[Openswan Users] Mac OS X 10.4.3 <-> Openswan

Jacco de Leeuw jacco2 at dds.nl
Wed Nov 23 19:45:35 CET 2005


Paul Wouters wrote:

> I am using MacOSX 10.4.3 behind NAT using L2TP with Openswan 2.4.4 without
> NAT-T problems. Can someone who think it is still broken give me more
> information and preferably logfiles?

http://bugs.xelerance.com/view.php?id=462

If you use nat_traversal=yes then Openswan will always come to the conclusion
that both peers are NATed if a Mac connects. But if none of the peers are
actually NATed and you still use nat_traversal=yes then the connection will
not work (see log below). You would have to use nat_traversal=no. But that
will shut out NATed clients.

This was true for Openswan 2.4.2. I have not tried it with 2.4.4 yet (no Mac
at hand) but I don't see a mention of Mac related fixes in the Changelog for
2.4.2-2.4.4. So I assumed the problem was still there. Nat_traversal.c did not
change in these three versions. Are you using a CVS version, perhaps? There
was a port hash fix added to CVS on Oct 2.

Here's the log:

pluto[6132]: packet from 192.168.0.5:500: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike] method set to=110
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: responding to Main Mode from 
unknown peer 192.168.0.5
Nov 14 19:04:45 ibmjacco pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: ignoring Vendor ID payload 
[KAME/racoon]
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: NAT-Traversal: Result using RFC 
3947 (NAT -Traversal): both are NATed
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: Main mode peer ID is 
ID_DER_ASN1_DN: 'C=NL, ST=ST, L=L, O=TESTORG, CN=TESTUSER'
pluto[6132]: "L2TP-CERT"[1] 192.168.0.5 #1: crl update for "C=NL, ST=ST, L=L, 
O=TESTORG, CN=TESTCA" is overdue since Jan 24 14:47:19 UTC 2005
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #1: deleting connection "L2TP-CERT" 
instance with peer 192.168.0.5 {isakmp=#0/ipsec=#0}
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #1: I am sending my cert
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #1: transition from state 
STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA 
established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp1024}
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #1: ignoring informational payload, 
type IPSEC_INITIAL_CONTACT
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #1: received and ignored informational 
message
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #2: ENCAPSULATION_MODE_TRANSPORT must 
only be used if NAT-Traversal is not detected
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #2: ENCAPSULATION_MODE_TRANSPORT must 
only be used if NAT-Traversal is not detected
pluto[6132]: "L2TP-CERT"[2] 192.168.0.5 #2: responding to Quick Mode 
{msgid:a78bec9e}

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
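Added example, not part of the post above: a small model of the RFC 3947 NAT-D check that produces the "both are NATed" line in the log. Each side sends HASH(CKY-I | CKY-R | IP | Port) for both addresses; a hash that does not match what the responder sees on the wire is read as "that address was rewritten by a NAT". The cookies and addresses are constructed, and the port-byte-order mismatch used to reproduce the false "both are NATed" result is a hypothetical cause chosen for illustration; the post does not establish what the Mac actually sends differently.

```python
import hashlib
import ipaddress
import struct

# Constructed sample ISAKMP cookies (8 bytes each); not values from the post.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(ip, port, port_fmt="!H"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), address and
    port in network byte order.  SHA-1 matches the log (prf=oakley_sha).
    port_fmt is only a knob for the hypothetical mismatch demo below."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack(port_fmt, port)
    return hashlib.sha1(data).digest()


def detect_nat(local_ip, local_port, peer_ip, peer_port, nat_d_for_us, nat_d_for_peer):
    """Responder-side detection.  nat_d_for_us is the NAT-D the initiator sent
    for *our* address as it believes it to be; nat_d_for_peer is the one it sent
    for its own.  A hash that differs from what we observe on the wire means
    that address was rewritten, i.e. that side is behind NAT.
    Returns (we_are_nated, peer_is_nated)."""
    we_are_nated = nat_d_hash(local_ip, local_port) != nat_d_for_us
    peer_is_nated = nat_d_hash(peer_ip, peer_port) != nat_d_for_peer
    return we_are_nated, peer_is_nated


def transport_mode_allowed(we_are_nated, peer_is_nated):
    """The rule behind the log line 'ENCAPSULATION_MODE_TRANSPORT must only be
    used if NAT-Traversal is not detected'."""
    return not (we_are_nated or peer_is_nated)


GW, CLIENT = "203.0.113.1", "192.168.0.5"   # constructed addresses


def no_nat_correct_peer():
    """Both sides hash as RFC 3947 specifies: nobody looks NATed."""
    return detect_nat(GW, 500, CLIENT, 500,
                      nat_d_hash(GW, 500), nat_d_hash(CLIENT, 500))


def no_nat_peer_misencodes_port():
    """Hypothetical: the peer packs the port in the wrong byte order.  Both of
    its NAT-D hashes then fail to match, so the responder reports 'both are
    NATed' although no NAT exists, and transport mode is refused."""
    return detect_nat(GW, 500, CLIENT, 500,
                      nat_d_hash(GW, 500, "<H"), nat_d_hash(CLIENT, 500, "<H"))


def peer_really_behind_nat():
    """Peer hashes its private address, but we see the NAT's public one."""
    return detect_nat(GW, 500, "198.51.100.7", 4500,
                      nat_d_hash(GW, 500), nat_d_hash(CLIENT, 500))
```

Comparing the three outcomes shows why a hashing mismatch is indistinguishable from a real NAT on the responder side, which is exactly why the false positive then blocks the transport-mode Quick Mode that L2TP needs.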