не могу поднять туннель, проходящий через 2 ната (убрать их нельзя)
помогите найти, где затык?
схема такая:
сервер оренсван 1.0.9 (int 10.83.0.А, ext 10.83.200.A)

cisco 1 (int 10.83.200.B)

cisco 2 (NAT, int 10.83.200.C, ext X.Y.W.S)

internet

cisco 3 (NAT, int 10.83.D.E, ext X.Y.W.Z)

клиент Sonicwall vpnclient 8.0 (int 10.83.D.F)

раньше все работало, но после замены сервера нет (делал другой человек, была другая версия

FreeSwan, конфиг и сертификаты я взял с него)
конфиг опенсвана:
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # чfaultroute is okay for most simple cases.
        interfaces=чfaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" f
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control start
        plutoload=%search
        plutostart=%search
        plutowait=no
        # Close down old connection when new one using same ID shows
        uniqueids=yes
        nat_traversal=yes

# defaults for subsequent connection descriptions
conn чfault
        # How persistent to be in (re)keying negotiations (0 means v
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=rsasig
        auth=esp
        #$leftrsasigkey=%dns
        #ightrsasigkey=%dns
        compress=yes
        pfs=yes
        disablearrivalcheck=yes
        keyexchange=ike
        keylife=24h
        #aggrmode=yes
        #rekey=no
conn upfr24
        type=tunnel
        left=чfaultroute
        leftsubnet=10.83.0.0/255.255.255.0
        leftcert=mvCert.der
        leftrsasigkey=нrt
        leftid=X.Y.W.S             (cisco 2 ext)
        right=X.Y.W.Z         (cisco 3 ext)
        rightsubnet=10.83.D.F/255.255.255.255
        rightrsasigkey=нrt
        rightid="/C=RU/ля ля ля..."
        compress=no
        auto=start

вот лог с сервера:

Jun  8 09:27:38 ibm320 pluto[3056]: "upfr24" #1: initiating Main Mode
Jun  8 09:27:38 ibm320 pluto[3056]: "upfr24" #1: received Vendor ID payload [dra
ft-ietf-ipsec-nat-t-ike-00]
Jun  8 09:27:38 ibm320 pluto[3056]: "upfr24" #1: transition from state STATE_MAI
N_I1 to state STATE_MAIN_I2
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ignoring Vendor ID payload [47b
be7c993f1fc13b4e6d0db565c68e5010201010201010310382e302e302028...]
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ignoring Vendor ID payload [da8
e937880010000]
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ignoring Vendor ID payload [XAU
TH]
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: NAT-Traversal: Result using dra
ft-ietf-ipsec-nat-t-ike-00/01: both are NATed
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: Warning: peer is NATed but sour
ce port is still udp/500. Ipsec-passthrough NAT device suspected -- NAT-T may no
t work.
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: transition from state STATE_MAI
N_I2 to state STATE_MAIN_I3
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: Main mode peer ID is ID_DER_ASN
1_DN: 'C=RU, .........'
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: crl update is overdue since Dec
19 06:32:35 UTC 2003
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: crl update is overdue since Dec
19 06:32:35 UTC 2003
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: transition from state STATE_MAI
N_I3 to state STATE_MAIN_I4
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ISAKMP SA established
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #2: initiating Quick Mode RSASIG+EN
CRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #3: responding to Quick Mode
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #3: transition from state (null) to
state STATE_QUICK_R1
Jun  8 09:27:39 ibm320 pluto[3056]: "upfr24" #2: IKE message has the Commit Flag
set but Pluto doesn't implement this feature; ignoring flag
Jun  8 09:27:40 ibm320 pluto[3056]: "upfr24" #2: transition from state STATE_QUI
CK_I1 to state STATE_QUICK_I2
Jun  8 09:27:40 ibm320 pluto[3056]: "upfr24" #2: sent QI2, IPsec SA established
Jun  8 09:27:40 ibm320 pluto[3056]: "upfr24" #3: transition from state STATE_QUI
CK_R1 to state STATE_QUICK_R2
Jun  8 09:27:40 ibm320 pluto[3056]: "upfr24" #3: IPsec SA established

то есть типа установлено соединение, но пинги с сервера на клиент (на 192.168.D.F) не идут,

а с клиента на сервер (на 192.168.0.А) идут (tracert находит 192.168.0.А на четвертом хопе,

до четвертого одни звезды)

вывод tcpdump -i eth1 src X.Y.W.Z   (Cisco3 ext)
09:36:01.941136 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 I iden
t: [|sa]
09:36:11.306903 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 ? iden
t: [|sa]
09:36:11.479699 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 ? iden
t: [|cr]
09:36:11.856809 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 ? iden
t[E]: [encrypted id] (frag 11400:1328@0+)
09:36:11.856919 **.ru > 10.83.200.A: udp (frag 11400:20@1328)
09:36:12.181531 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others
? oakley-quick[EC]: [encrypted hash]
09:36:13.625977 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others
? none[E]: [encrypted #82]
09:36:14.622172 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others
? #58[]: [|#85]
09:36:15.620202 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others
? #114[]: [|#15]
09:36:16.621788 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others
? #7[EC]: [encrypted #189]
09:36:17.619646 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others
? #152[C]: [|#101]

вывод tcpdump -i eth1 src 192.168.200.A    (сервер ext)
09:32:28.527202 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 1 I iden
t: [|sa] (DF)
09:32:28.867820 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 1 I iden
t: [|ke] (DF)
09:32:29.258838 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 1 I iden
t[E]: [encrypted id] (DF)
09:32:29.776442 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others
I oakley-quick[E]: [encrypted hash] (DF)
09:32:30.250533 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others
I oakley-quick[E]: [encrypted hash] (DF)
09:32:31.768216 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others
? #158[C]: [|ke]
09:32:32.776634 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others
? #255[E]: [encrypted #61]
09:32:33.792164 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others
? #104[C]: [|#133]
09:32:34.805680 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others
? #248[E]: [encrypted #101]

ifconfig
ipsec0    ....
          inet addr:10.83.200.A  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:231 errors:0 dropped:14 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:14756 (14.4 Kb)  TX bytes:32802 (32.0 Kb)

пингую клиента с сервера - исходящие пакеты дропаются, останавливаю пинги - счетчик дроппед перестает расти

• IPSec туннель через двойной NAT не поднимается, cheetah80, 10:25 , 08-Июн-05, (1)