[Openswan Users] Any known problems with NAT Traversal with Linux 2.4.26/2.6.7?

Toby Corkindale openswan at wintrmute.net
Wed Jul 21 13:51:03 CEST 2004


On Wed, Jul 21, 2004 at 09:21:17PM +1000, Herbert Xu wrote:
> Toby Corkindale <openswan at wintrmute.net> wrote:
> >
> > pluto[2850]: packet from 192.168.2.11:4500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
> > pluto[2850]: "roadwarrior"[4] 193.30.123.321:4500 #7: max number of retransmissions (2) reached STATE_QUICK_R1
> > 
> > 
> > Now, look at the second-to-last line there - notice how the packet has come
> > from the NATed host's *internal* address, whereas all the previous packets
> > were from the external address.
> > 
> > Do you think that might have something to do with the problem?
> 
> Quite likely.  Please take a tcpdump on the server side and show us
> what it says.

Thanks.
Here's a dump - let me know if you'd like more info.

The server side:
# tcpdump -i ppp0 -n host 193.30.123.243
12:50:22.262861 IP 193.30.123.243.500 > 123.158.235.14.500: [|isakmp]
12:50:22.499600 IP 123.158.235.14.500 > 193.30.123.243.500: [|isakmp]
12:50:22.603009 IP 193.30.123.243.500 > 123.158.235.14.500: [|isakmp]
12:50:22.839675 IP 123.158.235.14.500 > 193.30.123.243.500: [|isakmp]
12:50:22.977777 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 1376 
12:50:23.159567 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 80
12:50:23.159583 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 1288
12:50:23.305504 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 416
12:50:23.459692 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 384
12:50:23.808600 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 116
12:50:34.289547 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 384
12:50:42.892514 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 60
12:50:53.879619 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 384
12:51:02.890331 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 60

Is that detailed enough?


Here's a dump from the machine that is behind the NAT firewall:
12:37:55.883997 IP 192.168.2.11.500 > 123.158.235.14.500: [|isakmp]
12:37:56.200556 IP 123.158.235.14.500 > 192.168.2.11.500: [|isakmp]
12:37:56.225694 IP 192.168.2.11.500 > 123.158.235.14.500: [|isakmp]
12:37:56.566243 IP 123.158.235.14.500 > 192.168.2.11.500: [|isakmp]
12:37:56.595539 IP 192.168.2.11.4500 > 123.158.235.14.4500: UDP, length: 1376
12:37:56.859302 IP 123.158.235.14.4500 > 192.168.2.11.4500: UDP, length: 80
12:37:56.901981 IP 123.158.235.14.4500 > 192.168.2.11.4500: UDP, length: 1288
12:37:56.927733 IP 192.168.2.11.4500 > 123.158.235.14.4500: UDP, length: 416
12:37:57.157504 IP 123.158.235.14.4500 > 192.168.2.11.4500: UDP, length: 384
12:37:57.432248 IP 192.168.2.11.4500 > 123.158.235.14.4500: UDP, length: 116


The details printed to the terminal on the client (NAT) side are:
# ipsec auto --up to-home
104 "work-to-home" #1: STATE_MAIN_I1: initiate
003 "work-to-home" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "work-to-home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "work-to-home" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "work-to-home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "work-to-home" #1: STATE_MAIN_I4: ISAKMP SA established
112 "work-to-home" #2: STATE_QUICK_I1: initiate
004 "work-to-home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8d4ea280 <0xeddeacdd IPCOMP=>0x0000a408 <0x0000e654}


-Toby


-- 
Turning and turning in the widening gyre/The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold/Mere anarchy is loosed upon the world
(gpg --keyserver www.co.uk.pgp.net --recv-key 897E5FF3)
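The captures above can be checked mechanically. What follows is an added example, not code from the original post or from Openswan: a small parser for `tcpdump -n` lines that counts the Main Mode packets on UDP/500, records where IKE floated to UDP/4500 (the NAT-T "i am NATed" result), flags any peer whose address is RFC 1918 space (what the pluto line "packet from 192.168.2.11:4500" implies the server saw), and lists flows in which a packet of the same size repeats, which in the server dump are the 384-byte QUICK_R1 packets whose two retransmissions match "max number of retransmissions (2) reached". The two sample dumps are the ones from the post; the final `CONSTRUCTED_UNNATTED` line is constructed, and the function and field names are this example's own.

```python
# Added example (not the post's or Openswan's code): inspect tcpdump output of an
# IKE/NAT-T exchange for the port float, RFC1918 peers and repeated packets.
import ipaddress
import re
from datetime import datetime

# Matches "HH:MM:SS.ffffff IP a.b.c.d.PORT > e.f.g.h.PORT: <rest>" as printed by tcpdump -n.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length:? (\d+)")

# Server-side capture from the post (tcpdump -i ppp0 -n host 193.30.123.243).
SERVER_DUMP = """
12:50:22.262861 IP 193.30.123.243.500 > 123.158.235.14.500: [|isakmp]
12:50:22.499600 IP 123.158.235.14.500 > 193.30.123.243.500: [|isakmp]
12:50:22.603009 IP 193.30.123.243.500 > 123.158.235.14.500: [|isakmp]
12:50:22.839675 IP 123.158.235.14.500 > 193.30.123.243.500: [|isakmp]
12:50:22.977777 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 1376
12:50:23.159567 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 80
12:50:23.159583 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 1288
12:50:23.305504 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 416
12:50:23.459692 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 384
12:50:23.808600 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 116
12:50:34.289547 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 384
12:50:42.892514 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 60
12:50:53.879619 IP 123.158.235.14.4500 > 193.30.123.243.4500: UDP, length: 384
12:51:02.890331 IP 193.30.123.243.4500 > 123.158.235.14.4500: UDP, length: 60
"""

# Client-side capture from the post (host behind the NAT).
CLIENT_DUMP = """
12:37:55.883997 IP 192.168.2.11.500 > 123.158.235.14.500: [|isakmp]
12:37:56.200556 IP 123.158.235.14.500 > 192.168.2.11.500: [|isakmp]
12:37:56.225694 IP 192.168.2.11.500 > 123.158.235.14.500: [|isakmp]
12:37:56.566243 IP 123.158.235.14.500 > 192.168.2.11.500: [|isakmp]
12:37:56.595539 IP 192.168.2.11.4500 > 123.158.235.14.4500: UDP, length: 1376
12:37:56.859302 IP 123.158.235.14.4500 > 192.168.2.11.4500: UDP, length: 80
12:37:56.901981 IP 123.158.235.14.4500 > 192.168.2.11.4500: UDP, length: 1288
12:37:56.927733 IP 192.168.2.11.4500 > 123.158.235.14.4500: UDP, length: 416
12:37:57.157504 IP 123.158.235.14.4500 > 192.168.2.11.4500: UDP, length: 384
12:37:57.432248 IP 192.168.2.11.4500 > 123.158.235.14.4500: UDP, length: 116
"""

# Constructed line (not in the post): what a server-side capture would contain if a
# packet reached the server with the client's internal address as source.
CONSTRUCTED_UNNATTED = "12:50:42.000000 IP 192.168.2.11.4500 > 123.158.235.14.4500: UDP, length: 60"


def parse_line(line):
    """Return a dict for one tcpdump line, or None for lines that are not IP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    length = LEN_RE.search(m["rest"])
    return {
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        # "[|isakmp]" lines carry no length field; tcpdump truncated the decode.
        "len": int(length.group(1)) if length else None,
    }


def analyze(lines, local_ip):
    """local_ip is the capturing host's own address; the other end of each packet is the peer."""
    report = {"ike_500": 0, "natt_4500": 0, "float_at": None,
              "private_peers": [], "repeated": []}
    flows = {}  # (src, sport, dst, dport, len) -> timestamps, in order of first appearance
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["sport"] == 500 and p["dport"] == 500:
            report["ike_500"] += 1
        elif p["sport"] == 4500 and p["dport"] == 4500:
            report["natt_4500"] += 1
            if report["float_at"] is None:  # first UDP-encapsulated IKE packet
                report["float_at"] = p["ts"].strftime("%H:%M:%S.%f")
        peer = p["dst"] if p["src"] == local_ip else p["src"]
        if ipaddress.ip_address(peer).is_private and peer not in report["private_peers"]:
            report["private_peers"].append(peer)
        if p["len"] is not None:
            flows.setdefault((p["src"], p["sport"], p["dst"], p["dport"], p["len"]), []).append(p["ts"])
    # Same endpoints and same size seen more than once: a heuristic for retransmits.
    for (src, sport, dst, dport, length), stamps in flows.items():
        if len(stamps) > 1:
            report["repeated"].append({
                "flow": f"{src}:{sport} > {dst}:{dport}", "len": length, "count": len(stamps),
                "gaps_s": [round((b - a).total_seconds(), 1) for a, b in zip(stamps, stamps[1:])],
            })
    return report


if __name__ == "__main__":
    print(analyze(SERVER_DUMP.splitlines(), "123.158.235.14"))
    print(analyze(CLIENT_DUMP.splitlines(), "192.168.2.11"))
    print(analyze(SERVER_DUMP.splitlines() + [CONSTRUCTED_UNNATTED], "123.158.235.14"))
```

One caveat when using this on the server side: the capture in the post was taken with `host 193.30.123.243`, so a packet whose source really was 192.168.2.11 would never appear in it, and the `private_peers` check would stay empty even if the pluto log is right. Capture with a filter on the ports instead (for example `udp port 500 or udp port 4500`) so that an un-NATed packet is not filtered out before it can be seen.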