Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

Re: [Users] IKE source port aother than 500

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Thu Mar 14 2002 - 17:23:14 CET

Next message: Joe Patterson: "RE: [Users] where does crypto.o come from?"
Previous message: Bo Byrd: "[Users] IKE/pluto not present?"
In reply to: Roland Gafner: "RE: [Users] IKE source port aother than 500"
Next in thread: Roland Gafner: "RE: [Users] IKE source port aother than 500"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Roland Gafner wrote:
>
> Grüezi Andreas,
>
> thanks for replying.
>
> >In the case of NAT you must declare the inner IP address
> >explicitely
> >
> > left=%any
> > leftsubnet=<inner IP address>/32
>
> I just added "leftsubnet=my.int.ip.addr/32" to my gateways ipsec.conf, so it looks like this:
>
> conn %default
> keyingtries=1
> #disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> right=217.162.69.72
> rightsubnet=192.168.0.0/24
> rightid="C=CH,ST=Zurich,O=Roland Gafner,OU=fw02,CN=Roland Gafner,Email=roland.gafner_at_gmx.net"
>
> conn notebook_client_behind_masq_firewall
> left=%any
> leftsubnet=my.int.ip.addr/32
> auto=add
>
> With my.int.ip.addr being the internal ip of the client.
> Maybe I still got something wrong , because I still get this log entry :
>
> ignoring Vendor ID payload
> initial Main Mode message received on 217.162.69.72:500 but no connection has been authorized
> ignoring Delete SA payload
>
> And when sniffing on the freeSwan gateways external address I see the IKE requests coming from :
>
> masq.firewall.ip.address:any_port======>217.162.69.72:500
>
FreeS/WAN requires the source IKE port to be UDP 500, too:

masq.firewall.ip.address:500======>217.162.69.72:500

Therefore you must map port 500 of your NAT device transparently to port 500
to the host you want to start the IPsec tunnel from.

> Wth masq.firewall.ip.address being the external ip of our masquerading firewall.
> But I don't see any replys back from the gateway to the masq_firewall, just the log entries.
>
> Any Ideas would be very much appreciated.
>
> brgds
> Roland

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Joe Patterson: "RE: [Users] where does crypto.o come from?"
Previous message: Bo Byrd: "[Users] IKE/pluto not present?"
In reply to: Roland Gafner: "RE: [Users] IKE source port aother than 500"
Next in thread: Roland Gafner: "RE: [Users] IKE source port aother than 500"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST