[Openswan Users] winXP + NAT-T + IPSEC

Balu Stefan balustefan at sprovider.ro
Fri Sep 2 18:49:21 CEST 2005


Ok ...
On one side I have a NATed PC running Windows XP. Its IP address always changes... and on the other side I have a Linux box directly connected to the internet.
Now the XP box acts as a roadwarrior to the gateway (which, I must say, has the subnet 10.0.0.0/24 behind it).
so ...
       XP ---O ROUTER -----O --<INTERNET>--O GATEWAY --O---<SUBNET>
the router I am NATed by has the address 81.196.111.218
my IP address behind this router is 192.168.4.147
the GATEWAY's IP address is 194.102.253.132
the subnet is 10.0.0.0/24

Now... if my XP box is connected directly to the internet, the tunnel with the subnet works like a charm... but when I bring it behind a NAT, not anymore...
This is what I did:
1) took openswan http://www.openswan.org/download/openswan-2.4.0rc4.tar.gz
2) patched the kernel with make newpatch (or so... just like in the documentation)
3) reconfigured/recompiled/reinstalled my kernel with NAT-T support
4) make programs install in the openswan dir...
5) created CA, resulting:
    a) /etc/ssl/cacert.pem -> rootCA certificate
    b) /etc/ssl/private/cakey.pem -> rootCA key file
    c) /etc/ssl/certs/ipsec.pem -> this gateway's cert
    d) /etc/ssl/private/ipsec.pem -> this gateway's key
    e) /etc/ssl/certs/client1.pem -> xp's cert file
    f) /etc/ssl/client1.p12 ->xp's cert file that will be imported on XP
got all the files into the right places in /etc/ipsec.d/
6) configured ipsec.conf on the gateway:
# cat /etc/ipsec.conf
    version 2.0
    config setup
        interfaces=%defaultroute
        plutodebug="all"
        nat_traversal=yes
    conn rwar-sp
        type=tunnel
        authby=rsasig
        leftrsasigkey=%cert
        left=%defaultroute
        leftsubnet=10.0.0.0/24
        leftnexthop=194.102.253.129
        leftcert=ipsec.pem
        rightrsasigkey=%cert
        right=%any
        pfs=yes
        auto=add
7) imported the .p12 file into the certificate stores: the client1 info was installed in Personal Certificates and the cacert part in Trusted Root Certificates
8) configured the Windows machine's ipsec.conf file for Müller's ipsec tool:
    conn rwar-sp
        type=tunnel
        left=%any
        right=194.102.253.132
        rightnexthop=194.102.253.129
        rightsubnet=10.0.0.0/24
        rightca="C=RO,S=none,L=Bucharest,O=Staff Collection,CN=Balu Stefan,Email=stefan at staffcollection.ro"
        network=auto
        auto=add
        pfs=yes
9) created DWORD reg key "AssumeUDPEncapsulationContextOnSendRule" with the value of "2" in order to enable NAT
10) executed: ipsec 
    which created the FreeSWAN policy.
11) Assigned the policy (same as auto=start)
12) pinged 10.0.0.1
    Negotiating ...
    Negotiating ...
and so on forever
in the meantime I get on my Linux box:
Sep  2 14:02:32 mx pluto[17756]: | *received whack message
Sep  2 14:02:32 mx pluto[17756]: listening for IKE messages
Sep  2 14:02:32 mx pluto[17756]: | found lo with address 127.0.0.1
Sep  2 14:02:32 mx pluto[17756]: | found eth0 with address 194.102.253.132
Sep  2 14:02:32 mx pluto[17756]: | found eth1 with address 10.0.0.1
Sep  2 14:02:32 mx pluto[17756]: adding interface eth1/eth1 10.0.0.1:500
Sep  2 14:02:32 mx pluto[17756]: adding interface eth0/eth0 194.102.253.132:500
Sep  2 14:02:32 mx pluto[17756]: adding interface lo/lo 127.0.0.1:500
Sep  2 14:02:32 mx pluto[17756]: | could not open /proc/net/if_inet6
Sep  2 14:02:32 mx pluto[17756]: loading secrets from "/etc/ipsec.secrets"
Sep  2 14:02:32 mx pluto[17756]:   loaded private key file '/etc/ipsec.d/private/ipsec.key' (1743 bytes)
...
Sep  2 14:02:36 mx pluto[17756]: | *received 276 bytes from 81.196.111.218:500 on eth0 (port=500)
Sep  2 14:02:36 mx pluto[17756]: | **parse ISAKMP Message:
Sep  2 14:02:36 mx pluto[17756]: |    initiator cookie:
Sep  2 14:02:36 mx pluto[17756]: |   d1 62 ab 86  3c 6c 12 34
Sep  2 14:02:36 mx pluto[17756]: |    responder cookie:
Sep  2 14:02:36 mx pluto[17756]: |   00 00 00 00  00 00 00 00
Sep  2 14:02:36 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_SA
Sep  2 14:02:36 mx pluto[17756]: |    ISAKMP version: ISAKMP Version 1.0
Sep  2 14:02:36 mx pluto[17756]: |    exchange type: ISAKMP_XCHG_IDPROT
Sep  2 14:02:36 mx pluto[17756]: |    flags: none
Sep  2 14:02:36 mx pluto[17756]: |    message ID:  00 00 00 00
Sep  2 14:02:36 mx pluto[17756]: |    length: 276
Sep  2 14:02:36 mx pluto[17756]: |  processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep  2 14:02:36 mx pluto[17756]: | ***parse ISAKMP Security Association Payload:
Sep  2 14:02:36 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_VID
Sep  2 14:02:36 mx pluto[17756]: |    length: 164
Sep  2 14:02:36 mx pluto[17756]: |    DOI: ISAKMP_DOI_IPSEC
Sep  2 14:02:36 mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:
Sep  2 14:02:36 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_VID
Sep  2 14:02:36 mx pluto[17756]: |    length: 24
Sep  2 14:02:36 mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:
Sep  2 14:02:36 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_VID
Sep  2 14:02:36 mx pluto[17756]: |    length: 20
Sep  2 14:02:36 mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:
Sep  2 14:02:36 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_VID
Sep  2 14:02:36 mx pluto[17756]: |    length: 20
Sep  2 14:02:36 mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:
Sep  2 14:02:36 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_NONE
Sep  2 14:02:36 mx pluto[17756]: |    length: 20
Sep  2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep  2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: ignoring Vendor ID payload [FRAGMENTATION]
Sep  2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Sep  2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Sep  2 14:02:36 mx pluto[17756]: | find_host_connection called from main_inI1_outR1
Sep  2 14:02:36 mx pluto[17756]: | find_host_pair_conn (find_host_connection2): 194.102.253.132:500 81.196.111.218:500 -> hp:none
Sep  2 14:02:36 mx pluto[17756]: | find_host_connection called from main_inI1_outR1
Sep  2 14:02:36 mx pluto[17756]: | find_host_pair_conn (find_host_connection2): 194.102.253.132:500 %any:500 -> hp:none
Sep  2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: initial Main Mode message received on 194.102.253.132:500 but no connection has been authorized
Sep  2 14:02:36 mx pluto[17756]: | complete state transition with STF_IGNORE
Sep  2 14:02:36 mx pluto[17756]: | next event EVENT_PENDING_PHASE2 in 113 seconds
Sep  2 14:02:37 mx pluto[17756]: |
Sep  2 14:02:37 mx pluto[17756]: | *received 276 bytes from 81.196.111.218:500 on eth0 (port=500)
Sep  2 14:02:37 mx pluto[17756]: | **parse ISAKMP Message:
Sep  2 14:02:37 mx pluto[17756]: |    initiator cookie:
Sep  2 14:02:37 mx pluto[17756]: |   d1 62 ab 86  3c 6c 12 34
Sep  2 14:02:37 mx pluto[17756]: |    responder cookie:
Sep  2 14:02:37 mx pluto[17756]: |   00 00 00 00  00 00 00 00
Sep  2 14:02:37 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_SA
Sep  2 14:02:37 mx pluto[17756]: |    ISAKMP version: ISAKMP Version 1.0
Sep  2 14:02:37 mx pluto[17756]: |    exchange type: ISAKMP_XCHG_IDPROT
Sep  2 14:02:37 mx pluto[17756]: |    flags: none
Sep  2 14:02:37 mx pluto[17756]: |    message ID:  00 00 00 00
Sep  2 14:02:37 mx pluto[17756]: |    length: 276
Sep  2 14:02:37 mx pluto[17756]: |  processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep  2 14:02:37 mx pluto[17756]: | ***parse ISAKMP Security Association Payload:
Sep  2 14:02:37 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_VID
Sep  2 14:02:37 mx pluto[17756]: |    length: 164
Sep  2 14:02:37 mx pluto[17756]: |    DOI: ISAKMP_DOI_IPSEC
Sep  2 14:02:37 mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:
Sep  2 14:02:37 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_VID
Sep  2 14:02:37 mx pluto[17756]: |    length: 24
Sep  2 14:02:37 mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:
Sep  2 14:02:37 mx pluto[17756]: |    next payload type: ISAKMP_NEXT_VID
....
and so on

WHAT AM I MISSING?!
I MUST SAY THAT THIS WORKS IF THE XP BOX HAS A ROUTABLE IP ADDRESS..
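As an added example (not from the original post), a small Python triage script that pulls the NAT-T signals out of pluto debug output like the log above: whether the peer offered the NAT-T vendor ID, whether pluto answered that port floating is off, whether a UDP/4500 listener was added at startup, and whether any conn matched the %any host pair. The sample lines are copied from this post; the expectation that a pluto with NAT-T active adds a :4500 listener is an assumption about Openswan behaviour.

```python
import re

# Constructed sample: a handful of pluto debug lines taken from the post above
# (the two wrapped lines rejoined). Not a complete log.
SAMPLE_LOG = """\
Sep  2 14:02:32 mx pluto[17756]: adding interface eth0/eth0 194.102.253.132:500
Sep  2 14:02:36 mx pluto[17756]: | *received 276 bytes from 81.196.111.218:500 on eth0 (port=500)
Sep  2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Sep  2 14:02:36 mx pluto[17756]: | find_host_pair_conn (find_host_connection2): 194.102.253.132:500 %any:500 -> hp:none
Sep  2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: initial Main Mode message received on 194.102.253.132:500 but no connection has been authorized
"""

PATTERNS = {
    "listener":       re.compile(r"adding interface \S+ ([\d.]+):(\d+)"),
    "peer":           re.compile(r"received \d+ bytes from ([\d.]+):(\d+)"),
    "nat_t_vid":      re.compile(r"received Vendor ID payload \[draft-ietf-ipsec-nat-t-ike-\S+\]"),
    "floating_off":   re.compile(r"but port floating is off"),
    "no_host_pair":   re.compile(r"find_host_pair_conn .*%any:500 -> hp:none"),
    "not_authorized": re.compile(r"no connection has been authorized"),
}

def scan(log):
    """Collect the NAT-T and connection-matching signals from pluto debug output."""
    facts = {"listeners": set(), "peers": set(), "nat_t_vid": False,
             "floating_off": False, "no_host_pair": False, "not_authorized": False}
    for line in log.splitlines():
        if m := PATTERNS["listener"].search(line):
            facts["listeners"].add((m.group(1), int(m.group(2))))
        if m := PATTERNS["peer"].search(line):
            facts["peers"].add((m.group(1), int(m.group(2))))
        for key in ("nat_t_vid", "floating_off", "no_host_pair", "not_authorized"):
            if PATTERNS[key].search(line):
                facts[key] = True
    return facts

def triage(log):
    """Turn the collected facts into findings; the log must include pluto's
    startup lines for the UDP/4500 listener check to be meaningful."""
    f = scan(log)
    findings = []
    if f["nat_t_vid"] and f["floating_off"]:
        findings.append("peer offers NAT-T but pluto reports port floating off: NAT-T is not active on the gateway")
    # Assumption: a pluto with NAT-T enabled also adds a :4500 listener at startup.
    if f["listeners"] and not any(port == 4500 for _, port in f["listeners"]):
        findings.append("pluto added IKE listeners on UDP/500 only, no UDP/4500: consistent with NAT-T being inactive")
    if f["no_host_pair"] and f["not_authorized"]:
        findings.append("no conn matched the %any host pair: the roadwarrior conn was not loaded or does not match this peer")
    return findings
```

Run it against a full /var/log/secure (or wherever pluto logs) after restarting ipsec so the startup "adding interface" lines are included.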