NATing IPsec Server using iptables
Hi all,
I am trying to configure an IPsec VPN (PSK) on a CentOS 5.4 machine. The IPsec server is set up behind a firewall and the ports are redirected to the internal server (192.168.2.100). The details of the gateway machine are:
eth0 --> Public IP
eth1 --> 192.168.2.81
IPsec configuration:
version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.2.0/24
conn %default
keyingtries=3
compress=yes
disablearrivalcheck=no
authby=secret
type=tunnel
keyexchange=ike
ikelifetime=240m
keylife=60m
conn l2tp-psk
pfs=no
left=192.168.2.100
leftnexthop=192.168.2.81
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%no,%priv
auto=add
For the sake of testing I have disabled the other firewall rules and only the redirection is enabled. The firewall rules on the gateway machine are:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to 192.168.2.100
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to 192.168.2.100
When I try to connect from the client it shows this error:
104 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #20: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [Dead Peer Detection]
106 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: sent MI3, expecting MR3
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [CAN-IKEv2]
003 "L2TP-PSK-CLIENT" #20: we require peer to have ID 'Public IP XXX', but peer declares '192.168.2.100'
218 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: INVALID_ID_INFORMATION
and from the logs on the IPsec server:
"STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
next payload type of ISAKMP Hash Payload has an unknown value: 63
malformed payload in packet"
It seems the connection is established but there is a problem with POSTROUTING on the gateway machine. How can I successfully redirect and postroute the IPsec server on the gateway machine?
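As an added example (not part of the original post or of Openswan), here is a small Python script that parses pluto/whack output like the client trace above and isolates the line that actually ends the negotiation: the responder, configured with left=192.168.2.100 and no leftid=, announces its RFC 1918 address as its IKE identity, while the initiator expects the gateway's public address, and Main Mode aborts with INVALID_ID_INFORMATION. The script reports the mismatch and prints the two configuration knobs that normally resolve it (leftid= on the server, or rightid= on the client). The address 203.0.113.10 stands in for the poster's 'Public IP XXX' and is a constructed placeholder, as is the sample log.

```python
import ipaddress
import re

# Constructed sample: the client-side pluto output quoted in the post, with
# 'Public IP XXX' replaced by the documentation address 203.0.113.10.
SAMPLE_CLIENT_LOG = """\
104 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #20: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [Dead Peer Detection]
106 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: sent MI3, expecting MR3
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [CAN-IKEv2]
003 "L2TP-PSK-CLIENT" #20: we require peer to have ID '203.0.113.10', but peer declares '192.168.2.100'
218 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

# One whack/pluto status line: <3-digit code> "<conn name>" #<state number>: <message>
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
# The identity-check failure emitted by the initiator during Main Mode.
MISMATCH_RE = re.compile(
    r"we require peer to have ID '(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'"
)
# RFC 1918 ranges; ipaddress.is_private is deliberately not used because it also
# covers documentation ranges such as 203.0.113.0/24, which we use as a stand-in.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pluto_lines(text):
    """Split pluto/whack output into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"code": int(m["code"]), "conn": m["conn"],
                            "num": int(m["num"]), "msg": m["msg"]})
    return records


def _kind(identity):
    """Classify an IKE ID: an RFC 1918 address, some other IP, or a non-IP ID (FQDN, @name, ...)."""
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        return "non-ip"
    return "rfc1918" if any(ip in net for net in RFC1918) else "other-ip"


def diagnose_id_mismatch(text):
    """Return None if the trace holds no ID mismatch, else a dict describing it and the fix."""
    records = parse_pluto_lines(text)
    for rec in records:
        m = MISMATCH_RE.search(rec["msg"])
        if not m:
            continue
        expected, declared = m["expected"], m["declared"]
        # Did the same connection go on to fail its Main Mode exchange?
        failed = any("INVALID_ID_INFORMATION" in r["msg"]
                     for r in records if r["conn"] == rec["conn"])
        expected_kind, declared_kind = _kind(expected), _kind(declared)
        return {
            "conn": rec["conn"],
            "expected": expected,
            "declared": declared,
            "negotiation_failed": failed,
            # Responder announces a private address the initiator never sees: classic NAT symptom.
            "behind_nat": declared_kind == "rfc1918" and expected_kind != "rfc1918",
            "server_fix": f"leftid={expected}",   # in the responder's conn section
            "client_fix": f"rightid={declared}",  # alternatively, in the initiator's conn section
        }
    return None


if __name__ == "__main__":
    result = diagnose_id_mismatch(SAMPLE_CLIENT_LOG)
    if result is None:
        print("no IKE identity mismatch found")
    else:
        print(f"conn {result['conn']}: peer declares {result['declared']}, "
              f"we expect {result['expected']}")
        if result["behind_nat"]:
            print("responder is announcing an RFC 1918 address: it sits behind NAT")
        print(f"server side: add '{result['server_fix']}' to the conn")
        print(f"client side: or add '{result['client_fix']}' to the conn")
```

Running it against the embedded sample reports the 192.168.2.100 versus 203.0.113.10 mismatch, flags the responder as NATed, and prints leftid=203.0.113.10 as the server-side change; with the real public address substituted for the placeholder, the same line is what the poster's l2tp-psk conn section lacks.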