[Openswan Users] L2TP/IPsec with double NAT

Stefano Pazzaglia stefano.pazzaglia at fastwebnet.it
Sat Aug 13 14:04:39 CEST 2005


Some good news: the connection between a natted client and a natted server seems 
to hold, but if another (not natted) client tries to connect to openswan at the 
same time, after an hour the error message attached below occurs, while the 
natted client doesn't lose its connection. This is my ipsec.conf


version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:37.xxx.xxx.0/21,%v4:!192.168.0.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        ikelifetime=120m
        keylife=60m


conn I-hate-vpn
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/1701
        rightid=
        leftid=
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

And the error message for the 2nd client...

Aug 13 12:07:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 57
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #26: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #22 {using isakmp#21}
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #21: received and ignored informational message
Aug 13 12:08:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 525
Aug 13 12:08:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 58
Aug 13 12:08:56 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #26: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 13 12:09:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 526
Aug 13 12:09:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 59
Aug 13 12:10:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 527
Aug 13 12:10:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 60
Aug 13 12:11:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 528
Aug 13 12:11:16 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 4, Nr = 61
Aug 13 12:12:09 Orione l2tpd[8649]: check_control: control, cid = 0, Ns = 5, Nr = 529
Aug 13 12:12:16 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #22: IPsec SA expired (LATEST!)
Aug 13 12:12:16 Orione pluto[8493]: ERROR: netlink XFRM_MSG_DELPOLICY response for flow int.0 at 0.0.0.0 included errno 2: No such file or directory
Aug 13 12:12:21 Orione l2tpd[8649]: control_xmit: Maximum retries exceeded for tunnel 35656.  Closing.
Aug 13 12:12:21 Orione pppd[15706]: Terminating on signal 15.
Aug 13 12:12:21 Orione pppd[15706]: Modem hangup
Aug 13 12:12:21 Orione pppd[15706]: Script /etc/ppp/ip-down started (pid 16788)
Aug 13 12:12:21 Orione pppd[15706]: Connection terminated.
Aug 13 12:12:21 Orione pppd[15706]: Connect time 60.1 minutes.
Aug 13 12:12:21 Orione pppd[15706]: Sent 4039153 bytes, received 1695432 bytes.
Aug 13 12:12:21 Orione pppd[15706]: Waiting for 1 child processes...
Aug 13 12:12:21 Orione pppd[15706]:   script /etc/ppp/ip-down, pid 16788
Aug 13 12:12:21 Orione pppd[15706]: Script /etc/ppp/ip-down finished (pid 16788), status = 0x1
Aug 13 12:12:21 Orione pppd[15706]: Connect time 60.1 minutes.
Aug 13 12:12:21 Orione pppd[15706]: Sent 4039153 bytes, received 1695432 bytes.
Aug 13 12:12:21 Orione pppd[15706]: Exit.


----- Original Message ----- 
From: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
To: <users at openswan.org>
Sent: Friday, August 12, 2005 10:41 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT


> Sorry, bad copy & paste...
>
> ----- Original Message ----- 
> From: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
> To: <users at openswan.org>
> Sent: Friday, August 12, 2005 10:09 PM
> Subject: Re: [Openswan Users] Openswan + L2TP
>
>
>> No way...
>>
>> Aug 12 21:33:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 17
>> Aug 12 21:34:22 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
>> Aug 12 21:34:22 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #1: ignoring informational payload, type INVALID_ID_INFORMATION
>> Aug 12 21:34:22 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #1: received and ignored informational message
>> Aug 12 21:34:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 18
>> Aug 12 21:35:32 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #3: max number of retransmissions (2) reached STATE_QUICK_I1
>> Aug 12 21:35:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 19
>> Aug 12 21:36:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 20
>> Aug 12 21:37:52 Orione l2tpd[741]: check_control: control, cid = 0, Ns = 4, Nr = 21
>> Aug 12 21:38:52 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #2: IPsec SA expired (LATEST!)
>> Aug 12 21:38:52 Orione pluto[578]: ERROR: netlink XFRM_MSG_DELPOLICY response for flow int.0 at 0.0.0.0 included errno 2: No such file or directory
>> Aug 12 21:38:57 Orione l2tpd[741]: control_xmit: Maximum retries exceeded for tunnel 15618.  Closing.
>> Aug 12 21:38:57 Orione pppd[759]: Terminating on signal 15.
>> Aug 12 21:38:57 Orione pppd[759]: Modem hangup
>> Aug 12 21:38:57 Orione pppd[759]: Script /etc/ppp/ip-down started (pid 1265)
>> Aug 12 21:38:57 Orione pppd[759]: Connection terminated.
>> Aug 12 21:38:57 Orione pppd[759]: Connect time 20.1 minutes.
>> Aug 12 21:38:57 Orione pppd[759]: Sent 1443370 bytes, received 240363 bytes.
>> Aug 12 21:38:57 Orione pppd[759]: Waiting for 1 child processes...
>> Aug 12 21:38:57 Orione pppd[759]:   script /etc/ppp/ip-down, pid 1265
>> Aug 12 21:38:57 Orione pppd[759]: Script /etc/ppp/ip-down finished (pid 1265), status = 0x1
>> Aug 12 21:38:57 Orione pppd[759]: Connect time 20.1 minutes.
>> Aug 12 21:38:57 Orione pppd[759]: Sent 1443370 bytes, received 240363 bytes.
>> Aug 12 21:38:57 Orione pppd[759]: Exit.
>> Aug 12 21:38:57 Orione l2tpd[741]: call_close : Connection 35 closed to 213.xxx.xxx.xxx, port 1701 (Timeout)
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: responding to Quick Mode {msgid:d8b310cb}
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>> Aug 12 21:39:00 Orione l2tpd[741]: get_call: can't find call 61015 in tunnel 15618
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> Aug 12 21:39:00 Orione pluto[578]: "I-hate-vpn"[2] 213.xxx.xxx.xxx #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xaf5681fa <0xc5e76fa8 xfrm=3DES_0-HMAC_MD5 NATD=213.xxx.xxx.xxx:25272 DPD=none}
>> Aug 12 21:39:01 Orione l2tpd[741]: get_call: can't find call 61015 in tunnel 15618
>>
>>
>>
>>
>> ----- Original Message ----- 
>> From: "Jacco de Leeuw" <jacco2 at dds.nl>
>> To: <users at openswan.org>
>> Sent: Friday, August 12, 2005 9:39 PM
>> Subject: Re: [Openswan Users] Openswan + L2TP
>>
>>
>>> Marcos Ferreira da Silva wrote:
>>>
>>>> Could I run a script when the client connect and get the IP?
>>>
>>> Well, there's the /etc/ppp/ip-up script (man pppd)...
>>>
>>>> /usr/sbin/pppd: The remote system is required to authenticate itself
>>>> /usr/sbin/pppd: but I couldn't find any suitable secret (password) for
>>>> it to use to do so.
>>>> /usr/sbin/pppd: (None of the available passwords would let it use an IP
>>>> address.)
>>>>
>>>> /etc/ppp/chap-secrets
>>>> *       markin  "teste" 192.168.99.130
>>>> markin  *       "teste" 192.168.99.130
>>>
>>> Perhaps 192.168.99.130 is not within the 'ip range'
>>> in l2tpd.conf? Or you configured a static virtual IP
>>> address on the client which is not 192.168.99.130?
>>>
>>> Jacco
>>> -- 
>>> Jacco de Leeuw                         mailto:jacco2 at dds.nl
>>> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>>>
>>
>
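A defender-side check on the pluto lines in the message above, added here as an example and not part of the original thread: it walks syslog lines and reports an IPsec SA that expired after its replacement Quick Mode exchange hit the retransmission limit (the "#26 ... to replace #22" sequence, then "max number of retransmissions", then "IPsec SA expired"), and notes whether the peer sent INVALID_ID_INFORMATION in between. The sample log is constructed to mirror the message's lines, with the peer address masked as in the post.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the message
# (peer address masked as in the post); each entry is one syslog line.
SAMPLE_LOG = [
    'Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #26: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #22 {using isakmp#21}',
    'Aug 13 12:07:46 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx: ignoring informational payload, type INVALID_ID_INFORMATION',
    'Aug 13 12:08:56 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #26: max number of retransmissions (2) reached STATE_QUICK_I1',
    'Aug 13 12:12:16 Orione pluto[8493]: "I-hate-vpn"[3] 83.xxx.xxx.xxx #22: IPsec SA expired (LATEST!)',
]

# Pluto's connection-scoped lines: "conn"[instance] peer [#sa]: message
PLUTO_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+?)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
REPLACE = re.compile(r'initiating Quick Mode .* to replace #(?P<old>\d+)')


def find_failed_rekeys(lines):
    """Return one finding per IPsec SA that expired after the Quick Mode
    meant to replace it gave up on retransmissions.  A rekey that reaches
    'IPsec SA established' clears the pending entry, so the old SA's later
    expiry is then treated as expected and produces no finding."""
    pending = {}   # new SA number -> (old SA number, conn, peer)
    failed = {}    # old SA number -> (new SA number, conn, peer)
    hints = set()  # (conn, peer) pairs that sent INVALID_ID_INFORMATION
    findings = []
    for line in lines:
        m = PLUTO_LINE.match(line)
        if not m:
            continue
        conn, peer, sa, msg = m['conn'], m['peer'], m['sa'], m['msg']
        r = REPLACE.search(msg)
        if r and sa:
            pending[sa] = (r['old'], conn, peer)
        elif 'INVALID_ID_INFORMATION' in msg:
            hints.add((conn, peer))
        elif 'IPsec SA established' in msg and sa in pending:
            pending.pop(sa)                      # rekey succeeded
        elif 'max number of retransmissions' in msg and sa in pending:
            old, conn, peer = pending.pop(sa)
            failed[old] = (sa, conn, peer)       # rekey gave up
        elif 'IPsec SA expired' in msg and sa in failed:
            new, conn, peer = failed.pop(sa)
            findings.append({
                'ts': m['ts'], 'conn': conn, 'peer': peer,
                'expired_sa': sa, 'failed_replacement': new,
                'peer_rejected_id': (conn, peer) in hints,
            })
    return findings
```

Run over the thread's own log, the single finding ties the expiry of #22 to the failed #26 rekey and flags the INVALID_ID_INFORMATION hint, which is what to correlate with the keylife=60m setting and the 60.1 minute pppd connect time.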


