[Users] Thanks Andreas + NAT problem

From: Mark van Proctor (mark_at_metech.com.au)
Date: Tue Nov 26 2002 - 10:13:08 CET


Thanks again Andreas!
You really are a great help!

Another problem that has just arisen is how to implement a VPN client
behind a NAT.
I've tried looking through the documentation for this because I'm sure it's a
common issue, but can't seem to find an actual explanation of how to set it
up.
My server is currently also behind NAT but that was easy, on the client side
you simply use the public IP as the address and the private subnet as the
subnet.
I would like to know, however, how to allow a client behind NAT. Because
these clients are road warriors and because they are accessing the internet
through DSL-type connections that have dynamic IPs and NAT / port forwarding
built into the router I am getting totally stuck. This means very little
configurability - can forward ports, but not much else.
Does this mean I need to use the "tunnel through UDP" or whatever it was,
patch?
Does this affect EVERY connection? What if I want other connections to be
done normally, and only maybe 1 to be done tunnelled through UDP?
Any ideas would be greatly appreciated thanks!!
Mark

----- Original Message -----
From: "Andreas Steffen" <andreas.steffen_at_strongsec.net>
To: "Mark van Proctor" <mark_at_metech.com.au>
Cc: <users_at_lists.freeswan.org>
Sent: Tuesday, November 26, 2002 4:56 PM
Subject: Re: [Users] Win2K <-> FreSWAN repeating problem (ISAKMP SA not
established)

> Mark van Proctor wrote:
> > Thanks Andreas,
> > I actually found the problem in the end - After upgrading the server I had
> > remade its Authentication certificate differently and the "subject" was
> > different for my windows ipsec.conf.
> > This upgrade to redhat 8 and freeswan 1.99 also rectified my winXP problems.
> >
> > I do, however, have a quick openSSL query which I understand if you can't (or
> > don't have time to) answer but thought I would ask anyway while I am emailing
> > you - how do you revoke a certificate and add it to the CRL?
> >
>
> Revocation: openssl ca -revoke badCert.pem
>
> Update CRL: openssl ca -gencrl -out crl.pem
>
> PEM to binary: openssl crl -in crl.pem -outform der -out cert.crl
>
>
> Regards
>
> Andreas
>
> > Thanks!!
> >
> > Mark
> >
> > ----- Original Message -----
> > From: "Andreas Steffen" <andreas.steffen_at_strongsec.net>
> > To: "Mark van Proctor" <mark_at_metech.com.au>
> > Cc: <users_at_lists.freeswan.org>
> > Sent: Monday, November 25, 2002 11:25 PM
> > Subject: Re: [Users] Win2K <-> FreSWAN repeating problem (ISAKMP SA not
> > established)
> >
> >
> >
> >>Mark van Proctor wrote:
> >>
> >>>Hi people.
> >>>I have seen a number of people emailing requests for help with ISAKMP SA not
> >>>establishing correctly
> >>>The actual error being: "encrypted Informational Exchange message is invalid
> >>>because it is for incomplete ISAKMP SA"
> >>>I have, however, seen absolutely no responses or instructions on how to
> >>>resolve this.
> >>
> >>This notification message is always a sure sign that a problem occurred on
> >>the peer side (in your case Wk2). Usually this is a certificate or private key
> >>problem. Please activate the oakley.log via the Windows registry and look
> >>for errors.
> >>
> >>
> >>>Please could someone help?
> >>>I am using Win2K with the ipsec tool created by Marcus. I am using RedHat
> >>>8.0 with FreeSWAN 1.99 installed via pre-patched RPM from www.freeswan.ca
> >>>I used to use 1.97 on RedHat 7.3 and the connection worked. After upgrading,
> >>>I had to create new x509 certificates and now nothing works. I don't know if
> >>>it is the x509 certificates or what, because nothing has changed on the
> >>>Win2k side (it used to work...).
> >>>Please help,
> >>>thanks.
> >>>
> >>>Mark
> >>>
> >>>Mark van Proctor
> >>>Systems Administrator
> >>>Metech Pty Ltd
> >>>24 Moreau Mews
> >>>Applecross WA 6153
> >>>Ph: 9316 6600
> >>>Fax: 9316 6699
> >>>Mobile: 0411 749 282
> >>>mark_at_metech.com.au
>
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==
>
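
The revoke / gencrl / DER-conversion sequence from the quoted reply, run end to end against a throwaway CA and then checked by reading the revoked serial back out of the binary CRL. This is an added example, not part of the original messages: the temp-dir CA, ca.cnf, the function name revoke_demo and the subject names are constructed, and it assumes the openssl command-line tool is installed (the reply's commands rely on the default openssl.cnf, here -config is passed explicitly).

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory. All names are constructed.
revoke_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" && mkdir newcerts && : > index.txt &&
    echo 01 > serial && echo 01 > crlnumber &&
    cat > ca.cnf <<'EOF' &&
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    {
      # Demo CA, then one client certificate (serial 01) that will be revoked
      openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.pem &&
      openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=roadwarrior" -keyout bad.key -out bad.csr &&
      openssl ca -config ca.cnf -batch -in bad.csr -out badCert.pem &&
      # The three steps from the reply, run against the demo CA
      openssl ca -config ca.cnf -revoke badCert.pem &&
      openssl ca -config ca.cnf -gencrl -out crl.pem &&
      openssl crl -in crl.pem -outform der -out cert.crl
    } >/dev/null 2>&1 &&
    # Check: the revoked certificate's serial must be listed in the DER CRL
    sn=$(openssl x509 -in badCert.pem -noout -serial | cut -d= -f2) &&
    openssl crl -inform der -in cert.crl -noout -text |
      grep -q "Serial Number: $sn" && echo "$sn"
  )
  rc=$?; rm -rf "$d"; return $rc
}
```

The revocation only takes effect on a peer once the regenerated CRL has been distributed to it; revoking in the CA database alone changes nothing for gateways still holding the old CRL.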


This archive was generated by hypermail 2.1.5 : Wed Nov 27 2002 - 05:20:51 CET