<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=390240303-11032004><FONT size=2>Hi All,</FONT></SPAN></DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2>Following Jacco's page, I
set up an L2TP/IPSEC VPN.</FONT></SPAN></DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2>My case is: our VPN
roadwarriors (WinXP, 2000) are in the public network or behind a NAT device, and our
VPN server is in the public network. VPN clients can access our internal network over an
L2TP/IPSEC connection.</FONT></SPAN></DIV>
<DIV><SPAN class=390240303-11032004>
<DIV><SPAN class=390240303-11032004><FONT size=2>Now it is running, and the clients
behind one NAT device can connect too. Thanks to Jacco and you
all!</FONT></SPAN></DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2>I am using: Openswan Version
1.0.1rc2 including X.509 patch with traffic selectors (Version 0.9.37)
and NAT-Traversal patch (Version 0.6)</FONT></SPAN></DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2>I tried to let a roadwarrior
(WinXP, 2000) behind two NATs (that is, it reaches the Internet through two
NATs) access the internal network by L2TP/IPSEC; our VPN server is in the public
network. But I failed.</FONT></SPAN></DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2>Behind one NAT is OK, but
behind two NATs it fails. Here are the failed logs:</FONT></SPAN></DIV>
<DIV><SPAN class=390240303-11032004><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=390240303-11032004>
<DIV><SPAN class=812004805-27022004><FONT size=2>Feb 27 20:37:55 vpngw
pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]<BR>Feb 27 20:37:55 vpngw pluto[3370]: packet from
a.b.c.d:500: ignoring Vendor ID payload [FRAGMENTATION]<BR>Feb 27 20:37:55 vpngw
pluto[3370]: packet from a.b.c.d:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]<BR>Feb 27 20:37:55 vpngw pluto[3370]: packet
from a.b.c.d:500: ignoring Vendor ID payload [26244d38eddb61b3...]<BR>Feb 27
20:37:55 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: responding to
Main Mode from unknown peer a.b.c.d<BR>Feb 27 20:37:55 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: transition from state (null) to state
STATE_MAIN_R1<BR>Feb 27 20:37:56 vpngw pluto[3370]: packet from a.b.c.d:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]<BR>Feb 27 20:37:56
vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload
[FRAGMENTATION]<BR>Feb 27 20:37:56 vpngw pluto[3370]: packet from a.b.c.d:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<BR>Feb 27 20:37:56
vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload
[26244d38eddb61b3...]<BR>Feb 27 20:37:56 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #4: responding to Main Mode from unknown peer
a.b.c.d<BR>Feb 27 20:37:56 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d
#4: transition from state (null) to state STATE_MAIN_R1<BR>Feb 27 20:37:57 vpngw
pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed<BR>Feb 27 20:37:57 vpngw
pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2<BR>Feb 27 20:37:57 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: Main mode peer ID is ID_DER_ASN1_DN:
'C=CN, ST=Beijing, L=BJ, O=abcd, OU=Tech, CN=tom.abcd.net,
E=tom@abcd.net'<BR>Feb 27 20:37:57 vpngw
pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d #3: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3<BR>Feb 27 20:37:57 vpngw pluto[3370]: |
NAT-T: new mapping a.b.c.d:500/65202)<BR>Feb 27 20:37:57 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: sent MR3, ISAKMP SA
established<BR>Feb 27 20:38:04 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: discarding duplicate packet --
exhausted retransmission; already STATE_MAIN_R3<BR>Feb 27 20:38:28 vpngw last
message repeated 2 times<BR>Feb 27 20:39:00 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: next payload type of ISAKMP Hash
Payload has an unknown value: 118<BR>Feb 27 20:39:00 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: malformed payload in packet<BR>Feb
27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3:
sending notification PAYLOAD_MALFORMED to a.b.c.d:65202<BR>Feb 27 20:39:06 vpngw
pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d:65202 #4: max number of
retransmissions (2) reached STATE_MAIN_R1<BR>Feb 27 20:39:06 vpngw pluto[3370]:
"L2TP-CERT-orgWIN2KXP"[3] a.b.c.d:65202: deleting connection
"L2TP-CERT-oWIN2KXP" instance with peer a.b.c.d</FONT></SPAN></DIV>
<DIV><SPAN class=812004805-27022004><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=812004805-27022004><SPAN class=390240303-11032004><FONT
size=2>My question is: does the current NAT-T patch support clients behind two
NATs?</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=812004805-27022004><SPAN class=390240303-11032004><FONT
size=2>If not, is there any workaround?</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=812004805-27022004><SPAN class=390240303-11032004><FONT
size=2></FONT></SPAN></SPAN> </DIV>
<DIV><SPAN class=812004805-27022004><SPAN class=390240303-11032004><FONT
size=2>Any help or comments will be appreciated!</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=812004805-27022004><SPAN class=390240303-11032004><FONT
size=2></FONT></SPAN></SPAN> </DIV>
<DIV><SPAN class=812004805-27022004><SPAN class=390240303-11032004><FONT
size=2>ZJ</FONT></SPAN></SPAN></DIV></SPAN></DIV></SPAN></DIV></BODY></HTML>
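An added diagnostic example, not from the post or from Openswan: a small Python parser that groups pluto log messages by ISAKMP SA number, records the NAT-T port float, and flags the pattern shown above, where Phase 1 completes over NAT-T but the packets that follow are rejected as malformed. The sample log lines are constructed by trimming the ones quoted in the post; the placeholder address a.b.c.d is kept as posted.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the pluto log quoted in the post
# (placeholder peer address a.b.c.d and the connection name kept as posted).
SAMPLE_LOG = """\
Feb 27 20:37:55 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: transition from state (null) to state STATE_MAIN_R1
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 27 20:37:57 vpngw pluto[3370]: | NAT-T: new mapping a.b.c.d:500/65202)
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: sent MR3, ISAKMP SA established
Feb 27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: next payload type of ISAKMP Hash Payload has an unknown value: 118
Feb 27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: malformed payload in packet
Feb 27 20:39:06 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d:65202 #4: max number of retransmissions (2) reached STATE_MAIN_R1
"""
SA_RE = re.compile(r'#(\d+): (.*)$')                          # "#3: <message>"
TRANS_RE = re.compile(r'transition from state \S+ to state (\S+)')
NATT_RE = re.compile(r'NAT-Traversal: Result using \S+: (.*)$')
MAP_RE = re.compile(r'NAT-T: new mapping (\S+):(\d+)/(\d+)')  # addr:oldport/newport

def parse_pluto(text):
    """Group pluto messages by ISAKMP SA number; record NAT-T port floats separately."""
    sas = defaultdict(lambda: {"states": [], "nat": None, "established": False, "malformed": 0, "timeout": False})
    floats = []
    for line in text.splitlines():
        if m := MAP_RE.search(line):   # peer port changed after NAT detection (500 -> NAT-mapped port)
            floats.append((m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        if not (m := SA_RE.search(line)):
            continue
        sa, msg = sas[int(m.group(1))], m.group(2)
        if t := TRANS_RE.search(msg):
            sa["states"].append(t.group(1))
        if n := NATT_RE.search(msg):
            sa["nat"] = n.group(1)
        sa["established"] |= "ISAKMP SA established" in msg
        sa["malformed"] += "malformed payload" in msg
        sa["timeout"] |= "max number of retransmissions" in msg
    return dict(sas), floats

def diagnose(sas):
    """Flag SAs that finished Phase 1 but then got unparsable packets, or never finished it."""
    out = []
    for num, sa in sorted(sas.items()):
        if sa["established"] and sa["malformed"]:
            out.append(f"#{num}: Phase 1 completed ({sa['nat']}) but {sa['malformed']} "
                       f"malformed packet(s) followed; Phase 2 never started")
        elif sa["timeout"]:
            out.append(f"#{num}: Phase 1 never completed, retransmissions exhausted")
    return out
```

Run `diagnose(parse_pluto(open("/var/log/secure").read())[0])` against a real pluto log to get the same per-SA summary.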