
List:       strongswan-users
Subject:    [strongSwan] Internet satellite link.
From:       andreas.steffen () strongsec ! net (Andreas Steffen)
Date:       2004-05-06 18:41:07
Message-ID: 409A6A9E.20600 () strongsec ! net

It seems that FW1 never receives IKE message MI3. What does
the log on the other gateway say? Is MI3 sent? It might be that
the MTU over the satellite link is smaller than over the DSL link.
If you are using large X.509 certificates then this might lead
to IP fragments which get discarded so that the complete IKE
message never reaches its destination.

Regards

Andreas

Carles Xavier Munyoz Bald? wrote:

> Hi,
> I have two Linux boxes with FreeS/WAN and NAT-Traversal compiled in.
> One of them is behind a NAT router that connects to the Internet using a
> satellite link, and the other has its own public IP behind a DSL router.
> 
> I have tried the connection of the NATed linux box using a DSL router and all
> goes fine, but when I use the satellite link router, I get the errors:
> [...]
> May  4 13:54:21 FW1 pluto[16116]: packet from 81.47.250.201:1623: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> 
> May  4 13:54:21 FW1 pluto[16116]: packet from 81.47.250.201:1623: ignoring
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> 
> May  4 13:54:21 FW1 pluto[16116]: packet from 81.47.250.201:1623: ignoring
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> 
> May  4 13:54:21 FW1 [16116]: "vpn1"[9] 81.47.250.201:1623 #40: responding to
> Main Mode from unknown peer 81.47.250.201:1623
> 
> May  4 13:54:22 FW1 pluto[16116]: "vpn1"[9] 81.47.250.201:1623 #40:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> 
> May  4 13:55:32 FW1 pluto[16116]: "vpn1"[9] 81.47.250.201:1623 #40: max number
> of retransmissions (2) reached STATE_MAIN_R2
> 
> May  4 13:55:32 FW1 pluto[16116]: "vpn1"[9] 81.47.250.201:1623: deleting
> connection "vpn1" instance with peer 81.47.250.201 {isakmp=#0/ipsec=#0}
> [...]
> 
> I believe that there is no difference between the DSL NAT router and the
> satellite link NAT router, is there?
> What may be the problem?
> 
> Greetings.
> ---
> Carles Xavier Munyoz Bald?
> carles@unlimitedmail.org
> http://www.unlimitedmail.net/

======================================================================
Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]==
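
A log check for the failure pattern discussed in this thread, as an added example that is not part of the original messages: it flags Main Mode handshakes that time out in a state whose awaited message carries the certificate, which is the case where IP fragment loss on a low-MTU path is worth checking first. The function name, the state-to-message table and the sample log (the quoted pluto lines with mail line wraps rejoined) are assumptions of this example.

```python
import re

# Constructed sample: pluto lines quoted in the post, mail line wraps rejoined.
SAMPLE_LOG = """\
May  4 13:54:21 FW1 pluto[16116]: packet from 81.47.250.201:1623: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
May  4 13:54:21 FW1 [16116]: "vpn1"[9] 81.47.250.201:1623 #40: responding to Main Mode from unknown peer 81.47.250.201:1623
May  4 13:54:22 FW1 pluto[16116]: "vpn1"[9] 81.47.250.201:1623 #40: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May  4 13:55:32 FW1 pluto[16116]: "vpn1"[9] 81.47.250.201:1623 #40: max number of retransmissions (2) reached STATE_MAIN_R2
May  4 13:55:32 FW1 pluto[16116]: "vpn1"[9] 81.47.250.201:1623: deleting connection "vpn1" instance with peer 81.47.250.201 {isakmp=#0/ipsec=#0}
"""

# Assumed mapping: Main Mode states in which the awaited message carries the
# ID, CERT and SIG payloads, so it is the message most likely to be fragmented.
AWAITED_CERT_MSG = {"STATE_MAIN_R2": "MI3", "STATE_MAIN_I3": "MR3"}

# Per-SA lines look like: "conn"[instance] peer:port #serial: message
LINE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+):\d+ #(?P<sa>\d+): (?P<msg>.*)$')
STALL = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")

def find_stalled_handshakes(log_text):
    """Return one finding per IKE SA that gave up waiting for a peer message."""
    natted = set()      # SAs for which pluto reported the peer as NATed
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue    # lines without an SA serial (#NN) carry no state info
        key = (m["conn"], m["peer"], m["sa"])
        if "peer is NATed" in m["msg"]:
            natted.add(key)
        stall = STALL.search(m["msg"])
        if stall:
            state = stall.group(2)
            findings.append({
                "conn": m["conn"], "peer": m["peer"], "sa": int(m["sa"]),
                "state": state,
                "retransmissions": int(stall.group(1)),
                "peer_natted": key in natted,
                "missing_msg": AWAITED_CERT_MSG.get(state),
                "suspect_fragment_loss": state in AWAITED_CERT_MSG,
            })
    return findings

if __name__ == "__main__":
    for finding in find_stalled_handshakes(SAMPLE_LOG):
        print(finding)
```

A finding with `suspect_fragment_loss` set is a prompt to compare the sender's log (was the message sent?) and the path MTU, as the reply suggests, not proof of fragment loss.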

