[Openswan Users] NAT Problem?

Miguel Ángel Domínguez Durán mdominguez at cherrytel.com
Wed Mar 9 12:20:13 CET 2005


Thank you! I'll try to locate that patch.
I'll keep you informed.

UN CORDIAL SALUDO

Miguel Ángel Domínguez Durán.
Departamento Técnico.
Cherrytel Comunicaciones, S.L.
mdominguez at cherrytel.com
http://www.cherrytel.com/
Tlf. 902 115 673
Fax 952218170
----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Miguel Ángel Domínguez Durán" <mdominguez at cherrytel.com>
Cc: <users at openswan.org>; "Michael Richardson" <mcr at xelerance.com>
Sent: Wednesday, March 09, 2005 12:13 PM
Subject: Re: [Openswan Users] NAT Problem?


> On Wed, 9 Mar 2005, Miguel Ángel Domínguez Durán wrote:
>
> This looks like the NAT-OA bug in XP. Someone posted a patch that seemed
> to fix this, which is still being reviewed by us. You can try out the 
> patch,
> which should be someone in the archive of the dev list.
>
> Paul
>
>> The log at /var/secure is:
>> Mar  9 11:40:12 vpn ipsec__plutorun: Starting Pluto subsystem...
>> Mar  9 11:40:13 vpn pluto[2086]: Starting Pluto (Openswan Version 2.3.0
>> X.509-1.5.4 PLUTO_USES_KEYRR)
>> Mar  9 11:40:13 vpn pluto[2086]: Setting port floating to on
>> Mar  9 11:40:13 vpn pluto[2086]: port floating activate 1/1
>> Mar  9 11:40:13 vpn pluto[2086]:   including NAT-Traversal patch (Version
>> 0.6c)
>> Mar  9 11:40:13 vpn pluto[2086]: ike_alg_register_enc(): Activating
>> OAKLEY_AES_CBC: Ok (ret=0)
>> Mar  9 11:40:13 vpn pluto[2086]: starting up 1 cryptographic helpers
>> Mar  9 11:40:13 vpn pluto[2086]: started helper pid=2133 (fd:6)
>> Mar  9 11:40:13 vpn pluto[2086]: Using Linux 2.6 IPsec interface code
>> Mar  9 11:40:14 vpn pluto[2086]: Changing to directory
>> '/etc/ipsec.d/cacerts'
>> Mar  9 11:40:14 vpn pluto[2086]:   loaded CA cert file 'cacert.pem' (1334
>> bytes)
>> Mar  9 11:40:14 vpn pluto[2086]: Could not change to directory
>> '/etc/ipsec.d/aacerts'
>> Mar  9 11:40:14 vpn pluto[2086]: Could not change to directory
>> '/etc/ipsec.d/ocspcerts'
>> Mar  9 11:40:14 vpn pluto[2086]: Changing to directory 
>> '/etc/ipsec.d/crls'
>> Mar  9 11:40:14 vpn pluto[2086]:   loaded crl file 'crl.pem' (536 bytes)
>> Mar  9 11:40:14 vpn pluto[2086]:   loaded host cert file
>> '/etc/ipsec.d/certs/vpncert.pem' (3605 bytes)
>> Mar  9 11:40:14 vpn pluto[2086]:   loaded host cert file
>> '/etc/ipsec.d/certs/windowsxp.pem' (3557 bytes)
>> Mar  9 11:40:14 vpn pluto[2086]: added connection description "windows"
>> Mar  9 11:40:14 vpn pluto[2086]: listening for IKE messages
>> Mar  9 11:40:14 vpn pluto[2086]: adding interface eth1/eth1 10.9.200.10
>> Mar  9 11:40:14 vpn pluto[2086]: adding interface eth1/eth1 
>> 10.9.200.10:4500
>> Mar  9 11:40:14 vpn pluto[2086]: adding interface eth0/eth0 213.9.234.19
>> Mar  9 11:40:14 vpn pluto[2086]: adding interface eth0/eth0
>> 213.9.234.19:4500
>> Mar  9 11:40:14 vpn pluto[2086]: adding interface lo/lo 127.0.0.1
>> Mar  9 11:40:14 vpn pluto[2086]: adding interface lo/lo 127.0.0.1:4500
>> Mar  9 11:40:14 vpn pluto[2086]: adding interface lo/lo ::1
>> Mar  9 11:40:14 vpn pluto[2086]: loading secrets from 
>> "/etc/ipsec.secrets"
>> Mar  9 11:40:14 vpn pluto[2086]:   loaded private key file
>> '/etc/ipsec.d/private/vpnkey.pem' (1643 bytes)
