From: Mick <mic...@gm...> - 2012-01-17 23:50:23
On Tuesday 17 Jan 2012 21:11:44 Athanasios Douitsis wrote:
> Yes, I was referring to the anonymous remote section. This is a road
> warrior VPN setup, so adding a specific IP address won't make much sense.

Oh! I'm sorry, I seem to have misunderstood your setup. You are right, if we're talking about a roadwarrior then the gateway should have:

remote anonymous {.....

since the roadwarrior's IP will change regularly.

> Unless you mean that I should try it as a test.

This will do no harm if you know the roadwarrior IP address and can access the gateway to configure it at that time.

> As for your previous email:
>
> -Since the VPN client devices will be initiating connections, passive makes
> sense on the server, no?

Yes. Also you'll need to set exchange_mode aggressive; on the gateway.

> -I think it does complete phase 1 and phase 2. I always get the login
> dialog on the device, successfully login (using radius on the server side,
> I can see the access accept process) and then get the MOTD message as well.
> I think that IKE works ok.

I didn't know that you got that far! However, is the radius server only accessible via the LAN, or is it also Internet facing? If it is only accessible via the LAN then yes, Phase 1 is completed (or hybrid authentication wouldn't kick in). If you reach IKE Phase 2 you should see a message about Quick Mode in the racoon logs.

> Besides, like I said, when the client is behind
> a NAT *everything runs fine (!!!)* and I see connectivity from inside the
> VPN connection.

Is this the same client machine with exactly the same configuration?

> One more thought that I had today is that I'm using nat-t force after all,
> so the mac/iOS client shouldn't really be sending ESP packets towards the
> server, am I correct? I mean, since NAT-T is forced, it should always
> tunnel traffic through UDP port 4500, right? So I am a little puzzled as to
> why the client devices choose to send ESP packets instead of UDP packets.
The transaction starts on UDP port 500, then NAT-T is negotiated and packets start being transmitted through UDP port 4500. The ESP packet is encapsulated in UDP - the two work together by having a UDP header to allow the packet to go through UDP port 4500. It's not instead of, but rather it is within UDP. Any firewalls on the gateway should allow UDP packets in through ports 500 and 4500. Also make sure that at your gateway you have allowed packet forwarding from the pool of LAN addresses that the VPN clients are using (e.g. 172.16.1.0/24) to the pool of addresses of your LAN behind the gateway (e.g. 192.168.0.0/24).

Sorry we've gone around in circles, I did not understand (and perhaps still don't fully) your complete setup.

--
Regards,
Mick
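As an added illustration of the "ESP within UDP" point above (not part of the original thread or of racoon), a small Python classifier for UDP datagrams sent to the two IKE ports, following the RFC 3948 framing: IKE on port 500, and on port 4500 either IKE behind a 4-byte zero non-ESP marker, a one-byte 0xFF keepalive, or an ESP packet whose first four bytes are a non-zero SPI. The datagrams, SPI and sequence number are constructed samples, not captured traffic.

```python
import struct

# Constructed sample IKEv1 header (28 bytes): initiator cookie, responder cookie,
# next payload, version 1.0, exchange type 4 (Aggressive), flags, message id, length.
IKE_HDR = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0, 28)

# Constructed (dst_port, payload) datagrams as a gateway would see them arrive.
SAMPLES = [
    (500, IKE_HDR),                                            # initial IKE exchange
    (4500, b"\x00\x00\x00\x00" + IKE_HDR),                     # IKE after NAT-T: non-ESP marker
    (4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 24),  # ESP-in-UDP: SPI, seq, ciphertext
    (4500, b"\xff"),                                           # NAT-T keepalive
    (4500, b"\x00\x00"),                                       # malformed / too short
]


def classify(dst_port, payload):
    """Label what a UDP datagram to an IKE/NAT-T port carries.

    Port 500 carries IKE only. Port 4500 (RFC 3948) carries either IKE prefixed
    by a 4-byte zero non-ESP marker, a one-byte 0xFF keepalive, or an ESP packet
    whose first 4 bytes are a non-zero SPI followed by a 4-byte sequence number.
    """
    if dst_port == 500:
        return "IKE" if len(payload) >= 28 else "short"
    if dst_port != 4500:
        return "not-ipsec"
    if payload == b"\xff":
        return "NAT-T keepalive"
    if len(payload) < 8:
        return "short"
    (spi,) = struct.unpack("!I", payload[:4])
    if spi == 0:
        # Zero "SPI" is the non-ESP marker: an IKE message rides behind it.
        return "IKE (non-ESP marker)" if len(payload) >= 32 else "short"
    (seq,) = struct.unpack("!I", payload[4:8])
    return f"ESP-in-UDP spi=0x{spi:08x} seq={seq}"


def classify_all(samples=SAMPLES):
    """Classify every sample datagram; useful for checking a capture by hand."""
    return [classify(port, data) for port, data in samples]


if __name__ == "__main__":
    for (port, _), label in zip(SAMPLES, classify_all()):
        print(port, label)
```

Running it against a real capture from the gateway would show whether the roadwarrior's traffic after Phase 2 is arriving as ESP-in-UDP on 4500 or as raw ESP (IP protocol 50), which a firewall that only opens UDP 500/4500 would drop.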