<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Hello,<br><br>Iam trying to get this configuration to work in a server behind a NAT, also the server is behind a router that only accepts ICMP, UDP, and TCP connections. For this last reason Iam using forceencaps=yes , and offcourse nat_traversal=yes ... am getting the messages below after it appears to negotiate the ipsec connection correctly. Please note that I have tested the below config witha server in my home LAN (no nat/firewalls in between off course) and it works perfectly.<br><br>Openswan version 2.6.23<br>Lt2p version: 1.2.5<br>Kernel: 2.6.32-24<br><br>Here is my ipsec config:<br><br>ubuntu@ip-10-112-49-52:~$ cat /etc/ipsec.conf<br>version 2.0<br>config setup<br> nat_traversal=yes<br> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br> oe=off<br> protostack=netkey<br><br>conn L2TP-PSK-NAT<br> rightsubnet=vhost:%priv<br> also=L2TP-PSK-noNAT<br><br>conn L2TP-PSK-noNAT<br> authby=secret<br> pfs=no<br> auto=add<br> keyingtries=3<br> rekey=no<br> ikelifetime=8h<br> keylife=1h<br> type=transport<br> left=10.112.49.52<br> leftprotoport=17/1701<br> right=%any<br> rightprotoport=17/%any<br> forceencaps=yes<br><br>auth.log<br>NOTE: Some IPs have been replaced for security reasons:<br>189.199.62.74 is a fake public IP representing the remote server<br>181.199.62.74 is a fake public IP representing the public IP of my home router.<br><br><br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Vendor ID payload [FRAGMENTATION]<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 <br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Vendor ID payload [Vid-Initial-Contact]<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #53: responding to Main Mode from unknown peer 181.199.62.74<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #53: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #53: STATE_MAIN_R1: sent MR1, expecting MI2<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #52: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #52: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0cae746c <0xc70e0aa0 xfrm=3DES_0-HMAC_MD5 NATOA=192.170.1.3 NATD=181.199.62.74:4500 DPD=none}<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: received Delete SA(0x0cae746c) payload: deleting IPSEC State #52<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0 <br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: received Delete SA(0x3026ac20) payload: deleting IPSEC State #50<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0 <br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: received Delete SA(0x99f52203) payload: deleting IPSEC State #48<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0 <br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: received Delete SA(0x39497c19) payload: deleting IPSEC State #46<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0 <br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: received Delete SA(0x944681bc) payload: deleting IPSEC State #44<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0 <br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: received Delete SA(0xbf5f0234) payload: deleting IPSEC State #42<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0 <br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x3362d7ee<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x62e101ae<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x13335b0d<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xbbdba4d8<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x9f9b1385<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xaff01be8<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x6b605417<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x53f3de1c<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x5dc88fda<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xbf0d6282<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x99dc2e71<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xcf73a1fe<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x5e0e2b61<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x3a6290eb<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x479a71ba<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x2bf119ba<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x5602aea4<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Delete SA payload: not encrypted<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xe451d0cf<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xb3409413<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x12af66a1<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: received Delete SA payload: deleting ISAKMP State #51<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: received Delete SA payload: deleting ISAKMP State #49<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: received Delete SA payload: deleting ISAKMP State #47<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: received Delete SA payload: deleting ISAKMP State #45<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: received Delete SA payload: deleting ISAKMP State #43<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: received Delete SA payload: deleting ISAKMP State #41<br>Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message<br><br><br>Thanks<br>Gunther<br><br><br><br> </body>
</html>