From: Matthew G. <mg...@sh...> - 2006-09-12 09:30:33

Shahim wrote:
> Hi,
>
> I have been struggling trying to get IPSec working. I am trying to get a
> plain IPSec connection to a server described below. This is the first
> time I do this and I think that I included most of the relevant information.
>
> It appears that I am having a problem with NAT. If I am understanding
> the logs correctly, it appears that the client is not using NAT-T. I
> think I set up IPSec transport mode on the Windows client (I didn't
> choose the tunnel option). I am not trying to use a VPN connection, I just
> want to protect traffic from the client to the server. I am trying this
> at home but I want to later be able to use the same setup on the road.
>

You will probably have better luck with tunnel mode. Racoon doesn't
handle the NAT original address payloads that I believe would be
required to get transport mode working over a NAT. I took a quick
glance and this was the only reference I could find in isakmp_quick.c

#ifdef ENABLE_NATT
	case ISAKMP_NPTYPE_NATOA_DRAFT:
	case ISAKMP_NPTYPE_NATOA_RFC:
		/* Ignore original source/destination messages*/
		break;
#endif

> Sep 11 13:42:17 lt1 racoon: DEBUG: begin.
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=8(hash)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=1(sa)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=10(nonce)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=5(id)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=5(id)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=131(nat-oa)
> Sep 11 13:42:17 lt1 racoon: DEBUG: succeed.
>
> Sep 11 13:42:17 lt1 racoon: ERROR: ignore the packet, received unexpecting payload type 131.
> Sep 11 13:42:17 lt1 racoon: ERROR: failed to pre-process packet.
>

Type 131 is the NAT original address payload I mentioned. Tunnel mode
should work fine. I'm not sure when natt support was introduced so you
may need a newer version of ipsec-tools as Brian suggested.

Hope this helps,
-Matthew
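The "seen nptype=" chain in the quoted log and the type-131 check, as an added example that is not code from this thread or from racoon: a small Python parser that walks ISAKMP generic payload headers over a constructed, unencrypted quick-mode message and flags a NAT-OA payload under both the draft numbering (131) and the RFC 3947 numbering (21). The cookies, payload bodies and the NAT-OA address are made-up values.

```python
import struct
# ISAKMP next-payload numbers (RFC 2408) plus the NAT-T numbers from
# draft-ietf-ipsec-nat-t-ike (130/131) and RFC 3947 (20/21).
NPTYPE_NAMES = {0: "none", 1: "sa", 5: "id", 8: "hash", 10: "nonce",
                20: "nat-d", 21: "nat-oa", 130: "nat-d(draft)", 131: "nat-oa(draft)"}
NAT_OA_TYPES = {21, 131}
HDR_FMT = "!8s8sBBBBII"  # cookies, next payload, version, exchange, flags, msgid, length
HDR_LEN = struct.calcsize(HDR_FMT)  # 28 bytes
GEN_FMT, GEN_LEN = "!BBH", 4  # generic payload header: next payload, reserved, length

def build_message(payloads):
    """Assemble a constructed (unencrypted) ISAKMP message from (nptype, body) pairs."""
    types = [t for t, _ in payloads] + [0]  # each header names the payload after it
    body = b"".join(struct.pack(GEN_FMT, types[i + 1], 0, GEN_LEN + len(d)) + d
                    for i, (_, d) in enumerate(payloads))
    hdr = struct.pack(HDR_FMT, b"\x11" * 8, b"\x22" * 8, types[0], 0x10, 32, 0, 1,
                      HDR_LEN + len(body))  # exchange type 32 = quick mode
    return hdr + body

def walk_payloads(msg):
    """Follow the payload chain as racoon's 'seen nptype=' lines do; raise if malformed."""
    if len(msg) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    fields = struct.unpack(HDR_FMT, msg[:HDR_LEN])
    nptype, total = fields[2], fields[7]
    if total != len(msg):
        raise ValueError("header length %d != message length %d" % (total, len(msg)))
    seen, off = [], HDR_LEN
    while nptype != 0:
        if off + GEN_LEN > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        next_np, _, plen = struct.unpack(GEN_FMT, msg[off:off + GEN_LEN])
        if plen < GEN_LEN or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        seen.append(nptype)
        nptype, off = next_np, off + plen
    return seen

def describe(msg):
    """Render the chain as 'nptype=N(name)' tokens for comparison with a racoon log."""
    return ["nptype=%d(%s)" % (t, NPTYPE_NAMES.get(t, "unknown")) for t in walk_payloads(msg)]

def nat_oa_present(msg):
    """True when the peer included a NAT-OA payload (draft or RFC numbering)."""
    return any(t in NAT_OA_TYPES for t in walk_payloads(msg))

# Constructed quick-mode message with the chain from the quoted log:
# hash, sa, nonce, id, id, nat-oa(131); the NAT-OA body is a dummy address.
SAMPLE = build_message([(8, b"h" * 16), (1, b"s" * 8), (10, b"n" * 16),
                        (5, b"i" * 8), (5, b"j" * 8), (131, b"\x01\x00\x00\x00")])
```

Running `describe(SAMPLE)` yields the same six nptype tokens as the DEBUG lines above, and `nat_oa_present` is the check a peer that cannot handle NAT-OA would need before rejecting the message outright.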