<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.<br class=""><div><br class=""><div class=""><div class=""><span class="" style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);"><b class="">From: </b></span><span class="" style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;">Adrian Sender <<a href="mailto:aasender@gmail.com" class="">aasender@gmail.com</a>></span></div><div class=""><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">Cannot connect to openswan vpn with public ip on windows</b><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Date: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">January 20, 2016 at 1:08:43 AM EST<br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><a href="mailto:users@lists.openswan.org" class="">users@lists.openswan.org</a><br class=""></span></div><br class=""><br class=""><div dir="ltr" class=""><div class=""><div class="">Hi Guys,<br class=""><br class=""></div>I am wondering if anyone can help me out with a openswan issue, not sure if this is a known problem, I know Mac has an issue with Public IP and openswan, but I am having a similar issue on Windows 7 using a internet facing public ip address.<br class=""><br class=""></div>The same configuration just changing the windows 7 machine to use nat works perfectly.<br class=""><div class=""><br class="">root@r-4051-VM:/etc# cat ipsec.conf <br class=""># Manual: ipsec.conf.5<br class="">version2.0<br class=""><br class="">config setup<br class="">nat_traversal=no<br class="">#nat_traversal=yes<br class="">virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12" class="">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</a><br class="">protostack=auto<br class=""><br class=""><br class="">root@r-4051-VM:/etc/ipsec.d# cat l2tp.conf <br class="">conn L2TP-PSK<br class=""> authby=secret<br class=""> pfs=no<br class=""> rekey=no<br class=""> keyingtries=3<br class=""> left=xxx.xxx.252.199<br class=""> leftprotoport=17/1701<br class=""> right=%any<br class=""> rightprotoport=17/%any<br class=""> auto=add<br class=""><br class=""><div class=""><div class=""><div class=""><br class="">How to reproduce bug.<br class=""><br class="">1. Install windows 7.<br class="">2. Configure network with internet facing public IP address.<br class="">3. Enable VPN on source nat address in CS.<br class="">4. Setup VPN client with user/pass and preshared key using the windows vpn wizard.<br class="">5. Internet facing VPN client on windows 7 fails to connect.<br class="">6. Put same windows 7 machine behind NAT, VPN works.<br class=""><br class="">Logs for public IP address, note the connection fails.<br class=""><br class="">root@r-4045-VM:~# cat /var/log/auth.log<br class=""><br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: received Vendor ID payload [RFC 3947] method set to=109<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: ignoring Vendor ID payload [FRAGMENTATION]<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: ignoring Vendor ID payload [Vid-Initial-Contact]<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: ignoring Vendor ID payload [IKE CGA version 1]<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: responding to Main Mode from unknown peer 130.244.221.180<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: STATE_MAIN_R1: sent MR1, expecting MI2<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: STATE_MAIN_R2: sent MR2, expecting MI3<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: Main mode peer ID is ID_IPV4_ADDR: '130.244.221.180'<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: STATE_MAIN_R3: sent MR3, ISAKMP SA established<br class="">{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: the peer proposed: <a href="http://111.112.231.214/32:17/1701" class="">111.112.231.214/32:17/1701</a> -> <a href="http://130.244.221.180/32:17/1701" class="">130.244.221.180/32:17/1701</a><br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: responding to Quick Mode proposal {msgid:01000000}<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: us: 111.112.231.214<111.112.231.214>[+S=C]:17/1701<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: them: 130.244.221.180[+S=C]:17/1701<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: keeping refhim=4294901761 during rekey<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br class="">Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1677a1c0 <0x241ef249 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br class="">Jan 20 00:01:54 r-4045-VM sshd[8198]: Accepted publickey for root from 169.254.0.1 port 38084 ssh2<br class="">Jan 20 00:01:54 r-4045-VM sshd[8198]: pam_unix(sshd:session): session opened for user root by (uid=0)<br class="">Jan 20 00:01:54 r-4045-VM sshd[8198]: pam_unix(sshd:session): session closed for user root<br class="">Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: received Delete SA(0x1677a1c0) payload: deleting IPSEC State #68<br class="">Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: received and ignored informational message<br class="">Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: received Delete SA payload: deleting ISAKMP State #67<br class="">Jan 20 00:02:11 r-4045-VM pluto[4569]: packet from <a href="http://130.244.221.180:500/" class="">130.244.221.180:500</a>: received and ignored informational message<br class=""><br class=""><br class=""><br class="">Here is the same machine but I changed the networking so I am on NAT, no other configuration settings were changed. In this case I am able to connect to the Cloudstack Remote Access VPN.<br class=""><br class=""><br class="">root@r-4045-VM:~# cat /var/log/auth.log<br class=""><br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>: received Vendor ID payload [RFC 3947] method set to=109<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>: ignoring Vendor ID payload [FRAGMENTATION]<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>: ignoring Vendor ID payload [Vid-Initial-Contact]<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>: ignoring Vendor ID payload [IKE CGA version 1]<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: responding to Main Mode from unknown peer 139.233.222.112<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: STATE_MAIN_R1: sent MR1, expecting MI2<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: STATE_MAIN_R2: sent MR2, expecting MI3<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.82'<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: switched from "L2TP-PSK" to "L2TP-PSK"<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: deleting connection "L2TP-PSK" instance with peer 139.233.222.112 {isakmp=#0/ipsec=#0}<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: new NAT mapping for #65, was <a href="http://139.233.222.112:500/" class="">139.233.222.112:500</a>, now <a href="http://139.233.222.112:4500/" class="">139.233.222.112:4500</a><br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}<br class=""><br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: the peer proposed: <a href="http://111.112.231.214/32:17/1701" class="">111.112.231.214/32:17/1701</a> -> <a href="http://192.168.1.82/32:17/0" class="">192.168.1.82/32:17/0</a><br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: responding to Quick Mode proposal<br class="">{msgid:01000000}<br class=""><br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: us: 111.112.231.214<111.112.231.214>[+S=C]:17/1701<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: them: 139.233.222.112[192.168.1.82,+S=C]:17/1701<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br class="">Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: STATE_QUICK_R2: IPsec SA established tunnel mode<br class="">{ESP=>0xe3a6868c <0xbfcf6dcb xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.82 NATD=<a href="http://139.233.222.112:4500/" class="">139.233.222.112:4500</a> DPD=none}<br class=""><br class="">Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: received Delete SA(0xe3a6868c) payload: deleting IPSEC State #66<br class="">Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: received and ignored informational message<br class="">Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: received Delete SA payload: deleting ISAKMP State #65<br class="">Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] <a href="http://139.233.222.112/" class="">139.233.222.112</a>: deleting connection "L2TP-PSK" instance with peer 139.233.222.112<br class="">{isakmp=#0/ipsec=#0}<br class=""><br class="">Jan 19 23:34:28 r-4045-VM pluto[4569]: packet from <a href="http://139.233.222.112:4500/" class="">139.233.222.112:4500</a>: received and ignored informational message<br class="">Jan 19 23:35:01 r-4045-VM CRON[7995]: pam_unix(cron:session): session closed for user root<br class=""><br class=""></div><div class="">Regards,<br class=""></div><div class="">Adrian Sender<br class=""></div></div></div></div></div>
<br class=""><br class=""></div></div></div><br class=""></body></html>