[Openswan Users] Windows client NAT-T

Ingo Brüll ibruell at gmx.de
Mon Apr 25 12:52:18 CEST 2005


Hi,

i have tried to connect a Windows 2000 SP4 Client with the NAT-T Patch
(818043) to connect to openswan 2.2.0-4 (debian sarge) on debian sarge
with kernel 2.6.8-2-686. I am using tha kernel ipsec stack.

Now i cannot connect from the Windows 2000 client that is attached
behind a simple router without ipsec capabilities to the openswan gateway.

After i saw that a patch for pluto is required to get the connect
established i thought that something similarly has to be done for the
kernel ipsec stack. Is that right ?

In a privious posting Paul Wouters wrote that the connection was
terminated at the openswan gateway but i can not see any message that is
related to the connection comming up.

Here again the oakley.log i posted:


--- snip ---
 4-14: 11:15:47:328:c70 Initialization OK
 4-14: 11:16:07:296:9d0 Acquire from driver: op=0000000C
src=192.168.0.6.0 dst=192.168.61.1.0 proto = 0, SrcMask=255.255.255.255,
DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=x.x.x.x Inbound
TunnelEndpt=192.168.0.6
 4-14: 11:16:07:296:254 Filter to match: Src x.x.x.x Dst 192.168.0.6
 4-14: 11:16:07:296:254 MM PolicyName: 1
 4-14: 11:16:07:296:254 MMPolicy dwFlags 2 SoftSAExpireTime 28800
 4-14: 11:16:07:296:254 MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 2
 4-14: 11:16:07:296:254 MMOffer[0] Encrypt: Dreifach-DES CBC Hash: SHA
 4-14: 11:16:07:296:254 MMOffer[1] LifetimeSec 28800 QMLimit 0 DHGroup 2
 4-14: 11:16:07:296:254 MMOffer[1] Encrypt: Dreifach-DES CBC Hash: MD5
 4-14: 11:16:07:296:254 MMOffer[2] LifetimeSec 28800 QMLimit 0 DHGroup 1
 4-14: 11:16:07:296:254 MMOffer[2] Encrypt: DES CBC Hash: SHA
 4-14: 11:16:07:296:254 MMOffer[3] LifetimeSec 28800 QMLimit 0 DHGroup 1
 4-14: 11:16:07:296:254 MMOffer[3] Encrypt: DES CBC Hash: MD5
 4-14: 11:16:07:296:254 Auth[0]:RSA Sig C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de AuthFlags 0
 4-14: 11:16:07:296:254 QM PolicyName: Host-kremate filter action dwFlags 1
 4-14: 11:16:07:296:254 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
 4-14: 11:16:07:296:254 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
 4-14: 11:16:07:296:254  Algo[0] Operation: ESP Algo: Dreifach-DES CBC
HMAC: MD5
 4-14: 11:16:07:296:254 Starting Negotiation: src = 192.168.0.6.0500,
dst = x.x.x.x.0500, proto = 00, context = 0000000C, ProxySrc =
192.168.0.6.0000, ProxyDst = 192.168.61.0.0000 SrcMask = 255.255.255.255
DstMask = 255.255.255.0
 4-14: 11:16:07:296:254 constructing ISAKMP Header
 4-14: 11:16:07:296:254 constructing SA (ISAKMP)
 4-14: 11:16:07:296:254 Constructing Vendor MS NT5 ISAKMPOAKLEY
 4-14: 11:16:07:296:254 Constructing Vendor FRAGMENTATION
 4-14: 11:16:07:296:254 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
 4-14: 11:16:07:296:254 Constructing Vendor Vid-Initial-Contact
 4-14: 11:16:07:296:254
 4-14: 11:16:07:296:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.500
 4-14: 11:16:07:296:254 ISAKMP Header: (V1.0), len = 276
 4-14: 11:16:07:296:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:296:254   R-COOKIE 0000000000000000
 4-14: 11:16:07:296:254   exchange: Oakley Main Mode
 4-14: 11:16:07:296:254   flags: 0
 4-14: 11:16:07:296:254   next payload: SA
 4-14: 11:16:07:296:254   message ID: 00000000
 4-14: 11:16:07:296:254 Ports S:f401 D:f401
 4-14: 11:16:07:390:254
 4-14: 11:16:07:390:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.500
 4-14: 11:16:07:390:254 ISAKMP Header: (V1.0), len = 104
 4-14: 11:16:07:390:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:390:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:07:390:254   exchange: Oakley Main Mode
 4-14: 11:16:07:390:254   flags: 0
 4-14: 11:16:07:390:254   next payload: SA
 4-14: 11:16:07:390:254   message ID: 00000000
 4-14: 11:16:07:390:254 processing payload SA
 4-14: 11:16:07:390:254 Received Phase 1 Transform 1
 4-14: 11:16:07:390:254      Encryption Alg Dreifach-DES CBC(5)
 4-14: 11:16:07:390:254      Hash Alg SHA(2)
 4-14: 11:16:07:390:254      Oakley Group 2
 4-14: 11:16:07:390:254      Auth Method RSA-Signatur mit Zertifikaten(3)
 4-14: 11:16:07:390:254      Life type in Seconds
 4-14: 11:16:07:390:254      Life duration of 28800
 4-14: 11:16:07:390:254 Phase 1 SA accepted: transform=1
 4-14: 11:16:07:390:254 SA - Oakley proposal accepted
 4-14: 11:16:07:390:254 processing payload VENDOR ID
 4-14: 11:16:07:390:254 Received VendorId draft-ietf-ipsec-nat-t-ike-02
 4-14: 11:16:07:390:254 ClearFragList
 4-14: 11:16:07:390:254 constructing ISAKMP Header
 4-14: 11:16:07:468:254 constructing KE
 4-14: 11:16:07:468:254 constructing NONCE (ISAKMP)
 4-14: 11:16:07:468:254 Constructing NatDisc
 4-14: 11:16:07:468:254
 4-14: 11:16:07:468:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.500
 4-14: 11:16:07:468:254 ISAKMP Header: (V1.0), len = 232
 4-14: 11:16:07:468:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:468:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:07:468:254   exchange: Oakley Main Mode
 4-14: 11:16:07:468:254   flags: 0
 4-14: 11:16:07:468:254   next payload: KE
 4-14: 11:16:07:468:254   message ID: 00000000
 4-14: 11:16:07:468:254 Ports S:f401 D:f401
 4-14: 11:16:07:546:254
 4-14: 11:16:07:546:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.500
 4-14: 11:16:07:546:254 ISAKMP Header: (V1.0), len = 228
 4-14: 11:16:07:546:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:546:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:07:546:254   exchange: Oakley Main Mode
 4-14: 11:16:07:546:254   flags: 0
 4-14: 11:16:07:546:254   next payload: KE
 4-14: 11:16:07:546:254   message ID: 00000000
 4-14: 11:16:07:546:254 processing payload KE
 4-14: 11:16:07:562:254 processing payload NONCE
 4-14: 11:16:07:562:254 processing payload NATDISC
 4-14: 11:16:07:562:254 Processing NatHash
 4-14: 11:16:07:562:254 Nat hash 1081601265cae14dab53caadd6a9b5b7
 4-14: 11:16:07:562:254 63b42f7f
 4-14: 11:16:07:562:254 SA StateMask2 1f
 4-14: 11:16:07:562:254 processing payload NATDISC
 4-14: 11:16:07:562:254 Processing NatHash
 4-14: 11:16:07:562:254 Nat hash 3fe018031be8edad5b16451fcfdd6234
 4-14: 11:16:07:562:254 bb1351e8
 4-14: 11:16:07:562:254 SA StateMask2 9f
 4-14: 11:16:07:562:254 ClearFragList
 4-14: 11:16:07:562:254 Floated Ports Orig Me:f401 Peer:f401
 4-14: 11:16:07:562:254 Floated Ports Me:9411 Peer:9411
 4-14: 11:16:07:562:254 constructing ISAKMP Header
 4-14: 11:16:07:562:254 constructing ID
 4-14: 11:16:07:562:254 Received no valid CRPs.  Using all configured
 4-14: 11:16:07:562:254 Looking for IPSec only cert
 4-14: 11:16:07:562:254 Cert Trustes.  0 100
 4-14: 11:16:07:562:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
 4-14: 11:16:07:562:254 fd5e89b8
 4-14: 11:16:07:562:254 CertFindExtenstion failed with 0
 4-14: 11:16:07:578:254 Entered CRL check
 4-14: 11:16:07:578:254 Left CRL check
 4-14: 11:16:07:578:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
 4-14: 11:16:07:578:254 fd5e89b8
 4-14: 11:16:07:578:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, OU=support, CN=suptest.krema-tornesch.de
 4-14: 11:16:07:578:254 Cert Serialnumber 08
 4-14: 11:16:07:578:254 Cert SHA Thumbprint 4528c2b2d227cfea567e293cccd5b4c8
 4-14: 11:16:07:578:254 fd5e89b8
 4-14: 11:16:07:578:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de
 4-14: 11:16:07:578:254 Cert Serialnumber 60669091e7649b9a00
 4-14: 11:16:07:578:254 Cert SHA Thumbprint f0cd5ebfae95050e2d5e4a00540acff0
 4-14: 11:16:07:578:254 41fab8f3
 4-14: 11:16:07:578:254 Not storing My cert chain in SA.
 4-14: 11:16:07:578:254 MM ID Type 9
 4-14: 11:16:07:578:254 MM ID 307f310b300906035504061302444531
 4-14: 11:16:07:578:254 1b3019060355040813125363686c6573
 4-14: 11:16:07:578:254 7769672d486f6c737465696e311d301b
 4-14: 11:16:07:578:254 060355040a13144b72656d61746f7269
 4-14: 11:16:07:578:254 756d20546f726e657363683110300e06
 4-14: 11:16:07:578:254 0355040b1307737570706f7274312230
 4-14: 11:16:07:578:254 2006035504031319737570746573742e
 4-14: 11:16:07:578:254 6b72656d612d746f726e657363682e64
 4-14: 11:16:07:578:254 65
 4-14: 11:16:07:578:254 constructing CERT
 4-14: 11:16:07:578:254 Construct SIG
 4-14: 11:16:07:578:254 Constructing Cert Request
 4-14: 11:16:07:578:254 C=DE, S=Schleswig-Holstein, O=Krematorium
Tornesch, CN=ca.krema-tornesch.de
 4-14: 11:16:07:578:254
 4-14: 11:16:07:578:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
 4-14: 11:16:07:578:254 ISAKMP Header: (V1.0), len = 1404
 4-14: 11:16:07:578:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:578:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:07:578:254   exchange: Oakley Main Mode
 4-14: 11:16:07:578:254   flags: 1 ( encrypted )
 4-14: 11:16:07:578:254   next payload: ID
 4-14: 11:16:07:578:254   message ID: 00000000
 4-14: 11:16:07:578:254 Ports S:9411 D:9411
 4-14: 11:16:07:734:254
 4-14: 11:16:07:734:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
 4-14: 11:16:07:734:254 ISAKMP Header: (V1.0), len = 1260
 4-14: 11:16:07:734:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:734:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:07:734:254   exchange: Oakley Main Mode
 4-14: 11:16:07:734:254   flags: 1 ( encrypted )
 4-14: 11:16:07:734:254   next payload: ID
 4-14: 11:16:07:750:254   message ID: 00000000
 4-14: 11:16:07:750:254 processing payload ID
 4-14: 11:16:07:750:254 processing payload CERT
 4-14: 11:16:07:750:254 processing payload SIG
 4-14: 11:16:07:750:254 Verifying CertStore
 4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=gateway.krema-tornesch.de
 4-14: 11:16:07:750:254 Cert Serialnumber 09
 4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
 4-14: 11:16:07:750:254 3c7fa1dc
 4-14: 11:16:07:750:254 Cert Trustes.  0 100
 4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=gateway.krema-tornesch.de
 4-14: 11:16:07:750:254 Cert Serialnumber 09
 4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
 4-14: 11:16:07:750:254 3c7fa1dc
 4-14: 11:16:07:750:254 SubjectName: C=DE, S=Schleswig-Holstein,
O=Krematorium Tornesch, CN=ca.krema-tornesch.de
 4-14: 11:16:07:750:254 Cert Serialnumber 60669091e7649b9a00
 4-14: 11:16:07:750:254 Cert SHA Thumbprint f0cd5ebfae95050e2d5e4a00540acff0
 4-14: 11:16:07:750:254 41fab8f3
 4-14: 11:16:07:750:254 Not storing Peer's cert chain in SA.
 4-14: 11:16:07:750:254 Cert SHA Thumbprint 50dffb49919e456f7199b18d6c71abf9
 4-14: 11:16:07:750:254 3c7fa1dc
 4-14: 11:16:07:750:254 Entered CRL check
 4-14: 11:16:07:750:254 Left CRL check
 4-14: 11:16:07:750:254 CertFindExtenstion failed with 0
 4-14: 11:16:07:750:254 Signature validated
 4-14: 11:16:07:750:254 ClearFragList
 4-14: 11:16:07:750:254 MM established.  SA: 000D8618
 4-14: 11:16:07:750:254 QM PolicyName: Host-kremate filter action dwFlags 1
 4-14: 11:16:07:750:254 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
 4-14: 11:16:07:750:254 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
 4-14: 11:16:07:750:254  Algo[0] Operation: ESP Algo: Dreifach-DES CBC
HMAC: MD5
 4-14: 11:16:07:750:254 GetSpi: src = 192.168.61.0.0000, dst =
192.168.0.6.0000, proto = 00, context = 0000000C, srcMask =
255.255.255.0, destMask = 255.255.255.255, TunnelFilter 1
 4-14: 11:16:07:750:254 Setting SPI  501207189
 4-14: 11:16:07:750:254 constructing ISAKMP Header
 4-14: 11:16:07:750:254 constructing HASH (null)
 4-14: 11:16:07:750:254 constructing SA (IPSEC)
 4-14: 11:16:07:750:254 constructing QM KE
 4-14: 11:16:07:828:254 constructing NONCE (IPSEC)
 4-14: 11:16:07:828:254 constructing ID (proxy)
 4-14: 11:16:07:828:254 constructing ID (proxy)
 4-14: 11:16:07:828:254 constructing HASH (QM)
 4-14: 11:16:07:828:254
 4-14: 11:16:07:828:254 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
 4-14: 11:16:07:828:254 ISAKMP Header: (V1.0), len = 308
 4-14: 11:16:07:828:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:828:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:07:828:254   exchange: Oakley Quick Mode
 4-14: 11:16:07:828:254   flags: 1 ( encrypted )
 4-14: 11:16:07:828:254   next payload: HASH
 4-14: 11:16:07:828:254   message ID: 0183237a
 4-14: 11:16:07:828:254 Ports S:9411 D:9411
 4-14: 11:16:07:890:254
 4-14: 11:16:07:890:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
 4-14: 11:16:07:890:254 ISAKMP Header: (V1.0), len = 68
 4-14: 11:16:07:890:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:07:890:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:07:890:254   exchange: ISAKMP Informational Exchange
 4-14: 11:16:07:890:254   flags: 1 ( encrypted )
