[Openswan Users] impossible ISAKMP rekey using NAT-T ?

albert agusti aagusti at serialnet.net
Mon Oct 25 12:11:53 CEST 2004


Hello, 

I'm trying to deploy an IPsec VPN between two NATed hosts (for the moment
testing only gw-gw traffic). Both are behind the same DSL routers, which do
nothing like IPsec passthrough that could affect this, and both are running kernel
2.6 and openswan 2.2.0. When I raise the tunnel all goes fine, routed and
secured.

The problem arises when the timer for the ISAKMP key reaches the limit. In the
logs at both ends, lines like these appear:

pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
pluto[4172]: packet from R.R.R.R:10075: initial Main Mode message
received on 192.168.3.2:4500 but no connection has been authorized

The key IS NEVER RENEGOTIATED!! In the end the SA expires, and some
time later (at ipsec_life) the tunnel goes down.

If I try the same but DISABLING NAT-T, to my surprise all goes fine
and the ISAKMP rekey can do its job!!! The tunnel is not functional because I
need UDP encapsulation, but the rest is going OK. The question is: did I
miss something important? The first impression is that NAT-T is not
doing its job right. A message is displayed in pluto talking about the mapping
between 500/4500, but the error seems to be that it does not recognize
the peer :-(

My config at both ends is very simple. Something like this (with obvious
changes):

conn albert
        left=%defaultroute
        leftid=@smaug.serialnet.net
        leftsubnet=192.168.3.11/32
        leftrsasigkey=0sA......
        right=R.R.R.R
        rightid=@glaurung.serialnet.net
        rightsubnet=192.168.1.10/32
        rightrsasigkey=0sAQOd......

I've tested avoiding the use of %defaultroute and using the local IP
addresses, and I've tested defining %myid in config setup, but nothing
changes.
Does anybody know what's going on?

Thanks in advance
Albert Agustí
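As an added diagnostic example (not part of the original post, and not Openswan's own code), the script below parses the pluto "packet from" lines quoted above and, per peer endpoint, reports the symptom described in the post: NAT-T vendor IDs were exchanged, yet the peer's initial Main Mode message arriving on the NAT-T port (4500) was refused with "no connection has been authorized". The sample log is constructed from the quoted lines and keeps the post's placeholder peer address R.R.R.R; the field names in the findings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the pluto lines quoted in the post, unwrapped onto
# single lines. R.R.R.R is the post's own placeholder for the peer address.
SAMPLE_LOG = """\
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
pluto[4172]: packet from R.R.R.R:10075: initial Main Mode message received on 192.168.3.2:4500 but no connection has been authorized
"""

# Source endpoint of every "packet from" line: peer address and UDP port.
PACKET_RE = re.compile(r"packet from (?P<peer>[^:\s]+):(?P<port>\d+): (?P<msg>.*)")
# The vendor ID payloads pluto logs while negotiating NAT-T.
VID_RE = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")
# The refusal the post is about: which local address/port received the message.
UNAUTH_RE = re.compile(
    r"initial Main Mode message received on (?P<local>[^:\s]+):(?P<lport>\d+) "
    r"but no connection has been authorized"
)

NAT_T_PORT = 4500  # UDP port used once NAT-T floats the exchange away from 500


def analyze(log_text):
    """Group pluto packet lines by (peer, port) and return one finding per
    endpoint whose initial Main Mode message was refused as unauthorized."""
    peers = defaultdict(lambda: {"vendor_ids": [], "unauthorized_on": None})
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue  # not a per-packet line; ignore
        rec = peers[(m["peer"], int(m["port"]))]
        v = VID_RE.search(m["msg"])
        if v:
            rec["vendor_ids"].append(v["vid"])
        u = UNAUTH_RE.search(m["msg"])
        if u:
            rec["unauthorized_on"] = (u["local"], int(u["lport"]))

    findings = []
    for (peer, port), rec in peers.items():
        if rec["unauthorized_on"] is None:
            continue
        local, lport = rec["unauthorized_on"]
        # NAT-T was negotiated if any draft-ietf-ipsec-nat-t-ike vendor ID was seen.
        nat_t = any("nat-t" in vid for vid in rec["vendor_ids"])
        findings.append({
            "peer": peer,
            "peer_port": port,
            "local": local,
            "local_port": lport,
            "nat_t_negotiated": nat_t,
            "vendor_ids": list(rec["vendor_ids"]),
            # The combination the post describes: NAT-T in use, message came in
            # on 4500 from a high NATed source port, and no conn matched it.
            "rekey_refused_over_nat_t": nat_t and lport == NAT_T_PORT,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['peer']}:{f['peer_port']} -> {f['local']}:{f['local_port']} "
              f"NAT-T={f['nat_t_negotiated']} refused_over_nat_t={f['rekey_refused_over_nat_t']}")
```

Run against a real pluto log, a finding with rekey_refused_over_nat_t set means the peer's rekey arrived on the NAT-T port from a source the loaded conn definitions did not match, which is the situation to compare against the conn's left/right and id settings on both ends.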
