[Openswan Users] no connection is known for...

Mark Frost mfrost at westnet.com
Fri May 21 17:11:30 CEST 2004 

I'm stuck.  I've got the following situation:


192.168.1.101 (WinXP client)
      |
Linksys cable router (doing NAT)
      || (Y.Y.Y.Y)
      ||
      || (Internet)
      ||
      || (X.X.X.X)
Openswan gateway
      |
      |
NAT'd network (ultimate destination)


In other words, I'm going from a WinXP client on a NAT'd network, across the Internet,
then into another NAT'd network on the other side of the Openswan gateway.  It is my understanding
that the only way to possibly accomplish this is to do the combination of L2TP+IPsec which is what
I'm working on.  I'm just at the first phase of getting the IPsec part to work (i.e. the
tunnel just to the gateway).

I'm getting the following messages in /var/log/secure when I "dial out" from the WinXP client:

---------
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NY, L=South Salem, O=Mark Frost, CN=mfrost99'
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 21 15:43:38 outpost pluto[3925]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4887469 (perhaps this is a duplicated packet)
May 21 15:44:08 outpost last message repeated 4 times
May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA payload: deleting ISAKMP State #1
May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500: deleting connection "L2TP-CERT" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0
---------

Note that X.X.X.X is the Openswan gateway's external (public) IP address and Y.Y.Y.Y is the
public address on the Linksys box.

Here's my /etc/ipsec.conf file:

--------
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn L2TP-CERT
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    left=X.X.X.X
    leftnexthop=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/openswan_gw.pem
    leftsendcert=always
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/certs/winxp_client.pem
    rightsubnetwithin=192.168.1.0/24
    rightprotoport=17/1701
    #
    # Authorize this connection, and wait for connection from user.
    #
    auto=add
    keyingtries=3

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
--------


- I am running Openswan 2.1.2.
- I have installed the XP NAT-T patch (Q818043) on the WinXP client.
- Using X.509 certificates
- When "dialing out" from the WinXP box, the errors are generated on the Openswan side,
  but the XP client just times out.

I've been working on this for a very long time and am hopeful I can get this working someday.
Any help would be greatly appreciated.

Thanks

Mark

<>

More information about the Users mailing list