06-01-2010, 05:36 PM   #1
ajayan (Member, Registered: Dec 2007, Posts: 89)
NATing IPsec Server using Iptables


Hi all,
I am trying to configure an IPsec VPN (PSK) on a CentOS 5.4 machine. The IPsec server is set up behind a firewall and the ports are redirected to the internal server (192.168.2.100). The details of the gateway machine are:

eth0 --> Public IP
eth1 --> 192.168.2.81

Ipsec Configuration

version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.2.0/24
conn %default
keyingtries=3
compress=yes
disablearrivalcheck=no
authby=secret
type=tunnel
keyexchange=ike
ikelifetime=240m
keylife=60m

conn l2tp-psk
pfs=no
left=192.168.2.100
leftnexthop=192.168.2.81
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%no,%priv
auto=add

For the sake of testing I have disabled the other firewall rules and only the redirection is enabled. The firewall rules on the gateway machine are:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to 192.168.2.100
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to 192.168.2.100

When I try to connect from the client it shows this error:
104 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #20: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [Dead Peer Detection]
106 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: sent MI3, expecting MR3
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [CAN-IKEv2]
003 "L2TP-PSK-CLIENT" #20: we require peer to have ID 'Public IP XXX', but peer declares '192.168.2.100'
218 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: INVALID_ID_INFORMATION

and from the logs on the IPsec server:

"STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
next payload type of ISAKMP Hash Payload has an unknown value: 63
malformed payload in packet"

It seems the connection is established but there is a problem with POSTROUTING on the gateway machine. How can I successfully redirect and postroute to the IPsec server on the gateway machine?
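A small checker for the ID error in the client log above, added here as an example and not part of the post or of Openswan: it reads the posted conn block, works out which IKE ID pluto will send for the left side (leftid if set, otherwise the left address), and matches it against the "we require peer to have ID" line. The public address 203.0.113.10 is a constructed placeholder for the hidden "Public IP XXX".

```python
import re

# Constructed placeholder for the gateway's public address (the post hides it).
PUBLIC_IP = "203.0.113.10"

# conn section as posted (note that it has no leftid= line).
CONN_TEXT = """conn l2tp-psk
pfs=no
left=192.168.2.100
leftnexthop=192.168.2.81
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%no,%priv
auto=add
"""

# Client-side pluto line from the post, with the placeholder public address.
CLIENT_LOG = ('003 "L2TP-PSK-CLIENT" #20: we require peer to have ID '
              "'203.0.113.10', but peer declares '192.168.2.100'")
ID_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")


def parse_conn(text):
    """Parse one ipsec.conf conn block into a dict of key -> literal value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def declared_id(conf):
    """The IKE ID pluto sends for 'left': leftid if set, otherwise the left address."""
    return conf.get("leftid", conf.get("left"))


def diagnose(conf, log_line, public_ip):
    """Return (problem, conn line that fixes it), or None if the line is not an ID error."""
    match = ID_RE.search(log_line)
    if not match:
        return None
    expected, got = match.groups()
    if got == declared_id(conf) and expected == public_ip:
        return ("responder behind DNAT announces its private address as its IKE ID",
                f"leftid={public_ip}")
    return ("IKE ID mismatch between initiator and responder", f"leftid={expected}")
```

The suggested leftid line makes the responder announce the address the initiator actually connects to; the DNAT rules for UDP 500 and 4500 are unaffected by it.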
 
  

