[Openswan Users] no connection is known for...
Mark Frost
mfrost at westnet.com
Fri May 21 17:11:30 CEST 2004
I'm stuck. I've got the following situation:
    192.168.1.101 (WinXP client)
          |
    Linksys cable router (doing NAT)
          || (Y.Y.Y.Y)
          ||
          || (Internet)
          ||
          || (X.X.X.X)
    Openswan gateway
          |
          |
    NAT'd network (ultimate destination)
In other words, I'm going from a WinXP client on a NAT'd network, across the Internet,
then into another NAT'd network on the other side of the Openswan gateway. It is my understanding
that the only way to possibly accomplish this is to do the combination of L2TP+IPsec, which is what
I'm working on. I'm just at the first phase of getting the IPsec part to work (i.e. the
tunnel just to the gateway).
I'm getting the following messages in /var/log/secure when I "dial out" from the WinXP client:
---------
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NY, L=South Salem, O=Mark Frost, CN=mfrost99'
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 21 15:43:38 outpost pluto[3925]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4887469 (perhaps this is a duplicated packet)
May 21 15:44:08 outpost last message repeated 4 times
May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA payload: deleting ISAKMP State #1
May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500: deleting connection "L2TP-CERT" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0
---------
Note that X.X.X.X is the Openswan gateway's external (public) IP address and Y.Y.Y.Y is the
public address on the Linksys box.
Here's my /etc/ipsec.conf file:
--------
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn L2TP-CERT
        #
        # Use a certificate. Disable Perfect Forward Secrecy.
        #
        authby=rsasig
        pfs=no
        left=X.X.X.X
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/openswan_gw.pem
        leftsendcert=always
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        rightrsasigkey=%cert
        rightcert=/etc/ipsec.d/certs/winxp_client.pem
        rightsubnetwithin=192.168.1.0/24
        rightprotoport=17/1701
        #
        # Authorize this connection, and wait for connection from user.
        #
        auto=add
        keyingtries=3

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
--------
- I am running Openswan 2.1.2.
- I have installed the XP NAT-T patch (Q818043) on the WinXP client.
- Using X.509 certificates
- When "dialing out" from the WinXP box, the errors are generated on the Openswan side,
but the XP client just times out.
I've been working on this for a very long time and am hopeful I can get this working someday.
Any help would be greatly appreciated.
Thanks
Mark
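The "cannot respond to IPsec SA request because no connection is known for ..." line above lists the two ends of the Quick Mode proposal pluto received (IKE endpoint, peer ID, proposed protocol/port, and an optional "===subnet" client selector), and pluto only responds if some conn accepts every one of those fields. The script below is an added example, not code from the post or from Openswan: it parses such a line and compares it field by field with the relevant keys of a conn block, reporting what does not line up. The addresses, DNs and the conn dictionary are constructed documentation values standing in for the masked X.X.X.X / Y.Y.Y.Y, and the matching rules are a simplified model of pluto's conn selection, stated here as an assumption for illustration rather than as Openswan's actual algorithm.

```python
"""Compare a pluto 'no connection is known for' line with a conn definition.

Added example, not part of the original post. The matching rules are a
simplified model (assumption) of how pluto picks a conn for a Quick Mode
proposal; they are meant to show which field of a proposal a conn rejects.
"""
import ipaddress
import re

# Constructed sample log line: same shape as the one in the post, with the
# masked addresses and DNs replaced by documentation values.
SAMPLE_LINE = (
    'May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] 203.0.113.7:4500 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '198.51.100.10:4500[C=US, O=Example, CN=gw]:17/1701'
    '...203.0.113.7:4500[C=US, O=Example, CN=client]:17/1701'
)

# Constructed conn mirroring the relevant keys of the posted ipsec.conf.
SAMPLE_CONN = {
    "left": "198.51.100.10",
    "leftprotoport": "17/1701",
    "right": "%any",
    "rightsubnetwithin": "192.168.1.0/24",
    "rightprotoport": "17/1701",
}

# One end of the proposal as pluto prints it: host:port[id]:proto/port[===client]
END_RE = re.compile(
    r"(?P<host>\d+\.\d+\.\d+\.\d+):(?P<ike_port>\d+)"   # IKE endpoint address/port
    r"\[(?P<id>[^\]]*)\]"                               # peer ID (DN, FQDN, ...)
    r":(?P<proto>\d+)/(?P<port>\d+)"                    # proposed protocol/port
    r"(?:===(?P<client>\d+\.\d+\.\d+\.\d+/\d+))?"       # optional client subnet
)


def parse_no_connection_line(line):
    """Return (local_end, remote_end) dicts parsed from the pluto line,
    or None if the line is a different message or does not parse."""
    marker = "no connection is known for "
    idx = line.find(marker)
    if idx < 0:
        return None
    local_txt, sep, remote_txt = line[idx + len(marker):].partition("...")
    if not sep:
        return None
    ends = []
    for txt in (local_txt, remote_txt):
        m = END_RE.match(txt.strip())
        if not m:
            return None
        end = m.groupdict()
        # With no explicit "===subnet", the client selector is the host itself.
        end["client"] = end["client"] or end["host"] + "/32"
        ends.append(end)
    return ends[0], ends[1]


def check_conn(local, remote, conn):
    """Return a list of human-readable mismatches between the proposal and the
    conn (simplified model). An empty list means every checked field fits."""
    problems = []
    if local["host"] != conn["left"]:
        problems.append(f"local host {local['host']} != left={conn['left']}")
    lpp = f"{local['proto']}/{local['port']}"
    if lpp != conn["leftprotoport"]:
        problems.append(f"local protoport {lpp} != leftprotoport={conn['leftprotoport']}")
    if conn["right"] != "%any" and remote["host"] != conn["right"]:
        problems.append(f"remote host {remote['host']} != right={conn['right']}")
    rpp = f"{remote['proto']}/{remote['port']}"
    if rpp != conn["rightprotoport"]:
        problems.append(f"remote protoport {rpp} != rightprotoport={conn['rightprotoport']}")
    if "rightsubnetwithin" in conn:
        allowed = ipaddress.ip_network(conn["rightsubnetwithin"])
        client = ipaddress.ip_network(remote["client"])
        if not client.subnet_of(allowed):
            problems.append(
                f"remote client {client} not within rightsubnetwithin={allowed}")
    return problems


if __name__ == "__main__":
    parsed = parse_no_connection_line(SAMPLE_LINE)
    local, remote = parsed
    for issue in check_conn(local, remote, SAMPLE_CONN) or ["proposal fits conn"]:
        print(issue)
```

Run against the sample, the only field it flags is the remote client selector (the peer's host address) falling outside rightsubnetwithin; with a conn whose rightsubnetwithin covers that address it reports nothing. The point of the tool is to make the rejected field visible before touching the configuration, not to pick a fix.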