[Openswan Users] NATED IPSECServer, is it NATED IPSECconnection is known for...
foren titze
foren.titze at gmx.net
Tue Jun 28 15:56:07 CEST 2005
Hey thanks, goot patch!
Now I get this:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
but the connection can't establish:
----------------
here the debug output:------------------------
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: I am
sending my cert
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 28 14:45:36 linux-vpn2 pluto[9187]: | NAT-T: new mapping
80.226.234.83:500/4500)
Jun 28 14:45:36 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55: sent
MR3, ISAKMP SA established
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56:
responding to Quick Mode {msgid:d7674516}
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #43:
received Delete SA payload: deleting ISAKMP State #43
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
received and ignored informational message
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #56: IPsec
SA established {ESP=>0x9245afd4 <0xa79c6c9d xfrm=3DES_0-HMAC_MD5
NATD=80.226.234.83}
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jun 28 14:45:37 linux-vpn2 pluto[9187]: packet from 80.226.234.83:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57:
responding to Main Mode from unknown peer 80.226.234.83
Jun 28 14:45:37 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55:
received Delete SA(0x9245afd4) payload: deleting IPSEC State #56
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: Main
mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW, L=Duesseldorf, O=, OU=Unix,
CN=, E=k'
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: crl
update for "C=DE, ST=NRW, L=Duesseldorf, O=, U=RootCA, E=" is overdue since
Feb 24 13:51:39 UTC 2005
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: I am
sending my cert
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 28 14:45:38 linux-vpn2 pluto[9187]: | NAT-T: new mapping
80.226.234.83:500/4500)
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: sent
MR3, ISAKMP SA established
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #53:
received Delete SA(0x5d1aa13b) payload: deleting IPSEC State #54
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #53:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #51:
received Delete SA(0xe618c00b) payload: deleting IPSEC State #52
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #51:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #49:
received Delete SA(0x25ba02e7) payload: deleting IPSEC State #50
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #49:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #47:
received Delete SA(0x20f99a37) payload: deleting IPSEC State #48
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #47:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #45:
received Delete SA(0xa65fc4d5) payload: deleting IPSEC State #46
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #45:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
Informational Exchange is for an unknown (expired?) SA
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: next
payload type of ISAKMP Hash Payload has an unknown value: 123
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57:
malformed payload in packet
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: sending
notification PAYLOAD_MALFORMED to 80.226.234.83:4500
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #57: failed
to build notification for spisize=0
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #55:
received Delete SA payload: deleting ISAKMP State #55
Jun 28 14:45:38 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #53:
received Delete SA payload: deleting ISAKMP State #53
Jun 28 14:45:38 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
received and ignored informational message
Jun 28 14:45:38 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #51:
received Delete SA payload: deleting ISAKMP State #51
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
received and ignored informational message
Jun 28 14:45:39 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #49:
received Delete SA payload: deleting ISAKMP State #49
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
received and ignored informational message
Jun 28 14:45:39 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #47:
received Delete SA payload: deleting ISAKMP State #47
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
received and ignored informational message
Jun 28 14:45:39 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #45:
received Delete SA payload: deleting ISAKMP State #45
Jun 28 14:45:39 linux-vpn2 pluto[9187]: packet from 80.226.234.83:4500:
received and ignored informational message
Jun 28 14:46:27 linux-vpn2 pluto[9187]: "martin"[1] 80.226.234.83 #37: max
number of retransmissions (2) reached STATE_MAIN_R1
----------------------------------------------
nat_traversal=on at the server config. Why ipsec can't finish the second
isakmp phase??
thanks for your help
Am Dienstag, 28. Juni 2005 13:56 schrieb Jacco de Leeuw:
> foren titze wrote:
> > I try to move my ipsec server (with openswan 2.3.1 and kernel 2.6.11)
> > behind a Firewall that does SNAT and DNAT.
> > ------------------------
> > 80.226.234.106 #2: cannot respond to IPsec SA request because no
> > connection is known for 195.xxx.xxx.22/32===10.0.0.58[C=DE, ST=NRW,
> > L=Duesseldorf, O=xxx, OU=Server-Cert, CN=klaus,
> > E=xxx at www.de]:17/1701...80.226.234.106[C=DE, ST=NRW, L=Duesseldorf,
> > O=xxx, OU=Unix-Admin, CN=klais,
> > E=klais at www.de]:17/1701
>
> Either wait for an updated Openswan (I understand that 2.3.2 is coming up)
> or apply the patch by Bernd Galonska:
>
> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
>
> Jacco
More information about the Users
mailing list