- The topology:

Windows XP SP2 - user A <-----> NAT (NAT-Traversal enabled) <-----> (public IP address) OpenSwan 2.4.9
Windows XP SP2 - user B
(private IP segment - 10.1.1.0/24)

- Description

(1) This is a case of L2TP over PSK-based IPsec. OpenSwan 2.4.9 and xl2tpd 1.1.11 are used. OpenSwan is running on OpenWRT Linux 2.4.30 + KLIPS.
(2) User A first initiates the L2TP/IPsec connection and the connection is established successfully.
(3) User B secondly tries to connect but fails.
(4) The NAT device is an OpenWRT WhiteRussian RC5.
(5) If user A and user B are not under the same NAT, both can connect to OpenSwan successfully.

- Config

<<<<<<<<<<<<<<<<<<<<< ipsec.conf >>>>>>>>>>>>>>>>>>
version 2.0
nat_traversal=yes
nhelpers=0

conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

<<<<<<<<<<<<<<<<<<<<< ipsec.secrets >>>>>>>>>>>>>>>>>>
x.x.x.x %any : PSK "ezpacket"

- Logs

===============> User A
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [FRAGMENTATION]
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
<4>Sep 28 19:09:05 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: responding to Main Mode from unknown peer 220.133.111.25
<4>Sep 28 19:09:05 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
<4>Sep 28 19:09:05 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: STATE_MAIN_R1: sent MR1, expecting MI2
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 220000 usec
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: STATE_MAIN_R2: sent MR2, expecting MI3
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: Main mode peer ID is ID_FQDN: '@700m'
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: switched from "L2TP-PSK" to "L2TP-PSK"
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: deleting connection "L2TP-PSK" instance with peer 220.133.111.25 {isakmp=#0/ipsec=#0}
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: I did not send a certificate because I do not have one.
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: responding to Quick Mode {msgid:f4dafcdf}
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<4>Sep 28 19:09:08 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
<4>Sep 28 19:09:08 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xaf47c1e2 <0x9f0bf7e6 xfrm=3DES_0-HMAC_MD5 NATD=220.133.111.25:1025 DPD=none}
<7>Sep 28 19:09:09 (none) xl2tpd[11580]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
<5>Sep 28 19:09:09 (none) xl2tpd[11580]: Connection established to 220.133.111.25, 1701. Local: 48069, Remote: 10 (ref=0/0). LNS session is 'default'
<5>Sep 28 19:09:09 (none) xl2tpd[11580]: Call established with 220.133.111.25, Local: 48477, Remote: 1, Serial: 0
<5>Sep 28 19:09:09 (none) pppd[14339]: pppd 2.4.3 started by root, uid 0
<7>Sep 28 19:09:09 (none) pppd[14339]: using channel 11
<6>Sep 28 19:09:09 (none) pppd[14339]: Using interface ppp1
<5>Sep 28 19:09:09 (none) pppd[14339]: Connect: ppp1 <--> /dev/pts/0
<7>Sep 28 19:09:09 (none) pppd[14339]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x465cb2f>]
<7>Sep 28 19:09:09 (none) pppd[14339]: rcvd [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x465cb2f>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x7af2472d> <pcomp> <accomp> <callback CBCP>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP ConfRej id=0x1 <pcomp> <accomp> <callback CBCP>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x7af2472d>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x7af2472d>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [CHAP Challenge id=0xae <71f098c677e554272d8646caee46cefeea073e>, name = "EZPacket"]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP code=0xc id=0x3 7a f2 47 2d 4d 53 52 41 53 56 35 2e 31 30]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP CodeRej id=0x2 0c 03 00 12 7a f2 47 2d 4d 53 52 41 53 56 35 2e 31 30]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP code=0xc id=0x4 7a f2 47 2d 4d 53 52 41 53 2d 30 2d 37 30 30 4d]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP CodeRej id=0x3 0c 04 00 14 7a f2 47 2d 4d 53 52 41 53 2d 30 2d 37 30 30 4d]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [CHAP Response id=0xae <cbad58839c85e97528de0013df111852>, name = "ezpacket"]
<4>Sep 28 19:09:11 (none) pppd[14339]: Warning - secret file /etc/ppp/chap-secrets has world and/or group access
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [CHAP Success id=0xae "Access granted"]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.1.253>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D +C>]
<4>Sep 28 19:09:11 (none) pppd[14339]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP ProtRej id=0x4 80 fd 01 05 00 0a 12 06 01 00 00 01]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfRej id=0x6 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfReq id=0x2 <addr 192.168.1.253>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfNak id=0x7 <addr 192.168.1.128> <ms-dns1 192.168.1.1> <ms-dns3 192.168.1.1>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.1.253>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfReq id=0x8 <addr 192.168.1.128> <ms-dns1 192.168.1.1> <ms-dns3 192.168.1.1>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfAck id=0x8 <addr 192.168.1.128> <ms-dns1 192.168.1.1> <ms-dns3 192.168.1.1>]
<6>Sep 28 19:09:11 (none) pppd[14339]: found interface br0 for proxy arp
<5>Sep 28 19:09:11 (none) pppd[14339]: local IP address 192.168.1.253
<5>Sep 28 19:09:11 (none) pppd[14339]: remote IP address 192.168.1.128
<7>Sep 28 19:09:11 (none) pppd[14339]: Script /etc/ppp/ip-up started (pid 14344)
<7>Sep 28 19:09:11 (none) pppd[14339]: Script /etc/ppp/ip-up finished (pid 14344), status = 0x1

===============> User B
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [FRAGMENTATION]
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: responding to Main Mode from unknown peer 220.133.111.25
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: STATE_MAIN_R1: sent MR1, expecting MI2
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 210000 usec
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: STATE_MAIN_R2: sent MR2, expecting MI3
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: Main mode peer ID is ID_FQDN: '@x31'
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: switched from "L2TP-PSK" to "L2TP-PSK"
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: I did not send a certificate because I do not have one.
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #6: responding to Quick Mode {msgid:c2ea9131}
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #6: cannot install eroute -- it is in use for "L2TP-PSK"[4] 220.133.111.25 #4
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc2ea9131 (perhaps this is a duplicated packet)
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: sending encrypted notification INVALID_MESSAGE_ID to 220.133.111.25:4500
<4>Sep 28 19:12:54 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc2ea9131 (perhaps this is a duplicated packet)
<4>Sep 28 19:12:54 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: sending encrypted notification INVALID_MESSAGE_ID to 220.133.111.25:4500

- pluto keeps complaining about duplicate msg id.
- Any idea?
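Added here as an example, not part of the post and not Openswan's own code: a small Python checker that reads pluto lines of the kind quoted above (re-joined from the constructed sample below) and flags the pattern the log shows, a second peer identity arriving from the same NATed address and then being refused the eroute that the first client still holds. The regexes and field names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, re-joined from the pluto lines quoted in the post
# (user A at 19:09, user B at 19:12; both arrive from the NAT's public address).
SAMPLE_LOG = """\
Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: Main mode peer ID is ID_FQDN: '@700m'
Sep 28 19:09:08 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xaf47c1e2 <0x9f0bf7e6 xfrm=3DES_0-HMAC_MD5 NATD=220.133.111.25:1025 DPD=none}
Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: Main mode peer ID is ID_FQDN: '@x31'
Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #6: cannot install eroute -- it is in use for "L2TP-PSK"[4] 220.133.111.25 #4
Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc2ea9131 (perhaps this is a duplicated packet)
"""

# Assumed layout: pluto[pid]: "conn"[instance] peer-ip #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)')
ID_RE = re.compile(r"peer ID is \S+: '(?P<id>[^']+)'")
NATD_RE = re.compile(r"NATD=(?P<addr>[\d.]+:\d+)")

def analyze(log_text):
    """Group pluto events by peer address; report peers where more than one
    identity showed up and a later one was refused the eroute."""
    peers = defaultdict(lambda: {"ids": [], "sas": [], "eroute_conflicts": 0, "dup_msgid": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # packet-from lines and non-pluto daemons carry no instance
        p, msg = peers[m["peer"]], m["msg"]
        if (i := ID_RE.search(msg)) and i["id"] not in p["ids"]:
            p["ids"].append(i["id"])          # distinct client behind this address
        if "IPsec SA established" in msg:
            n = NATD_RE.search(msg)           # NAT-T source port the SA is bound to
            p["sas"].append((int(m["inst"]), n["addr"] if n else None))
        if "cannot install eroute" in msg:
            p["eroute_conflicts"] += 1
        if "previously used Message ID" in msg:
            p["dup_msgid"] += 1
    findings = []
    for peer, p in peers.items():
        if len(p["ids"]) > 1 and p["eroute_conflicts"]:
            findings.append(f"{peer}: {len(p['ids'])} client identities {p['ids']} share one NAT address; "
                            f"{p['eroute_conflicts']} eroute conflict(s), {p['dup_msgid']} duplicate-msgid rejection(s)")
    return dict(peers), findings

if __name__ == "__main__":
    _, found = analyze(SAMPLE_LOG)
    print("\n".join(found) or "no overlapping NATed clients detected")
```

The duplicate-msgid rejections are counted only as a symptom; the finding keys on the eroute conflict, which is the first thing pluto reports for user B's Quick Mode.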