[Openswan Users] VPN connection to server behind firewall

Albert Strasheim fullung at gmail.com
Wed Nov 9 14:42:06 CET 2005


Hello all

I am trying to set up a VPN between road warriors and a VPN server 
behind a firewall. I am using Openswan 2.4.2dr5 and l2tpd 0.69-13 on 
Fedora Core 4 with the 2.6.13-1.1532_FC4 kernel. VPN connections on my 
internal LAN to the VPN server work fine. However, I am having problems 
with connections that traverse the firewall.

The firewall has a public IP address (a.b.c.d) and a private IP address 
10.2.2.251. The VPN server has private IP address 10.2.0.13.

I have set up 2 firewall rules using Shorewall on the firewall. 
Shorewall is a frontend to iptables:

DNAT     sdsl           loc:10.2.0.13   udp     500
DNAT     sdsl           loc:10.2.0.13   udp     4500

This means that packets on UDP ports 500 and 4500 should be forwarded 
to the host on the local network with IP address 10.2.0.13 (the VPN 
server).

I have a few questions at this point. Should the firewall also forward 
protocols 50 and 51, or are all those packets encapsulated inside UDP 
packets going to port 4500? Also, does my road warrior have to be able 
to accept connections on port 500 and/or 4500? Should the firewall be 
doing something else to the packets before forwarding them?

On the road warrior, I imported the PKCS12 certificate and set up the 
connection using the New Connection Wizard. I tried all the possible 
values (0, 1, 2) for the AssumeUDPEncapsulationContextOnSendRule DWORD 
in HKLM\System\CurrentControlSet\Services\IPSec, to no avail. The road 
warrior has public IP address x.y.z.w.

My Openswan configuration is as follows:

config setup
  # private ranges a NAT-T client may present as its inner (virtual) address
  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
  nat_traversal=yes
conn %default
  keyingtries=1
  compress=yes
  disablearrivalcheck=no
  authby=rsasig
  leftrsasigkey=%cert
  rightrsasigkey=%cert
include /etc/ipsec.d/examples/no_oe.conf
# server side UDP/any port, client side UDP/1701 (L2TP)
conn roadwarrior-l2tp
  leftprotoport=17/0
  rightprotoport=17/1701
  also=roadwarrior
# same, for clients that propose UDP/1701 on the server side as well
conn roadwarrior-l2tp-updatedwin
  leftprotoport=17/1701
  rightprotoport=17/1701
  also=roadwarrior
# shared settings pulled in by also= above
conn roadwarrior
  left=%defaultroute
  leftcert=vpnhost.mydomain.com.pem
  right=%any
  # client may use its own address (%no) or a virtual IP from virtual_private (%priv)
  rightsubnet=vhost:%no,%priv
  auto=add
  pfs=no
  compress=no

The following appears in /var/log/secure when I initiate the connection 
from the road warrior:

Nov  9 14:02:46 vpnhost pluto[4850]: packet from x.y.z.w:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov  9 14:02:46 vpnhost pluto[4850]: packet from x.y.z.w:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov  9 14:02:46 vpnhost pluto[4850]: packet from x.y.z.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov  9 14:02:46 vpnhost pluto[4850]: packet from x.y.z.w:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov  9 14:02:46 vpnhost pluto[4850]: "roadwarrior-l2tp"[3] x.y.z.w #2: responding to Main Mode from unknown peer x.y.z.w
Nov  9 14:02:46 vpnhost pluto[4850]: "roadwarrior-l2tp"[3] x.y.z.w #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  9 14:02:46 vpnhost pluto[4850]: "roadwarrior-l2tp"[3] x.y.z.w #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[3] x.y.z.w #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[3] x.y.z.w #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[3] x.y.z.w #2: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[3] x.y.z.w #2: Main mode peer ID is ID_DER_ASN1_DN: '<snip>, N=roadwarrior.mydomain.com'
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: deleting connection "roadwarrior-l2tp" instance with peer x.y.z.w {isakmp=#0/ipsec=#0}
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: I am sending my cert
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  9 14:02:47 vpnhost pluto[4850]: | NAT-T: new mapping x.y.z.w:500/4500)
Nov  9 14:02:47 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov  9 14:02:48 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: cannot respond to IPsec SA request because no connection is known for a.b.c.d/32===10.2.0.13[<snip>, CN=vpnhost.mydomain.com]:17/1701...x.y.z.w[<snip>, CN=roadwarrior.mydomain.com]:17/1701
Nov  9 14:02:48 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: sending encrypted notification INVALID_ID_INFORMATION to x.y.z.w:4500
Nov  9 14:02:49 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa5a9bd68 (perhaps this is a duplicated packet)
<snip: message repeated 5 times>
Nov  9 14:03:51 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w #2: received Delete SA payload: deleting ISAKMP State #2
Nov  9 14:03:51 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] x.y.z.w: deleting connection "roadwarrior-l2tp" instance with peer x.y.z.w {isakmp=#0/ipsec=#0}
Nov  9 14:03:51 vpnhost pluto[4850]: packet from x.y.z.w:4500: received and ignored informational message

Is it possible for this setup to work? Am I doing something wrong?

Thanks for your time.

Regards

Albert Strasheim

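The line worth reading in that log is "cannot respond to IPsec SA request because no connection is known for a.b.c.d/32===10.2.0.13[...]:17/1701...x.y.z.w[...]:17/1701": pluto prints the selectors the client proposed in Quick Mode, and the server-side selector it shows is the firewall's public address, not the address that left=%defaultroute gives the conns above. The script below is an added diagnostic, not from the post, the list's reply or Openswan itself: it parses that pluto line and the posted ipsec.conf (the include line left out), merges conn %default and also= sections, and reports for each conn which selector or protoport check fails. It assumes %defaultroute resolves to 10.2.0.13 on the post's server, stands the placeholders a.b.c.d and x.y.z.w in with RFC 5737 documentation addresses, and approximates pluto's matching (an exact protoport compare, with proto 0 and port %any as wildcards; own keys overriding also= keys). A second constructed line models the LAN case the post says works, where the proposed server selector is 10.2.0.13/32.

```python
"""Added diagnostic (not from the post or Openswan): explain why no conn in an
ipsec.conf matches the selectors in pluto's "no connection is known for" line."""
import ipaddress
import re

# Assumptions: %defaultroute resolves to 10.2.0.13 on the post's server; the post's
# placeholders a.b.c.d / x.y.z.w are replaced by RFC 5737 documentation addresses.
SERVER_ADDR = "10.2.0.13"
FIREWALL_PUBLIC = "203.0.113.1"   # stands in for a.b.c.d
ROADWARRIOR = "198.51.100.7"      # stands in for x.y.z.w

# Constructed input: the post's ipsec.conf without the include line.
IPSEC_CONF = """\
config setup
  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
  nat_traversal=yes
conn %default
  keyingtries=1
  authby=rsasig
  leftrsasigkey=%cert
  rightrsasigkey=%cert
conn roadwarrior-l2tp
  leftprotoport=17/0
  rightprotoport=17/1701
  also=roadwarrior
conn roadwarrior-l2tp-updatedwin
  leftprotoport=17/1701
  rightprotoport=17/1701
  also=roadwarrior
conn roadwarrior
  left=%defaultroute
  leftcert=vpnhost.mydomain.com.pem
  right=%any
  rightsubnet=vhost:%no,%priv
  auto=add
  pfs=no
"""

# Constructed log lines: the post's failing line (public address as server selector),
# and a modelled LAN-side request where the server selector is its real address.
PLUTO_LINE = (f'Nov  9 14:02:48 vpnhost pluto[4850]: "roadwarrior-l2tp"[4] {ROADWARRIOR} #2: '
              'cannot respond to IPsec SA request because no connection is known for '
              f'{FIREWALL_PUBLIC}/32==={SERVER_ADDR}[<snip>, CN=vpnhost.mydomain.com]:17/1701'
              f'...{ROADWARRIOR}[<snip>, CN=roadwarrior.mydomain.com]:17/1701')
LAN_LINE = (f'no connection is known for {SERVER_ADDR}/32==={SERVER_ADDR}[CN=vpnhost]:17/1701'
            '...10.2.5.20[CN=lanclient]:17/1701')

REQ_RE = re.compile(r"no connection is known for (?P<lsub>\S+?)===(?P<lhost>[\d.]+)\[[^\]]*\]"
                    r":(?P<lpp>\d+/\d+)\.\.\.(?P<rhost>[\d.]+)\[[^\]]*\]:(?P<rpp>\d+/\d+)"
                    r"(?:===(?P<rsub>\S+))?")


def parse_conf(text):
    """Return {(kind, name): {key: value}} for every 'config'/'conn' section."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                      # section header line
            kind, _, name = raw.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        key, _, value = raw.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def effective_conn(sections, name, seen=None):
    """conn %default, then also= sections (recursively), then the conn's own keys."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    seen.add(name)
    own = sections[("conn", name)]
    merged = dict(sections.get(("conn", "%default"), {}))
    for inc in own.get("also", "").split(","):
        if inc.strip():
            merged.update(effective_conn(sections, inc.strip(), seen))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def parse_request(line):
    """Selectors proposed in Quick Mode, or None if the line is not that failure."""
    m = REQ_RE.search(line)
    if not m:
        return None
    return {"left_subnet": ipaddress.ip_network(m["lsub"]), "left_pp": m["lpp"],
            "right_host": m["rhost"], "right_pp": m["rpp"],
            "right_subnet": ipaddress.ip_network(m["rsub"] or m["rhost"] + "/32")}


def protoport_ok(have, want):
    """Exact compare; proto 0 means any protocol, port %any means any port (assumption)."""
    hp, _, hport = have.partition("/")
    wp, _, wport = want.partition("/")
    return hp == "0" or (hp == wp and (hport == "%any" or hport == wport))


def explain(conn, req, private_nets):
    """List the reasons this conn cannot serve the request (empty list = it would match)."""
    reasons = []
    left = conn.get("left", "")
    left_host = SERVER_ADDR if left == "%defaultroute" else left
    left_sel = ipaddress.ip_network(conn.get("leftsubnet", left_host + "/32"))
    if not req["left_subnet"].subnet_of(left_sel):
        reasons.append(f"left selector {req['left_subnet']} not covered by {left_sel}")
    for side in ("left", "right"):
        have = conn.get(side + "protoport", "0/0")
        if not protoport_ok(have, req[side + "_pp"]):
            reasons.append(f"{side}protoport {have} does not match proposed {req[side + '_pp']}")
    if conn.get("right", "") not in ("%any", req["right_host"]):
        reasons.append(f"right={conn.get('right')} is not the peer {req['right_host']}")
    rsub = conn.get("rightsubnet", req["right_host"] + "/32")
    if rsub.startswith("vhost:"):                     # %no = own address, %priv = virtual_private
        opts = rsub[len("vhost:"):].split(",")
        host_only = req["right_subnet"] == ipaddress.ip_network(req["right_host"] + "/32")
        in_priv = any(req["right_subnet"].subnet_of(p) for p in private_nets)
        if not (("%no" in opts and host_only) or ("%priv" in opts and in_priv)):
            reasons.append(f"right selector {req['right_subnet']} not allowed by {rsub}")
    elif not req["right_subnet"].subnet_of(ipaddress.ip_network(rsub)):
        reasons.append(f"right selector {req['right_subnet']} not covered by {rsub}")
    return reasons


def diagnose(conf_text=IPSEC_CONF, line=PLUTO_LINE):
    """{conn name: [reasons]} for every non-default conn in conf_text."""
    sections, req = parse_conf(conf_text), parse_request(line)
    vp = sections.get(("config", "setup"), {}).get("virtual_private", "")
    private_nets = [ipaddress.ip_network(t[4:]) for t in vp.split(",")
                    if t.startswith("%v4:") and not t.startswith("%v4:!")]
    return {name: explain(effective_conn(sections, name), req, private_nets)
            for kind, name in sections if kind == "conn" and name != "%default"}


if __name__ == "__main__":
    for name, reasons in diagnose().items():
        print(name, "->", "; ".join(reasons) or "would match")
```

Run as-is it prints, for each conn, the checks that fail against the posted log line: every conn fails the server-side selector check because the proposal names the firewall's public address while the conns are built from 10.2.0.13, and roadwarrior-l2tp additionally fails on leftprotoport 17/0 versus the proposed 17/1701. Swap in LAN_LINE and the updated-Windows conn matches cleanly, which is the behaviour the post reports for clients on the internal LAN.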