LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Reload this Page NATing IPsec Server using Ipatbles
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-01-2010, 04:36 PM   #1
ajayan
Member
 
Registered: Dec 2007
Posts: 89

Rep: Reputation: 16
NATing IPsec Server using Ipatbles

Hi all,
I am trying to configure an Ipsec VPN (PSK) On Centos 5.4 Machine.The Ipsec server is setup behind Firewall and ports were redirected to internal Server(192.168.2.100).The details of the Gateway machine were,

eth0 --> Public IP
eth1---> 192.168.2.81

Ipsec Configuration

version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.2.0/24
conn %default
keyingtries=3
compress=yes
disablearrivalcheck=no
authby=secret
type=tunnel
keyexchange=ike
ikelifetime=240m
keylife=60m

conn l2tp-psk
pfs=no
left=192.168.2.100
leftnexthop=192.168.2.81
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%no,%priv
auto=add

For the sake of testing i have disabled other firewall rules and only redirection is enabled. The firewall rules on Gateway Machine were,

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to 192.168.2.100
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to 192.168.2.100

When i try to connect from Client its showing error,
104 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #20: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [Dead Peer Detection]
106 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: sent MI3, expecting MR3
003 "L2TP-PSK-CLIENT" #20: received Vendor ID payload [CAN-IKEv2]
003 "L2TP-PSK-CLIENT" #20: we require peer to have ID 'Public IP XXX', but peer declares '192.168.2.100'
218 "L2TP-PSK-CLIENT" #20: STATE_MAIN_I3: INVALID_ID_INFORMATION

and from the Logs from Ipsec server,

"STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
next payload type of ISAKMP Hash Payload has an unknown value: 63
malformed payload in packet"

it seems connection is established but the problem with POSTROUTING on Gateway machine.How can i Succssfully redirect and Postroute IPsec server on Gateway machine.
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
L2TP/IPSec/openswan server for iphone help ShadowHywind Linux - Server 3 01-25-2010 04:31 PM
Openswan IPSEC server prashanlk Linux - Networking 3 12-11-2007 10:13 PM
ipsec server on debian cristina_crow Linux - Networking 0 11-23-2007 02:14 AM
IPsec VPN - Dynamic Server IP, NAT, etc. jantman Linux - Networking 3 01-16-2007 12:11 AM
Running IPSEC vpn server ? winxandlinx Linux - Security 1 10-11-2006 05:41 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 11:34 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration