[Openswan Users] Pb between Super-Freeswan and XP via NAT

Etienne M atipako at hotmail.com
Wed Jun 8 09:37:00 CEST 2005


Hi,

I'm a student and I have to make a VPN between an XP roadwarrior and a LAN, via 
a NAT and the Internet.
Below is my experimentation network. It works properly when the NAT is 
disabled.
When the NAT is enabled, the VPN does not work.

I obtain these errors:
cannot respond to IPsec SA request because no connection is known
INVALID_ID_INFORMATION
Quick Mode I1 message is unacceptable because it uses a previously used Message ID
INVALID_MESSAGE_ID

Thanks for any help.

Etienne.

Experimentation network:

    |10.0.0.0 LAN
--------------
super freeswan RH9
--------------
    |200.10.10.10
    |
    |200.10.10.20
--------------
   NAT : PREROUTING -i eth0 -j DNAT --to 200.10.10.10
(Mandrake 9)
--------------
    |192.168.10.20
    |
    |
    |192.168.10.30
--------------
roadwarrior XP SP2
--------------


ipsec.conf on RH9:
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=all
    plutodebug=none
    plutoload="nomade"
    uniqueids=no
    plutostart=nomade
    nat_traversal=yes

conn %default
    keyingtries=3
    #compress=yes
    disablearrivalcheck=no
    #auto=start
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn nomade
    right=%any
    left=200.10.10.10
    leftnexthop=200.10.10.20
    #rightsubnet=0.0.0.0/0
    #left=%defaultroute
    #leftid=@linuxrh9
    leftcert=universite.pem
    rightid=
    leftid=
    auto=add
    pfs=no


ipsec.conf on XP:
conn nomade
    left=%any
    #right=200.10.10.10
    right=192.168.10.20
    rightca="C=FR, S=Orsay, L=Essonne, O=universite, CN=orsay.fr"
    #rightid=
    #leftid=
    network=auto
    auto=start
    pfs=no
    nat_traversal=yes
    compress=yes

secure file:
ipsec__plutorun: Starting Pluto subsystem...
pluto[16791]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.8)
pluto[16791]:   including X.509 patch with traffic selectors (Version 0.9.32)
pluto[16791]:   including NAT-Traversal patch (Version 0.6)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[16791]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[16791]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
pluto[16791]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[16791]:   loaded cacert file 'cacert.pem' (1107 bytes)
pluto[16791]: Changing to directory '/etc/ipsec.d/crls'
pluto[16791]:   loaded crl file 'crl.pem' (459 bytes)
pluto[16791]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
pluto[16791]: | from whack: got --esp=3des
pluto[16791]: | from whack: got --ike=3des
pluto[16791]:   loaded host cert file '/etc/ipsec.d/universite.pem' (3363 bytes)
pluto[16791]: added connection description "nomade"
pluto[16791]: listening for IKE messages
pluto[16791]: adding interface ipsec0/eth0 200.10.10.10
pluto[16791]: adding interface ipsec0/eth0 200.10.10.10:4500
pluto[16791]: loading secrets from "/etc/ipsec.secrets"
pluto[16791]:   loaded private key file '/etc/ipsec.d/private/universite.key' (964 bytes)
pluto[16791]: "nomade": cannot initiate connection without knowing peer IP address
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[16791]: packet from 192.168.10.30:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[16791]: packet from 192.168.10.30:500: ignoring Vendor ID payload [26244d38eddb61b3...]
pluto[16791]: "nomade"[1] 192.168.10.30 #1: responding to Main Mode from unknown peer 192.168.10.30
pluto[16791]: "nomade"[1] 192.168.10.30 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto[16791]: "nomade"[1] 192.168.10.30 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Orsay, L=Essonne, O=universite, CN=NomadeXP'
pluto[16791]: "nomade"[2] 192.168.10.30 #1: deleting connection "nomade" instance with peer 192.168.10.30
pluto[16791]: | NAT-T: new mapping 192.168.10.30:500/4500)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sent MR3, ISAKMP SA established
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.10.20/32===200.10.10.10:4500[C=FR, ST=Orsay, L=Essonne, O=My Company Ltd, CN=universite]...192.168.10.30:4500[C=FR, ST=Orsay, L=Essonne, O=universite, CN=NomadeXP]
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x977a113e (perhaps this is a duplicated packet)
pluto[16791]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500