[Openswan Users] openswan/l2tp client to windows 2003 server
Peter Teufl
pteufl at sbox.tugraz.at
Tue Mar 22 10:52:26 CET 2005
Hi,
I want to connect with openswan-2.3.0 and l2tpd (0.70-pre200311) to a
Windows 2003 VPN Server. When I am in a non-NAT environment, the
connection is working perfectly.
Unfortunately I do not have any luck when the client is behind a NAT
device (the server is not behind a NAT device).
I have tried some different combinations of linux/openswan:
linux-2.4.28 with openswan-2.3.0
linux-2.6.10 with openswan-2.3.0 (native kernel IPSEC and KLIPS mode)
linux-2.6.10 with openswan-2.2.0 (native kernel IPSEC)
linux-2.6.10 with openswan-2.3.1dr3 (native kernel IPSEC): only
difference: "with method RFC XXXX" is replaced by the RFC number.
All of the kernels are from ftp.kernel.org and are self compiled.
The results can be seen below. Openswan tries to enable NAT, but it fails...
L2TP config is not shown here, because with NAT-T I do not get that far.
I have even tried to change the source and set
draft-ietf-ipsec-nat-t-ike-02_n to value 107 which is
draft-ietf-ipsec-nat-t-ike-02. Then I was able to finish phase1, but
phase 2 failed with something like ("client id does not match my
proposal").
Just for info: I used racoon to establish the connection. NAT-T seems to
work there, but then it is not able to decode the certificate chain sent
by windows 2003.
Does anyone know how to solve this?
Best Regards,
Peter
This is the output in auth.log from
ipsec auto --up windows2003
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: initiating Main Mode
Mar 22 09:30:33 linux pluto[6439]: | no IKE algorithms for this connection
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: ignoring Vendor ID
payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: ignoring Vendor ID
payload [FRAGMENTATION]
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: enabling possible
NAT-traversal with method RFC XXXX (NAT-Traversal)
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: NAT-Traversal: Only
0 NAT-D - Aborting NAT-Traversal negociation
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: I am sending my cert
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: I am sending a
certificate request
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 22 09:30:34 linux pluto[6439]: "windows2003" #1: discarding
duplicate packet; already STATE_MAIN_I3
Mar 22 09:31:02 linux last message repeated 4 times
Mar 22 09:31:32 linux pluto[6439]: "windows2003" #1: ignoring Delete SA
payload: not encrypted
Mar 22 09:31:32 linux pluto[6439]: "windows2003" #1: received and
ignored informational message
Mar 22 09:31:43 linux pluto[6439]: "windows2003" #1: max number of
retransmissions (2) reached STATE_MAIN_I3. Possible authentication
failure: no acceptable response to our first encrypted message
Mar 22 09:32:37 linux pluto[6439]: shutting down
Mar 22 09:32:37 linux pluto[6439]: forgetting secrets
Mar 22 09:32:37 linux pluto[6439]: "windows2003": deleting connection
This is the config:
config setup
	klipsdebug=none
	nat_traversal=yes
	interfaces="ipsec0=eth0"
	plutodebug=none
	uniqueids=yes

conn %default
	keyingtries=1
	disablearrivalcheck=no
	pfs=no
	compress=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	keylife=30m

conn windows2003
	type=transport
	right="IP OF WINDOWS 2003 VPN SERVER"
	rightid="CERT INFORMATION"
	rightrsasigkey=%cert
	rightca="CAINFORMATION"
	rightprotoport=17/1701
	pfs=no
	left="CLIENT IP ADDRESS"
	leftprotoport=17/0
	leftcert="FILENAME OF CERT"
	auto=add
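A small triage script, added here as an example and not part of Peter's post or of Openswan, that parses pluto lines of the shape quoted above and reports how far phase 1 got, which NAT-T vendor ID was matched, and whether NAT-T was aborted for lack of NAT-D payloads. The sample log is a constructed subset of the lines in the post; the regexes are assumptions about the message formats shown there.

```python
import re

# Constructed sample: a subset of the pluto auth.log lines quoted in the post.
SAMPLE_LOG = """\
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: initiating Main Mode
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negociation
Mar 22 09:30:33 linux pluto[6439]: "windows2003" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 22 09:31:43 linux pluto[6439]: "windows2003" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# One pattern per pluto message shape seen in the post (assumed formats).
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
VID_RE = re.compile(r"received Vendor ID payload \[([^\]]+)\] method set to=(\d+)")
STATE_RE = re.compile(r"transition from state (\S+) to state (\S+)")
NATD_RE = re.compile(r"NAT-Traversal: Only (\d+) NAT-D")
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (\w+)")


def parse_pluto_log(text):
    """Collect per-connection IKE phase 1 facts from pluto log lines."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # daemon-level message, not tied to a connection
        c = conns.setdefault(m["conn"], {"vendor_ids": {}, "states": [],
                                         "nat_d_count": None, "stuck_state": None})
        msg = m["msg"]
        v, s, n, r = (p.search(msg) for p in (VID_RE, STATE_RE, NATD_RE, RETRANS_RE))
        if v:
            c["vendor_ids"][v.group(1)] = int(v.group(2))   # NAT-T method number
        elif s:
            c["states"].append(s.group(2))                  # state we moved into
        elif n:
            c["nat_d_count"] = int(n.group(1))              # NAT-D payloads received
        elif r:
            c["stuck_state"] = r.group(2)                   # state where retransmits gave up
    return conns


def diagnose(conn):
    """Turn the parsed facts into short findings for the log reader."""
    findings = []
    if conn["nat_d_count"] == 0:
        findings.append("NAT-T aborted: peer advertised NAT-T but sent no NAT-D payloads")
    if conn["stuck_state"] and conn["states"] and conn["stuck_state"] == conn["states"][-1]:
        findings.append("phase 1 stalled in %s: no reply to our first encrypted message"
                        % conn["stuck_state"])
    return findings


if __name__ == "__main__":
    for name, facts in parse_pluto_log(SAMPLE_LOG).items():
        print(name, facts["states"], facts["vendor_ids"], diagnose(facts))
```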