It seems as if your WinClient is proposing a tunnel connection during
quick mode since according to
>cannot respond to IPsec SA request because no connection is known
for 64.1.1.2...64.1.1.1[C=CA, ST=Some-State, O=BEDARRA, CN=WinClient]
===192.168.1.3/32
it wants a subnet 192.168.1.3/32 behind 64.1.1.1, so there must
be both an inner and outer IP header.
Why not define instead:
conn trans_cert
right=%any
rightid="@C=CA, ST=Some-State, O=BEDARRA, CN=WinClient"
rightsubnet=192.168.1.3/32
authby=rsasig
pfs=yes
type=tunnel
auto=add
With this the outer IP source address can be arbitrary and different
from the inner IP source address (which is actually the IP of the
host before the NAT box doing the IPsec passthrough)
Regards
Andreas
Mike Thomas wrote:
>
> Didn't receive so much as a flame on my first post so I will try again.
> If I am just being a moron attempting this feel free to point that out<g>.
>
> TIA,
>
> Mike.
>
> -------- Original Message --------
> Subject: ESP + transport mode + x509 + NAT
> Date: Tue, 16 Apr 2002 10:36:23 -0400
> From: "Mike Thomas" <mike_at_bedarra.com>
> To: <users_at_lists.freeswan.org>
>
> Hi all,
>
> I have been using Freeswan via tunnel mode for some time with much success.
> Thanks for great software as well as all the help provided along the way.
> Presently I am trying to remove the rightsubnet statements I need in a
> tunnel connection description in order for users behind a NAT box to
> connect.
>
> In reading some IPSec info I was under the impression that an ESP transport
> mode connection would be able to do this, but in tests this does not appear
> to be the case. Below is the connection description I am using and the
> snippet from the barf. The connection below works when the server and client
> are on the same subnet.
>
> TIA for any help/criticism/pointers,
>
> Mike.
>
> conn %default
> # How persistent to be in (re)keying negotiations (0 means very).
> keyingtries=0
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> left=64.1.1.2
>
> conn trans_cert
> right=%any
> rightid="@C=CA, ST=Some-State, O=BEDARRA, CN=WinClient"
> authby=rsasig
> pfs=yes
> type=transport
> auto=add
>
> Apr 15 22:54:14 linux Pluto[1640]: "trans_cert" #1: responding to Main Mode from unknown peer 64.1.1.1
> Apr 15 22:54:14 linux Pluto[1640]: "trans_cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Some-State, O=BEDARRA, CN=WinClient'
> Apr 15 22:54:14 linux Pluto[1640]: "trans_cert" #1: Next CRL update expected
> Apr 15 22:54:14 linux Pluto[1640]: "trans_cert" #1: Next CRL update expected
> Apr 15 22:54:14 linux Pluto[1640]: "trans_cert" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Apr 15 22:54:15 linux Pluto[1640]: "trans_cert" #2: cannot respond to IPsec SA request because no connection is known for 64.1.1.2...64.1.1.1[C=CA, ST=Some-State, O=BEDARRA, CN=WinClient]===192.168.1.3/32
> Apr 15 22:54:16 linux Pluto[1640]: "trans_cert" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x227e935c (perhaps this is a duplicated packet)
> Apr 15 22:55:52 linux Pluto[1640]: shutting down
> Apr 15 22:55:52 linux Pluto[1640]: forgetting secrets
> Apr 15 22:55:52 linux Pluto[1640]: "trans_cert": deleting connection "trans_cert" instance with peer 64.1.1.1
> Apr 15 22:55:52 linux Pluto[1640]: "trans_cert" #1: deleting state (STATE_MAIN_R3)
> Apr 15 22:55:52 linux Pluto[1640]: "trans_cert": deleting connection
> Apr 15 22:55:52 linux Pluto[1640]: shutting down interface ipsec0/eth0 64.1.1.2
> + _________________________
> + date
> Tue Apr 16 10:01:59 EDT 2002
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                  e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                   phone:  +41 76 340 25 56
Alter Zürichweg 20               home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
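As an added illustration of the diagnosis in the reply above (not code from the thread or from FreeS/WAN), the Python below parses Pluto's "no connection is known for" line into its selectors, reads the conn from the quoted ipsec.conf, and reports why a type=transport conn cannot match a peer that proposes a subnet behind its outer address; PLUTO_LINE and MIKE_CONN are constructed copies of the quoted barf and conn, and the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed copies of the barf line and the conn from the thread (line rejoined).
PLUTO_LINE = ('Apr 15 22:54:15 linux Pluto[1640]: "trans_cert" #2: cannot respond to IPsec SA '
              'request because no connection is known for 64.1.1.2...64.1.1.1'
              '[C=CA, ST=Some-State, O=BEDARRA, CN=WinClient]===192.168.1.3/32')
MIKE_CONN = """conn trans_cert
    right=%any
    rightid="@C=CA, ST=Some-State, O=BEDARRA, CN=WinClient"
    authby=rsasig
    pfs=yes
    type=transport
    auto=add
"""
# Pluto prints the unmatched proposal as left[===leftsubnet]...right[id][===rightsubnet].
IP = r'\d+(?:\.\d+){3}'
PROPOSAL_RE = re.compile(
    rf'no connection is known for (?P<left>{IP})(?:===(?P<leftsub>{IP}/\d+))?'
    rf'\.\.\.(?P<right>{IP})(?:\[(?P<rightid>[^\]]*)\])?(?:===(?P<rightsub>{IP}/\d+))?')

def parse_proposal(line):
    """Return the selectors Pluto could not match, or None if the line is another message."""
    m = PROPOSAL_RE.search(line)
    return m.groupdict() if m else None

def parse_conn(text):
    """Minimal ipsec.conf conn parser: key=value lines into a dict, quotes and comments stripped."""
    conn = {}
    for raw in text.splitlines():
        s = raw.split('#', 1)[0].strip()
        if '=' in s:
            k, v = s.split('=', 1)
            conn[k.strip()] = v.strip().strip('"')
    return conn

def diagnose(proposal, conn):
    """List the reasons the conn cannot match the peer's Quick Mode proposal."""
    problems = []
    want = proposal.get('rightsub')
    if want:  # a subnet behind the peer's outer address means inner + outer IP header: tunnel mode
        if conn.get('type', 'tunnel') == 'transport':
            problems.append(f'peer proposes {want} behind {proposal["right"]}, conn needs type=tunnel')
        have = conn.get('rightsubnet')
        if have is None or ip_network(have) != ip_network(want):
            problems.append(f'conn needs rightsubnet={want}, has {have}')
    return problems

def suggest_fix(proposal, conn):
    """Rewrite the conn the way the reply above does: tunnel mode plus the proposed rightsubnet."""
    fixed = dict(conn, type='tunnel')
    if proposal.get('rightsub'):
        fixed['rightsubnet'] = proposal['rightsub']
    return fixed
```

Running diagnose() on the quoted conn yields the two mismatches (transport instead of tunnel, no rightsubnet), and the conn returned by suggest_fix() yields none.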
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:52 CEST