[Openswan Users] impossible ISAKMP rekey using NAT-T ?

Paul Wouters paul at xelerance.com
Mon Oct 25 12:21:35 CEST 2004


On Mon, 25 Oct 2004, albert agusti wrote:

> I'm trying to deploy a VPN ipsec between two NATed hosts (for the moment
> testing only gw-gw traffic). Both behind same DSL routers not doing
> anything like ipsec passthrough that could affect and both running kernel
> 2.6 and openswan 2.2.0. When I raise the tunnel all goes fine, routed and
> secured.
>
> The problem arises when timer for ISAKMP key reaches the limit. On both
> logs at the ends, lines like those appear:
>
> pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
> pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> pluto[4172]: packet from R.R.R.R:10075: initial Main Mode message
> received on 192.168.3.2:4500 but no connection has been authorized
>
> Key IS NEVER RENEGOTIATED!!, at the end the SA expires, and some
> time later (at ipsec_life), tunnel goes down

This is the third report of this in the last week, so I think we have
a bug here. This email was the only one which actually contained some
logfiles so we can better understand what is going on. I've filed it
in the bug tracker, and hopefully we'll have this fixed soon.

Paul

> If I try the same but DISABLING NAT-T, and to my surprise all goes fine
> and ISAKMP rekey can do its job !!! Tunnel is not functional because I
> need UDP encapsulation, but the rest is going OK. The question is: did I
> miss something important ? the first sensation is that NAT-T is not
> doing its job right. Message is displayed in pluto talking about mapping
> between 500/4500, but the error seems to be that it does not recognize
> the peer :-(
>
> My config at both ends is very simple. Something like this (with obvious
> changes):
>
> conn albert
>        left=%defaultroute
>        leftid=@smaug.serialnet.net
>        leftsubnet=192.168.3.11/32
>        leftrsasigkey=0sA......
>        right=R.R.R.R
>        rightid=@glaurung.serialnet.net
>        rightsubnet=192.168.1.10/32
>        rightrsasigkey=0sAQOd......
>
> I've tested avoiding the use of %defaultroute and using the local IP
> addresses, I've tested defining %myid in config setup, but nothing
> changes.
> Does anybody know what's going on?
>
> Thanks in advance
> Albert Agustí
>
>
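The symptom Albert describes has a recognisable shape in the pluto log: a burst of NAT-T vendor ID payloads from the peer's floated source port, followed by "initial Main Mode message received on ...:4500 but no connection has been authorized". A rekey proposal that arrives on UDP 4500 (the NAT-T port) and cannot be matched to any configured conn means the ISAKMP SA will simply age out, which is exactly why the tunnel later dies at its IPsec lifetime. The following script is an added example, not code from the thread or from Openswan; it scans log lines for that signature so an operator can alert on it before the tunnel drops. The sample lines are constructed from the quoted output, with 203.0.113.5 standing in for the anonymised peer R.R.R.R and 198.51.100.9 as a second, healthy peer.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the pluto output quoted in the thread.
# 203.0.113.5 is a placeholder for the anonymised peer R.R.R.R.
SAMPLE_LOG = """\
Oct 25 11:02:13 smaug pluto[4172]: packet from 203.0.113.5:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Oct 25 11:02:13 smaug pluto[4172]: packet from 203.0.113.5:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Oct 25 11:02:13 smaug pluto[4172]: packet from 203.0.113.5:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 25 11:02:13 smaug pluto[4172]: packet from 203.0.113.5:10075: initial Main Mode message received on 192.168.3.2:4500 but no connection has been authorized
Oct 25 11:02:40 smaug pluto[4172]: packet from 198.51.100.9:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Oct 25 11:02:40 smaug pluto[4172]: "other" #3: responding to Main Mode
"""

NATT_PORT = 4500  # UDP port IKE floats to once NAT traversal is negotiated

# A NAT-T vendor ID payload announced by a peer (source address and port).
VID_RE = re.compile(
    r'pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<sport>\d+): '
    r'received Vendor ID payload \[(?P<vid>draft-ietf-ipsec-nat-t-ike-\d+)\]')

# Pluto rejecting a Main Mode proposal because no conn matched the peer.
NOCONN_RE = re.compile(
    r'pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<sport>\d+): '
    r'initial Main Mode message received on (?P<local>[\d.]+):(?P<lport>\d+) '
    r'but no connection has been authorized')


def find_natt_rekey_failures(lines):
    """Return one record per Main Mode proposal that arrived on the NAT-T
    port and was rejected for lack of an authorised connection, together
    with the NAT-T vendor IDs previously seen from the same peer:port."""
    natt_vids = defaultdict(set)  # (peer, sport) -> vendor IDs seen so far
    failures = []
    for line in lines:
        m = VID_RE.search(line)
        if m:
            natt_vids[(m['peer'], m['sport'])].add(m['vid'])
            continue
        m = NOCONN_RE.search(line)
        if m and int(m['lport']) == NATT_PORT:
            key = (m['peer'], m['sport'])
            failures.append({
                'peer': m['peer'],
                'source_port': int(m['sport']),
                'local': f"{m['local']}:{m['lport']}",
                'natt_vids': sorted(natt_vids.get(key, ())),
            })
    return failures


if __name__ == '__main__':
    for f in find_natt_rekey_failures(SAMPLE_LOG.splitlines()):
        print(f"NAT-T rekey rejected: peer {f['peer']}:{f['source_port']} "
              f"on {f['local']} after VIDs {', '.join(f['natt_vids'])}")
```

Run it against `/var/log/auth.log` (or wherever pluto logs on the host) instead of the embedded sample to watch for the pattern; a hit on port 4500 with NAT-T vendor IDs from the same peer is the rekey failure discussed above, whereas the healthy peer on port 500 in the sample produces nothing.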
