<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi,<br><br>for the last couple of days I've been struggling to create a roadwarrior setup that will allow access to my home network with my laptops and phone. Since I'm pretty new to VPN/IPSEC i've had to fix and learn quite a few issues, but now I'm really stuck.<br><br>So far logging into the network works for macosx from both within and outside of the network. Windows doesn't work from outside of the network. <br>I basically see it establishing the IPSEC tunnel and then immediately receiving a delete message. Here's a part of the logs:<br><br>===========================================================================================================<br><br>Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:22:47 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[7] 192.168.0.1 #12: received and ignored informational message<br>Mar 15 07:22:47 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[7] 192.168.0.1 #12: received Delete SA payload: deleting ISAKMP State #12<br>Mar 15 07:22:47 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[7] 192.168.0.1: deleting connection "L2TP-PSK-noNAT" instance with peer 192.168.0.1 {isakmp=#0/ipsec=#0}<br>Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:22:47 alarmpi pluto[7511]: packet from 192.168.0.1:4500: received and ignored informational message<br>Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]<br>Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: received Vendor ID payload [RFC 3947] method set to=115<br>Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [FRAGMENTATION]<br>Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]<br>Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]<br>Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [IKE CGA version 1]<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: responding to Main Mode from unknown peer 192.168.0.1<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: STATE_MAIN_R1: sent MR1, expecting MI2<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: STATE_MAIN_R2: sent MR2, expecting MI3<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.121'<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: switched from "L2TP-PSK-noNAT" to "L2TP-PSK-noNAT"<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: deleting connection "L2TP-PSK-noNAT" instance with peer 192.168.0.1 {isakmp=#0/ipsec=#0}<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: new NAT mapping for #17, was 192.168.0.1:500, now 192.168.0.1:4500<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: the peer proposed: 92.109.12.70/32:17/1701 -> 192.168.0.121/32:17/0<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: responding to Quick Mode proposal {msgid:01000000}<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: us: 192.168.0.103<192.168.0.103>:17/1701<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: them: 192.168.0.1[192.168.0.121]:17/0<br>Mar 15 07:23:12 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Mar 15 07:23:12 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x34f4f065 <0x7bf174a3 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.121 NATD=192.168.0.1:4500 DPD=none}<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: the peer proposed: 92.109.12.70/32:17/1701 -> 192.168.0.121/32:17/0<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: responding to Quick Mode proposal {msgid:02000000}<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: us: 192.168.0.103<192.168.0.103>:17/1701<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: them: 192.168.0.1[192.168.0.121]:17/0<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: keeping refhim=4294901761 during rekey<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Mar 15 07:23:13 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x30f1ec4a <0x25651ad1 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.121 NATD=192.168.0.1:4500 DPD=none}<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA(0x34f4f065) payload: deleting IPSEC State #18<br>Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received and ignored informational message<br>Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA(0x30f1ec4a) payload: deleting IPSEC State #19<br>Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received and ignored informational message<br>Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA payload: deleting ISAKMP State #17<br>Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1: deleting connection "L2TP-PSK-noNAT" instance with peer 192.168.0.1 {isakmp=#0/ipsec=#0}<br>Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2<br>Mar 15 07:23:16 alarmpi pluto[7511]: packet from 192.168.0.1:4500: received and ignored informational message<br><br>==========================================================================================================<br><br>The establishing and deleting goes on for a few times and then the windows client gives up. Since this doesn't happen when I'm on the local network I'm guessing it's NAT, but I can't tell from the logs. <br><br>BTW openswan is running on an archlinux raspberry pi.<br><br>Some versions:<br>===================================================================<br><code>ipsec --version</code> : Linux Openswan U2.6.42/K3.18.8-4-ARCH (netkey)<br>uname -a: Linux alarmpi 3.18.8-4-ARCH #1 PREEMPT Thu Mar 5 18:05:39 MST 2015 armv6l GNU/Linux<br>xl2tpd version: xl2tpd-1.3.6<br>===================================================================<br>My ipsec config:<br>================================================================================================================<br>conn L2TP-PSK-noNAT<br> authby=secret<br> #shared secret. Use rsasig for certificates.<br><br> pfs=no<br> #Enable pfs<br><br> auto=add<br> #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.<br><br> keyingtries=3<br> #Only negotiate a conn. 3 times.<br><br> ikelifetime=8h<br> keylife=1h<br><br> type=transport<br> #because we use l2tp as tunnel protocol<br><br> left=192.168.0.103<br> #left=%any<br> leftprotoport=17/1701<br> right=%any<br> rightprotoport=17/0<br><br> dpddelay=10<br> # Dead Peer Dectection (RFC 3706) keepalives delay<br> dpdtimeout=20<br> # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.<br> dpdaction=clear<br> # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA with both be cleared.<br><br>=============================================================================================================<br><br>Any hints or clues would be greatly appreciated!<br><br><br><br><br><br><br><br><br> </div></body>
</html>