Hello Troy,

> #4: NAT-Traversal: Transport mode disabled due to security concerns

means that the option ./configure --enable-nat-transport is not active.

Regards

Andreas

On 22.09.2010 20:20, Troy Telford wrote:
> I've got a working Openswan setup (backed up, of course). I decided to give
> strongSwan a try, and choose whichever I liked better...
>
> It also gives me confidence that the certificates, etc. are working properly. (Though
> logfiles help that too...)
>
> For the moment, my clients are mainly L2TP clients - having the built-in
> client for Windows, OS X, and iOS devices helps... So getting that working
> properly is the highest priority (and since that's in the IKEv1 realm,
> Openswan fits the need nicely already...) I'm also a bit curious about which
> handles the L2TP connections better with regards to clients behind NAT, etc...
>
> With strongSwan, however, I'm having trouble getting connected.
>
> I've used 'plutodebug="control controlmore"' to get more debugging info, and
> here are the bits I think are interesting: (I can send more if needed,
> though...)
>
> All the certs and CA validate:
> Sep 22 11:40:13 pilot pluto[8140]: | certificate is valid
> Sep 22 11:40:13 pilot pluto[8140]: | issuer cacert found
> Sep 22 11:40:13 pilot pluto[8140]: | certificate signature is valid
> Sep 22 11:40:13 pilot pluto[8140]: | crl signature is valid
> Sep 22 11:40:13 pilot pluto[8140]: | crl is valid: until Oct 06 13:04:05 2010
> Sep 22 11:40:13 pilot pluto[8140]: | certificate is good
>
> Phase I seems to complete:
> Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior"[2] 72.254.127.191:4500 #3: sent MR3, ISAKMP SA established
>
> And next, the part that I think is the problem:
> Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: NAT-Traversal: Transport mode disabled due to security concerns
> Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: sending encrypted notification BAD_PROPOSAL_SYNTAX to 72.254.127.191:4500
>
> The "BAD_PROPOSAL_SYNTAX" and Transport mode error happens with both the
> certificate-based 'roadwarrior-l2tp' connection, and with the PSK-based
> 'roadwarrior-l2tp-psk' connection.
>
> (Note, some comments are not in the actual file, but are there for your
> benefit...)
>
> I'm using packages from Debian (sid), kernel 2.6.32, and strongSwan 4.4.1.
>
> My config:
>
> config setup
>     # plutodebug=all
>     # plutodebug="control controlmore"
>     crlcheckinterval="30"
>     strictcrlpolicy=yes
>     cachecrls=yes
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/26,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>     interfaces=%defaultroute
>     charonstart=yes
>     plutostart=yes
>
> conn %default
>     keyingtries=1
>     type=tunnel
>     ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>     esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>     compress=yes
>     left=%defaultroute
>     leftsubnet=my_hostname.net/32 # This is dyndns assigned, so it's not
>                                   # static :(
>     right=%any
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     pfs=yes
>
> conn roadwarrior-l2tp
>     type=transport
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     rightsubnet=vhost:%no,%priv
>     pfs=no
>     also=roadwarrior
>
> conn roadwarrior
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     leftcert=pilotCert.pem
>     left...@my_hostname
>     rightid="C=CO, ST=State, O=My Organization, OU=My OrgUnit, CN=*, E=*"
>     rightca=%same
>     auto=add
>
> # for iOS VPNs...
> conn roadwarrior-l2tp-psk
>     type=transport
>     authby=secret
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     rightsubnet=vhost:%no,%priv
>     pfs=no
>     auto=add

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
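The diagnosis in this exchange rests on two things a defender can check mechanically: which conns in ipsec.conf end up as type=transport while nat_traversal=yes (after %default and also= inheritance are applied), and whether pluto's log shows the "Transport mode disabled due to security concerns" refusal followed by BAD_PROPOSAL_SYNTAX for the same state. The script below is an added example written for this thread, not strongSwan project code and not something either poster ran. It assumes the usual ipsec.conf precedence (a conn's own keys override its also= targets, which override conn %default); the sample config is condensed from the one quoted above and the log lines are the quoted ones rejoined onto single lines.

```python
"""Added example (not strongSwan code): lint ipsec.conf for transport-mode conns that
need a pluto built with --enable-nat-transport, and spot the matching refusal in the log.
Assumption: also= targets override conn %default, and the conn's own keys override both."""
import re
from typing import Dict, List

# Constructed: condensed from the configuration quoted in the thread.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn %default
    type=tunnel
    right=%any

conn roadwarrior-l2tp
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    also=roadwarrior

conn roadwarrior
    authby=rsasig
    leftcert=pilotCert.pem

conn roadwarrior-l2tp-psk
    type=transport
    authby=secret
    leftprotoport=17/1701
    rightsubnet=vhost:%no,%priv
"""

# Constructed: the pluto lines quoted in the thread, each rejoined onto one line.
SAMPLE_LOG = [
    'Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior"[2] 72.254.127.191:4500 #3: sent MR3, ISAKMP SA established',
    'Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: NAT-Traversal: Transport mode disabled due to security concerns',
    'Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: sending encrypted notification BAD_PROPOSAL_SYNTAX to 72.254.127.191:4500',
]


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Split ipsec.conf into sections keyed 'setup', 'conn:%default', 'conn:<name>'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: 'config setup' or 'conn NAME'
            kind, _, name = line.partition(" ")
            current = sections.setdefault("setup" if kind == "config" else f"conn:{name.strip()}", {})
            continue
        if current is None:
            raise ValueError(f"keyword outside any section: {line!r}")
        key, _, value = line.strip().partition("=")  # first '=' only: rightid DNs contain '='
        current[key.strip()] = value.strip()
    return sections


def effective_conn(sections, name: str, seen=frozenset()) -> Dict[str, str]:
    """Resolve one conn: %default first, then each also= target, then its own keys."""
    if name in seen:
        raise ValueError(f"also= cycle through conn {name}")
    own = sections.get(f"conn:{name}")
    if own is None:
        raise KeyError(f"conn {name} is referenced but not defined")
    merged = dict(sections.get("conn:%default", {}))
    for target in filter(None, (t.strip() for t in own.get("also", "").split(","))):
        merged.update(effective_conn(sections, target, seen | {name}))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def needs_nat_transport(sections) -> List[str]:
    """Conns that are type=transport while nat_traversal=yes: the ones affected when pluto
    logs 'Transport mode disabled due to security concerns', i.e. when it was built
    without ./configure --enable-nat-transport (the point made in the reply above)."""
    if sections.get("setup", {}).get("nat_traversal", "no") != "yes":
        return []
    names = [k[5:] for k in sections if k.startswith("conn:") and k != "conn:%default"]
    return [n for n in names if effective_conn(sections, n).get("type") == "transport"]


PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')


def diagnose_log(lines: List[str]) -> Dict[str, dict]:
    """Group pluto messages per state (#n); mark states where the transport-mode refusal
    is followed by a BAD_PROPOSAL_SYNTAX notification."""
    states: Dict[str, dict] = {}
    for line in lines:
        m = PLUTO_RE.search(line)
        if m:
            st = states.setdefault(m["state"], {"conn": m["conn"], "peer": m["peer"], "msgs": []})
            st["msgs"].append(m["msg"])
    for st in states.values():
        st["nat_transport_missing"] = (any("Transport mode disabled" in x for x in st["msgs"])
                                       and any("BAD_PROPOSAL_SYNTAX" in x for x in st["msgs"]))
    return states


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    print("conns needing --enable-nat-transport:", needs_nat_transport(conf))
    for num, st in diagnose_log(SAMPLE_LOG).items():
        if st["nat_transport_missing"]:
            print(f"state #{num} ({st['conn']} from {st['peer']}): transport mode refused -> BAD_PROPOSAL_SYNTAX")
```

Run against the sample it reports both L2TP conns (the certificate-based one inherits authby=rsasig through also=roadwarrior but keeps its own type=transport) and flags state #4 only; state #3, the successfully established ISAKMP SA, is left alone. The peer field keeps the :4500 port, which is itself a hint that NAT-T is in play for that client.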
