Re: [Users] Sample config for NAT-T + DHCP-over-IPSec - anyone?

From: Jussi Torhonen (jt_at_ssh.com)
Date: Fri Nov 29 2002 - 14:57:07 CET


mlafon_at_arkoon.net wrote:
>
> I have not NAT-T+DHCPoIPSEC sample config but i have made it
> working once.
>
> Try to add rightsubnetwithin=0.0.0.0/0 in your 'conn dhcp'.
>
> If this doesn't work, send me the error message (surely a
> 'no connection found for...')

Added that one but it did not help:

Nov 29 15:24:18 joutsen pluto[8058]: packet from 172.16.13.254:500:
ignoring Vendor ID payload [SSH Sentinel 1.4]
Nov 29 15:24:18 joutsen pluto[8058]: packet from 172.16.13.254:500:
ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Nov 29 15:24:18 joutsen pluto[8058]: packet from 172.16.13.254:500:
ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Nov 29 15:24:18 joutsen pluto[8058]: packet from 172.16.13.254:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 29 15:24:18 joutsen pluto[8058]: "dhcp"[1] 172.16.13.254 #1:
responding to Main Mode from unknown peer 172.16.13.254
Nov 29 15:24:18 joutsen pluto[8058]: "dhcp"[1] 172.16.13.254 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: peer is NATed
Nov 29 15:24:18 joutsen pluto[8058]: "dhcp"[1] 172.16.13.254 #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 29 15:24:18 joutsen pluto[8058]: "dhcp"[1] 172.16.13.254 #1: Peer ID
is ID_IPV4_ADDR: '172.16.2.27'
Nov 29 15:24:18 joutsen pluto[8058]: "rw-psk-3des-doi"[1] 172.16.13.254
#1: deleting connection "dhcp" instance with peer 172.16.13.254
Nov 29 15:24:18 joutsen pluto[8058]: "rw-psk-3des-doi"[1] 172.16.13.254
#1: sent MR3, ISAKMP SA established
Nov 29 15:24:18 joutsen pluto[8058]: "rw-psk-3des-doi"[1] 172.16.13.254
#1: cannot respond to IPsec SA request because no connection is known
for
0.0.0.0/0===172.16.13.9:17/67...172.16.13.254[172.16.2.27]:17/68==={172.16.2.27/32}
Nov 29 15:24:18 joutsen pluto[8058]: "rw-psk-3des-doi"[1] 172.16.13.254
#1: sending encrypted notification INVALID_ID_INFORMATION to
172.16.13.254:500

So I have the SSH Sentinel client at 172.16.2.27/24, a NAT'ing default
gateway at 172.16.2.254 whose public (router) IP is 172.16.13.254/24, and
FreeS/WAN on eth0 at 172.16.13.9. Right now I'm using:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

config setup
          # global FreeS/WAN settings (this is the DHCP-over-IPsec + NAT-T variant)
          # run IPsec on the interface that carries the default route
          interfaces=%defaultroute
          # kernel (KLIPS) debugging off; 'all' is very verbose and logs packet detail
          klipsdebug=none
          # klipsdebug=all
          # IKE daemon (pluto) debugging off; 'all' logs every negotiation step
          plutodebug=none
          # plutodebug=all
          # load every conn that carries an auto= setting (all of them inherit
          # auto=add from conn %default below)
          plutoload=%search
          # a new ISAKMP SA from a peer presenting an already-known ID replaces
          # the old one instead of coexisting with it
          uniqueids=yes
          # enable nat-t: accept the NAT-T IKE extension the SSH Sentinel client
          # offers (the pluto log above shows draft-ietf-ipsec-nat-t-ike-00 used)
          nat_traversal=yes

conn %default
          # settings inherited by every conn below unless the conn overrides them
          # one negotiation attempt, no retries
          keyingtries=1
          # keep KLIPS's tunnel-exit check enabled: packets emerging from a tunnel
          # must carry addresses plausible for that tunnel (anti-spoofing)
          disablearrivalcheck=no
          # pre-shared-key authentication (key taken from ipsec.secrets).
          # NOTE(review): with right=%any peers every roadwarrior must use the
          # same %any secret, so one compromised client exposes the key for all;
          # RSA/certificate auth would avoid that. Not related to the failure above.
          authby=secret
          keyexchange=ike
          # ISAKMP (phase 1) SA lifetime
          ikelifetime=240m
          # IPsec (phase 2) SA lifetime
          keylife=60m
          # fresh Diffie-Hellman exchange for every phase 2 rekey (forward secrecy)
          pfs=yes
          # no IPComp
          compress=no
          # this gateway's address is the one on the default-route interface
          left=%defaultroute
          # load the conn at startup but let the peer initiate
          auto=add

