<DIV> HELLO:<BR> everyone!<BR> I am trying to study VPNs with Openswan. Now the IPsec VPN passing through the <BR>NAT device causes some trouble: INVALID_MESSAGE_ID in Quick Mode. Why? What<BR>shall I do? <BR> I did it this way:<BR> 1: First, I constructed the VPN system with openswan-2.4.7 on CentOS-4.4 without NAT. <BR> The IPsec SA was established:<BR> #ipsec auto --up road<BR> 104 "road" #1: STATE_MAIN_I1: initiate<BR> 003 "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<BR> 003 "road" #1: received Vendor ID payload [Dead Peer Detection]<BR> 003 "road" #1: received Vendor ID payload [RFC 3947] method set to=110 <BR> 106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR> 003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<BR> 108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR> 004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<BR> 117 "road" #2: STATE_QUICK_I1: initiate<BR> 004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x62bdff15 <0xe3c1013e xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}<BR> <BR> 2: Following the above step, I constructed the VPN system with openswan-2.4.7 on CentOS-4.4 with NAT. <BR> <BR> 2.1 The VPN network topology with NAT is:<BR> Note: the router model is H3C AR 18-21A; this product supports IPsec data passing through NAT. (<A href="http://www.h3c.com">http://www.h3c.com</A>)<BR> <BR> left network<--------->Router<-------------->laptop<BR> eth1:192.168.3.33 LAN WAN eth0:192.168.0.22<BR> eth1:192.168.1.9<BR> <BR> 2.2 Modify "/etc/ipsec.conf" on the left (192.168.3.33): </DIV>
<DIV> version 2.0 </DIV>
<DIV> config setup<BR> nat_traversal=yes<BR> nhelpers=0</DIV>
<DIV> conn road<BR> left=192.168.3.33<BR> leftnexthop=%defaultroute<BR> leftid=@laptop<BR> leftrsasigkey=0sAQNgTnRnteuIwjhq/Lm9QdK60buLB3Ggdh8K+dGVHZ63zma3FP9LE2xp9xfysHI7i+7ey1D+YCWC2831h6jim7cJtIA5hI75h2NZtcl0MVxyLqV++ryYiuceWgEMxG5Qr87nN+040kbZVmNrnJLSurZrrjNelqPuzJivlROcCYdeFHLWUh4PFbUDKmzpVoUy4hCokBnlhH3coasLBIe1+9G/eOz2mlEbjTi8E+0RS6iIqlfMWdVMZv3QfRLDYGOMOVJRCXfJWVVJ3gzmj9vhA01ffQ/lfM2FyDPNOjzI384f6vFhkNS6M9Q1mr/v7GCPReHnPKiSs9LuY7mycgr610dFpta1K8AFJQYIPbLeEQma6GDj<BR> right=192.168.0.22<BR> rightsubnet=192.168.1.0/24<BR> rightid=@vpnserver <BR> rightrsasigkey=0sAQOMxeosF6RzqISPzFLzDI3winmxxBtr+UrFxGakqT1+q8ShGuADZc+iTvDPrJFSVraRVSfm/6yYfiCyWxmdrKQIDGTUQdzPu8PbeErEnnyd21asQsaHyQ3fG6VXZfgYiKTKIcDl1X3MP//0xZqNSh/UxysZ4xedWRrAX2A36PjSzCRhF9Te3k+VASURhkvTNV44zpQNm6kSx0Adm4guaQw6nPrYIVq5wkfLr9iwmXrMscHrqcdvesDkevOQJrEYJ/PqB6PbwGsfsDrkEcTF1/gvvXh7cRCEEQ7MLlqHZHXT5TmsJCinVroCnmKQOtfMAsq7sNIqGU/Jm6O25oni95DE9J/TzAaJe5sNwkluLoBT4Q33<BR> auto=add</DIV>
<DIV> include /etc/ipsec.d/examples/no_oe.conf<BR> <BR> 2.3 Modify "/etc/ipsec.conf" on the laptop (192.168.0.22): </DIV>
<DIV> version 2.0 <BR> config setup<BR> nat_traversal=yes<BR> nhelpers=0<BR> conn road<BR> left=192.168.0.22<BR> leftid=@vpnserver<BR> leftsubnet=192.168.1.0/24<BR> leftrsasigkey=0sAQOMxeosF6RzqISPzFLzDI3winmxxBtr+UrFxGakqT1+q8ShGuADZc+iTvDPrJFSVraRVSfm/6yYfiCyWxmdrKQIDGTUQdzPu8PbeErEnnyd21asQsaHyQ3fG6VXZfgYiKTKIcDl1X3MP//0xZqNSh/UxysZ4xedWRrAX2A36PjSzCRhF9Te3k+VASURhkvTNV44zpQNm6kSx0Adm4guaQw6nPrYIVq5wkfLr9iwmXrMscHrqcdvesDkevOQJrEYJ/PqB6PbwGsfsDrkEcTF1/gvvXh7cRCEEQ7MLlqHZHXT5TmsJCinVroCnmKQOtfMAsq7sNIqGU/Jm6O25oni95DE9J/TzAaJe5sNwkluLoBT4Q33<BR> rightnexthop=%defaultroute<BR> right=%any<BR> rightid=@laptop <BR> rightrsasigkey=0sAQNgTnRnteuIwjhq/Lm9QdK60buLB3Ggdh8K+dGVHZ63zma3FP9LE2xp9xfysHI7i+7ey1D+YCWC2831h6jim7cJtIA5hI75h2NZtcl0MVxyLqV++ryYiuceWgEMxG5Qr87nN+040kbZVmNrnJLSurZrrjNelqPuzJivlROcCYdeFHLWUh4PFbUDKmzpVoUy4hCokBnlhH3coasLBIe1+9G/eOz2mlEbjTi8E+0RS6iIqlfMWdVMZv3QfRLDYGOMOVJRCXfJWVVJ3gzmj9vhA01ffQ/lfM2FyDPNOjzI384f6vFhkNS6M9Q1mr/v7GCPReHnPKiSs9LuY7mycgr610dFpta1K8AFJQYIPbLeEQma6GDj<BR> auto=add</DIV>
<DIV> include /etc/ipsec.d/examples/no_oe.conf <BR> <BR> 2.4 Execute this command on the left (192.168.3.33) and on the laptop (192.168.0.22):<BR> #service ipsec restart<BR> 2.5 Execute this command on the left (192.168.3.33):<BR> #ipsec auto --up road<BR> 104 "road" #1: STATE_MAIN_I1: initiate<BR> 003 "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<BR> 003 "road" #1: received Vendor ID payload [Dead Peer Detection]<BR> 003 "road" #1: received Vendor ID payload [RFC 3947] method set to=110 <BR> 106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR> 003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed<BR> 108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR> 004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<BR> 117 "road" #2: STATE_QUICK_I1: initiate<BR> 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 20s for response<BR> 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 40s for response<BR> 031 "road" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR> 000 "road" #2: starting keying attempt 2 of an unlimited number, but releasing whack</DIV>
<DIV> 2.6 From the above information we deduce that the IPsec data failed to pass through the NAT!!! Why??<BR> <BR> 2.7 The IPsec log on the left (192.168.3.33) is:<BR> <BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: initiating Main Mode<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received Vendor ID payload [Dead Peer Detection]<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received Vendor ID payload [RFC 3947] method set to=110 <BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: I did not send a certificate because I do not have one.<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: Main mode peer ID is ID_FQDN: '@vpnserver'<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: ignoring informational payload, type INVALID_ID_INFORMATION<BR> Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received and ignored informational message<BR> Oct 29 15:33:10 beijing5000 pluto[3083]: "road" #1: ignoring informational payload, type INVALID_MESSAGE_ID<BR> Oct 29 15:33:10 beijing5000 pluto[3083]: "road" #1: received and ignored informational message<BR> Oct 29 15:33:30 beijing5000 pluto[3083]: "road" #1: ignoring informational payload, type INVALID_MESSAGE_ID<BR> Oct 29 15:33:30 beijing5000 pluto[3083]: "road" #1: received and ignored informational message<BR> Oct 29 15:34:10 beijing5000 pluto[3083]: "road" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR> <BR> 2.8 The IPsec log on the laptop (192.168.0.22) is:<BR> <BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [Dead Peer Detection]<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [RFC 3947] method set to=110 <BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<BR> Oct 29 15:25:41 
shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: responding to Main Mode from unknown peer 192.168.0.1<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: STATE_MAIN_R1: sent MR1, expecting MI2<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: STATE_MAIN_R2: sent MR2, expecting MI3<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: Main mode peer ID is ID_FQDN: '@laptop'<BR> Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: I did not send a certificate because I do not have one.<BR> Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<BR> Oct 29 15:25:42 shanghai5000 pluto[30593]: | NAT-T: new mapping 192.168.0.1:12291/12290)<BR> Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<BR> Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.0.22[@vpnserver]...192.168.0.1[@laptop]===192.168.3.33/32<BR> Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.0.1:12290<BR> Oct 29 15:25:52 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x19529c28 (perhaps this is a 
duplicated packet)<BR> Oct 29 15:25:52 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_MESSAGE_ID to 192.168.0.1:12290<BR> Oct 29 15:26:12 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x19529c28 (perhaps this is a duplicated packet)<BR> Oct 29 15:26:12 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_MESSAGE_ID to 192.168.0.1:12290<BR> <BR> 2.9 <BR> #ipsec verify<BR> Checking your system to see if IPsec got installed and started correctly:<BR> Version check and ipsec on-path [OK]<BR> Linux Openswan U2.4.7/K2.6.9-42.EL (netkey)<BR> Checking for IPsec support in kernel [OK]<BR> NETKEY detected, testing for disabled ICMP send_redirects [OK]<BR> NETKEY detected, testing for disabled ICMP accept_redirects [OK]<BR> Checking for RSA private key (/etc/ipsec.secrets) [OK]<BR> Checking that pluto is running [OK]<BR> Two or more interfaces found, checking IP forwarding [OK]<BR> Checking NAT and MASQUERADEing [OK]<BR> Checking for 'ip' command [OK]<BR> Checking for 'iptables' command [OK]<BR> Opportunistic Encryption Support [DISABLED] <BR> <BR> <BR> Note: the capture data is in the attachments.<BR> Thanks<BR> <BR> <BR> <BR> yours: ruifengyang<BR> email: <A href="mailto:yrff_ren@163.com">yrff_ren@163.com</A> <BR> 2008/10/30 </DIV>
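Added here as a worked example, not part of the post or of Openswan: a small Python parser that correlates the responder-side pluto lines quoted above, so that the INVALID_MESSAGE_ID notices are read in the context of the earlier "no connection is known for ..." rejection and the reused Quick Mode Message ID, rather than on their own. The log excerpt is copied from the laptop log in the post; the regexes, the `QuickModeDiagnosis` record and the `analyze_pluto_log` function are my own names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Responder-side pluto lines copied from the laptop (192.168.0.22) log quoted in the post.
RESPONDER_LOG = """\
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.0.22[@vpnserver]...192.168.0.1[@laptop]===192.168.3.33/32
Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.0.1:12290
Oct 29 15:25:52 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x19529c28 (perhaps this is a duplicated packet)
Oct 29 15:25:52 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_MESSAGE_ID to 192.168.0.1:12290
"""

NAT_RE = re.compile(r"NAT-Traversal: Result using .*?: (no NAT detected|peer is NATed|i am NATed)")
NOCONN_RE = re.compile(r"no connection is known for ([^=\s]+)===(\S+?)\.\.\.(\S+?)===([^=\s]+)")
NOTIFY_RE = re.compile(r"sending encrypted notification ([A-Z_]+) to (\S+)")
MSGID_RE = re.compile(r"previously used Message ID (0x[0-9a-fA-F]+)")


@dataclass
class QuickModeDiagnosis:
    nat_result: Optional[str] = None
    rejected: Optional[dict] = None  # selectors the responder could not match to any conn
    notifications: List[str] = field(default_factory=list)
    reused_message_ids: List[str] = field(default_factory=list)

    def root_cause(self) -> str:
        """Name the first failure in the chain; a later INVALID_MESSAGE_ID is only a symptom."""
        if self.rejected:
            r = self.rejected
            return (f"responder has no conn matching {r['left']}==={r['left_host']}..."
                    f"{r['right_host']}==={r['right']} (NAT status: {self.nat_result})")
        if self.reused_message_ids:
            return f"Quick Mode I1 retransmitted with reused Message ID {self.reused_message_ids[0]}"
        return "no Quick Mode failure found"


def analyze_pluto_log(text: str) -> QuickModeDiagnosis:
    """Walk pluto syslog lines in order and collect the Quick Mode failure chain."""
    d = QuickModeDiagnosis()
    for line in text.splitlines():
        if m := NAT_RE.search(line):
            d.nat_result = m.group(1)
        elif m := NOCONN_RE.search(line):
            d.rejected = dict(zip(("left", "left_host", "right_host", "right"), m.groups()))
        elif m := NOTIFY_RE.search(line):
            d.notifications.append(m.group(1))
        elif m := MSGID_RE.search(line):
            d.reused_message_ids.append(m.group(1))
    return d
```

Calling `analyze_pluto_log(RESPONDER_LOG).root_cause()` reports the selector pair the responder could not match to a conn, which is the failure that precedes the INVALID_MESSAGE_ID notices; those notices are sent for the retransmitted Quick Mode I1 that reuses Message ID 0x19529c28.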