[Openswan Users] Windows XP, L2TP, NAT-T and rekeying
tkrivanek at volny.cz
Wed Apr 20 23:57:58 CEST 2005
Hello,
I have trouble with NATed Windows XP road warrior clients (I don't have any
other kind). They can establish a working tunnel to my Openswan server. But
after exactly one hour, when the SA expires and should be rekeyed, the
connection gets broken.
This setup works with 2.2.0; the problems seem to appear after upgrading to
2.3.1.
Part of my ipsec.conf:
config setup
        nat_traversal=yes
        uniqueids=yes           # does not help

conn L2TP-PSK-orgWIN2KXP
        authby=rsasig
        rightrsasigkey=%cert
        pfs=no
        left=xx.xxx.xx.xx
        leftcert=fw-ova.crt
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=1
        ikelifetime=3800s       # lowering and raising does not help
        dpdaction=clear         # does not help
I am using Linux kernel 2.4.30, with this ipsec --version output:
Linux Openswan 2.3.1 (klips)
See `ipsec --copyright' for copyright information.
I am lost. Can anyone help me, or does anyone have a solution to this problem?
Many thanks and best regards
Tomas
Here are the logs. #72 is the successfully negotiated ISAKMP SA and #73 is the
successfully negotiated IPsec SA:
.
.
Apr 20 21:17:25 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #72: sent MR3, ISAKMP SA established
.
Apr 20 21:17:25 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #73: IPsec SA established {ESP=>0xddddb5a1 <0x33fed991
xfrm=3DES_0-HMAC_MD5 NATD=62.240.186.40}
Apr 20 22:12:55 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #82: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to
replace #73 {using isakmp#72}
Apr 20 22:14:05 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #82: max number of retransmissions (2) reached STATE_QUICK_I1
Apr 20 22:16:15 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #83: initiating Main Mode to replace #72
Apr 20 22:16:47 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #84: responding to Quick Mode {msgid:e90ac7e9}
Apr 20 22:16:47 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #84: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Apr 20 22:16:48 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #84: discarding duplicate packet; already STATE_QUICK_R1
Apr 20 22:17:18 fw-ova last message repeated 4 times
Apr 20 22:17:25 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #83: max number of retransmissions (2) reached
STATE_MAIN_I1. No response (or no acceptable response) to our first IKE
message
Apr 20 22:17:25 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #73: IPsec SA expired (LATEST!)
Apr 20 22:17:26 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #72: ignoring Delete SA payload: PROTO_IPSEC_ESP
SA(0xddddb5a1) not found (maybe expired)
Apr 20 22:17:26 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #72: received and ignored informational message
Apr 20 22:17:28 fw-ova pluto[12554]: ERROR: pfkey write() of
SADB_X_DELFLOW message 273 for flow int.0 at 0.0.0.0 failed. Errno 14: Bad
address
Apr 20 22:17:28 fw-ova pluto[12554]: | 02 0f 00 0b 0e 00 00 00 11 01
00 00 0a 31 00 00
Apr 20 22:17:28 fw-ova pluto[12554]: | 03 00 15 00 00 00 00 00 02 00
06 a5 52 75 88 12
Apr 20 22:17:28 fw-ova pluto[12554]: | 00 00 00 00 00 00 00 00 03 00
16 00 00 00 00 00
Apr 20 22:17:28 fw-ova pluto[12554]: | 02 00 06 a5 3e f0 ba 28 00 00
00 00 00 00 00 00
Apr 20 22:17:28 fw-ova pluto[12554]: | 03 00 17 00 00 00 00 00 02 00
ff ff ff ff ff ff
Apr 20 22:17:28 fw-ova pluto[12554]: | 36 36 36 36 36 36 36 36 03 00
18 00 00 00 00 00
Apr 20 22:17:28 fw-ova pluto[12554]: | 02 00 ff ff ff ff ff ff 58 d7
ff bf 22 e5 0a 08
Apr 20 22:17:50 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[6]
62.240.186.40 #72: received Delete SA payload: deleting ISAKMP State #72
Apr 20 22:17:50 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received and ignored informational message
Apr 20 22:17:50 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:17:50 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:17:50 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:17:50 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[7]
62.240.186.40 #85: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:17:50 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[7]
62.240.186.40 #85: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:17:51 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:17:51 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:17:51 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:17:51 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[8]
62.240.186.40 #86: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:17:51 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[8]
62.240.186.40 #86: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:17:53 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:17:53 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:17:53 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:17:53 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[9]
62.240.186.40 #87: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:17:53 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[9]
62.240.186.40 #87: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:17:57 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:17:57 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:17:57 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:17:57 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[10]
62.240.186.40 #88: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:17:57 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[10]
62.240.186.40 #88: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:18:05 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:18:05 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:18:05 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:18:05 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[11]
62.240.186.40 #89: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:18:05 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[11]
