RE: [Users] Sample config for NAT-T + DHCP-over-IPSec - anyone?

From: Mark Weaver (mark_at_npsl.co.uk)
Date: Sat Nov 30 2002 - 15:43:10 CET


I've tried this and I can get through the diagnostics, get a tunnel up, and
then all the packets seem to get dropped on the floor.

This is made more difficult by the fact that some percentage of the time I
get a blue screen in sshipsec.sys. I posted a bug report about this around
a week ago to SSH but haven't had any feedback. Without NAT-T, no
explosion, so my suspicion is that Sentinel does not support this properly.

Mark

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Jussi Torhonen
> Sent: 29 November 2002 08:46
> To: Users_at_lists.freeswan.org
> Cc: Andreas Steffen; mlafon_at_arkoon.net
> Subject: [Users] Sample config for NAT-T + DHCP-over-IPSec - anyone?
>
>
> I'm using FreeS/WAN 1.99, x509patch 0.9.15, algo patch 0.8.0, delete SA
> notification patch, dhcprelay 0.3.1 and finally NAT-T patch v0.4. I've
> succeeded in getting NAT-T to work with our SSH Sentinel VPN client, when
> no virtual IP is used or when Manual virtual IP addressing is used. I just
> added 'nat_traversal=yes' under 'config setup'.
>
> But I cannot get it working with DHCP-over-IPSec. I guess someone has
> made it work here, so would you please quote your ipsec.conf for such a
> Roadwarrior gateway supporting AES, DHCP-over-IPSec and NAT-T. I've
> tried the following configuration. Note that an internal DHCP server
> gives virtual IP addresses from the 10.2.67.0/24 subnet. It's an RW gateway and
> the remote private network is 'leftsubnet=0.0.0.0/0' so we may have routed
> subnets there as well (I mean not only a single 192.168.1.0/24 subnet).
>
> Without NAT-T my DHCP-over-IPSec works beautifully, so this is not a
> dhcprelay nor dhcpd issue.
>
>
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> config setup
>     interfaces=%defaultroute
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     uniqueids=yes
>     # enable nat-t support:
>     nat_traversal=yes
>
> conn %default
>     keyingtries=1
>     disablearrivalcheck=no
>     authby=secret
>     keyexchange=ike
>     ikelifetime=240m
>     keylife=60m
>     pfs=yes
>     compress=no
>     left=%defaultroute
>     auto=add
>
> conn dhcp
>     type=tunnel
>     rekey=no
>     ikelifetime=60s
>     keylife=20s
>     rekeymargin=10s
>     right=%any
>     leftsubnet=0.0.0.0/0
>     leftprotoport=udp/bootps
>     rightprotoport=udp/bootpc
>     auth=esp
>     esp=aes128-md5
>     ike=aes128-md5
>
> conn rw-psk-3des-doi
>     type=tunnel
>     authby=secret
>     right=%any
>     auth=esp
>     esp=aes128-md5
>     ike=aes128-md5
>     # remote network for sentinel vpn rule:
>     leftsubnet=0.0.0.0/0
>     # virtual ip address scope for sentinel remote clients:
>     rightsubnetwithin=10.2.67.0/24
>
> # end of /etc/ipsec.conf
>
>
> Regards,
> Jussi
>
> --
> SSH Communications Security Corp, http://www.ssh.com
> SSH Sentinel VPN Client, http://www.ipsec.com
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
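The gateway configuration quoted in this thread lends itself to a quick lint. The following Python is an added example, not code from the thread, from FreeS/WAN or from SSH: it parses a FreeS/WAN-style ipsec.conf (section headers in column 0, indented key=value parameters, 'conn %default' inheritance) and reports the points a reviewer would raise about a roadwarrior gateway of this shape: the single PSK that 'authby=secret' with 'right=%any' implies, MD5 in the esp/ike proposals, a missing 'nat_traversal=yes', and the bootps/bootpc conn that DHCP-over-IPsec via dhcprelay depends on. SAMPLE_CONF is a constructed, re-indented subset of Jussi's configuration; the finding texts and function names are this example's own.

```python
"""Lint a FreeS/WAN-style ipsec.conf for a NAT-T / DHCP-over-IPsec roadwarrior gateway.

Added example, not FreeS/WAN code. Section headers ("config setup", "conn NAME")
start in column 0, parameters are indented, "conn %default" supplies defaults.
"""
from typing import Dict, List

# Constructed sample: a re-indented subset of the gateway config quoted in the thread.
SAMPLE_CONF = """\
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn %default
    authby=secret
    pfs=yes
    left=%defaultroute
    auto=add

conn dhcp
    type=tunnel
    rekey=no
    right=%any
    leftsubnet=0.0.0.0/0
    leftprotoport=udp/bootps
    rightprotoport=udp/bootpc
    esp=aes128-md5
    ike=aes128-md5

conn rw-psk-3des-doi
    type=tunnel
    authby=secret
    right=%any
    esp=aes128-md5
    ike=aes128-md5
    leftsubnet=0.0.0.0/0
    rightsubnetwithin=10.2.67.0/24
"""

Section = Dict[str, str]


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {"config setup": {...}, "conn dhcp": {...}, ...}; '#' comments dropped."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # column 0: a new section header
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line.strip()!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {line.strip()!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections: Dict[str, Section]) -> Dict[str, Section]:
    """Merge 'conn %default' into every other conn; explicit settings win."""
    defaults = sections.get("conn %default", {})
    conns: Dict[str, Section] = {}
    for header, params in sections.items():
        if header.startswith("conn ") and header != "conn %default":
            merged = dict(defaults)
            merged.update(params)
            conns[header[len("conn "):]] = merged
    return conns


def lint(text: str) -> List[str]:
    """Return human-readable findings about the roadwarrior gateway configuration."""
    sections = parse_ipsec_conf(text)
    setup = sections.get("config setup", {})
    conns = effective_conns(sections)
    findings: List[str] = []

    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is missing; clients behind NAT cannot connect")

    for name, c in conns.items():
        # FreeS/WAN defaults authby to 'secret'. A PSK conn accepting right=%any can only
        # use the one secret ipsec.secrets maps to %any, so every roadwarrior shares it
        # and any client holding it can impersonate the gateway to the others.
        if c.get("right") == "%any" and c.get("authby", "secret") == "secret":
            findings.append(f"conn {name}: authby=secret with right=%any means one PSK shared by every roadwarrior")
        for key in ("esp", "ike"):
            if "md5" in c.get(key, "").lower():
                findings.append(f"conn {name}: {key}={c[key]} uses MD5 as its hash algorithm; prefer SHA-1 or stronger")

    # DHCP-over-IPsec (dhcprelay) needs a conn carrying bootps/bootpc inside the tunnel.
    has_dhcp_conn = any(
        c.get("leftprotoport") == "udp/bootps" and c.get("rightprotoport") == "udp/bootpc"
        for c in conns.values()
    )
    if not has_dhcp_conn:
        findings.append("no conn with leftprotoport=udp/bootps and rightprotoport=udp/bootpc: "
                        "DHCP-over-IPsec cannot hand out virtual IPs")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the linter is silent on NAT-T and on the DHCP conn (both are present, as in the quoted config) and reports the shared PSK and MD5 choices for each of the two conns; deleting the 'conn dhcp' section makes the DHCP-over-IPsec finding appear.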



This archive was generated by hypermail 2.1.5 : Tue Dec 03 2002 - 05:21:02 CET