[Openswan Users] L2TP/IPSec VPN and ADSL modem that double NATs.

Jim Barber jim.barber at ddihealth.com
Tue Nov 15 16:21:24 CET 2005


I've been having trouble setting up an L2TP/IPSec server on our Linux gateway here at work.
I have successfully done the same thing on my home system which is almost identical.

I am running the Debian package openswan_2.4.0-3.
I am running this on the latest Linux 2.6.14 kernel.

The specific error that I get is as follows:

#------------------------------------------------------------------------
"roadwarrior-all"[2] 203.214.119.71 #1: cannot respond to IPsec SA request because no connection is known for 
203.188.158.2/32===10.0.0.1[C=AU, ST=Western Australia, L=Perth, O=DDI Health, CN=vpn.ddihealth.com, 
E=hostmaster at ddihealth.com]:17/1701...203.214.119.71[C=AU, ST=Western Australia, L=Perth, O=DDI Health, CN=Doug Mansell, 
E=doug.mansell at ddihealth.com]:17/1701
#------------------------------------------------------------------------

I've trawled through the mailing lists and found references to this error in a lot of messages, but none of the posts I read seem to have the same setup as me and nothing that I see suggested seems to apply.

Even though both my home server and work server are set up pretty much identically (same software versions, kernel, etc., just different IP addresses), what I found is that the ADSL modems are set up differently.
My home ADSL modem assigns my external IP address directly to my ethernet card.
The ADSL modem at work still has an internal IP address bound to the ethernet card and must NAT later for our external address.

Therefore packets from my home network travel out like so:

     10.1.1.0/24 network ->  eth0[10.1.1.1] -> eth1[dynamic external IP] -> NAT to ADSL modem -> Internet

However here at work the packets travel out something like so:

     10.10.0.0/24 network -> eth0[10.10.0.1] -> eth1[10.0.0.1] -> NAT to ADSL modem -> static [203.188.158.2] -> NAT to Internet.

And obviously the reverse happens when packets travel from the internet back into the local network again.
I hope the above makes sense...

The L2TP/IPSec servers are in the local networks, and the client connecting to them is the Windows XP L2TP/IPSec VPN client.
I suspect that it is the double NAT that happens with the ADSL setup at my workplace that is causing the issue.

The contents of the ipsec.conf file on the work server are as follows (minus comments):

#------------------------------------------------------------------------
	version 2.0

	config setup
		nat_traversal=yes
		virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

	conn %default
		auto=add
		compress=yes
		left=%defaultroute
		keyingtries=1
		leftcert=gwCert.pem
		leftrsasigkey=%cert
		right=%any
		rightrsasigkey=%cert

	conn roadwarrior-net
		leftsubnet=10.10.0.0/24
		also=roadwarrior

	conn roadwarrior-all
		leftsubnet=0.0.0.0/0
		also=roadwarrior

	conn roadwarrior
		rightsubnet=vhost:%no,%priv
		pfs=yes

	conn roadwarrior-l2tp
		type=transport
		leftprotoport=udp/l2tp
		rightprotoport=udp/l2tp
		pfs=no

	conn roadwarrior-l2tp-oldwin
		leftprotoport=udp
		rightprotoport=udp/l2tp
		pfs=no

	include /etc/ipsec.d/examples/no_oe.conf
#------------------------------------------------------------------------

My home server is almost the same except it refers to a different leftcert, and the 10.10.0.0/24 network is replaced with the 10.1.1.0/24 network.
Note that I have also tried with the following setting (appending the ,!%v4:10.10.0.0/24) but it still didn't work:

		virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!%v4:10.10.0.0/24


The log output for the connection is as follows (timestamps, hostname, pluto daemon PID removed).
The Windows XP client is not NATed and is connecting from 203.214.119.71:

#------------------------------------------------------------------------
pluto: packet from 203.214.119.71:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto: packet from 203.214.119.71:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto: packet from 203.214.119.71:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto: packet from 203.214.119.71:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: responding to Main Mode from unknown peer 203.214.119.71
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Western Australia, L=Perth, O=DDI 
Health, CN=Doug Mansell, E=doug.mansell at ddihealth.com'
pluto: "roadwarrior-all"[1] 203.214.119.71 #1: no crl from issuer "C=AU, ST=Western Australia, L=Perth, O=DDI Health, CN=DDI Perth 
Certification Authority, E=hostmaster at ddihealth.com" found (strict=no)
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: deleting connection "roadwarrior-all" instance with peer 203.214.119.71 
{isakmp=#0/ipsec=#0}
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: I am sending my cert
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto: | NAT-T: new mapping 203.214.119.71:500/4500)
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG 
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: cannot respond to IPsec SA request because no connection is known for 
203.188.158.2/32===10.0.0.1[C=AU, ST=Western Australia, L=Perth, O=DDI Health, CN=vpn.ddihealth.com, 
E=hostmaster at ddihealth.com]:17/1701...203.214.119.71[C=AU, ST=Western Australia, L=Perth, O=DDI Health, CN=Doug Mansell, 
E=doug.mansell at ddihealth.com]:17/1701
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.214.119.71:4500
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 
0x077b3d15 (perhaps this is a duplicated packet)
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: sending encrypted notification INVALID_MESSAGE_ID to 203.214.119.71:4500
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 
0x077b3d15 (perhaps this is a duplicated packet)
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: sending encrypted notification INVALID_MESSAGE_ID to 203.214.119.71:4500
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 
0x077b3d15 (perhaps this is a duplicated packet)
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: sending encrypted notification INVALID_MESSAGE_ID to 203.214.119.71:4500
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 
0x077b3d15 (perhaps this is a duplicated packet)
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: sending encrypted notification INVALID_MESSAGE_ID to 203.214.119.71:4500
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 
0x077b3d15 (perhaps this is a duplicated packet)
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: sending encrypted notification INVALID_MESSAGE_ID to 203.214.119.71:4500
pluto: "roadwarrior-all"[2] 203.214.119.71 #1: received Delete SA payload: deleting ISAKMP State #1
pluto: "roadwarrior-all"[2] 203.214.119.71: deleting connection "roadwarrior-all" instance with peer 203.214.119.71 {isakmp=#0/ipsec=#0}
pluto: packet from 203.214.119.71:4500: received and ignored informational message
#------------------------------------------------------------------------

For completeness here is a successful connect from the same client to my home L2TP/IPSec server.
Note that there are different certificates in play but everything else is the same.
As per my different ADSL setup, no special NATing needs to be done.

#------------------------------------------------------------------------
pluto: packet from 203.214.119.71:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto: packet from 203.214.119.71:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto: packet from 203.214.119.71:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto: packet from 203.214.119.71:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: responding to Main Mode from unknown peer 203.214.119.71
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: STATE_MAIN_R1: sent MR1, expecting MI2
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: STATE_MAIN_R2: sent MR2, expecting MI3
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: Main mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, L=Melbourne, O=DDI Health, 
CN=Doug Mansell, E=doug.mansell at ddihealth.com'
pluto: "roadwarrior-all"[9] 203.214.119.71 #8: no crl from issuer "C=AU, ST=Western Australia, L=Perth, O=Lizardnet, CN=Lizardnet 
Certification Authority, E=hostmaster at localhost" found (strict=no)
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: deleting connection "roadwarrior-all" instance with peer 203.214.119.71 
{isakmp=#0/ipsec=#0}
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: I am sending my cert
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG 
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto: "roadwarrior-l2tp-oldwin"[4] 203.214.119.71 #9: responding to Quick Mode {msgid:e1eb3514}
pluto: "roadwarrior-l2tp-oldwin"[4] 203.214.119.71 #9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto: "roadwarrior-l2tp-oldwin"[4] 203.214.119.71 #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
pluto: "roadwarrior-l2tp-oldwin"[4] 203.214.119.71 #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto: "roadwarrior-l2tp-oldwin"[4] 203.214.119.71 #9: STATE_QUICK_R2: IPsec SA established {ESP=>0xc75b61ff <0xacba6e9f 
xfrm=3DES_0-HMAC_MD5 NATD=203.214.119.71:500 DPD=none}
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: received Delete SA(0xc75b61ff) payload: deleting IPSEC State #9
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: deleting connection "roadwarrior-l2tp-oldwin" instance with peer 203.214.119.71 
{isakmp=#0/ipsec=#0}
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: received and ignored informational message
pluto: "roadwarrior-all"[10] 203.214.119.71 #8: received Delete SA payload: deleting ISAKMP State #8
pluto: "roadwarrior-all"[10] 203.214.119.71: deleting connection "roadwarrior-all" instance with peer 203.214.119.71 
{isakmp=#0/ipsec=#0}
pluto: packet from 203.214.119.71:500: received and ignored informational message
#------------------------------------------------------------------------

Any ideas what is wrong?
Is there a configuration option I need to set or change?
Is it a case that Openswan doesn't support this sort of connection?
Is there a required patch about the place?
Should I just hassle the ISP at work to give us a different setup so the ADSL modem has the external IP address bound directly to our network card like my setup at home?

Any help is appreciated.

-- 
----------
Jim Barber
DDI Health
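The failing Quick Mode in the post is visible in one pluto line: the peer proposes 203.188.158.2/32 (the public address) as the server end of the transport-mode SA, while pluto's left end is 10.0.0.1. The following is an added example, not code from the post or from Openswan; it parses that "no connection is known for" line (a constructed copy of the one quoted above) and flags exactly that server-side NAT mismatch. Names such as parse_no_connection and diagnose are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the error line quoted in the post: the peer addressed
# 203.188.158.2 (public), but pluto's left= resolves to 10.0.0.1 behind the modem.
SAMPLE_LOG = (
    'pluto: "roadwarrior-all"[2] 203.214.119.71 #1: cannot respond to IPsec SA '
    'request because no connection is known for '
    '203.188.158.2/32===10.0.0.1[C=AU, ST=Western Australia, L=Perth, O=DDI Health, '
    'CN=vpn.ddihealth.com, E=hostmaster at ddihealth.com]:17/1701'
    '...203.214.119.71[C=AU, ST=Western Australia, L=Perth, O=DDI Health, '
    'CN=Doug Mansell, E=doug.mansell at ddihealth.com]:17/1701'
)

# pluto prints the wanted connection as
#   [leftsubnet===]lefthost[id][:proto/port]...righthost[id][:proto/port][===rightsubnet]
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?:(?P<lsub>[\d.]+/\d+)===)?(?P<lhost>[\d.]+)(?:\[[^\]]*\])?(?::(?P<lpp>\d+/\d+))?"
    r"\.\.\."
    r"(?P<rhost>[\d.]+)(?:\[[^\]]*\])?(?::(?P<rpp>\d+/\d+))?(?:===(?P<rsub>[\d.]+/\d+))?"
)

@dataclass
class NoConnError:
    left_subnet: Optional[str]
    left_host: str
    left_protoport: Optional[str]
    right_host: str
    right_subnet: Optional[str]

def parse_no_connection(line: str) -> Optional[NoConnError]:
    """Return the selectors from a 'no connection is known for' line, else None."""
    m = NO_CONN_RE.search(line)
    if m is None:
        return None
    return NoConnError(m["lsub"], m["lhost"], m["lpp"], m["rhost"], m["rsub"])

def diagnose(err: NoConnError) -> str:
    """In transport mode (udp/l2tp) the left selector must be the left host itself;
    a /32 with a different address means the peer reached us through a NAT
    that pluto's left= does not reflect."""
    if err.left_subnet is None:
        return "no left selector proposed"
    sub_ip, _, prefix = err.left_subnet.partition("/")
    if prefix == "32" and sub_ip != err.left_host:
        return f"server-side NAT: peer addressed {sub_ip} but left={err.left_host}"
    return "selectors consistent with left="
```

Run against the quoted line it reports the 203.188.158.2 versus 10.0.0.1 mismatch; the home server's log contains no such line because no NAT sits between its eth1 and the client.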

