
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: sent MR3, ISAKMP SA established
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.169.245.23:4500...192.169.245.18:4500[192.169.201.81]===192.169.201.81/32
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.169.245.18:4500
Aug 12 15:54:22 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x78e6f301 (perhaps this is a duplicated packet)
Aug 12 15:54:22 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.169.245.18:4500
Aug 12 15:54:34 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: received Delete SA payload: deleting ISAKMP State #1
Aug 12 15:54:34 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500: deleting connection "samplehth" instance with peer 192.169.245.18
Aug 12 15:54:34 vpn1 pluto[8676]: packet from 192.169.245.18:4500: received and ignored informational message
Aug 12 15:55:34 vpn1 pluto[8676]: shutting down
Aug 12 15:55:34 vpn1 pluto[8676]: forgetting secrets
Aug 12 15:55:34 vpn1 pluto[8676]: "samplehth": deleting connection
Aug 12 15:55:34 vpn1 pluto[8676]: shutting down interface ipsec0/eth0 192.169.245.23
Aug 12 15:55:34 vpn1 pluto[8676]: shutting down interface ipsec0/eth0 192.169.245.23
And here is the ipsec.conf on the client side:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    plutowait=no
    uniqueids=yes
    nat_traversal=yes

conn %default
    keyingtries=0
    keylife=60m

conn samplehth
    type=tunnel
    left=192.169.245.23
    right=192.169.201.81
    rightnexthop=192.169.201.18
    esp=3des
    pfs=yes
    auto=route

The only differences on the "server" side are that "right" is set to "%any", rightnexthop is not set, and "auto" is set to "add". On the server side, I have this entry in ipsec.secrets:

192.169.245.23 %any: PSK "testing"

while I have this one on the client side:

192.169.201.81 192.169.245.23: PSK "testing"
What's the problem with my setup? It seems like the peers are correctly recognizing that right is NATted, but then??? Are there any more settings to make?? These settings work without NAT, just with forwarding between the hosts... and there's no firewalling on any of the three hosts (except of course ip_conntrack on the NAT router ;-) )

Sorry for whining for your help again :-) Any tips appreciated. If more information is needed, please let me know!

Thanks!!
Sven
_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
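A small analyser for pluto syslog lines like the ones quoted in the post, added here as an example and not part of the original post or of FreeS/WAN: per ISAKMP SA it records whether the peer was detected as NATed, the ID it presented, the address and port its packets actually arrived from, and the Phase 2 selector for which "no connection is known", then summarises the failure. The sample lines are constructed from the quoted log with the wrapped lines re-joined.

```python
import re

# Constructed sample modelled on the pluto syslog lines quoted in the post (wrapped lines re-joined).
SAMPLE_LOG = """\
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[1] 192.169.245.18 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[1] 192.169.245.18 #1: Main mode peer ID is ID_IPV4_ADDR: '192.169.201.81'
Aug 12 15:54:12 vpn1 pluto[8676]: | NAT-T: new mapping 192.169.245.18:500/4500)
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: sent MR3, ISAKMP SA established
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.169.245.23:4500...192.169.245.18:4500[192.169.201.81]===192.169.201.81/32
Aug 12 15:54:12 vpn1 pluto[8676]: "samplehth"[2] 192.169.245.18:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.169.245.18:4500
"""

# Optional '"conn"[n] peer[:port] #sa: ' prefix, then the free-text message.
LINE_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)'
                     r'(?::(?P<port>\d+))? #(?P<sa>\d+): )?(?P<msg>.*)')
SELECTOR_RE = re.compile(r'no connection is known for (\S+)')
PEER_ID_RE = re.compile(r"peer ID is (\w+): '([^']+)'")

def analyze_pluto_log(text):
    """Collect NAT-T related facts per ISAKMP SA number (#n) from pluto lines."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group('sa') is None:
            continue  # debug or global line, not tied to an ISAKMP SA
        sa = sas.setdefault(m.group('sa'), dict(
            peer=m.group('peer'), nat_port=None, natted=False, peer_id=None,
            isakmp_up=False, unmatched_selector=None, notifications=[]))
        msg = m.group('msg')
        if m.group('port'):  # peer has floated to the NAT-T port (4500)
            sa['nat_port'] = int(m.group('port'))
        sa['natted'] |= 'peer is NATed' in msg
        sa['isakmp_up'] |= 'ISAKMP SA established' in msg
        if pid := PEER_ID_RE.search(msg):
            sa['peer_id'] = pid.group(2)  # ID the peer claims (its private address when NATed)
        if sel := SELECTOR_RE.search(msg):
            sa['unmatched_selector'] = sel.group(1)  # Phase 2 proposal no conn matched
        if 'sending encrypted notification' in msg:
            sa['notifications'].append(msg.split()[3])
    return sas

def diagnose(sa):
    """Explain a Phase 2 failure for one ISAKMP SA using only the logged facts."""
    if sa['unmatched_selector'] is None:
        return 'no Phase 2 rejection logged'
    why = 'Phase 2 rejected: no conn matches ' + sa['unmatched_selector']
    if sa['natted'] and sa['peer_id'] and sa['peer_id'] != sa['peer']:
        why += ('; peer is NATed: claims ID %s but its packets arrive from %s:%s'
                % (sa['peer_id'], sa['peer'], sa['nat_port']))
    return why
```

Running `diagnose(analyze_pluto_log(SAMPLE_LOG)['1'])` on the sample shows the mismatch between the ID the NATed client presents (its private address) and the router address its packets come from, which is the combination the server's connection lookup rejected.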
