[Openswan Users] L2TP/IPsec with double NAT
Stefano Pazzaglia
stefano.pazzaglia at fastwebnet.it
Sat Aug 13 14:04:39 CEST 2005
Some good news: the connection between a NATed client and a NATed server seems
to hold, but if another (not NATed) client tries to connect to Openswan at the
same time, after an hour the error message attached below occurs, while the
NATed client doesn't lose its connection. This is my ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:37.xxx.xxx.0/21,%v4:!192.168.0.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        ikelifetime=120m
        keylife=60m

conn I-hate-vpn
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/1701
        rightid=
        leftid=
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
And the error message for the 2nd client...
Aug 13 12:07:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 57
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #26: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #22 {using isakmp#21}
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #21: received and ignored informational message
Aug 13 12:08:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 525
Aug 13 12:08:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 58
Aug 13 12:08:56 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #26: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 13 12:09:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 526
Aug 13 12:09:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 59
Aug 13 12:10:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 527
Aug 13 12:10:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 60
Aug 13 12:11:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 528
Aug 13 12:11:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 61
Aug 13 12:12:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 529
Aug 13 12:12:16 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #22: IPsec SA expired (LATEST!)
Aug 13 12:12:16 Orione pluto[8493]: ERROR: netlink XFRM_MSG_DELPOLICY response for flow int.0 at 0.0.0.0 included errno 2: No such file or directory
Aug 13 12:12:21 Orione l2tpd[8649]: control_xmit: Maximum retries exceeded for tunnel 35656. Closing.
Aug 13 12:12:21 Orione pppd[15706]: Terminating on signal 15.
Aug 13 12:12:21 Orione pppd[15706]: Modem hangup
Aug 13 12:12:21 Orione pppd[15706]: Script /etc/ppp/ip-down started (pid 16788)
Aug 13 12:12:21 Orione pppd[15706]: Connection terminated.
Aug 13 12:12:21 Orione pppd[15706]: Connect time 60.1 minutes.
Aug 13 12:12:21 Orione pppd[15706]: Sent 4039153 bytes, received 1695432 bytes.
Aug 13 12:12:21 Orione pppd[15706]: Waiting for 1 child processes...
Aug 13 12:12:21 Orione pppd[15706]: script /etc/ppp/ip-down, pid 16788
Aug 13 12:12:21 Orione pppd[15706]: Script /etc/ppp/ip-down finished (pid 16788), status = 0x1
Aug 13 12:12:21 Orione pppd[15706]: Connect time 60.1 minutes.
Aug 13 12:12:21 Orione pppd[15706]: Sent 4039153 bytes, received 1695432 bytes.
Aug 13 12:12:21 Orione pppd[15706]: Exit.
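The log above shows one recognisable sequence per failed client: pluto initiates a Quick Mode rekey ("initiating Quick Mode ... to replace #N"), the peer answers with an INVALID_ID_INFORMATION notification, the new state hits its retransmission limit, the SA being replaced expires at the end of keylife, and l2tpd then gives up on the tunnel. The script below is an added example, not code from Stefano's post or from the Openswan project; it pulls exactly that sequence out of syslog text so that, run over a real /var/log/messages or /var/log/secure, it reports which peers fail to rekey and which succeed. The sample log embedded in it is constructed, modelled on the quoted lines with documentation-range addresses instead of the masked ones, and the second peer's successful rekey is invented for contrast.

```python
import re

# Constructed sample log, modelled on the pluto/l2tpd/pppd lines in the post
# above. Addresses are documentation-range placeholders; the second peer's
# successful rekey is made up so the script has a negative case to compare.
SAMPLE_LOG = """\
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 203.0.113.7 #26: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #22 {using isakmp#21}
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 203.0.113.7: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 203.0.113.7 #21: received and ignored informational message
Aug 13 12:08:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 58
Aug 13 12:08:56 Orione pluto[8493]: "I-hate-vpn"[3] 203.0.113.7 #26: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 13 12:12:16 Orione pluto[8493]: "I-hate-vpn"[3] 203.0.113.7 #22: IPsec SA expired (LATEST!)
Aug 13 12:12:21 Orione l2tpd[8649]: control_xmit: Maximum retries exceeded for tunnel 35656. Closing.
Aug 13 12:12:21 Orione pppd[15706]: Connect time 60.1 minutes.
Aug 13 12:30:00 Orione pluto[8493]: "I-hate-vpn"[4] 198.51.100.9 #30: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #27 {using isakmp#25}
Aug 13 12:30:01 Orione pluto[8493]: "I-hate-vpn"[4] 198.51.100.9 #30: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0a0b0c0d <0x01020304 xfrm=3DES_0-HMAC_MD5 NATD=198.51.100.9:4500 DPD=none}
"""

# Classic syslog prefix: timestamp, host, program[pid]: message
SYSLOG_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# pluto prefixes per-connection messages with "conn"[instance] peer [#state]:
PLUTO_MSG = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[^\s:]+)'
    r'(?: #(?P<sa>\d+))?: (?P<text>.*)$')
REKEY = re.compile(r'^initiating Quick Mode .* to replace #(?P<old>\d+)')
RETRANS = re.compile(r'^max number of retransmissions \(\d+\) reached STATE_QUICK_I1')
L2TP_TEARDOWN = re.compile(
    r'^control_xmit: Maximum retries exceeded for tunnel (?P<tun>\d+)')


def analyse(log_text):
    """Return (failed/rejected rekeys, l2tpd tunnel teardowns) found in log_text."""
    pending = {}      # (peer, new_sa) -> rekey record still in flight
    findings = []     # rekeys that ended with the old SA expiring
    teardowns = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        prog, msg = m.group('prog'), m.group('msg')
        if prog == 'l2tpd':
            t = L2TP_TEARDOWN.match(msg)
            if t:
                teardowns.append({'ts': m.group('ts'), 'tunnel': int(t.group('tun'))})
            continue
        if prog != 'pluto':
            continue
        pm = PLUTO_MSG.match(msg)
        if not pm:
            continue
        peer, text = pm.group('peer'), pm.group('text')
        sa = int(pm.group('sa')) if pm.group('sa') else None
        r = REKEY.match(text)
        if r and sa is not None:
            pending[(peer, sa)] = {
                'peer': peer, 'new_sa': sa, 'old_sa': int(r.group('old')),
                'started': m.group('ts'), 'rejected': False,
                'retransmissions_exhausted': False, 'old_sa_expired': False,
                'established': False}
            continue
        # The INVALID_ID_INFORMATION line carries no state number, so it is
        # attributed to every rekey in flight for that peer.
        for (p, new_sa), f in list(pending.items()):
            if p != peer:
                continue
            if 'INVALID_ID_INFORMATION' in text:
                f['rejected'] = True
            elif sa == new_sa and RETRANS.match(text):
                f['retransmissions_exhausted'] = True
            elif sa == new_sa and 'IPsec SA established' in text:
                f['established'] = True           # rekey succeeded: drop it
                del pending[(p, new_sa)]
            elif sa == f['old_sa'] and 'IPsec SA expired' in text:
                f['old_sa_expired'] = True        # rekey failed for good
                findings.append(f)
                del pending[(p, new_sa)]
    # Rekeys that were rejected but whose old SA had not expired yet when the
    # log ends are still worth reporting.
    findings.extend(f for f in pending.values()
                    if f['rejected'] or f['retransmissions_exhausted'])
    return findings, teardowns


if __name__ == '__main__':
    failed, torn_down = analyse(SAMPLE_LOG)
    for f in failed:
        print('rekey of #%d by #%d for %s failed (rejected=%s, retrans=%s, expired=%s)'
              % (f['old_sa'], f['new_sa'], f['peer'], f['rejected'],
                 f['retransmissions_exhausted'], f['old_sa_expired']))
    for t in torn_down:
        print('l2tpd closed tunnel %d at %s' % (t['tunnel'], t['ts']))
```

Feed it the output of `grep -E 'pluto|l2tpd' /var/log/messages` and compare the timestamps of the failed rekeys against keylife; a peer that only ever fails at the keylife boundary, while the NATed peer rekeys cleanly, narrows the problem to the Quick Mode proposal that peer sends (or is sent) on rekey rather than to the initial connection.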
----- Original Message -----
From: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
To: <users at openswan.org>
Sent: Friday, August 12, 2005 10:41 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
> Sorry, bad copy & paste...
>
> ----- Original Message -----
> From: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
> To: <users at openswan.org>
> Sent: Friday, August 12, 2005 10:09 PM
> Subject: Re: [Openswan Users] Openswan + L2TP
>
>
>> No way...
>>
>> Aug 12 21:33:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 17
>> Aug 12 21:34:22 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
>> Aug 12 21:34:22 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #1: ignoring informational payload, type INVALID_ID_INFORMATION
>> Aug 12 21:34:22 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #1: received and ignored informational message
>> Aug 12 21:34:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 18
>> Aug 12 21:35:32 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #3: max number of retransmissions (2) reached STATE_QUICK_I1
>> Aug 12 21:35:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 19
>> Aug 12 21:36:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 20
>> Aug 12 21:37:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 21
>> Aug 12 21:38:52 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #2: IPsec SA expired (LATEST!)
>> Aug 12 21:38:52 Orione pluto[578]: ERROR: netlink XFRM_MSG_DELPOLICY response for flow int.0 at 0.0.0.0 included errno 2: No such file or directory
>> Aug 12 21:38:57 Orione l2tpd[741]: control_xmit: Maximum retries exceeded for tunnel 15618. Closing.
>> Aug 12 21:38:57 Orione pppd[759]: Terminating on signal 15.
>> Aug 12 21:38:57 Orione pppd[759]: Modem hangup
>> Aug 12 21:38:57 Orione pppd[759]: Script /etc/ppp/ip-down started (pid 1265)
>> Aug 12 21:38:57 Orione pppd[759]: Connection terminated.
>> Aug 12 21:38:57 Orione pppd[759]: Connect time 20.1 minutes.
>> Aug 12 21:38:57 Orione pppd[759]: Sent 1443370 bytes, received 240363 bytes.
>> Aug 12 21:38:57 Orione pppd[759]: Waiting for 1 child processes...
>> Aug 12 21:38:57 Orione pppd[759]: script /etc/ppp/ip-down, pid 1265
>> Aug 12 21:38:57 Orione pppd[759]: Script /etc/ppp/ip-down finished (pid 1265), status = 0x1
>> Aug 12 21:38:57 Orione pppd[759]: Connect time 20.1 minutes.
>> Aug 12 21:38:57 Orione pppd[759]: Sent 1443370 bytes, received 240363 bytes.
>> Aug 12 21:38:57 Orione pppd[759]: Exit.
>> Aug 12 21:38:57 Orione l2tpd[741]: call_close : Connection 35 closed to 213.xxx.xxx.xxx, port 1701 (Timeout)
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: responding to Quick Mode {msgid:d8b310cb}
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>> Aug 12 21:39:00 Orione l2tpd[741]: get_call: can't find call 61015 in tunnel 15618
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xaf5681fa <0xc5e76fa8 xfrm=3DES_0-HMAC_MD5 NATD=213.xxx.xxx.xxx:25272 DPD=none}
>> Aug 12 21:39:01 Orione l2tpd[741]: get_call: can't find call 61015 in tunnel 15618
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "Jacco de Leeuw" <jacco2 at dds.nl>
>> To: <users at openswan.org>
>> Sent: Friday, August 12, 2005 9:39 PM
>> Subject: Re: [Openswan Users] Openswan + L2TP
>>
>>
>>> Marcos Ferreira da Silva wrote:
>>>
>>>> Could I run a script when the client connect and get the IP?
>>>
>>> Well, there's the /etc/ppp/ip-up script (man pppd)...
>>>
>>>> /usr/sbin/pppd: The remote system is required to authenticate itself
>>>> /usr/sbin/pppd: but I couldn't find any suitable secret (password) for
>>>> it to use to do so.
>>>> /usr/sbin/pppd: (None of the available passwords would let it use an IP
>>>> address.)
>>>>
>>>> /etc/ppp/chap-secrets
>>>> * markin "teste" 192.168.99.130
>>>> markin * "teste" 192.168.99.130
>>>
>>> Perhaps 192.168.99.130 is not within the 'ip range'
>>> in l2tpd.conf? Or you configured a static virtual IP
>>> address on the client which is not 192.168.99.130?
>>>
>>> Jacco
>>> --
>>> Jacco de Leeuw mailto:jacco2 at dds.nl
>>> Zaandam, The Netherlands http://www.jacco2.dds.nl
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>>>
>>
>
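Jacco's two suggestions in the quoted reply (the address in chap-secrets is outside l2tpd's "ip range", or the client asked for a different static address than the one the chap-secrets entry permits) can be checked mechanically before restarting pppd with debug on. The script below is an added example, not code from the thread or from pppd/l2tpd. It parses the two chap-secrets lines Marcos quoted and a constructed l2tpd.conf whose [lns default] section and "ip range" value are assumptions; the handling of the fourth chap-secrets column ("*", "-", comma-separated addresses, "!" negation, CIDR suffix) follows pppd's documented ipaddrs semantics and is the script's own interpretation, not pppd's code.

```python
import ipaddress
import re
import shlex

# Constructed input: the chap-secrets entries quoted in the thread, plus a
# hypothetical l2tpd.conf (the ip range value is an assumption).
CHAP_SECRETS = '''\
# client    server  secret  IP addresses
*           markin  "teste" 192.168.99.130
markin      *       "teste" 192.168.99.130
'''

L2TPD_CONF = '''\
[global]
port = 1701
[lns default]
ip range = 192.168.99.128-192.168.99.254
local ip = 192.168.99.1
require chap = yes
'''


def parse_chap_secrets(text):
    """Split chap-secrets into client/server/secret/ipaddrs records."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)   # honours the quoted secret
        if len(fields) < 3:
            continue
        client, server, secret = fields[:3]
        addrs = fields[3] if len(fields) > 3 else '*'
        entries.append({'client': client, 'server': server,
                        'secret': secret, 'addrs': addrs})
    return entries


def address_allowed(addrs, ip):
    """Apply the ipaddrs column (fourth field) to a requested address."""
    ip = ipaddress.ip_address(ip)
    if addrs == '*':
        return True            # any address acceptable
    if addrs == '-':
        return False           # peer may not use any address
    allowed = False
    for item in addrs.split(','):
        item = item.strip()
        negate = item.startswith('!')
        net = ipaddress.ip_network(item.lstrip('!'), strict=False)
        if ip in net:
            if negate:
                return False   # explicitly excluded
            allowed = True
    return allowed


def parse_ip_range(conf_text, section='lns default'):
    """Return [(low, high), ...] from the 'ip range' keys of one section."""
    current, ranges = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        head = re.match(r'^\[(.+)\]$', line)
        if head:
            current = head.group(1).strip()
            continue
        if current != section or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        if key == 'ip range':
            for part in value.split(','):
                lo, _, hi = part.strip().partition('-')
                ranges.append((ipaddress.ip_address(lo),
                               ipaddress.ip_address(hi or lo)))
    return ranges


def in_ip_range(ranges, ip):
    ip = ipaddress.ip_address(ip)
    return any(lo <= ip <= hi for lo, hi in ranges)


def check_peer(client, server, ip, chap_text=CHAP_SECRETS, conf_text=L2TPD_CONF):
    """Explain why pppd/l2tpd would refuse to give `ip` to `client`, or 'ok'."""
    matches = [e for e in parse_chap_secrets(chap_text)
               if e['client'] in ('*', client) and e['server'] in ('*', server)]
    if not matches:
        return 'no chap-secrets entry matches client/server'
    if not any(address_allowed(e['addrs'], ip) for e in matches):
        return 'chap-secrets entry found but its ipaddrs field does not permit ' + ip
    if not in_ip_range(parse_ip_range(conf_text), ip):
        return ip + ' is outside the l2tpd "ip range"'
    return 'ok'


if __name__ == '__main__':
    for addr in ('192.168.99.130', '192.168.99.10'):
        print(addr, '->', check_peer('markin', 'orione', addr))
```

The order of the checks mirrors where each failure surfaces: a missing entry or a disallowed ipaddrs value produces pppd's "couldn't find any suitable secret ... None of the available passwords would let it use an IP address", whereas an address outside "ip range" is l2tpd's business and never reaches the CHAP stage.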