[Openswan Users] Connectivity problem...
Yiannis Mavroukakis
yiannis at jaguarfreight.com
Tue Aug 30 12:09:49 CEST 2005
I'm banging my head against a brick wall here, so any help will be
appreciated...
I've got the exact same setup to work on my home server, so I tried to
copy it onto our office firewall, so I can establish a roadwarrior
setup... Needless to say it didn't work as expected :)
Here is the log extract
============
Aug 29 09:37:43 firewall ipsec__plutorun: Starting Pluto subsystem...
Aug 29 09:37:43 firewall pluto[29266]: Starting Pluto (Openswan Version
2.4.0rc1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OEEF^^MBhKKT)
Aug 29 09:37:43 firewall pluto[29266]: Setting NAT-Traversal port-4500
floating to on
Aug 29 09:37:43 firewall pluto[29266]: port floating activation
criteria nat_t=1/port_fload=1
Aug 29 09:37:43 firewall pluto[29266]: including NAT-Traversal patch
(Version 0.6c)
Aug 29 09:37:43 firewall pluto[29266]: 1 bad entries in virtual_private
- none loaded
Aug 29 09:37:43 firewall pluto[29266]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 29 09:37:43 firewall pluto[29266]: starting up 1 cryptographic
helpers
Aug 29 09:37:43 firewall pluto[29266]: started helper pid=29277 (fd:6)
Aug 29 09:37:43 firewall pluto[29266]: Using Linux 2.6 IPsec interface
code on 2.6.11-mm4
Aug 29 09:37:43 firewall pluto[29266]: Changing to directory
'/etc/ipsec.d/cacerts'
Aug 29 09:37:43 firewall pluto[29266]: loaded CA cert file
'cacert.pem' (1367 bytes)
Aug 29 09:37:43 firewall pluto[29266]: Changing to directory
'/etc/ipsec.d/aacerts'
Aug 29 09:37:43 firewall pluto[29266]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Aug 29 09:37:43 firewall pluto[29266]: Changing to directory
'/etc/ipsec.d/crls'
Aug 29 09:37:43 firewall pluto[29266]: loaded crl file 'crl.pem' (536
bytes)
Aug 29 09:37:44 firewall pluto[29266]: loaded host cert file
'/etc/ipsec.d/certs/chandra.pem' (3760 bytes)
Aug 29 09:37:44 firewall pluto[29266]: added connection description
"roadwarrior-l2tp"
Aug 29 09:37:44 firewall pluto[29266]: loaded host cert file
'/etc/ipsec.d/certs/chandra.pem' (3760 bytes)
Aug 29 09:37:44 firewall pluto[29266]: added connection description
"roadwarrior"
Aug 29 09:37:44 firewall pluto[29266]: loaded host cert file
'/etc/ipsec.d/certs/chandra.pem' (3760 bytes)
Aug 29 09:37:44 firewall pluto[29266]: added connection description
"roadwarrior-l2tp-updatedwin"
Aug 29 09:37:44 firewall pluto[29266]: listening for IKE messages
Aug 29 09:37:44 firewall pluto[29266]: adding interface lo/lo
127.0.0.1:500
Aug 29 09:37:44 firewall pluto[29266]: adding interface lo/lo
127.0.0.1:4500
Aug 29 09:37:44 firewall pluto[29266]: adding interface eth1/eth1
192.168.5.1:500
Aug 29 09:37:44 firewall pluto[29266]: adding interface eth1/eth1
192.168.5.1:4500
Aug 29 09:37:44 firewall pluto[29266]: adding interface eth0:0/eth0:0
217.x.x.82:500
Aug 29 09:37:44 firewall pluto[29266]: adding interface eth0:0/eth0:0
217.x.x.82:4500
Aug 29 09:37:44 firewall pluto[29266]: adding interface eth0/eth0
217.x.x.83:500
Aug 29 09:37:44 firewall pluto[29266]: adding interface eth0/eth0
217.x.x.83:4500
Aug 29 09:37:44 firewall pluto[29266]: loading secrets from
"/etc/ipsec.secrets"
Aug 29 09:37:44 firewall pluto[29266]: loaded private key file
'/etc/ipsec.d/private/chandra.key' (1655 bytes)
Aug 29 09:38:07 firewall pluto[29266]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 29 09:38:07 firewall pluto[29266]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug 29 09:38:07 firewall pluto[29266]: packet from 83.x.x.241:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Aug 29 09:38:07 firewall pluto[29266]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 29 09:38:07 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: responding to Main Mode from unknown peer 83.x.x.241
Aug 29 09:38:07 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 29 09:38:07 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is NATed
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=London, L=London,
O=My Company, CN=Dummy User, E=dummy at jaguarfreight.com'
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[1] 83.x.x.241
#1: crl update for "C=UK, ST=London, L=London, O=My Company, OU=IT,
CN=Jaguar Freight, E=administrator at jaguarfreight.com" is overdue since
Aug 04 12:34:52 UTC 2005
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: deleting connection "roadwarrior-l2tp" instance with peer 83.x.x.241
{isakmp=#0/ipsec=#0}
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: I am sending my cert
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 29 09:38:08 firewall pluto[29266]: | NAT-T: new mapping
83.x.x.241:500/4500)
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 29 09:38:08 firewall pluto[29266]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #2: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: responding to Quick Mode {msgid:b299127b}
Aug 29 09:38:08 firewall pluto[29266]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #2: netlink write() of XFRM_MSG_UPDSA message for Add SA
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 29 09:38:09 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: next payload type of ISAKMP Hash Payload has an unknown value: 180
Aug 29 09:38:09 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: malformed payload in packet
Aug 29 09:38:09 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 29 09:38:11 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: next payload type of ISAKMP Hash Payload has an unknown value: 180
Aug 29 09:38:11 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: malformed payload in packet
Aug 29 09:38:11 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#2: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 29 09:38:15 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#1: received Delete SA payload: deleting ISAKMP State #1
Aug 29 09:38:15 firewall pluto[29266]: packet from 83.x.x.241:4500:
received and ignored informational message
Aug 29 09:39:53 firewall pluto[29266]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 29 09:39:53 firewall pluto[29266]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug 29 09:39:53 firewall pluto[29266]: packet from 83.x.x.241:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Aug 29 09:39:53 firewall pluto[29266]: packet from 83.x.x.241:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: responding to Main Mode from unknown peer 83.x.x.241
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is NATed
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=London, L=London,
O=My Company, CN=Dummy User, E=dummy at jaguarfreight.com'
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: crl update for "C=UK, ST=London, L=London, O=My Company, OU=IT,
CN=Jaguar Freight, E=administrator at jaguarfreight.com" is overdue since
Aug 04 12:34:52 UTC 2005
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: I am sending my cert
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 29 09:39:53 firewall pluto[29266]: | NAT-T: new mapping
83.x.x.241:500/4500)
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 29 09:39:53 firewall pluto[29266]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #4: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 29 09:39:53 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: responding to Quick Mode {msgid:6e24dca2}
Aug 29 09:39:53 firewall pluto[29266]: ERROR: "roadwarrior-l2tp"[2]
83.x.x.241 #4: netlink write() of XFRM_MSG_UPDSA message for Add SA
esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 29 09:39:54 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: next payload type of ISAKMP Hash Payload has an unknown value: 235
Aug 29 09:39:54 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: malformed payload in packet
Aug 29 09:39:54 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 29 09:39:56 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: next payload type of ISAKMP Hash Payload has an unknown value: 235
Aug 29 09:39:56 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: malformed payload in packet
Aug 29 09:39:56 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 29 09:40:00 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: next payload type of ISAKMP Hash Payload has an unknown value: 235
Aug 29 09:40:00 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: malformed payload in packet
Aug 29 09:40:00 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 29 09:40:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: next payload type of ISAKMP Hash Payload has an unknown value: 235
Aug 29 09:40:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: malformed payload in packet
Aug 29 09:40:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#4: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
Aug 29 09:40:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241
#3: received Delete SA payload: deleting ISAKMP State #3
Aug 29 09:40:08 firewall pluto[29266]: packet from 83.x.x.241:4500:
received and ignored informational message
Aug 29 09:40:51 firewall pluto[29266]: shutting down
Aug 29 09:40:51 firewall pluto[29266]: forgetting secrets
Aug 29 09:40:51 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241:
deleting connection "roadwarrior-l2tp" instance with peer 83.x.x.241
{isakmp=#0/ipsec=#0}
Aug 29 09:40:51 firewall pluto[29266]: "roadwarrior-l2tp" #4: deleting
state (STATE_QUICK_R0)
Aug 29 09:40:51 firewall pluto[29266]: "roadwarrior-l2tp" #2: deleting
state (STATE_QUICK_R0)
Aug 29 09:40:51 firewall pluto[29266]: "roadwarrior-l2tp-updatedwin":
deleting connection
Aug 29 09:40:51 firewall pluto[29266]: "roadwarrior": deleting
connection
Aug 29 09:40:51 firewall pluto[29266]: "roadwarrior-l2tp": deleting
connection
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface eth0/eth0
217.x.x.83:4500
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface eth0/eth0
217.x.x.83:500
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface
eth0:0/eth0:0 217.x.x.82:4500
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface
eth0:0/eth0:0 217.x.x.82:500
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface eth1/eth1
192.168.5.1:4500
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface eth1/eth1
192.168.5.1:500
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface lo/lo
127.0.0.1:4500
Aug 29 09:40:51 firewall pluto[29266]: shutting down interface lo/lo
127.0.0.1
===========================
There shouldn't be anything stopping packets coming through... The server
has two outside-world IPs; as you can see, one of them is bound
on a virtual interface. Some traffic to/from that IP is DNAT'ed/SNAT'ed.
Any ideas? If you need more info, just let me know.
Thanks!
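A small triage script for the log above, added here as an example (not code from the original post or from Openswan): it parses the pluto lines, records which SA numbers reached Phase 1 (ISAKMP SA established) and Phase 2 (Quick Mode), and pulls out the `netlink write()` ERROR lines, so the failure can be placed by phase instead of read line by line. The sample input is a handful of lines from the post, re-joined onto single lines; the function and result names are my own.

```python
import re
# Constructed sample: pluto lines from the log above, re-joined onto single lines.
SAMPLE_LOG = """\
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 29 09:38:08 firewall pluto[29266]: ERROR: "roadwarrior-l2tp"[2] 83.x.x.241 #2: netlink write() of XFRM_MSG_ALLOCSPI message for Get SPI esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 29 09:38:08 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241 #2: responding to Quick Mode {msgid:b299127b}
Aug 29 09:38:08 firewall pluto[29266]: ERROR: "roadwarrior-l2tp"[2] 83.x.x.241 #2: netlink write() of XFRM_MSG_UPDSA message for Add SA esp.0 at 217.x.x.83 failed. Errno 111: Connection refused
Aug 29 09:38:09 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241 #2: next payload type of ISAKMP Hash Payload has an unknown value: 180
Aug 29 09:38:09 firewall pluto[29266]: "roadwarrior-l2tp"[2] 83.x.x.241 #2: sending notification PAYLOAD_MALFORMED to 83.x.x.241:4500
"""

# Optional "ERROR: " prefix, quoted connection name, optional [instance], peer, SA number, text.
LINE_RE = re.compile(
    r'pluto\[\d+\]: (?P<err>ERROR: )?"(?P<conn>[^"]+)"(?:\[\d+\])? '
    r'(?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
NETLINK_RE = re.compile(r'netlink write\(\) of (?P<type>XFRM_MSG_\w+) .*Errno (?P<errno>\d+)')

def triage(log_text):
    """Per-SA phase reached, plus kernel (XFRM) SA-install failures."""
    result = {
        "isakmp_established": set(),   # SA numbers with a Phase 1 SA
        "quick_mode_started": set(),   # SA numbers that reached Phase 2
        "netlink_errors": [],          # (sa, XFRM message type, errno)
        "malformed_payloads": 0,       # PAYLOAD_MALFORMED notifications sent
    }
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue   # startup, interface and "| NAT-T" lines carry no SA number
        sa, msg = int(m.group("sa")), m.group("msg")
        if "ISAKMP SA established" in msg:
            result["isakmp_established"].add(sa)
        elif msg.startswith("responding to Quick Mode"):
            result["quick_mode_started"].add(sa)
        elif "PAYLOAD_MALFORMED" in msg:
            result["malformed_payloads"] += 1
        nl = NETLINK_RE.search(msg)
        if m.group("err") and nl:
            result["netlink_errors"].append((sa, nl.group("type"), int(nl.group("errno"))))
    return result

def verdict(summary):
    if not summary["isakmp_established"]:
        return "phase1-failed"
    if summary["netlink_errors"]:
        # IKE Phase 1 completed; pluto then failed writing the ESP SA to the kernel.
        return "phase2-kernel-sa-install-failed"
    return "ok"
```

On the log in this post the verdict is `phase2-kernel-sa-install-failed`: the ISAKMP SA was established, and both XFRM writes for the ESP SA returned Errno 111, which points at the firewall host's kernel IPsec interface rather than at the peer or at NAT.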