conn dhcp
          # DHCP-over-IPsec: a narrow, short-lived tunnel that carries only the
          # client's DHCP exchange so it can obtain a virtual address.
          # authby, left and auto are inherited from conn %default.
          type=tunnel
          # let the SA expire instead of rekeying - it is only needed while the
          # DHCP exchange runs
          rekey=no
          # very short lifetimes for the same reason (override the 240m/60m defaults)
          ikelifetime=60s
          keylife=20s
          rekeymargin=10s
          # roadwarrior: peer may come from any address
          right=%any
          # gateway-side selector (0.0.0.0/0===172.16.13.9:17/67 in the pluto log);
          # the protoport line below limits it to the DHCP server port
          leftsubnet=0.0.0.0/0
          # restrict the SA to DHCP only: UDP 67 on the gateway side, UDP 68 on
          # the client side (the 17/67...17/68 selectors in the log above)
          leftprotoport=udp/bootps
          rightprotoport=udp/bootpc
          auth=esp
          # AES-128 with MD5-based integrity; MD5 is deprecated for this purpose -
          # prefer a SHA-based integrity option if the client supports it
          esp=aes128-md5
          ike=aes128-md5
          # enable nat-t: added on mlafon's suggestion above. Accepts whatever
          # client subnet the NATed peer proposes (172.16.2.27/32 in the log).
          # NOTE(review): this lets an authenticated client claim any address;
          # only DHCP packets can use it because of the protoport restriction,
          # but narrow the range once the exchange works.
          rightsubnetwithin=0.0.0.0/0

conn rw-psk-3des-doi
          # roadwarriors using a virtual IP from 10.2.67.0/24
          # (the name says 3des, but the esp/ike lines below select AES-128)
          type=tunnel
          # already the value from conn %default; repeated here explicitly
          authby=secret
          right=%any
          auth=esp
          # AES-128 with MD5-based integrity; MD5 is deprecated for this purpose -
          # prefer a SHA-based integrity option if the client supports it
          esp=aes128-md5
          ike=aes128-md5
          # remote network for sentinel vpn rule: 0.0.0.0/0 means all of the
          # client's traffic is sent through this gateway
          leftsubnet=0.0.0.0/0
          # virtual ip address scope for sentinel remote clients: the address the
          # client proposes must fall inside this range. In the pluto log above the
          # DHCP request (client 172.16.2.27/32) is evaluated under this conn,
          # where it lies outside the range.
          rightsubnetwithin=10.2.67.0/24

# end of /etc/ipsec.conf

Note that if I disable those 'enable nat-t' add-ons, DHCP-over-IPSec
works nicely. And if I drop DHCP-over-IPSec and use manual virtual IP
addressing instead, NAT-T works well with this configuration:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

config setup
         # global FreeS/WAN settings (manual virtual IP + NAT-T variant)
         # run IPsec on the interface that carries the default route
         interfaces=%defaultroute
         # kernel (KLIPS) and IKE daemon (pluto) debugging off
         klipsdebug=none
         plutodebug=none
         # load every conn that carries an auto= setting (inherited auto=add)
         plutoload=%search
         # a new ISAKMP SA from an already-known peer ID replaces the old one
         uniqueids=yes
         # accept the NAT-T IKE extension from NATed clients
         nat_traversal=yes

conn %default
         # settings inherited by every conn below unless the conn overrides them
         # one negotiation attempt, no retries
         keyingtries=1
         # keep KLIPS's tunnel-exit address check enabled (anti-spoofing)
         disablearrivalcheck=no
         # pre-shared-key authentication (key taken from ipsec.secrets).
         # NOTE(review): with right=%any peers all roadwarriors share the one
         # %any secret; RSA/certificate auth would avoid that.
         authby=secret
         keyexchange=ike
         # ISAKMP (phase 1) SA lifetime
         ikelifetime=240m
         # IPsec (phase 2) SA lifetime
         keylife=60m
         # fresh Diffie-Hellman exchange for every phase 2 rekey (forward secrecy)
         pfs=yes
         # no IPComp
         compress=no
         # this gateway's address is the one on the default-route interface
         left=%defaultroute
         # load the conn at startup but let the peer initiate
         auto=add

conn rw-psk-aes-manual
         # roadwarriors with a manually configured virtual IP from 10.2.67.0/24;
         # authby, left and auto are inherited from conn %default
         type=tunnel
         # peer may come from any address
         right=%any
         auth=esp
         # AES-128 with MD5-based integrity; MD5 is deprecated for this purpose -
         # prefer a SHA-based integrity option if the client supports it
         esp=aes128-md5
         ike=aes128-md5
         # remote network for sentinel vpn rule: 0.0.0.0/0 means all of the
         # client's traffic is sent through this gateway
         leftsubnet=0.0.0.0/0
         # virtual ip address scope for sentinel remote clients: the address the
         # client proposes must fall inside this range
         rightsubnetwithin=10.2.67.0/24

# end of /etc/ipsec.conf

Regards,
Jussi

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users


