[Openswan Users] L2TP/IPsec with double NAT

Stefano stefano.pazzaglia at fastwebnet.it
Tue Aug 9 15:57:51 CEST 2005 

Sorry, I forgot to include my error logs...

Aug 9 14:33:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, 
Nr = 15

Aug 9 14:34:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, 
Nr = 16

Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: 
initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using 
isakmp#1}

Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: 
ignoring informational payload, type INVALID_ID_INFORMATION

Aug 9 14:35:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: 
received and ignored informational message

Aug 9 14:35:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, 
Nr = 17

Aug 9 14:36:08 Orione postfix/smtpd[10462]: connect from 
unknown[192.168.0.102]

Aug 9 14:36:08 Orione postfix/smtpd[10462]: disconnect from 
unknown[192.168.0.102]

Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: max 
number of retransmissions (2) reached STATE_QUICK_I1

Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #3: 
starting keying attempt 2 of at most 3

Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: 
initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #3 {using 
isakmp#1}

Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: 
ignoring informational payload, type INVALID_ID_INFORMATION

Aug 9 14:36:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: 
received and ignored informational message

Aug 9 14:36:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, 
Nr = 18

Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: max 
number of retransmissions (2) reached STATE_QUICK_I1

Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #4: 
starting keying attempt 3 of at most 3

Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #5: 
initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL to replace #4 {using 
isakmp#1}

Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: 
ignoring informational payload, type INVALID_ID_INFORMATION

Aug 9 14:37:41 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #1: 
received and ignored informational message

Aug 9 14:37:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, 
Nr = 19

Aug 9 14:38:21 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #6: 
initiating Main Mode to replace #1

Aug 9 14:38:51 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #5: max 
number of retransmissions (2) reached STATE_QUICK_I1

Aug 9 14:38:51 Orione l2tpd[26576]: check_control: control, cid = 0, Ns = 4, 
Nr = 20

Aug 9 14:39:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #6: max 
number of retransmissions (2) reached STATE_MAIN_I1. No response (or no 
acceptable response) to our first IKE message

Aug 9 14:39:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #6: 
starting keying attempt 2 of at most 3

Aug 9 14:39:31 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #7: 
initiating Main Mode to replace #6

Aug 9 14:39:51 Orione pluto[10059]: "roadwarrior"[2] xxx.xxx.xxx.82 #2: 
IPsec SA expired (LATEST!)

Aug 9 14:39:56 Orione l2tpd[26576]: control_xmit: Maximum retries exceeded 
for tunnel 63219. Closing.

Aug 9 14:39:56 Orione pppd[10207]: Terminating on signal 15.

Aug 9 14:39:56 Orione pppd[10207]: Modem hangup

Aug 9 14:39:56 Orione pppd[10207]: Script /etc/ppp/ip-down started (pid 
10526)

Aug 9 14:39:56 Orione pppd[10207]: Connection terminated.

Aug 9 14:39:56 Orione pppd[10207]: Connect time 19.1 minutes.

Aug 9 14:39:56 Orione pppd[10207]: Sent 642694 bytes, received 54124 bytes.

Aug 9 14:39:56 Orione pppd[10207]: Waiting for 1 child processes...

Aug 9 14:39:56 Orione pppd[10207]: script /etc/ppp/ip-down, pid 10526

Aug 9 14:39:56 Orione pppd[10207]: Script /etc/ppp/ip-down finished (pid 
10526), status = 0x1

Aug 9 14:39:56 Orione pppd[10207]: Connect time 19.1 minutes.

Aug 9 14:39:56 Orione pppd[10207]: Sent 642694 bytes, received 54124 bytes.

Aug 9 14:39:56 Orione pppd[10207]: Exit.

Aug 9 14:39:56 Orione l2tpd[26576]: call_close : Connection 16 closed to 
xxx.xxx.xxx.82, port 1701 (Timeout)

Aug 9 14:40:01 Orione l2tpd[26576]: control_xmit: Unable to deliver closing 
message for tunnel 63219. Destroying anyway.

----- Original Message ----- 
From: "Stefano" <stefano.pazzaglia at fastwebnet.it>
To: <users at openswan.org>
Sent: Tuesday, August 09, 2005 2:25 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT


> No, connection begins but after a while it drops.
> @Jacco, if it's possible I would like to send you my ipsec barf. And,
> another thing I missed to mention,  Openswan server stands in a DMZ with
> interface eth1 (xxx.xxx.xxx.91) on DMZ xxx.xxx.xxx.88/29 and interface 
> eth0
> on my LAN with IP address 192.168.0.102. External firewall has IPs
> xxx.xxx.xxx.85 (out of DMZ) and  xxx.xxx.xxx.89 (within DMZ) and makes 
> DNAT
> to Openswan. In barf logs connection is attempted from a PC belonging to
> LAN. Let me know if I can send you barf for a better comprehension of my
> situation...
>
>
> ----- Original Message ----- 
> From: "Jacco de Leeuw" <jacco2 at dds.nl>
> To: <users at openswan.org>
> Sent: Tuesday, August 09, 2005 11:29 AM
> Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
>
>
>>
>> Stefano Pazzaglia wrote:
>>
>>> Any idea? :-(
>>> I'm wondering if I have to surrender, even if  I think i'm not too far
>>> from the solution ...
>>
>> You did not respond to my suggestion to use certificates instead of
>> a PSK. And did you remember to correct the virtual_private line?
>> I would also suggest you try first without any NAT between the client
>> and the server. When that works, you put the client behind NAT. Then
>> the next step would be to put the server behind NAT as well.
>>
>> Jacco
>> -- 
>> Jacco de Leeuw                         mailto:jacco2 at dds.nl
>> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

More information about the Users mailing list