<br><font size=2 face="sans-serif">Hi,</font>
<br>
<br><font size=2 face="sans-serif">I followed your suggestions
to upgrade my XP box to SP2 and open </font><font size=2><tt>4500/udp</tt></font><font size=2 face="sans-serif">
(I even allow all traffic), but this doesn't work! The ISAKMP SA is also
established, but I still can't talk with the remote host behind my VPN
gateway </font><font size=2><tt>(kernel 2.4.20-8, openswan-1.0.8 with NAT-Traversal
feature).</tt></font>
<br><font size=2><tt>www.openswan.org recommended that I
use openswan-1.0.8; they say it is the most stable one, as our environment
is a production system.</tt></font>
<br><font size=2><tt>Because my road-warrior (Windows
XP box) is behind a Cisco router (which has NAT set properly), that is why I enabled
NAT Traversal on my Linux gateway. My topology is:</tt></font>
<br>
<br><font size=2><tt>xpbox---cisco router-------internet -----------redhat
linux gateway( with iptables and openswan)--------remote host</tt></font>
<br>
<br>
<br><font size=2><tt>Communication between the XP box and the remote box over a secure
tunnel is my purpose; for example, running some client program to access an application
server on the remote host.</tt></font>
<br>
<br><font size=2><tt>Like before, I always get "Negotiating IP Security"
and then "Request timed out", or maybe first "Request timed out" and then "Negotiating
IP Security". I don't know why. I am really worried about this. For
your review I paste some information; I hope it can give you some hints!</tt></font>
<br>
<br><font size=2><tt>[root@localhost rc.d]# ipsec barf </tt></font>
<br>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: ike_alg_register_enc():
Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: Changing
to directory '/etc/ipsec.d/cacerts'</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]:
loaded cacert file 'cacert.pem' (1359 bytes)</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: Changing
to directory '/etc/ipsec.d/crls'</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]:
loaded crl file 'crl.pem' (540 bytes)</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: OpenPGP
certificate file '/etc/pgpcert.pgp' not found</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: | from
whack: got --esp=3des</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: | from
whack: got --ike=3des</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]:
loaded host cert file '/etc/ipsec.d/gateway.ensemble.com.pem' (3745 bytes)</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: added
connection description "roadworrior-net"</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: listening
for IKE messages</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: adding
interface ipsec0/eth0 218.106.186.84</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: adding
interface ipsec0/eth0 218.106.186.84:4500</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]: loading
secrets from "/etc/ipsec.secrets"</tt></font>
<br><font size=2><tt>Feb 2 02:22:19 localhost pluto[11566]:
loaded private key file '/etc/ipsec.d/private/gateway.ensemble.com.key'
(1683 bytes)</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: packet
from 219.239.37.132:18641: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: packet
from 219.239.37.132:18641: ignoring Vendor ID payload [FRAGMENTATION]</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: packet
from 219.239.37.132:18641: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: packet
from 219.239.37.132:18641: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1]
219.239.37.132:18641 #1: responding to Main Mode from unknown peer 219.239.37.132:18641</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1]
219.239.37.132:18641 #1: transition from state (null) to state STATE_MAIN_R1</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1]
219.239.37.132:18641 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
peer is NATed</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1]
219.239.37.132:18641 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1]
219.239.37.132:18641 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=BJ,
L=BJ, O=Ensemble International, OU=System department, CN=WINHOST, E=coffeeboy7411@ensemble.com.cn'</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18641 #1: deleting connection "roadworrior-net"
instance with peer 219.239.37.132</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18641 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: | NAT-T:
new mapping 219.239.37.132:18641/18642)</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18642 #1: sent MR3, ISAKMP SA established</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18642 #2: responding to Quick Mode</tt></font>
<br><font size=2><tt>Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18642 #2: transition from state (null) to state STATE_QUICK_R1</tt></font>
<br><font size=2><tt>Feb 2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18642 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2</tt></font>
<br><font size=2><tt>Feb 2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18642 #2: IPsec SA established</tt></font>
<br><font size=2><tt>Feb 2 02:27:12 localhost pluto[11566]: "roadworrior-net"[2]
219.239.37.132:18642 #2: nat_traversal_new_mapping: address change currently
not supported [219.239.37.132:18642,219.239.37.131:45193]</tt></font>
<br><font size=2><tt>+ _________________________ date</tt></font>
<br><font size=2><tt>+ date</tt></font>
<br><font size=2><tt>Wed Feb 2 02:27:34 CST 2005</tt></font>
<br><font size=2><tt>[root@localhost rc.d]# </tt></font>
<br>
<br>
<br><font size=2><tt>Can you also check the ipsec.conf for me? Thanks
a million!</tt></font>
<br>
<br>
<br><font size=3><tt>linux side ipsec.conf:</tt></font>
<br>
<br><font size=3><tt>config setup</tt></font>
<br><font size=3><tt> </tt></font>
<br><font size=3><tt> interfaces="ipsec0=eth0"</tt></font>
<br><font size=3><tt> nat_traversal=yes</tt></font>
<br><font size=3><tt> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16</tt></font>
<br><font size=3><tt> klipsdebug=none</tt></font>
<br><font size=3><tt> plutodebug=none</tt></font>
<br><font size=3><tt> plutoload=%search</tt></font>
<br><font size=3><tt> plutostart=%search</tt></font>
<br><font size=3><tt> plutowait=no</tt></font>
<br><font size=3><tt> uniqueids=yes</tt></font>
<br><font size=3><tt>conn %default</tt></font>
<br>
<br><font size=3><tt> keyingtries=1</tt></font>
<br><font size=3><tt> compress=yes</tt></font>
<br><font size=3><tt> disablearrivalcheck=no</tt></font>
<br><font size=3><tt> authby=rsasig</tt></font>
<br><font size=3><tt> leftrsasigkey=%cert</tt></font>
<br><font size=3><tt> rightrsasigkey=%cert</tt></font>
<br>
<br><font size=3><tt>conn roadworrior-net</tt></font>
<br><font size=3><tt> left=68.106.186.85</tt></font>
<br><font size=3><tt> leftnexthop=68.106.186.81</tt></font>
<br><font size=3><tt> leftsubnet=192.168.0.0/16</tt></font>
<br><font size=3><tt> leftcert=gateway.semble.com.pem</tt></font>
<br><font size=3><tt> right=%any</tt></font>
<br><font size=3><tt> rightsubnet=vhost:%no,%priv</tt></font>
<br><font size=3><tt> auto=add</tt></font>
<br><font size=3><tt> pfs=yes</tt></font>
<br>
<br><font size=3><tt>windows side ipsec.conf</tt></font>
<br><font size=3><tt>conn roadwarrior</tt></font>
<br><font size=3><tt> left=68.106.186.85</tt></font>
<br><font size=3><tt> leftsubnet=192.168.0.0/16</tt></font>
<br><font size=3><tt> right=%any</tt></font>
<br><font size=3><tt> rightca="C=CN, S=BJ, L=BJ, O=semble International,
OU=System department, CN=FIREWALL, E=lidong.li@ensemble.com.cn"</tt></font>
<br><font size=3><tt> network=auto</tt></font>
<br><font size=3><tt> auto=start</tt></font>
<br><font size=3><tt> pfs=yes</tt></font>
<br>
<br>
<br>
<br>
<br>
<br><font size=2 face="sans-serif">tony<br>
<br>
Best Regards,<br>
<br>
</font>
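<br><font size=2 face="sans-serif">The line "NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed" in the ipsec barf output above is the outcome of the NAT-D exchange from draft-ietf-ipsec-nat-t-ike-02 (later RFC 3947): each side sends hashes of the ISAKMP cookies together with the address and port it believes the peer is at and the address it believes itself to be at, and the receiver compares those against what actually arrived on the wire. The Python below is an added example written for this page, not openswan or Microsoft code. The gateway address 218.106.186.84:500 and the peer as seen 219.239.37.132:18641 are taken from the log; the XP box's private address 192.168.1.10 and the two cookie values are made up for the example.</font>

```python
import hashlib
import socket
import struct
from typing import Dict, List


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), as in
    draft-ietf-ipsec-nat-t-ike-02 / RFC 3947 section 3.2. IP is 4 octets and
    Port 2 octets, both in network byte order; the hash is the one negotiated
    for the ISAKMP SA (SHA-1 assumed here)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 octets each")
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def natt_vendor_id(draft_name: str) -> str:
    """The NAT-T Vendor ID a peer advertises in Main Mode is MD5 of the draft
    name. Windows XP sends the variant with a trailing newline, which pluto
    logs as [draft-ietf-ipsec-nat-t-ike-02_n]."""
    return hashlib.md5(draft_name.encode("ascii")).hexdigest()


def build_natd_payloads(cky_i: bytes, cky_r: bytes,
                        local_ip: str, local_port: int,
                        remote_ip: str, remote_port: int) -> List[bytes]:
    """What a sender puts in its NAT-D payloads: first the hash of the address
    it believes the *peer* is at, then the hash of its own (pre-NAT) address."""
    return [
        natd_hash(cky_i, cky_r, remote_ip, remote_port),
        natd_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i: bytes, cky_r: bytes, received: List[bytes],
               my_ip: str, my_port: int,
               seen_src_ip: str, seen_src_port: int) -> Dict[str, bool]:
    """Receiver-side comparison.
    - received[0] is the peer's idea of *my* address; if it differs from the
      hash of my real address, I am behind a NAT.
    - received[1:] are the peer's own addresses; if none equals the hash of the
      source address/port the packet actually came from, the peer is NATed."""
    self_natted = received[0] != natd_hash(cky_i, cky_r, my_ip, my_port)
    seen = natd_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_natted = seen not in received[1:]
    return {"self_natted": self_natted, "peer_natted": peer_natted}


def run_example() -> Dict[str, Dict[str, bool]]:
    cky_i = bytes.fromhex("0123456789abcdef")  # made-up initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")  # made-up responder cookie
    gateway = ("218.106.186.84", 500)          # from the pluto log above
    xp_private = ("192.168.1.10", 500)         # assumed private address of the XP box
    xp_as_seen = ("219.239.37.132", 18641)     # source the gateway logged (Cisco NAT)

    # Road warrior behind the Cisco NAT: it hashes its *private* address, but the
    # packet reaches the gateway from the NAT's public address and a translated port.
    natd_from_xp = build_natd_payloads(cky_i, cky_r, *xp_private, *gateway)
    natted = detect_nat(cky_i, cky_r, natd_from_xp, *gateway, *xp_as_seen)

    # Same peer with a public address and no translation: every hash lines up.
    public = ("219.239.37.132", 500)
    natd_direct = build_natd_payloads(cky_i, cky_r, *public, *gateway)
    direct = detect_nat(cky_i, cky_r, natd_direct, *gateway, *public)
    return {"behind_cisco_nat": natted, "no_nat": direct}


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
    print("draft-02_n Vendor ID:", natt_vendor_id("draft-ietf-ipsec-nat-t-ike-02\n"))
```

<br><font size=2 face="sans-serif">This comparison is also why 4500/udp has to be open alongside 500/udp: once either side is found to be NATed, IKE and the ESP traffic move to UDP 4500, which is the second interface pluto lists above (218.106.186.84:4500), and the "NAT-T: new mapping 219.239.37.132:18641/18642" line is the Cisco NAT's translation of that port.</font>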
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Nate Carlson <natecars@natecarlson.com></b>
</font>
<p><font size=1 face="sans-serif">2005-02-01 23:35</font>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">lidongli@ensemble.com.cn</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">Re: help, Urgent! IPsec SA
is established, trouble with pinging and other
traffic</font></table>
<br>
<br></table>
<br>
<br>
<br><font size=2><tt>On Tue, 1 Feb 2005 lidongli@ensemble.com.cn wrote:<br>
> I'm currently in the middle of setting up an IPSec connection which
will <br>
> have a road warrior (running Windows XP) connecting to a Redhat 9.0
box <br>
> (kernel 2.4.20-8, openswan-1.0.8 with NATTraversal feature )<br>
<br>
Just curious, any reason you're not using a more recent version (2.2.x)
of <br>
Openswan? The 1.x versions work fine, they are just old. :)<br>
<br>
> what's more about access control, for roadworrior, on the cisco router
, <br>
> there is no restriction for internal clients ; on the linux box ,UDP
<br>
> 500, ESP(50),AH(51) had been allowed from and to the internet , accepted
<br>
> by output, input, and forward chain in iptables .<br>
<br>
Have you allowed 4500/udp? If you are using NAT Traversal, that port is
<br>
also required.<br>
<br>
> I've set up the IPSec connection using the snap-in in MMC ,When I
ping <br>
> from the Windows box, it shows "Negotiating IP Security",
followed by <br>
> request timed out. It doesn't matter how long I try, I keep getting
<br>
> request timed out.<br>
<br>
Check the logs in event viewer - they will often indicate what the problem
<br>
is (in a lot nicer format than the oakley logs, too!)<br>
<br>
> To verify that I have rightca set properly, follow these instructions:<br>
<...><br>
> It should be right , but I still get the request timed out ! :)<br>
<br>
OK, that's good!<br>
<br>
> 219.239.37.131:58868 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
to replace #2<br>
> Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2]
219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed
in quick_outI1. Errno 1: Operation not permitted<br>
><br>
> IPsec SA is indeed established, but I couldn't ping the internal box
<br>
> behind Redhat gateway from the Roadworrior. pings in both directions
<br>
> can not work properly.<br>
<br>
It's failing to get to Main Mode, which is where you can actually exchange
<br>
packets.<br>
<br>
A few suggestions:<br>
<br>
- Make sure the XP box is at SP2<br>
- Run tcpdump on eth0 of the Linux box, and see what type of packets flow<br>
across when it's trying to initialize main mode<br>
- Try opening 4500/udp or disabling NAT Traversal.<br>
<br>
> I hope some one out there will have suggestions on solving this, as
I'm <br>
> beginning to tear my hair out. I just paste ipsec.conf on linux side
and <br>
> ipsec.conf windows xp side here for solving problem .<br>
<br>
Let me know if this doesn't help!<br>
<br>
------------------------------------------------------------------------<br>
| nate carlson | natecars@natecarlson.com | http://www.natecarlson.com
|<br>
| depriving some poor village of its idiot since 1981
|<br>
------------------------------------------------------------------------<br>
</tt></font>
<br>
<br><font size=2 face="sans-serif">lilidong<br>
Ensemble International Ltd..<br>
Tel: 8610-82782892 ext. 319<br>
Fax: 8610-82783467<br>
http://www.ensembleintl.com<br>
Best Regards,<br>
<br>
</font>
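<br><font size=2 face="sans-serif">To pull the sequence of events out of the pluto log earlier in this thread without reading every line, here is an added Python helper written for this page (not part of openswan). It extracts the NAT-T Vendor ID, the NAT detection result, the port float, the two SA establishments and the final nat_traversal_new_mapping message, and reports when the peer's public address changes after the IPsec SA was already up, which the log message itself says this pluto version does not support. The sample lines are copied from the ipsec barf output above.</font>

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]

# Lines copied from the `ipsec barf` output posted earlier in this thread.
SAMPLE_LOG = """\
Feb 2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: responding to Main Mode from unknown peer 219.239.37.132:18641
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 2 02:26:44 localhost pluto[11566]: | NAT-T: new mapping 219.239.37.132:18641/18642)
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #1: sent MR3, ISAKMP SA established
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: responding to Quick Mode
Feb 2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: IPsec SA established
Feb 2 02:27:12 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: nat_traversal_new_mapping: address change currently not supported [219.239.37.132:18642,219.239.37.131:45193]
"""

RE_NATT_VID = re.compile(r"received Vendor ID payload \[(draft-ietf-ipsec-nat-t-ike-\S+)\]")
RE_PEER_NATED = re.compile(r"NAT-Traversal: Result using \S+: peer is NATed")
RE_PORT_FLOAT = re.compile(r"NAT-T: new mapping ([\d.]+):(\d+)/(\d+)")
RE_ISAKMP_SA = re.compile(r"#(\d+): .*ISAKMP SA established")
RE_IPSEC_SA = re.compile(r"#(\d+): IPsec SA established")
RE_ADDR_CHANGE = re.compile(
    r"nat_traversal_new_mapping: address change currently not supported "
    r"\[([\d.]+):(\d+),([\d.]+):(\d+)\]")


@dataclass
class PlutoSession:
    natt_vid: Optional[str] = None
    peer_natted: bool = False
    port_float: Optional[Tuple[str, int, int]] = None       # (ip, old_port, new_port)
    isakmp_sa: Optional[int] = None                          # pluto state number of phase 1
    ipsec_sa: Optional[int] = None                           # pluto state number of phase 2
    address_change: Optional[Tuple[Endpoint, Endpoint]] = None


def analyze(log_text: str) -> PlutoSession:
    """Walk the log once and keep the last value seen for each event."""
    s = PlutoSession()
    for line in log_text.splitlines():
        if m := RE_NATT_VID.search(line):
            s.natt_vid = m.group(1)
        elif RE_PEER_NATED.search(line):
            s.peer_natted = True
        elif m := RE_PORT_FLOAT.search(line):
            s.port_float = (m.group(1), int(m.group(2)), int(m.group(3)))
        elif m := RE_ISAKMP_SA.search(line):
            s.isakmp_sa = int(m.group(1))
        elif m := RE_IPSEC_SA.search(line):
            s.ipsec_sa = int(m.group(1))
        elif m := RE_ADDR_CHANGE.search(line):
            s.address_change = ((m.group(1), int(m.group(2))),
                                (m.group(3), int(m.group(4))))
    return s


def findings(s: PlutoSession) -> List[str]:
    """Human-readable summary; the address-change finding is the one that
    separates this log from a plain firewall problem."""
    out: List[str] = []
    if s.peer_natted and s.port_float:
        ip, old, new = s.port_float
        out.append(f"peer {ip} is NATed; after the float to udp/4500 the NAT "
                   f"presents it at udp/{new} (was udp/{old})")
    if s.isakmp_sa is not None and s.ipsec_sa is not None:
        out.append(f"phase 1 (#{s.isakmp_sa}) and phase 2 (#{s.ipsec_sa}) both completed")
    if s.address_change:
        (old_ip, old_port), (new_ip, new_port) = s.address_change
        if old_ip != new_ip:
            out.append(f"peer public address changed {old_ip}:{old_port} -> {new_ip}:{new_port} "
                       "after the IPsec SA came up; pluto reports this as unsupported, so traffic "
                       "from the new address is not matched to the SA")
        else:
            out.append(f"peer NAT port changed {old_port} -> {new_port} on {old_ip}")
    return out


if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LOG)):
        print("-", f)
```

<br><font size=2 face="sans-serif">Feed it the real pluto log instead of SAMPLE_LOG. On the log above the third finding is the interesting one: the second endpoint in the nat_traversal_new_mapping message is a different public address (219.239.37.131) from the one both SAs were negotiated with (219.239.37.132), so it is the translation on the Cisco side, not the iptables rules for 500/udp, 4500/udp, ESP and AH, that the tcpdump Nate suggests should be checked against.</font>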