(super-) freeswan UDP NAT-T connection problem

Post by Hugo Kawamorita de Sou » Fri, 27 Jun 2003 22:15:37

Hello,

I am trying to set up an IPSec site-to-site VPN between 2 Linux boxes
(RedHat 9.0 and 7.2 with kernels 2.4.20-18.9 and 2.4.20-18.7)
using Super-Freeswan 1.99.7.3 (super-freeswan-1.99.7.3).

I was able to establish the VPN WITHOUT the UDP/ESP NAT-T.
However, I would like (need) to enable NAT-T, but I couldn't.

There are 4 Linux boxes in the setup: 2 VPN gateways at the ends and 2
other Linux routers in the middle (one of these is doing SNAT in one
direction):

 LEFT       LEFT GW       RIGHT GW          RIGHT
A.B.C.15    A.B.C.24      A.E.C.16         A.E.C.1
   |        A.D.C.24      A.D.C.16            |
   |           |         ( SNAT <- )          |
   |           |             |                |
   |           |             |                |
   -----------| Encore switching Hub |---------

The 2 Linux GWs in the middle both have a virtual interface eth0:0 to
simulate different networks.

The SNAT maps the right IP (A.E.C.1) to RIGHT GW's outgoing IP
(A.D.C.16) when RIGHT sends packets to the left side.

Well, when I try to establish the NAT-T VPN, I get the following messages
in /var/log/secure:

Jun 25 18:44:46 w3 pluto[2131]: packet from A.D.C.16:500: initial Main Mode message received on A.B.C.15:500 but no connection has been authorized
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: initial Main Mode message received on A.B.C.15:500 but no connection has been authorized

Here follows my ipsec.conf:

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        # Enabling NAT Traversal
        nat_traversal=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand

# NAT-T Test : w3 - liberty - ariane(NAT) - salyut
conn w3-liberty-ariane-salyut
        left=A.B.C.15
        leftsubnet=X.Y.W.Z/26
        leftrsasigkey=0sAQOM1bhgZXn6AfYpDE2fiuo6UFJm5EUzwH0ogORlxMP6ek6m2UGzjdgJOsugsIdlTpcFtTlAMrQOhDp+ya4zXmXmJ2oyadA/QY/XkAq4MENtJ9Yk/W5z2C9zfaZ882BJKMWQ37mQhwgAYA4Sa3rVb2miQ7C+g1aRZfhKjUiuZJ+UQYNVoV4HLJUPVVfwJESFXhnDPtZP4W4WM2OpIuz9CB1h0/AseJilMC71D+hgDnqAEYAPsxqdCIaPPtVr3vYJ05L1FvNNNqJIz/VxGgTmu4HAtOcotiTlXH21fqJlRksR2rUUJY/kXZ2qX619FOV7MzfUwjxm+GxcFSwqwBcdEa/3sI65+R4aESVXIXmuE9kHXwFT
        leftnexthop=A.B.C.24
        right=A.E.C.1
        rightsubnet=M.N.O.P/24
        rightrsasigkey=0sAQO+MzC+QX/cazunQ16NnO1XnAiAMzRiOie/YEJpFjjIImImkZVsxSZVKXm7jKvbj48SDts+SjU/N1kx0RJsRnd20JrcMeR4lJyEitbRRjr36+rbIPWFRqpqEFxhZYHE0suyNyKlB6KE3LjgJNxbRjHkTWXOIQbjnkE/AeZ8sWsll/Mcren/q/KbU5R1WJi1WmmX+vfa/wNBGFGgvHULEl1rV7Q6lABmerbug9aQrLAFuwy7oZ8bQRrFrjqoPLlE/Fvqd2kVBnrTycmZWZwB09TY0OB1ehddeSrn61c4RVZv/U4uQN7t08NBux4X8JqS6By59WmC2aVvcv+q+pK/UXviBWua+Q331JQUgIxiBvywwwTX
        rightnexthop=A.E.C.16
        auto=add

I would like to have any documentation/info/HOWTO/guide/tutorial about the
NAT-T patch setup.
Also, any help will be very much appreciated; thanks in advance.

Regards,

Hugo K.S.
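As an added diagnostic example (not part of the original post or of the Super-Freeswan code): a small Python script that parses the conn sections of an ipsec.conf and the pluto "packet from ... no connection has been authorized" log lines, then reports every rejected peer address that matches no conn's right=. Run against a constructed copy of the post's own config and log, it shows the mismatch pluto is complaining about: the IKE packets arrive from the SNAT address A.D.C.16, while the only conn expects right=A.E.C.1.

```python
import re

# Constructed sample input, using the placeholder addresses from the post.
IPSEC_CONF = """\
config setup
        nat_traversal=yes

conn w3-liberty-ariane-salyut
        left=A.B.C.15
        leftnexthop=A.B.C.24
        right=A.E.C.1           # the real peer, behind the SNAT router
        rightnexthop=A.E.C.16
        auto=add
"""

PLUTO_LOG = """\
Jun 25 18:44:46 w3 pluto[2131]: packet from A.D.C.16:500: initial Main Mode message received on A.B.C.15:500 but no connection has been authorized
Jun 25 18:45:26 w3 pluto[2131]: packet from A.D.C.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
"""

def parse_conns(conf):
    """Return {conn_name: {key: value}} for every 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for line in conf.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not stripped:
            continue
        m = re.match(r"conn\s+(\S+)$", stripped)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif stripped.startswith("config "):
            current = None                           # 'config setup' is not a conn
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def unauthorized_peers(conf, log):
    """Map each peer address pluto rejected to the right= values it failed to match."""
    conns = {n: c for n, c in parse_conns(conf).items() if n != "%default"}
    expected = sorted({c["right"] for c in conns.values() if "right" in c})
    result = {}
    for line in log.splitlines():
        m = re.search(r"packet from (\S+):\d+: .*no connection has been authorized", line)
        if m and m.group(1) not in expected:
            result[m.group(1)] = expected
    return result
```

For the sample above the result is {"A.D.C.16": ["A.E.C.1"]}, i.e. the address pluto sees on the wire is the post-SNAT one, not the address the conn is written for.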