[Openswan dev] nat-t openswan interop problem
Paul Wouters
paul at xelerance.com
Wed Oct 12 19:42:26 CEST 2005
---------- Forwarded message ----------
Date: Wed, 12 Oct 2005 17:52:51 +0200
From: Martin Schläffer <schlaeff at sbox.tugraz.at>
To: users at openswan.org
Subject: [Openswan Users]
Hi,
I want to connect from a Linux client with Openswan 2.4.0, kernel 2.6.12 to a
Windows Server, which is not NATed.
The connection uses l2tp and works perfectly with a Linux client if it _is_not_
behind a NAT device, or works when connecting using a Windows client which _is_
behind a NAT device.
But the connection with Openswan under Linux using NAT-T cannot be established,
as can be seen in the following log:
104 "iaik" #1: STATE_MAIN_I1: initiate
003 "iaik" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
003 "iaik" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "iaik" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "iaik" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "iaik" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation
108 "iaik" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "iaik" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "iaik" #2: STATE_QUICK_I1: initiate
010 "iaik" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "iaik" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "iaik" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
I'm using the native ipsec kernel stack and not klips, nat_traversal=yes is set
in the config.
I could not find a detailed HOWTO for this kind of setup or for how to solve the
problem. Does anyone know how to solve this problem, and what further
information can I post to help track it down?
This is the ipsec.conf:
-----
config setup
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=1
        disablearrivalcheck=yes
        pfs=no
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn iaik
        type=transport
        right="IP of Windows Server"
        rightprotoport=17/1701
        rightid="CERT INFORMATION"
        rightrsasigkey=%cert
        rightca="CA INFORMATION"
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        leftrsasigkey=%cert
        leftca="CA INFORMATION"
        leftcert=/etc/ipsec.d/certs/cert.pem
        auto=add
-----
Best regards,
Martin
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
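The status lines pluto prints during `ipsec auto --up` have a fixed shape (three-digit whack status code, connection name, SA number, message), so the negotiation above can be triaged mechanically rather than by eye. The following script is an added example written for this archive page; it is not code from the post or from the Openswan project. It parses that shape, tracks the ISAKMP states seen per SA, and flags the two things visible in Martin's log: the "Only 0 NAT-D" abort of NAT-Traversal in phase 1 and the Quick Mode retransmission timeout in phase 2. The sample log embedded in the script is constructed from the lines quoted above, with wrapped lines re-joined.

```python
"""Triage of Openswan/pluto status output for an L2TP/IPsec client.

Added example, not from the mailing-list post or the Openswan project.
Assumptions: lines look like   <code> "<conn>" #<sa>: <message>
and the phase-2 success message contains "IPsec SA established"
(the message pluto prints when Quick Mode completes).
"""
import re
from collections import OrderedDict

# One pluto status line: 3-digit whack code, quoted conn name, SA number, text.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
# ISAKMP state names embedded in the message text.
STATE_RE = re.compile(r"\b(STATE_(?:MAIN|AGGR|QUICK|INFO)[A-Z0-9_]*)\b")
RETRANS_LIMIT_RE = re.compile(
    r"max number of retransmissions \(\d+\) reached (STATE_[A-Z0-9_]+)")

# Constructed sample input: the client-side log from the post, lines re-joined.
SAMPLE_LOG = """\
104 "iaik" #1: STATE_MAIN_I1: initiate
003 "iaik" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
003 "iaik" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "iaik" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "iaik" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "iaik" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation
108 "iaik" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "iaik" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "iaik" #2: STATE_QUICK_I1: initiate
010 "iaik" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "iaik" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "iaik" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""


def parse_line(line):
    """Split one status line into its fields, or return None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, conn, sa, msg = m.groups()
    return {"code": int(code), "conn": conn, "sa": int(sa), "msg": msg}


def triage(log_text):
    """Summarise phase 1 / phase 2 outcome and NAT-T findings from a log."""
    result = {
        "conn": None,
        "states": OrderedDict(),     # SA number -> states seen, in order
        "nat_t_offered": False,      # peer advertised a NAT-T vendor ID
        "nat_t_aborted": False,      # pluto gave up NAT-T (no NAT-D payloads)
        "phase1_established": False,
        "phase2_established": False,
        "failed_state": None,        # state in which retransmissions ran out
        "retransmissions": 0,
    }
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        result["conn"] = ev["conn"]
        states = result["states"].setdefault(ev["sa"], [])
        for st in STATE_RE.findall(ev["msg"]):
            if st not in states:
                states.append(st)
        msg = ev["msg"]
        if "received Vendor ID payload [draft-ietf-ipsec-nat-t" in msg:
            result["nat_t_offered"] = True
        if "Aborting NAT-Traversal" in msg:
            result["nat_t_aborted"] = True
        if "ISAKMP SA established" in msg:
            result["phase1_established"] = True
        if "IPsec SA established" in msg:
            result["phase2_established"] = True
        if "retransmission;" in msg:
            result["retransmissions"] += 1
        m = RETRANS_LIMIT_RE.search(msg)
        if m:
            result["failed_state"] = m.group(1)
    return result


def verdict(result):
    """One-line summary of where the negotiation stopped."""
    if result["phase2_established"]:
        return "IPsec SA established"
    failed = result["failed_state"]
    if result["phase1_established"] and failed and failed.startswith("STATE_QUICK"):
        note = " (NAT-T was aborted in phase 1)" if result["nat_t_aborted"] else ""
        return "phase 1 OK, phase 2 (Quick Mode) timed out in %s%s" % (failed, note)
    if failed:
        return "negotiation timed out in %s" % failed
    return "incomplete log"


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

Run against the sample, the verdict is "phase 1 OK, phase 2 (Quick Mode) timed out in STATE_QUICK_I1 (NAT-T was aborted in phase 1)", which is the shape of failure the post describes: both sides agreed on the NAT-T vendor ID, but no NAT-D payloads arrived, so pluto dropped NAT-Traversal and continued plain Main Mode; the ISAKMP SA came up, and the Quick Mode proposal for UDP/1701 transport mode then got no answer. Pointing the script at real `ipsec auto --up` output (`triage(open(path).read())`) gives the same per-SA state list, which is the first thing worth including when asking for help on the list.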