VaporSec NAT Traversal?

    #355559
    Anonymous
    Participant

    After fiddling with the racoon.conf, I was able to tunnel through to our SonicWall SOHO-3. When I try to ping the router, though, I get the following on the server log: “NAT Discovery : Peer IPSec Security Gateway doesn’t support VPN NAT Traversal”. I got the same message when I tried VPN Tracker. Any way around this (other than connecting directly to my single public IP)?

    Thanks.

    #355561
    Anonymous
    Participant

    Oh, basically anything — ping, telnet, http — nothing works. All I get is this log entry on the server (VPN box). As I understand, if there is no NAT traversal, nothing will work (unless I connect directly to my single IP). Is this correct, or am I confused?

    Topology here at home is: OS X Jaguar 10.2.5 running on a 17″ Ti-book, wireless access using older Airport connected to my cable modem. I also have a Win2K box that works just fine with the VPN using SonicWall’s client software, and it is also wireless using the same Airport.

    Thanks again for the help.

    #355563
    Anonymous
    Participant

    I followed the “Flying racoons part 3” article to the letter. Here is the relevant stuff from the server log:

    05/07/2003 16:17:12.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 192.168.0.170 68.71.28.149 ESP:3DES, HMAC_SHA1, lifeSeconds=30 Local SPI:0x8cfe0f20 Remote SPI:0xdb20683

    05/07/2003 16:17:12.848 IKE Responder: Accepting IPSec proposal (Phase 2) 68.71.28.149 192.168.0.170 192.168.1.123/32 -> 192.168.10.0/24

    05/07/2003 16:17:12.784 IKE Responder: Received Quick Mode Request (Phase 2) 68.71.28.149 192.168.0.170

    05/07/2003 16:17:12.784 IKE Responder: Aggressive Mode complete (Phase 1) 68.71.28.149 192.168.0.170 3DES SHA1 Group 2 lifeSeconds=60

    05/07/2003 16:17:12.672 NAT Discovery : Peer IPSec Security Gateway doesn’t support VPN NAT Traversal 192.168.0.170 68.71.28.149

    05/07/2003 16:17:12.384 IKE Responder: Received Aggressive Mode request (Phase 1) 68.71.28.149 192.168.0.170

    My internal IP here at home is 192.168.1.123. The remote private network is 192.168.10.0/24. Everything looks good, but I can’t ping or do anything — no NAT traversal (see log entry above).

    Please send the beta to [email protected]. Thanks.
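A small triage script for log excerpts like the one above, added here as an example (it is not code from the thread, from VaporSec/racoon, or from SonicWALL). It parses the SonicWALL timestamp-plus-message format, puts the entries back in chronological order (the GUI lists newest first), and reports whether Phase 1 and Phase 2 completed, which proxy IDs were accepted, and whether NAT-T was negotiated. The sample log is a constructed copy of the entries posted in this thread with straight quotes; the regexes are keyed to the wording visible in those entries and may need adjusting for other firmware.

```python
"""Summarise a SonicWALL IKE log excerpt: did Phase 1 / Phase 2 complete,
which proxy IDs were accepted, and was NAT-T negotiated?

Added example, not code from the thread or from any vendor. The log format
is taken from the lines posted in the thread; SAMPLE_LOG is a constructed
copy of them (straight quotes, newest entry first, as the GUI shows them).
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
05/07/2003 16:17:12.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 192.168.0.170 68.71.28.149 ESP:3DES, HMAC_SHA1, lifeSeconds=30 Local SPI:0x8cfe0f20 Remote SPI:0xdb20683
05/07/2003 16:17:12.848 IKE Responder: Accepting IPSec proposal (Phase 2) 68.71.28.149 192.168.0.170 192.168.1.123/32 -> 192.168.10.0/24
05/07/2003 16:17:12.784 IKE Responder: Received Quick Mode Request (Phase 2) 68.71.28.149 192.168.0.170
05/07/2003 16:17:12.784 IKE Responder: Aggressive Mode complete (Phase 1) 68.71.28.149 192.168.0.170 3DES SHA1 Group 2 lifeSeconds=60
05/07/2003 16:17:12.672 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 192.168.0.170 68.71.28.149
05/07/2003 16:17:12.384 IKE Responder: Received Aggressive Mode request (Phase 1) 68.71.28.149 192.168.0.170
"""

# "MM/DD/YYYY HH:MM:SS.mmm" followed (with or without a space) by the message text
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s*(.*\S)\s*$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_log(text):
    """Return [(datetime, message)] in chronological order.

    The input is read bottom-up so that entries sharing a timestamp keep the
    order the device logged them in (sort() is stable)."""
    events = []
    for raw in reversed(text.splitlines()):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped entry (blank line, pasted prose, ...)
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
        events.append((ts, m.group(2)))
    events.sort(key=lambda e: e[0])
    return events


def summarize(text):
    """Walk the entries and collect the facts a VPN troubleshooter wants first."""
    s = {"phase1_complete": False, "phase2_sa_installed": False,
         "nat_t_negotiated": None, "peer_ip": None, "proxy_ids": None}
    for _, msg in parse_log(text):
        if "(Phase 1)" in msg and "complete" in msg:
            s["phase1_complete"] = True
        if "Adding IPSec SA" in msg:
            s["phase2_sa_installed"] = True
        if "NAT Discovery" in msg:
            # The device logs this line when the peer did not announce NAT-T support.
            s["nat_t_negotiated"] = not re.search(r"doesn.t support", msg)
        if "Accepting IPSec proposal" in msg:
            m = re.search(r"(\S+/\d+)\s*->\s*(\S+/\d+)", msg)
            if m:
                s["proxy_ids"] = (m.group(1), m.group(2))
        if "Received Aggressive Mode request" in msg:
            ips = IPV4_RE.findall(msg)
            if ips:
                s["peer_ip"] = ips[0]  # first address in this entry is the remote peer
    return s


def verdict(s):
    """One-line interpretation, in the order a troubleshooter eliminates causes."""
    if not s["phase1_complete"]:
        return "Phase 1 never completed: check identities, pre-shared key and Phase 1 proposal"
    if not s["phase2_sa_installed"]:
        return "Phase 1 ok but no IPsec SA installed: check Phase 2 proposal and proxy IDs"
    if s["nat_t_negotiated"] is False:
        return ("IKE complete; peer lacks NAT-T, so ESP crosses any NAT unencapsulated: "
                "if traffic still fails, suspect the NAT gateway between the peers")
    return "IKE complete with NAT-T negotiated"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    print(verdict(summary))
```

On the thread's log this reports both phases complete, proxy IDs 192.168.1.123/32 -> 192.168.10.0/24, NAT-T not negotiated, and the verdict that the NAT gateway is the next thing to suspect, which is where the discussion ends up.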

    #355569
    opus
    Participant

    This isn’t an error of any sort or anything you need to worry about usually.

    What NAT Traversal (NAT-T) actually is is a method of encapsulating IPSec packets within UDP packets. This is done because many NAT routers, especially older ones, will not pass IPSec properly.

    All that the log message you are seeing means is that the device the SonicWALL is attempting to negotiate an IPSec connection with (in your case, the Mac) does not support NAT-T. IPSec packets will be sent normally, without being encapsulated within UDP.

    This is explained in SonicWALL’s FAQs.

    The log info you show indicates that the IKE negotiation is completing just fine. There’s nothing wrong with your VaporSec config. My conclusion is that the problem is your home’s NAT gateway. I’d lay odds that if you set up the Mac with a public IP or behind a more current NAT router it would work fine.

    The reason the PC works fine is because the SonicWALL VPN client you are using does support NAT-T and is therefore able to get around the NAT router’s IPSec incompatibility.
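To make the "NAT Discovery" step concrete, here is an added example (not code from the thread, nor from racoon/VaporSec or SonicWALL) of the NAT-D payload that IKEv1 NAT-T peers exchange, as defined in RFC 3947 section 3.2: each side sends HASH(CKY-I | CKY-R | IP | Port) over the address and port it believes it is using, and the receiver recomputes the hash over the source address and port it actually observed. A mismatch means a NAT rewrote the packet, and the peers then switch to UDP encapsulation. In the thread this exchange never happened because the Mac did not announce NAT-T support; the example shows what a NAT-T-capable client would have produced, using SHA1 (the Phase 1 hash negotiated in the posted log), constructed cookies, the addresses reported in the thread, and my assumption that the Airport left UDP source port 500 unchanged.

```python
"""NAT-D (NAT discovery) hashes as defined in RFC 3947 section 3.2.

Added example, not code from the thread or from racoon/VaporSec/SonicWALL.
HASH is the Phase 1 hash algorithm (SHA1 in the posted log); the cookies are
constructed; the addresses are those reported in the thread; the assumption
that the home NAT keeps UDP source port 500 is the example author's.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port): two 8-octet ISAKMP cookies, the packed
    address (4 octets for IPv4, 16 for IPv6) and the 2-octet big-endian port."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 octets each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def peer_behind_nat(cky_i: bytes, cky_r: bytes, received_hash: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute over the source address/port actually seen on
    the wire. A mismatch means the packet was rewritten in transit, i.e. the
    sender is behind a NAT and ESP should be UDP-encapsulated."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != received_hash


def thread_topology():
    """The two situations discussed in the thread.

    Returns (nat_detected_direct, nat_detected_via_home_nat)."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie

    # Case 1: Mac holds the public address itself, so what it hashes is what
    # the SonicWALL observes.
    sent_direct = nat_d_hash(cky_i, cky_r, "68.71.28.149", 500)
    direct = peer_behind_nat(cky_i, cky_r, sent_direct, "68.71.28.149", 500)

    # Case 2: Mac at 192.168.1.123 hashes its private address; the Airport
    # rewrites the source to 68.71.28.149 before the SonicWALL sees it.
    sent_via_nat = nat_d_hash(cky_i, cky_r, "192.168.1.123", 500)
    via_nat = peer_behind_nat(cky_i, cky_r, sent_via_nat, "68.71.28.149", 500)

    return direct, via_nat


if __name__ == "__main__":
    print(thread_topology())  # (False, True)
```

The check is deliberately one-directional here: a real negotiation carries NAT-D payloads for both peers' addresses, and either side that detects a mismatch moves the exchange to UDP port 4500. Without NAT-T the ESP packets go out bare, and whether they survive then depends entirely on the NAT device, which is the point opus makes above.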

    #355570
    Anonymous
    Participant

    Thanks for the tip — I actually arrived at the same conclusion last night. The only thing that has me doubting is that my router is an Apple airport (older model), and I’ve been told that this configuration should work. I will be testing this theory tonight when I get home, as I also have a linksys router that does support IPSec passthrough. I’ll post a follow-up with the results.

    #355573
    Anonymous
    Participant

    Just an update for the curious — the Airport base station was the culprit. Once I hooked up my LinkSys router and set up the Airport as just a WAP (not routing), I was able to tunnel in. Thanks again for all the help.
