[Openswan Users]
Roadwarrior --- Behind NAT CLIENT W2K/WinXP not working...
Deepak Naidu
deepak_nai at yahoo.com
Tue Nov 8 15:07:41 CET 2005
Hi All,

I have been using Openswan U2.3.1 on FC3 (2.6 kernel), and I can easily connect to it using any Win2k or WinXP client behind NAT. My VPN server is also NATed, with L2TPd + certificates, using the Windows VPN client.

But I have one more machine which has FC1 with kernel 2.4.22 and FreeS/WAN super-freeswan-1.99.8.

Using the same config file which worked for Openswan is not working for FreeS/WAN. I get the "cannot respond to IPsec SA request because no connection is known for" error message when trying to connect from a W2K/WinXP client behind NAT. But the same thing works when I try to use the VPN client on Win2k/XP with a dialup connection.
---------my ipsec.conf-----
config setup
    interfaces="ipsec0=eth0 "
    klipsdebug=none
    plutodebug=none
    fragicmp=no
    packetdefault=drop
    hidetos=yes
    uniqueids=yes
    overridemtu=1410
    nocrsend=no
    nat_traversal=yes
    keep_alive=60
    plutostart=%search
    plutoload=%search
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.0.0/24

conn %default
    rekeymargin=9m
    rekeyfuzz=100%
    keyingtries=1
    auto=add
    compress="no"
    authby="rsasig"
    disablearrivalcheck=no

conn sh
    left="202.149.x.x"
    leftnexthop="202.149.x.x"
    leftsubnet="172.17.0.0/24"
    right="%any"
    #rightsubnet=vhost:%no,%priv
    leftcert="/net/etc/netserv/conf/vpn/certificates/sslca/local_cert.pem"
    rightcert="/net/etc/netserv/conf/vpn/certificates/sslca/client_cert.pem"
    leftrsasigkey="%cert"
    rightrsasigkey="%cert"
    type="tunnel"
    pfs="no"
    pfsgroup="modp2048"
    rightprotoport="17/1701"
    leftprotoport="17/1701"
    keyexchange="ike"
    ike="3des-md5-modp2048"
    esp="3des-md5"
    keylife="28800"
    ikelifetime="3600"
    compress="no"
    auto=add
NOTE: Currently I have 2 ISP connections; one has the route and the other interface accepts VPN connections.
------ERROR MESSAGE-------------
Nov 8 20:26:22 netserv pluto[2188]: packet from 210.18.143.69:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Nov 8 20:26:22 netserv pluto[2188]: packet from 210.18.143.69:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 8 20:26:22 netserv pluto[2188]: packet from 210.18.143.69:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 8 20:26:22 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69 #1: responding to Main Mode from unknown peer 210.18.143.69
Nov 8 20:26:25 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 8 20:26:27 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69 #1: discarding duplicate packet; already STATE_MAIN_R2
Nov 8 20:26:29 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69 #1: discarding duplicate packet; already STATE_MAIN_R2
Nov 8 20:26:29 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IN, ST=mah, L=mum, O=mangal, OU=it, CN=it, E=support at mangalkeshav.com'
Nov 8 20:26:29 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69 #1: Issuer CRL not found
Nov 8 20:26:29 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69 #1: Issuer CRL not found
Nov 8 20:26:29 netserv pluto[2188]: | NAT-T: new mapping 210.18.143.69:500/4500)
Nov 8 20:26:29 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: sent MR3, ISAKMP SA established
Nov 8 20:26:30 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Nov 8 20:26:32 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Nov 8 20:26:33 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: cannot respond to IPsec SA request because no connection is known for 202.149.200.27:4500[C=IN, ST=maharas, L=mumba, O=man, OU=it, CN=it, E=support at mangalkeshav.com]:17/1701...210.18.143.69:4500[C=IN, ST=mah, L=mum, O=mangal, OU=it, CN=it, E=support at mangalkeshav.com]:17/1701===3313516807
Nov 8 20:26:33 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 210.18.143.69:4500
Nov 8 20:26:40 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x362f07ed (perhaps this is a duplicated packet)
Nov 8 20:26:40 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: sending encrypted notification INVALID_MESSAGE_IDto 210.18.143.69:4500
Nov 8 20:26:48 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x362f07ed (perhaps this is a duplicated packet)
Nov 8 20:26:48 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: sending encrypted notification INVALID_MESSAGE_IDto 210.18.143.69:4500
Nov 8 20:27:04 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x362f07ed (perhaps this is a duplicated packet)
Nov 8 20:27:04 netserv pluto[2188]: "shaikh_1"[1] 210.18.143.69:4500 #1: sending encrypted notification INVALID_MESSAGE_IDto 210.18.143.69:4500
Cheers,
Deepak Naidu.
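As an added example, not part of Deepak's post or of the Openswan/FreeS/WAN code: a small Python helper that decodes pluto's "no connection is known for" spec into the two proposed endpoints (client selector, host, ID, proto/port) and lists which of a conn's subnet and protoport settings fail to cover them. Run against the log and config above, it reports that the client proposes the server host itself (202.149.200.27/32 with 17/1701) while conn sh declares leftsubnet=172.17.0.0/24, which is the selector pluto finds no connection for. The conn dict is constructed from the posted ipsec.conf, and the trailing "===3313516807" is kept as an opaque string.

```python
import ipaddress
import re

# Constructed sample: the "no connection is known for" spec from the posted
# pluto log, unwrapped onto one line; the trailing number is copied as-is.
SAMPLE = (
    "202.149.200.27:4500[C=IN, ST=maharas, L=mumba, O=man, OU=it, CN=it, "
    "E=support at mangalkeshav.com]:17/1701...210.18.143.69:4500[C=IN, "
    "ST=mah, L=mum, O=mangal, OU=it, CN=it, E=support at mangalkeshav.com]"
    ":17/1701===3313516807"
)
# conn sh as posted (rightsubnet is commented out, so it is absent here).
CONN_SH = {"leftsubnet": "172.17.0.0/24", "leftprotoport": "17/1701",
           "rightprotoport": "17/1701"}

# One end of pluto's spec: [client===]host:port[ID]:proto/port[===client]
END_RE = re.compile(
    r"^(?:(?P<lclient>[^=]+)===)?(?P<host>[\d.]+):(?P<port>\d+)"
    r"\[(?P<id>[^\]]*)\]:(?P<proto>\d+)/(?P<pport>\d+)(?:===(?P<rclient>.+))?$"
)

def parse_end(text):
    m = END_RE.match(text)
    if not m:
        raise ValueError("unrecognised endpoint spec: " + text)
    d = m.groupdict()
    # No explicit client selector means the host itself, i.e. a /32.
    client = d["lclient"] or d["rclient"] or d["host"] + "/32"
    return {"client": client, "host": d["host"], "id": d["id"],
            "protoport": d["proto"] + "/" + d["pport"]}

def parse_no_conn(spec):
    """Split 'left...right' and decode both proposed endpoints."""
    left, right = spec.split("...", 1)
    return {"left": parse_end(left), "right": parse_end(right)}

def check_conn(proposal, conn):
    """List the selector mismatches that stop conn from matching the SA."""
    problems = []
    for side in ("left", "right"):
        want, got = conn.get(side + "protoport", "0/0"), proposal[side]["protoport"]
        if want != got:
            problems.append(f"{side}protoport {want} != proposed {got}")
        subnet, client = conn.get(side + "subnet"), proposal[side]["client"]
        if subnet:  # a conn side without <side>subnet is not checked here
            try:
                ok = ipaddress.ip_network(client, strict=False).subnet_of(ipaddress.ip_network(subnet))
            except ValueError:  # e.g. the raw number pluto printed for the right client
                ok = False
            if not ok:
                problems.append(f"{side}subnet {subnet} does not cover proposed client {client}")
    return problems
```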