search the list, you may find the answer by yourself.<br><br><div class="gmail_quote">2011/8/6 Иван Кочанов <span dir="ltr"><<a href="mailto:gruzzz88@mail.ru">gruzzz88@mail.ru</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><p>Hi!<br>I need help with understanding of problem.<br>I can't connect to my VPN server which is behind nat router. Log says the following:<br><br>/var/log/auth.log<br>Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1 <a href="http://192.168.0.8:500" target="_blank">192.168.0.8:500</a><br>
Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1 <a href="http://192.168.0.8:4500" target="_blank">192.168.0.8:4500</a><br>Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo <a href="http://127.0.0.1:500" target="_blank">127.0.0.1:500</a><br>
Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo <a href="http://127.0.0.1:4500" target="_blank">127.0.0.1:4500</a><br>Aug 6 14:21:11 GATE pluto[1565]: loading secrets from "/etc/ipsec.secrets"<br>Aug 6 14:21:12 GATE perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root<br>
Aug 6 14:21:14 GATE webmin[1726]: Webmin starting<br>Aug 6 14:22:47 GATE sshd[1746]: Accepted password for gateroot from 192.168.0.41 port 4589 ssh2<br>Aug 6 14:22:47 GATE sshd[1746]: pam_unix(sshd:session): session opened for user gateroot by (uid=0)<br>
Aug 6 14:22:53 GATE sudo: gateroot : TTY=pts/0 ; PWD=/home/gateroot ; USER=root ; COMMAND=/bin/bash<br>Aug 6 14:23:03 GATE pluto[1565]: packet from <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]<br>
Aug 6 14:23:03 GATE pluto[1565]: packet from <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>: received Vendor ID payload [RFC 3947] method set to=109<br>Aug 6 14:23:03 GATE pluto[1565]: packet from <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109<br>
Aug 6 14:23:03 GATE pluto[1565]: packet from <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>: ignoring Vendor ID payload [FRAGMENTATION]<br>Aug 6 14:23:03 GATE pluto[1565]: packet from <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]<br>
Aug 6 14:23:03 GATE pluto[1565]: packet from <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>: ignoring Vendor ID payload [Vid-Initial-Contact]<br>Aug 6 14:23:03 GATE pluto[1565]: packet from <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>: ignoring Vendor ID payload [IKE CGA version 1]<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: responding to Main Mode from unknown peer 212.94.111.119<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Main mode peer ID is ID_IPV4_ADDR: '212.94.111.119'<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: new NAT mapping for #1, was <a href="http://212.94.111.119:500" target="_blank">212.94.111.119:500</a>, now <a href="http://212.94.111.119:4500" target="_blank">212.94.111.119:4500</a><br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: <a href="http://212.94.111.118/32:17/1701" target="_blank">212.94.111.118/32:17/1701</a> -> <a href="http://212.94.111.119/32:17/0" target="_blank">212.94.111.119/32:17/0</a><br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: responding to Quick Mode proposal {msgid:01000000}<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: them: 212.94.111.119[+S=C]:17/1701<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xee920fce <0x0ee59f42 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<a href="http://212.94.111.119:4500" target="_blank">212.94.111.119:4500</a> DPD=none}<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: <a href="http://212.94.111.118/32:17/1701" target="_blank">212.94.111.118/32:17/1701</a> -> <a href="http://212.94.111.119/32:17/1701" target="_blank">212.94.111.119/32:17/1701</a><br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: responding to Quick Mode proposal {msgid:02000000}<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: them: 212.94.111.119[+S=C]:17/1701<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: keeping refhim=4294901761 during rekey<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe83ba9ff <0xc5934fd6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<a href="http://212.94.111.119:4500" target="_blank">212.94.111.119:4500</a> DPD=none}<br>
