Re: [Users] Nat-t and cannot respond to IPsec SA request

From: John A. Sullivan III (john.sullivan_at_nexusmgmt.com)
Date: Sat Sep 07 2002 - 05:50:09 CEST


I'm still learning my way around but I'll take a few guesses. I would
think that you will need to treat the gav office like a Road Warrior.
That is, you will not be able to initiate to it since you don't know
its public address. I think you're on the right track in the 10.74.220
config by specifying right=%any. I suppose you could lock it down
tighter by specifying a rightid and using the ID passed in the cert
exchange. I would think you will want to include the
rightsubnet=vnet:%4:192.168.2.0/24 (not sure of the syntax off-hand) to
allow traffic from the gav subnet. I'm not sure if you'll need a
separate connection definition for the 10.74.204.220 interface.
I'm not sure if you have a problem in the gav config. I've never used
FreeS/WAN as a NAT-T client so I'm not sure what right should be. Sorry
I can't be of more help but I haven't tried what you are doing - John

HORACIO DIAZ REQUEJO wrote:

>Hi all:
>
> I'm trying to connect two FreeS/WAN boxes across a NATed connection. I applied the bugfix patch (thanks to Mathieu Lafon for the hint) + nat-02 + x509 to FreeS/WAN 1.97 and kernel 2.4.18, but I get an error in the syslog file on the office box when I'm trying to connect from the remote site. The error is:
>
>Sep 6 18:57:57 firewall Pluto[6602]: packet from 200.34.192.21:61000: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>Sep 6 18:57:57 firewall Pluto[6602]: "gav" 200.34.192.21 #1: responding to Main Mode from unknown peer 200.34.192.21:61000
>Sep 6 18:57:59 firewall Pluto[6602]: "gav" 10.74.204.250 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: peer is NATed
>Sep 6 18:58:01 firewall Pluto[6602]: "gav" 10.74.204.250 #1: Peer ID is ID_IPV4_ADDR: '10.74.204.222'
>Sep 6 18:58:01 firewall Pluto[6602]: "gav" 10.74.204.250 #1: deleting connection "gav" instance with peer 200.34.192.21
>Sep 6 18:58:01 firewall Pluto[6602]: "gav" 10.74.204.250 #1: sent MR3, ISAKMP SA established
>Sep 6 18:58:04 firewall Pluto[6602]: "gav" 10.74.204.250 #1: cannot respond to IPsec SA request because no connection is known for 200.36.139.135...200.34.192.21:61000[10.74.204.222]===192.168.2.0/24
>
> My scenario is the following:
>
>
>10.74.220.0/24 Office LAN
> |
>10.74.220.254 - Internal IP
> |
>200.xx.xx.135 - external IP
> |
>200.xx.xx.133 - Router
> |
> | Internet
> |
>???.???.???.??? - NAT from cable company (it changes from time to time)
> |
>10.74.204.220 - External IP
> |
>192.168.2.254 - Internal IP
> |
>192.168.2.0/24 Remote Office LAN
>
>--------------- MY CONFIG FILE FOR 10.74.220 BOX IS
>
>config setup
> interfaces="ipsec0=eth2"
> klipsdebug=all
> # klipsdebug=none
> plutodebug=all
> #plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
> nat_traversal=yes
>
># defaults for subsequent connection descriptions
>conn %default
> keyingtries=1
> authby=secret
>
>conn gav
> left=200.36.139.135
> leftsubnet=10.74.220.0/0
> leftnexthop=200.36.139.133
> right=%any
> keyexchange=ike
> keylife=8h
> pfs=no
> type=tunnel
> auto=add
>
>------------------ MY CONFIG FILE FOR 10.74.204 BOX IS
>
># Basic Configuration
>config setup
> interfaces="ipsec0=eth0"
> klipsdebug=all
> # klipsdebug=none
> plutodebug=all
> #plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
> nat_traversal=yes
>
># defaults for subsequent connection descriptions
>conn %default
> keyingtries=1
> authby=secret
>
>conn gav
> right=10.74.204.222
> rightsubnet=192.168.2.0/24
> left=200.36.139.135
> keyexchange=ike
> keylife=8h
> pfs=yes
> type=tunnel
> auto=add
>
>
>----------
>
>
>Any ideas ??
>
>Thanks for your help !!!!
>
>Regards,
>
>Horacio Diaz
>
>_______________________________________________
>Users mailing list
>Users_at_lists.freeswan.org
>http://lists.freeswan.org/mailman/listinfo/users
>
>

-- 
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
john.sullivan_at_nexusmgmt.com




This archive was generated by hypermail 2.1.4 : Sun Sep 08 2002 - 05:19:58 CEST
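The "no connection is known for ..." line in the quoted log names exactly the SA the remote box proposed, so it can be checked mechanically against the office box's conn to see which keywords fail to match. The following is an added example, not code from this thread or from FreeS/WAN; it assumes Pluto formats that message as `[leftsubnet===]left...right[:port][id][===rightsubnet]`, leaving out a subnet that is just the host itself, and it treats a conn with no leftsubnet/rightsubnet keyword as covering only the host.

```python
import ipaddress
import re

# Constructed input taken from the thread: the office box's conn and the
# Pluto line logged when the remote box proposed the IPsec SA.
OFFICE_CONF = "conn gav\n left=200.36.139.135\n leftsubnet=10.74.220.0/0\n right=%any\n"
PLUTO_LINE = ('"gav" 10.74.204.250 #1: cannot respond to IPsec SA request because '
              'no connection is known for 200.36.139.135...200.34.192.21:61000'
              '[10.74.204.222]===192.168.2.0/24')
REQ_RE = re.compile(r'no connection is known for (?:(?P<lsub>\S+?)===)?'
                    r'(?P<left>[\d.]+)\.\.\.(?P<right>[\d.]+)(?::\d+)?'
                    r'(?:\[(?P<rid>[^\]]*)\])?(?:===(?P<rsub>\S+))?')

def parse_conns(text):
    """Minimal ipsec.conf reader: {conn name: {key: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('conn '):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and '=' in line:
            key, val = line.split('=', 1)
            cur[key.strip()] = val.strip()
    return conns

def parse_request(line):
    """Endpoints and subnets of the SA Pluto could not match (host-only = /32)."""
    req = REQ_RE.search(line).groupdict()
    req['lsub'] = req['lsub'] or req['left'] + '/32'
    req['rsub'] = req['rsub'] or req['right'] + '/32'
    return req

def conn_mismatches(conn, req):
    """Why this conn cannot serve the request; an empty list means it can."""
    reasons = []
    if conn.get('left') != req['left']:
        reasons.append('left %s != %s' % (conn.get('left'), req['left']))
    if conn.get('right') not in ('%any', req['right']):
        reasons.append('right %s != %s' % (conn.get('right'), req['right']))
    for side, sub in (('left', 'lsub'), ('right', 'rsub')):
        # No Xsubnet keyword means "just the host"; strict=False masks off host
        # bits, so the thread's leftsubnet=10.74.220.0/0 is read as 0.0.0.0/0.
        have = ipaddress.ip_network(conn.get(side + 'subnet', req[side] + '/32'), strict=False)
        want = ipaddress.ip_network(req[sub])
        if have != want:
            reasons.append('%ssubnet %s != requested %s' % (side, have, want))
    return reasons

def diagnose(conf_text, pluto_line):
    req = parse_request(pluto_line)
    return {n: conn_mismatches(c, req) for n, c in parse_conns(conf_text).items()}
```

Run against the thread's config it reports two mismatches for conn gav: the left side was proposed as the bare host 200.36.139.135 while the conn claims 0.0.0.0/0, and the remote LAN 192.168.2.0/24 is not declared as a rightsubnet at all.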