[Openswan Users] Unable to connect from behind NATed connection
Leigh Sharpe
lsharpe at pacificwireless.com.au
Tue Aug 18 20:23:19 EDT 2009
Hi all,
I'm having a hell of a time getting an L2TP/IPSEC connection when my
client is behind NAT.
I'm using the following configs:
ipsec.conf:
-----
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.1.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/
include /etc/ipsec.d/examples/l2tp-psk.conf

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
----
l2tp-psk.conf:
---------
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
        # YourIPAddress %any: "sharedsecret"
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        type=transport
        #
        #left=%defaultroute
        # or you can use: left=YourIPAddress
        left=202.134.34.214
        leftnexthop=202.134.34.213
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "0" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port, but propose "0" instead of their port.
        rightprotoport=17/0
---------
I am able to connect OK when my client is not NATed, but when the same
machine is placed behind NAT, I can't connect. All I get in
/var/log/syslog is:
Aug 19 10:12:44 smtp xl2tpd[3139]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Aug 19 10:12:45 smtp xl2tpd[3139]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Aug 19 10:12:49 smtp xl2tpd[3139]: Maximum retries exceeded for tunnel 4588. Closing.
Aug 19 10:12:49 smtp xl2tpd[3139]: Connection 10 closed to 123.208.64.224, port 1701 (Timeout)
Aug 19 10:12:49 smtp xl2tpd[3139]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Aug 19 10:12:54 smtp xl2tpd[3139]: Unable to deliver closing message for tunnel 4588. Destroying anyway.
And in /var/log/auth.log, I get:
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 19 10:12:40 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: responding to Main Mode from unknown peer 123.208.64.224
Aug 19 10:12:40 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 19 10:12:40 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 19 10:12:40 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #2: responding to Main Mode from unknown peer 123.208.64.224
Aug 19 10:12:40 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 19 10:12:40 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: Main mode peer ID is ID_FQDN: '@omnibook'
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: switched from "L2TP-PSK-noNAT" to "L2TP-PSK-noNAT"
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: I did not send a certificate because I do not have one.
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #3: responding to Quick Mode {msgid:be9e674c}
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 19 10:12:42 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 19 10:12:42 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0xb746ef51 <0x747a600c xfrm=3DES_0-HMAC_MD5 NATD=123.208.64.224:4500 DPD=none}
Aug 19 10:13:17 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: received Delete SA(0xb746ef51) payload: deleting IPSEC State #3
Aug 19 10:13:17 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: received and ignored informational message
Aug 19 10:13:17 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: received Delete SA payload: deleting ISAKMP State #1
Aug 19 10:13:17 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224: deleting connection "L2TP-PSK-noNAT" instance with peer 123.208.64.224 {isakmp=#0/ipsec=#0}
Aug 19 10:13:17 smtp pluto[8135]: packet from 123.208.64.224:4500: received and ignored informational message
Aug 19 10:13:50 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #2: max number of retransmissions (2) reached STATE_MAIN_R1
Aug 19 10:13:50 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224: deleting connection "L2TP-PSK-noNAT" instance with peer 123.208.64.224 {isakmp=#0/ipsec=#0}
Now this bit strikes me as odd:
> switched from "L2TP-PSK-noNAT" to "L2TP-PSK-noNAT"
Shouldn't it be switching from "L2TP-PSK-noNAT" to "L2TP-PSK-NAT"?
I started this exercise with Debian Etch, and I've upgraded to Lenny in
case I had come across a bug which has been already fixed. Ultimately,
however, it needs to run on Etch.
I've also done the same on a separate machine running Etch and I get the
same results, so I've mis-configured something somewhere, I just can't
see where.
I've tried with both l2tpd and xl2tpd, but I get the same results.
Any suggestions?
Regards,
Leigh
Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
Helpdesk 1300 300 616
email lsharpe at pacificwireless.com.au
web www.pacificwireless.com.au
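Editor's added example (not part of the post, and not Openswan or xl2tpd code): a small Python script that parses the pluto and xl2tpd lines quoted above and pulls out the three facts a reader would want to confirm before guessing further: what NAT-T decided about the peer versus the connection pluto actually stayed on (every "switched from X to Y" line has X == Y, which is the point Leigh raises), the NATD endpoint recorded in the established IPsec SA, and the repeated tunnel requests xl2tpd logged while that SA was up. The embedded log lines are copied from the post (de-wrapped, with the uninformative vendor-ID and state-transition lines left out); the function names, the per-peer summary layout and the reading of "Peer requested tunnel N twice" as a client retransmission are the example's own, and it assumes the tunnel id in that message and in "Connection N closed to" refer to the same tunnel, as they do in the quoted lines.

```python
import re
from collections import defaultdict

# Sample input copied from the post (pluto lines from auth.log, xl2tpd lines from
# syslog), de-wrapped so each record is one line. Vendor-ID and plain state
# transition lines are omitted because they add nothing to the summary.
PLUTO_LOG = """\
Aug 19 10:12:40 smtp pluto[8135]: packet from 123.208.64.224:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: Main mode peer ID is ID_FQDN: '@omnibook'
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[1] 123.208.64.224 #1: switched from "L2TP-PSK-noNAT" to "L2TP-PSK-noNAT"
Aug 19 10:12:41 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 19 10:12:42 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0xb746ef51 <0x747a600c xfrm=3DES_0-HMAC_MD5 NATD=123.208.64.224:4500 DPD=none}
Aug 19 10:13:17 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224 #1: received Delete SA(0xb746ef51) payload: deleting IPSEC State #3
Aug 19 10:13:17 smtp pluto[8135]: "L2TP-PSK-noNAT"[2] 123.208.64.224: deleting connection "L2TP-PSK-noNAT" instance with peer 123.208.64.224 {isakmp=#0/ipsec=#0}
"""

XL2TPD_LOG = """\
Aug 19 10:12:44 smtp xl2tpd[3139]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Aug 19 10:12:45 smtp xl2tpd[3139]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Aug 19 10:12:49 smtp xl2tpd[3139]: Maximum retries exceeded for tunnel 4588. Closing.
Aug 19 10:12:49 smtp xl2tpd[3139]: Connection 10 closed to 123.208.64.224, port 1701 (Timeout)
Aug 19 10:12:49 smtp xl2tpd[3139]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Aug 19 10:12:54 smtp xl2tpd[3139]: Unable to deliver closing message for tunnel 4588. Destroying anyway.
"""

# syslog prefix, then an optional '"conn"[instance] peer #sa: ' block, then the message
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: )?'
    r'(?P<msg>.*)$')
PACKET_RE = re.compile(r'^packet from ([\d.]+):(\d+): ')
SWITCH_RE = re.compile(r'switched from "([^"]+)" to "([^"]+)"')
NATD_RE = re.compile(r'NATD=([\d.]+:\d+)')
DUP_RE = re.compile(r'Peer requested tunnel (\d+) twice')
CLOSE_RE = re.compile(r'Connection (\d+) closed to ([\d.]+), port (\d+)')


def new_peer():
    return {"nat_t": None, "conns": set(), "switches": [], "isakmp": False,
            "ipsec": False, "natd": None, "ipsec_deleted": False}


def analyse_pluto(text):
    """Return {peer_ip: summary} for every peer seen in pluto log lines."""
    peers = defaultdict(new_peer)
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue
        msg, peer = m["msg"], m["peer"]
        if peer is None:  # pre-connection lines only carry "packet from a.b.c.d:port"
            pm = PACKET_RE.match(msg)
            if not pm:
                continue
            peer = pm.group(1)
        p = peers[peer]
        if m["conn"]:
            p["conns"].add(m["conn"])
        if "NAT-Traversal: Result" in msg:
            p["nat_t"] = "peer is NATed" in msg  # False for "no NAT detected"
        sw = SWITCH_RE.search(msg)
        if sw:
            p["switches"].append((sw.group(1), sw.group(2)))
        if "ISAKMP SA established" in msg:
            p["isakmp"] = True
        if "IPsec SA established" in msg:
            p["ipsec"] = True
            nm = NATD_RE.search(msg)
            p["natd"] = nm.group(1) if nm else None  # present only under NAT-T
        if "deleting IPSEC State" in msg:
            p["ipsec_deleted"] = True
    return dict(peers)


def analyse_xl2tpd(text):
    """Count repeated tunnel requests per tunnel id and map closed tunnels to (peer, port)."""
    dups, closed = defaultdict(int), {}
    for line in text.splitlines():
        d = DUP_RE.search(line)
        if d:
            dups[d.group(1)] += 1
        c = CLOSE_RE.search(line)
        if c:
            closed[c.group(1)] = (c.group(2), c.group(3))
    return {"dups": dict(dups), "closed": closed}


def findings(peers, l2tp):
    """Turn the two summaries into observations a reader can check against the raw logs."""
    out = []
    for ip, p in sorted(peers.items()):
        # NAT-T said the peer is NATed, yet no "switched from X to Y" line changed conn.
        if p["nat_t"] and all(src == dst for src, dst in p["switches"]):
            out.append(f"{ip}: NAT-T reports a NATed peer but pluto stayed on "
                       f"{', '.join(sorted(p['conns']))} (no switch to a NAT conn)")
        if p["ipsec"] and p["natd"]:
            out.append(f"{ip}: IPsec SA established, ESP encapsulated in UDP to {p['natd']}")
        # A tunnel requested again and again after the SA came up means the client kept
        # resending its request, i.e. it never saw the server's L2TP reply.
        tunnels = [t for t, (cip, _port) in l2tp["closed"].items() if cip == ip]
        dups = {t: l2tp["dups"][t] for t in tunnels if l2tp["dups"].get(t)}
        if p["ipsec"] and dups:
            detail = ", ".join(f"tunnel {t} re-requested {n}x" for t, n in sorted(dups.items()))
            out.append(f"{ip}: {detail} while the IPsec SA was up; "
                       f"L2TP replies are not reaching the client")
    return out


if __name__ == "__main__":
    for line in findings(analyse_pluto(PLUTO_LOG), analyse_xl2tpd(XL2TPD_LOG)):
        print(line)
```

Run it against a live `/var/log/auth.log` and `/var/log/syslog` by feeding their contents to `analyse_pluto` and `analyse_xl2tpd`; the per-peer dictionary is deliberately kept as plain data so a few more `if` lines cover other pluto messages (for instance a `NAT-Traversal: Result` line that reports no NAT, which the script records as `nat_t == False`).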