[Openswan Users] Pb between Super-Freeswan and XP via NAT
Etienne M
atipako at hotmail.com
Fri Jun 10 00:24:03 CEST 2005
Hi Paul,
Thanks for your answer
To be close to an operational network, I changed my experimental network
below.
I also upgraded from Super-Freeswan to Openswan 2.2.0 (I also tried Openswan
2.3.1).
But always, when the NAT is enabled, the VPN does not work.
I have been working on this for one month!
The problems are always there.
I always obtain these errors:
cannot respond to IPsec SA request because no connection is known
INVALID_ID_INFORMATION
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID
INVALID_MESSAGE_ID
Thanks for any help.
Etienne.
Experimentation network:
|192.168.30.0 LAN
--------------
Openswan 2.2.0 RH9 Kernel 2.4.20-8
--------------
|192.168.20.10
|
|192.168.20.20
--------------
NAT : PREROUTING -i eth0 -j DNAT --to 192.168.20.10
(Mandrake 9)
--------------
|200.10.10.10
|
|
|200.10.10.20
--------------
Router Linux
(Mandrake 9)
--------------
|192.168.10.20
|
|192.168.10.30
--------------
roadwarrior XP SP2
--------------
Jun 2 03:04:10 linuxrh9 ipsec__plutorun: Starting Pluto subsystem...
pluto[6207]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
pluto[6207]: including NAT-Traversal patch (Version 0.6c)
pluto[6207]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[6207]: Using KLIPS IPsec interface code
pluto[6207]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[6207]: loaded CA cert file 'cacert.pem' (1107 bytes)
pluto[6207]: Could not change to directory '/etc/ipsec.d/aacerts'
pluto[6207]: Changing to directory '/etc/ipsec.d/ocspcerts'
pluto[6207]: Changing to directory '/etc/ipsec.d/crls'
pluto[6207]: loaded crl file 'crl.pem' (459 bytes)
pluto[6207]: loaded host cert file '/etc/ipsec.d/certs/universite.pem' (3348 bytes)
pluto[6207]: added connection description "nomade"
pluto[6207]: listening for IKE messages
pluto[6207]: adding interface ipsec0/eth0 192.168.20.10
pluto[6207]: adding interface ipsec0/eth0 192.168.20.10:4500
pluto[6207]: loading secrets from "/etc/ipsec.secrets"
pluto[6207]: loaded private key file '/etc/ipsec.d/private/universite.key' (964 bytes)
pluto[6207]: packet from 192.168.10.30:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[6207]: packet from 192.168.10.30:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[6207]: packet from 192.168.10.30:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[6207]: packet from 192.168.10.30:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
pluto[6207]: "nomade"[1] 192.168.10.30 #1: responding to Main Mode from unknown peer 192.168.10.30
pluto[6207]: "nomade"[1] 192.168.10.30 #1: transition from state (null) to state STATE_MAIN_R1
pluto[6207]: "nomade"[1] 192.168.10.30 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto[6207]: "nomade"[1] 192.168.10.30 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[6207]: "nomade"[1] 192.168.10.30 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Orsay, L=Essonne, O=Universite, CN=nomade220'
pluto[6207]: "nomade"[2] 192.168.10.30 #1: deleting connection "nomade" instance with peer 192.168.10.30 {isakmp=#0/ipsec=#0}
pluto[6207]: "nomade"[2] 192.168.10.30 #1: I am sending my cert
pluto[6207]: "nomade"[2] 192.168.10.30 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[6207]: | NAT-T: new mapping 192.168.10.30:500/4500)
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sent MR3, ISAKMP SA established
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: cannot respond to IPsec SA request because no connection is known for 200.10.10.10/32===192.168.20.10:4500[C=FR, ST=Orsay, L=Essonne, O=Universite, CN=universite.fr]...192.168.10.30:4500[C=FR, ST=Orsay, L=Essonne, O=Universite, CN=nomade220]
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.10.30:4500
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9f57aca8 (perhaps this is a duplicated packet)
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9f57aca8 (perhaps this is a duplicated packet)
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9f57aca8 (perhaps this is a duplicated packet)
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: received Delete SA payload: deleting ISAKMP State #1
pluto[6207]: "nomade"[2] 192.168.10.30:4500: deleting connection "nomade" instance with peer 192.168.10.30 {isakmp=#0/ipsec=#0}
pluto[6207]: packet from 192.168.10.30:4500: received and ignored informational message
pluto[6207]: packet from 192.168.10.30:4500: Informational Exchange is for an unknown (expired?) SA
pluto[6207]: packet from 192.168.10.30:4500: Informational Exchange is for an unknown (expired?) SA
Linux ipsec.conf file:
config setup
interfaces="ipsec0=eth0"
klipsdebug=all
plutodebug=none
nat_traversal=yes
myid=@linuxrh9
uniqueids=no
virtual_private=%v4:192.168.10.0/24,%v4:192.168.20.0/24,%v4:192.168.30.0/24
conn %default
keyingtries=3
compress=yes
disablearrivalcheck=no
#authby=secret
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn nomade
right=%any
left=192.168.20.10
leftnexthop=192.168.20.20
#leftnexthop=200.10.10.10
leftcert=proxitel.pem
auto=add
pfs=no
rightid=%any
leftid=%any
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
XP ipsec.conf file:
conn nomade
left=%any
right=200.10.10.10
rightca="C=FR, S=Fontenay-Les-Briis, L=Essonne, O=Universite,
CN=universite.fr"
network=auto
auto=start
pfs=no
compress=yes
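As an added diagnostic example (not part of the original post, and not Openswan's own tooling): a small Python script that reads pluto log entries like the ones quoted above, one entry per line, and reports per connection whether Main Mode completed, what NAT-Traversal detected, which endpoint pair pluto could not match to any loaded conn (the "no connection is known for" line), which notifications it sent, and which Message IDs were seen more than once. The embedded sample is an excerpt of the log in the post with its wrapped lines rejoined; the regular expressions are assumptions about pluto's message format derived from those lines, not an official parser.

```python
"""Added diagnostic example: summarize a pluto (Openswan) IKE log and extract
the endpoint pair that Quick Mode failed to match against ipsec.conf."""
import re
from collections import Counter

# Excerpt of the log quoted in the post (wrapped lines rejoined), used as sample input.
SAMPLE_LOG = """\
pluto[6207]: "nomade"[1] 192.168.10.30 #1: responding to Main Mode from unknown peer 192.168.10.30
pluto[6207]: "nomade"[1] 192.168.10.30 #1: transition from state (null) to state STATE_MAIN_R1
pluto[6207]: "nomade"[1] 192.168.10.30 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto[6207]: "nomade"[1] 192.168.10.30 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[6207]: "nomade"[2] 192.168.10.30 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sent MR3, ISAKMP SA established
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: cannot respond to IPsec SA request because no connection is known for 200.10.10.10/32===192.168.20.10:4500[C=FR, ST=Orsay, L=Essonne, O=Universite, CN=universite.fr]...192.168.10.30:4500[C=FR, ST=Orsay, L=Essonne, O=Universite, CN=nomade220]
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.10.30:4500
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9f57aca8 (perhaps this is a duplicated packet)
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9f57aca8 (perhaps this is a duplicated packet)
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.10.30:4500
pluto[6207]: "nomade"[2] 192.168.10.30:4500 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# Assumed shape of a per-connection pluto line: "conn"[instance] peer[:port] [#sa:] message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>[\d.]+)(?::(?P<port>\d+))? (?:#(?P<sa>\d+): )?(?P<msg>.*)$'
)
# Assumed shape of the unmatched endpoint pair: net===addr:port[ID]...addr:port[ID]
TUPLE_RE = re.compile(
    r'no connection is known for '
    r'(?P<left_net>[\d./]+)===(?P<left_addr>[\d.]+):(?P<left_port>\d+)\[(?P<left_id>[^\]]*)\]'
    r'\.\.\.(?P<right_addr>[\d.]+):(?P<right_port>\d+)\[(?P<right_id>[^\]]*)\]'
)
STATE_RE = re.compile(r'transition from state \S+ to state (?P<state>\S+)')
NAT_RE = re.compile(r'NAT-Traversal: Result using [^:]+: (?P<result>.+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<code>[A-Z_]+)')
MSGID_RE = re.compile(r'previously used Message ID (?P<msgid>0x[0-9a-fA-F]+)')


def summarize(log_text):
    """Return {conn_name: summary} covering phase 1 outcome, NAT-T detection,
    the unmatched Quick Mode endpoint pair, notifications sent and reused Message IDs."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # interface, vendor-ID and "| NAT-T" debug lines carry no conn name
        entry = summary.setdefault(m.group('conn'), {
            'peer': m.group('peer'), 'last_state': None, 'nat_result': None,
            'isakmp_established': False, 'unmatched': None,
            'notifications': Counter(), 'reused_message_ids': set(),
        })
        msg = m.group('msg')
        if (s := STATE_RE.search(msg)):
            entry['last_state'] = s.group('state')
        if (n := NAT_RE.search(msg)):
            entry['nat_result'] = n.group('result')
        if 'ISAKMP SA established' in msg:
            entry['isakmp_established'] = True
        if (t := TUPLE_RE.search(msg)):
            entry['unmatched'] = t.groupdict()
        if (v := NOTIFY_RE.search(msg)):
            entry['notifications'][v.group('code')] += 1
        if (i := MSGID_RE.search(msg)):
            entry['reused_message_ids'].add(i.group('msgid'))
    return summary


def diagnose(entry):
    """Turn one connection's summary into findings to check against ipsec.conf.
    Only restates what the log lines themselves show."""
    findings = []
    if entry['isakmp_established']:
        findings.append('phase 1 (Main Mode) completed; the failure is in Quick Mode')
    else:
        findings.append('phase 1 did not complete (last state %s)' % entry['last_state'])
    if entry['nat_result']:
        findings.append('NAT-T detection: %s' % entry['nat_result'])
    u = entry['unmatched']
    if u:
        findings.append('no conn matched left %s at %s [%s] ... right %s [%s]' % (
            u['left_net'], u['left_addr'], u['left_id'], u['right_addr'], u['right_id']))
        if u['left_net'].split('/')[0] != u['left_addr']:
            findings.append('left subnet %s is not the address pluto listens on (%s)'
                            % (u['left_net'], u['left_addr']))
    for code, count in sorted(entry['notifications'].items()):
        findings.append('sent %s x%d' % (code, count))
    if entry['reused_message_ids']:
        findings.append('Quick Mode retransmits with reused Message ID: %s'
                        % ', '.join(sorted(entry['reused_message_ids'])))
    return findings


if __name__ == '__main__':
    for conn, entry in summarize(SAMPLE_LOG).items():
        print('%s (peer %s)' % (conn, entry['peer']))
        for finding in diagnose(entry):
            print('  -', finding)
```

Run it against a full `/var/log/secure` or pluto log by passing the file contents to `summarize()`; the last finding worth reading first is the unmatched endpoint pair, since that is the left/right/ID combination pluto compares against every loaded conn before it sends INVALID_ID_INFORMATION.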