[Openswan Users] Windows 2000 RW behind a NAT Router
Ingo Brüll
ibruell at gmx.de
Thu Apr 14 12:33:53 CEST 2005
Hi,
I have tested that with Windows XP SP2 with Marcus Mueller's tool and
always got the same errors in the oakley log:
--- snip ---
4-14: 11:15:47:328:c70 Initialization OK
4-14: 11:16:07:296:9d0 Acquire from driver: op=0000000C
src=192.168.0.6.0 dst=192.168.61.1.0 proto = 0, SrcMask=255.255.255.255,
DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=x.x.x.x Inbound
TunnelEndpt=192.168.0.6
4-14: 11:16:07:296:254 Filter to match: Src x.x.x.x Dst 192.168.0.6
4-14: 11:16:07:296:254 MM PolicyName: 1
4-14: 11:16:07:296:254 MMPolicy dwFlags 2 SoftSAExpireTime 28800
4-14: 11:16:07:296:254 MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 2
4-14: 11:16:07:296:254 MMOffer[0] Encrypt: Dreifach-DES CBC Hash: SHA
4-14: 11:16:07:296:254 MMOffer[1] LifetimeSec 28800 QMLimit 0 DHGroup 2
4-14: 11:16:07:296:254 MMOffer[1] Encrypt: Dreifach-DES CBC Hash: MD5
4-14: 11:16:07:296:254 MMOffer[2] LifetimeSec 28800 QMLimit 0 DHGroup 1
4-14: 11:16:07:296:254 MMOffer[2] Encrypt: DES CBC Hash: SHA
4-14: 11:16:07:296:254 MMOffer[3] LifetimeSec 28800 QMLimit 0 DHGroup 1
4-14: 11:16:07:296:254 MMOffer[3] Encrypt: DES CBC Hash: MD5
4-14: 11:16:07:296:254 Auth[0]:RSA Sig C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de AuthFlags 0
4-14: 11:16:07:296:254 QM PolicyName: Host-kremate filter action dwFlags 1
4-14: 11:16:07:296:254 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
4-14: 11:16:07:296:254 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
4-14: 11:16:07:296:254 Algo[0] Operation: ESP Algo: Dreifach-DES CBC
HMAC: MD5
4-14: 11:16:07:296:254 Starting Negotiation: src = 192.168.0.6.0500,
dst = x.x.x.x.0500, proto = 00, context = 0000000C, ProxySrc =
192.168.0.6.0000, ProxyDst = 192.168.61.0.0000 SrcMask = 255.255.255.255
DstMask = 255.255.255.0
4-14: 11:16:07:296:254 constructing ISAKMP Header
4-14: 11:16:07:296:254 constructing SA (ISAKMP)
4-14: 11:16:07:296:254 Constructing Vendor MS NT5 ISAKMPOAKLEY
4-14: 11:16:07:296:254 Constructing Vendor FRAGMENTATION
4-14: 11:16:07:296:254 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
4-14: 11:16:07:296:254 Constructing Vendor Vid-Initial-Contact
4-14: 11:16:07:296:254
4-14: 11:16:07:296:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.500
4-14: 11:16:07:296:254 ISAKMP Header: (V1.0), len = 276
4-14: 11:16:07:296:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:296:254 R-COOKIE 0000000000000000
4-14: 11:16:07:296:254 exchange: Oakley Main Mode
4-14: 11:16:07:296:254 flags: 0
4-14: 11:16:07:296:254 next payload: SA
4-14: 11:16:07:296:254 message ID: 00000000
4-14: 11:16:07:296:254 Ports S:f401 D:f401
4-14: 11:16:07:390:254
4-14: 11:16:07:390:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.500
4-14: 11:16:07:390:254 ISAKMP Header: (V1.0), len = 104
4-14: 11:16:07:390:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:390:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:390:254 exchange: Oakley Main Mode
4-14: 11:16:07:390:254 flags: 0
4-14: 11:16:07:390:254 next payload: SA
4-14: 11:16:07:390:254 message ID: 00000000
4-14: 11:16:07:390:254 processing payload SA
4-14: 11:16:07:390:254 Received Phase 1 Transform 1
4-14: 11:16:07:390:254 Encryption Alg Dreifach-DES CBC(5)
4-14: 11:16:07:390:254 Hash Alg SHA(2)
4-14: 11:16:07:390:254 Oakley Group 2
4-14: 11:16:07:390:254 Auth Method RSA-Signatur mit Zertifikaten(3)
4-14: 11:16:07:390:254 Life type in Seconds
4-14: 11:16:07:390:254 Life duration of 28800
4-14: 11:16:07:390:254 Phase 1 SA accepted: transform=1
4-14: 11:16:07:390:254 SA - Oakley proposal accepted
4-14: 11:16:07:390:254 processing payload VENDOR ID
4-14: 11:16:07:390:254 Received VendorId draft-ietf-ipsec-nat-t-ike-02
4-14: 11:16:07:390:254 ClearFragList
4-14: 11:16:07:390:254 constructing ISAKMP Header
4-14: 11:16:07:468:254 constructing KE
4-14: 11:16:07:468:254 constructing NONCE (ISAKMP)
4-14: 11:16:07:468:254 Constructing NatDisc
4-14: 11:16:07:468:254
4-14: 11:16:07:468:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.500
4-14: 11:16:07:468:254 ISAKMP Header: (V1.0), len = 232
4-14: 11:16:07:468:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:468:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:468:254 exchange: Oakley Main Mode
4-14: 11:16:07:468:254 flags: 0
4-14: 11:16:07:468:254 next payload: KE
4-14: 11:16:07:468:254 message ID: 00000000
4-14: 11:16:07:468:254 Ports S:f401 D:f401
4-14: 11:16:07:546:254
4-14: 11:16:07:546:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.500
4-14: 11:16:07:546:254 ISAKMP Header: (V1.0), len = 228
4-14: 11:16:07:546:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:546:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:546:254 exchange: Oakley Main Mode
4-14: 11:16:07:546:254 flags: 0
4-14: 11:16:07:546:254 next payload: KE
4-14: 11:16:07:546:254 message ID: 00000000
4-14: 11:16:07:546:254 processing payload KE
4-14: 11:16:07:562:254 processing payload NONCE
4-14: 11:16:07:562:254 processing payload NATDISC
4-14: 11:16:07:562:254 Processing NatHash
4-14: 11:16:07:562:254 Nat hash 1081601265cae14dab53caadd6a9b5b7
4-14: 11:16:07:562:254 63b42f7f
4-14: 11:16:07:562:254 SA StateMask2 1f
4-14: 11:16:07:562:254 processing payload NATDISC
4-14: 11:16:07:562:254 Processing NatHash
4-14: 11:16:07:562:254 Nat hash 3fe018031be8edad5b16451fcfdd6234
4-14: 11:16:07:562:254 bb1351e8
4-14: 11:16:07:562:254 SA StateMask2 9f
4-14: 11:16:07:562:254 ClearFragList
4-14: 11:16:07:562:254 Floated Ports Orig Me:f401 Peer:f401
4-14: 11:16:07:562:254 Floated Ports Me:9411 Peer:9411
4-14: 11:16:07:562:254 constructing ISAKMP Header
4-14: 11:16:07:562:254 constructing ID
4-14: 11:16:07:562:254 Received no valid CRPs. Using all configured
4-14: 11:16:07:562:254 Looking for IPSec only cert
4-14: 11:16:07:562:254 Cert Trustes. 0 100
4-14: 11:16:07:562:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
4-14: 11:16:07:562:254 fd5e89b8
4-14: 11:16:07:562:254 CertFindExtenstion failed with 0
4-14: 11:16:07:578:254 Entered CRL check
4-14: 11:16:07:578:254 Left CRL check
4-14: 11:16:07:578:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
4-14: 11:16:07:578:254 fd5e89b8
4-14: 11:16:07:578:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, OU=support, CN=suptest.krema-tornesch.de
4-14: 11:16:07:578:254 Cert Serialnumber 08
4-14: 11:16:07:578:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
4-14: 11:16:07:578:254 fd5e89b8
4-14: 11:16:07:578:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de
4-14: 11:16:07:578:254 Cert Serialnumber 60669091e7649b9a00
4-14: 11:16:07:578:254 Cert SHA Thumbprint f0cd5ebfae95050e2d5e4a00540acff0
4-14: 11:16:07:578:254 41fab8f3
4-14: 11:16:07:578:254 Not storing My cert chain in SA.
4-14: 11:16:07:578:254 MM ID Type 9
4-14: 11:16:07:578:254 MM ID 307f310b300906035504061302444531
4-14: 11:16:07:578:254 1b3019060355040813125363686c6573
4-14: 11:16:07:578:254 7769672d486f6c737465696e311d301b
4-14: 11:16:07:578:254 060355040a13144b72656d61746f7269
4-14: 11:16:07:578:254 756d20546f726e657363683110300e06
4-14: 11:16:07:578:254 0355040b1307737570706f7274312230
4-14: 11:16:07:578:254 2006035504031319737570746573742e
4-14: 11:16:07:578:254 6b72656d612d746f726e657363682e64
4-14: 11:16:07:578:254 65
4-14: 11:16:07:578:254 constructing CERT
4-14: 11:16:07:578:254 Construct SIG
4-14: 11:16:07:578:254 Constructing Cert Request
4-14: 11:16:07:578:254 C=DE, S=Schleswig-Holstein, O=Krematorium
Tornesch, CN=ca.krema-tornesch.de
4-14: 11:16:07:578:254
4-14: 11:16:07:578:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:07:578:254 ISAKMP Header: (V1.0), len = 1404
4-14: 11:16:07:578:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:578:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:578:254 exchange: Oakley Main Mode
4-14: 11:16:07:578:254 flags: 1 ( encrypted )
4-14: 11:16:07:578:254 next payload: ID
4-14: 11:16:07:578:254 message ID: 00000000
4-14: 11:16:07:578:254 Ports S:9411 D:9411
4-14: 11:16:07:734:254
4-14: 11:16:07:734:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:07:734:254 ISAKMP Header: (V1.0), len = 1260
4-14: 11:16:07:734:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:734:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:734:254 exchange: Oakley Main Mode
4-14: 11:16:07:734:254 flags: 1 ( encrypted )
4-14: 11:16:07:734:254 next payload: ID
4-14: 11:16:07:750:254 message ID: 00000000
4-14: 11:16:07:750:254 processing payload ID
4-14: 11:16:07:750:254 processing payload CERT
4-14: 11:16:07:750:254 processing payload SIG
4-14: 11:16:07:750:254 Verifying CertStore
4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=gateway.krema-tornesch.de
4-14: 11:16:07:750:254 Cert Serialnumber 09
4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
4-14: 11:16:07:750:254 3c7fa1dc
4-14: 11:16:07:750:254 Cert Trustes. 0 100
4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=gateway.krema-tornesch.de
4-14: 11:16:07:750:254 Cert Serialnumber 09
4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
4-14: 11:16:07:750:254 3c7fa1dc
4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de
4-14: 11:16:07:750:254 Cert Serialnumber 60669091e7649b9a00
4-14: 11:16:07:750:254 Cert SHA Thumbprint f0cd5ebfae95050e2d5e4a00540acff0
4-14: 11:16:07:750:254 41fab8f3
4-14: 11:16:07:750:254 Not storing Peer's cert chain in SA.
4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
4-14: 11:16:07:750:254 3c7fa1dc
4-14: 11:16:07:750:254 Entered CRL check
4-14: 11:16:07:750:254 Left CRL check
4-14: 11:16:07:750:254 CertFindExtenstion failed with 0
4-14: 11:16:07:750:254 Signature validated
4-14: 11:16:07:750:254 ClearFragList
4-14: 11:16:07:750:254 MM established. SA: 000D8618
4-14: 11:16:07:750:254 QM PolicyName: Host-kremate filter action dwFlags 1
4-14: 11:16:07:750:254 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
4-14: 11:16:07:750:254 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
4-14: 11:16:07:750:254 Algo[0] Operation: ESP Algo: Dreifach-DES CBC
HMAC: MD5
4-14: 11:16:07:750:254 GetSpi: src = 192.168.61.0.0000, dst =
192.168.0.6.0000, proto = 00, context = 0000000C, srcMask =
255.255.255.0, destMask = 255.255.255.255, TunnelFilter 1
4-14: 11:16:07:750:254 Setting SPI 501207189
4-14: 11:16:07:750:254 constructing ISAKMP Header
4-14: 11:16:07:750:254 constructing HASH (null)
4-14: 11:16:07:750:254 constructing SA (IPSEC)
4-14: 11:16:07:750:254 constructing QM KE
4-14: 11:16:07:828:254 constructing NONCE (IPSEC)
4-14: 11:16:07:828:254 constructing ID (proxy)
4-14: 11:16:07:828:254 constructing ID (proxy)
4-14: 11:16:07:828:254 constructing HASH (QM)
4-14: 11:16:07:828:254
4-14: 11:16:07:828:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:07:828:254 ISAKMP Header: (V1.0), len = 308
4-14: 11:16:07:828:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:828:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:828:254 exchange: Oakley Quick Mode
4-14: 11:16:07:828:254 flags: 1 ( encrypted )
4-14: 11:16:07:828:254 next payload: HASH
4-14: 11:16:07:828:254 message ID: 0183237a
4-14: 11:16:07:828:254 Ports S:9411 D:9411
4-14: 11:16:07:890:254
4-14: 11:16:07:890:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:07:890:254 ISAKMP Header: (V1.0), len = 68
4-14: 11:16:07:890:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:890:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:890:254 exchange: ISAKMP Informational Exchange
4-14: 11:16:07:890:254 flags: 1 ( encrypted )
4-14: 11:16:07:890:254 next payload: HASH
4-14: 11:16:07:890:254 message ID: 6a5844c4
4-14: 11:16:07:890:254 processing HASH (Notify/Delete)
4-14: 11:16:07:890:254 processing payload NOTIFY
4-14: 11:16:07:890:254 notify: INVALID-ID-INFORMATION
4-14: 11:16:07:890:254 isadb_set_status sa:000D8618 centry:00000000
status 3601
4-14: 11:16:08:328:e70 retransmit: sa = 000D8618 centry 00100C08 ,
count = 1
4-14: 11:16:08:328:e70
4-14: 11:16:08:328:e70 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:08:328:e70 ISAKMP Header: (V1.0), len = 308
4-14: 11:16:08:328:e70 I-COOKIE f4471376e078c8c4
4-14: 11:16:08:328:e70 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:08:328:e70 exchange: Oakley Quick Mode
4-14: 11:16:08:328:e70 flags: 1 ( encrypted )
4-14: 11:16:08:328:e70 next payload: HASH
4-14: 11:16:08:328:e70 message ID: 0183237a
4-14: 11:16:08:328:e70 Ports S:9411 D:9411
4-14: 11:16:08:375:254
4-14: 11:16:08:375:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:08:375:254 ISAKMP Header: (V1.0), len = 68
4-14: 11:16:08:375:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:08:375:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:08:375:254 exchange: ISAKMP Informational Exchange
4-14: 11:16:08:375:254 flags: 1 ( encrypted )
4-14: 11:16:08:375:254 next payload: HASH
4-14: 11:16:08:375:254 message ID: e0aa9d78
4-14: 11:16:08:375:254 processing HASH (Notify/Delete)
4-14: 11:16:08:375:254 processing payload NOTIFY
4-14: 11:16:08:375:254 notify: INVALID-MESSAGE-ID
4-14: 11:16:08:375:254 Unknown Notify Message 9
4-14: 11:16:10:328:e70 retransmit: sa = 000D8618 centry 00100C08 ,
count = 2
4-14: 11:16:10:328:e70
4-14: 11:16:10:328:e70 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:10:328:e70 ISAKMP Header: (V1.0), len = 308
4-14: 11:16:10:328:e70 I-COOKIE f4471376e078c8c4
4-14: 11:16:10:328:e70 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:10:328:e70 exchange: Oakley Quick Mode
4-14: 11:16:10:328:e70 flags: 1 ( encrypted )
4-14: 11:16:10:328:e70 next payload: HASH
4-14: 11:16:10:328:e70 message ID: 0183237a
4-14: 11:16:10:328:e70 Ports S:9411 D:9411
4-14: 11:16:10:390:254
4-14: 11:16:10:390:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:10:390:254 ISAKMP Header: (V1.0), len = 68
4-14: 11:16:10:390:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:10:390:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:10:390:254 exchange: ISAKMP Informational Exchange
4-14: 11:16:10:390:254 flags: 1 ( encrypted )
4-14: 11:16:10:390:254 next payload: HASH
4-14: 11:16:10:390:254 message ID: fc8f905f
4-14: 11:16:10:390:254 processing HASH (Notify/Delete)
4-14: 11:16:10:390:254 processing payload NOTIFY
4-14: 11:16:10:390:254 notify: INVALID-MESSAGE-ID
4-14: 11:16:10:390:254 Unknown Notify Message 9
--- snip ---
Here is the config file from openswan:
--- snip ---
version 2
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="%defaultroute"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        #plutoload=%search
        #plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes
        keep_alive=5
        overridemtu=1300
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
        type=tunnel
        keyexchange=ike
        keyingtries=5
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        leftsubnet=192.168.61.0/24
        leftcert=gatewayCert.pem
        leftid="/C=DE/ST=Schleswig-Holstein/O=x/CN=gateway.x.de"
        right=%any
        pfs=yes
        left=%defaultroute
        leftupdown=/usr/lib/ipsec/_updown_obl2
        compress=no
        auth=esp
        esp=aes256-sha1
        auto=add
conn rw-sup
        right=%any
        rightid="/C=DE/ST=Schleswig-Holstein/O=x/OU=support/CN=*"
        keylife=60m
        keyingtries=0
        disablearrivalcheck=no
        auth=esp
        esp=3des-sha1,aes128-md5,aes256-md5,aes128-sha1,aes256-sha1
        pfs=yes
        dpddelay=120
        dpdtimeout=370
        dpdaction=clear
--- snip ---
ipsec.conf from Windows XP client:
--- snip ---
conn kremate
        left=x.dyndns.org
        leftsubnet=192.168.61.0/24
        right=%any
        rightca="C=DE, ST=Schleswig-Holstein, O=x, CN=ca.x.de"
        network=lan
        auto=start
        pfs=yes
        nat_traversal=yes
--- snip ---
--
best regards
Ingo Bruell
---
<ibruell at gmx.de>
<ICQ# 40377720>
Oldenburg, Germany
PGP-Fingerprint: CB01 AE12 B359 87C4 BF1C 953C 8FE7 C648 169E E5FC
PGP-Public-Key available at pgpkeys.mit.edu
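One way to triage a log like the one above, as an added example that is not part of the original post or of Openswan: parse the Windows oakley.log, recover the Quick Mode selectors the client proposed, the NAT-T port float, and the notify the gateway answered with. INVALID-ID-INFORMATION from the responder means the proposed identities matched none of its connections; the sample below is a constructed excerpt of the posted log.

```python
import re
# Entries start "M-D: HH:MM:SS:ms:thread "; unprefixed lines are wrapped continuations.
_PREFIX = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+ ?")
_PROXY = re.compile(r"ProxySrc = ([\d.]+)\.\d{4}, ProxyDst = ([\d.]+)\.\d{4} "
                    r"SrcMask = ([\d.]+) DstMask = ([\d.]+)")
_FLOAT = re.compile(r"Floated Ports Me:([0-9a-f]{4}) Peer:([0-9a-f]{4})")

def entries(text):
    out = []
    for line in text.splitlines():
        m = _PREFIX.match(line)
        if m:
            out.append(line[m.end():])
        elif out and line.strip():
            out[-1] += " " + line.strip()  # re-join a wrapped entry
    return out

def prefix_len(mask):  # "255.255.255.0" -> 24
    return sum(bin(int(o)).count("1") for o in mask.split("."))
def port(hexword):  # ports are logged byte-swapped: "f401" -> 0x01f4 -> 500
    return int(hexword[2:] + hexword[:2], 16)

def triage(text):
    # Quick Mode selectors proposed, NAT-T float, and each notify tagged with its phase.
    r = {"proxy_ids": None, "floated_to": None, "notifies": []}
    phase = None
    for e in entries(text):
        if m := _PROXY.search(e):
            src, dst, sm, dm = m.groups()
            r["proxy_ids"] = (f"{src}/{prefix_len(sm)}", f"{dst}/{prefix_len(dm)}")
        elif m := _FLOAT.search(e):
            r["floated_to"] = (port(m.group(1)), port(m.group(2)))
        elif e.startswith("exchange: ") and "Informational" not in e:
            phase = e[len("exchange: "):]  # the notify itself rides an Informational
        elif e.startswith("notify: "):
            r["notifies"].append((e[len("notify: "):], phase))
    return r

# Constructed excerpt of the oakley.log posted above, trimmed to the entries read here.
SAMPLE_LOG = """\
4-14: 11:16:07:296:254 Starting Negotiation: src = 192.168.0.6.0500,
dst = x.x.x.x.0500, proto = 00, context = 0000000C, ProxySrc =
192.168.0.6.0000, ProxyDst = 192.168.61.0.0000 SrcMask = 255.255.255.255
DstMask = 255.255.255.0
4-14: 11:16:07:296:254 exchange: Oakley Main Mode
4-14: 11:16:07:562:254 Floated Ports Me:9411 Peer:9411
4-14: 11:16:07:828:254 exchange: Oakley Quick Mode
4-14: 11:16:07:890:254 notify: INVALID-ID-INFORMATION
"""
```

Running triage(SAMPLE_LOG) shows the client proposing 192.168.0.6/32 to 192.168.61.0/24 over UDP 4500 and the gateway rejecting the Quick Mode identities, which is the pair of facts to compare against the conn's leftsubnet and right side.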