[Openswan Users] WinXP with Certificates and NAT-T

Leonard Tulipan l.tulipan at mpwi.at
Fri Jun 4 12:17:37 CEST 2004


So, I am at it again, trying IPsec with X.509 certs and XP as
client, but I can't get it to work.

==========
Setup:
==========

WinXP IBM NB with Marcus Müller's ipsec tool
192.168.0.151/24
  |
Linux Firewall (60.60.60.60)
  |
Internet
  |
Linux Firewall with Superfreeswan 2.03 (200.200.200.200)
  |
192.168.118.0/24 Network

The FreeS/WAN Linux box has a new kernel with NAT-T compiled in. This
was holding me back before, since that firewall is in a remote location
and I didn't want to compile a new kernel remotely (I did, and it even
worked :-)

==========
Configs:
==========

-- ipsec.conf on the IBM NB
conn lan_roadwarrior
      left=%any
      right=200.200.200.200
      rightsubnet=192.168.118.0/255.255.255.0
      rightca="CN=VPN,O=Schneller Scharau 5th Mind,L=Wien,C=AT"
      network=lan
      auto=start
      pfs=yes

conn ras_roadwarrior
      left=%any
      right=200.200.200.200
      rightsubnet=192.168.118.0/255.255.255.0
      authby=secret
      type=tunnel
      presharedkey=BLABLABLA
      network=ras
      auto=start
      pfs=yes
-- ipsec.conf IBM END --

-- ipsec.conf on the Firewall
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=GatewayCert.pem

# OE policy groups are disabled by default
conn block
        auto=ignore

conn clear
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn packetdefault
        auto=ignore

conn nat_t_nb_test
        right=%any
        left=%defaultroute
        leftsubnet=192.168.118.0/24
        rightsubnet=192.168.0.151/32
        rightcert=RoadWarrior1Cert.pem
        authby=rsasig
        leftcert=GatewayCert.pem
        auto=add
        pfs=yes
        leftupdown=/usr/local/lib/ipsec/_updown_ncp
-- ipsec.conf Firewall END --

==========
Logs:
==========

Packets on Firewall 60.60.60.60:
tcpdump -n -i any host 200.200.200.200 and not port 22
11:01:45.361586 60.60.60.60.isakmp > 200.200.200.200.isakmp: isakmp: 
phase 1 ? ident: [|ke]
11:01:45.447109 200.200.200.200.isakmp > 60.60.60.60.isakmp: isakmp: 
phase 1 R ident: [|ke] (DF)
11:01:45.447249 200.200.200.200.isakmp > 192.168.0.151.isakmp: isakmp: 
phase 1 R ident: [|ke] (DF)
11:01:45.899193 192.168.0.151.4500 > 200.200.200.200.4500:  udp 88

Packets on Firewall 200.200.200.200:
tcpdump -n -i any host 60.60.60.60 and not port 22
11:03:52.953533 200.200.200.200.isakmp > 60.60.60.60.isakmp: isakmp: 
phase 1 R ident: [|ke] (DF)
11:04:02.953550 200.200.200.200.isakmp > 60.60.60.60.isakmp: isakmp: 
phase 1 R ident: [|ke] (DF)
11:04:22.953365 200.200.200.200.isakmp > 60.60.60.60.isakmp: isakmp: 
phase 1 R ident: [|ke] (DF)

Apparently I do not see the packets on UDP port 4500. Somehow they elude
the tcpdump tool.

These are the relevant VPN Log entries:
Jun  4 11:00:06 firewall pluto[27533]: Starting Pluto (FreeS/WAN Version 
sfs-2.03 X.509-1.4.8 PLUTO_USES_KEYRR)
Jun  4 11:00:06 firewall pluto[27533]:   including NAT-Traversal patch 
(Version 0.6b)
Jun  4 11:00:06 firewall pluto[27533]: Using KLIPS IPsec interface code
Jun  4 11:00:06 firewall pluto[27533]: Changing to directory 
'/etc/ipsec.d/cacerts'
Jun  4 11:00:06 firewall pluto[27533]:   loaded cacert file 'cacert.pem' 
(1180 bytes)
Jun  4 11:00:06 firewall pluto[27533]: Changing to directory 
'/etc/ipsec.d/crls'
Jun  4 11:00:06 firewall pluto[27533]:   loaded crl file 'crl.pem' (633 
bytes)
Jun  4 11:00:06 firewall pluto[27533]:   loaded host cert file 
'/etc/ipsec.d/certs/GatewayCert.pem' (1005 bytes)
Jun  4 11:00:06 firewall pluto[27533]:   loaded host cert file 
'/etc/ipsec.d/certs/RoadWarrior1Cert.pem' (1009 bytes)
Jun  4 11:00:06 firewall pluto[27533]: added connection description 
"nat_t_nb_test"
Jun  4 11:00:07 firewall pluto[27533]: listening for IKE messages
Jun  4 11:00:07 firewall pluto[27533]: adding interface ipsec0/ppp0 
200.200.200.200
Jun  4 11:00:07 firewall pluto[27533]: adding interface ipsec0/ppp0 
200.200.200.200:4500
Jun  4 11:00:07 firewall pluto[27533]: loading secrets from 
"/etc/ipsec.secrets"
Jun  4 11:00:07 firewall pluto[27533]:   loaded private key file 
'/etc/ipsec.d/private/GatewayKey.pem' (963 bytes)
Jun  4 11:01:39 firewall pluto[27533]: packet from 60.60.60.60:500: 
ignoring Delete SA payload: not encrypted
Jun  4 11:01:45 firewall pluto[27533]: packet from 60.60.60.60:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun  4 11:01:45 firewall pluto[27533]: packet from 60.60.60.60:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Jun  4 11:01:45 firewall pluto[27533]: packet from 60.60.60.60:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun  4 11:01:45 firewall pluto[27533]: packet from 60.60.60.60:500: 
ignoring Vendor ID payload [26244d38eddb61b3...]
Jun  4 11:01:45 firewall pluto[27533]: "nat_t_nb_test"[1] 60.60.60.60 
#1: responding to Main Mode from unknown peer 60.60.60.60
Jun  4 11:01:45 firewall pluto[27533]: "nat_t_nb_test"[1] 60.60.60.60 
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer 
is NATed
Jun  4 11:02:55 firewall pluto[27533]: "nat_t_nb_test"[1] 60.60.60.60 
#1: max number of retransmissions (2) reached STATE_MAIN_R2
Jun  4 11:02:55 firewall pluto[27533]: "nat_t_nb_test"[1] 60.60.60.60: 
deleting connection "nat_t_nb_test" instance with peer 60.60.60.60 
{isakmp=#0/ipsec=#0}

==========
Questions:
==========

So, why does this connection fail? Why doesn't it authenticate itself?
The two certificates are in the proper locations on the NB (done with 
mmc). Linux seems to load all relevant certificates.

Any ideas for me?

Cheers
Leonard
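A small correlation script, added here as an illustration and not part of Leonard's post or of Openswan, that parses the tcpdump lines and pluto messages quoted above and checks whether the peer's floated UDP 4500 traffic was ever seen at the capture point. The sample lines and the gateway address are taken from the post; the port-float detail (the initiator moves to UDP 4500 from MI3 on once both sides agree the peer is NATed) is from the draft-ietf-ipsec-nat-t-ike-02/03 behaviour pluto reports.

```python
import re

# Constructed sample input, copied from the captures and pluto messages in the post.
# Gateway side: only the responder's own port-500 retransmissions are seen.
GATEWAY_TCPDUMP = """\
11:03:52.953533 200.200.200.200.isakmp > 60.60.60.60.isakmp: isakmp: phase 1 R ident: [|ke] (DF)
11:04:02.953550 200.200.200.200.isakmp > 60.60.60.60.isakmp: isakmp: phase 1 R ident: [|ke] (DF)
"""
# Client-side NAT firewall: the floated UDP 4500 packet does leave the LAN.
CLIENT_TCPDUMP = """\
11:01:45.447109 200.200.200.200.isakmp > 60.60.60.60.isakmp: isakmp: phase 1 R ident: [|ke] (DF)
11:01:45.899193 192.168.0.151.4500 > 200.200.200.200.4500:  udp 88
"""
GATEWAY_PLUTO = """\
Jun  4 11:01:45 firewall pluto[27533]: "nat_t_nb_test"[1] 60.60.60.60 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun  4 11:02:55 firewall pluto[27533]: "nat_t_nb_test"[1] 60.60.60.60 #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""
GATEWAY_IP = "200.200.200.200"

PKT_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+):")
STALL_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")
PORT_NAMES = {"isakmp": 500}  # tcpdump -n still prints well-known service names

def port(name):
    return int(name) if name.isdigit() else PORT_NAMES.get(name, -1)

def parse_tcpdump(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for each ISAKMP/UDP line."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            s_ip, s_p, d_ip, d_p = m.groups()
            pkts.append((s_ip, port(s_p), d_ip, port(d_p)))
    return pkts

def diagnose(pluto_text, tcpdump_text, gateway_ip):
    """Correlate pluto's NAT-T verdict with what the capture point actually saw."""
    nated = "peer is NATed" in pluto_text
    stall = STALL_RE.search(pluto_text)
    stalled_in = stall.group(1) if stall else None
    # Packets addressed to the gateway on UDP 4500: the floated IKE traffic the
    # initiator sends from MI3 on, i.e. exactly what a responder stuck in MAIN_R2 is waiting for.
    to_4500 = [p for p in parse_tcpdump(tcpdump_text) if p[2] == gateway_ip and p[3] == 4500]
    if nated and stalled_in == "STATE_MAIN_R2" and not to_4500:
        verdict = "peer is NATed but no UDP 4500 reached the gateway: check that the NAT device forwards UDP 4500"
    elif stalled_in:
        verdict = "negotiation stalled in " + stalled_in
    else:
        verdict = "no stall detected"
    return {"peer_nated": nated, "stalled_in": stalled_in,
            "udp4500_to_gateway": len(to_4500), "verdict": verdict}
```

Running it against both capture points separates "the client never sent MI3 on 4500" from "it was sent but never arrived", which is the distinction the two tcpdump listings above leave open.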
