Re: [Users] Help me please

From: John A. Sullivan III (John.Sullivan_at_nexusmgmt.com)
Date: Tue Jul 30 2002 - 17:03:33 CEST


I would imagine the NAT is at fault. I assume it is Network Address
Port Translation as opposed to a strict one-to-one NAT. The packet that
arrives will not have the internal address but the public address of the
NAT device. Even if you did manage an IKE exchange, the IPSec packets
would have no way of being mapped back to the originating address (there
are no ports to map).
I would suggest looking at the NAT Traversal packages and
DHCP-over-IPSec. I think you can find various versions at
www.strongsec.com and open-source.arkoon.com. I haven't played with
them yet (that's this week's project :-) ). Hope this helps - John

On Tue, 2002-07-30 at 09:20, Rohit Peyyeti wrote:
> Hello:
>
> I need to set up freeswan 1.98b on one of my RedHat Linux boxes. Everything
> seems to run fine. Here is what my ipsec.conf looks like:
>
> conn %default
>         keyingtries=1
>         authby=secret
>         left=<Private gateway IP address>
>         auto=add
>
> conn my-roadwarrior-connection
>         type=tunnel
>         leftnexthop=<Next hop from the gateway to my ISP>
>         leftsubnet=0.0.0.0/0
>         # accept an IKE peer from any address (roadwarrior)
>         right=%any
>         keyexchange=ike
>         keylife=60m
>         pfs=yes
>         compress=no
>         authby=secret
>
> This connection works perfectly fine. I'm able to get connected to the VPN
> server and also browse some locally hosted websites when connected using
> a dialup.
>
> But for my next requirement, my client wants to get connected to this VPN
> server. But he is on cable internet and is connected to a router which
> actually proxies his requests to the internet (NAT). Here is what his
> connection looks like:
>
> conn client-from-home
>         type=tunnel
>         leftnexthop=<Next hop from the gateway to my ISP>
>         leftsubnet=0.0.0.0/0
>         # the client's own (private) address and the subnet behind it
>         right=<My client's private IP address>
>         rightsubnet=<My client's local subnet>
>         rightnexthop=<Next hop from my client's gateway>
>         keyexchange=ike
>         keylife=60m
>         pfs=yes
>         compress=no
>         authby=secret
>
> I use pre-shared keys. When my client tries to connect, this is what gets
> printed in /var/log/secure:
>
> Jul 29 13:09:34 plasma pluto[12524]: "my-roadwarrior-connection"[5] XXX.XXX.XXX.XX #22: Peer ID is ID_IPV4_ADDR: '192.168.246.7'
> Jul 29 13:09:34 plasma pluto[12524]: "my-roadwarrior-connection"[5] XXX.XXX.XXX.XX #22: no suitable connection for peer '192.168.246.7'
>
> My client uses SSH Sentinel to connect to the FreeS/WAN VPN server. But it looks
> like it is taking 'my-roadwarrior-connection' from ipsec.conf instead of
> 'client-from-home'. Is there anything I'm missing? Please let me know even
> if I made a stupid mistake somewhere ;-)
>
> Regards,
> Rohit Peyyeti
>

-- 
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com
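The reply above makes three claims about a port-translating NAT: IKE over UDP/500 can get through, raw ESP cannot be mapped back because it has no ports, and the gateway sees the NAT's public address while the peer asserts its private address as its ID (the '192.168.246.7' in the pluto log). The following is an added example, not code from this thread or from FreeS/WAN: a small Python model of a NAPT table that shows each of those cases, plus the NAT-T case where ESP is wrapped in UDP/4500 so the NAT has a port to translate. The public address 203.0.113.10 of the client's router and the gateway address 198.51.100.5 are constructed for the example; 192.168.246.7 is the private address from the log.

```python
# Added example (not from the thread or FreeS/WAN): toy port-translating NAT
# showing why IKE (UDP/500) maps but raw ESP (protocol 50) does not, and how
# UDP-encapsulated ESP (NAT-T, RFC 3948, UDP/4500) gives the NAT a port again.
from dataclasses import dataclass
from typing import Optional, Dict, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500

CLIENT = "192.168.246.7"     # private address seen in the pluto log
NAT_PUBLIC = "203.0.113.10"  # constructed: public side of the client's router
GATEWAY = "198.51.100.5"     # constructed: the FreeS/WAN gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for port-less protocols such as ESP
    dport: Optional[int] = None
    payload: bytes = b""


class Napt:
    """Rewrites (src, sport) to (public_ip, mapped port) and records the
    mapping so a reply can be sent back. Its table is keyed on ports, so a
    protocol with no ports has nothing to be keyed on."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int, int], int] = {}
        self.in_map: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:          # raw ESP: no port, no table entry
            return None
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, pkt.proto)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst, pkt.proto,
                      self.out_map[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:          # inbound raw ESP: nothing to look up
            return None
        entry = self.in_map.get((pkt.dport, pkt.proto))
        if entry is None:
            return None
        inner_src, inner_port = entry
        return Packet(pkt.src, inner_src, pkt.proto, pkt.sport, inner_port, pkt.payload)


def ike_roundtrip(nat: Napt) -> Optional[Packet]:
    """IKE runs over UDP/500, so the NAT maps it out and the reply back in."""
    out = nat.outbound(Packet(CLIENT, GATEWAY, IPPROTO_UDP, IKE_PORT, IKE_PORT, b"IKE"))
    if out is None:
        return None
    return nat.inbound(Packet(GATEWAY, out.src, IPPROTO_UDP, IKE_PORT, out.sport, b"IKE"))


def plain_esp_roundtrip(nat: Napt) -> Optional[Packet]:
    """Raw ESP carries only an SPI (first 4 bytes of the constructed payload);
    with no ports the NAT cannot map it in either direction."""
    out = nat.outbound(Packet(CLIENT, GATEWAY, IPPROTO_ESP, payload=b"\x00\x00\x12\x34"))
    if out is None:
        return None
    return nat.inbound(Packet(GATEWAY, out.src, IPPROTO_ESP, payload=b"\x00\x00\x56\x78"))


def nat_t_roundtrip(nat: Napt) -> Optional[Packet]:
    """NAT-T puts the same ESP inside UDP/4500, so the NAT has a port to map."""
    esp = b"\x00\x00\x12\x34" + b"ciphertext"
    out = nat.outbound(Packet(CLIENT, GATEWAY, IPPROTO_UDP, NAT_T_PORT, NAT_T_PORT, esp))
    if out is None:
        return None
    return nat.inbound(Packet(GATEWAY, out.src, IPPROTO_UDP, NAT_T_PORT, out.sport, esp))


def gateway_view(nat: Napt, asserted_id: str) -> Tuple[str, str]:
    """Source address the gateway sees on the IKE packet versus the
    ID_IPV4_ADDR the peer asserts: behind NAPT they differ."""
    out = nat.outbound(Packet(CLIENT, GATEWAY, IPPROTO_UDP, IKE_PORT, IKE_PORT, b"IKE"))
    return (out.src, asserted_id)


if __name__ == "__main__":
    nat = Napt(NAT_PUBLIC)
    print("IKE reply delivered to:", ike_roundtrip(nat))
    print("raw ESP reply delivered to:", plain_esp_roundtrip(nat))
    print("NAT-T ESP reply delivered to:", nat_t_roundtrip(nat))
    print("gateway sees src / peer asserts ID:", gateway_view(nat, CLIENT))
```

Running it shows the IKE and NAT-T replies arriving back at 192.168.246.7, the raw ESP reply being dropped, and the gateway seeing 203.0.113.10 as the source while the peer identifies itself as 192.168.246.7, which is the shape of the mismatch in the quoted log.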

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST