[Openswan Users] L2TP/IPsec with double NAT
Stefano Pazzaglia
stefano.pazzaglia at fastwebnet.it
Thu Aug 11 22:53:13 CEST 2005
Ok, tried to put Openswan on the Internet. Tried to connect from a client
behind NAT (unfortunately I can only test this way at the moment). As usual,
when the two parties are going to rekey, something goes wrong!!! I attach my
logs and I hope someone can help me, because I'm seriously thinking of looking
at some other VPN servers...
Thanks in advance...
Aug 11 21:28:57 localhost pluto[13393]: added connection description
"I-hate-vpn"
Aug 11 21:28:57 localhost pluto[13393]: listening for IKE messages
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth1/eth1
217.58.52.83
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth1/eth1
217.58.52.83:4500
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth0/eth0
192.168.0.102
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth0/eth0
192.168.0.102:4500
Aug 11 21:28:57 localhost pluto[13393]: adding interface lo/lo 127.0.0.1
Aug 11 21:28:57 localhost pluto[13393]: adding interface lo/lo
127.0.0.1:4500
Aug 11 21:28:57 localhost pluto[13393]: adding interface lo/lo ::1
Aug 11 21:28:57 localhost pluto[13393]: loading secrets from
"/etc/ipsec.secrets"
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937:
ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937:
ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937
#1: responding to Main Mode from unknown peer 213.140.19.123:46937
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937
#1: transition from state (null) to state STATE_MAIN_R1
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937
#1: Peer ID is ID_FQDN: '@pava-winzozz'
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937
#1: I did not send a certificate because I do not have one.
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 21:29:25 localhost pluto[13393]: | NAT-T: new mapping
213.140.19.123:46937/46945)
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#1: sent MR3, ISAKMP SA established
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#2: responding to Quick Mode
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#2: transition from state (null) to state STATE_QUICK_R1
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}
Aug 11 21:29:35 localhost sshd[13531]: Accepted keyboard-interactive/pam for
root from ::ffff:192.168.0.200 port 1967 ssh2
Aug 11 21:29:35 localhost sshd[13534]: (pam_unix) session opened for user
root by root(uid=0)
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using
isakmp#1}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#1: received and ignored informational message
Aug 11 21:46:06 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#3: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 11 21:49:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#2: IPsec SA expired (LATEST!)
Aug 11 21:49:27 localhost pluto[13393]: ERROR: netlink XFRM_MSG_DELPOLICY
response for flow int.0 at 0.0.0.0 included errno 2: No such file or directory
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#4: responding to Quick Mode
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#4: transition from state (null) to state STATE_QUICK_R1
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#4: IPsec SA established {ESP=>0xdc0f91db <0x95e30c15 NATOA=37.255.126.225}
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: initiating Main Mode to replace #1
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: I did not send a certificate because I do not have one.
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: we require peer to have ID '@pava-winzozz', but peer declares
'37.255.126.225'
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: sending encrypted notification INVALID_ID_INFORMATION to
213.140.19.123:46945
Aug 11 21:49:57 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:49:57 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: we require peer to have ID '@pava-winzozz', but peer declares
'37.255.126.225'
Aug 11 21:49:57 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: sending encrypted notification INVALID_ID_INFORMATION to
213.140.19.123:46945
Aug 11 21:49:59 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:49:59 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: we require peer to have ID '@pava-winzozz', but peer declares
'37.255.126.225'
Aug 11 21:49:59 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: sending encrypted notification INVALID_ID_INFORMATION to
213.140.19.123:46945
Aug 11 21:50:03 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:50:03 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: we require peer to have ID '@pava-winzozz', but peer declares
'37.255.126.225'
Aug 11 21:50:03 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: sending encrypted notification INVALID_ID_INFORMATION to
213.140.19.123:46945
Aug 11 21:50:11 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:50:11 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: we require peer to have ID '@pava-winzozz', but peer declares
'37.255.126.225'
Aug 11 21:50:11 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: sending encrypted notification INVALID_ID_INFORMATION to
213.140.19.123:46945
Aug 11 21:50:27 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:50:27 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: we require peer to have ID '@pava-winzozz', but peer declares
'37.255.126.225'
Aug 11 21:50:27 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: sending encrypted notification INVALID_ID_INFORMATION to
213.140.19.123:46945
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#1: received Delete SA(0xdc0f91db) payload: deleting IPSEC State #4
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#1: received and ignored informational message
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: next payload type of ISAKMP Hash Payload has an unknown value: 168
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: malformed payload in packet
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: sending encrypted notification PAYLOAD_MALFORMED to 213.140.19.123:46945
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#1: received Delete SA payload: deleting ISAKMP State #1
Aug 11 21:50:56 localhost pluto[13393]: packet from 213.140.19.123:46945:
received and ignored informational message
Aug 11 21:51:05 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
#5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible
authentication failure: no acceptable response to our first encrypted
message
Aug 11 21:51:05 localhost pluto[13393]: "I-hate-vpn"[1]
213.140.19.123:46945: deleting connection "I-hate-vpn" instance with peer
213.140.19.123 {isakmp=#0/ipsec=#0}
----- Original Message -----
From: "Jacco de Leeuw" <jacco2 at dds.nl>
To: <users at openswan.org>
Sent: Wednesday, August 10, 2005 11:52 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
> Stefano Pazzaglia wrote:
>
>> Ok, no answers at all...
>
> I refer to my previous suggestions.
>
>> connect from a natted and updated xp client, how must look my ipsec.conf
>> like? I'm not still sure about what to write in left, leftnexthop,
>> leftsubnet, right etc...
>
> See http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#NAT
> for some tips.
>
>> Moreover when I indicate leftsubnet=192.168.0.0/24
>> in ipsec.conf connection can't start.
>
> If left is the local VPN server, then there should not be a
> leftsubnet. The L2TP daemon facilitates the access to the
> internal subnet, not Openswan.
>
>> In this moment another attempt is
>> failing and this is the output from ipsec auto --status.
>> What the hell means 000 xxx.xxx.xxx.91/32:0 -17-> 213.140.19.123/32:0 =>
>> %hold 0 %acquire-netlink????????
>
> Don't get yourself distracted by large amounts of output.
> Take a few steps backs. Start without NAT. Then switch from PSK to certs.
> Then put the client behind NAT. And finally the server.
>
> Jacco
> --
> Jacco de Leeuw mailto:jacco2 at dds.nl
> Zaandam, The Netherlands http://www.jacco2.dds.nl
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
>
>
>
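The failure pattern in the log above is the interesting part of this thread: #1 and #2 come up fine with NAT-T (peer identifies as ID_FQUN '@pava-winzozz' and is detected as NATed), but fifteen minutes later the server itself initiates the Quick Mode rekey (#3) and then the Main Mode rekey (#5). When the XP client is the responder it sends no NAT-D payloads ("Only 0 NAT-D"), identifies as ID_IPV4_ADDR '37.255.126.225' instead of the FQDN, and both rekeys run out of retransmissions. The script below is an added example, not code from the thread or from the Openswan project: it parses pluto log lines, correlates the per-SA messages and prints the findings a practitioner would want, using a constructed sample made of the posted lines joined back onto one line each (the mail client wrapped them). The regular expressions match the pluto message formats visible in the log; any other format is an assumption.

```python
"""Triage Openswan (pluto) logs for NAT-T rekey failures.

Added example: it is not part of the original thread. The sample log is a
constructed subset of the lines posted above, each re-joined onto one line.
"""
import re

SAMPLE_LOG = """\
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 #1: Peer ID is ID_FQDN: '@pava-winzozz'
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 11 21:46:06 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: initiating Main Mode to replace #1
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: we require peer to have ID '@pava-winzozz', but peer declares '37.255.126.225'
Aug 11 21:51:05 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Per-connection pluto lines: "<conn>"[<instance>] <ip>:<port> #<sa>: <message>
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<ip>[\d.]+):(?P<port>\d+) '
    r'#(?P<sa>\d+): (?P<msg>.*)$'
)
REKEY_RE = re.compile(r'initiating (?P<mode>Quick Mode|Main Mode).*? to replace #(?P<old>\d+)')
ID_RE = re.compile(r"we require peer to have ID '(?P<want>[^']+)', but peer declares '(?P<got>[^']+)'")
RETRANS_RE = re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')


def parse_pluto(text):
    """Return one dict per per-connection pluto line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d['sa'] = int(d['sa'])
            events.append(d)
    return events


def triage(events):
    """Correlate the events by SA number and derive the findings."""
    report = {
        'nated_peers': set(),
        'server_initiated_rekeys': [],  # (new_sa, mode, replaced_sa)
        'failed_sas': {},               # sa -> state in which retransmissions ran out
        'id_mismatches': [],            # (wanted, declared)
        'nat_d_aborted': False,
        'findings': [],
    }
    for e in events:
        msg = e['msg']
        if 'peer is NATed' in msg:
            report['nated_peers'].add(e['ip'])
        m = REKEY_RE.search(msg)
        if m:
            report['server_initiated_rekeys'].append((e['sa'], m['mode'], int(m['old'])))
        m = RETRANS_RE.search(msg)
        if m:
            report['failed_sas'][e['sa']] = m['state']
        m = ID_RE.search(msg)
        if m:
            report['id_mismatches'].append((m['want'], m['got']))
        if 'Only 0 NAT-D' in msg:
            report['nat_d_aborted'] = True

    # A rekey that we initiated and that then ran out of retransmissions.
    failed_rekeys = [r for r in report['server_initiated_rekeys'] if r[0] in report['failed_sas']]
    if report['nated_peers'] and failed_rekeys:
        detail = ', '.join(f"{mode} #{sa} (replacing #{old})" for sa, mode, old in failed_rekeys)
        report['findings'].append(
            f"server-initiated rekey toward a NATed peer timed out: {detail}; "
            "let the client drive rekeying instead")
    if report['nat_d_aborted']:
        report['findings'].append(
            "peer sent no NAT-D payloads when the server initiated, so NAT-T was "
            "not negotiated on the replacement ISAKMP SA")
    for want, got in dict.fromkeys(report['id_mismatches']):  # dedupe, keep order
        report['findings'].append(
            f"ID mismatch: connection expects '{want}' but the responding peer declares '{got}'")
    return report


if __name__ == '__main__':
    for finding in triage(parse_pluto(SAMPLE_LOG))['findings']:
        print('-', finding)
```

Run against a real /var/log/secure (or wherever pluto logs) after joining wrapped lines, and the three findings it prints for the posted log point at one root cause: the server should not be the one initiating rekeys toward a road warrior behind NAT. The usual Openswan answer for this, not stated on this page and so an assumption here, is `rekey=no` on the server's L2TP connection so the client rekeys; together with Jacco's point that a server-side `conn` for L2TP carries no `leftsubnet`, since the L2TP daemon, not Openswan, provides access to the internal network.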