Hi all,<br><br>I have problems with NAT-T. Roadwarrior is FortiClient on WinXP. It works when not behind NAT. Where should I look for error? Here are two parts of log file, one for client behind NAT, and another for client with public IP:<br>
<br><br>Client behind NAT:<br>===============================================================================================================================================<br><br>Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received Vendor ID payload [Dead Peer Detection]<br>
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]<br>Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]<br>
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: responding to Main Mode from unknown peer cl1.x.x.x<br>Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received Vendor ID payload [Dead Peer Detection]<br>
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]<br>Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]<br>
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: responding to Main Mode from unknown peer cl1.x.x.x<br>Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: STATE_MAIN_R1: sent MR1, expecting MI2<br>Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed <-- Mislim da je ovo "kvaka"!<br>
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=RS, ST=Serbia, O=blabla, OU=blabla, CN=Aleksandar Markovic, E=<a href="mailto:markoni@blabla.co.yu">markoni@blabla.co.yu</a>'<br>
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: crl update for "C=RS, ST=Serbia, L=Belgrade, O=blabla, CN=No.1" is overdue since Mar 25 15:20:26 UTC 2008<br>Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: I am sending my cert<br>
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Apr 16 11:18:47 blabla pluto[2108]: | NAT-T: new mapping cl1.x.x.x:62960/62961)Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<br>
Apr 16 11:18:48 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: cannot respond to IPsec SA request because no connection is known for <a href="http://10.78.83.0/24===srv.x.x.x[C=RS">10.78.83.0/24===srv.x.x.x[C=RS</a>, ST=Serbia, O=blabla, CN=Test]...cl1.x.x.x[C=RS, ST=Serbia, O=blabla, OU=blabla, CN=Aleksandar Markovic, E=markoni@blabla.co.yu]===<a href="http://192.168.0.214/32">192.168.0.214/32</a><br>
Apr 16 11:18:48 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: sending encrypted notification INVALID_ID_INFORMATION to cl1.x.x.x:62961<br>Apr 16 11:18:57 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7cfad2cf (perhaps this is a duplicated packet)<br>
Apr 16 11:18:57 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: sending encrypted notification INVALID_MESSAGE_ID to cl1.x.x.x:62961<br>Apr 16 11:19:01 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: received Delete SA payload: deleting ISAKMP State #1<br>
Apr 16 11:19:01 blabla pluto[2108]: packet from cl1.x.x.x:62961: received and ignored informational message<br>Apr 16 11:19:56 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: max number of retransmissions (2) reached STATE_MAIN_R1<br>
Apr 16 11:19:56 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x: deleting connection "srv-rw" instance with peer cl1.x.x.x {isakmp=#0/ipsec=#0}<br><br>===============================================================================================================================================<br>
===============================================================================================================================================<br><br><br>Client in the clear:<br>===============================================================================================================================================<br>
<br>Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: received Vendor ID payload [Dead Peer Detection]<br>Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]<br>
Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]<br>Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>
Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>Apr 16 11:21:47 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: responding to Main Mode from unknown peer cl2.x.x.x<br>
Apr 16 11:21:47 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Apr 16 11:21:47 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: received Vendor ID payload [Dead Peer Detection]<br>Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]<br>
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]<br>Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #4: responding to Main Mode from unknown peer cl2.x.x.x<br>
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #4: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<br>Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: STATE_MAIN_R2: sent MR2, expecting MI3<br>Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=RS, ST=Serbia, O=blabla, OU=blabla, CN=Miroslav Havram, E=<a href="mailto:miroslav@blabla.co.yu">miroslav@blabla.co.yu</a>'<br>
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: crl update for "C=RS, ST=Serbia, L=Belgrade, O=blabla, CN=No.1" is overdue since Mar 25 15:20:26 UTC 2008<br>Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: I am sending my cert<br>
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<br>
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: responding to Quick Mode {msgid:b5656d7e}<br>Apr 16 11:21:50 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Apr 16 11:21:50 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Apr 16 11:22:00 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Apr 16 11:22:00 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: STATE_QUICK_R2: IPsec SA established {ESP=>0x5634f0d7 <0x9212e26f xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}<br><br>===============================================================================================================================================<br>
<br>