[Openswan Users] problem with NATT and openswan

Darcy Ganga dganga at syachile.cl
Wed Sep 14 12:29:30 CEST 2005


Hello,


I need your help. After installing the patch
openswan-2.4.0dr8.kernel-2.4-natt.patch and recompiling the kernel and
modules, my ipsec has a problem with any connection via
roadwarrior.

Is there some problem in my config file, or is some parameter missing?

Data: 

AAA.AAA.AAA.AAA = internal network segment 1
BBB.BBB.BBB.BBB = internal network segment 2
XXX.XXX.XXX.XXX = eth0 interface (external)
YYY.YYY.YYY.YYY = external IP, trying to connect using NAT-T

My config files are:

/etc/ipsec.conf

version 2.0
 
config setup
        interfaces=%defaultroute
        nat_traversal=yes
#        virtual_private=%v4:192.168.0.0/16
 
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
include ipsec.road.conf

/etc/ipsec.road.conf
version 2.0
 
conn roadwarrior-net
        leftsubnet=AAA.AAA.AAA.AAA/24
        also=roadwarrior
 
conn roadwarrior-net2
        leftsubnet=BBB.BBB.BBB.BB/24
        also=roadwarrior
 
 
conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior
 
conn roadwarrior
        left=%defaultroute
        leftcert=certificate.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        authby=secret
        pfs=yes
 
conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftcert=certificate.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add
 
conn roadwarrior-l2tp-updatedwin
        type=transport
        left=%defaultroute
        leftcert=certificate.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add
 

/var/log/secure

Sep 13 22:43:01 dns ipsec__plutorun: Starting Pluto subsystem...
Sep 13 22:43:01 dns pluto[8414]: Starting Pluto (Openswan Version 2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Sep 13 22:43:01 dns pluto[8414]:   including NAT-Traversal patch (Version 0.6c)
Sep 13 22:43:01 dns pluto[8414]: Using KLIPS IPsec interface code
Sep 13 22:43:01 dns pluto[8414]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 13 22:43:01 dns pluto[8414]:   Warning: empty directory
Sep 13 22:43:01 dns pluto[8414]: Changing to directory '/etc/ipsec.d/crls'
Sep 13 22:43:01 dns pluto[8414]:   Warning: empty directory
Sep 13 22:43:01 dns pluto[8414]:   loaded host cert file '/etc/ipsec.d/certs/certificate.pem' (3598 bytes)
Sep 13 22:43:01 dns pluto[8414]: added connection description "roadwarrior"
Sep 13 22:43:01 dns pluto[8414]:   loaded host cert file '/etc/ipsec.d/certs/certificate.pem' (3598 bytes)
Sep 13 22:43:01 dns pluto[8414]: added connection description "roadwarrior-all"
Sep 13 22:43:02 dns pluto[8414]:   loaded host cert file '/etc/ipsec.d/certs/certificate.pem' (3598 bytes)
Sep 13 22:43:02 dns pluto[8414]: added connection description "roadwarrior-net2"
Sep 13 22:43:02 dns pluto[8414]:   loaded host cert file '/etc/ipsec.d/certs/certificate.pem' (3598 bytes)
Sep 13 22:43:02 dns pluto[8414]: added connection description "roadwarrior-net"
Sep 13 22:43:02 dns pluto[8414]: listening for IKE messages
Sep 13 22:43:02 dns pluto[8414]: adding interface ipsec0/eth0 XXX.XXX.XXX.XXX
Sep 13 22:43:02 dns pluto[8414]: adding interface ipsec0/eth0 XXX.XXX.XXX.XXX:4500
Sep 13 22:43:02 dns pluto[8414]: loading secrets from "/etc/ipsec.secrets"
Sep 13 22:43:02 dns pluto[8414]:   loaded private key file '/etc/ipsec.d/private/certificate.pem' (963 bytes)
Sep 13 22:43:02 dns pluto[8414]:   loaded private key file '/etc/ipsec.d/private/certificate2.pem' (963 bytes)
Sep 13 22:43:02 dns pluto[8414]: loading secrets from "/etc/ipsec.psk.secrets"
Sep 13 22:43:27 dns pluto[8414]: packet from YYY.YYY.YYY.YYY:500: ignoring Vendor ID payload [Dead Peer Detection]
Sep 13 22:43:27 dns pluto[8414]: packet from YYY.YYY.YYY.YYY:500: ignoring Vendor ID payload [afca071368a1f1c9...]
Sep 13 22:43:27 dns pluto[8414]: packet from YYY.YYY.YYY.YYY:500: ignoring Vendor ID payload [6ef67e6852cf3117...]
Sep 13 22:43:27 dns pluto[8414]: packet from YYY.YYY.YYY.YYY:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 13 22:43:27 dns pluto[8414]: packet from YYY.YYY.YYY.YYY:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 13 22:43:27 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: responding to Main Mode from unknown peer YYY.YYY.YYY.YYY
Sep 13 22:43:27 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: transition from state (null) to state STATE_MAIN_R1
Sep 13 22:43:27 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 13 22:43:27 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 13 22:43:57 dns pluto[8414]: packet from YYY.YYY.YYY.YYY:62410: next payload type of ISAKMP Message has an unknown value:108
Sep 13 22:44:37 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: max number of retransmissions (2) reached STATE_MAIN_R2
Sep 13 22:44:37 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY: deleting connection "roadwarrior" instance with peer YYY.YYY.YYY.YYY {isakmp=#0/ipsec=#0}


Regards,
-- 
Darcy Roberto Ganga
System Engineer and Technical Software
S&A Consultores de Chile S.A
mailto:dganga at syachile.cl
http://www.syachile.cl
Phone:56-2-9401500
Direct:56-2-9401560
Key fingerprint =  91 4F 1F 11 89 E4 84 25  36 0B 92 E6 E6 91 8D 3F  47 05 36 EC
User #290674 counter.li.org
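An added example, not part of the original post or of Openswan: a small Python checker that reads Pluto log lines in the format of the /var/log/secure excerpt above (with the mail-wrapped lines joined back together) and flags a peer for which NAT-T detection was followed by an ISAKMP packet from a different source port that Pluto could not parse, and then a retransmission timeout. The sample lines are constructed from the excerpt, keeping the YYY.YYY.YYY.YYY placeholder; the event patterns it recognises are only the three message shapes visible in that log.

```python
import re
from collections import defaultdict

# Message shapes taken from the Pluto log excerpt in the post (lines joined).
RE_NATED = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: NAT-Traversal: .*peer is NATed')
RE_BADPAYLOAD = re.compile(
    r'packet from (?P<peer>[^\s:]+):(?P<port>\d+): next payload type of '
    r'ISAKMP Message has an unknown value:(?P<val>\d+)')
RE_RETRANS = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: max number of '
    r'retransmissions \(\d+\) reached (?P<state>STATE_\w+)')


def analyze(lines):
    """Return {peer: details} for peers that (1) were detected as NATed,
    (2) then sent a packet from a port other than 500 that Pluto rejected
    as an unknown ISAKMP payload type, and (3) then hit the retransmission
    limit. Peers missing any of the three steps are not reported."""
    state = defaultdict(lambda: {"nated": False, "odd_port": None,
                                 "bad_value": None, "timeout_state": None})
    for line in lines:
        m = RE_NATED.search(line)
        if m:
            state[m["peer"]]["nated"] = True
            continue
        m = RE_BADPAYLOAD.search(line)
        if m and state[m["peer"]]["nated"] and m["port"] != "500":
            state[m["peer"]]["odd_port"] = int(m["port"])
            state[m["peer"]]["bad_value"] = int(m["val"])
            continue
        m = RE_RETRANS.search(line)
        if m:
            state[m["peer"]]["timeout_state"] = m["state"]
    return {peer: dict(s) for peer, s in state.items()
            if s["nated"] and s["odd_port"] is not None and s["timeout_state"]}


# Constructed sample, mirroring the excerpt in the post (placeholder peer kept).
SAMPLE = [
    'Sep 13 22:43:27 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: responding to Main Mode from unknown peer YYY.YYY.YYY.YYY',
    'Sep 13 22:43:27 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed',
    'Sep 13 22:43:27 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    'Sep 13 22:43:57 dns pluto[8414]: packet from YYY.YYY.YYY.YYY:62410: next payload type of ISAKMP Message has an unknown value:108',
    'Sep 13 22:44:37 dns pluto[8414]: "roadwarrior"[1] YYY.YYY.YYY.YYY #1: max number of retransmissions (2) reached STATE_MAIN_R2',
]

if __name__ == "__main__":
    for peer, info in analyze(SAMPLE).items():
        print(f"{peer}: NATed, unparseable ISAKMP packet from port "
              f"{info['odd_port']} (payload type {info['bad_value']}), "
              f"then timed out in {info['timeout_state']}")
```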
