[Openswan Users] Nortel contivity and openswan

Paul Wouters paul at xelerance.com
Thu Dec 23 12:29:00 CET 2004


On Wed, 22 Dec 2004, albert agusti wrote:

> my scenario looks like this
>
> Linux Openswan --- DSL NAT router ---- Internet ----------------------------- Nortel contivity
>
> So I need NAT-traversal in action. This family of Nortel devices seems
> to be really full IPsec and NAT-T featured looking at config options and
> it should work ...
>
> Tunnel gets up, but traffic only flows from branch office to the
> Openswan. Openswan detects NAT and log shows:
>
> Dec 22 17:32:48 tunnel pluto[4220]: packet from N.N.N.N:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Dec 22 17:32:48 tunnel pluto[4220]: packet from 80.28.216.105:500: ignoring
> Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
> Dec 22 17:32:48 tunnel pluto[4220]: "vpn-sants-nortel" #10: responding
> to Main Mode
> Dec 22 17:32:48 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition
> from state (null) to state STATE_MAIN_R1
> Dec 22 17:32:50 tunnel pluto[4220]: "vpn-sants-nortel" #10:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed

Here Openswan concludes it is NATed.

> Dec 22 17:32:50 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition
> from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: ignoring
> informational payload, type IPSEC_INITIAL_CONTACT
> Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: Peer ID is
> ID_IPV4_ADDR: 'N.N.N.N'
> Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: I did not
> send a certificate because I do not have one.
> Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: transition
> from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Dec 22 17:32:51 tunnel pluto[4220]: "vpn-sants-nortel" #10: sent MR3,
> ISAKMP SA established
> Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11:
> NAT-Traversal: received 1 NAT-OA. ignored because peer is not NATed

This one I don't understand. Michael? What is a NAT-OA? Why are we ignoring
it?

> Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11: responding
> to Quick Mode
> Dec 22 17:32:53 tunnel pluto[4220]: "vpn-sants-nortel" #11: transition
> from state (null) to state STATE_QUICK_R1
> Dec 22 17:32:54 tunnel pluto[4220]: "vpn-sants-nortel" #11: transition
> from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Dec 22 17:32:54 tunnel pluto[4220]: "vpn-sants-nortel" #11: IPsec SA
> established {ESP=>0x5a9852fe <0xb6566bf4 NATOA=0.0.0.0}
>
> Route installed and all seems ok. In Nortel side IPSEC SA looks ok.
> Nothing is seen over UDP 4500.

It seems we forgot we were natted ourselves, when we got that NAT-OA packet.

> Until now all NAT-T proves with openswan
> used this port for NAT traversal, but now traffic encapsulated seems to
> travel over UDP 500

That might be because we got stuck using an older nat-t draft protocol (00/01).


> When traffic goes out Openswan (ping to remote end) and must enter the
> tunnel tcpdump shows things like that :
>
> 21:11:16.563563 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
> proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
> cksum] isakmp 4.4 msgid  cookie ->: phase 2/others ? #241[C]: [|#139]
> (len mismatch: isakmp 1992383718/ip 126)
> 21:11:17.563396 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
> proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
> cksum] isakmp 12.14 msgid  cookie ->: phase 2/others ? #135[]: [|#201]
> (len mismatch: isakmp 3582546107/ip 126)
> 21:11:18.563258 IP (tos 0x0, ttl  64, id 1258, offset 0, flags [DF],
> proto 17, length: 154) 192.168.5.2.isakmp > vallfogona.isakmp: [no
> cksum] isakmp 11.3 msgid  cookie ->: phase 2/others ? #45[C]: [|sig]
> (len mismatch: isakmp 176508591/ip 126)
> ....
>
> Does anyone know what this means? What is intended for IKE phase 2? And
> what could be the reason for the constant len mismatch errors? When packets
> reach the remote end (branch office) they are discarded.
>
> Thanks in advance
> Albert Agustí
>

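Paul's reading above, that the peers fell back to the 00/01 NAT-T drafts and so carry UDP-encapsulated ESP on port 500 where tcpdump decodes it as ISAKMP (hence "isakmp 4.4", "isakmp 12.14" and the "len mismatch" lines), can be checked on a datagram with a small classifier. This is an added example, not code from Openswan or from anyone in the thread; the sample bytes are constructed, the function and constant names are my own, and the port-500 test is a plausibility heuristic, not a protocol rule.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message id, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 marker in front of IKE on UDP 4500


def parse_isakmp_header(payload):
    """Return the ISAKMP header fields, or None if the payload is too short."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    _, _, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    return {"major": ver >> 4, "minor": ver & 0x0F, "exchange": xchg,
            "flags": flags, "msgid": msgid, "length": length}


def classify_nat_t_payload(payload, udp_port=500):
    """Classify one UDP payload on an IKE/NAT-T port as IKE or UDP-encapsulated ESP.

    Port 500 (draft-00/01 behaviour): ESP shares the port with IKE, so require a
    plausible IKEv1 header (version 1.0, length field == datagram length); anything
    else is ESP, whose SPI/sequence tcpdump misreads as IKE cookies.
    Port 4500 (RFC 3948): IKE is prefixed with a four-byte zero non-ESP marker.
    """
    if len(payload) < 8:
        return ("short", {})
    if udp_port == 4500:
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp_header(payload[4:])
            return ("ike", hdr) if hdr else ("short", {})
        spi, seq = struct.unpack_from("!II", payload)
        return ("udp-encap-esp", {"spi": spi, "seq": seq})
    hdr = parse_isakmp_header(payload)
    if hdr and hdr["major"] == 1 and hdr["minor"] == 0 and hdr["length"] == len(payload):
        return ("ike", hdr)
    spi, seq = struct.unpack_from("!II", payload)
    misread = f"{hdr['major']}.{hdr['minor']}" if hdr else "?"   # what tcpdump would print
    return ("udp-encap-esp", {"spi": spi, "seq": seq, "misdecoded_version": misread,
                              "len_mismatch": (hdr["length"] if hdr else None, len(payload))})


# Constructed samples, not captured traffic.  The ESP one mirrors the first tcpdump
# line in the thread: outbound SPI 0x5a9852fe from the established SA, a 0x44 byte
# where the version would sit (so "isakmp 4.4"), bogus length 1992383718, 126 bytes.
IKE_SAMPLE = ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8, 8, 0x10, 32, 1, 0x1234, 128) + b"\x00" * 100
ESP_SAMPLE = (struct.pack("!II", 0x5A9852FE, 1) + b"\x00" * 8
              + bytes([0x0B, 0x44, 0x21, 0xC0]) + struct.pack("!II", 1, 1992383718)
              + b"\xAA" * 98)
```

Running the classifier over the datagrams tcpdump flagged would show ESP on port 500 rather than IKE phase 2 traffic, which is consistent with Paul's explanation rather than a broken IKE exchange.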