(super-) freeswan UDP NAT-T connection problem

From: Hugo Kawamorita de Souza (hugo_at_icaro.com.br)
Date: 06/26/03


Date: 26 Jun 2003 06:15:37 -0700

Hello,

I am trying to set up an IPSec site-to-site VPN between 2 Linux boxes
(RedHat 9.0 and 7.2, with base kernels 2.4.20-18.9 and 2.4.20-18.7)
using Super-Freeswan 1.99.7.3 (super-freeswan-1.99.7.3).

I was able to establish the VPN WITHOUT the UDP/ESP NAT-T.
However, I would like (need) to enable NAT-T, but I couldn't.

There are 4 Linux boxes in the setup: 2 VPN gateways at the ends and 2
other Linux routers in the middle (one of these is doing SNAT in one
direction):

   LEFT           LEFT GW            RIGHT GW          RIGHT
 A.B.C.15         A.B.C.24           A.E.C.16         A.E.C.1
    |             A.D.C.24           A.D.C.16            |
    |                |              ( SNAT <- )          |
    |                |                  |                |
    |                |                  |                |
    -------------| Encore switching Hub |-----------------

The 2 Linux GWs in the middle both have a virtual interface eth0:0 to
simulate different networks.

The SNAT maps the right IP (A.E.C.1) to RIGHT GW's outgoing IP
(A.D.C.16) when RIGHT sends packets to the left side.

Well, when I try to establish the NAT-T VPN, I get the following messages
in /var/log/secure:

Jun 25 18:44:46 w3 pluto[2131]: packet from A.D.C.16:500: initial Main Mode message received on A.B.C.15:500 but no connection has been authorized
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: initial Main Mode message received on A.B.C.15:500 but no connection has been authorized

Here follows my ipsec.conf:

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        # Enabling NAT Traversal
        nat_traversal=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand

# NAT-T Test : w3 - liberty - ariane(NAT) - salyut
conn w3-liberty-ariane-salyut
        left=A.B.C.15
        leftsubnet=X.Y.W.Z/26
        leftid=@X.Y.W.Z.domain.com.br
        leftrsasigkey=0sAQOM1bhgZXn6AfYpDE2fiuo6UFJm5EUzwH0ogORlxMP6ek6m2UGzjdgJOsugsIdlTpcFtTlAMrQOhDp+ya4zXmXmJ2oyadA/QY/XkAq4MENtJ9Yk/W5z2C9zfaZ882BJKMWQ37mQhwgAYA4Sa3rVb2miQ7C+g1aRZfhKjUiuZJ+UQYNVoV4HLJUPVVfwJESFXhnDPtZP4W4WM2OpIuz9CB1h0/AseJilMC71D+hgDnqAEYAPsxqdCIaPPtVr3vYJ05L1FvNNNqJIz/VxGgTmu4HAtOcotiTlXH21fqJlRksR2rUUJY/kXZ2qX619FOV7MzfUwjxm+GxcFSwqwBcdEa/3sI65+R4aESVXIXmuE9kHXwFT
        leftnexthop=A.B.C.24
        right=A.E.C.1
        rightsubnet=M.N.O.P/24
        rightid=@salyut.domain.com.br
        rightrsasigkey=0sAQO+MzC+QX/cazunQ16NnO1XnAiAMzRiOie/YEJpFjjIImImkZVsxSZVKXm7jKvbj48SDts+SjU/N1kx0RJsRnd20JrcMeR4lJyEitbRRjr36+rbIPWFRqpqEFxhZYHE0suyNyKlB6KE3LjgJNxbRjHkTWXOIQbjnkE/AeZ8sWsll/Mcren/q/KbU5R1WJi1WmmX+vfa/wNBGFGgvHULEl1rV7Q6lABmerbug9aQrLAFuwy7oZ8bQRrFrjqoPLlE/Fvqd2kVBnrTycmZWZwB09TY0OB1ehddeSrn61c4RVZv/U4uQN7t08NBux4X8JqS6By59WmC2aVvcv+q+pK/UXviBWua+Q331JQUgIxiBvywwwTX
        rightnexthop=A.E.C.16
        auto=add

I would like to have any documentation/info/HOWTO/guide/tutorial about the
NAT-T patch setup.
Also, any help will be very much appreciated. Thanks in advance.

Regards,

Hugo K.S.
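Editor's note on reading the log above: every one of the five pluto lines reports the peer as A.D.C.16:500, which is the address the post gives for RIGHT GW's SNAT side, while the conn in the posted ipsec.conf names right=A.E.C.1. Pluto selects the conn for an incoming Main Mode message by the packet's source address (or a wildcard such as right=%any), so the first thing to check in a "no connection has been authorized" log is whether the rejected source address appears as left= or right= in any conn at all. The script below is an added example, not code from the post or from FreeS/WAN. It embeds the post's log lines and a trimmed copy of the post's conn (RSA keys, IDs and subnets left out; the file is assumed to contain only that one conn) and returns each rejected source address that matches no conn, together with the NAT-T draft Vendor IDs that peer announced. It only says which peer is unmatched, not what conn to write for it.

```python
import re
from collections import defaultdict

# Log lines and a trimmed ipsec.conf, both copied from the post above.
# Addresses are the post's own placeholders (A.D.C.16, A.E.C.1, ...).
PLUTO_LOG = """\
Jun 25 18:44:46 w3 pluto[2131]: packet from A.D.C.16:500: initial Main Mode message received on A.B.C.15:500 but no connection has been authorized
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: initial Main Mode message received on A.B.C.15:500 but no connection has been authorized
"""

# Keys, IDs and subnets omitted; assumed to be the only conn in the file.
IPSEC_CONF = """\
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes

conn %default
        authby=rsasig

conn w3-liberty-ariane-salyut
        left=A.B.C.15
        leftnexthop=A.B.C.24
        right=A.E.C.1
        rightnexthop=A.E.C.16
        auto=add
"""

LOG_RE = re.compile(
    r"pluto\[\d+\]: packet from (?P<src>[^:]+):(?P<port>\d+): (?P<msg>.*)$")
VID_RE = re.compile(r"(received|ignoring) Vendor ID payload \[(?P<vid>[^\]]+)\]")


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for a FreeS/WAN-style ipsec.conf.

    Sections start in column 0 ("config setup", "conn NAME"); parameters are
    indented key=value lines.  Comments and blank lines are skipped and
    surrounding double quotes are removed from values.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_pluto_log(text):
    """Yield (source_ip, message) for every 'packet from X:port:' pluto line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("msg")


def unauthorized_peers(conf, log):
    """Map rejected source addresses that match no conn to their NAT-T VIDs.

    A source is "rejected" when pluto logged "no connection has been
    authorized" for it.  Sources equal to some conn's left= or right= are
    dropped, so the result is exactly the set of peers pluto has no conn for.
    """
    sections = parse_ipsec_conf(conf)
    known = set()
    for name, params in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            known.update(params[k] for k in ("left", "right") if k in params)
    rejected, vids = set(), defaultdict(set)
    for src, msg in parse_pluto_log(log):
        if "no connection has been authorized" in msg:
            rejected.add(src)
        m = VID_RE.match(msg)
        if m:
            vids[src].add(m.group("vid"))
    return {src: sorted(vids[src]) for src in rejected if src not in known}


if __name__ == "__main__":
    for src, drafts in unauthorized_peers(IPSEC_CONF, PLUTO_LOG).items():
        print(f"{src}: rejected, matches no conn; announced {drafts}")
```

Run against the post's data this reports A.D.C.16 as the only rejected peer with no matching conn, announcing the nat-t-ike-00, -02 and -03 drafts. The point of the cross-check is that the address to compare against is the one pluto sees on the wire, which for a peer behind SNAT is the NAT's outside address, not the peer's own address.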


