Using protostack=klips, when I try to connect with another client behind a NAT, I get the following log info at the server side:<div><div><div><div><br></div><div><br></div><div><div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: STATE_MAIN_R1: sent MR1, expecting MI2</div><div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed</div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</div><div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.198'</div><div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: new NAT mapping for #5, was xxx.yyy.zzz.aaa:879, now xxx.yyy.zzz.aaa:50320</div><div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}</div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: the peer proposed: <a href="http://10.0.0.0/24:0/0">10.0.0.0/24:0/0</a> -> <a href="http://192.168.0.0/24:0/0">192.168.0.0/24:0/0</a></div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: NAT-Traversal: received 2 NAT-OA. using first, ignoring others</div><div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6: responding to Quick Mode proposal {msgid:391d4cf3}</div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6: us: 10.0.0.105<10.0.0.105>[94.202.86.118,+S=C]---10.0.0.1</div><div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6: them: 10.0.0.1---xxx.yyy.zzz.aaa[192.168.0.198,+S=C]===<a href="http://192.168.0.0/24">192.168.0.0/24</a></div>
<div>Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6: cannot install eroute -- it is in use for "road"[2] xxx.yyy.zzz.aaa #2</div><div>Jun 27 12:00:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6: discarding duplicate packet; already STATE_QUICK_R0</div>
<div>Jun 27 12:00:49 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6: discarding duplicate packet; already STATE_QUICK_R0</div><div>Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: the peer proposed: <a href="http://10.0.0.0/24:0/0">10.0.0.0/24:0/0</a> -> <a href="http://192.168.0.0/24:0/0">192.168.0.0/24:0/0</a></div>
<div>Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: NAT-Traversal: received 2 NAT-OA. using first, ignoring others</div><div>Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7: responding to Quick Mode proposal {msgid:bf6863d2}</div>
<div>Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7: us: 10.0.0.105<10.0.0.105>[94.202.86.118,+S=C]---10.0.0.1</div><div>Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7: them: 10.0.0.1---xxx.yyy.zzz.aaa[192.168.0.198,+S=C]===<a href="http://192.168.0.0/24">192.168.0.0/24</a></div>
<div>Jun 27 12:01:29 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #7: cannot install eroute -- it is in use for "road"[2] xxx.yyy.zzz.aaa #2</div></div><div><br></div><div><br></div><div><br></div>
</div></div><br><div class="gmail_quote">On Sun, Jun 27, 2010 at 11:37 AM, Majid Khonji <span dir="ltr"><<a href="mailto:majid@khonji.org">majid@khonji.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Yes, I have a mast0 interface with the same IP as eth0 (not exactly the external one, since I have a NAT router at my home GW)<div>I actually want to narrow down the problem to IPsec only. I want to establish a secure SA using mast (multiple clients behind a NAT); after that I will solve the other issues. (I actually succeeded with netkey and xl2tp on a Linux client and an Android phone)</div>
<div><br></div><div><div><div></div><div class="h5"><br><br><div class="gmail_quote">On Sun, Jun 27, 2010 at 3:56 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On Sun, 27 Jun 2010, Majid Khonji wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
When I use protostack=mast<br>
I get the following error (when I connect a client)<br>
packet from <a href="http://10.0.0.1:500" target="_blank">10.0.0.1:500</a>: initial Main Mode message received on <a href="http://10.0.0.105:500" target="_blank">10.0.0.105:500</a> but no connection has been authorized with<br>
policy=PSK<br>
</blockquote>
<br>
<br></div>
Do you have a mast0 interface? Does it have the same ip as your external ip?<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 <br>
inet addr:10.0.0.105 Mask:255.255.255.255<br>
</blockquote>
<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn road<br>
</blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
left=10.0.0.105<br></div><div>
leftsubnet=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a><br>
</div></blockquote>
<br><div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn road-l2tp<br>
also=road<br>
</blockquote>
<br></div>
That is not going to work because l2tp does not use a subnet= on the<br>
server side. Please see examples in /etc/ipsec.d/examples/l2tp*<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
#because Mac clients don't like 1701<br>
rightprotoport=17/1701<br>
</blockquote>
<br></div>
That should be 17/%any<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn road-l2tp-mac<br>
</blockquote>
<br>
A separate conn should not be needed.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br>Regards,<br><br>Majid Khonji<br><br>
</div>
</blockquote></div><br><br clear="all"><br>-- <br>Regards,<br><br>Majid Khonji<br><br>
</div>
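As an added illustration (not code from this thread or from Openswan), a small Python script that parses pluto log lines like the ones above and, for each "cannot install eroute" message, checks whether the blocked conn instance and the instance holding the eroute came from the same public address and proposed the same selector pair; KLIPS keeps one eroute per selector pair, which is why a second client behind the same NAT announcing the same private subnet cannot get its own. The sample lines are constructed; the "road"[2] proposal line is an assumption, since the thread only shows that "road"[2] #2 holds the eroute.

```python
import re
from collections import defaultdict

# Prefix shared by every pluto line: "conn"[instance] peer-address #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
                     r'(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
PROPOSED_RE = re.compile(r'the peer proposed: (?P<local>\S+) -> (?P<remote>\S+)')
EROUTE_RE = re.compile(r'cannot install eroute -- it is in use for '
                       r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+)')

def parse_line(line):
    """Split one pluto log line into conn instance, peer, state number and message."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def analyse(lines):
    """Collect the selectors each conn instance proposed and every eroute collision."""
    proposals = defaultdict(set)  # (conn, inst, peer) -> {(local, remote), ...}
    conflicts = []                # (blocked instance, instance holding the eroute)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['conn'], int(rec['inst']), rec['peer'])
        pm = PROPOSED_RE.search(rec['msg'])
        if pm:
            proposals[key].add((pm['local'], pm['remote']))
        em = EROUTE_RE.search(rec['msg'])
        if em:
            conflicts.append((key, (em['conn'], int(em['inst']), em['peer'])))
    return proposals, conflicts

def diagnose(lines):
    """For each collision, report whether the two instances share the NAT's public
    address and proposed the same selector pair (KLIPS keeps one eroute per pair)."""
    proposals, conflicts = analyse(lines)
    return [{
        'blocked': blocked, 'holder': holder,
        'same_public_ip': blocked[2] == holder[2],
        'same_selectors': bool(proposals[blocked] & proposals[holder]),
    } for blocked, holder in conflicts]

# Constructed sample modelled on the thread: the "road"[2] line is assumed, the
# "road"[3] lines are shaped like the ones the server logged.
SAMPLE = [
    'Jun 27 11:58:02 majid-server pluto[2127]: "road"[2] xxx.yyy.zzz.aaa #1: the peer proposed: 10.0.0.0/24:0/0 -> 192.168.0.0/24:0/0',
    'Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #5: the peer proposed: 10.0.0.0/24:0/0 -> 192.168.0.0/24:0/0',
    'Jun 27 12:00:19 majid-server pluto[2127]: "road"[3] xxx.yyy.zzz.aaa #6: cannot install eroute -- it is in use for "road"[2] xxx.yyy.zzz.aaa #2',
]
```

Run `diagnose(SAMPLE)` to get one entry flagging "road"[3] as blocked by "road"[2] with both checks true; a conflict where the two instances differ in public address or selectors points at a different cause than the shared-NAT, shared-subnet case.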