[Openswan Users] Aggressive mode, NAT-T, destination behind NAT

Brian Candler B.Candler at pobox.com
Mon Apr 10 17:15:19 CEST 2006


Here's a different scenario which fails with 2.4.5 (it failed with 2.4.4
too).

I'm using aggressive mode to attempt to set up a connection to a PIX. This
PIX is behind a static NAT router/firewall. Ultimately this connection will
be authenticated using XAUTH, but it doesn't get that far.

[Why am I doing this? It's our normal office VPN for roaming users. I must
use aggressive mode because the userbase is divided into named groups, each
with their own pre-shared key, and aggressive mode is the only way this
works]

So it looks like this:


       X.X.X.24           X.X.X.65             10.11.2.13
  openswan ------------------------ FW ----------------- PIX
                                  <---->
                                static NAT

Here's what happens:

root at OpenWrt:~# ipsec auto --verbose --up office
002 "office" #1: initiating Aggressive Mode #1, connection "office"
112 "office" #1: STATE_AGGR_I1: initiate
003 "office" #1: received Vendor ID payload [Cisco-Unity]
003 "office" #1: received Vendor ID payload [XAUTH]
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "office" #1: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
003 "office" #1: ignoring unknown Vendor ID payload [0638090dd106127d208deea97fa5210a]
003 "office" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "office" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
002 "office" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
003 "office" #1: no suitable connection for peer '10.11.2.13'
003 "office" #1: initial Aggressive Mode packet claiming to be from X.X.X.65 on X.X.X.65 but no connection has been authorized
218 "office" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 "office" #1: sending notification INVALID_ID_INFORMATION to X.X.X.65:500

Configs:

[/etc/ipsec.conf]
version 2.0

config setup
        nat_traversal=yes
        plutodebug="natt control"

conn office
        ike=3des-md5-modp1024
        aggrmode=yes
        authby=secret
        left=%defaultroute
        leftid=@mygroup
        leftxauthclient=yes
        leftmodecfgclient=yes
        right=X.X.X.65
        rightxauthserver=yes
        rightmodecfgserver=yes
        pfs=no
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

[/etc/ipsec.secrets]
@mygroup X.X.X.65 : PSK "..."

This works using the Cisco client for Linux, and vpnc under FreeBSD, but not
with Openswan 2.4.5.

Openswan logs don't show any NAT-T decision-making, even though natt logging
is on. I think it's simply not getting that far.

Any suggestions?

Regards,

Brian.
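As an added illustration (not part of Brian's post or of Openswan itself), this Python snippet reads the pluto lines and the conn section from the post and compares the Phase 1 ID the PIX presented with the ID the conn expects: Openswan matches the peer's ID against rightid=, or against right= when rightid= is unset, which is why an ID of 10.11.2.13 finds "no suitable connection" in a conn that only names X.X.X.65. The sample log and conn text are constructed from the post, and the parser handles only indented key=value lines, not the full ipsec.conf grammar.

```python
import re

# Constructed sample input: the relevant pluto lines and conn settings from the post.
PLUTO_LOG = """\
002 "office" #1: initiating Aggressive Mode #1, connection "office"
002 "office" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
003 "office" #1: no suitable connection for peer '10.11.2.13'
218 "office" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
"""
IPSEC_CONF = """\
config setup
        nat_traversal=yes

conn office
        aggrmode=yes
        right=X.X.X.65
        rightxauthserver=yes
"""
PEER_ID_RE = re.compile(r"Aggressive mode peer ID is (\w+): '([^']*)'")

def parse_conn(conf, name):
    """Collect the key=value lines of one 'conn' section (indented lines under its header)."""
    settings, active = {}, False
    for line in conf.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        if not line[0].isspace():           # an unindented line starts a new section
            active = body == f"conn {name}"
        elif active and "=" in body:
            key, val = body.split("=", 1)
            settings[key.strip()] = val.strip().strip('"')
    return settings

def presented_peer_id(log, conn):
    """Return (id_type, id_value) that pluto logged for the peer of this conn, or None."""
    for line in log.splitlines():
        m = PEER_ID_RE.search(line) if f'"{conn}"' in line else None
        if m:
            return m.group(1), m.group(2)
    return None

def expected_peer_id(settings):
    """ID the conn will accept: rightid= if set, otherwise right= taken as an address ID."""
    rid = settings.get("rightid")
    if rid is None:
        return "ID_IPV4_ADDR", settings.get("right")
    return ("ID_FQDN", rid[1:]) if rid.startswith("@") else ("ID_IPV4_ADDR", rid)

def check_peer_id(conf, log, conn):
    """Compare presented and expected IDs; returns (matches, presented, expected)."""
    presented = presented_peer_id(log, conn)
    expected = expected_peer_id(parse_conn(conf, conn))
    return presented == expected, presented, expected

if __name__ == "__main__":
    ok, got, want = check_peer_id(IPSEC_CONF, PLUTO_LOG, "office")
    print("peer ID matches conn" if ok else f"mismatch: peer sent {got}, conn expects {want}")
```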

