[Openswan Users] 2 NAT packets drops
1801
1801 at 083.pfr.ru
Wed Jun 8 13:05:44 CEST 2005
Hi all,
at the moment, I am playing with VPN/Openswan
My network setup looks like:
host1 openswan 1.0.9 (int 10.83.0.A, ext 10.83.200.A)
cisco 1 (int 10.83.200.B)
cisco 2 (NAT, int 10.83.200.C, ext X.Y.W.S)
internet
cisco 3 (NAT, int 10.83.D.E, ext X.Y.W.Z)
host2 Sonicwall vpnclient 8.0 (int 10.83.D.F)
openswan ipsec.conf:
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" f
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control start
plutoload=%search
plutostart=%search
plutowait=no
# Close down old connection when new one using same ID shows
uniqueids=yes
nat_traversal=yes
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means v
keyingtries=0
# RSA authentication with keys from DNS.
authby=rsasig
auth=esp
#leftrsasigkey=%dns
#rightrsasigkey=%dns
compress=yes
pfs=yes
disablearrivalcheck=yes
keyexchange=ike
keylife=24h
#aggrmode=yes
#rekey=no
conn upfr24
type=tunnel
left=%defaultroute
leftsubnet=10.83.0.0/255.255.255.0
leftcert=mvCert.der
leftrsasigkey=%cert
leftid=X.Y.W.S (cisco 2 ext)
right=X.Y.W.Z (cisco 3 ext)
rightsubnet=10.83.D.F/255.255.255.255
rightrsasigkey=%cert
rightid="/C=RU/ля ля ля..."
compress=no
auto=start
Everything seems to work fine, but
host1# ping host2 - no messages
ifconfig
ipsec0 ....
inet addr:10.83.200.A Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:245 errors:0 dropped:0 overruns:0 frame:0
TX packets:231 errors:0 dropped:14 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:14756 (14.4 Kb) TX bytes:32802 (32.0 Kb)
host2# ping host1 - yes response
logfiles:
Jun 8 09:27:38 ibm320 pluto[3056]: "upfr24" #1: initiating Main Mode
Jun 8 09:27:38 ibm320 pluto[3056]: "upfr24" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 8 09:27:38 ibm320 pluto[3056]: "upfr24" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ignoring Vendor ID payload [47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e302e302028...]
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ignoring Vendor ID payload [da8e937880010000]
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ignoring Vendor ID payload [XAUTH]
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: both are NATed
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: Warning: peer is NATed but source port is still udp/500. Ipsec-passthrough NAT device suspected -- NAT-T may not work.
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=RU, .........'
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: crl update is overdue since Dec 19 06:32:35 UTC 2003
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: crl update is overdue since Dec 19 06:32:35 UTC 2003
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ISAKMP SA established
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #3: responding to Quick Mode
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #3: transition from state (null) to state STATE_QUICK_R1
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
Jun 8 09:27:40 ibm320 pluto[3056]: "upfr24" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 8 09:27:40 ibm320 pluto[3056]: "upfr24" #2: sent QI2, IPsec SA established
Jun 8 09:27:40 ibm320 pluto[3056]: "upfr24" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 8 09:27:40 ibm320 pluto[3056]: "upfr24" #3: IPsec SA established
tcpdump output:
1.
tcpdump -i eth1 src X.Y.W.Z (Cisco3 ext)
09:36:01.941136 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 I ident: [|sa]
09:36:11.306903 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 ? ident: [|sa]
09:36:11.479699 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 ? ident: [|cr]
09:36:11.856809 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 1 ? ident[E]: [encrypted id] (frag 11400:1328 at 0+)
09:36:11.856919 **.ru > 10.83.200.A: udp (frag 11400:20 at 1328)
09:36:12.181531 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others ? oakley-quick[EC]: [encrypted hash]
09:36:13.625977 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others ? none[E]: [encrypted #82]
09:36:14.622172 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others ? #58[]: [|#85]
09:36:15.620202 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others ? #114[]: [|#15]
09:36:16.621788 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others ? #7[EC]: [encrypted #189]
09:36:17.619646 **.ru.isakmp > 10.83.200.A.isakmp: isakmp: phase 2/others ? #152[C]: [|#101]
2.
tcpdump -i eth1 src 192.168.200.A
09:32:28.527202 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
09:32:28.867820 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 1 I ident: [|ke] (DF)
09:32:29.258838 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 1 I ident[E]: [encrypted id] (DF)
09:32:29.776442 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
09:32:30.250533 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
09:32:31.768216 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others ? #158[C]: [|ke]
09:32:32.776634 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others ? #255[E]: [encrypted #61]
09:32:33.792164 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others ? #104[C]: [|#133]
09:32:34.805680 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others ? #248[E]: [encrypted #101]
----------
Any hints, what's causing this problem?
thanks in advance, student
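An added diagnostic, written for this page and not taken from the post or from Openswan: it parses pluto log lines and tcpdump output of the kind shown above, confirms that NAT-Traversal saw both peers as NATed and emitted the passthrough warning, and checks whether IKE ever moved to udp/4500, which in the captures above it does not, so ESP is leaving as raw IP protocol 50 rather than UDP-encapsulated. The sample lines are abridged from the post; the assumption that tcpdump may print port 4500 as "ipsec-nat-t" is mine.

```python
import re

# Constructed sample input, abridged from the pluto log and tcpdump output in the post.
PLUTO_LOG = """\
Jun 8 09:27:38 ibm320 pluto[3056]: "upfr24" #1: initiating Main Mode
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: both are NATed
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: Warning: peer is NATed but source port is still udp/500. Ipsec-passthrough NAT device suspected -- NAT-T may not work.
Jun 8 09:27:39 ibm320 pluto[3056]: "upfr24" #1: ISAKMP SA established
Jun 8 09:27:40 ibm320 pluto[3056]: "upfr24" #2: sent QI2, IPsec SA established
"""
TCPDUMP = """\
09:32:28.527202 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
09:32:29.776442 10.83.200.A.isakmp > **.ru.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ENDPOINT_RE = re.compile(r'^\S+ (?P<src>\S+) > (?P<dst>\S+):')  # "host.port > host.port:"
KNOWN_PORTS = {'isakmp': 500, 'ipsec-nat-t': 4500}  # service names tcpdump substitutes (assumed)

def parse_pluto(text):
    """Return (conn, sa_number, message) for every pluto line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if m:
            out.append((m.group('conn'), int(m.group('sa')), m.group('msg')))
    return out

def ike_ports(text):
    """Collect the UDP ports tcpdump shows on either side of each IKE packet."""
    ports = set()
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line)
        if not m:
            continue
        for ep in (m.group('src'), m.group('dst')):
            tok = ep.rsplit('.', 1)[-1]  # last dotted component is the port or service name
            port = int(tok) if tok.isdigit() else KNOWN_PORTS.get(tok)
            if port:
                ports.add(port)
    return ports

def assess_nat_t(pluto_text, tcpdump_text):
    """Combine pluto's NAT-T decision with what was actually seen on the wire."""
    msgs = [msg for _, _, msg in parse_pluto(pluto_text)]
    both_nated = any('both are NATed' in m for m in msgs)
    warning = any('Ipsec-passthrough NAT device suspected' in m for m in msgs)
    floated = 4500 in ike_ports(tcpdump_text)  # NAT-T moves IKE and ESP-in-UDP to udp/4500
    if both_nated and not floated:
        verdict = 'NAT detected but IKE stayed on udp/500: ESP leaves as raw IP protocol 50 and relies on the NAT devices passing it'
    elif floated:
        verdict = 'IKE floated to udp/4500: ESP is UDP-encapsulated'
    else:
        verdict = 'no NAT detected'
    return {'both_nated': both_nated, 'passthrough_warning': warning, 'udp_4500_seen': floated, 'verdict': verdict}
```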