Hi !<br>
<br>
I'm trying to get a connection with NATed clients using either Linux/Openswan and Windows 2000/XP.<br>
<br>
I've followed the instructions from <a href="http://www.natecarlson.com/linux/ipsec-x509.php">http://www.natecarlson.com/linux/ipsec-x509.php</a>. <br>
<br>
I have to mention that we had SuSE linux 9.0 with FreeSwan 1.99 + X.509
Patch, and it was running smoothly for over a year with NATed and
non-NATed clients. Now, we upgraded to Fedora Core 4 running Openswan
2.4.4 and the VPNs connections are not working. Only works if the
client is not NATed.<br>
<br>
I'm using X.509 certificates (the same certificates used with SuSE and FreeSWAN). Here is my configuration:<br>
<br>
version 2.0<br>
<br>
config setup<br>
interfaces=%defaultroute<br>
nat_traversal=yes<br>
virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "10.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16</a><br>
<br>
conn %default<br>
keyingtries=1<br>
compress=yes<br>
disablearrivalcheck=no<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
<br>
conn block<br>
auto=ignore<br>
<br>
conn private<br>
auto=ignore<br>
<br>
conn private-or-clear<br>
auto=ignore<br>
<br>
conn clear-or-private<br>
auto=ignore<br>
<br>
conn clear<br>
auto=ignore<br>
<br>
conn packetdefault<br>
auto=ignore<br>
<br>
conn roadwarrior-net<br>
leftsubnet=(local ip net)/(local subnet)<br>
also=roadwarrior<br>
<br>
conn roadwarrior<br>
left=%defaultroute<br>
leftcert=(vpn gateway x.509 certificate file)<br>
right=%any<br>
rightsubnet=vhost:%no,%priv<br>
auto=add<br>
pfs=yes<br>
<br>
So, when i try to initiate a manual connection from a Linux NATed client, here are the steps:<br>
<br>
ipsec auto --verbose --up roadwarrior<br>
002 "roadwarrior" #1: initiating Main Mode<br>
104 "roadwarrior" #1: STATE_MAIN_I1: initiate<br>
003 "roadwarrior" #1: ignoring unknown Vendor ID payload [4f45647c6b5d646e6a744347]<br>
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]<br>
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109<br>
002 "roadwarrior" #1: enabling possible NAT-traversal with method 3<br>
002 "roadwarrior" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting
MR2<br>
003 "roadwarrior" #1: NAT-Traversal: Result using 3: i am NATed<br>
002 "roadwarrior" #1: I am sending my cert<br>
002 "roadwarrior" #1: I am sending a certificate request<br>
002 "roadwarrior" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting
MR3<br>
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3<br>
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for response<br>
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3<br>
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 40s for response<br>
031 "roadwarrior" #1: max number of retransmissions (2) reached
STATE_MAIN_I3. Possible authentication failure: no acceptable response
to our first encrypted message<br>
<br>
And, on the gateway side (which it's not NATed) here is the log:<br>
<br>
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]<br>
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [Dead Peer Detection]<br>
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [RFC 3947] method set to=109<br>
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 109<br>
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 109<br>
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
Jan 30 14:30:33 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: responding to Main Mode from unknown peer <a href="http://201.240.76.12"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "201.240.76.12" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 201.240.76.12</a><br>
Jan 30 14:30:33 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Jan 30 14:30:33 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: NAT-Traversal: Result using 3: peer is NATed<br>
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Jan 30 14:31:44 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: max number of retransmissions (2) reached STATE_MAIN_R2<br>
Jan 30 14:31:44 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w: deleting
connection "roadwarrior" instance with peer x.y.z.w {isakmp=#0/ipsec=#0}<br>
<br>
So, it seems the Main Initiator Phase 3 from the client, does not reach
the VPN gateway, the Client says it sent it, but the Gateway claims
it'is missing.<br>
<br>
NATed IPsec<br>
Client
Gateway<br>
<pre> MI1 ----------><br> <---------- MR1<br> MI2 ----------> <br> <---------- MR2<br> MI3 ----------> ( LOST ! )<br> <---------- MR3 ( NEVER COMES ! )<br>
<br>However, if i move this client, to a non-NATed connection, the connection success.<br></pre>
<h4><a name="struct.exchange"></a></h4>
I've been playing around for 3 or 4 days, and i really can't sleep. I would appreciate any help you could give me.<br>
<br>
Thanks in advance.<br>