[Openswan Users] L2TP/IPsec with double NAT
Stefano
stefano.pazzaglia at fastwebnet.it
Tue Aug 9 15:57:51 CEST 2005
Sorry, I forgot to include my error logs...
Aug 9 14:33:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, Nr = 15
Aug 9 14:34:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, Nr = 16
Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: received and ignored informational message
Aug 9 14:35:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, Nr = 17
Aug 9 14:36:08 Orione postfix/smtpd[10462]: connect from unknown[192.168.0.102]
Aug 9 14:36:08 Orione postfix/smtpd[10462]: disconnect from unknown[192.168.0.102]
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: starting keying attempt 2 of at most 3
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #3 {using isakmp#1}
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: received and ignored informational message
Aug 9 14:36:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, Nr = 18
Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: starting keying attempt 3 of at most 3
Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #5: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #4 {using isakmp#1}
Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: received and ignored informational message
Aug 9 14:37:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, Nr = 19
Aug 9 14:38:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #6: initiating Main Mode to replace #1
Aug 9 14:38:51 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #5: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 9 14:38:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, Nr = 20
Aug 9 14:39:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #6: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Aug 9 14:39:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #6: starting keying attempt 2 of at most 3
Aug 9 14:39:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #7: initiating Main Mode to replace #6
Aug 9 14:39:51 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #2: IPsec SA expired (LATEST!)
Aug 9 14:39:56 Orione l2tpd[26576]: control_xmit: Maximum retries exceeded for tunnel 63219. Closing.
Aug 9 14:39:56 Orione pppd[10207]: Terminating on signal 15.
Aug 9 14:39:56 Orione pppd[10207]: Modem hangup
Aug 9 14:39:56 Orione pppd[10207]: Script /etc/ppp/ip-down started (pid 10526)
Aug 9 14:39:56 Orione pppd[10207]: Connection terminated.
Aug 9 14:39:56 Orione pppd[10207]: Connect time 19.1 minutes.
Aug 9 14:39:56 Orione pppd[10207]: Sent 642694 bytes, received 54124 bytes.
Aug 9 14:39:56 Orione pppd[10207]: Waiting for 1 child processes...
Aug 9 14:39:56 Orione pppd[10207]: script /etc/ppp/ip-down, pid 10526
Aug 9 14:39:56 Orione pppd[10207]: Script /etc/ppp/ip-down finished (pid 10526), status = 0x1
Aug 9 14:39:56 Orione pppd[10207]: Connect time 19.1 minutes.
Aug 9 14:39:56 Orione pppd[10207]: Sent 642694 bytes, received 54124 bytes.
Aug 9 14:39:56 Orione pppd[10207]: Exit.
Aug 9 14:39:56 Orione l2tpd[26576]: call_close : Connection 16 closed to xxx.xxx.xxx.82, port 1701 (Timeout)
Aug 9 14:40:01 Orione l2tpd[26576]: control_xmit: Unable to deliver closing message for tunnel 63219. Destroying anyway.
----- Original Message -----
From: "Stefano" <stefano.pazzaglia at fastwebnet.it>
To: <users at openswan.org>
Sent: Tuesday, August 09, 2005 2:25 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
> No, the connection begins but after a while it drops.
> @Jacco, if it's possible I would like to send you my ipsec barf. And,
> another thing I forgot to mention: the Openswan server stands in a DMZ with
> interface eth1 (xxx.xxx.xxx.91) on DMZ xxx.xxx.xxx.88/29 and interface eth0
> on my LAN with IP address 192.168.0.102. The external firewall has IPs
> xxx.xxx.xxx.85 (out of DMZ) and xxx.xxx.xxx.89 (within DMZ) and makes DNAT
> to Openswan. In the barf logs the connection is attempted from a PC belonging to
> the LAN. Let me know if I can send you the barf for a better comprehension of my
> situation...
>
>
> ----- Original Message -----
> From: "Jacco de Leeuw" <jacco2 at dds.nl>
> To: <users at openswan.org>
> Sent: Tuesday, August 09, 2005 11:29 AM
> Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
>
>
>>
>> Stefano Pazzaglia wrote:
>>
>>> Any idea? :-(
>>> I'm wondering if I have to surrender, even if I think i'm not too far
>>> from the solution ...
>>
>> You did not respond to my suggestion to use certificates instead of
>> a PSK. And did you remember to correct the virtual_private line?
>> I would also suggest you try first without any NAT between the client
>> and the server. When that works, you put the client behind NAT. Then
>> the next step would be to put the server behind NAT as well.
>>
>> Jacco
>> --
>> Jacco de Leeuw mailto:jacco2 at dds.nl
>> Zaandam, The Netherlands http://www.jacco2.dds.nl
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>
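The pluto lines in the log above repeat one pattern: every Quick Mode rekey on the "roadwarrior" connection times out in STATE_QUICK_I1 right after the peer sends an INVALID_ID_INFORMATION notify on ISAKMP SA #1, until the Main Mode renegotiation also gets no answer and l2tpd tears the tunnel down. The following script is an added example, not part of the thread or of Openswan itself: it parses pluto syslog lines, tallies the Quick Mode initiations, retransmission timeouts and INVALID_ID_INFORMATION notifies per connection/peer pair, and flags the two failure signatures. The sample lines are a constructed subset adapted from the post (the masked peer xxx.xxx.xxx.82 is kept as written there); the regular expression assumes the pluto log format shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pluto/l2tpd log excerpt from the post,
# with the wrapped syslog lines rejoined. A postfix line is included to show
# that non-pluto lines are skipped.
SAMPLE_LOG = """\
Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: received and ignored informational message
Aug 9 14:36:08 Orione postfix/smtpd[10462]: connect from unknown[192.168.0.102]
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: starting keying attempt 2 of at most 3
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #3 {using isakmp#1}
Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 9 14:39:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #6: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""

# Assumed pluto line layout (as seen in the post):
#   <syslog ts> <host> pluto[<pid>]: "<conn>"[<instance>] <peer> #<state>: <msg>
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)


def parse_pluto(lines):
    """Yield one dict per pluto log line; lines from other daemons are skipped."""
    for line in lines:
        m = PLUTO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["state"] = int(ev["state"])
            yield ev


def summarize(lines):
    """Tally, per (connection, peer), the events that matter for this failure:
    Quick Mode initiations, Quick Mode and Main Mode retransmission timeouts,
    and INVALID_ID_INFORMATION notifies received from the peer."""
    stats = defaultdict(lambda: {"qm_init": 0, "qm_timeout": 0,
                                 "mm_timeout": 0, "invalid_id": 0})
    for ev in parse_pluto(lines):
        s = stats[(ev["conn"], ev["peer"])]
        msg = ev["msg"]
        if msg.startswith("initiating Quick Mode"):
            s["qm_init"] += 1
        elif "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            s["qm_timeout"] += 1
        elif "max number of retransmissions" in msg and "STATE_MAIN_I1" in msg:
            s["mm_timeout"] += 1
        elif "INVALID_ID_INFORMATION" in msg:
            s["invalid_id"] += 1
    return dict(stats)


def diagnose(stats):
    """Return (conn, peer, finding) tuples for the two signatures in the thread."""
    findings = []
    for (conn, peer), s in stats.items():
        # Every Quick Mode rekey timed out and the peer sent INVALID_ID_INFORMATION:
        # the responder is rejecting the phase 2 identities/selectors rather than
        # simply being unreachable.
        if s["qm_init"] and s["qm_timeout"] >= s["qm_init"] and s["invalid_id"]:
            findings.append((conn, peer, "quick-mode-rekey-rejected"))
        # Main Mode got no reply at all: IKE (UDP 500/4500) is not reaching the
        # peer, which is the thing to check first when NAT sits in the path.
        if s["mm_timeout"]:
            findings.append((conn, peer, "main-mode-no-response"))
    return findings


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for key, s in stats.items():
        print(key, s)
    for conn, peer, finding in diagnose(stats):
        print(f"{conn} <-> {peer}: {finding}")
```

Run against a full /var/log/secure or auth.log, the per-peer tallies separate a client that negotiates phase 1 fine but never completes the rekey (the case in this thread) from one that never reaches the server at all, which is the distinction Jacco's "first without NAT, then client behind NAT, then server behind NAT" procedure is meant to isolate.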