[Openswan Users] Pb between Super-Freeswan and XP via NAT
Etienne M
atipako at hotmail.com
Wed Jun 8 09:37:00 CEST 2005
Hi,
I'm a student and I have to make a VPN between an XP roadwarrior and a LAN, via
a NAT and the Internet.
Below is my experimentation network. It works properly when the NAT is
disabled.
When the NAT is enabled, the VPN does not work.
I obtain these errors:
cannot respond to IPsec SA request because no connection is known
INVALID_ID_INFORMATION
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID
INVALID_MESSAGE_ID
Thanks for any help.
Etienne.
Experimentation network:
|10.0.0.0 LAN
--------------
super freeswan RH9
--------------
|200.10.10.10
|
|200.10.10.20
--------------
NAT : PREROUTING -i eth0 -j DNAT --to 200.10.10.10
(Mandrake 9)
--------------
|192.168.10.20
|
|
|192.168.10.30
--------------
roadwarrior XP SP2
--------------
ipsec.conf on RH9:
config setup
interfaces="ipsec0=eth0"
klipsdebug=all
plutodebug=none
plutoload="nomade"
uniqueids=no
plutostart=nomade
nat_traversal=yes
conn %default
keyingtries=3
#compress=yes
disablearrivalcheck=no
#auto=start
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn nomade
right=%any
left=200.10.10.10
leftnexthop=200.10.10.20
#rightsubnet=0.0.0.0/0
#left=%defaultroute
#leftid=@linuxrh9
leftcert=universite.pem
rightid=
leftid=
auto=add
pfs=no
ipsec.conf on XP:
conn nomade
left=%any
#right=200.10.10.10
right=192.168.10.20
rightca="C=FR, S=Orsay, L=Essonne, O=universite, CN=orsay.fr"
#rightid=
#leftid=
network=auto
auto=start
pfs=no
nat_traversal=yes
compress=yes
secure file:
ipsec__plutorun: Starting Pluto subsystem...
pluto[16791]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.8)
pluto[16791]: including X.509 patch with traffic selectors (Version 0.9.32)
pluto[16791]: including NAT-Traversal patch (Version 0.6)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
pluto[16791]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[16791]: loaded cacert file 'cacert.pem' (1107 bytes)
pluto[16791]: Changing to directory '/etc/ipsec.d/crls'
pluto[16791]: loaded crl file 'crl.pem' (459 bytes)
pluto[16791]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
pluto[16791]: | from whack: got --esp=3des
pluto[16791]: | from whack: got --ike=3des
pluto[16791]: loaded host cert file '/etc/ipsec.d/universite.pem' (3363 bytes)
pluto[16791]: added connection description "nomade"
pluto[16791]: listening for IKE messages
pluto[16791]: adding interface ipsec0/eth0 200.10.10.10
pluto[16791]: adding interface ipsec0/eth0 200.10.10.10:4500
pluto[16791]: loading secrets from "/etc/ipsec.secrets"
pluto[16791]: loaded private key file '/etc/ipsec.d/private/universite.key' (964 bytes)
pluto[16791]: "nomade": cannot initiate connection without knowing peer IP address
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[16791]: packet from 192.168.10.30:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [26244d38eddb61b3...]
pluto[16791]: "nomade"[1] 192.168.10.30 #1: responding to Main Mode from unknown peer 192.168.10.30
pluto[16791]: "nomade"[1] 192.168.10.30 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto[16791]: "nomade"[1] 192.168.10.30 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Orsay, L=Essonne, O=universite, CN=NomadeXP'
pluto[16791]: "nomade"[2] 192.168.10.30 #1: deleting connection "nomade" instance with peer 192.168.10.30
pluto[16791]: | NAT-T: new mapping 192.168.10.30:500/4500)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sent MR3, ISAKMP SA established
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.10.20/32===200.10.10.10:4500[C=FR, ST=Orsay, L=Essonne, O=My Company Ltd, CN=universite]...192.168.10.30:4500[C=FR, ST=Orsay, L=Essonne, O=universite, CN=NomadeXP]
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500