[Openswan Users] Windows client NAT-T
Ingo Brüll
ibruell at gmx.de
Mon Apr 25 12:52:18 CEST 2005
Hi,
I have tried to connect a Windows 2000 SP4 Client with the NAT-T Patch
(818043) to openswan 2.2.0-4 (debian sarge) on debian sarge
with kernel 2.6.8-2-686. I am using the kernel ipsec stack.
Now I cannot connect from the Windows 2000 client that is attached
behind a simple router without ipsec capabilities to the openswan gateway.
After I saw that a patch for pluto is required to get the connection
established I thought that something similar has to be done for the
kernel ipsec stack. Is that right?
In a previous posting Paul Wouters wrote that the connection was
terminated at the openswan gateway but I cannot see any message that is
related to the connection coming up.
Here again the oakley.log i posted:
--- snip ---
4-14: 11:15:47:328:c70 Initialization OK
4-14: 11:16:07:296:9d0 Acquire from driver: op=0000000C
src=192.168.0.6.0 dst=192.168.61.1.0 proto = 0, SrcMask=255.255.255.255,
DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=x.x.x.x Inbound
TunnelEndpt=192.168.0.6
4-14: 11:16:07:296:254 Filter to match: Src x.x.x.x Dst 192.168.0.6
4-14: 11:16:07:296:254 MM PolicyName: 1
4-14: 11:16:07:296:254 MMPolicy dwFlags 2 SoftSAExpireTime 28800
4-14: 11:16:07:296:254 MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 2
4-14: 11:16:07:296:254 MMOffer[0] Encrypt: Dreifach-DES CBC Hash: SHA
4-14: 11:16:07:296:254 MMOffer[1] LifetimeSec 28800 QMLimit 0 DHGroup 2
4-14: 11:16:07:296:254 MMOffer[1] Encrypt: Dreifach-DES CBC Hash: MD5
4-14: 11:16:07:296:254 MMOffer[2] LifetimeSec 28800 QMLimit 0 DHGroup 1
4-14: 11:16:07:296:254 MMOffer[2] Encrypt: DES CBC Hash: SHA
4-14: 11:16:07:296:254 MMOffer[3] LifetimeSec 28800 QMLimit 0 DHGroup 1
4-14: 11:16:07:296:254 MMOffer[3] Encrypt: DES CBC Hash: MD5
4-14: 11:16:07:296:254 Auth[0]:RSA Sig C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de AuthFlags 0
4-14: 11:16:07:296:254 QM PolicyName: Host-kremate filter action dwFlags 1
4-14: 11:16:07:296:254 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
4-14: 11:16:07:296:254 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
4-14: 11:16:07:296:254 Algo[0] Operation: ESP Algo: Dreifach-DES CBC
HMAC: MD5
4-14: 11:16:07:296:254 Starting Negotiation: src = 192.168.0.6.0500,
dst = x.x.x.x.0500, proto = 00, context = 0000000C, ProxySrc =
192.168.0.6.0000, ProxyDst = 192.168.61.0.0000 SrcMask = 255.255.255.255
DstMask = 255.255.255.0
4-14: 11:16:07:296:254 constructing ISAKMP Header
4-14: 11:16:07:296:254 constructing SA (ISAKMP)
4-14: 11:16:07:296:254 Constructing Vendor MS NT5 ISAKMPOAKLEY
4-14: 11:16:07:296:254 Constructing Vendor FRAGMENTATION
4-14: 11:16:07:296:254 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
4-14: 11:16:07:296:254 Constructing Vendor Vid-Initial-Contact
4-14: 11:16:07:296:254
4-14: 11:16:07:296:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.500
4-14: 11:16:07:296:254 ISAKMP Header: (V1.0), len = 276
4-14: 11:16:07:296:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:296:254 R-COOKIE 0000000000000000
4-14: 11:16:07:296:254 exchange: Oakley Main Mode
4-14: 11:16:07:296:254 flags: 0
4-14: 11:16:07:296:254 next payload: SA
4-14: 11:16:07:296:254 message ID: 00000000
4-14: 11:16:07:296:254 Ports S:f401 D:f401
4-14: 11:16:07:390:254
4-14: 11:16:07:390:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.500
4-14: 11:16:07:390:254 ISAKMP Header: (V1.0), len = 104
4-14: 11:16:07:390:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:390:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:390:254 exchange: Oakley Main Mode
4-14: 11:16:07:390:254 flags: 0
4-14: 11:16:07:390:254 next payload: SA
4-14: 11:16:07:390:254 message ID: 00000000
4-14: 11:16:07:390:254 processing payload SA
4-14: 11:16:07:390:254 Received Phase 1 Transform 1
4-14: 11:16:07:390:254 Encryption Alg Dreifach-DES CBC(5)
4-14: 11:16:07:390:254 Hash Alg SHA(2)
4-14: 11:16:07:390:254 Oakley Group 2
4-14: 11:16:07:390:254 Auth Method RSA-Signatur mit Zertifikaten(3)
4-14: 11:16:07:390:254 Life type in Seconds
4-14: 11:16:07:390:254 Life duration of 28800
4-14: 11:16:07:390:254 Phase 1 SA accepted: transform=1
4-14: 11:16:07:390:254 SA - Oakley proposal accepted
4-14: 11:16:07:390:254 processing payload VENDOR ID
4-14: 11:16:07:390:254 Received VendorId draft-ietf-ipsec-nat-t-ike-02
4-14: 11:16:07:390:254 ClearFragList
4-14: 11:16:07:390:254 constructing ISAKMP Header
4-14: 11:16:07:468:254 constructing KE
4-14: 11:16:07:468:254 constructing NONCE (ISAKMP)
4-14: 11:16:07:468:254 Constructing NatDisc
4-14: 11:16:07:468:254
4-14: 11:16:07:468:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.500
4-14: 11:16:07:468:254 ISAKMP Header: (V1.0), len = 232
4-14: 11:16:07:468:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:468:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:468:254 exchange: Oakley Main Mode
4-14: 11:16:07:468:254 flags: 0
4-14: 11:16:07:468:254 next payload: KE
4-14: 11:16:07:468:254 message ID: 00000000
4-14: 11:16:07:468:254 Ports S:f401 D:f401
4-14: 11:16:07:546:254
4-14: 11:16:07:546:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.500
4-14: 11:16:07:546:254 ISAKMP Header: (V1.0), len = 228
4-14: 11:16:07:546:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:546:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:546:254 exchange: Oakley Main Mode
4-14: 11:16:07:546:254 flags: 0
4-14: 11:16:07:546:254 next payload: KE
4-14: 11:16:07:546:254 message ID: 00000000
4-14: 11:16:07:546:254 processing payload KE
4-14: 11:16:07:562:254 processing payload NONCE
4-14: 11:16:07:562:254 processing payload NATDISC
4-14: 11:16:07:562:254 Processing NatHash
4-14: 11:16:07:562:254 Nat hash 1081601265cae14dab53caadd6a9b5b7
4-14: 11:16:07:562:254 63b42f7f
4-14: 11:16:07:562:254 SA StateMask2 1f
4-14: 11:16:07:562:254 processing payload NATDISC
4-14: 11:16:07:562:254 Processing NatHash
4-14: 11:16:07:562:254 Nat hash 3fe018031be8edad5b16451fcfdd6234
4-14: 11:16:07:562:254 bb1351e8
4-14: 11:16:07:562:254 SA StateMask2 9f
4-14: 11:16:07:562:254 ClearFragList
4-14: 11:16:07:562:254 Floated Ports Orig Me:f401 Peer:f401
4-14: 11:16:07:562:254 Floated Ports Me:9411 Peer:9411
4-14: 11:16:07:562:254 constructing ISAKMP Header
4-14: 11:16:07:562:254 constructing ID
4-14: 11:16:07:562:254 Received no valid CRPs. Using all configured
4-14: 11:16:07:562:254 Looking for IPSec only cert
4-14: 11:16:07:562:254 Cert Trustes. 0 100
4-14: 11:16:07:562:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
4-14: 11:16:07:562:254 fd5e89b8
4-14: 11:16:07:562:254 CertFindExtenstion failed with 0
4-14: 11:16:07:578:254 Entered CRL check
4-14: 11:16:07:578:254 Left CRL check
4-14: 11:16:07:578:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
4-14: 11:16:07:578:254 fd5e89b8
4-14: 11:16:07:578:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, OU=support, CN=suptest.krema-tornesch.de
4-14: 11:16:07:578:254 Cert Serialnumber 08
4-14: 11:16:07:578:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
4-14: 11:16:07:578:254 fd5e89b8
4-14: 11:16:07:578:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de
4-14: 11:16:07:578:254 Cert Serialnumber 60669091e7649b9a00
4-14: 11:16:07:578:254 Cert SHA Thumbprint f0cd5ebfae95050e2d5e4a00540acff0
4-14: 11:16:07:578:254 41fab8f3
4-14: 11:16:07:578:254 Not storing My cert chain in SA.
4-14: 11:16:07:578:254 MM ID Type 9
4-14: 11:16:07:578:254 MM ID 307f310b300906035504061302444531
4-14: 11:16:07:578:254 1b3019060355040813125363686c6573
4-14: 11:16:07:578:254 7769672d486f6c737465696e311d301b
4-14: 11:16:07:578:254 060355040a13144b72656d61746f7269
4-14: 11:16:07:578:254 756d20546f726e657363683110300e06
4-14: 11:16:07:578:254 0355040b1307737570706f7274312230
4-14: 11:16:07:578:254 2006035504031319737570746573742e
4-14: 11:16:07:578:254 6b72656d612d746f726e657363682e64
4-14: 11:16:07:578:254 65
4-14: 11:16:07:578:254 constructing CERT
4-14: 11:16:07:578:254 Construct SIG
4-14: 11:16:07:578:254 Constructing Cert Request
4-14: 11:16:07:578:254 C=DE, S=Schleswig-Holstein, O=Krematorium
Tornesch, CN=ca.krema-tornesch.de
4-14: 11:16:07:578:254
4-14: 11:16:07:578:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:07:578:254 ISAKMP Header: (V1.0), len = 1404
4-14: 11:16:07:578:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:578:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:578:254 exchange: Oakley Main Mode
4-14: 11:16:07:578:254 flags: 1 ( encrypted )
4-14: 11:16:07:578:254 next payload: ID
4-14: 11:16:07:578:254 message ID: 00000000
4-14: 11:16:07:578:254 Ports S:9411 D:9411
4-14: 11:16:07:734:254
4-14: 11:16:07:734:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:07:734:254 ISAKMP Header: (V1.0), len = 1260
4-14: 11:16:07:734:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:734:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:734:254 exchange: Oakley Main Mode
4-14: 11:16:07:734:254 flags: 1 ( encrypted )
4-14: 11:16:07:734:254 next payload: ID
4-14: 11:16:07:750:254 message ID: 00000000
4-14: 11:16:07:750:254 processing payload ID
4-14: 11:16:07:750:254 processing payload CERT
4-14: 11:16:07:750:254 processing payload SIG
4-14: 11:16:07:750:254 Verifying CertStore
4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=gateway.krema-tornesch.de
4-14: 11:16:07:750:254 Cert Serialnumber 09
4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
4-14: 11:16:07:750:254 3c7fa1dc
4-14: 11:16:07:750:254 Cert Trustes. 0 100
4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=gateway.krema-tornesch.de
4-14: 11:16:07:750:254 Cert Serialnumber 09
4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
4-14: 11:16:07:750:254 3c7fa1dc
4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de
4-14: 11:16:07:750:254 Cert Serialnumber 60669091e7649b9a00
4-14: 11:16:07:750:254 Cert SHA Thumbprint f0cd5ebfae95050e2d5e4a00540acff0
4-14: 11:16:07:750:254 41fab8f3
4-14: 11:16:07:750:254 Not storing Peer's cert chain in SA.
4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
4-14: 11:16:07:750:254 3c7fa1dc
4-14: 11:16:07:750:254 Entered CRL check
4-14: 11:16:07:750:254 Left CRL check
4-14: 11:16:07:750:254 CertFindExtenstion failed with 0
4-14: 11:16:07:750:254 Signature validated
4-14: 11:16:07:750:254 ClearFragList
4-14: 11:16:07:750:254 MM established. SA: 000D8618
4-14: 11:16:07:750:254 QM PolicyName: Host-kremate filter action dwFlags 1
4-14: 11:16:07:750:254 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
4-14: 11:16:07:750:254 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
4-14: 11:16:07:750:254 Algo[0] Operation: ESP Algo: Dreifach-DES CBC
HMAC: MD5
4-14: 11:16:07:750:254 GetSpi: src = 192.168.61.0.0000, dst =
192.168.0.6.0000, proto = 00, context = 0000000C, srcMask =
255.255.255.0, destMask = 255.255.255.255, TunnelFilter 1
4-14: 11:16:07:750:254 Setting SPI 501207189
4-14: 11:16:07:750:254 constructing ISAKMP Header
4-14: 11:16:07:750:254 constructing HASH (null)
4-14: 11:16:07:750:254 constructing SA (IPSEC)
4-14: 11:16:07:750:254 constructing QM KE
4-14: 11:16:07:828:254 constructing NONCE (IPSEC)
4-14: 11:16:07:828:254 constructing ID (proxy)
4-14: 11:16:07:828:254 constructing ID (proxy)
4-14: 11:16:07:828:254 constructing HASH (QM)
4-14: 11:16:07:828:254
4-14: 11:16:07:828:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:07:828:254 ISAKMP Header: (V1.0), len = 308
4-14: 11:16:07:828:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:828:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:828:254 exchange: Oakley Quick Mode
4-14: 11:16:07:828:254 flags: 1 ( encrypted )
4-14: 11:16:07:828:254 next payload: HASH
4-14: 11:16:07:828:254 message ID: 0183237a
4-14: 11:16:07:828:254 Ports S:9411 D:9411
4-14: 11:16:07:890:254
4-14: 11:16:07:890:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:07:890:254 ISAKMP Header: (V1.0), len = 68
4-14: 11:16:07:890:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:07:890:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:07:890:254 exchange: ISAKMP Informational Exchange
4-14: 11:16:07:890:254 flags: 1 ( encrypted )
4-14: 11:16:07:890:254 next payload: HASH
4-14: 11:16:07:890:254 message ID: 6a5844c4
4-14: 11:16:07:890:254 processing HASH (Notify/Delete)
4-14: 11:16:07:890:254 processing payload NOTIFY
4-14: 11:16:07:890:254 notify: INVALID-ID-INFORMATION
4-14: 11:16:07:890:254 isadb_set_status sa:000D8618 centry:00000000
status 3601
4-14: 11:16:08:328:e70 retransmit: sa = 000D8618 centry 00100C08 ,
count = 1
4-14: 11:16:08:328:e70
4-14: 11:16:08:328:e70 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:08:328:e70 ISAKMP Header: (V1.0), len = 308
4-14: 11:16:08:328:e70 I-COOKIE f4471376e078c8c4
4-14: 11:16:08:328:e70 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:08:328:e70 exchange: Oakley Quick Mode
4-14: 11:16:08:328:e70 flags: 1 ( encrypted )
4-14: 11:16:08:328:e70 next payload: HASH
4-14: 11:16:08:328:e70 message ID: 0183237a
4-14: 11:16:08:328:e70 Ports S:9411 D:9411
4-14: 11:16:08:375:254
4-14: 11:16:08:375:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:08:375:254 ISAKMP Header: (V1.0), len = 68
4-14: 11:16:08:375:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:08:375:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:08:375:254 exchange: ISAKMP Informational Exchange
4-14: 11:16:08:375:254 flags: 1 ( encrypted )
4-14: 11:16:08:375:254 next payload: HASH
4-14: 11:16:08:375:254 message ID: e0aa9d78
4-14: 11:16:08:375:254 processing HASH (Notify/Delete)
4-14: 11:16:08:375:254 processing payload NOTIFY
4-14: 11:16:08:375:254 notify: INVALID-MESSAGE-ID
4-14: 11:16:08:375:254 Unknown Notify Message 9
4-14: 11:16:10:328:e70 retransmit: sa = 000D8618 centry 00100C08 ,
count = 2
4-14: 11:16:10:328:e70
4-14: 11:16:10:328:e70 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
4-14: 11:16:10:328:e70 ISAKMP Header: (V1.0), len = 308
4-14: 11:16:10:328:e70 I-COOKIE f4471376e078c8c4
4-14: 11:16:10:328:e70 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:10:328:e70 exchange: Oakley Quick Mode
4-14: 11:16:10:328:e70 flags: 1 ( encrypted )
4-14: 11:16:10:328:e70 next payload: HASH
4-14: 11:16:10:328:e70 message ID: 0183237a
4-14: 11:16:10:328:e70 Ports S:9411 D:9411
4-14: 11:16:10:390:254
4-14: 11:16:10:390:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
4-14: 11:16:10:390:254 ISAKMP Header: (V1.0), len = 68
4-14: 11:16:10:390:254 I-COOKIE f4471376e078c8c4
4-14: 11:16:10:390:254 R-COOKIE ee8361d5db1e1f74
4-14: 11:16:10:390:254 exchange: ISAKMP Informational Exchange
4-14: 11:16:10:390:254 flags: 1 ( encrypted )
4-14: 11:16:10:390:254 next payload: HASH
4-14: 11:16:10:390:254 message ID: fc8f905f
4-14: 11:16:10:390:254 processing HASH (Notify/Delete)
4-14: 11:16:10:390:254 processing payload NOTIFY
4-14: 11:16:10:390:254 notify: INVALID-MESSAGE-ID
4-14: 11:16:10:390:254 Unknown Notify Message 9
--- snip ---
--
best regards
Ingo Bruell
---
<ibruell at gmx.de>
<ICQ# 40377720>
Oldenburg PGP-Fingerprint: CB01 AE12 B359 87C4 BF1C 953C 8FE7 C648
169E E5FC
Germany PGP-Public-Key available at pgpkeys.mit.edu
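
Added example, not part of the original post: a small triage script for an oakley.log like the one above. It decodes the byte-swapped `Ports` fields (f401 is 500 and 9411 is 4500, matching the `Type 2.500` / `Type 2.4500` lines) and reports in which IKE phase each notify arrived. The sample lines are an excerpt constructed from the posted log, and the function names are this example's own.

```python
import re

# Constructed sample: a shortened excerpt of the oakley.log posted above.
SAMPLE = """\
4-14: 11:16:07:390:254 Received VendorId draft-ietf-ipsec-nat-t-ike-02
4-14: 11:16:07:468:254 Ports S:f401 D:f401
4-14: 11:16:07:562:254 Floated Ports Orig Me:f401 Peer:f401
4-14: 11:16:07:562:254 Floated Ports Me:9411 Peer:9411
4-14: 11:16:07:750:254 MM established. SA: 000D8618
4-14: 11:16:07:828:254 exchange: Oakley Quick Mode
4-14: 11:16:07:890:254 notify: INVALID-ID-INFORMATION
4-14: 11:16:08:375:254 notify: INVALID-MESSAGE-ID
"""

# "<month>-<day>: <hh:mm:ss:ms>:<thread id> <message>"
LINE = re.compile(r"^\s*\d+-\d+: (\d\d:\d\d:\d\d:\d+):[0-9a-f]+ ?(.*)$")
FLOAT = re.compile(r"Floated Ports Me:([0-9a-f]{4}) Peer:([0-9a-f]{4})")

def port(hexword):
    """Decode a port as the log prints it: byte-swapped hex, so f401 -> 0x01f4 = 500."""
    return int.from_bytes(bytes.fromhex(hexword), "little")

def summarize(log_text):
    """Return NAT-T negotiation facts and every notify with the phase it arrived in."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            events.append([m.group(1), m.group(2).strip()])
        elif events and raw.strip():
            events[-1][1] += " " + raw.strip()  # wrapped continuation line
    out = {"nat_t_vid": False, "float": None, "mm_established": False, "notifies": []}
    for ts, msg in events:
        if msg.startswith("Received VendorId") and "nat-t" in msg:
            out["nat_t_vid"] = True            # peer also advertised NAT-T
        elif (m := FLOAT.match(msg)):
            out["float"] = (port(m.group(1)), port(m.group(2)))
        elif msg.startswith("MM established"):
            out["mm_established"] = True       # phase 1 (Main Mode) finished
        elif msg.startswith("notify:"):
            phase = "quick mode (phase 2)" if out["mm_established"] else "main mode (phase 1)"
            out["notifies"].append((ts, msg.split(": ", 1)[1], phase))
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```

Run against the full log, this shows the NAT-T vendor ID being received, both sides floating to port 4500, Main Mode completing, and the first notify (INVALID-ID-INFORMATION) arriving during Quick Mode.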