List:       strongswan-users
Subject:    [strongSwan] Problem with Windows 2000 client behind NAT
From:       andreas.steffen () strongsec ! net (Andreas Steffen)
Date:       2004-10-09 15:46:25
Message-ID: 4167EBA9.30004 () strongsec ! net

Windows 2000 has a problem with your subnet definitions. Please
check the oakley.log for errors. The fact that strongswan can initiate
a connection in the presence of NAT to Windows 2000 at all indicates
that you have in fact IPsec passthrough in place. Could you try to
initiate the connection from the Win 2000 side? You could then find
out what subnet definition W2k wants.

Andreas

José Antonio Becerra Permuy wrote:
> Hi everybody!
> I have set up StrongSwan 2.2.1 (2.2.2 starting today) to make a VPN between a 
> LAN with a Linux (Mandrake) firewall, and several Windows machines in the 
> Internet. The VPN is working right if the Windows machine is directly 
> connected to the Internet, but I have problems if there is an ADSL router doing 
> NAT between the Internet and the Windows machine.
> 
> This is the relevant part of /etc/ipsec.conf:
> 
> version 2.0
> config setup
>         nat_traversal=yes
> conn %default
>         left=%defaultroute
>         leftcert=allplasCert.pem
>         rightrsasigkey=%cert
> conn allplasnet-luvenfor
>         leftsubnet=10.0.0.0/8
>         also=allplas-luvenfor
> conn allplas-luvenfor
>         right=xx.xx.xxx.xx
>         rightsubnet=192.168.0.0/24
>         rightid="C=ES, ST=Lugo, O=Allplas, CN=luvenfor.allplas.com, E=root@luvenfor.allplas.com"
>         auto=start
> 
> And this is the error (from ipsec barf):
> 
> Oct  7 18:13:13 firewall pluto[9127]: "allplas-luvenfor" #1: initiating Main Mode
> Oct  7 18:16:23 firewall pluto[9127]: "allplas-luvenfor" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
> Oct  7 18:16:23 firewall pluto[9127]: "allplas-luvenfor" #1: ignoring Vendor ID payload [FRAGMENTATION]
> Oct  7 18:16:23 firewall pluto[9127]: "allplas-luvenfor" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Oct  7 18:16:23 firewall pluto[9127]: "allplas-luvenfor" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
> Oct  7 18:16:23 firewall pluto[9127]: "allplas-luvenfor" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
> Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #1: Peer ID is ID_DER_ASN1_DN: 'C=ES, ST=Lugo, O=Allplas, CN=luvenfor.allplas.com, E=root@luvenfor.allplas.com'
> Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #1: issuer crl not found
> Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #1: ISAKMP SA established
> Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #8: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Oct  7 18:17:34 firewall pluto[9127]: "allplas-luvenfor" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 
> In this case, the Windows Machine is a 2000 Server with SP3 and the NAT-T 
> patch. The ADSL router forwards UDP 500 and 4500 to this machine.
> Does anybody know why "NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal 
> negociation"?
> The ADSL router supports IPsec pass through, maybe this is a problem?
> Regards and thank you very much!
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> http://lists.strongswan.org/mailman/listinfo/users


-- 
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
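A small triage script, added here as an illustration and not part of the thread or of strongSwan itself, that parses the pluto lines quoted above (re-joined where the mail client wrapped them) and separates the Phase 1 symptom (NAT-T offered by the peer, but zero NAT-D payloads, so NAT detection was skipped) from the Phase 2 symptom (NO_PROPOSAL_CHOSEN and the Quick Mode timeout, which is what points at the subnet definitions). The log sample is constructed from the post; field names and findings text are my own.

```python
import re

# Constructed sample: the pluto lines from the post above, re-joined where
# the mail client wrapped them.
SAMPLE_LOG = """\
Oct  7 18:16:23 firewall pluto[9127]: "allplas-luvenfor" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct  7 18:16:23 firewall pluto[9127]: "allplas-luvenfor" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #1: ISAKMP SA established
Oct  7 18:16:24 firewall pluto[9127]: "allplas-luvenfor" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Oct  7 18:17:34 firewall pluto[9127]: "allplas-luvenfor" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# syslog prefix, then pluto's '"conn" #state: message' layout
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

def parse_line(line):
    """Return the fields of one pluto log line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Separate Phase 1 (NAT-T, ISAKMP SA) symptoms from Phase 2 (Quick Mode) ones."""
    r = {"conn": None, "peer_offers_nat_t": False, "nat_d_count": None,
         "isakmp_sa": False, "quick_mode_rejected": False,
         "quick_mode_timed_out": False, "findings": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        r["conn"], msg = rec["conn"], rec["msg"]
        if "received Vendor ID payload [draft-ietf-ipsec-nat-t" in msg:
            r["peer_offers_nat_t"] = True          # peer speaks NAT-T
        m = re.search(r"Only (\d+) NAT-D", msg)
        if m:
            r["nat_d_count"] = int(m.group(1))     # NAT-D payloads seen
        if msg == "ISAKMP SA established":
            r["isakmp_sa"] = True                  # Phase 1 completed
        if "NO_PROPOSAL_CHOSEN" in msg:
            r["quick_mode_rejected"] = True        # peer refused Phase 2
        if "STATE_QUICK_I1" in msg and "retransmissions" in msg:
            r["quick_mode_timed_out"] = True
    if r["peer_offers_nat_t"] and r["nat_d_count"] == 0:
        r["findings"].append("NAT-T offered but no NAT-D payloads: NAT detection skipped, "
                             "so ESP is not UDP-encapsulated and relies on IPsec passthrough")
    if r["isakmp_sa"] and (r["quick_mode_rejected"] or r["quick_mode_timed_out"]):
        r["findings"].append("Phase 1 up but Quick Mode refused: check leftsubnet/rightsubnet "
                             "against the peer's policy (oakley.log on Windows 2000)")
    return r
```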