>> Mar  9 11:41:36 vpn pluto[2086]: packet from 213.9.234.24:500: ignoring
>> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>> Mar  9 11:41:36 vpn pluto[2086]: packet from 213.9.234.24:500: ignoring
>> Vendor ID payload [FRAGMENTATION]
>> Mar  9 11:41:36 vpn pluto[2086]: packet from 213.9.234.24:500: received
>> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>> Mar  9 11:41:36 vpn pluto[2086]: packet from 213.9.234.24:500: ignoring
>> Vendor ID payload [Vid-Initial-Contact]
>> Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1: responding 
>> to
>> Main Mode from unknown peer 213.9.234.24
>> Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1: transition
>> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is 
>> NATed
>> Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1: transition
>> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1: next 
>> payload
>> type of ISAKMP Hash Payload has an unknown value: 232
>> Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1: malformed
>> payload in packet
>> Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1: sending
>> notification PAYLOAD_MALFORMED to 213.9.234.24:500
>> Mar  9 11:42:46 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1: max number 
>> of
>> retransmissions (2) reached STATE_MAIN_R2
>> Mar  9 11:42:46 vpn pluto[2086]: "windows"[1] 213.9.234.24: deleting
>> connection "windows" instance with peer 213.9.234.24 {isakmp=#0/ipsec=#0}
>>
>> Hope you can throw some light into this.
>> Thank you very much.
>>
>> UN CORDIAL SALUDO
>>
>> Miguel Ángel Domínguez Durán.
>> Departamento Técnico.
>> Cherrytel Comunicaciones, S.L.
>> mdominguez at cherrytel.com
>> http://www.cherrytel.com/
>> Tlf. 902 115 673
>> Fax 952218170
>> ----- Original Message ----- 
>> From: "Paul Wouters" <paul at xelerance.com>
>> To: "Miguel Ángel Domínguez Durán" <mdominguez at cherrytel.com>
>> Cc: <users at openswan.org>
>> Sent: Tuesday, March 08, 2005 1:47 PM
>> Subject: Re: [Openswan Users] NAT Problem?
>>
>>
>> > On Tue, 8 Mar 2005, Miguel Ángel Domínguez Durán wrote:
>> >
>> >>       nat_traversal=yes
>> >
>> > you might want virtual_private= ?
>> >
>> >> conn windows
>> >>       auto=add
>> >>       auth=rsasig
>> >>       left=213.9.x.x
>> >>       leftcert=vpncert.pem
>> >>       leftid="C=ES, ST=MALAGA, L=MALAGA, O=CHERRYTEL COMUNICACIONES 
>> >> S.L.,
>> >> CN=vpn"
>> >>       right=%any
>> >>       rightcert=windowsxp.pem
>> >>       rightid="C=ES, ST=MALAGA, L=MALAGA, O=Prueba, CN=prueba"
>> >>       pfs=yes
>> >>       keyingtries=0
>> >
>> > this is a tunnel to 1 IP only, since there is no leftsubnet.
>> >
>> >> The ipsec.conf in the windows machine contains the following:
>> >> conn windows
>> >>       left=%any
>> >>       leftid="C=ES, ST=MALAGA, L=MALAGA, O=Prueba, CN=prueba"
>> >>       right=213.9.x.x
>> >>       rightsubnet=*
>> >
>> > this implies the server should have leftsubnet=0.0.0.0/0
>> >
>> > If you want ALL traffic to go to the server, use the leftsubnet line.
>> > If you don't, remove the rightsubnet line.
>> > If you meant to connect top just some ip network at the server, use 
>> > that
>> > as right/leftsubnet and exlude it from NAT in virtual_private.
>> >
>> > Paul
>>
>
> 



More information about the Users mailing list