[Openswan Users] NATED IPSECServer, is it NATED IPSECconnection is known for...

foren titze foren.titze at gmx.net
Tue Jun 28 15:56:07 CEST 2005


Hey, thanks, good patch!

Now I get this: 

NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed

but the connection can't be established. Here is the debug output:
----------------------------------------------
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: I am sending my cert
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 28 14:45:36 linux-vpn2 pluto[9187]: | NAT-T: new mapping 80.226.234.83:500/4500)
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: sent MR3, ISAKMP SA established
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: responding to Quick Mode {msgid:d7674516}
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #43: received Delete SA payload: deleting ISAKMP State #43
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: IPsec SA established {ESP=>0x9245afd4 <0xa79c6c9d xfrm=3DES_0-HMAC_MD5 NATD=80.226.234.83}
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: responding to Main Mode from unknown peer 80.226.234.83
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: received Delete SA(0x9245afd4) payload: deleting IPSEC State #56
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW, L=Duesseldorf, O=, OU=Unix, CN=, E=k'
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: crl update for "C=DE, ST=NRW, L=Duesseldorf, O=, U=RootCA, E=" is overdue since Feb 24 13:51:39 UTC 2005
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: I am sending my cert
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 28 14:45:38 linux-vpn2 pluto[9187]: | NAT-T: new mapping 80.226.234.83:500/4500)
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: sent MR3, ISAKMP SA established
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #53: received Delete SA(0x5d1aa13b) payload: deleting IPSEC State #54
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #53: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #51: received Delete SA(0xe618c00b) payload: deleting IPSEC State #52
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #51: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #49: received Delete SA(0x25ba02e7) payload: deleting IPSEC State #50
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #49: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #47: received Delete SA(0x20f99a37) payload: deleting IPSEC State #48
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #47: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #45: received Delete SA(0xa65fc4d5) payload: deleting IPSEC State #46
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #45: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: Informational Exchange is for an unknown (expired?) SA
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: next payload type of ISAKMP Hash Payload has an unknown value: 123
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: malformed payload in packet
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: sending notification PAYLOAD_MALFORMED to 80.226.234.83:4500
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: failed to build notification for spisize=0
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: received Delete SA payload: deleting ISAKMP State #55
Jun 28 14:45:38 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #53: received Delete SA payload: deleting ISAKMP State #53
Jun 28 14:45:38 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #51: received Delete SA payload: deleting ISAKMP State #51
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:45:39 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #49: received Delete SA payload: deleting ISAKMP State #49
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:45:39 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #47: received Delete SA payload: deleting ISAKMP State #47
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:45:39 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #45: received Delete SA payload: deleting ISAKMP State #45
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:46:27 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #37: max number of retransmissions (2) reached STATE_MAIN_R1
----------------------------------------------

nat_traversal=on is set in the server config. Why can't ipsec finish the second ISAKMP phase?

thanks for your help


On Tuesday, 28 June 2005 13:56, Jacco de Leeuw wrote:
> foren titze wrote:
> > I try to move my ipsec server (with openswan 2.3.1 and kernel 2.6.11)
> > behind a Firewall that does SNAT and DNAT.
> > ------------------------
> > 80.226.234.106 #2: cannot respond to IPsec SA request because no
> > connection is known for 195.xxx.xxx.22/32===10.0.0.58[C=DE, ST=NRW,
> > L=Duesseldorf, O=xxx, OU=Server-Cert, CN=klaus,
> > E=xxx at www.de]:17/1701...80.226.234.106[C=DE, ST=NRW, L=Duesseldorf,
> > O=xxx, OU=Unix-Admin, CN=klais,
> > E=klais at www.de]:17/1701
>
> Either wait for an updated Openswan (I understand that 2.3.2 is coming up)
> or apply the patch by Bernd Galonska:
>
> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
>
> Jacco

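A triage helper for pluto logs like the one in this thread, added here as an example; it is not part of the original post and not Openswan's own code. It walks pluto's per-SA log lines, records each state's last transition, the time it was established and the time a Delete SA naming it arrived, and then flags SAs that were torn down within seconds of coming up or that logged an error. The sample lines are constructed in the format of the post's log (connection "martin", peer 80.226.234.83) rather than copied verbatim; the list of error markers and the year-less syslog timestamp handling are assumptions of this example.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample in the format of the post's pluto log (not a verbatim copy).
SAMPLE_LOG = """\
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: sent MR3, ISAKMP SA established
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500: received and ignored informational message
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: IPsec SA established {ESP=>0x9245afd4 <0xa79c6c9d xfrm=3DES_0-HMAC_MD5 NATD=80.226.234.83}
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: received Delete SA(0x9245afd4) payload: deleting IPSEC State #56
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: sent MR3, ISAKMP SA established
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: next payload type of ISAKMP Hash Payload has an unknown value: 123
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: malformed payload in packet
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: sending notification PAYLOAD_MALFORMED to 80.226.234.83:4500
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: received Delete SA payload: deleting ISAKMP State #55
Jun 28 14:46:27 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #37: max number of retransmissions (2) reached STATE_MAIN_R1
"""

# Per-SA line: <ts> <host> pluto[<pid>]: "<conn>"[<n>] <peer> #<sa>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
DELETE_RE = re.compile(r'deleting (ISAKMP|IPSEC) State #(\d+)')
# Assumed list of substrings that mark a failed exchange on an SA.
ERROR_MARKERS = ('malformed payload', 'PAYLOAD_MALFORMED', 'has an unknown value',
                 'max number of retransmissions', 'cannot respond to IPsec SA request')


def parse_ts(text):
    # Syslog stamps carry no year; strptime defaults to 1900, which is fine for
    # deltas inside one log (assumption: no year rollover in the excerpt).
    return datetime.strptime(' '.join(text.split()), '%b %d %H:%M:%S')


def summarize(lines):
    """Return {sa_number: summary dict} in first-seen order."""
    sas = OrderedDict()

    def entry(sa):
        return sas.setdefault(sa, {'state': None, 'phase': None, 'nat_t': None,
                                   'established_at': None, 'deleted_at': None,
                                   'errors': []})

    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # "packet from ..." lines carry no SA number; skip them
        ts, sa, msg = parse_ts(m.group('ts')), int(m.group('sa')), m.group('msg')
        e = entry(sa)
        t = TRANSITION_RE.search(msg)
        if t:
            e['state'] = t.group(2)
            e['phase'] = 'quick' if 'QUICK' in t.group(2) else 'main'
        if 'NAT-Traversal: Result' in msg:
            e['nat_t'] = msg.split(': ', 2)[-1]          # e.g. "both are NATed"
        if msg.endswith('ISAKMP SA established') or msg.startswith('IPsec SA established'):
            e['established_at'] = ts
        d = DELETE_RE.search(msg)
        if d:
            # The Delete arrives on the parent ISAKMP SA but names the state it
            # tears down; attribute the deletion to that state, not the parent.
            entry(int(d.group(2)))['deleted_at'] = ts
        if any(marker in msg for marker in ERROR_MARKERS):
            e['errors'].append(msg)
    return sas


def lifetime_seconds(s):
    """Seconds an SA stayed up, or None if it was never established or never deleted."""
    if s['established_at'] is None or s['deleted_at'] is None:
        return None
    return (s['deleted_at'] - s['established_at']).total_seconds()


def short_lived(sas, max_seconds=5):
    """SAs that the peer deleted within max_seconds of establishment."""
    return [sa for sa, s in sas.items()
            if lifetime_seconds(s) is not None and lifetime_seconds(s) <= max_seconds]


def errored(sas):
    """SAs that logged at least one error marker."""
    return [sa for sa, s in sas.items() if s['errors']]


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG.splitlines())
    for sa, s in summary.items():
        print(f"#{sa}: phase={s['phase']} state={s['state']} nat_t={s['nat_t']} "
              f"lifetime={lifetime_seconds(s)} errors={len(s['errors'])}")
    print('short-lived:', short_lived(summary), 'errored:', errored(summary))
```

Run over the full log above, this separates the two things happening at once: #56 is an IPsec SA that the peer deletes one second after it was established (and #46 through #54 are deleted without an establishment in the excerpt), while #57 reaches ISAKMP SA established and then dies on the ISAKMP Hash payload with next-payload type 123 that pluto rejects as malformed.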
