[Openswan Users] winxp+openswan+nat-t
pcordoba at ggtsolutions.net
Mon Jan 3 18:06:56 CET 2005
Hello,
I have a problem with NAT traversal, Openswan and Windows XP.
I have applied the Windows XP patch for NAT-T.
For the moment, I'm in a lab environment.
My lab setup is this:
XP client ---- Cisco Pix ---- Linux Box --- Internal net
IP addresses:
XP Client    = 192.168.200.154
Cisco PIX    = 192.168.200.159
             = 10.7.3.1
Linux Box    = 10.7.3.10
             = 192.168.200.198 (Cisco PIX is doing static NAT with VPN passthru)
             = 10.69.1.1
Internal net = 10.69.1.0/24
I'm trying to set up an L2TP/IPsec VPN and followed Jacco de Leeuw's instructions:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
I think the problem is on the server side, because I tried another configuration with the client being NATed and the server not, and it worked OK.
Windows Box
Windows XP Professional SP2 with NAT-T Patch
Linux/GNU Server
Debian 3.1 "Sarge"
Linux Openswan U2.2.0/K2.6.8-1-686 (native)
My ipsec.conf is:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug="control"
    plutodebug="control"

conn L2TP-PSK
    authby=secret
    pfs=no
    left=10.7.3.10
    leftnexthop=10.7.3.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    auto=add
    keyingtries=3

include /etc/ipsec.d/examples/no_oe.conf
Log shows the following:
Jan 3 16:31:21 [pluto] | *received 312 bytes from 192.168.200.154:500 on eth0
Jan 3 16:31:21 [pluto] packet from 192.168.200.154:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 3 16:31:21 [pluto] packet from 192.168.200.154:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 3 16:31:21 [pluto] packet from 192.168.200.154:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 3 16:31:21 [pluto] packet from 192.168.200.154:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jan 3 16:31:21 [pluto] | alg_info_addref() alg_info->ref_cnt=4
- Last output repeated twice -
Jan 3 16:31:21 [pluto] | alg_info_addref() alg_info->ref_cnt=5
- Last output repeated twice -
Jan 3 16:31:21 [pluto] | instantiated "L2TP-PSK" for 192.168.200.154
Jan 3 16:31:21 [pluto] | creating state object #2 at 0x80f0ab0
Jan 3 16:31:21 [pluto] | ICOOKIE: 55 86 75 b2 1b 44 79 1c
Jan 3 16:31:21 [pluto] | RCOOKIE: 7e a8 97 59 89 6f 2f df
Jan 3 16:31:21 [pluto] | peer: c0 a8 c8 9a
Jan 3 16:31:21 [pluto] | state hash entry 14
Jan 3 16:31:21 [pluto] | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
Jan 3 16:31:21 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: responding to Main Mode from unknown peer 192.168.200.154
Jan 3 16:31:21 [pluto] | looking for secret for 10.7.3.10->192.168.200.154 of kind PPK_PSK
Jan 3 16:31:21 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: transition from state (null) to state STATE_MAIN_R1
Jan 3 16:31:21 [pluto] | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Jan 3 16:31:21 [pluto] | next event EVENT_NAT_T_KEEPALIVE in 9 seconds
Jan 3 16:31:22 [pluto] |
Jan 3 16:31:22 [pluto] | *received 360 bytes from 192.168.200.154:500 on eth0
Jan 3 16:31:22 [pluto] | ICOOKIE: 55 86 75 b2 1b 44 79 1c
Jan 3 16:31:22 [pluto] | RCOOKIE: 7e a8 97 59 89 6f 2f df
Jan 3 16:31:22 [pluto] | peer: c0 a8 c8 9a
Jan 3 16:31:22 [pluto] | state hash entry 14
Jan 3 16:31:22 [pluto] | peer and cookies match on #2, provided msgid 00000000 vs 00000000
Jan 3 16:31:22 [pluto] | state object #2 found, in STATE_MAIN_R1
Jan 3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 3 16:31:22 [pluto] | looking for secret for 10.7.3.10->192.168.200.154 of kind PPK_PSK
Jan 3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 3 16:31:22 [pluto] | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Jan 3 16:31:22 [pluto] | next event EVENT_NAT_T_KEEPALIVE in 8 seconds
Jan 3 16:31:22 [pluto] |
Jan 3 16:31:22 [pluto] | *received 68 bytes from 192.168.200.154:4500 on eth0
Jan 3 16:31:22 [pluto] | ICOOKIE: 55 86 75 b2 1b 44 79 1c
Jan 3 16:31:22 [pluto] | RCOOKIE: 7e a8 97 59 89 6f 2f df
Jan 3 16:31:22 [pluto] | peer: c0 a8 c8 9a
Jan 3 16:31:22 [pluto] | state hash entry 14
Jan 3 16:31:22 [pluto] | peer and cookies match on #2, provided msgid 00000000 vs 00000000
Jan 3 16:31:22 [pluto] | state object #2 found, in STATE_MAIN_R2
Jan 3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: Peer ID is ID_IPV4_ADDR: '192.168.200.154'
Jan 3 16:31:22 [pluto] | offered CA: '%none'
Jan 3 16:31:22 [pluto] | thinking about whether to send my certificate:
Jan 3 16:31:22 [pluto] | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
Jan 3 16:31:22 [pluto] | sendcert: CERT_ALWAYSSEND and I did not get a certificate request
Jan 3 16:31:22 [pluto] | so do not send cert.
Jan 3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: I did not send a certificate because I do not have one.
Jan 3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 3 16:31:22 [pluto] | NAT-T: new mapping 192.168.200.154:500/4500)
Jan 3 16:31:22 [pluto] | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #2
Jan 3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154:4500 #2: sent MR3, ISAKMP SA established
Jan 3 16:31:22 [pluto] | next event EVENT_NAT_T_KEEPALIVE in 8 seconds
Jan 3 16:31:22 [pluto] |
Jan 3 16:31:22 [pluto] | *received 372 bytes from 192.168.200.154:4500 on eth0
Jan 3 16:31:22 [pluto] | ICOOKIE: 55 86 75 b2 1b 44 79 1c
Jan 3 16:31:22 [pluto] | RCOOKIE: 7e a8 97 59 89 6f 2f df
Jan 3 16:31:22 [pluto] | peer: c0 a8 c8 9a
Jan 3 16:31:22 [pluto] | state hash entry 14
Jan 3 16:31:22 [pluto] | peer and cookies match on #2, provided msgid 68fae285 vs 00000000
Jan 3 16:31:22 [pluto] | state object not found
Jan 3 16:31:22 [pluto] | ICOOKIE: 55 86 75 b2 1b 44 79 1c
Jan 3 16:31:22 [pluto] | RCOOKIE: 7e a8 97 59 89 6f 2f df
Jan 3 16:31:22 [pluto] | peer: c0 a8 c8 9a
Jan 3 16:31:22 [pluto] | state hash entry 14
Jan 3 16:31:22 [pluto] | peer and cookies match on #2, provided msgid 00000000 vs 00000000
Jan 3 16:31:22 [pluto] | state object #2 found, in STATE_MAIN_R3
Jan 3 16:31:22 [pluto] | our client is 192.168.200.198
Jan 3 16:31:22 [pluto] | our client protocol/port is 17/1701
Jan 3 16:31:22 [pluto] | find_client_connection starting with L2TP-PSK
Jan 3 16:31:22 [pluto] | looking for 192.168.200.198/32:17/1701 -> 192.168.200.154/32:17/1701
Jan 3 16:31:22 [pluto] | concrete checking against sr#0 10.7.3.10/32 -> 192.168.200.154/32
Jan 3 16:31:22 [pluto] | match_id a=192.168.200.154 b=192.168.200.154
Jan 3 16:31:22 [pluto] | match_id called with a=192.168.200.154 b=192.168.200.154
Jan 3 16:31:22 [pluto] | trusted_ca called with a=(empty) b=(empty)
Jan 3 16:31:22 [pluto] | fc_try trying L2TP-PSK:192.168.200.198/32:17/1701 -> 192.168.200.154/32:17/1701 vs L2TP-PSK:10.7.3.10/32:17/1701 -> 192.168.200.154/32:17/1701
Jan 3 16:31:22 [pluto] | fc_try concluding with none [0]
Jan 3 16:31:22 [pluto] | fc_try L2TP-PSK gives none
Jan 3 16:31:22 [pluto] | checking hostpair 10.7.3.10/32 -> 192.168.200.154/32 is not found
Jan 3 16:31:22 [pluto] | concluding with d = none
Jan 3 16:31:22 [pluto] "L2TP-PSK" #1: cannot respond to IPsec SA request because no connection is known for 192.168.200.198/32===10.7.3.10:4500:17/1701...192.168.200.154:4500:17/1701
Jan 3 16:31:22 [pluto] "L2TP-PSK" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.200.154:4500
I think the problem is near here, but I can't figure out how to fix it.
Thank you for your help,
Pablo Cordoba
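As an added example (not part of the original post), a small parser for the pluto debug excerpt above: it pulls out the Quick Mode selector the peer proposed ("looking for ...") and the selector the configured conn offers ("concrete checking against sr#0 ..."), and reports when the two disagree, as they do here where the peer names the server by its NAT public address while the conn's left= is the private one. The sample log lines are re-typed from the post; the function name is mine.

```python
import re

# Sample input, re-typed from the pluto debug excerpt in the post above.
PLUTO_LOG = """\
Jan 3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 3 16:31:22 [pluto] | our client is 192.168.200.198
Jan 3 16:31:22 [pluto] | looking for 192.168.200.198/32:17/1701 -> 192.168.200.154/32:17/1701
Jan 3 16:31:22 [pluto] | concrete checking against sr#0 10.7.3.10/32 -> 192.168.200.154/32
Jan 3 16:31:22 [pluto] "L2TP-PSK" #1: cannot respond to IPsec SA request because no connection is known for 192.168.200.198/32===10.7.3.10:4500:17/1701...192.168.200.154:4500:17/1701
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Selector the peer asked for in Quick Mode: our endpoint first, then theirs.
LOOKING_RE = re.compile(r"\| looking for " + IP + r"/\d+:\S+ -> " + IP + r"/\d+:\S+")
# Selector the candidate conn actually offers (its left/right).
CHECKING_RE = re.compile(r"\| concrete checking against sr#\d+ " + IP + r"/\d+ -> " + IP + r"/\d+")
NATED_RE = re.compile(r"NAT-Traversal: Result .*: i am NATed")
FAIL_RE = re.compile(r"cannot respond to IPsec SA request because no connection is known")


def diagnose_selector_mismatch(log_text):
    """Compare the peer's proposed selectors with the conn pluto tried.
    Return a dict describing the mismatch, or None if nothing to report."""
    nated = failed = False
    proposed = configured = None
    for line in log_text.splitlines():
        if NATED_RE.search(line):
            nated = True
        if FAIL_RE.search(line):
            failed = True
        m = LOOKING_RE.search(line)
        if m:
            proposed = (m.group(1), m.group(2))
        m = CHECKING_RE.search(line)
        if m:
            configured = (m.group(1), m.group(2))
    if not failed or proposed is None or configured is None or proposed == configured:
        return None
    return {
        "server_is_nated": nated,
        "proposed_local": proposed[0], "configured_left": configured[0],
        "proposed_remote": proposed[1], "configured_right": configured[1],
    }


if __name__ == "__main__":
    d = diagnose_selector_mismatch(PLUTO_LOG)
    if d is None:
        print("no selector mismatch found")
    else:
        print("peer proposed local endpoint %s but conn left= is %s (server NATed: %s)"
              % (d["proposed_local"], d["configured_left"], d["server_is_nated"]))
```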