[Openswan Users] klips openswan2.4.0 +kernel 2.6.13.2 nat-t failed

Delta Yeh delta.yeh at gmail.com
Wed Oct 26 17:20:46 CEST 2005


pc1----gw1----nat---sw---gw2----pc2

gw1: WAN 10.10.2.1
LAN 192.168.1.1/24

nat: WAN 192.168.100.254
LAN: 10.10.2.2

gw2: WAN 132.132.100.190
LAN 192.168.16.1/24

both gw1 & gw2 are openswan 2.4.0 + kernel 2.6.13.2

gw1 ipsec.conf

version 2.0
config setup
interfaces="%defaultroute"
forwardcontrol=no
myid=@XXXXXXX
pluto=yes
plutowait=no
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!10.10.2.0/24
uniqueids=yes
#connection config for sh_bj
conn sh_bj
type=tunnel
auto=add
left=%defaultroute
keyexchange=ike
keylife=12h
auth=esp
esp=aes128-sha1
pfs=no
compress=no
disablearrivalcheck=no
failureshunt=drop
rekeyfuzz=80%
rekeymargin=9m
leftsubnet=192.168.1.0/24
rightsubnet=192.168.16.0/24
aggrmode=yes
leftid=xxxxxxxxxxx
right=132.132.100.190
rightid=xxxxxxxxx
ike=aes-sha1-modp1024
ikelifetime=1h
authby=secret
rekey=yes
keyingtries=%forever
#end of config


ipsec auto --status output:

$ ipsec auto --status
000 interface ipsec0/eth1 10.10.2.1
000 interface ipsec0/eth1 10.10.2.1
000 %myid = xxxxxxxxx
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36}
trans={0,1,108} attrs={0,1,72}
000
000 "sh_bj":
192.168.1.0/24===10.10.2.1[xxxxxxxx]---10.10.2.2...132.132.100.190[xxxxxxxx]===192.168.16.0/24;
prospective erouted; eroute owner: #0
000 "sh_bj": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec
_updown;
000 "sh_bj": ike_life: 3600s; ipsec_life: 43200s; rekey_margin: 540s;
rekey_fuzz: 80%; keyingtries: 0
000 "sh_bj": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+failureDROP; prio:
24,24; interface: eth1;
000 "sh_bj": dpd: action:hold; delay:30; timeout:120;
000 "sh_bj": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sh_bj": IKE algorithms wanted: 7_000-2-2, flags=-strict
000 "sh_bj": IKE algorithms found: 7_128-2_160-2,
000 "sh_bj": ESP algorithms wanted: 12_128-2, flags=-strict
000 "sh_bj": ESP algorithms loaded: 12_128-2, flags=-strict
000
000 #10: "sh_bj":500 STATE_AGGR_I1 (sent AI1, expecting AR1);
EVENT_RETRANSMIT in 5s; nodpd
000


segment of auto.log
26 11:03:05 firewall pluto[21786]: "sh_bj" #1: initiating Aggressive Mode
#1, connection "sh_bj"
Oct 26 11:03:05 firewall pluto[21786]: "sh_bj" #1: message ignored because
it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the
outermost level
Oct 26 11:03:05 firewall pluto[21786]: "sh_bj" #1: sending notification
INVALID_PAYLOAD_TYPE to 132.132.100.190:500
Oct 26 11:03:15 firewall pluto[21786]: "sh_bj" #1: message ignored because
it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the
outermost level
Oct 26 11:03:15 firewall pluto[21786]: "sh_bj" #1: sending notification
INVALID_PAYLOAD_TYPE to 132.132.100.190:500

