[Openswan Users] Double NATs trouble

Zhang Jian jzhang at cienettechnologies.com
Thu Mar 11 11:37:30 CET 2004


Hi All,

Following Jacco's page, I set up an L2TP/IPSEC VPN.
My case is: our VPN roadwarriors (WinXP, 2000) are on the public network or
behind a NAT device, and our VPN server is on the public network. VPN clients can
access our internal network over an L2TP/IPSEC connection.
Now it is running, and the clients behind one NAT device can also connect. Thanks to
Jacco and you all!
I am using: Openswan Version 1.0.1rc2 including X.509 patch with traffic
selectors (Version 0.9.37) and NAT-Traversal patch (Version 0.6)

I tried to let a roadwarrior (WinXP, 2000) behind two NATs (that is, it
reaches the Internet through two NATs) access the internal network by L2TP/IPSEC; our
VPN server is on the public network. But I failed.
Behind one NAT it is OK, but behind two NATs it fails. Here are the failure
logs:

Feb 27 20:37:55 vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 27 20:37:55 vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 27 20:37:55 vpngw pluto[3370]: packet from a.b.c.d:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 27 20:37:55 vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload [26244d38eddb61b3...]
Feb 27 20:37:55 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: responding to Main Mode from unknown peer a.b.c.d
Feb 27 20:37:55 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: transition from state (null) to state STATE_MAIN_R1
Feb 27 20:37:56 vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 27 20:37:56 vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 27 20:37:56 vpngw pluto[3370]: packet from a.b.c.d:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 27 20:37:56 vpngw pluto[3370]: packet from a.b.c.d:500: ignoring Vendor ID payload [26244d38eddb61b3...]
Feb 27 20:37:56 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #4: responding to Main Mode from unknown peer a.b.c.d
Feb 27 20:37:56 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #4: transition from state (null) to state STATE_MAIN_R1
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=Beijing, L=BJ, O=abcd, OU=Tech, CN=tom.abcd.net, E=tom at abcd.net'
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 27 20:37:57 vpngw pluto[3370]: | NAT-T: new mapping a.b.c.d:500/65202)
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: sent MR3, ISAKMP SA established
Feb 27 20:38:04 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Feb 27 20:38:28 vpngw last message repeated 2 times
Feb 27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: next payload type of ISAKMP Hash Payload has an unknown value: 118
Feb 27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: malformed payload in packet
Feb 27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: sending notification PAYLOAD_MALFORMED to a.b.c.d:65202
Feb 27 20:39:06 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d:65202 #4: max number of retransmissions (2) reached STATE_MAIN_R1
Feb 27 20:39:06 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d:65202: deleting connection "L2TP-CERT-oWIN2KXP" instance with peer a.b.c.d

My question is: does the current NAT-T patch support clients behind two NATs?
If not, is there any workaround?

Any help or comments will be appreciated!

ZJ
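The two NAT-Traversal mechanics visible in the log above, as an added worked example (this is not code from Openswan, from pluto, or from the poster): first, how an IKE responder decides "peer is NATed" under draft-ietf-ipsec-nat-t-ike-02, where each side sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) and the receiver recomputes the hash over the source address and port it actually observes; second, a small triage pass over pluto log lines that ties a mid-exchange port remapping ("NAT-T: new mapping") to a later PAYLOAD_MALFORMED on the remapped port. SHA-1 stands in for whatever hash Phase 1 negotiated, only IPv4 is handled, and the cookies, addresses and log excerpt are constructed samples, not captured data.

```python
"""Added example: not code from Openswan, pluto, or the post above.

1. NAT-D detection per draft-ietf-ipsec-nat-t-ike-02: each NAT-D payload is
   HASH(CKY-I | CKY-R | IP | Port); the receiver recomputes it over the
   addresses it observes and a mismatch means a NAT rewrote something.
2. A triage over pluto log lines linking a "NAT-T: new mapping" to a later
   PAYLOAD_MALFORMED on the new port.
Assumptions: SHA-1 as the negotiated hash, IPv4 only, constructed samples.
"""
import hashlib
import ipaddress
import re
import struct

IKE_PORT = 500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), port in network byte order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    body = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(body).digest()


def initiator_nat_d_payloads(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """Order the draft mandates: first the remote address, then the local one(s)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def responder_detects_nat(cky_i, cky_r, received, local_ip, local_port,
                          observed_src_ip, observed_src_port):
    """Return (local_behind_nat, peer_behind_nat) as the responder sees it.

    Any NAT on the path, including a second one that only rewrites the source
    port (500 -> 65202 in the log), changes the observed tuple and so the hash.
    """
    remote_view_of_me, *peer_self_views = received
    i_am_nated = remote_view_of_me != nat_d_hash(cky_i, cky_r, local_ip, local_port)
    expected_peer = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_nated = expected_peer not in peer_self_views
    return i_am_nated, peer_nated


# Constructed sample: a condensed copy of the pluto lines quoted in the post.
SAMPLE_LOG = """\
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[3] a.b.c.d #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 27 20:37:57 vpngw pluto[3370]: | NAT-T: new mapping a.b.c.d:500/65202)
Feb 27 20:37:57 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: sent MR3, ISAKMP SA established
Feb 27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: malformed payload in packet
Feb 27 20:39:00 vpngw pluto[3370]: "L2TP-CERT-orgWIN2KXP"[4] a.b.c.d:65202 #3: sending notification PAYLOAD_MALFORMED to a.b.c.d:65202
"""

MAPPING_RE = re.compile(r"NAT-T: new mapping (\S+):(\d+)/(\d+)")
EVENT_RE = re.compile(r'"[^"]+"\[\d+\] (\S+?)(?::(\d+))? #(\d+): (.*)$')


def triage_nat_t(log: str) -> dict:
    """Summarise whether the peer was flagged as NATed, which port mappings
    changed mid-exchange, and which ISAKMP SAs then hit PAYLOAD_MALFORMED on
    a remapped port."""
    out = {"peer_nated": False, "mappings": [], "malformed_after_remap": []}
    remapped = set()
    for line in log.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            ip, old, new = m.group(1), int(m.group(2)), int(m.group(3))
            out["mappings"].append((ip, old, new))
            remapped.add((ip, new))
            continue
        e = EVENT_RE.search(line)
        if not e:
            continue
        ip, port, sa, msg = e.group(1), e.group(2), int(e.group(3)), e.group(4)
        if "peer is NATed" in msg:
            out["peer_nated"] = True
        if "PAYLOAD_MALFORMED" in msg and port and (ip, int(port)) in remapped:
            out["malformed_after_remap"].append(sa)
    return out


if __name__ == "__main__":
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
    # Client believes it is 192.168.1.10:500; gateway 203.0.113.7 sees 198.51.100.9:65202.
    recv = initiator_nat_d_payloads(cky_i, cky_r, "192.168.1.10", IKE_PORT, "203.0.113.7", IKE_PORT)
    print(responder_detects_nat(cky_i, cky_r, recv, "203.0.113.7", IKE_PORT, "198.51.100.9", 65202))
    print(triage_nat_t(SAMPLE_LOG))
```

Run it against a real pluto log by passing the file contents to triage_nat_t; a non-empty malformed_after_remap list is the signature to look for when a second NAT rewrites the IKE source port during Main Mode.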