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xee920fce) payload: deleting IPSEC State #2<br>Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received and ignored informational message<br>
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: <a href="http://212.94.111.118/32:17/1701" target="_blank">212.94.111.118/32:17/1701</a> -> <a href="http://212.94.111.119/32:17/1701" target="_blank">212.94.111.119/32:17/1701</a><br>
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed<br>Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: responding to Quick Mode proposal {msgid:03000000}<br>
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251<br>Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: them: 212.94.111.119[+S=C]:17/1701<br>
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: keeping refhim=4294901761 during rekey<br>Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xf6a84cfc <0x80cdf100 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<a href="http://212.94.111.119:4500" target="_blank">212.94.111.119:4500</a> DPD=none}<br>
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xe83ba9ff) payload: deleting IPSEC State #3<br>Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received and ignored informational message<br>
<br>I don't understand the reason of my issue...<br><br>I have the following configuration of my Ubuntu 10.04 LTS Server.<br><br>/etc/ipsec.conf<br> version 2.0 # conforms to second version of ipsec.conf specification<br>
config setup <br> dumpdir=/var/run/pluto/<br> nat_traversal=yes<br> virtual_private=%v4:<a href="http://10.0.0.0/24,%v4:192.168.0.0/16,%v4:%21192.168.0.0/24" target="_blank">10.0.0.0/24,%v4:192.168.0.0/16,%v4:!192.168.0.0/24</a><br>
oe=off<br> protostack=netkey<br> include /etc/ipsec.d/l2tp-psk.conf<br><br>/etc/ipsec.d/l2tp-psk.conf<br> conn L2TP-PSK-NAT<br> rightsubnet=vhost:%no,%priv<br> also=L2TP-PSK-noNAT<br> conn L2TP-PSK-noNAT<br> authby=secret<br>
pfs=no<br> auto=add<br> keyingtries=3<br> rekey=no<br> ikelifetime=8h<br> keylife=1h<br> type=transport<br> left=192.168.0.8<br> leftid=***WAN_IP***<br> leftnexthop=192.168.0.251<br> leftprotoport=17/1701<br>
right=%any<br> rightprotoport=17/%any<br> dpddelay=30<br> dpdtimeout=30<br><br>/etc/ipsec.secrets<br> 192.168.0.8 %any: "SECRET"<br> ***WAN_IP*** %any: "SECRET"<br><br>/etc/xl2tpd/xl2tpd.conf<br>
[global] ; Global parameters:<br> port = 1701 ; * Bind to port 1701<br> ipsec saref = no<br> debug avp = yes<br>
debug network = yes<br> debug packet= yes<br> debug state = yes<br> debug tunnel = yes<br><br> [lns default] ; Our fallthrough LNS definition<br> ip range = 192.168.0.232-192.168.0.240 ; * Allocate from this IP range<br>
hidden bit = no ; * Use hidden AVP's?<br> local ip = 192.168.0.231 ; * Our local IP to use<br> length bit = yes ; * Use length bit in payload?<br>
refuse pap = yes ; * Refuse PAP authentication<br> refuse chap = yes ; * Refuse CHAP authentication<br> require authentication = yes ; * Require peer to authenticate<br>
name = UbuntuVPNserver ; * Report this as our hostname<br> ppp debug = no ; * Turn on PPP debugging<br> pppoptfile = /etc/ppp/options.xl2tpd ; * ppp options file<br>
flow bit = yes ; * Include sequence numbers<br><br>/etc/ppp/options.xl2tpd<br> ms-dns 192.168.0.1<br> ms-dns 192.168.0.252<br> ms-wins 192.168.0.1<br> require-mschap-v2<br> refuse-mschap<br>
refuse-pap<br> refuse-chap<br> logfile /var/log/xl2tpd.log<br> logfd 2 <br> asyncmap 0<br> auth<br> crtscts<br> lock <br> hide-password<br> modem<br> mru 1280<br> netmask 255.255.255.0<br> debug<br> mtu 1280<br> name l2tpd<br>
proxyarp<br> lcp-echo-interval 30<br> lcp-echo-failure 4<br> ipcp-accept-local<br> ipcp-accept-remote<br> noipx<br><br>UbuntuVPN(<a href="http://192.168.0.8/24%29-------------%28192.168.0.251" target="_blank">192.168.0.8/24)-------------(192.168.0.251</a>) CiscoRouter (***WAN_IP***)--------------INTERNET<br>
<br>I tested my configuration from local network - connection is succesful. I also tried a variant without NAT - it also worked.<br>On my router I made static IP-to-IP NAT, in my acl permitted all TCP, UDP, ESP traffic to my server.<br>
<br><br><br><br><br><br><br><br></p></div>
<br>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br>