[Openswan Users] winxp behind on server behind nat patch

Bernd Galonska B.Galonska at fhr.de
Thu Feb 24 10:14:28 CET 2005

To connect Win2k/WinXP with L2TP over IPsec to an openswan/strongswan server
behind NAT is impossible. There are two reasons: one on the openswan/strongswan side
and the other on the Windows side. I have a patch to solve this problem.

The scenario is

winXp             ===>   nat-router  -------  nat-router   ===>   server
private address          public address       public address      private address

After you get the message "sent MR3, ISAKMP SA established" you will get the
error message

pluto[22440]: "roadwarrior-l2tp"[4] #3: cannot respond to
IPsec SA request because no connection is known for[C=DE, O=testvpn, OU=testgw,
CN=testgw]:17/1701...[C=DE, O=testvpn, OU=testgw,

The reason is that in response to the quick mode 1 message it is looking for
another connection:

    /* Now that we have identities of client subnets, we must look for
     * a suitable connection (our current one only matches for hosts).
But in transport mode it's not necessary because we only connect hosts. The
first part of the patch makes it possible to use the old connection in
transport mode with NAT.

After this you will get the error message on the Windows side because Windows
cannot handle the NAT-OA payload in the response to quick mode:

  2-22: 10:11:27:152:32c Receive: (get) SA = 0x000fc738 from
 2-22: 10:11:27:152:32c ISAKMP Header: (V1.0), len = 180
 2-22: 10:11:27:152:32c   I-COOKIE edde624a8f662b24
 2-22: 10:11:27:152:32c   R-COOKIE 6d0aaeb755ae733d
 2-22: 10:11:27:152:32c   exchange: Oakley Quick Mode
 2-22: 10:11:27:152:32c   flags: 1 ( encrypted )
 2-22: 10:11:27:152:32c   next payload: HASH
 2-22: 10:11:27:152:32c   message ID: 06076b9b
 2-22: 10:11:27:152:32c processing HASH (QM)
 2-22: 10:11:27:152:32c QM Hash failed
 2-22: 10:11:27:152:32c Datenschutzmodus (Schnellmodus)
 2-22: 10:11:27:152:32c Quell-IP-Adresse
Quell-IP-Adressmaske  Ziel-IP-Adresse
Ziel-IP-Adressmaske  Protokoll 17  Quellport 1701  Zielport
1701  Lokale IKE-Adresse  Peer-IKE-Adresse
 2-22: 10:11:27:152:32c Zertifikatsbasierte Identität.   Peerantragsteller
C=DE, O=testvpn, OU=testgw, CN=testgw  Peer-SHA-Fingerabdruck
7f0b85fe95961ddc61d609429ba5b89b40514882  Peer, der die
Zertifizierungsstelle ausstellt: C=DE, O=testvpn, CN=testca
Stammzertifizierungsstelle C=DE, O=testvpn, CN=testca  Eigener Antragsteller
C=DE, O=testvpn, OU=testgw, CN=testgw  Eigener SHA-Fingerabdruck
7f0b85fe95961ddc61d609429ba5b89b40514882  Peer-IP-Adresse:
 2-22: 10:11:27:152:32c Benutzer
 2-22: 10:11:27:152:32c Fehler beim Bearbeiten des Hashaufkommens.
 2-22: 10:11:27:152:32c 0x0 0x0

So I have disabled this in the second part of the patch.
But now we are not conformant with RFC 3947 !!!!

Has anyone an idea how we can turn on and off the sending of the NAT-OA payload
depending on the connection partner (vendor ID MS), or should there be a
switch in ipsec.conf ???

Here is the patch

Snip -----------------------------------------

--- programs/pluto/ipsec_doi.c.pre	2005-02-22 17:03:39.000000000 +0000
+++ programs/pluto/ipsec_doi.c	2005-02-22 16:57:20.000000000 +0000
@@ -4552,6 +4552,19 @@
 	struct connection *p = find_client_connection(c
 	    , our_net, his_net, b->my.proto, b->my.port, b->his.proto,

+    if( (p1st->nat_traversal & NAT_T_DETECTED)
+    	&& !(p1st->st_policy & POLICY_TUNNEL)
+    	&& (p1st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+	&& (p == NULL) )
+        {
+          p = c;
+          DBG(DBG_CONTROL, DBG_log("using old for transport mod  connection
\"%s\"", p->name));
+        }
+  #endif
 	if (p == NULL)
 	    /* This message occurs in very puzzling circumstances
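Review bot: the added `+  #endif` has no matching `#if`/`#ifdef` anywhere in the added lines, so the file will not preprocess as posted; either the opening `#ifdef` (presumably around NAT_TRAVERSAL) was dropped from the patch or the `#endif` should be removed. The fallback `p = c;` also skips the client-connection lookup for every NAT-T transport-mode peer, so it should additionally check that `our_net`/`his_net` are single hosts before reusing the phase 1 connection, otherwise a proposal carrying a subnet would be accepted under a connection that only matches hosts. Minor: the `DBG_log` string is split across two lines (mail wrapping?) and reads "transport mod"; it should be one line and "transport mode", and the new block should use tabs like the surrounding code.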
@@ -4850,16 +4863,16 @@

-	if ((st->nat_traversal & NAT_T_WITH_NATOA)
+/*	if ((st->nat_traversal & NAT_T_WITH_NATOA)
 	&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
 	&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
-	    /** Send NAT-OA if our address is NATed and if we use Transport Mode
+	    // ** Send NAT-OA if our address is NATed and if we use Transport Mode
 	    if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &md->rbody, md->st))
-	}
+	}*/
 	if ((st->nat_traversal & NAT_T_DETECTED)
 	&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)
 	&& (c->spd.that.has_client))
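Review bot: commenting out the whole NAT-OA block drops the payload for every peer, not only for the Windows client that cannot handle it, which is the RFC 3947 regression the author already points out; rather than a `/* ... */` block (which also forces the inner `/** ... */` comment to become `//` to avoid a nested-comment error), make the call conditional, e.g. `&& !c->natoa_disabled` fed from a per-connection ipsec.conf option, or keyed on the peer's vendor ID recorded in phase 1. Dead code should be deleted, not left commented out, once the switch exists.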


More information about the Users mailing list