[Openswan Users] OpenSwan, Windows, NAT-t, L2TP, not working.
Valentí Jové
vjove at genos.accio.com
Wed Jul 7 20:26:30 CEST 2004
Hi,
I'm trying to configure an IPsec/L2TP tunnel between a FreeSwan/Openswan Linux box
and a Windows roadwarrior; both of them are NATed.
The IP map is:
Windows -------- Router 1 -------- Router 2 ---------- Swan box
192.168.13.8 --- 192.168.13.50 --- 192.168.12.50 ----- 192.168.12.8
The IPsec tunnel works correctly, but then the Windows client sends the L2TP
packets through the IPsec tunnel (UDP packets, port 1701), and they never reach
the l2tpd daemon, although they do reach the Linux box, as you can see from the
following log.
Jul 7 14:56:11 satellite kernel: PREROUTING mangle IN=eth1 OUT=
MAC=00:10:5a:92:9f:27:00:02:3f:b1:78:24:08:00 SRC=192.168.12.50
DST=192.168.12.55 LEN=135 TOS=0x00 PREC=0x00 TTL=127 ID=4264 PROTO=UDP SPT=1701
DPT=1701 LEN=115
Jul 7 14:56:11 satellite kernel: PREROUTING nat IN=eth1 OUT=
MAC=00:10:5a:92:9f:27:00:02:3f:b1:78:24:08:00 SRC=192.168.12.50
DST=192.168.12.55 LEN=135 TOS=0x00 PREC=0x00 TTL=127 ID=4264 PROTO=UDP SPT=1701
DPT=1701 LEN=115
Jul 7 14:56:11 satellite kernel: INPUT mangle IN=eth1 OUT=
MAC=00:10:5a:92:9f:27:00:02:3f:b1:78:24:08:00 SRC=192.168.12.50
DST=192.168.12.55 LEN=135 TOS=0x00 PREC=0x00 TTL=127 ID=4264 PROTO=UDP SPT=1701
DPT=1701 LEN=115
Jul 7 14:56:11 satellite kernel: INPUT IN=eth1 OUT=
MAC=00:10:5a:92:9f:27:00:02:3f:b1:78:24:08:00 SRC=192.168.12.50
DST=192.168.12.55 LEN=135 TOS=0x00 PREC=0x00 TTL=127 ID=4264 PROTO=UDP SPT=1701
DPT=1701 LEN=115
This is kernel 2.6, and we've tried with patched vanilla kernels, Suse kernels,
openswan, freeswan, Suse FreeSwan RPMs, etc. etc., all of them with same
results.
We believe the SPD rules are wrong, but we don't know how to change them or how
to make pluto set them properly, because L2TP packets go from SRC=192.168.12.50
to DST=192.168.12.55, but the SPD allows 192.168.12.50[1701] 192.168.13.50[1701].
Is this assumption correct?
Anyone? Any clue?
Thank you,
Valentí
# setkey -PD
192.168.12.50[1701] 192.168.13.50[1701] udp
in ipsec
esp/transport//unique#16393
created: Jul 7 15:10:40 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1568 seq=9 pid=20500
refcnt=1
192.168.13.50[1701] 192.168.12.50[1701] udp
out ipsec
esp/transport//unique#16393
created: Jul 7 15:10:40 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1577 seq=8 pid=20500
refcnt=1
....
# setkey -D
192.168.12.55[4500] 192.168.12.50[4500]
esp-udp mode=transport spi=317968056(0x12f3ceb8) reqid=16489(0x00004069)
E: 3des-cbc 759de3f7 08f8b37c 03b33816 caf656b9 4a024180 d3428cd1
A: hmac-md5 03cea3e9 171150f8 b85d590a c6299076
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Jul 7 14:58:48 2004 current: Jul 7 14:58:49 2004
diff: 1(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=19598 refcnt=0
192.168.12.50[4500] 192.168.12.55[4500]
esp-udp mode=transport spi=570057633(0x21fa63a1) reqid=16489(0x00004069)
E: 3des-cbc 1ba017ad 57cc9468 13720480 8d59ff9d 0ff067fe 4716acb7
A: hmac-md5 29bd9b82 38214549 900d2aee 5b24cc83
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Jul 7 14:58:48 2004 current: Jul 7 14:58:49 2004
diff: 1(s) hard: 0(s) soft: 0(s)
last: Jul 7 14:58:48 2004 hard: 0(s) soft: 0(s)
current: 115(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=0 pid=19598 refcnt=0
/var/log/messages
Jul 7 18:55:59 satellite pluto[2822]: Starting Pluto (FreeS/WAN Version 2.04
X.509-1.5.4 LIBCURL PLUTO_USES_KEYRR)
Jul 7 18:55:59 satellite pluto[2822]: including NAT-Traversal patch (Version
0.6)
Jul 7 18:55:59 satellite pluto[2822]: Using Linux 2.6 IPsec interface code
Jul 7 18:56:00 satellite pluto[2822]: Changing to directory
'/etc/ipsec.d/cacerts'
Jul 7 18:56:00 satellite pluto[2822]: loaded CA cert file 'cacert.pem' (940
bytes)
Jul 7 18:56:00 satellite pluto[2822]: Could not change to directory
'/etc/ipsec.d/aacerts'
Jul 7 18:56:00 satellite pluto[2822]: Could not change to directory
'/etc/ipsec.d/ocspcerts'
Jul 7 18:56:00 satellite pluto[2822]: Changing to directory '/etc/ipsec.d/crls'
Jul 7 18:56:00 satellite pluto[2822]: loaded crl file 'crl.pem' (402 bytes)
Jul 7 18:56:01 satellite pluto[2822]: loaded host cert file
'/etc/ipsec.d/certs/satellite.genos.intranet.pem' (3091 bytes)
Jul 7 18:56:01 satellite pluto[2822]: added connection description "rw"
Jul 7 18:56:01 satellite pluto[2822]: listening for IKE messages
Jul 7 18:56:01 satellite pluto[2822]: adding interface eth1/eth1 192.168.12.55
Jul 7 18:56:01 satellite pluto[2822]: adding interface eth1/eth1
192.168.12.55:4500
Jul 7 18:56:01 satellite pluto[2822]: adding interface eth0/eth0 192.168.11.55
Jul 7 18:56:01 satellite pluto[2822]: adding interface eth0/eth0
192.168.11.55:4500
Jul 7 18:56:01 satellite pluto[2822]: adding interface lo/lo 127.0.0.1
Jul 7 18:56:01 satellite pluto[2822]: adding interface lo/lo 127.0.0.1:4500
Jul 7 18:56:01 satellite pluto[2822]: adding interface lo/lo ::1
Jul 7 18:56:01 satellite pluto[2822]: adding interface lo/lo ::1:4500
Jul 7 18:56:01 satellite pluto[2822]: loading secrets from "/etc/ipsec.secrets"
Jul 7 18:56:01 satellite pluto[2822]: loaded private key file
'/etc/ipsec.d/private/satellite.genos.intranet.key' (963 bytes)
Jul 7 18:56:03 satellite pluto[2822]: packet from 192.168.13.52:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Jul 7 18:56:03 satellite pluto[2822]: packet from 192.168.13.52:500: ignoring
Vendor ID payload [FRAGMENTATION]
Jul 7 18:56:03 satellite pluto[2822]: packet from 192.168.13.52:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 7 18:56:03 satellite pluto[2822]: "rw"[1] 192.168.13.52 #1: responding to
Main Mode from unknown peer 192.168.13.52
Jul 7 18:56:03 satellite pluto[2822]: "rw"[1] 192.168.13.52 #1: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
Jul 7 18:56:03 satellite pluto[2822]: "rw"[1] 192.168.13.52 #1: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 7 18:56:03 satellite pluto[2822]: "rw"[1] 192.168.13.52 #1: Peer ID is
ID_DER_ASN1_DN: 'C=ES, ST=Spain, O=Genos, CN=Genos'
Jul 7 18:56:03 satellite pluto[2822]: "rw"[2] 192.168.13.52 #1: deleting
connection "rw" instance with peer 192.168.13.52 {isakmp=#0/ipsec=#0}
Jul 7 18:56:03 satellite pluto[2822]: | NAT-T: new mapping
192.168.13.52:500/4500)
Jul 7 18:56:03 satellite pluto[2822]: "rw"[2] 192.168.13.52:4500 #1: sent MR3,
ISAKMP SA established
Jul 7 18:56:03 satellite pluto[2822]: "rw"[2] 192.168.13.52:4500 #2: responding
to Quick Mode
Jul 7 18:56:04 satellite pluto[2822]: "rw"[2] 192.168.13.52:4500 #2: IPsec SA
established {ESP=>0x6c4a8195 <0x92230387}
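An added diagnostic check, not from the post or from Openswan/FreeS/WAN: it parses the two `setkey -PD` policy entries and the kernel LOG line quoted above and reports whether the inbound UDP/1701 packet would select any inbound SPD policy, and which selector field is off. The function names and the abbreviated samples are this example's own.

```python
"""Match a logged packet against SPD entries printed by `setkey -PD`."""
import re

# setkey -PD output as quoted in the post (constructed, abbreviated sample).
SETKEY_PD = """\
192.168.12.50[1701] 192.168.13.50[1701] udp
    in ipsec
    esp/transport//unique#16393
192.168.13.50[1701] 192.168.12.50[1701] udp
    out ipsec
    esp/transport//unique#16393
"""

# Netfilter LOG line from the post (constructed, abbreviated sample).
KLOG = ("INPUT IN=eth1 OUT= SRC=192.168.12.50 DST=192.168.12.55 "
        "PROTO=UDP SPT=1701 DPT=1701")

_POLICY_RE = re.compile(
    r"^(?P<src>[\d.]+)\[(?P<sport>\d+)\] (?P<dst>[\d.]+)\[(?P<dport>\d+)\] "
    r"(?P<proto>\w+)$")

SELECTOR_KEYS = ("src", "sport", "dst", "dport", "proto")


def parse_spd(text):
    """Return one dict per policy: selector fields plus 'dir' (in/out)."""
    policies = []
    for line in text.splitlines():
        m = _POLICY_RE.match(line.strip())
        if m:
            policies.append(m.groupdict())
        elif policies and line.strip().split()[:1] in (["in"], ["out"]):
            policies[-1]["dir"] = line.split()[0]   # direction line follows the selector
    return policies


def parse_klog(line):
    """Extract the 5-tuple from a netfilter LOG line (KEY=value fields)."""
    f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return {"src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"].lower(),
            "sport": f["SPT"], "dport": f["DPT"]}


def mismatch_fields(packet, policy):
    """Selector fields of `policy` that differ from `packet`."""
    return {k for k in SELECTOR_KEYS if policy[k] != packet[k]}


def matching_policies(packet, policies, direction):
    """Policies in `direction` whose selector fully matches `packet`."""
    return [p for p in policies
            if p.get("dir") == direction and not mismatch_fields(packet, p)]
```

For the quoted data the inbound policy differs from the logged packet only in `dst` (192.168.13.50 in the SPD versus 192.168.12.55 on the wire), which is the mismatch the post suspects.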