Discussion:
[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)
Xiaoming Yu
2004-06-17 17:28:07 UTC
I did some searching on Google and got some idea of this error message. It
could mean I don't have a connection set up from the NAT box (it was set up
to connect to the one behind NAT). If this is true, somehow I need to put
the IP of the NAT box in the config file, which is not realistic in a real
scenario. I am wondering if I can put some type of wildcard in the
ipsec.conf file, so the connection can be used for all the connections
matching the wildcard. It seems to be a reasonable requirement. This
should be a general freeswan question, but one mostly runs into this when
NAT-T is required? Any thoughts?

Also, are my questions in the previous note about NAT-T support with Openswan
still valid? Thanks.

Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: ***@us.ibm.com

From: Xiaoming Yu/Rochester/IBM, 06/17/2004 11:26 AM
Subject: NAT Traversal support with openswan (which draft version initiator/responder?)

Has anybody here tried NAT-T with Linux as the responder? Without NAT,
everything works fine, tunnel established. Once I put a NAT box in front of
the client (an IBM iSeries server), it won't work. I got the following
message from the security log. Does anybody know if Openswan supports NAT-T as
responder? If so, which draft version does it support? What does "no
connection has been authorized" mean? How can I get more detailed messages,
such as why it doesn't like the message, etc.? Or even dig into the source
code? (Where is it?)

Really appreciate your help and expertise!

Jun 17 11:15:14 vpn pluto[9229]: | **parse ISAKMP Message:
Jun 17 11:15:14 vpn pluto[9229]: |   initiator cookie:
Jun 17 11:15:14 vpn pluto[9229]: |   6f 2a a8 c3  9b 20 c7 b9
Jun 17 11:15:14 vpn pluto[9229]: |   responder cookie:
Jun 17 11:15:14 vpn pluto[9229]: |   00 00 00 00  00 00 00 00
Jun 17 11:15:14 vpn pluto[9229]: |   next payload type: ISAKMP_NEXT_SA
Jun 17 11:15:14 vpn pluto[9229]: |   ISAKMP version: ISAKMP Version 1.0
Jun 17 11:15:14 vpn pluto[9229]: |   exchange type: ISAKMP_XCHG_IDPROT
Jun 17 11:15:14 vpn pluto[9229]: |   flags: none
Jun 17 11:15:14 vpn pluto[9229]: |   message ID:  00 00 00 00
Jun 17 11:15:14 vpn pluto[9229]: |   length: 196
Jun 17 11:15:14 vpn pluto[9229]: | ***parse ISAKMP Security Association Payload:
Jun 17 11:15:14 vpn pluto[9229]: |   next payload type: ISAKMP_NEXT_VID
Jun 17 11:15:14 vpn pluto[9229]: |   length: 148
Jun 17 11:15:14 vpn pluto[9229]: |   DOI: ISAKMP_DOI_IPSEC
Jun 17 11:15:14 vpn pluto[9229]: | ***parse ISAKMP Vendor ID Payload:
Jun 17 11:15:14 vpn pluto[9229]: |   next payload type: ISAKMP_NEXT_NONE
Jun 17 11:15:14 vpn pluto[9229]: |   length: 20
Jun 17 11:15:14 vpn pluto[9229]: packet from 9.5.56.169:6062: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 17 11:15:14 vpn pluto[9229]: packet from 9.5.56.169:6062: initial Main Mode message received on 9.10.109.122:500 but no connection has been authorized
Jun 17 11:15:14 vpn pluto[9229]: | next event EVENT_REINIT_SECRET in 2974 seconds

Thanks again.

Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: ***@us.ibm.com
Paul Wouters
2004-06-17 17:48:26 UTC
Post by Xiaoming Yu
I did some searching on Google and got some idea of this error message. It
could mean I don't have a connection set up from the NAT box (it was set up
to connect to the one behind NAT). If this is true, somehow I need to put
the IP of the NAT box in the config file, which is not realistic in a real
scenario. I am wondering if I can put some type of wildcard in the
ipsec.conf file, so the connection can be used for all the connections
matching the wildcard. It seems to be a reasonable requirement. This
should be a general freeswan question, but one mostly runs into this when
NAT-T is required? Any thoughts?
right=%any
Post by Xiaoming Yu
Has anybody here tried NAT-T with Linux as the responder?
Many people run VPN servers based on Openswan with nat-t support for roaming
ADSL/dialup/gprs machines. Mostly using X.509 certificates, but you should
be able to use the right/left ids in raw rsa key as well.
Post by Xiaoming Yu
responder? If so, which draft version does it support? What's "no
connection has been authorized" mean?
It couldn't match the src-dst request with one of its loaded conn definitions.
With nat-t this is usually a problem with people forgetting to add
nat_traversal=yes, or with missing/invalid virtual_private or subnetwithin
settings.

Paul
g***@agilemovement.it
2004-06-17 18:59:42 UTC
Post by Xiaoming Yu
I tried %any in the config file and it found a connection and went a step
further. But it failed to find the preshared key in ipsec.secrets
because I am still using the private IP there. The previous argument
applies there, since the server has no knowledge of the NAT before the
packets come in, so I also need to use a wildcard. I used %any to replace the
IP address for the remote side, but it still failed with a "no preshared key
found" error. How can I overcome this? Thanks.
Xiaoming,

I think I'm in the same configuration as you. My configuration works (but I am
using certificates rather than preshared keys). Perhaps looking at my conf
files will help?

Conf file for nat'd server:

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes

conn %default
    #keyingretries=0
    leftid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=***@cofax.it"
    left=192.168.0.1
    leftnexthop=192.168.0.254
    disablearrivalcheck=yes
    authby=rsasig
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    rekey=yes
    pfs=yes
    compress=no
    leftcert=certs/swanCert.pem
    auto=start

conn milano-roma
    right=83.x.x.x
    rightsubnet=10.10.15.0/24
    rightid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=***@cofax.it"
    authby=rsasig
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    auto=start
    pfs=yes

Conf file for non-NAT'd server:

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug="parsing control"
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:1.1.206.0/24,%v4:10.10.14.0/24,%v4:10.10.15.0/24

# Global connection defaults

conn %default
    #keyingretries=0
    disablearrivalcheck=yes
    authby=rsasig
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    rekey=yes
    pfs=yes
    compress=no
    left=83.x.x.x
    leftnexthop=83.x.x.x
    leftsubnet=10.10.15.0/24
    leftrsasigkey=%cert
    leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=***@cofax.it"
    leftcert=certs/swanCert.pem
    auto=add

conn milano-roma
    type=tunnel
    leftsubnet=10.10.15.0/24
    right=%any
    rightrsasigkey=%cert
    rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=***@cofax.it"
    auto=add
    rightsubnet=vhost:%no,%priv
Xiaoming Yu
2004-06-17 18:34:58 UTC
Paul:

I tried %any in the config file and it found a connection and went a step
further. But it failed to find the preshared key in ipsec.secrets
because I am still using the private IP there. The previous argument
applies there, since the server has no knowledge of the NAT before the
packets come in, so I also need to use a wildcard. I used %any to replace the
IP address for the remote side, but it still failed with a "no preshared key
found" error. How can I overcome this? Thanks.

Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: ***@us.ibm.com
Michael Richardson
2004-06-17 18:58:53 UTC
List-Id: Discussion list for Openswan users <users.lists.openswan.org>
Xiaoming> I tried %any in the config file and it found a connection
Xiaoming> and went a step further. But it failed to find the
Xiaoming> preshared key in the ipsec.secrets because I am still
Xiaoming> using the private IP there. Previous argument will apply

Don't use PSK with NAT-T.

Use pre-exchanged RSA-keys, or X.509 only.

--
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] ***@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
Paul Wouters
2004-06-17 20:48:22 UTC
Post by Michael Richardson
Xiaoming> I tried %any in the config file and it found a connection
Xiaoming> and went a step further. But it failed to find the
Xiaoming> preshared key in the ipsec.secrets because I am still
Xiaoming> using the private IP there. Previous argument will apply
Don't use PSK with NAT-T.
Use pre-exchanged RSA-keys, or X.509 only.
And if you use a rightid and leftid, the connections will be found
regardless of the IP and whether or not the connection is NATed.

Paul
Xiaoming Yu
2004-06-17 20:50:37 UTC
Thanks for the replies from you and Mike. You two basically point to the same
conclusion, that is, use RSA instead of a preshared key. That makes sense,
since the NAT won't alter the RSA signature, while the preshared key lookup
depends on the IP address that is modified by the NAT box.

My only problem is that a certificate is more complicated than a preshared key, and
I haven't fully understood (or read thoroughly) what I should do if the
other side is not Linux, for example, an IBM iSeries. Instead of getting a
real certificate, can I create the RSA signature on Linux for both sides
and export it to the other non-Linux platform?

Also, I do know a lot of other vendors support a wildcard preshared key
for this kind of scenario, in case the server has no prior knowledge of the
clients, like Cisco routers and IBM iSeries. Is the conclusion that Openswan
has no such capability with preshared keys?

Thank you so much.

Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: ***@us.ibm.com
Xiaoming Yu
2004-06-17 21:01:32 UTC
One more comment on this subject. Even when we decide to use certificates
with leftid and rightid, if this is still a client-server scenario and I have
multiple clients, on the server side do I have to set up multiple
connections in the config file, one for each client with a unique
certificate? Is it just easier to use one preshared key, at least for
testing? I know in real life it is probably worth it because of the security
benefit.

Thanks.

Xiaoming
Paul Wouters
2004-06-17 22:18:28 UTC
Post by Xiaoming Yu
Thanks for the replies from you and Mike. You two basically point to the same
conclusion, that is, use RSA instead of a preshared key. That makes sense,
since the NAT won't alter the RSA signature, while the preshared key lookup
depends on the IP address that is modified by the NAT box.
My only problem is that a certificate is more complicated than a preshared key, and
I haven't fully understood (or read thoroughly) what I should do if the
We did not say X.509 certificates. We said "raw RSA keys".

Just run 'ipsec showhostkey --left' (or --right) on both ends and put the output
lines in the conn, so you get something like:

conn connname
    left=193.110.157.5
    leftid=@myleftboxid
    leftrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
    right=193.110.157.1
    rightid=@myrightboxid
    rightrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
    authby=rsasig
    auto=route

Paul
--
<Reverend> IRC is just multiplayer notepad.
Paul Wouters
2004-06-17 22:20:42 UTC
Post by Xiaoming Yu
One more comment on this subject. Even when we decide to use certificates
with leftid and rightid, if this is still a client-server scenario and I have
multiple clients, on the server side do I have to set up multiple
connections in the config file, one for each client with a unique
certificate? Is it just easier to use one preshared key, at least for
testing? I know in real life it is probably worth it because of the security
benefit.
When using raw rsa keys you will need to make a conn for each client-server.
There are ways to minimize the writing/changing you need to do by including
one conn into another conn definition with the also= construct. See the
ipsec.conf man page.

With X.509 certificates, you should only need one conn accepting all
certificates signed by a certain CA.

Paul
Xiaoming Yu
2004-06-17 22:24:21 UTC
Paul: thanks for all your replies.

But what if the other system is a non-Linux platform? I am not sure this way
of generating the RSA signature is universal, is it? Say, is there a
corresponding application or command I can run to generate the key on other
platforms?

Xiaoming
Paul Wouters
2004-06-17 23:03:44 UTC
Post by Xiaoming Yu
But what if the other system is a non-Linux platform? I am not sure this way
of generating the RSA signature is universal, is it? Say, is there a
corresponding application or command I can run to generate the key on other
platforms?
Then for now you are stuck with X.509 certificates.

Perhaps IKEv2 fixes some of this. Michael?

Paul
Ken Bantoft
2004-06-18 01:13:55 UTC
Post by Paul Wouters
Post by Xiaoming Yu
I did some searching on Google and got some idea of this error message. It
could mean I don't have a connection set up from the NAT box (it was set up
to connect to the one behind NAT). If this is true, somehow I need to put
the IP of the NAT box in the config file, which is not realistic in a real
scenario. I am wondering if I can put some type of wildcard in the
ipsec.conf file, so the connection can be used for all the connections
matching the wildcard. It seems to be a reasonable requirement. This
should be a general freeswan question, but one mostly runs into this when
NAT-T is required? Any thoughts?
right=%any
Post by Xiaoming Yu
Has anybody here tried NAT-T with Linux as the responder?
Many people run VPN servers based on Openswan with nat-t support for roaming
ADSL/dialup/gprs machines. Mostly using X.509 certificates, but you should
be able to use the right/left ids in raw rsa key as well.
RSASig works perfectly - I do this daily. I have 2 X.509 and 2 RSASig
tunnels that I connect to from behind all sorts of hostile NAT boxes.
Post by Paul Wouters
Post by Xiaoming Yu
responder? If so, which draft version does it support? What's "no
connection has been authorized" mean?
It couldn't match the src-dst request with one of its loaded conn definitions.
With nat-t this is usually a problem with people forgetting to add
nat_traversal=yes, or with missing/invalid virtual_private or subnetwithin
settings.
or rightsubnet=vhost:%no,%priv missing on the responder side.

Ken
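The checklist that Paul's and Ken's replies and the posted configs amount to, written up as an added example (not code from this thread or from Openswan): a small Python linter that parses an ipsec.conf, resolves conn %default and also= inheritance, and flags the NAT-T responder mistakes named here (no nat_traversal=yes, no virtual_private, no rightsubnet=vhost:%no,%priv, no rightid, PSK with right=%any). It assumes one also= per conn and treats the rules as heuristics; the two embedded configs are constructed, one trimmed from the non-NAT'd server conf above and one PSK road-warrior variant.

```python
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]

def parse_ipsec_conf(text: str) -> Sections:
    """Minimal ipsec.conf reader: 'config setup' / 'conn NAME' headers at
    column 0, key=value lines indented (Openswan requires it), '#' comments."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header, or a key that lost its indent
            kind, _, name = line.strip().partition(" ")
            if kind not in ("config", "conn") or not name.strip():
                raise ValueError(f"unindented key or bad header: {line!r}")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key before any section: {line!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections

def effective_conn(sections: Sections, name: str) -> Dict[str, str]:
    """Resolve a conn: own keys win, then keys pulled in via also= (one
    also= per conn assumed here), then 'conn %default'."""
    merged: Dict[str, str] = {}
    node = name
    for _ in range(16):  # bounds the also= chain so a loop cannot hang us
        sect = sections[f"conn {node}"]
        for key, value in sect.items():
            if key != "also":
                merged.setdefault(key, value)
        node = sect.get("also")
        if node is None:
            break
    for key, value in sections.get("conn %default", {}).items():
        merged.setdefault(key, value)
    return merged

def lint_responder(sections: Sections) -> List[str]:
    """Findings for a responder that must accept NATed peers (right=%any)."""
    findings: List[str] = []
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is missing")
    for sect in sections:
        if not sect.startswith("conn ") or sect == "conn %default":
            continue
        name = sect[len("conn "):]
        conn = effective_conn(sections, name)
        if conn.get("right") != "%any":
            continue  # fixed-address peer: not the NAT-T road-warrior case
        rsub = conn.get("rightsubnet", "")
        if not rsub.startswith("vhost:"):
            findings.append(f"{name}: right=%any without rightsubnet=vhost:%no,%priv")
        if "%priv" in rsub and not setup.get("virtual_private"):
            findings.append(f"{name}: %priv used but no virtual_private in config setup")
        if "secret" in conn.get("authby", ""):
            findings.append(f"{name}: PSK with right=%any; NAT hides the peer IP, use rsasig")
        if not conn.get("rightid"):
            findings.append(f"{name}: no rightid, so the peer cannot be matched by ID")
    return findings

# Constructed sample 1: the thread's non-NAT'd responder, trimmed to the keys
# the checks look at, with the indentation Openswan requires restored.
GOOD_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:10.10.15.0/24
conn %default
    authby=rsasig
    left=83.x.x.x
conn milano-roma
    leftsubnet=10.10.15.0/24
    right=%any
    rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, CN=new_milano_cert"
    rightsubnet=vhost:%no,%priv
"""
# Constructed sample 2: a PSK road-warrior conn of the kind the thread warns against.
BAD_CONF = """\
config setup
    plutodebug=none
conn psk-roadwarrior
    right=%any
    authby=secret
"""
```

Calling lint_responder(parse_ipsec_conf(GOOD_CONF)) returns no findings, while the PSK variant yields four, one per pitfall the thread discusses; a key left at column 0 (as extraction did to virtual_private above) is rejected by the parser, which is also what Openswan would do.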
Xiaoming Yu
2004-06-18 15:03:55 UTC
Thank you all for all the answers provided. It looks like a preshared key is not
a good option to deal with multiple clients. I read an article saying that
%any can be used in the ipsec.secrets file too, but with no details about it. Can
I use something like x.x.x.x %any: PSK "test", where x.x.x.x is the server
IP address? So when the Linux server tries to find a matching preshared
key, it always finds a match here? I tried this but it seems not to work. Can
anybody shed some light on using %any in ipsec.secrets?

Another thing I saw confused me a lot. As I mentioned above, once I changed
one IP to %any in the secrets file, it didn't work. Then I wanted to change
back to an IP address (the IP of the NAT box), to cheat a little, assuming then
it should find the match. But I still saw in the security log "cannot
authenticate, not preshared key found for x.x.x.x and %any". Obviously it
still remembers the old %any. I tried everything I can think of
(delete/recreate a new file, reload the connection, restart openswan), but
it still does not work. I haven't done a reboot, but I hope it is not necessary? Any
suggestions here?

Thanks so much again for any feedback.

Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: ***@us.ibm.com
Nate Carlson
2004-06-18 15:26:27 UTC
Post by Xiaoming Yu
Thank you all for all the answers provided. It looks like a preshared key is
not a good option to deal with multiple clients.
Very true - I avoid PSK if at all possible, and use X.509.
Post by Xiaoming Yu
I read an article saying that %any can be used in the ipsec.secrets file
too, but with no details about it. Can I use something like x.x.x.x %any: PSK
"test", where x.x.x.x is the server IP address? So when the Linux server
tries to find a matching preshared key, it always finds a match here? I
tried this but it seems not to work. Can anybody shed some light on using %any
in ipsec.secrets?
That should work fine. What error do you get?
Post by Xiaoming Yu
Another thing I saw confused me a lot. As I mentioned above, once I
changed one IP to %any in the secrets file, it didn't work. Then I wanted to
change back to an IP address (the IP of the NAT box), to cheat a little,
assuming then it should find the match. But I still saw in the security
log "cannot authenticate, not preshared key found for x.x.x.x and %any".
Obviously it still remembers the old %any. I tried everything I can think
of (delete/recreate a new file, reload the connection, restart
openswan), but it still does not work. I haven't done a reboot, but I hope it is
not necessary? Any suggestions here?
Hmm, that's odd - are you still referencing %any in ipsec.conf, or did you
also change it to the remote IP?
Post by Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Hey, neat, a couple hours southeast of me. :)

------------------------------------------------------------------------
| nate carlson | ***@natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
Nate Carlson
2004-06-18 15:26:27 UTC
Thanks so much.

Xiaoming

Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: ***@us.ibm.com