62.240.186.40 #89: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:18:21 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:18:21 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:18:21 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:18:21 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[12]
62.240.186.40 #90: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:18:21 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[12]
62.240.186.40 #90: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:18:42 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Delete SA payload: not encrypted
Apr 20 22:18:42 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received and ignored informational message
Apr 20 22:18:42 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:18:42 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:18:42 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:18:42 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 20 22:18:42 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[13]
62.240.186.40 #91: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:18:42 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[13]
62.240.186.40 #91: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:18:43 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:18:43 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:18:43 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:18:43 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 20 22:18:43 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[14]
62.240.186.40 #92: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:18:43 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[14]
62.240.186.40 #92: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:18:45 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:18:45 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:18:45 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:18:45 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 20 22:18:45 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[15]
62.240.186.40 #93: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:18:45 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[15]
62.240.186.40 #93: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:18:49 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:18:49 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:18:49 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:18:49 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 20 22:18:49 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[16]
62.240.186.40 #94: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:18:49 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[16]
62.240.186.40 #94: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:18:57 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:18:57 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:18:57 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:18:57 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 20 22:18:57 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[17]
62.240.186.40 #95: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:18:57 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[17]
62.240.186.40 #95: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:19:00 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[7]
62.240.186.40 #85: max number of retransmissions (2) reached STATE_MAIN_R1
Apr 20 22:19:00 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[7]
62.240.186.40: deleting connection "L2TP-PSK-orgWIN2KXP" instance with
peer 62.240.186.40 {isakmp=#0/ipsec=#0}
Apr 20 22:19:01 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[8]
62.240.186.40 #86: max number of retransmissions (2) reached STATE_MAIN_R1
Apr 20 22:19:01 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[8]
62.240.186.40: deleting connection "L2TP-PSK-orgWIN2KXP" instance with
peer 62.240.186.40 {isakmp=#0/ipsec=#0}
Apr 20 22:19:03 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[9]
62.240.186.40 #87: max number of retransmissions (2) reached STATE_MAIN_R1
Apr 20 22:19:03 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[9]
62.240.186.40: deleting connection "L2TP-PSK-orgWIN2KXP" instance with
peer 62.240.186.40 {isakmp=#0/ipsec=#0}
Apr 20 22:19:07 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[10]
62.240.186.40 #88: max number of retransmissions (2) reached STATE_MAIN_R1
Apr 20 22:19:07 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[10]
62.240.186.40: deleting connection "L2TP-PSK-orgWIN2KXP" instance with
peer 62.240.186.40 {isakmp=#0/ipsec=#0}
Apr 20 22:19:13 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 20 22:19:13 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 20 22:19:13 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Apr 20 22:19:13 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 20 22:19:13 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[18]
62.240.186.40 #96: responding to Main Mode from unknown peer 62.240.186.40
Apr 20 22:19:13 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[18]
62.240.186.40 #96: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 20 22:19:15 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[11]
62.240.186.40 #89: max number of retransmissions (2) reached STATE_MAIN_R1
Apr 20 22:19:15 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[11]
62.240.186.40: deleting connection "L2TP-PSK-orgWIN2KXP" instance with
peer 62.240.186.40 {isakmp=#0/ipsec=#0}
Apr 20 22:19:29 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
ignoring Delete SA payload: not encrypted
Apr 20 22:19:29 fw-ova pluto[12554]: packet from 62.240.186.40:4500:
received and ignored informational message
Apr 20 22:19:31 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[12]
62.240.186.40 #90: max number of retransmissions (2) reached STATE_MAIN_R1
Apr 20 22:19:31 fw-ova pluto[12554]: "L2TP-PSK-orgWIN2KXP"[12]
62.240.186.40: deleting connection "L2TP-PSK-orgWIN2KXP" instance with
peer 62.240.186.40 {isakmp=#0/ipsec=#0}