Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 1180 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP/IPsec with Astaro NATed

addrockk
I'm having some trouble getting L2TP/IPsec working on my ASG when it's behind a NAT. I've tried it with the other end both NATed and unNATed, but I get the same error.  I think the NAT that my Astaro is behind has NAT-T turned on, and also IKE, ESP, and AH allowed through explicitly. However, when I attempt to connect from any client I get: 
2011:05:18-16:08:08 gateway pluto[6678]: "S_REF_moWquEVXTx"[6] 208.105.104.57 #36: NAT-Traversal: Result using RFC 3947: i am NATed

2011:05:18-16:08:09 gateway pluto[6678]: "S_REF_moWquEVXTx"[6] 208.105.104.57 #36: Peer ID is ID_IPV4_ADDR: '208.105.104.57'

2011:05:18-16:08:09 gateway pluto[6678]: | NAT-T: new mapping 208.105.104.57:500/4500)

2011:05:18-16:08:09 gateway pluto[6678]: "S_REF_moWquEVXTx"[6] 208.105.104.57:4500 #36: sent MR3, ISAKMP SA established

2011:05:18-16:08:09 gateway pluto[6678]: "S_REF_moWquEVXTx"[6] 208.105.104.57:4500 #36: cannot respond to IPsec SA request because no connection is known for /32===10.66.128.5(astaro's external interface):4500[10.66.128.5]:17/1701...208.105.104.57:4500[208.105.104.57]:17/%any

2011:05:18-16:08:09 gateway pluto[6678]: "S_REF_moWquEVXTx"[6] 208.105.104.57:4500 #36: sending encrypted notification INVALID_ID_INFORMATION to 208.105.104.57:4500


Can anyone shed some light on what's going on from that section of logs? (I can provide more if you think it will help). Is my upstream/NAT set up right, or do I have to get them to fix something? 

TIA,
Adam


This thread was automatically locked due to age.
Parents
  • 0
    Hi,

    In IPsec connecting, when you use the authentication by preshared key, ASG cannot be put behind NAT.
    When preshared key is used, ASG checks IP.
    Because IP that other box has accessed and IP of ASG are different, it becomes an error.
    This can be solved by using RSA or X509 in IPSecVPN. 
    I guess that it is possible to solve  by using X509 for L2TP/IPSec.
    However, I have not tried this.
Reply
  • 0
    Hi,

    In IPsec connecting, when you use the authentication by preshared key, ASG cannot be put behind NAT.
    When preshared key is used, ASG checks IP.
    Because IP that other box has accessed and IP of ASG are different, it becomes an error.
    This can be solved by using RSA or X509 in IPSecVPN. 
    I guess that it is possible to solve  by using X509 for L2TP/IPSec.
    However, I have not tried this.
Children
No Data