Menu
▾
▴
Re: [Ipsec-tools-devel] Problem with WinXP client, racoon or NAT?
|
From: Matthew G. <mg...@sh...> - 2006-09-12 09:30:33
|
Shahim wrote:
> Hi,
>
> I have been struggling trying to get IPSec working. I am trying to get a
> plain IPSec connection to a server described below. This is the first
> time I do this and I think that I included most of the relevant information.
>
> It appears that I am having a problem with NAT. If I am understanding
> the logs correctly, it appears that the client is not using NAT-T. I
> think I setup IPSec transport mode on the Windows client (I didn't
> choose tunnel option). I am not trying to use a VPN connection, I just
> want to protect traffic from the client to the server. I am trying this
> at home but I want to later be able to use the same setup on the road.
>
You will probably have better luck with tunnel mode. Racoon doesn't
handle the NAT original address payloads that I believe would be
required to get transport mode working over a NAT. I took a quick glance
and this was the only reference I could find in isakmp_quick.c
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATOA_DRAFT:
case ISAKMP_NPTYPE_NATOA_RFC:
/* Ignore original source/destination messages*/
break;
#endif
>
> Sep 11 13:42:17 lt1 racoon: DEBUG: begin.
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=8(hash)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=1(sa)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=10(nonce)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=5(id)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=5(id)
> Sep 11 13:42:17 lt1 racoon: DEBUG: seen nptype=131(nat-oa)
> Sep 11 13:42:17 lt1 racoon: DEBUG: succeed.
>
> Sep 11 13:42:17 lt1 racoon: ERROR: ignore the packet, received unexpecting payload type 131.
> Sep 11 13:42:17 lt1 racoon: ERROR: failed to pre-process packet.
>
Type 131 is the NAT original address payload I mentioned. Tunnel mode
should work fine. I'm not sure when natt support was introduced so you
may need a newer version of ipsec-tools as Brian suggested.
Hope this helps,
-Matthew
|