[Openswan Users] Any known problems with NAT Traversal with
Linux 2.4.26/2.6.7?
Toby Corkindale
openswan at wintrmute.net
Wed Jul 21 15:31:24 CEST 2004
On Wed, Jul 21, 2004 at 10:23:51PM +1000, Herbert Xu wrote:
[snip]
> OK so the packet is correct when it arrived.
>
> Please strace pluto by attaching to it with strace -fp and then
> attempt the above connection again. You should look out for
> the last recvfrom before the
>
> Quick Mode message is for a non-existent (expired?) ISAKMP SA
> message.
>
> This should tell us whether pluto is getting the private IP or not.
Looks like this:
select(12, [4 6 9 10 11], [], NULL, {10, 0}) = 1 (in [11], left {9, 350000})
poll([{fd=11, events=POLLIN|POLLPRI|POLLOUT, revents=POLLIN|POLLOUT}], 1, -1) = 1
recvfrom(11, "\0\0\0\0\177\215\363\241\321\303\225m\356\364GN\307\27"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(4500), sin_addr=inet_addr("192.168.2.11")}, [16]) = 56
time([1090416483]) = 1090416483
getpid() = 2850
rt_sigaction(SIGPIPE, {0x40115c60, [], SA_RESTORER, 0x40079dc8}, {SIG_IGN}, 8) = 0
send(3, "<84>Jul 21 14:28:03 pluto[2850]:"..., 126, 0) = 126
And the corresponding log:
Jul 21 14:28:02 penfold pluto[2850]: "roadwarrior"[14] 193.30.123.243:4500 #25: transition from state (null) to state STATE_QUICK_R1
Jul 21 14:28:03 penfold pluto[2850]: packet from 192.168.2.11:4500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jul 21 14:29:27 penfold pluto[2850]: "roadwarrior"[14] 193.30.123.243:4500 #25:
max number of retransmissions (2) reached STATE_QUICK_R1
Note that the time matches up for the "Quick mode message is ..."
> If it is seeing a private IP then please show us the output of
> cat /proc/net/ip_conntrack on the server immeidately after the
> above failure. Please also include the output of
> iptables -t nat -vnL.
How immediate is "immediately"?
A couple of minutes later, I still see this present:
udp 17 161 src=193.30.123.243 dst=123.158.235.14 sport=4500 dport=4500 src=123.158.235.14 dst=193.30.123.243 sport=4500 dport=4500 [ASSURED] use=1
(That was after grepping for the remote IP (193.30.123.243)- I have removed
the rest, which I believe are unrelated lines, as the server is quite busy and
ip_conntrack is quite long)
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 14235 packets, 773K bytes)
pkts bytes target prot opt in out source destination
1552 81536 REVERSENAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:64000:64999
0 0 REVERSENAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:64000:64999
Chain POSTROUTING (policy ACCEPT 2907 packets, 198K bytes)
pkts bytes target prot opt in out source destination
421 21903 MASQUERADE all -- * ppp0 10.0.0.0/8 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain REVERSENAT (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:63000:63099 to:10.23.1.4
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:63000:63099 to:10.23.1.4
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:63100:63199 to:10.23.1.9
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:63100:63199 to:10.23.1.9
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:63200:63299 to:10.23.1.50
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:63200:63299 to:10.23.1.50
1552 81536 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:63300:63399 to:10.23.1.10
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:63300:63399 to:10.23.1.10
If it's useful to know:
This server is running kernel 2.4.26 w/OpenSwan KLIPS 2.1.4, and includes the
NAT-T kernel patch.
Any ideas?
Thanks for helping,
Toby
--
Turning and turning in the widening gyre/The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold/Mere anarchy is loosed upon the world
(gpg --keyserver www.co.uk.pgp.net --recv-key 897E5FF3)
More information about the Users
mailing list