[Openswan Users] NAT problems

Geert Janssens info at kobaltwit.be
Wed Jan 11 17:51:51 CET 2006


On Wednesday 11 January 2006 17:00, you wrote:
> On Wed, 11 Jan 2006, Geert Janssens wrote:
> > First I added rightsubnet=vhost:%priv,%no on both sides. When I restarted
> > ipsec, the tunnel didn't show up in ipsec auto --status.
> > So I tried to manually add the routes with
> > # ipsec auto --add kobaltwit-to-auxima
> >
> > This returned an error:
> > 023 virtual IP must only be used with %any and without client
> >
> > So I also replaced rightid with %any (it was the remote firewall's public
> > interface until now). After restarting the routes appear again in ipsec
> > auto --status, but I can't up the connection:
> > [root at chief openswan]# ipsec auto --verbose --up kobaltwit-to-auxima
> > 029 "kobaltwit-to-auxima": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
>
> Only add the rightsubnet to the responder (server), not the initiator
> (client)
>
Thank you for the fast response and sorry to bother you again. I changed the 
configuration to have the vhost rightsubnet on the server only. When I try to 
bring up the connection, it gets stuck in STATE_QUICK_I1.

On the server I have the following log messages:
| ***parse ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_NONE
|    length: 16
|    ID type: ID_IPV4_ADDR_SUBNET
|    Protocol ID: 0
|    port: 0
| removing 4 bytes of padding
| HASH(1) computed:
|   c6 c5 40 da  80 b1 8e aa  29 a8 69 5f  09 26 f4 a2
| peer client is subnet 192.168.0.2/32
| peer client protocol/port is 0/0
| our client is subnet 81.83.108.106/32
| our client protocol/port is 0/0
| find_client_connection starting with kobaltwit-to-auxima
|   looking for 81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0
|   concrete checking against sr#0 192.168.2.2/32 -> 0.0.0.0/32
|    match_id a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
|   match_id called with a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
|   trusted_ca called with a=(empty) b=(empty)
|   fc_try trying kobaltwit-to-auxima:81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0 vs kobaltwit-to-auxima:192.168.2.2/32:0/0 -> 0.0.0.0/32:0/0
|   fc_try concluding with none [0]
|   fc_try kobaltwit-to-auxima gives none
|   checking hostpair 192.168.2.2/32 -> 0.0.0.0/32 is found
|    match_id a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
|   match_id called with a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
|   trusted_ca called with a=(empty) b=(empty)
|   fc_try trying kobaltwit-to-auxima:81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0 vs kobaltwit-to-auxima:192.168.2.2/32:0/0 -> 0.0.0.0/32:0/0
|   fc_try concluding with none [0]
|    match_id a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
|   match_id called with a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
|   trusted_ca called with a=(empty) b=(empty)
|   fc_try_oppo trying kobaltwit-to-auxima:81.83.108.106/32 -> 192.168.0.2/32 vs kobaltwit-to-auxima:192.168.2.2/32 -> 0.0.0.0/32
|   fc_try_oppo concluding with none [0]
|   concluding with d = none
"kobaltwit-to-auxima"[1] 84.195.167.62:4500 #1: cannot respond to IPsec SA request because no connection is known for 81.83.108.106/32===192.168.2.2:4500[C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net]...84.195.167.62:4500[C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com]===192.168.0.2/32
"kobaltwit-to-auxima"[1] 84.195.167.62:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 84.195.167.62:4500

Apparently, the server can't match the connection with the client during 
QUICK, although it managed to do so during MAIN.

The configuration files are now:
-------------------------------
-ipsec.conf on IpsecPeer1 (initiator, client)
-------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        plutodebug=all
        interfaces=%defaultroute
        nat_traversal=yes

# Add connections here

#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf

conn kobaltwit-to-auxima
     # Left security gateway, subnet behind it, next hop toward right.
     left=auxima.homeip.net
     leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
     leftrsasigkey=%cert
     leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
     # Right security gateway, subnet behind it, next hop toward left.
     right=%defaultroute
     rightsubnet=192.168.0.0/24
     rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
     rightrsasigkey=%cert
     rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
     auto=add

-------------------------------
-ipsec.conf on IpsecPeer2 (responder, server)
-------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        plutodebug=all
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/24

# Add connections here

#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf

conn kobaltwit-to-auxima
     # Left security gateway, subnet behind it, next hop toward right.
     left=%defaultroute
     leftsubnet=192.168.2.0/24
     leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
     leftrsasigkey=%cert
     leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
     # Right security gateway, subnet behind it, next hop toward left.
     right=%any
     rightsubnet=vhost:%priv,%no
     rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
     rightrsasigkey=%cert
     rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
     auto=add

Just for completeness, I repeat that both the ipsec initiator and the ipsec 
responder are behind a natting firewall, with incoming traffic on external 
ports 500 (UDP) 4500 (UDP) and 50 (TCP) being forwarded to the ipsec 
machines.

Thanks for any further help.

Geert
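The responder's debug output above already contains both halves of the Quick Mode proposal ("looking for A -> B") and the selectors of every conn pluto tried against it ("concrete checking against sr#0 ..."). The script below is an added example, not code from this thread or from Openswan: it parses those lines, compares the responder-side half of the proposal with the candidate conn's left client, and judges the initiator's own half with an emulation of the documented meaning of rightsubnet=vhost:%priv,%no and virtual_private (single host only; %no = the peer's own outer address; %priv = a /32 inside a non-excluded virtual_private range). The sample log is constructed from the lines quoted in the post; treating 0.0.0.0/32 as the not-yet-instantiated right client of the vhost template, and the vhost emulation itself, are assumptions of this example rather than pluto's own code.

```python
"""Reconcile a pluto Quick Mode selector proposal with the responder's conn.

Added example, not code from the post or from Openswan.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed sample: the relevant lines from the pluto output in the post.
SAMPLE_LOG = """\
| peer client is subnet 192.168.0.2/32
| our client is subnet 81.83.108.106/32
| find_client_connection starting with kobaltwit-to-auxima
|   looking for 81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0
|   concrete checking against sr#0 192.168.2.2/32 -> 0.0.0.0/32
|   concluding with d = none
"""

LOOKING_RE = re.compile(r"looking for (\S+):\d+/\d+ -> (\S+):\d+/\d+")
CANDIDATE_RE = re.compile(r"concrete checking against sr#\d+ (\S+) -> (\S+)")
# Assumption: 0.0.0.0/32 as the right client marks a vhost template whose
# right client is only filled in from the peer's proposal.
UNSET = ipaddress.ip_network("0.0.0.0/32")


def parse_proposal(log: str) -> Optional[Tuple[Net, Net]]:
    """(our_client, peer_client) as the responder logged the proposal."""
    m = LOOKING_RE.search(log)
    if not m:
        return None
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def parse_candidates(log: str) -> List[Tuple[Net, Net]]:
    """(left_client, right_client) of every conn pluto tried to match."""
    return [(ipaddress.ip_network(a), ipaddress.ip_network(b))
            for a, b in CANDIDATE_RE.findall(log)]


def parse_virtual_private(spec: str) -> List[Tuple[bool, Net]]:
    """'%v4:a/b,%v4:!c/d' -> [(allowed, network), ...]; '!' excludes."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            raise ValueError(f"only %v4: entries are handled here: {item}")
        body = item[len("%v4:"):]
        entries.append((not body.startswith("!"),
                        ipaddress.ip_network(body.lstrip("!"))))
    return entries


def vhost_allows(peer_client: str, vhost_spec: str,
                 virtual_private: List[Tuple[bool, Net]],
                 peer_host: str) -> bool:
    """Emulate rightsubnet=vhost:... for one proposed peer client.

    vhost = a single host (/32) only; %no = the peer's own outer address;
    %priv = a host inside a non-excluded virtual_private range.
    Assumption: documented keyword meaning, not pluto's matching code.
    """
    if not vhost_spec.startswith("vhost:"):
        raise ValueError("only vhost: specs are handled here")
    options = vhost_spec[len("vhost:"):].split(",")
    client = ipaddress.ip_network(peer_client)
    if client.prefixlen != 32:
        return False
    addr = client.network_address
    if "%no" in options and addr == ipaddress.ip_address(peer_host):
        return True
    if "%priv" in options:
        if any(not ok and addr in net for ok, net in virtual_private):
            return False
        return any(ok and addr in net for ok, net in virtual_private)
    return False


def diagnose(log: str, vhost_spec: str, virtual_private: str,
             peer_host: str) -> List[str]:
    """One finding per half of each candidate conn: OK or MISMATCH."""
    proposal = parse_proposal(log)
    if proposal is None:
        return ["no 'looking for' line; run pluto with plutodebug=control"]
    our_client, peer_client = proposal
    vp = parse_virtual_private(virtual_private)
    findings = []
    for cand_left, cand_right in parse_candidates(log):
        # Left half: what the initiator thinks sits behind the responder.
        if our_client.subnet_of(cand_left):
            findings.append(f"left OK: {our_client} within {cand_left}")
        else:
            findings.append(f"left MISMATCH: initiator proposed {our_client} "
                            f"for the responder side, conn offers {cand_left}")
        # Right half: what the initiator claims for itself.
        if cand_right == UNSET:
            ok = vhost_allows(str(peer_client), vhost_spec, vp, peer_host)
            why = f"{vhost_spec} with virtual_private={virtual_private}"
        else:
            ok = peer_client.subnet_of(cand_right)
            why = f"rightsubnet {cand_right}"
        findings.append(f"right {'OK' if ok else 'MISMATCH'}: "
                        f"{peer_client} vs {why}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, "vhost:%priv,%no",
                         "%v4:192.168.0.0/24", "84.195.167.62"):
        print(line)
```

Run against the quoted log with the responder's vhost spec, virtual_private and the peer's outer address 84.195.167.62, it reports the right half (192.168.0.2/32) as acceptable under vhost:%priv and the left half as the mismatch: the initiator proposed 81.83.108.106/32 for the responder side while the conn pluto checked offers 192.168.2.2/32. Which side's configuration to change is a separate decision; the script only makes the two halves of the comparison explicit. Note that with nat_traversal=yes and NAT detected on both sides, ESP is carried inside UDP 4500, so the UDP 500 and 4500 forwards are the ones that matter for the tunnel traffic itself.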

