[Openswan Users] [NAT-T] Problem when the server is NATed

Gabriele Buscone buscone at mastersoft.it
Fri Jun 25 13:35:56 CEST 2004


Hello all,
    I'm trying to set up a VPN connection between a Win2000/XP machine and
an Openswan server.
I succeeded in doing this when neither the client nor the server is NATed, or
when only the client is NATed;
but when the server is behind NAT, even if the client is not NATed, I get an
error.

Here is my network layout:

LAN  192.168.2.0/24  -  Openswan server is 192.168.2.250
    |
LAN Gateway 192.168.2.1
    |
Internet

The Openswan server can be accessed from the Internet through a public IP x.x.x.x
which the gateway DNATs to 192.168.2.250.


The configuration file ipsec.conf looks like this:

version 2.0

config setup
    #klipsdebug=all
    #plutodebug=all
    nat_traversal=yes
    overridemtu=1360
    uniqueids=yes

conn road
        authby=rsasig
        pfs=no
        #compress=no
        #
        left=192.168.2.250
        leftnexthop=%defaultroute
        leftcert=master.pem
        leftsendcert=always
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        rightprotoport=17/1701
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv,%all
        #
        #
        auto=add
        keyingtries=1

conn road2
        authby=rsasig
        pfs=no
        #compress=no
        #
        left=192.168.2.250
        leftnexthop=%defaultroute
        leftcert=master.pem
        leftsendcert=always
        #
        leftprotoport=17/4500
        #
        # The remote user.
        #
        right=%any
        rightprotoport=17/4500
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv,%all
        #rightsubnetwithin=0.0.0.0/0
        #
        auto=add
        keyingtries=1

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


The error I get is the following (I changed the public IP of the client to
10.10.10.10):

Jun 25 12:08:20 master pluto[1217]: packet from 10.10.10.10:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 25 12:08:20 master pluto[1217]: packet from 10.10.10.10:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 25 12:08:20 master pluto[1217]: packet from 10.10.10.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 25 12:08:20 master pluto[1217]: packet from 10.10.10.10:500: ignoring Vendor ID payload [26244d38eddb61b3...]
Jun 25 12:08:20 master pluto[1217]: "road"[5] 10.10.10.10 #3: responding to Main Mode from unknown peer 10.10.10.10
Jun 25 12:08:20 master pluto[1217]: "road"[5] 10.10.10.10 #3: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jun 25 12:08:20 master pluto[1217]: "road"[5] 10.10.10.10 #3: transition from state (null) to state STATE_MAIN_R1
Jun 25 12:08:21 master pluto[1217]: "road"[5] 10.10.10.10 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 25 12:08:21 master pluto[1217]: "road"[5] 10.10.10.10 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 25 12:08:21 master pluto[1217]: "road"[5] 10.10.10.10 #3: Peer ID is ID_DER_ASN1_DN: 'C=IT, ST=NO, L=Novara, O=Master Soft, CN=nb-john'
Jun 25 12:08:21 master pluto[1217]: "road"[6] 10.10.10.10 #3: deleting connection "road" instance with peer 10.10.10.10 {isakmp=#0/ipsec=#0}
Jun 25 12:08:21 master pluto[1217]: "road"[6] 10.10.10.10 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 25 12:08:21 master pluto[1217]: | NAT-T: new mapping 10.10.10.10:500/4500)
Jun 25 12:08:21 master pluto[1217]: "road"[6] 10.10.10.10:4500 #3: sent MR3, ISAKMP SA established
Jun 25 12:08:21 master pluto[1217]: "road"[6] 10.10.10.10:4500 #3: cannot respond to IPsec SA request because no connection is known for x.x.x.x/32===192.168.2.250:4500[C=IT, ST=NO, L=Novara, O=Master Soft, CN=serbox,S=C]:17/1701...10.10.10.10:4500[C=IT, ST=NO, L=Novara, O=Master Soft, CN=nb-john]:17/1701
Jun 25 12:08:21 master pluto[1217]: "road"[6] 10.10.10.10:4500 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xac6eb97e (perhaps this is a duplicated packet)
Jun 25 12:08:51 master last message repeated 4 times
Jun 25 12:09:23 master pluto[1217]: "road"[6] 10.10.10.10:4500 #3: received Delete SA payload: deleting ISAKMP State #3
Jun 25 12:09:23 master pluto[1217]: "road"[6] 10.10.10.10:4500: deleting connection "road" instance with peer 10.10.10.10 {isakmp=#0/ipsec=#0}

Am I missing something in the configuration?

Thanks to anyone who can help me.

Gabriele
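As an added example, not part of the original post and not Openswan's own code, the following Python script parses pluto log lines of the shape quoted above and turns them into the facts a practitioner checks first when a NAT-T road warrior fails at Quick Mode: what NAT-T detected, which port mapping pluto recorded, whether the ISAKMP SA came up, and, for the "no connection is known for ..." message, the traffic selector the peer proposed compared with the conn's left=, leftsubnet= and protoport settings. The sample log and conn block are constructed from the post's own lines (log entries rejoined onto one line each, the x.x.x.x placeholder kept); the regexes, function names and field names are assumptions of this example, not pluto's own.

```python
"""Triage helper for Openswan pluto NAT-T log output (added example, not pluto code).

Parses pluto log lines like the ones in the post, collects the NAT-T detection
result, the 500->4500 mapping and the ISAKMP SA state, and pulls apart the
selector pluto prints after "no connection is known for" so it can be compared
with the conn definition from ipsec.conf.
"""
import re

# One pluto syslog line: timestamp host pluto[pid]: ["conn"[inst] peer[:port] [#sa]: ]message
# The conn/peer prefix is optional ("packet from ..." and "| debug" lines lack it).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>[\w.]+)'
    r'(?::(?P<port>\d+))?(?: #(?P<sa>\d+))?: )?(?P<msg>.*)$'
)

# Selector as pluto prints it after "no connection is known for":
#   [LEFTSUBNET===]LEFTHOST:PORT[LEFTID]:PROTO/PORT...RIGHTHOST:PORT[RIGHTID]:PROTO/PORT
# Hosts allow letters so the post's "x.x.x.x" placeholder parses as well.
SELECTOR_RE = re.compile(
    r'(?:(?P<lsub>[\w.]+/\d+)===)?(?P<lhost>[\w.]+):(?P<lport>\d+)'
    r'\[(?P<lid>[^\]]*)\]:(?P<lpp>\d+/\d+)'
    r'\.\.\.(?P<rhost>[\w.]+):(?P<rport>\d+)\[(?P<rid>[^\]]*)\]:(?P<rpp>\d+/\d+)'
)


def parse_line(line):
    """Return the fields of one pluto log line, or None for other syslog lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Walk a pluto log excerpt and collect the NAT-T facts that matter for triage."""
    summary = {"nat_result": None, "new_mapping": None,
               "isakmp_established": False, "selector": None}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        msg = ev["msg"]
        if "NAT-Traversal: Result" in msg:
            summary["nat_result"] = msg.rsplit(": ", 1)[1]          # e.g. "i am NATed"
        elif "NAT-T: new mapping" in msg:
            # pluto prints a stray ")" after the mapping (visible in the post); drop it
            summary["new_mapping"] = re.search(r"new mapping (\S+?)\)?$", msg).group(1)
        elif "ISAKMP SA established" in msg:
            summary["isakmp_established"] = True
        elif "no connection is known for" in msg:
            sel = SELECTOR_RE.search(msg.split("no connection is known for", 1)[1])
            summary["selector"] = sel.groupdict() if sel else None
    return summary


def parse_conn(conf_text, name):
    """Return the key=value settings of conn NAME from ipsec.conf text (comments stripped)."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            continue
        if current == name and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_selector(selector, conn):
    """List the ways the peer's proposed selector fails to match CONN's own settings."""
    findings = []
    if selector["lsub"] and selector["lsub"] != conn.get("leftsubnet"):
        findings.append("peer proposed left subnet %s but conn has leftsubnet=%s"
                        % (selector["lsub"], conn.get("leftsubnet", "<unset>")))
    if selector["lhost"] != conn.get("left"):
        findings.append("selector left host %s != left=%s" % (selector["lhost"], conn.get("left")))
    for key, field in (("leftprotoport", "lpp"), ("rightprotoport", "rpp")):
        if selector[field] != conn.get(key):
            findings.append("selector %s != %s=%s" % (selector[field], key, conn.get(key)))
    return findings


# Constructed sample: the post's log entries, rejoined onto one line each.
LOG = """\
Jun 25 12:08:20 master pluto[1217]: packet from 10.10.10.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 25 12:08:20 master pluto[1217]: "road"[5] 10.10.10.10 #3: responding to Main Mode from unknown peer 10.10.10.10
Jun 25 12:08:21 master pluto[1217]: "road"[5] 10.10.10.10 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 25 12:08:21 master pluto[1217]: | NAT-T: new mapping 10.10.10.10:500/4500)
Jun 25 12:08:21 master pluto[1217]: "road"[6] 10.10.10.10:4500 #3: sent MR3, ISAKMP SA established
Jun 25 12:08:21 master pluto[1217]: "road"[6] 10.10.10.10:4500 #3: cannot respond to IPsec SA request because no connection is known for x.x.x.x/32===192.168.2.250:4500[C=IT, ST=NO, L=Novara, O=Master Soft, CN=serbox,S=C]:17/1701...10.10.10.10:4500[C=IT, ST=NO, L=Novara, O=Master Soft, CN=nb-john]:17/1701
Jun 25 12:08:51 master last message repeated 4 times
"""

# Constructed sample: the relevant lines of conn road from the post.
CONF = """\
conn road
        left=192.168.2.250
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv,%all
"""

if __name__ == "__main__":
    s = summarize(LOG)
    print("NAT-T result:", s["nat_result"], "| mapping:", s["new_mapping"],
          "| ISAKMP SA up:", s["isakmp_established"])
    for finding in check_selector(s["selector"], parse_conn(CONF, "road")):
        print("mismatch:", finding)
```

Run against the post's log, the script reports "i am NATed", the 10.10.10.10:500/4500 mapping, an established ISAKMP SA, and one mismatch: the peer proposed x.x.x.x/32, the public address it sees, as the server-side subnet, while conn road defines only left=192.168.2.250 and no leftsubnet, so pluto has no conn whose left side covers what the Quick Mode request asks for. That selector line is the place to start when comparing the conn definition against what the NATed server looks like from outside.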
