[Openswan Users] Connecting Linux client to OSX server

James Chamberlain james.chamberlain at gmail.com
Mon Apr 3 21:12:04 CEST 2006


Hi,

I followed the guide for connecting linux as and l2tp client to windows
and tried to apply the same thing for connecting to OSX. The OSX server
has been upgraded to 10.4.5 so the NAT-T stuff should be spec compliant.
For right now I am still tried to get the ipsec connection to work and
have not gotten to working on the l2tp part yet.

Here is my basic configuration of openswan:

config setup
	nat_traversal=yes

conn MYVPN
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	type=transport
	
	left=%defaultroute
	leftprotoport=17/1701
		
	right=XXX.XXX.XXX.XXX
	rightid=XXX.XXX.XXX.XXX
	rightprotoport=17/1701


Here is the startup of ipsec:

Apr  3 20:01:20 dev1 Initializing IPsec netlink socket
Apr  3 20:01:20 dev1 ipsec_setup: KLIPS ipsec0 on eth1
192.168.20.230/255.255.255.0 broadcast 192.168.20.255
Apr  3 20:01:20 dev1 ipsec__plutorun: Starting Pluto subsystem...
Apr  3 20:01:20 dev1 ipsec_setup: ...Openswan IPsec started
Apr  3 20:01:20 dev1 ipsec_setup: Starting Openswan IPsec
U2.4.5rc6/K2.6.15-gentoo-r5...
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/net/ipv4/ah4.ko
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/net/ipv4/esp4.ko
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/net/ipv4/ipcomp.ko
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/net/ipv4/xfrm4_tunnel.ko
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/net/xfrm/xfrm_user.ko
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/crypto/sha1.ko
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/crypto/des.ko
Apr  3 20:01:20 dev1 ipsec_setup:
insmod /lib/modules/2.6.15-gentoo-r5/kernel/arch/x86_64/crypto/aes-x86_64.ko
Apr  3 20:01:20 dev1 pluto[21618]: Starting Pluto (Openswan Version
2.4.5rc6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OESTg[~pX at __)
Apr  3 20:01:20 dev1 pluto[21618]: Setting NAT-Traversal port-4500
floating to on
Apr  3 20:01:20 dev1 pluto[21618]:    port floating activation criteria
nat_t=1/port_fload=1
Apr  3 20:01:20 dev1 pluto[21618]:   including NAT-Traversal patch
(Version 0.6c)
Apr  3 20:01:20 dev1 pluto[21618]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Apr  3 20:01:20 dev1 pluto[21618]: starting up 3 cryptographic helpers
Apr  3 20:01:20 dev1 pluto[21618]: started helper pid=21656 (fd:6)
Apr  3 20:01:20 dev1 pluto[21618]: started helper pid=21657 (fd:7)
Apr  3 20:01:20 dev1 pluto[21618]: started helper pid=21658 (fd:8)
Apr  3 20:01:20 dev1 pluto[21618]: Using Linux 2.6 IPsec interface code
on 2.6.15-gentoo-r5
Apr  3 20:01:20 dev1 pluto[21618]: Changing to directory
'/etc/ipsec/ipsec.d/cacerts'
Apr  3 20:01:20 dev1 pluto[21618]: Changing to directory
'/etc/ipsec/ipsec.d/aacerts'
Apr  3 20:01:20 dev1 pluto[21618]: Changing to directory
'/etc/ipsec/ipsec.d/ocspcerts'
Apr  3 20:01:20 dev1 pluto[21618]: Changing to directory
'/etc/ipsec/ipsec.d/crls'
Apr  3 20:01:20 dev1 pluto[21618]:   Warning: empty directory
Apr  3 20:01:20 dev1 pluto[21618]: added connection description "MYVPN"
Apr  3 20:01:20 dev1 pluto[21618]: listening for IKE messages
Apr  3 20:01:20 dev1 pluto[21618]: adding interface eth1/eth1
192.168.20.230:500
Apr  3 20:01:20 dev1 pluto[21618]: adding interface eth1/eth1
192.168.20.230:4500
Apr  3 20:01:20 dev1 pluto[21618]: adding interface lo/lo 127.0.0.1:500
Apr  3 20:01:20 dev1 pluto[21618]: adding interface lo/lo 127.0.0.1:4500
Apr  3 20:01:20 dev1 pluto[21618]: adding interface lo/lo ::1:500
Apr  3 20:01:20 dev1 pluto[21618]: loading secrets from
"/etc/ipsec/ipsec.secrets"


Here is what happens when I try to connect:

104 "MYVPN" #1: STATE_MAIN_I1: initiate
003 "MYVPN" #1: ignoring Vendor ID payload [KAME/racoon]
003 "MYVPN" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "MYVPN" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "MYVPN" #1: ignoring Vendor ID payload [KAME/racoon]
003 "MYVPN" #1: NAT-Traversal: Result using 3: both are NATed
108 "MYVPN" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "MYVPN" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 "MYVPN" #2: STATE_QUICK_I1: initiate
003 "MYVPN" #2: length of ISAKMP Notification Payload is smaller than
minimum
003 "MYVPN" #2: malformed payload in packet
010 "MYVPN" #2: STATE_QUICK_I1: retransmission; will wait 20s for
response
003 "MYVPN" #2: length of ISAKMP Notification Payload is smaller than
minimum
003 "MYVPN" #2: malformed payload in packet
003 "MYVPN" #2: length of ISAKMP Notification Payload is smaller than
minimum
003 "MYVPN" #2: malformed payload in packet
010 "MYVPN" #2: STATE_QUICK_I1: retransmission; will wait 40s for
response
031 "MYVPN" #2: max number of retransmissions (2) reached
STATE_QUICK_I1.  No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
000 "MYVPN" #2: starting keying attempt 2 of at most 3, but releasing
whack


Does anyone see anything obvious that I could be doing wrong or anything
I could do to produce more debug that could show what the problem is? If
I disable nat_traversal it will connect, but will not work correctly.

Thanks,

James


On Mon, 2006-04-03 at 13:56 +0200, Jacco de Leeuw wrote:
> James Chamberlain wrote:
> 
> > Has anyone successfully connected a Linux client to a NAT'd OSX server
> > running vpnd? The OSX server was just updated to 10.4.5, which should
> > resolve some of the interoperability issues that I have seen others
> > complain about. Has anyone tried this? Most of the entries in the list
> > are about the opposite: connecting OSX clients to Linux servers.
> 
> I've put together some info on using Linux as a client:
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#Client
> I've mainly tested it with Windows 2003 but the same procedure
> should be valid for Mac OS X as well.
> 
> I've just tried to connect with Openswan 2.4.5rc6 to a Mac OS X Server
> (probably running 10.4.3) and I don't think it worked with NAT-T:
> 
>   "L2TP-PSK2" #1: initiating Main Mode
>   "L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
>   "L2TP-PSK2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] 
> method set to=110
>   "L2TP-PSK2" #1: enabling possible NAT-traversal with method 4
>   "L2TP-PSK2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>   "L2TP-PSK2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>   "L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
>   "L2TP-PSK2" #1: I did not send a certificate because I do not have one.
>   "L2TP-PSK2" #1: NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation
>   "L2TP-PSK2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>   "L2TP-PSK2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>   "L2TP-PSK2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
>   "L2TP-PSK2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>   "L2TP-PSK2" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1024}
>   "L2TP-PSK2" #2: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#1}
>   "L2TP-PSK2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>   "L2TP-PSK2" #1: received and ignored informational message
>   "L2TP-PSK2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
>   "L2TP-PSK2" #1: received and ignored informational message
>   "L2TP-PSK2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
>   "L2TP-PSK2" #1: received and ignored informational message
> 
> This version of Mac OS X Server does not support RFC 3947 and the client
> did not send the Vendor ID of Apple's NAT-T variant
> ("draft-ietf-ipsec-nat-t-ike") so the NAT-T negotiation failed.
> But then I added this patch:
> 
> --- nat_traversal.c.org     2006-01-04 19:57:52.000000000 +0100
> +++ nat_traversal.c     2006-04-03 11:12:08.000000000 +0200
> @@ -202,6 +202,7 @@
>                  if (r) r = out_vendorid(np, outs, VID_NATT_IETF_03);
>                  if (r) r = out_vendorid(np, outs, VID_NATT_IETF_02);
>                  if (r) r = out_vendorid(np, outs, VID_NATT_IETF_02_N);
> +               if (r) r = out_vendorid(np, outs, 
> VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE);
>          }
>          if (nat_traversal_support_non_ike) {
>                  if (r) r = out_vendorid(np, outs, VID_NATT_IETF_00);
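Review bot: the added `+` line has been wrapped by the mailer into `if (r) r = out_vendorid(np, outs,` followed by `VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE);` on a separate line, so as quoted it will not apply with `patch`; rejoin it into one line (the `@@ -202,6 +202,7 @@` header already accounts for exactly one added line). The new call also carries no comment saying why a pre-RFC-3947 draft VID is being advertised alongside the IETF_02/_03 ones; a one-line comment that it exists for Mac OS X Server peers that only recognise "draft-ietf-ipsec-nat-t-ike" would save the next reader a trip to this thread. Finally, the hunk references `VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE` without defining it, so the constant must already be in the vendor table (the log above shows pluto recognising that VID on receipt, so it is at least known for matching); worth confirming it is wired for sending too.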
> 
> I got a bit further because this time Openswan sent the Apple NAT-T VID:
> 
> "L2TP-PSK2" #1: initiating Main Mode
> "L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
> "L2TP-PSK2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method 
> set to=110
> "L2TP-PSK2" #1: enabling possible NAT-traversal with method 4
> "L2TP-PSK2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> "L2TP-PSK2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> "L2TP-PSK2" #1: ignoring Vendor ID payload [KAME/racoon]
> "L2TP-PSK2" #1: I did not send a certificate because I do not have one.
> "L2TP-PSK2" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
> "L2TP-PSK2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> "L2TP-PSK2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> "L2TP-PSK2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
> "L2TP-PSK2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> "L2TP-PSK2" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1024}
> "L2TP-PSK2" #2: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#1}
> "L2TP-PSK2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> "L2TP-PSK2" #1: received and ignored informational message
> "L2TP-PSK2" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> "L2TP-PSK2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> "L2TP-PSK2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established 
> {ESP=>0x0d5001c5 <0x560dc080 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> Jacco
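
Added example, not code from the thread or from Openswan: the two things pluto is complaining about in the logs above are Vendor ID matching (which NAT-T variant the peer advertises) and the check behind "length of ISAKMP Notification Payload is smaller than minimum" / "malformed payload in packet". The small parser below walks an ISAKMP payload chain the way a receiver must, verifying every declared length against the packet before trusting it, identifies NAT-T Vendor IDs by the MD5 of the draft name (the scheme Openswan and others use), and enforces the 12-byte minimum for a Notification payload (4-byte generic header plus DOI, Protocol-ID, SPI Size and Notify Type per RFC 2408 section 3.14). The sample packets, the function names and the `NATT_VID_STRINGS` list are constructed for this illustration; the `-02\n` entry is the draft VID with the trailing newline that some implementations sent.

```python
import hashlib
import struct

# Payload type numbers from RFC 2408 section 3.1.
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 11
PAYLOAD_VID = 13

GENERIC_HDR_LEN = 4    # Next Payload (1), RESERVED (1), Payload Length (2)
NOTIFY_FIXED_LEN = 8   # DOI (4), Protocol-ID (1), SPI Size (1), Notify Type (2)
NOTIFY_MIN_LEN = GENERIC_HDR_LEN + NOTIFY_FIXED_LEN   # 12 bytes

NOTIFY_NAMES = {
    14: "NO_PROPOSAL_CHOSEN",            # RFC 2408 section 3.14.1
    24576: "IPSEC_RESPONDER_LIFETIME",   # RFC 2407 section 4.6.3
    24578: "IPSEC_INITIAL_CONTACT",      # RFC 2407 section 4.6.3
}

# NAT-T Vendor IDs are the MD5 of the draft/RFC name (constructed list).
NATT_VID_STRINGS = [
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-03",
    "draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-00",
    "draft-ietf-ipsec-nat-t-ike",        # the Apple/racoon variant from the thread
]
NATT_VIDS = {hashlib.md5(s.encode()).digest(): s for s in NATT_VID_STRINGS}


class MalformedPayload(ValueError):
    """Raised where pluto would log 'malformed payload in packet'."""


def walk_payloads(first_type, data):
    """Yield (payload_type, declared_length, body) along the Next Payload chain.

    Every declared length is checked against the bytes actually present
    before the body is sliced, so a lying length field cannot over-read.
    """
    ptype, off = first_type, 0
    while ptype != PAYLOAD_NONE:
        if len(data) - off < GENERIC_HDR_LEN:
            raise MalformedPayload("truncated generic payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < GENERIC_HDR_LEN or off + length > len(data):
            raise MalformedPayload("payload length %d does not fit packet" % length)
        yield ptype, length, data[off + GENERIC_HDR_LEN:off + length]
        ptype, off = next_type, off + length
    if off != len(data):
        raise MalformedPayload("%d trailing bytes after last payload" % (len(data) - off))


def parse_notify(length, body):
    """Decode a Notification payload body, enforcing the 12-byte minimum first."""
    if length < NOTIFY_MIN_LEN:
        raise MalformedPayload(
            "length of ISAKMP Notification Payload (%d) is smaller than minimum (%d)"
            % (length, NOTIFY_MIN_LEN))
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    if NOTIFY_FIXED_LEN + spi_size > len(body):
        raise MalformedPayload("SPI size %d exceeds payload" % spi_size)
    spi_end = NOTIFY_FIXED_LEN + spi_size
    return {"doi": doi, "protocol": proto, "spi": body[NOTIFY_FIXED_LEN:spi_end],
            "type": ntype, "name": NOTIFY_NAMES.get(ntype, "UNKNOWN_%d" % ntype),
            "data": body[spi_end:]}


def describe(first_type, data):
    """Return pluto-style one-line descriptions; stop at the first malformed payload."""
    lines = []
    try:
        for ptype, length, body in walk_payloads(first_type, data):
            if ptype == PAYLOAD_VID:
                name = NATT_VIDS.get(body, "unknown " + body.hex())
                lines.append("received Vendor ID payload [%s]" % name)
            elif ptype == PAYLOAD_NOTIFY:
                lines.append("informational payload, type %s" % parse_notify(length, body)["name"])
            else:
                lines.append("payload type %d (%d bytes)" % (ptype, length))
    except MalformedPayload as exc:
        lines.append("malformed payload in packet: %s" % exc)
    return lines


# Builders used only to construct the sample packets below.
def build_payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, GENERIC_HDR_LEN + len(body)) + body


def build_vid(next_type, name):
    return build_payload(next_type, hashlib.md5(name.encode()).digest())


def build_notify(next_type, ntype, spi=b"", data=b""):
    # DOI 1 (IPsec), Protocol-ID 1 (ISAKMP); SPI and data are optional.
    return build_payload(next_type, struct.pack("!IBBH", 1, 1, len(spi), ntype) + spi + data)


# Constructed sample chains (the 28-byte ISAKMP header itself is omitted).
GOOD_CHAIN = (build_vid(PAYLOAD_VID, "RFC 3947")
              + build_vid(PAYLOAD_NOTIFY, "draft-ietf-ipsec-nat-t-ike")
              + build_notify(PAYLOAD_NONE, 14))
# A Notification payload whose declared length (8) is below the 12-byte minimum.
SHORT_NOTIFY = build_payload(PAYLOAD_NONE, b"\x00\x00\x00\x01")

if __name__ == "__main__":
    for line in describe(PAYLOAD_VID, GOOD_CHAIN) + describe(PAYLOAD_NOTIFY, SHORT_NOTIFY):
        print(line)
```

Running it prints the two recognised Vendor IDs, a NO_PROPOSAL_CHOSEN notification, and then the same minimum-length complaint that appears in the Quick Mode log above; the point of checking the declared length before decoding the fixed fields is that the packet is untrusted input on UDP/500 and UDP/4500, so the receiver must never read past what it actually got.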


