This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem with Routing and NAT

Hello,

following Problem:

our ASL: Static IP 87.234.245.186, external; 192.168.122.0/24 internal,

remote site: static IP 80.85.192.136, 129.149.33.0/24 internal

configured a PSK VPN, with Type ist Standart for Site to site-VPN, turned Auto Packet-Filter off, because we only need SSH. turned Strict Routing off, Local Endpoint ist my external Interfaces, remote Endpoint is the defined remote IP-Adress, Local Subnet is my internal interface, remote subnet is the defined Internal subnet from the remote side.

Problem: the remote Site can not route our net into the remote net, so we have to turn off NAT for the VPN. Only our external IP shoud appear at the remote Site.

Question: How can we configure the ASL not to show the internal Network at the remote side.

the ISAKMP SA is up and green, but the IPSEC SA is only Yellow and not comming up. I copy the Status-output here:

000
000 "S_otto__neu_0": 192.168.122.0/24===87.234.245.186...80.85.192.36===129.149.33.0/24; unrouted; eroute owner: #0
000 "S_otto__neu_0":     srcip=unset; dstip=unset; srcup=/opt/_updown.classic 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.classic 2>/tmp/log 1>/tmp/log;
000 "S_otto__neu_0":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_otto__neu_0":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0;
000 "S_otto__neu_0":   dpd: action:restart; delay:30; timeout:120;
000 "S_otto__neu_0":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "S_otto__neu_0":   IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "S_otto__neu_0":   IKE algorithms found:  5_192-1_128-2,
000 "S_otto__neu_0":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "S_otto__neu_0":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "S_otto__neu_0":   ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #3: "S_otto__neu_0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; nodpd
000 #1: "S_otto__neu_0":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6753s; newest ISAKMP; nodpd
000

thanks for any Help

This thread was automatically locked due to age.

Parents

0 drees over 19 years ago

One end or the other is not completely happy with the VPN settings. What do the VPN log files say?
Cancel
Vote Up 0 Vote Down

Cancel
0 herbstortwin over 19 years ago in reply to drees

Hello,

here are the output from the IPSEC LOG:

2006:08:08-19:19:35 (none) pluto[11378]: "S_otto__neu_0" #1447: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2006:08:08-19:19:35 (none) pluto[11378]: "S_otto__neu_0" #1447: starting keying attempt 1433 of an unlimited number
2006:08:08-19:19:35 (none) pluto[11378]: "S_otto__neu_0" #1448: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1447 {using isakmp#1414}
2006:08:08-19:20:45 (none) pluto[11378]: "S_otto__neu_0" #1448: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2006:08:08-19:20:45 (none) pluto[11378]: "S_otto__neu_0" #1448: starting keying attempt 1434 of an unlimited number
2006:08:08-19:20:45 (none) pluto[11378]: "S_otto__neu_0" #1449: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1448 {using isakmp#1414}
2006:08:08-19:21:55 (none) pluto[11378]: "S_otto__neu_0" #1449: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2006:08:08-19:21:55 (none) pluto[11378]: "S_otto__neu_0" #1449: starting keying attempt 1435 of an unlimited number
2006:08:08-19:21:55 (none) pluto[11378]: "S_otto__neu_0" #1450: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #1449 {using isakmp#1414}

and here are teh output from the VPN Status Windows:

000
000 "S_otto__neu_0": 192.168.122.0/24===87.234.245.186...80.85.192.36===129.149.33.0/24; unrouted; eroute owner: #0
000 "S_otto__neu_0":     srcip=unset; dstip=unset; srcup=/opt/_updown.classic 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.classic 2>/tmp/log 1>/tmp/log;
000 "S_otto__neu_0":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_otto__neu_0":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0;
000 "S_otto__neu_0":   dpd: action:restart; delay:30; timeout:120;
000 "S_otto__neu_0":   newest ISAKMP SA: #1414; newest IPsec SA: #0;
000 "S_otto__neu_0":   IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "S_otto__neu_0":   IKE algorithms found:  5_192-1_128-2,
000 "S_otto__neu_0":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "S_otto__neu_0":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "S_otto__neu_0":   ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #1451: "S_otto__neu_0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 5s; nodpd
000 #1414: "S_otto__neu_0":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 4706s; newest ISAKMP; nodpd
000

Thanks for any help
Cancel
Vote Up 0 Vote Down

Cancel
0 drees over 19 years ago in reply to herbstortwin

The logs indicate that the remote side is not responding to the IPSEC establish requests, are you sure that the encryption and network parameters match on both sides? What type of machine is your remote VPN endpoint?
Cancel
Vote Up 0 Vote Down

Cancel
0 herbstortwin over 19 years ago in reply to drees

Hello,

thanks for reply, Sorry but i cant tell you whats on the other site, because its a high Security ([:D] ) area. Whatever this means.

The Problem is that the other Site will not route our internal Net in there Internal net. I have to make Nat inside the VPN. It is not allowed to come with private IP´s. Every thing has to go over the external IP from us.

Can i do this with a source-Nat?

Thanks for Help
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 herbstortwin over 19 years ago in reply to drees

Hello,

thanks for reply, Sorry but i cant tell you whats on the other site, because its a high Security ([:D] ) area. Whatever this means.

The Problem is that the other Site will not route our internal Net in there Internal net. I have to make Nat inside the VPN. It is not allowed to come with private IP´s. Every thing has to go over the external IP from us.

Can i do this with a source-Nat?

Thanks for Help
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 drees over 19 years ago in reply to herbstortwin

Ok, I think I understand your problem.

ASL Side:
VPN Net: 192.168.122.0/24
VPN Endpoint: 87.234.245.186

"Secure" Side:
VPN Net: 129.149.33.0/24
VPN Endpoint: 80.85.192.36

But you want to NAT 192.168.122.0/24 behind 87.234.245.186 before routing over the VPN. So that means your VPN Net should be set to 87.234.245.186/32, not the private network.

I'm not sure how NAT + VPN will work, I have not tried it, so hopefully it will just work. [:)]

Keep in mind that because of the NAT, you essentially can only initiate connections over the VPN from the NATed network to 129.149.33.0/24, any thing in 129.149.33.0/24 trying to reach 192.168.122.0/24 will naturally fail unless you do some reverse NAT for specific ports.
Cancel
Vote Up 0 Vote Down

Cancel
0 herbstortwin over 19 years ago in reply to drees

Thanks for the Help, i try this out und hope it works![:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 drees over 19 years ago in reply to herbstortwin

BTW, your problem sounds the same as the one in this thread, you may need additional NAT rules as described in the thread:

Unable to Access External IP Addy from Internal Network - VERY CONFUSED
Cancel
Vote Up 0 Vote Down

Cancel