[Openswan Users] NAT-T Problem with Openswan, Linux client and Windows server

Martin Schläffer schlaeff at sbox.tugraz.at
Wed Oct 12 18:52:51 CEST 2005


Hi,

I want to connect from a Linux client with Openswan 2.4.0 and kernel 2.6.12 
to a Windows server, which is not NATed.
The connection uses L2TP and works perfectly with a Linux client if it 
_is_not_ behind a NAT device, and also works when connecting from a Windows 
client which _is_ behind a NAT device.

But the connection with Openswan under Linux using NAT-T cannot be 
established, as can be seen in the following log:

104 "iaik" #1: STATE_MAIN_I1: initiate
003 "iaik" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
003 "iaik" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "iaik" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "iaik" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "iaik" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation
108 "iaik" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "iaik" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "iaik" #2: STATE_QUICK_I1: initiate
010 "iaik" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "iaik" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "iaik" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

I'm using the native IPsec kernel stack and not KLIPS; nat_traversal=yes 
is set in the config.
I could not find a detailed HOWTO for this kind of setup or for solving 
the problem. Does anyone know how to solve it, and what further 
information can I post to help track down this problem?

This is the ipsec.conf:
-----
config setup
         klipsdebug=none
         plutodebug=none
         uniqueids=yes
         nat_traversal=yes

conn %default
         keyingtries=1
         disablearrivalcheck=yes
         pfs=no
         compress=yes
         authby=rsasig
         leftrsasigkey=%cert
         rightrsasigkey=%cert

conn iaik
         type=transport
         right="IP of Windows Server"
         rightprotoport=17/1701
         rightid="CERT INFORMATION"
         rightrsasigkey=%cert
         rightca="CA INFORMATION"
         pfs=no
         left=%defaultroute
         leftprotoport=17/1701
         leftrsasigkey=%cert
         leftca="CA INFORMATION"
         leftcert=/etc/ipsec.d/certs/cert.pem
         auto=add
-----

Best regards,
Martin
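Added example, not part of the post above and not Openswan's own code: a small Python triage script that parses pluto's `RC "conn" #sa: message` output lines and reports where this negotiation stopped. The constructed sample input is a subset of the log quoted above with the mail-client line wraps rejoined; it flags that the peer advertised the NAT-T draft-02 vendor ID but zero NAT-D payloads were seen, so NAT-T was aborted before Phase 1 completed and Quick Mode then timed out.

```python
import re

# Openswan/pluto whack output: a three-digit return code, the connection
# name in quotes, the state object number, then the message text.
PLUTO_LINE = re.compile(
    r'^(?P<rc>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
NATD_COUNT = re.compile(r'Only (?P<n>\d+) NAT-D')

# Constructed sample input: a subset of the lines from the post above,
# with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
104 "iaik" #1: STATE_MAIN_I1: initiate
003 "iaik" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "iaik" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation
004 "iaik" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "iaik" #2: STATE_QUICK_I1: initiate
010 "iaik" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "iaik" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

def parse_pluto(text):
    """Return one dict per recognised pluto line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PLUTO_LINE.match(line)
        if m:
            d = m.groupdict()
            d["rc"], d["sa"] = int(d["rc"]), int(d["sa"])
            events.append(d)
    return events

def diagnose(events):
    """Summarise how far the IKE negotiation got and why it stopped."""
    report = {"natt_vid_seen": False, "natd_count": None,
              "isakmp_sa": False, "quick_mode_failed": False}
    for e in events:
        msg = e["msg"]
        if "nat-t-ike" in msg and "received Vendor ID" in msg:
            report["natt_vid_seen"] = True
        m = NATD_COUNT.search(msg)
        if m and "Aborting NAT-Traversal" in msg:
            report["natd_count"] = int(m.group("n"))
        if "ISAKMP SA established" in msg:
            report["isakmp_sa"] = True
        if "max number of retransmissions" in msg and "QUICK" in msg:
            report["quick_mode_failed"] = True
    # Zero NAT-D payloads means Phase 1 finished without NAT-T in effect.
    report["natt_aborted"] = report["natd_count"] == 0
    return report
```

Running `diagnose(parse_pluto(SAMPLE_LOG))` on the sample yields natt_vid_seen and isakmp_sa true, natd_count 0, natt_aborted true and quick_mode_failed true, which is the pattern a NATed client shows when the peer never sends NAT-D payloads.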
