Timothy J. Massey wrote:
Hello!
This is the *last* thing I need to work, and I'm ready to take over the world! Or something...
I've got multiple subnet-to-subnet and subnet-to-host IPSec tunnels working, with both plain RSA keys as well as certs. I've tested it with Leaf firewall clients, Windows 2000 IPSec client and SSH Sentinel client. Everything works fine, as long as there is no NAT.
I've tried to make either the SSH Sentinel client or the Windows IPSec client (with NAT-T update) work through a Linksys router (BEFSR41). No joy.
I've got nat_traversal=yes on my Leaf configuration. I've tried it with the Linksys with IPSec Passthrough on and off, with SSH Sentinel with NAT-T on and off, and with Windows 2000 IPSec both before and after the NAT-T patch. None of them work.
The error I get most commonly is "no suitable connection for <subnet IP> ==> <Firewall IP> => <cert info> => <remote IP> => <Cert ID>". *All* of the information is correct. If I run it not through the NAT, it works fine, but add NAT and it's no dice.
I don't use nat traversal, but from what I understand of how it works, I can provide a few pointers which might help:
- You need to expressly enable nat traversal on *BOTH* ends of the link, as I don't think this is something that gets auto-negotiated.
- If you're trying to use the Linksys IPSec 'passthrough' mode, you would *NOT* use nat_traversal (ie: they're two different solutions to the same problem). Specifically, try with nat_traversal=no on the LEAF side, and the IPSec Passthrough on the Linksys enabled.
- If the linksys side is running nat traversal and initiating the connection (ie: the linksys end has a dynamic IP), there should be no need to forward UDP port 500.
- If your LEAF side is initiating a connection to the linksys end, you'll need to port-forward UDP port 500 to the appropriate system behind the linksys firewall.
HTH...
-- Charles Steinkuehler [EMAIL PROTECTED]
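To put the first and third pointers into a concrete shape, here is an added ipsec.conf fragment in FreeS/WAN NAT-T syntax (the stack LEAF shipped at the time); it is not the poster's configuration. It assumes a LEAF gateway on a public address with 192.168.1.0/24 behind it, authenticating with certs, and a road-warrior client behind the Linksys that always initiates; the connection name, certificate file name and addresses are assumptions.

```ini
# LEAF side (FreeS/WAN with the NAT-T and X.509 patches), responder.
config setup
    interfaces=%defaultroute
    # Pointer 1: NAT-T has to be switched on here AND in the client
    # (SSH Sentinel / Windows NAT-T update); it is not auto-negotiated.
    nat_traversal=yes
    # Private ranges a NATed client may present as its inner address.
    # The gateway's own LAN is excluded so it is never treated as a client.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Road-warrior behind the Linksys. Because the client initiates (pointer 3),
# nothing has to be forwarded on the Linksys: the NAT table entry created by
# the outgoing IKE packet lets the replies back in.
conn roadwarrior-nat
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftcert=leafgw.pem            # assumed certificate file name
    right=%any                     # client's public (Linksys WAN) address, unknown in advance
    rightsubnet=vhost:%no,%priv    # accept the client's private inner address, or none
    rightrsasigkey=%cert
    auto=add                       # responder only; never 'start' a conn to %any

# Pointer 2, for contrast: with the Linksys "IPSec Passthrough" approach the
# LEAF side runs plain IPsec instead, i.e. nat_traversal=no in config setup,
# and the two approaches are not combined.
```

Pointer 4 (LEAF initiating towards a host behind the Linksys) is the case where a UDP 500 forward on the Linksys is needed; it does not apply to this responder-only conn.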
leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
