[Openswan Users] openswan 2.4.2dr5 aggressive mode +nat-t test failed.

Delta Yeh delta.yeh at gmail.com
Sat Oct 29 14:21:58 CEST 2005


I tested openswan 2.4.2dr5 in my home network last night.

pc-a======gw-a=====sw=======gw-b=====pc-b

both gw-a & gw-b are openswan 2.4.2dr5 + klips+kernel2.6.13.2(lfs)
both gw-a & gw-b use static ip address .


**************************************
gw-a is initiator , gw-b is responder
**************************************

I did these tests:
a. both gw-a & gw-b use main mode and with nat_traversal=no, it's ok.
b. both gw-a & gw-b use main mode and with nat_traversal=yes, it's ok.
c. both gw-a & gw-b use aggressive mode and with nat_traversal=no, it's ok.
d. both gw-a & gw-b use aggressive mode and with nat_traversal=yes, failed.


the config is as below, config for gw-b is almost the same except the leftXXX
and rightXXX.

ipsec.conf for gw-a

config setup
    interfaces="%defaultroute"
    forwardcontrol=no
    pluto=yes
    plutowait=no
    nat_traversal=yes
    uniqueids=yes
conn test
    type=tunnel
    auto=add
    left=%defaultroute
    keyexchange=ike
    keylife=12h
    auth=esp
    esp=aes128-sha1
    pfs=no
    compress=no
    disablearrivalcheck=no
    failureshunt=drop
    rekeyfuzz=80%
    rekeymargin=9m
    leftsubnet=10.10.12.0/24
    rightsubnet=192.168.1.0/24
    aggrmode=yes
    leftid=xxxxxxxxxxxxx
    right=192.168.121.114
    rightid=xxxxxxxxxxxxxxxx
    ike=aes-sha1-modp1024
    ikelifetime=1h
    authby=secret
    rekey=yes
    keyingtries=%forever
#end of config

segment of auth.log


Oct 28 23:13:34 firewall pluto[4618]: added connection description "test"
Oct 28 23:13:53 firewall pluto[4618]: "test" #4: initiating Aggressive Mode #4, connection "test"
Oct 28 23:13:53 firewall pluto[4618]: "test" #4: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Oct 28 23:13:53 firewall pluto[4618]: "test" #4: sending notification INVALID_PAYLOAD_TYPE to 192.168.121.114:500
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: sending notification INVALID_PAYLOAD_TYPE to 192.168.121.114:500
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: sending notification INVALID_PAYLOAD_TYPE to 192.168.121.114:500


I then did two more tests:

e. gw-a aggressive mode + nat_traversal=no
   gw-b aggressive mode + nat_traversal=yes, failed.

the auth.log is like test d.

f. gw-a aggressive mode + nat_traversal=yes
   gw-b aggressive mode + nat_traversal=no, it's ok.



It seems that openswan-2.4.2dr5 doesn't like to work as a responder when
using aggressive mode + nat_traversal=yes.


Of course it failed when I added a NAT box between gw-a and gw-b with
aggressive mode + nat_traversal=yes. The logs are like test d.
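The auth.log excerpt above follows a fixed shape (timestamp, host, pluto[pid], then a quoted connection name and "#N" state number), so the failure pattern it shows, a NAT-D payload rejected as unexpected followed by an INVALID_PAYLOAD_TYPE notification, can be picked out automatically. The following script is an added example, not code from the post or from openswan; it parses pluto log lines per IKE state, counts the ignored payload types, records the notifications sent, and flags states where a NAT-D payload was rejected, which in the tests above corresponds to a nat_traversal mismatch between the peers in aggressive mode. The sample log embedded in it is constructed from the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the lines from the post above, each joined onto one line.
SAMPLE_LOG = """\
Oct 28 23:13:34 firewall pluto[4618]: added connection description "test"
Oct 28 23:13:53 firewall pluto[4618]: "test" #4: initiating Aggressive Mode #4, connection "test"
Oct 28 23:13:53 firewall pluto[4618]: "test" #4: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Oct 28 23:13:53 firewall pluto[4618]: "test" #4: sending notification INVALID_PAYLOAD_TYPE to 192.168.121.114:500
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: sending notification INVALID_PAYLOAD_TYPE to 192.168.121.114:500
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Oct 28 23:14:03 firewall pluto[4618]: "test" #4: sending notification INVALID_PAYLOAD_TYPE to 192.168.121.114:500
"""

# Syslog prefix as written by pluto: "Mon DD HH:MM:SS host pluto[pid]: rest"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: (?P<rest>.*)$')
# Per-state messages carry the connection name and the state number.
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
MODE_RE = re.compile(r'initiating (?P<mode>Aggressive|Main) Mode')
IGNORED_RE = re.compile(r'unknown or unexpected payload type \((?P<ptype>[A-Z0-9_\-]+)\)')
NOTIFY_RE = re.compile(r'sending notification (?P<notify>[A-Z_]+) to (?P<peer>\S+)')


def parse_pluto_log(text):
    """Group pluto messages by (connection, state number).

    Returns {(conn, sa): {'mode': str|None,
                          'ignored': {payload_type: count},
                          'notifications': [(notify_type, peer), ...]}}.
    Lines that are not per-state messages (e.g. 'added connection
    description') are skipped.
    """
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = STATE_RE.match(m['rest'])
        if not s:
            continue
        key = (s['conn'], int(s['sa']))
        st = states.setdefault(
            key, {'mode': None, 'ignored': defaultdict(int), 'notifications': []})
        msg = s['msg']
        mm = MODE_RE.search(msg)
        if mm:
            st['mode'] = mm['mode']
        im = IGNORED_RE.search(msg)
        if im:
            st['ignored'][im['ptype']] += 1
        nm = NOTIFY_RE.search(msg)
        if nm:
            st['notifications'].append((nm['notify'], nm['peer']))
    return states


def diagnose(states):
    """Flag states where a NAT-D payload was rejected as unexpected.

    A NAT-D payload arriving at a pluto that did not expect it, combined
    with an INVALID_PAYLOAD_TYPE notification going back to the peer, is
    the signature seen in tests d and e above; the hint names the setting
    those tests varied (nat_traversal) rather than guessing further.
    """
    findings = []
    for (conn, sa), st in sorted(states.items()):
        natd = st['ignored'].get('ISAKMP_NEXT_NAT-D', 0)
        if not natd:
            continue
        peers = sorted({peer for notify, peer in st['notifications']
                        if notify == 'INVALID_PAYLOAD_TYPE'})
        findings.append(
            f'{conn} #{sa}: {st["mode"] or "unknown"} Mode exchange rejected '
            f'NAT-D payload {natd} time(s); INVALID_PAYLOAD_TYPE sent to '
            f'{", ".join(peers) or "nobody"}. Check that nat_traversal= '
            f'matches on both peers.')
    return findings


if __name__ == '__main__':
    for line in diagnose(parse_pluto_log(SAMPLE_LOG)):
        print(line)
```

Feed it a real auth.log with `parse_pluto_log(open('/var/log/auth.log').read())`; states with no rejected NAT-D payload produce no finding, so a healthy main-mode log (tests a and b) stays quiet.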