
NAT-T and openswan?



Hi all,

I'm trying out NAT-T and I'm finding the following problem.

I have a NAT firewall in between my VPN gateway [1] and another VPN endpoint
box [2] (specifically an IPCop 1.3.0 box - it is such a box for ease of
configuration at the remote end by the remote people).

  +-----+              +-----------+            +----+
  |  1  |  <- switch --| Firewall  | --switch-> | 2  |
  +-----+              +-----------+            +----+
<-10.0.3.1
  10.0.2.2->           <-10.0.2.1
                            NAT
                          10.0.0.2->           <-10.0.0.3
                                                 10.0.1.1->

Machine 1 is nat'd, while 2 is not (2 is simulating a remote end point).
Machine 1 is running a 2.6 kernel with OpenSWan 2.1.5, machine 2 is
running IPCop 1.3.0 with SuperFreeSwan 1.99_kb2c.

What I'm seeing in terms of packet flow is they try to negotiate an SA,
but get a no-proposal-chosen response from the remote end.

The configs that I have for them are:

config setup
    interfaces="..."
    nat_traversal=yes
    virtual_private=vnet:%all

conn %default
    keyingtries=0

conn test
    authby=secret
    left=10.0.2.2
    leftnexthop=%direct
    compress=no
    leftsubnet=10.0.3.0/24
    right=10.0.0.3
    rightsubnet=10.0.1.0/24
    rightnexthop=%direct
    auto=start

Any help is appreciated. Cheers,
Dave

-- 
Dave Harrison, Systems Administrator, Sensory Networks
    email:          David.Harrison@sensorynetworks.com
    phone:          [W] +61-2-8302-2700 
    fingerprint:    E29F 2D6A FA27 5B0B B429  F8D3 5318 22D6 E775 2241


