[Openswan Users] OpenSWAN NAT-T w/ FreeBSD Firewall

listz at hate.cx
Wed Oct 20 12:25:43 CEST 2004


Hi, I'm trying to get Openswan to work with NAT traversal through a FreeBSD ipf
firewall. It's Openswan -> Openswan and works just fine without NAT, but when I
try to run it through the firewall it just times out. I've looked around and
can't seem to find any help on the web, so I was hoping the list could help.
Below are my logs from the server and client; any ideas?

server:

Oct 18 17:28:47 server pluto[19028]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 18 17:28:47 server pluto[19028]:   loaded CA cert file 'cacert.pem' (2399 bytes)
Oct 18 17:28:47 server pluto[19028]:   loaded CA cert file 'CAkey.pem' (3311 bytes)
Oct 18 17:28:47 server pluto[19028]:   no passphrase available
Oct 18 17:28:47 server pluto[19028]: Could not change to directory '/etc/ipsec.d/aacerts'
Oct 18 17:28:47 server pluto[19028]: Changing to directory '/etc/ipsec.d/ocspcerts'
Oct 18 17:28:47 server pluto[19028]: Changing to directory '/etc/ipsec.d/crls'
Oct 18 17:28:47 server pluto[19028]:   loaded crl file 'crl.pem' (1060 bytes)
Oct 18 17:28:47 server pluto[19028]:   loaded host cert file '/etc/ipsec.d/certs/dormammu.pem' (7840 bytes)
Oct 18 17:28:47 server pluto[19028]: added connection description "roadwarrior"
Oct 18 17:28:47 server pluto[19028]:   loaded host cert file '/etc/ipsec.d/certs/dormammu.pem' (7840 bytes)
Oct 18 17:28:47 server pluto[19028]: added connection description "roadwarrior-all"
Oct 18 17:28:47 server pluto[19028]: listening for IKE messages
Oct 18 17:28:47 server pluto[19028]: adding interface eth0/eth0 X.X.X.X
Oct 18 17:28:47 server pluto[19028]: adding interface eth0/eth0 X.X.X.X:4500
Oct 18 17:28:47 server pluto[19028]: adding interface lo/lo 127.0.0.1
Oct 18 17:28:47 server pluto[19028]: adding interface lo/lo 127.0.0.1:4500
Oct 18 17:28:47 server pluto[19028]: loading secrets from "/etc/ipsec.secrets"
Oct 18 17:28:47 server pluto[19028]:   loaded private key file '/etc/ipsec.d/private/dormammu.key' (5088 bytes)
Oct 18 17:28:56 server pluto[19028]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Oct 18 17:28:56 server pluto[19028]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Oct 18 17:28:56 server pluto[19028]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 18 17:28:56 server pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer 216.17.172.1
Oct 18 17:28:56 server pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
Oct 18 17:28:56 server pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 18 17:28:56 server pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 18 17:30:06 server pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 18 17:30:06 server pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y: deleting connection "roadwarrior" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0}


client:

Oct 18 17:28:54 client pluto[3244]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 18 17:28:54 client pluto[3244]:   loaded CA cert file 'cacert.pem' (2399 bytes)
Oct 18 17:28:54 client pluto[3244]:   loaded CA cert file 'CAkey.pem' (3311 bytes)
Oct 18 17:28:54 client pluto[3244]:   no passphrase available
Oct 18 17:28:54 client pluto[3244]: Could not change to directory '/etc/ipsec.d/aacerts'
Oct 18 17:28:54 client pluto[3244]: Changing to directory '/etc/ipsec.d/ocspcerts'
Oct 18 17:28:54 client pluto[3244]: Changing to directory '/etc/ipsec.d/crls'
Oct 18 17:28:54 client pluto[3244]:   loaded crl file 'crl.pem' (1060 bytes)
Oct 18 17:28:54 client pluto[3244]:   loaded host cert file '/etc/ipsec.d/certs/scion.pem' (7798 bytes)
Oct 18 17:28:54 client pluto[3244]: added connection description "roadwarrior-p"
Oct 18 17:28:54 client pluto[3244]:   loaded host cert file '/etc/ipsec.d/certs/server.pem' (7840 bytes)
Oct 18 17:28:54 client pluto[3244]:   loaded host cert file '/etc/ipsec.d/certs/scion.pem' (7798 bytes)
Oct 18 17:28:54 client pluto[3244]: added connection description "roadwarrior-d"
Oct 18 17:28:54 client pluto[3244]:   loaded host cert file '/etc/ipsec.d/certs/scion.pem' (7798 bytes)
Oct 18 17:28:54 client pluto[3244]: added connection description "roadwarrior-net-p"
Oct 18 17:28:54 client pluto[3244]:   loaded host cert file '/etc/ipsec.d/certs/server.pem' (7840 bytes)
Oct 18 17:28:54 client pluto[3244]:   loaded host cert file '/etc/ipsec.d/certs/scion.pem' (7798 bytes)
Oct 18 17:28:54 client pluto[3244]: added connection description "roadwarrior-net-d"
Oct 18 17:28:54 client pluto[3244]: listening for IKE messages
Oct 18 17:28:54 client pluto[3244]: adding interface eth0/eth0 192.168.0.97
Oct 18 17:28:54 client pluto[3244]: adding interface eth0/eth0 192.168.0.97:4500
Oct 18 17:28:54 client pluto[3244]: adding interface lo/lo 127.0.0.1
Oct 18 17:28:54 client pluto[3244]: adding interface lo/lo 127.0.0.1:4500
Oct 18 17:28:54 client pluto[3244]: loading secrets from "/etc/ipsec.secrets"
Oct 18 17:28:54 client pluto[3244]:   loaded private key file '/etc/ipsec.d/private/scion.key' (5063 bytes)
Oct 18 17:28:56 client pluto[3244]: "roadwarrior-d" #1: initiating Main Mode
Oct 18 17:28:56 client pluto[3244]: "roadwarrior-d" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Oct 18 17:28:56 client pluto[3244]: "roadwarrior-d" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Oct 18 17:28:56 client pluto[3244]: "roadwarrior-d" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 18 17:28:56 client pluto[3244]: "roadwarrior-d" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Oct 18 17:28:56 client pluto[3244]: "roadwarrior-d" #1: I am sending my cert
Oct 18 17:28:56 client pluto[3244]: "roadwarrior-d" #1: I am sending a certificate request
Oct 18 17:28:57 client pluto[3244]: "roadwarrior-d" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 18 17:29:06 client pluto[3244]: "roadwarrior-d" #1: discarding duplicate packet; already STATE_MAIN_I3
Oct 18 17:29:26 client pluto[3244]: "roadwarrior-d" #1: discarding duplicate packet; already STATE_MAIN_I3
Oct 18 17:29:27 client battery-stats-collector[1407]: apm_read failed with error code 1 
Oct 18 17:30:07 client pluto[3244]: "roadwarrior-d" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: initiating Main Mode
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: I am sending my cert
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: I am sending a certificate request
Oct 18 17:30:16 client pluto[3244]: "roadwarrior-d" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 18 17:30:26 client pluto[3244]: "roadwarrior-d" #2: discarding duplicate packet; already STATE_MAIN_I3
Oct 18 17:30:27 client battery-stats-collector[1407]: apm_read failed with error code 1 
Oct 18 17:30:46 client pluto[3244]: "roadwarrior-d" #2: discarding duplicate packet; already STATE_MAIN_I3
Oct 18 17:31:26 client pluto[3244]: "roadwarrior-d" #2: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message


::[ RFC 2795 ]::
 "Democracy means simply the bludgeoning of the
 people by the people for the people."
 -Oscar Wilde
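The two logs above line up as a classic NAT-T symptom: the client reaches STATE_MAIN_I3 (it has sent Main Mode message 5, the first encrypted message), while the server never leaves STATE_MAIN_R2 and keeps retransmitting message 4, which the client sees as "discarding duplicate packet". Once both sides agree that a NAT is present, draft-ietf-ipsec-nat-t-ike-02/03 (and later RFC 3947) move the exchange from UDP 500 to UDP 4500 starting with that fifth message, so the packet that is vanishing is the first one the client sends on UDP 4500. The script below is an added example, not code from the post or from Openswan: it reads pluto log lines from both peers, works out which side is one message ahead, and reports the lost message and the port it travelled on. The sample log lines are constructed and modelled on the exchange above; the state-to-message mapping is IKEv1 Main Mode, and the port-float rule is the NAT-T one just described.

```python
import re
from typing import Dict, List, Optional

# IKEv1 Main Mode: the initiator sends messages 1, 3, 5; the responder sends 2, 4, 6.
# A side's pluto state tells you which message it has just finished sending.
INITIATOR_SENT = {"STATE_MAIN_I1": 1, "STATE_MAIN_I2": 3, "STATE_MAIN_I3": 5}
RESPONDER_SENT = {"STATE_MAIN_R1": 2, "STATE_MAIN_R2": 4, "STATE_MAIN_R3": 6}

# NAT-T (draft-ietf-ipsec-nat-t-ike-02/03, RFC 3947): once a NAT is detected the
# initiator moves to UDP 4500 with message 5 (the first encrypted message, which
# carries the ID payload); everything from then on, including ESP, uses 4500.
FIRST_FLOATED_MESSAGE = 5

STATE_RE = re.compile(r"transition from state \S+ to state (STATE_MAIN_[IR]\d)")
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_MAIN_[IR]\d)")
NAT_RE = re.compile(r"NAT-Traversal: Result using \S+: (?:peer is|i am) NATed")
DUP_RE = re.compile(r"discarding duplicate packet; already (STATE_MAIN_[IR]\d)")

# Constructed sample lines, modelled on the post above (hosts and SPI numbers are
# the post's own placeholders; timestamps dropped for brevity).
RESPONDER_LOG = [
    'pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y',
    'pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1',
    'pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed',
    'pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    'pluto[19028]: "roadwarrior"[1] Y.Y.Y.Y #1: max number of retransmissions (2) reached STATE_MAIN_R2',
]
INITIATOR_LOG = [
    'pluto[3244]: "roadwarrior-d" #1: initiating Main Mode',
    'pluto[3244]: "roadwarrior-d" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2',
    'pluto[3244]: "roadwarrior-d" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed',
    'pluto[3244]: "roadwarrior-d" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3',
    'pluto[3244]: "roadwarrior-d" #1: discarding duplicate packet; already STATE_MAIN_I3',
    'pluto[3244]: "roadwarrior-d" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message',
]


def last_state(lines: List[str]) -> Optional[str]:
    """Furthest Main Mode state a side reached, taken from its transition lines."""
    state = None
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            state = m.group(1)
    return state


def diagnose(initiator_log: List[str], responder_log: List[str]) -> Dict[str, object]:
    """Work out which Main Mode message never arrived, and on which UDP port."""
    i_state, r_state = last_state(initiator_log), last_state(responder_log)
    i_sent, r_sent = INITIATOR_SENT.get(i_state), RESPONDER_SENT.get(r_state)
    nat_detected = any(NAT_RE.search(l) for l in initiator_log + responder_log)
    i_retrans = any(RETRANS_RE.search(l) for l in initiator_log)
    r_retrans = any(RETRANS_RE.search(l) for l in responder_log)
    # Duplicates seen by the initiator prove the responder->initiator path on UDP 500 works.
    i_sees_dups = any(DUP_RE.search(l) for l in initiator_log)

    result: Dict[str, object] = {
        "initiator_state": i_state, "responder_state": r_state, "nat_detected": nat_detected,
        "lost_message": None, "direction": None, "udp_port": None, "diagnosis": "",
    }
    if i_sent is None or r_sent is None:
        result["diagnosis"] = "no Main Mode state transitions found"
        return result
    # Each side retransmits the last message it sent; whichever side is one message
    # ahead sent something the other side never received.
    if i_sent == r_sent + 1 and r_retrans:
        lost, direction = i_sent, "initiator->responder"
    elif r_sent == i_sent + 1 and i_retrans:
        lost, direction = r_sent, "responder->initiator"
    else:
        result["diagnosis"] = f"states {i_state}/{r_state} are not one message apart"
        return result
    port = 4500 if (nat_detected and lost >= FIRST_FLOATED_MESSAGE) else 500
    result.update(lost_message=lost, direction=direction, udp_port=port)
    result["diagnosis"] = f"Main Mode message {lost} ({direction}) on UDP {port} is not arriving"
    if port == 4500 and direction == "initiator->responder" and i_sees_dups:
        result["diagnosis"] += ("; UDP 500 passes in both directions, so check that the "
                                "firewall passes and NATs outbound UDP 4500 as well")
    return result


if __name__ == "__main__":
    print(diagnose(INITIATOR_LOG, RESPONDER_LOG)["diagnosis"])
```

On the logs in the post this reports message 5, initiator to responder, UDP 4500. Without NAT-T in play the same stuck-at-I3/R2 pattern would point at UDP 500 instead, which is why the script keys the port off the "NATed" result rather than assuming it. On the ipf box that means UDP 4500 needs the same outbound pass/keep-state and NAT treatment as UDP 500; ESP itself never appears on the wire once the peers have floated, since it rides inside UDP 4500.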