[Openswan Users] winxp behind on server behind nat patch
Bernd Galonska
B.Galonska at fhr.de
Thu Feb 24 10:14:28 CET 2005
To connect win2k winxp with l2tp over ipsec to openswan/strongswan a server
behind Nat is impossible. There a to reasons one on openswan/strongswan side
an the other on the windows side. I have a patch to solve this problen
The cenario is
winXp ===> nat-router ------- nat-router ===>
openswan/strongswan
192.168.203.137 192.168.1.2 192.168.1.10
192.168.1.3
private address public address public address
private address
After you get an message sent MR3, ISAKMP SA established you will get the
error message
pluto[22440]: "roadwarrior-l2tp"[4] 192.168.1.2:1024 #3: cannot respond to
IPsec SA request because no connection is known for
192.168.1.10/32===192.168.1.3:4500[C=DE, O=testvpn, OU=testgw,
CN=testgw]:17/1701...192.168.1.2:1024[C=DE, O=testvpn, OU=testgw,
CN=testgw]:17/1701
the reason is that in respons to quick mode 1 message the looking for a
other conectione
/* Now that we have identities of client subnets, we must look for
* a suitable connection (our current one only matches for hosts).
*/
but in transport mode its not nessesery because we only connect hosts. The
first part of the patch make it possible to use the old connection in
transport mode with nat.
after this you will get the errore message on windows side because windows
can not hadel the Nat-OA payload in the respons to quickmode
2-22: 10:11:27:152:32c Receive: (get) SA = 0x000fc738 from
192.168.1.10.4500
2-22: 10:11:27:152:32c ISAKMP Header: (V1.0), len = 180
2-22: 10:11:27:152:32c I-COOKIE edde624a8f662b24
2-22: 10:11:27:152:32c R-COOKIE 6d0aaeb755ae733d
2-22: 10:11:27:152:32c exchange: Oakley Quick Mode
2-22: 10:11:27:152:32c flags: 1 ( encrypted )
2-22: 10:11:27:152:32c next payload: HASH
2-22: 10:11:27:152:32c message ID: 06076b9b
2-22: 10:11:27:152:32c processing HASH (QM)
2-22: 10:11:27:152:32c QM Hash failed
2-22: 10:11:27:152:32c Datenschutzmodus (Schnellmodus)
2-22: 10:11:27:152:32c Quell-IP-Adresse 192.168.203.137
Quell-IP-Adressmaske 255.255.255.255 Ziel-IP-Adresse 192.168.1.10
Ziel-IP-Adressmaske 255.255.255.255 Protokoll 17 Quellport 1701 Zielport
1701 Lokale IKE-Adresse 192.168.203.137 Peer-IKE-Adresse 192.168.1.10
2-22: 10:11:27:152:32c Zertifikatsbasierte Identität. Peerantragsteller
C=DE, O=testvpn, OU=testgw, CN=testgw Peer-SHA-Fingerabdruck
7f0b85fe95961ddc61d609429ba5b89b40514882 Peer, der die
Zertifizierungsstelle ausstellt: C=DE, O=testvpn, CN=testca
Stammzertifizierungsstelle C=DE, O=testvpn, CN=testca Eigener Antragsteller
C=DE, O=testvpn, OU=testgw, CN=testgw Eigener SHA-Fingerabdruck
7f0b85fe95961ddc61d609429ba5b89b40514882 Peer-IP-Adresse: 192.168.1.10
2-22: 10:11:27:152:32c Benutzer
2-22: 10:11:27:152:32c Fehler beim Bearbeiten des Hashaufkommens.
2-22: 10:11:27:152:32c 0x0 0x0
so I have disabled the is in the second part of the patch.
but mow we are now not confirm with rfc3947 !!!!
Has any one an idea how we can turn on and of the sending of Nat-OA payload
depending on the connection partner ( venture ID MS ) or shod there be a
switch in the ipsec.conf ???
Hear is the patch
Schnipp -----------------------------------------
--- programs/pluto/ipsec_doi.c.pre 2005-02-22 17:03:39.000000000 +0000
+++ programs/pluto/ipsec_doi.c 2005-02-22 16:57:20.000000000 +0000
@@ -4552,6 +4552,19 @@
struct connection *p = find_client_connection(c
, our_net, his_net, b->my.proto, b->my.port, b->his.proto,
b->his.port);
+#ifdef NAT_TRAVERSAL
+ #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+ if( (p1st->nat_traversal & NAT_T_DETECTED)
+ && !(p1st->st_policy & POLICY_TUNNEL)
+ && (p1st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ && (p == NULL) )
+ {
+ p = c;
+ DBG(DBG_CONTROL, DBG_log("using old for transport mod connection
\"%s\"", p->name));
+
+ }
+ #endif
+#endif
if (p == NULL)
{
/* This message occurs in very puzzling circumstances
@@ -4850,16 +4863,16 @@
}
#ifdef NAT_TRAVERSAL
- if ((st->nat_traversal & NAT_T_WITH_NATOA)
+/* if ((st->nat_traversal & NAT_T_WITH_NATOA)
&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
{
- /** Send NAT-OA if our address is NATed and if we use Transport Mode
*/
+ // ** Send NAT-OA if our address is NATed and if we use Transport Mode
if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &md->rbody, md->st))
{
return STF_INTERNAL_ERROR;
}
- }
+ }*/
if ((st->nat_traversal & NAT_T_DETECTED)
&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)
&& (c->spd.that.has_client))
Schnapp-----------------------------------------
More information about the Users
mailing list