 4-14: 11:16:07:890:254   next payload: HASH
 4-14: 11:16:07:890:254   message ID: 6a5844c4
 4-14: 11:16:07:890:254 processing HASH (Notify/Delete)
 4-14: 11:16:07:890:254 processing payload NOTIFY
 4-14: 11:16:07:890:254 notify: INVALID-ID-INFORMATION
 4-14: 11:16:07:890:254 isadb_set_status sa:000D8618 centry:00000000
status 3601
 4-14: 11:16:08:328:e70 retransmit: sa = 000D8618 centry 00100C08 ,
count = 1
 4-14: 11:16:08:328:e70
 4-14: 11:16:08:328:e70 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
 4-14: 11:16:08:328:e70 ISAKMP Header: (V1.0), len = 308
 4-14: 11:16:08:328:e70   I-COOKIE f4471376e078c8c4
 4-14: 11:16:08:328:e70   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:08:328:e70   exchange: Oakley Quick Mode
 4-14: 11:16:08:328:e70   flags: 1 ( encrypted )
 4-14: 11:16:08:328:e70   next payload: HASH
 4-14: 11:16:08:328:e70   message ID: 0183237a
 4-14: 11:16:08:328:e70 Ports S:9411 D:9411
 4-14: 11:16:08:375:254
 4-14: 11:16:08:375:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
 4-14: 11:16:08:375:254 ISAKMP Header: (V1.0), len = 68
 4-14: 11:16:08:375:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:08:375:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:08:375:254   exchange: ISAKMP Informational Exchange
 4-14: 11:16:08:375:254   flags: 1 ( encrypted )
 4-14: 11:16:08:375:254   next payload: HASH
 4-14: 11:16:08:375:254   message ID: e0aa9d78
 4-14: 11:16:08:375:254 processing HASH (Notify/Delete)
 4-14: 11:16:08:375:254 processing payload NOTIFY
 4-14: 11:16:08:375:254 notify: INVALID-MESSAGE-ID
 4-14: 11:16:08:375:254 Unknown Notify Message 9
 4-14: 11:16:10:328:e70 retransmit: sa = 000D8618 centry 00100C08 ,
count = 2
 4-14: 11:16:10:328:e70
 4-14: 11:16:10:328:e70 Sending: SA = 0x000D8618 to x.x.x.x:Type 2.4500
 4-14: 11:16:10:328:e70 ISAKMP Header: (V1.0), len = 308
 4-14: 11:16:10:328:e70   I-COOKIE f4471376e078c8c4
 4-14: 11:16:10:328:e70   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:10:328:e70   exchange: Oakley Quick Mode
 4-14: 11:16:10:328:e70   flags: 1 ( encrypted )
 4-14: 11:16:10:328:e70   next payload: HASH
 4-14: 11:16:10:328:e70   message ID: 0183237a
 4-14: 11:16:10:328:e70 Ports S:9411 D:9411
 4-14: 11:16:10:390:254
 4-14: 11:16:10:390:254 Receive: (get) SA = 0x000d8618 from x.x.x.x.4500
 4-14: 11:16:10:390:254 ISAKMP Header: (V1.0), len = 68
 4-14: 11:16:10:390:254   I-COOKIE f4471376e078c8c4
 4-14: 11:16:10:390:254   R-COOKIE ee8361d5db1e1f74
 4-14: 11:16:10:390:254   exchange: ISAKMP Informational Exchange
 4-14: 11:16:10:390:254   flags: 1 ( encrypted )
 4-14: 11:16:10:390:254   next payload: HASH
 4-14: 11:16:10:390:254   message ID: fc8f905f
 4-14: 11:16:10:390:254 processing HASH (Notify/Delete)
 4-14: 11:16:10:390:254 processing payload NOTIFY
 4-14: 11:16:10:390:254 notify: INVALID-MESSAGE-ID
 4-14: 11:16:10:390:254 Unknown Notify Message 9
--- snip ---

-- 
best regards

Ingo Bruell

---
<ibruell at gmx.de>
<ICQ# 40377720>
Oldenburg  PGP-Fingerprint: CB01 AE12 B359 87C4 BF1C  953C 8FE7 C648
169E E5FC
Germany    PGP-Public-Key available at pgpkeys.mit.edu


More information about the Users mailing list