[Openswan Users] L2TP/IPsec with double NAT

Stefano Pazzaglia stefano.pazzaglia at fastwebnet.it
Thu Aug 11 22:53:13 CEST 2005


Ok, I tried to put Openswan on the Internet and tried to connect from a 
NATted client (unfortunately I can only test this way at the moment). As usual, 
when the two parties are about to rekey, something goes wrong!!! I attach my 
logs and I hope someone can help me, because I'm seriously thinking of looking 
at some other VPN servers...
Thanks in advance...

Aug 11 21:28:57 localhost pluto[13393]: added connection description 
"I-hate-vpn"
Aug 11 21:28:57 localhost pluto[13393]: listening for IKE messages
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth1/eth1 
217.58.52.83
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth1/eth1 
217.58.52.83:4500
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth0/eth0 
192.168.0.102
Aug 11 21:28:57 localhost pluto[13393]: adding interface eth0/eth0 
192.168.0.102:4500
Aug 11 21:28:57 localhost pluto[13393]: adding interface lo/lo 127.0.0.1
Aug 11 21:28:57 localhost pluto[13393]: adding interface lo/lo 
127.0.0.1:4500
Aug 11 21:28:57 localhost pluto[13393]: adding interface lo/lo ::1
Aug 11 21:28:57 localhost pluto[13393]: loading secrets from 
"/etc/ipsec.secrets"
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937: 
ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 11 21:29:25 localhost pluto[13393]: packet from 213.140.19.123:46937: 
ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 
#1: responding to Main Mode from unknown peer 213.140.19.123:46937
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 
#1: transition from state (null) to state STATE_MAIN_R1
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is 
NATed
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 
#1: Peer ID is ID_FQDN: '@pava-winzozz'
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 
#1: I did not send a certificate because I do not have one.
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 21:29:25 localhost pluto[13393]: | NAT-T: new mapping 
213.140.19.123:46937/46945)
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#1: sent MR3, ISAKMP SA established
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#2: responding to Quick Mode
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#2: transition from state (null) to state STATE_QUICK_R1
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}
Aug 11 21:29:35 localhost sshd[13531]: Accepted keyboard-interactive/pam for 
root from ::ffff:192.168.0.200 port 1967 ssh2
Aug 11 21:29:35 localhost sshd[13534]: (pam_unix) session opened for user 
root by root(uid=0)
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using 
isakmp#1}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#1: received and ignored informational message
Aug 11 21:46:06 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#3: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 11 21:49:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#2: IPsec SA expired (LATEST!)
Aug 11 21:49:27 localhost pluto[13393]: ERROR: netlink XFRM_MSG_DELPOLICY 
response for flow int.0 at 0.0.0.0 included errno 2: No such file or directory
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#4: responding to Quick Mode
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#4: transition from state (null) to state STATE_QUICK_R1
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#4: IPsec SA established {ESP=>0xdc0f91db <0x95e30c15 NATOA=37.255.126.225}
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: initiating Main Mode to replace #1
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: I did not send a certificate because I do not have one.
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: we require peer to have ID '@pava-winzozz', but peer declares 
'37.255.126.225'
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: sending encrypted notification INVALID_ID_INFORMATION to 
213.140.19.123:46945
Aug 11 21:49:57 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:49:57 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: we require peer to have ID '@pava-winzozz', but peer declares 
'37.255.126.225'
Aug 11 21:49:57 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: sending encrypted notification INVALID_ID_INFORMATION to 
213.140.19.123:46945
Aug 11 21:49:59 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:49:59 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: we require peer to have ID '@pava-winzozz', but peer declares 
'37.255.126.225'
Aug 11 21:49:59 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: sending encrypted notification INVALID_ID_INFORMATION to 
213.140.19.123:46945
Aug 11 21:50:03 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:50:03 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: we require peer to have ID '@pava-winzozz', but peer declares 
'37.255.126.225'
Aug 11 21:50:03 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: sending encrypted notification INVALID_ID_INFORMATION to 
213.140.19.123:46945
Aug 11 21:50:11 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:50:11 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: we require peer to have ID '@pava-winzozz', but peer declares 
'37.255.126.225'
Aug 11 21:50:11 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: sending encrypted notification INVALID_ID_INFORMATION to 
213.140.19.123:46945
Aug 11 21:50:27 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:50:27 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: we require peer to have ID '@pava-winzozz', but peer declares 
'37.255.126.225'
Aug 11 21:50:27 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: sending encrypted notification INVALID_ID_INFORMATION to 
213.140.19.123:46945
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#1: received Delete SA(0xdc0f91db) payload: deleting IPSEC State #4
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#1: received and ignored informational message
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: next payload type of ISAKMP Hash Payload has an unknown value: 168
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: malformed payload in packet
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: sending encrypted notification PAYLOAD_MALFORMED to 213.140.19.123:46945
Aug 11 21:50:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#1: received Delete SA payload: deleting ISAKMP State #1
Aug 11 21:50:56 localhost pluto[13393]: packet from 213.140.19.123:46945: 
received and ignored informational message
Aug 11 21:51:05 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
#5: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible 
authentication failure: no acceptable response to our first encrypted 
message
Aug 11 21:51:05 localhost pluto[13393]: "I-hate-vpn"[1] 
213.140.19.123:46945: deleting connection "I-hate-vpn" instance with peer 
213.140.19.123 {isakmp=#0/ipsec=#0}





----- Original Message ----- 
From: "Jacco de Leeuw" <jacco2 at dds.nl>
To: <users at openswan.org>
Sent: Wednesday, August 10, 2005 11:52 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT


> Stefano Pazzaglia wrote:
>
>> Ok, no answers at all...
>
> I refer to my previous suggestions.
>
>> connect from a NATted and updated XP client, what must my ipsec.conf
>> look like? I'm still not sure what to write in left, leftnexthop,
>> leftsubnet, right etc...
>
> See http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#NAT
> for some tips.
>
>> Moreover when I indicate leftsubnet=192.168.0.0/24
>> in ipsec.conf  connection can't start.
>
> If left is the local VPN server, then there should not be a
> leftsubnet. The L2TP daemon facilitates the access to the
> internal subnet, not Openswan.
>
>> At the moment another attempt is
>> failing and this is the output from ipsec auto --status.
>> What the hell does 000 xxx.xxx.xxx.91/32:0 -17-> 213.140.19.123/32:0 =>
>> %hold 0    %acquire-netlink mean????????
>
> Don't get yourself distracted by large amounts of output.
> Take a few steps back. Start without NAT. Then switch from PSK to certs.
> Then put the client behind NAT. And finally the server.
>
> Jacco
> -- 
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
>
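Added example (not part of the thread, and not Openswan code): a small Python script that groups the pluto log lines above by their state number (#1, #2, ...) and, for each rekey the server initiated that then hit the retransmission limit, reports what the peer actually answered on that state or on the ISAKMP SA it rode on. The embedded SAMPLE_LOG is a subset of the log posted above with the wrapped lines rejoined; the pattern names and the wording of the findings are ours. Run on this log it surfaces two things the raw output buries: the Quick Mode rekey #3 died after the peer sent INVALID_ID_INFORMATION on ISAKMP SA #1, and the Main Mode rekey #5 died because the NATed client answered with its pre-NAT address (the NATOA recorded on the established IPsec SAs) as an ID_IPV4_ADDR identity instead of the FQDN '@pava-winzozz' the connection requires, and without any NAT-D payloads.

```python
"""Group Openswan/pluto log lines by state number (#1, #2, ...) and explain
each locally initiated rekey that timed out.  Added example for this thread;
not Openswan code.  SAMPLE_LOG is a subset of the log posted above with the
wrapped lines rejoined; pattern names and finding texts are ours."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46937 #1: Peer ID is ID_FQDN: '@pava-winzozz'
Aug 11 21:29:25 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: sent MR3, ISAKMP SA established
Aug 11 21:29:26 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 11 21:46:06 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 11 21:49:33 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #4: IPsec SA established {ESP=>0xdc0f91db <0x95e30c15 NATOA=37.255.126.225}
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: initiating Main Mode to replace #1
Aug 11 21:49:55 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: Peer ID is ID_IPV4_ADDR: '37.255.126.225'
Aug 11 21:49:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: we require peer to have ID '@pava-winzozz', but peer declares '37.255.126.225'
Aug 11 21:51:05 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #5: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# One pluto line: connection name, instance, peer address:port, state number, message.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+:\d+) #(?P<state>\d+): (?P<msg>.*)$')

# Message fragments worth keeping, each attributed to the state number on its line.
PATTERNS = {
    "nated":    re.compile(r"peer is NATed"),
    "peer_id":  re.compile(r"Peer ID is (?P<type>\w+): '(?P<id>[^']*)'"),
    "natoa":    re.compile(r"NATOA=(?P<addr>[\d.]+)"),
    "rekey":    re.compile(r"initiating (?P<mode>Main|Quick) Mode.*? to replace #(?P<old>\d+)"
                           r"(?: \{using isakmp#(?P<isakmp>\d+)\})?"),
    "notify":   re.compile(r"ignoring informational payload, type (?P<type>\w+)"),
    "natd":     re.compile(r"Only (?P<count>\d+) NAT-D"),
    "mismatch": re.compile(r"we require peer to have ID '(?P<want>[^']*)', but peer declares '(?P<got>[^']*)'"),
    "timeout":  re.compile(r"max number of retransmissions \(\d+\) reached (?P<at>STATE_\w+)"),
}


def parse(log_text):
    """Return {state_number: {pattern_name: groupdict}} for every recognised line."""
    states = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-state pluto line (interface setup, sshd, ...)
        st = int(m.group("state"))
        for name, rx in PATTERNS.items():
            hit = rx.search(m.group("msg"))
            if hit:
                states[st][name] = hit.groupdict()
    return states


def diagnose(states):
    """One finding per rekey we initiated whose replacement state hit the retransmit limit."""
    natoa = {s["natoa"]["addr"] for s in states.values() if "natoa" in s}
    peer_nated = any("nated" in s for s in states.values())
    findings = []
    for st in sorted(states):
        info = states[st]
        if "rekey" not in info or "timeout" not in info:
            continue
        rk = info["rekey"]
        old = int(rk["old"])
        f = {"state": st, "replaces": old, "mode": rk["mode"],
             "failed_at": info["timeout"]["at"], "reasons": []}
        mm = info.get("mismatch")
        if mm:
            old_id = states.get(old, {}).get("peer_id", {}).get("id", "?")
            f["reasons"].append(f"peer ID changed: #{old} was authenticated as {old_id}, "
                                f"replacement #{st} declares {mm['got']}")
            if mm["got"] in natoa:
                f["reasons"].append(f"{mm['got']} is the peer's NAT-OA (its pre-NAT address) sent as "
                                    f"ID_IPV4_ADDR; it can never match the required FQDN {mm['want']}")
        natd = info.get("natd")
        if natd and int(natd["count"]) == 0 and peer_nated:
            f["reasons"].append("peer answered with 0 NAT-D payloads although it was detected as NATed "
                                "on the original exchange: NAT-T was not negotiated for the replacement")
        # A Quick Mode rekey rides on an ISAKMP SA; notifications arrive on that SA, not on #st.
        isakmp = rk.get("isakmp")
        if rk["mode"] == "Quick" and isakmp and "notify" in states.get(int(isakmp), {}):
            f["reasons"].append(f"peer sent {states[int(isakmp)]['notify']['type']} on ISAKMP SA "
                                f"#{isakmp}: it rejected the phase 2 identities we proposed")
        if not f["reasons"]:
            f["reasons"].append("no acceptable response before the retransmission limit")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in diagnose(parse(SAMPLE_LOG)):
        print(f"#{f['state']} ({f['mode']} Mode, replacing #{f['replaces']}) failed at {f['failed_at']}:")
        for r in f["reasons"]:
            print("  -", r)
```

The state number is the only reliable join key in pluto output: the Quick Mode rekey #3 never logs the peer's rejection itself, the INVALID_ID_INFORMATION lands on ISAKMP SA #1, which the "{using isakmp#1}" suffix on the initiating line lets the script follow. Feed it the full log (or a later one) to see whether the failures line up with the server initiating the rekey, as they do here, or with the client's attempts.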


