[Openswan Users] pluto failure
Wolfram Tuleweit
Wolfram.Tuleweit at t-online.de
Thu Sep 29 11:56:52 CEST 2005
Hello,
I think I have a similar problem.
The situation is:
(Private LAN1)
|
|
-----------------------------------
Initiator:
Slackware 10.0
Kernel 2.4.26
Linux Openswan 2.3.1
----------------------------------
|
|
(DSL)
|
|
-------------------------------
NatBox Cisco 3600
--------------------------------
|
|
(Private LAN2)
|
|
----------------------------------------
Responder:
Slackware 10.0
Kernel 2.4.26
StrongSwan 2.4.1 (sorry ;-)
---------------------------------------
On the Initiator side the following occurs:
I reached Quick Mode successfully; an IPsec SA is established:
Sep 29 09:49:05 PC2 pluto[347]: packet from 141.39.76.42:4772: Informational Exchange is for an unknown (expired?) SA
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: initiating Main Mode
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: ignoring unknown Vendor ID payload [75b0653cb281eb26d31ede38c8e1e228]
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: received Vendor ID payload [Dead Peer Detection]
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: received Vendor ID payload [RFC 3947] method set to=109
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: enabling possible NAT-traversal with method 3
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 29 09:49:33 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:500/187)
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: I am sending my cert
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: I am sending a certificate request
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=B......, O=....., OU=....., CN=.....'
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: crl update for "C=DE, ST=...., L=..., O=...., OU=T..., CN=....." is overdue since Aug 20 07:14:28 UTC 2005
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: ISAKMP SA established
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #8: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#7}
Sep 29 09:49:34 PC2 pluto[347]: "adh_es23" #8: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 29 09:49:34 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4774)
Sep 29 09:49:34 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto failed for msg_type 2 (update).
Sep 29 09:49:34 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Sep 29 09:49:34 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
Sep 29 09:49:34 PC2 pluto[347]: "adh_es23" #8: sent QI2, IPsec SA established {ESP=>0x150961e5 <0x252eca01 xfrm=AES_128-HMAC_SHA1 NATD=141.39.76.42}
But the new NAT mapping fails.
If I use the tunnel, e.g. a host from the private LAN1 tries to reach an arbitrary host in LAN2,
a lot of errors occur in the log file:
Sep 29 09:52:20 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4776)
Sep 29 09:52:20 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto failed for msg_type 2 (update).
Sep 29 09:52:20 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Sep 29 09:52:20 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
Sep 29 09:52:21 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4777)
Sep 29 09:52:21 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto failed for msg_type 2 (update).
Sep 29 09:52:21 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Sep 29 09:52:21 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
Sep 29 09:52:23 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4778)
Sep 29 09:52:23 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto failed for msg_type 2 (update).
Sep 29 09:52:23 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Sep 29 09:52:23 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
Sep 29 09:52:24 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4779)
Sep 29 09:52:24 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto failed for msg_type 2 (update).
Sep 29 09:52:24 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Sep 29 09:52:24 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
...... and so on.
I hope I can contribute to solving this problem. Concerning the first messages in this thread: could it be a Slackware problem?
Best regards
Wolfram Tuleweit
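The pattern in the post (a `NAT-T: new mapping` line for the peer's shifting UDP/4500 source port, immediately followed by a `pfkey_msg_build ... failed, code -22` line for the same ESP SPI, repeating on every packet through the tunnel) is easy to spot by eye in a short excerpt but not in a day of syslog. The following is an added example, not code from the post or from Openswan, that parses pluto's syslog lines, pairs each new NAT-T mapping with the PF_KEY failure that follows it, and reports how many times the same SA update failed and how many different source ports the NATed peer has been seen on. The sample lines are constructed from the post; the regexes, the function names and the `min_repeats` threshold are this example's own assumptions, and the `-22` to `EINVAL` translation relies on Linux errno numbering.

```python
import errno
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the pluto lines quoted in the post.
SAMPLE_LOG = """\
Sep 29 09:49:33 PC2 pluto[347]: "adh_es23" #7: ISAKMP SA established
Sep 29 09:49:34 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4774)
Sep 29 09:49:34 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto failed for msg_type 2 (update).
Sep 29 09:49:34 PC2 pluto[347]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Sep 29 09:49:34 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
Sep 29 09:49:34 PC2 pluto[347]: "adh_es23" #8: sent QI2, IPsec SA established {ESP=>0x150961e5 <0x252eca01 xfrm=AES_128-HMAC_SHA1 NATD=141.39.76.42}
Sep 29 09:52:20 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4776)
Sep 29 09:52:20 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
Sep 29 09:52:21 PC2 pluto[347]: | NAT-T: new mapping 141.39.76.42:4500/4777)
Sep 29 09:52:21 PC2 pluto[347]: "adh_es23" #8: pfkey_msg_build of Add SA esp.252eca01 at 84.189.202.200 failed, code -22
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
PLUTO_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$')
# "| NAT-T: new mapping <peer>:<old port>/<new port>)"  (the stray ')' is in pluto's own output)
MAPPING_RE = re.compile(r'NAT-T: new mapping (?P<ip>[\d.]+):(?P<port>\d+)/(?P<newport>\d+)')
# '"<conn>" #<state>: pfkey_msg_build of <op> esp.<spi> at <host> failed, code <n>'
PFKEY_FAIL_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): pfkey_msg_build of (?P<op>.+?) '
    r'(?P<sa>esp\.[0-9a-f]+) at (?P<host>[\d.]+) failed, code (?P<code>-?\d+)')


def parse_pluto_lines(text):
    """Turn raw syslog text into a list of mapping / pfkey_fail events (other lines are dropped)."""
    events = []
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue
        ts, msg = m.group('ts'), m.group('msg')
        mm = MAPPING_RE.search(msg)
        if mm:
            events.append({'ts': ts, 'kind': 'mapping', 'peer': mm.group('ip'),
                           'old_port': int(mm.group('port')), 'new_port': int(mm.group('newport'))})
            continue
        pf = PFKEY_FAIL_RE.search(msg)
        if pf:
            events.append({'ts': ts, 'kind': 'pfkey_fail', 'conn': pf.group('conn'),
                           'state': int(pf.group('state')), 'op': pf.group('op'),
                           'sa': pf.group('sa'), 'host': pf.group('host'), 'code': int(pf.group('code'))})
    return events


def summarize_nat_t_failures(events, min_repeats=2):
    """Count repeated PF_KEY failures per (conn, SA, op, code) and the ports each NATed peer moved through.

    A failure that directly follows a 'new mapping' event is counted separately, because that is the
    signature of the kernel rejecting pluto's attempt to update the SA's NAT-T port, not an initial Add SA.
    """
    failures = Counter()
    peer_ports = defaultdict(set)
    failed_after_mapping = 0
    prev = None
    for ev in events:
        if ev['kind'] == 'mapping':
            peer_ports[ev['peer']].add(ev['new_port'])
        else:
            failures[(ev['conn'], ev['sa'], ev['op'], ev['code'])] += 1
            if prev is not None and prev['kind'] == 'mapping':
                failed_after_mapping += 1
        prev = ev

    findings = []
    for (conn, sa, op, code), n in sorted(failures.items()):
        if n >= min_repeats:
            # pluto reports the negative errno; on Linux 22 is EINVAL (assumed platform numbering)
            name = errno.errorcode.get(abs(code), 'unknown')
            findings.append(f'{conn}: "{op}" for {sa} failed {n} times with code {code} ({name})')
    return {
        'failures': dict(failures),
        'peer_ports': {peer: sorted(ports) for peer, ports in peer_ports.items()},
        'failed_after_mapping': failed_after_mapping,
        'findings': findings,
    }


if __name__ == '__main__':
    report = summarize_nat_t_failures(parse_pluto_lines(SAMPLE_LOG))
    for line in report['findings']:
        print(line)
    for peer, ports in report['peer_ports'].items():
        print(f'{peer}: seen on {len(ports)} different NAT-T source ports: {ports}')
    print(f'{report["failed_after_mapping"]} failures directly followed a new NAT-T mapping')
```

Run against a real `/var/log/secure` or wherever pluto's syslog facility lands; the interesting output is the combination of one SPI failing over and over with EINVAL while the peer's source port keeps changing, which points at the SA update path rather than at IKE negotiation (the ISAKMP and IPsec SA lines in the same excerpt are both successful).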