[Openswan Users]
Paul Overton
paul at trusted-management.com
Wed Mar 16 12:53:28 CET 2005
This is a real limitation of NAT traversal with openswan: you can only have
one active tunnel per certificate/IP address.
In your case, you can overcome your issues with your LAN/DMZ by having a
single tunnel and then using your firewall code to protect the two adjacent
networks. In this case I would recommend having your LAN and DMZ IP address
ranges adjacent to each other.
You probably don't actually need a tunnel to your external interface, as you
can probably have the identical services available from your DMZ. In this
case you should use the ipsec up script to give the desired functionality.
You could try using L2TP over IPsec as an alternative, where you can
route multiple networks over the layer 2 tunnel.
Paul
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of lux
Sent: 16 March 2005 00:01
To: users at openswan.org
Subject: [Openswan Users]
I am trying to set up an IPSec access between Windows (road warrior) and a
Linux gateway with Openswan.
My setup (the public IP addresses were changed with IPs from the 10.0.0.0
and 172.16.0.0 private networks):
           192.168.1.254       10.0.0.2
LAN-------------GATEWAY==================IPSec tunnel========Windows
                   |                                        roadwarrior
                   | 192.168.100.254
                   |
                  DMZ
On the gateway I have Fedora Core 3 with Openswan 2.3.0, native IPSec.
As long as I use only one tunnel of the 3 defined (for example I ping the
gateway on 10.0.0.2), everything seems to work fine.
But when the second tunnel comes up (for example I ping 192.168.100.254),
the first tunnel is shut down. After a while (seconds) the second tunnel is
shut down, and the first returns up. After another while, the first goes
down and the second comes up and so on. After some of these transitions, the
second tunnel (the one to the DMZ, for example) stays up and the first stays
down.
It seems that there can be only one tunnel at a time between the road
warrior pc and 10.0.0.2.
Is this a real limitation? Can I circumvent it?
The config is:
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.15.128/25

conn %default
    keyingtries=1
    compress=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=192.168.1.0/255.255.255.0
    also=roadwarrior

conn roadwarrior-dmz
    leftsubnet=192.168.100.0/24
    also=roadwarrior

conn roadwarrior
    left=10.0.0.2
    leftcert=server.pem
    leftnexthop=10.0.0.1
    right=%any
    rightsubnet=vhost:%no,%priv
    rightcert=lux.pem
    auto=add
    pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
On the Windows machine I have Windows 2000. I'm using the ipsec.exe utility
from Marcus Mueller, with the following config:
conn roadwarrior
    left=%any
    right=10.0.0.2
    rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc. CA,Email=info at domain.com"
    network=auto
    auto=start
    pfs=yes

conn dmz
    left=%any
    right=10.0.0.2
    rightsubnet=192.168.100.0/255.255.255.0
    rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc. CA,Email=info at domain.com"
    network=auto
    auto=start
    pfs=yes

conn net
    left=%any
    right=10.0.0.2
    rightsubnet=192.168.1.0/255.255.255.0
    rightca="C=IT,S=XX,L=XXXXXX,O=Company inc.,CN=Company inc. CA,Email=info at domain.com"
    network=auto
    auto=start
    pfs=yes
I also tried using Windows XP SP2 (updated ipseccmd.exe) with the same
results.
Here is the pluto log (notice the "deleting" and "SA established" lines):
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: responding to Main Mode from unknown peer 172.16.1.1
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux, E=info at domain.com'
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: I am sending my cert
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:08:58 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #1: sent MR3, ISAKMP SA established
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: responding to Quick Mode
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: IPsec SA established {ESP/NAT=>0xf7cae962 <0x78e24bfd NATOA=0.0.0.0}
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:09:30 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: responding to Main Mode from unknown peer 172.16.1.1
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux, E=info at domain.com'
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: I am sending my cert
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: deleting connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#1/ipsec=#2}
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior" #2: deleting state (STATE_QUICK_R2)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior" #1: deleting state (STATE_MAIN_R3)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:09:31 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863 #3: sent MR3, ISAKMP SA established
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4: responding to Quick Mode
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4: IPsec SA established {ESP/NAT=>0xeddfcd30 <0x421c2a0c NATOA=0.0.0.0}
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863 #3: received Delete SA payload: deleting ISAKMP State #3
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863: deleting connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#0}
Mar 15 11:11:13 mail pluto[24382]: packet from 172.16.1.1:33863: received and ignored informational message
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:11:24 mail pluto[24382]: packet from 172.16.1.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: responding to Main Mode from unknown peer 172.16.1.1
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=XX, L=XXXXXX, O=Company inc., CN=lux, E=info at domain.com'
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: I am sending my cert
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: deleting connection "roadwarrior-dmz" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#4}
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior-dmz" #4: deleting state (STATE_QUICK_R2)
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 11:11:24 mail pluto[24382]: | NAT-T: new mapping 172.16.1.1:500/33863)
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #5: sent MR3, ISAKMP SA established
Mar 15 11:11:25 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: responding to Quick Mode
Mar 15 11:11:25 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 11:11:26 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 11:11:26 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: IPsec SA established {ESP/NAT=>0xbe59a09f <0x25de535f NATOA=0.0.0.0}
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
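The pluto log quoted above records the behaviour the poster describes as a repeating sequence: a fresh Main Mode from the same road-warrior address, then "deleting connection ... instance" naming the IPsec state that was still established, then a new "IPsec SA established" for the other conn. The following Python script is an added example for this thread, not code from the original post or from Openswan: it parses pluto's syslog line format as quoted, flags every case where a new Main Mode negotiation from the same peer tore down a connection instance that still held an established IPsec SA, and reports how long each tunnel lived and which one survives at the end of the log. SAMPLE_LOG is constructed from the poster's own lines re-joined one entry per line; the regexes, the Event/Preemption types and the function names are this example's assumptions and not an Openswan interface.

```python
"""Flag pluto "tunnel preemption" in an Openswan log (added example)."""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# syslog prefix pluto writes: "Mar 15 11:08:57 mail pluto[24382]: <body>"
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (?P<body>.*)$")
# body with a live connection instance:  "<conn>"[<n>] <peer>[:port] #<state>: <text>
INSTANCE = re.compile(
    r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\d+\.\d+\.\d+\.\d+)(?::\d+)? #(?P<state>\d+): (?P<text>.*)$')
# body once the instance is gone:  "<conn>" #<state>: <text>
BARE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<text>.*)$')
# the teardown message; ipsec=#0 means there was no child SA to lose
DELETING = re.compile(
    r'^deleting connection "(?P<victim>[^"]+)" instance with peer (?P<peer>\S+) '
    r'\{isakmp=#(?P<isakmp>\d+)/ipsec=#(?P<ipsec>\d+)\}')


class Event(NamedTuple):
    when: datetime
    conn: str
    state: int
    peer: Optional[str]   # None for BARE lines
    text: str


class Preemption(NamedTuple):
    victim_conn: str      # connection whose IPsec SA was torn down
    victim_state: int     # its IPsec state number (#N)
    killer_conn: str      # connection instance whose Main Mode triggered the teardown
    killer_state: int
    peer: str
    lifetime_s: int       # seconds the victim SA was established


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for lines that carry a #state number, else None."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    # year-less syslog stamp (year defaults to 1900); only differences are used
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    im = INSTANCE.match(m["body"]) or BARE.match(m["body"])
    if not im:
        return None  # "packet from ..." and "| debug" lines have no state number
    return Event(when, im["conn"], int(im["state"]), im.groupdict().get("peer"), im["text"])


def analyze(lines) -> Tuple[List[Preemption], List[Tuple[str, int]]]:
    """Return (preemptions found, IPsec SAs still established at end of log)."""
    established = {}   # ipsec state# -> (conn, established_at, peer)
    main_mode = set()  # ISAKMP state#s that began as a fresh Main Mode responder
    found = []
    for ev in filter(None, map(parse_line, lines)):
        if ev.text.startswith("responding to Main Mode"):
            main_mode.add(ev.state)
        elif ev.text.startswith("IPsec SA established"):
            established[ev.state] = (ev.conn, ev.when, ev.peer)
        else:
            dm = DELETING.match(ev.text)
            victim = int(dm["ipsec"]) if dm else 0
            if dm and victim in established and ev.state in main_mode:
                vconn, vtime, vpeer = established.pop(victim)
                if vpeer == dm["peer"]:  # same peer address: a preemption, not an unrelated teardown
                    found.append(Preemption(vconn, victim, ev.conn, ev.state, vpeer,
                                            int((ev.when - vtime).total_seconds())))
    return found, [(c, s) for s, (c, _, _) in established.items()]


# Constructed sample: the poster's log entries, re-joined one per line and trimmed.
SAMPLE_LOG = """\
Mar 15 11:08:57 mail pluto[24382]: packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 15 11:08:57 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1 #1: responding to Main Mode from unknown peer 172.16.1.1
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #1: sent MR3, ISAKMP SA established
Mar 15 11:08:58 mail pluto[24382]: "roadwarrior"[1] 172.16.1.1:33863 #2: IPsec SA established {ESP/NAT=>0xf7cae962 <0x78e24bfd NATOA=0.0.0.0}
Mar 15 11:09:30 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: responding to Main Mode from unknown peer 172.16.1.1
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1 #3: deleting connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#1/ipsec=#2}
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior" #2: deleting state (STATE_QUICK_R2)
Mar 15 11:09:31 mail pluto[24382]: "roadwarrior-dmz"[1] 172.16.1.1:33863 #4: IPsec SA established {ESP/NAT=>0xeddfcd30 <0x421c2a0c NATOA=0.0.0.0}
Mar 15 11:11:13 mail pluto[24382]: "roadwarrior"[2] 172.16.1.1:33863: deleting connection "roadwarrior" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#0}
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: responding to Main Mode from unknown peer 172.16.1.1
Mar 15 11:11:24 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1 #5: deleting connection "roadwarrior-dmz" instance with peer 172.16.1.1 {isakmp=#0/ipsec=#4}
Mar 15 11:11:25 mail pluto[24382]: "roadwarrior"[3] 172.16.1.1:33863 #6: IPsec SA established {ESP/NAT=>0xbe59a09f <0x25de535f NATOA=0.0.0.0}
""".splitlines()


if __name__ == "__main__":
    preemptions, alive = analyze(SAMPLE_LOG)
    for p in preemptions:
        print(f'"{p.victim_conn}" #{p.victim_state} lived {p.lifetime_s}s, '
              f'torn down by new Main Mode #{p.killer_state} from {p.peer}')
    print("still established at end of log:", alive)
```

Feeding the full log from the post (or `grep pluto /var/log/secure`) to `analyze()` turns the flapping into a list of victim/killer pairs with lifetimes, which is easier to reason about than the interleaved transitions; a teardown whose `ipsec=#0` or whose state never logged "responding to Main Mode" (such as the client-initiated Delete SA at 11:11:13) is deliberately not counted.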