[Openswan Users] is this a known problem with NAT-T negotiation?

Xiaoming Yu xiaoming at us.ibm.com
Wed Jul 21 16:20:09 CEST 2004


Folks:

I have set up a very simple host to host scenario, with openswan on Linux
kernel 2.6 as the client and an IBM server as the server. When I connected
without NAT, everything worked fine. When I put a NAT box in front of the
Linux client, the tunnel cannot be established. The log (attached below) on the
Linux side looks very similar to the one without NAT. After sending the
last Quick Mode message, Linux thinks the mission is accomplished.

Then I found the server didn't think so. Reading the server side trace, I
found it didn't receive the last Quick Mode message. For the last port
4500 packet, the non-ESP marker is not there, so it is regarded as a UDP
encapsulated packet. Then I came back to the client side and ran a comm trace
(with Ethereal). Then it was obvious: I saw 5 IKE packets with port 4500 (the
first 2 are Main Mode messages after it switched from 500 to 4500), then
the next two are the first two for Quick Mode. Then the last one, supposed to
be the last Quick Mode message sent to the server, showed up in Ethereal
as a UDP encapsulated ESP packet. So it is indeed Linux that didn't finish the
job. But according to the log, at least it intended to send the correct
message.

I am not attaching more docs, such as the configuration file. Hopefully this
problem rings a bell for somebody. If you need more info, please let me
know.

[root at vpn-lab etc]# ipsec auto --verbose --up test
002 "test" #1: initiating Main Mode
104 "test" #1: STATE_MAIN_I1: initiate
003 "test" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
002 "test" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
002 "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "test" #1: Peer ID is ID_IPV4_ADDR: '9.5.56.175'
002 "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
002 "test" #1: ISAKMP SA established
004 "test" #1: STATE_MAIN_I4: ISAKMP SA established
002 "test" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP {using isakmp#1}
112 "test" #2: STATE_QUICK_I1: initiate
002 "test" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
003 "test" #2: NAT-Traversal: received 1 NAT-OA. ignored because peer is not NATed
002 "test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
002 "test" #2: sent QI2, IPsec SA established {ESP=>0x2b8c2d59 <0x48850f79}
004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2b8c2d59 <0x48850f79}


Xiaoming
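The misclassification described in the post (an IKE message sent on UDP/4500 without the four-byte non-ESP marker is read by the peer as UDP-encapsulated ESP, per RFC 3948 framing) as an added example; this is not code from the original post or from Openswan, and the packets, cookies and message ids are constructed placeholders:

```python
"""Classify UDP/4500 payloads the way a NAT-T peer does (RFC 3948 framing).

Added example, not from the original post or Openswan. All sample packets
are constructed; cookies, message id and SPI values are placeholders.
"""
import struct

# Four zero bytes in front of an ISAKMP header say "this is IKE, not ESP";
# an ESP SPI of zero is reserved, so the two cannot be confused when present.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP header: iCookie(8) rCookie(8) nextPayload version exchType flags msgId(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
QUICK_MODE = 32        # ISAKMP exchange type for Quick Mode
NAT_KEEPALIVE = b"\xff"


def classify_udp4500(payload: bytes) -> str:
    """Return how a receiver interprets a UDP/4500 payload from its first bytes.

    A single 0xFF byte is a NAT-keepalive; four zero bytes mean an IKE
    message follows; anything else is taken as UDP-encapsulated ESP whose
    first four bytes are the SPI. There is no other signal, so an IKE
    message that forgets the marker is silently fed to the ESP path.
    """
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 4 + ISAKMP_HDR.size and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:          # ESP needs at least SPI + sequence number
        return "esp"
    return "malformed"


def build_ike_on_4500(exchange_type: int, body: bytes, with_marker: bool) -> bytes:
    """Construct an ISAKMP message as it would appear inside UDP/4500.

    with_marker=False reproduces the defect from the post: the datagram
    starts with the (non-zero) initiator cookie, which the peer reads as an
    ESP SPI.
    """
    hdr = ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8,      # placeholder cookies
                          8, 0x10, exchange_type, 0x01,  # next=HASH, v1.0, encrypted
                          0x1234, ISAKMP_HDR.size + len(body))
    msg = hdr + body
    return NON_ESP_MARKER + msg if with_marker else msg


def misread_spi(payload: bytes) -> int:
    """SPI the ESP path would extract from a marker-less IKE message."""
    return struct.unpack("!I", payload[:4])[0]
```

Running `classify_udp4500` over the two framings of the same Quick Mode message shows the only difference the peer can observe: with the marker it is IKE, without it the cookie bytes become a bogus ESP SPI.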
