[Openswan Users] Openswan Checkpoint NAT problem (NO_PROPOSAL_CHOSEN?)

Alon Swartz loni at securityforest.com
Mon Jan 30 14:46:32 CET 2006


Hi Guys,

Any help would be of great help and appreciation.

Sorry for the long post, but I have tried to supply all the relevant information, and to 
be as methodical in my explanations as possible.

CONTENTS:
  1. My problem
  2. My lab configuration
  3. Lab explanations
  4. Connections that do work
  5. Connections that do not work
  6. Suspected problem
  7. Configurations
     a. win2ksrv (checkpoint)
     b. west (openswan)
  8. Logs and dumps



1. MY PROBLEM

I am not able to connect from openswan (west) to checkpoint VPN NGX R60 (win2ksrv) through a NAT gateway (gw).


2. MY LAB CONFIGURATION

west <----------+                                                          +---------> east
eth0: 10.0.0.5  |                                                          |           eth0: 11.0.0.5
                |---------> eth0: 10.0.0.10 (gw) eth1: 11.0.0.10 <---------|           eth1: 12.0.0.5
                |                                                          | 
msXP <----------+                                                          +---------> win2ksrv (CP R60)
nic1: 10.0.0.6                                                                         nic1: 11.0.0.6
                                                                                       nic2: 12.0.0.6
                                           

3. LAB EXPLANATIONS

west
   OS: Fedora Core 3 2.6.12-1.1381_FC3 
   OpenSwan: 2.4.4 using NETKEY
   eth0: connected to WestNET

gw
   OS: Fedora Core 3 2.6.12-1.1381_FC3
   eth0: connected to WestNET
   eth1: connected to EastNET

east
   OS: Fedora Core 3 2.6.12-1.1381_FC3
   OpenSwan: 2.4.4 using NETKEY
   eth0: connected to EastNET
   eth1: connected to EastNET_internal

msXP
   OS: Windows XP SP2
   SecureClient R56 (comes with Checkpoint NGX R60 distribution)
   nic1: connected to WestNET

win2ksrv
   OS: Windows 2000 server
   Checkpoint VPN NGX R60
   nic1: connected to EastNET
   nic2: connected to EastNET_internal


4. CONNECTIONS THAT DO WORK

   a. west---->gw-------------->east     [works!]
   b. west---->gw(with nat)---->east     [works!]
   c. msXP---->gw-------------->win2ksrv [works!]
   d. msXP---->gw(with nat)---->win2ksrv [works!]
   e. west---->gw-------------->win2ksrv [works!]

Please note connections d & e:
   d. It seems win2ksrv is configured correctly for a connection through NAT.
   e. It seems west is configured correctly to connect to win2ksrv.


5. CONNECTIONS THAT DO NOT WORK

   f. west---->gw(with nat)---->win2ksrv [DOESN'T WORK!]


6. SUSPECTED PROBLEM
The connection from west to win2ksrv through gw (with NAT) fails with the message NO_PROPOSAL_CHOSEN.
This message appears both in the openswan pluto debug logs and checkpoint logs (below).

I don't receive this error when connecting from west without NAT.

Note: Don't pay attention to the difference in timing; the clocks are not synchronized.
      BTW - Could this be a problem?

</var/log/secure at west>
----------------------
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: STATE_CPSC_I2: CP SecureClient - awaiting authentication status
Jan 23 19:47:54 localhost pluto[25976]: packet from 11.0.0.6:4500: Mode Config message is for a non-existent (expired?) ISAKMP SA
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: while waiting for XAUTH_STATUS, got INTERNAL_IP6_NETMASK instead.
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: successfully logged in
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: transition from state STATE_CPSC_I2 to state STATE_MAIN_I4
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: STATE_MAIN_I4: ISAKMP SA established
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+CPSC {using isakmp#1}
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: received and ignored informational message
Jan 23 19:47:58 localhost pluto[25976]: packet from 11.0.0.6:4500: Mode Config message is for a non-existent (expired?) ISAKMP SA

<fw.log at win2ksrv>
-----------------
Number:                   	419
Date:                        	23Jan2006
Time:                        	15:01:34
Product:                   	VPN-1 Pro/Express
Interface:                  	daemon
Origin:                      	win2ksrv (11.0.0.6)
Type:                        	Alert
Action:                      	Reject
Reject Reason:        	IKE failure
Source:                    	11.0.0.10
Destination:             	win2ksrv (11.0.0.6)
User:                        	test
Encryption Scheme:	IKE
Subproduct:             	VPN
VPN Feature:            	SecureClients
Information:             	reason: Client Encryption: No proposal chosen


7. CONFIGURATIONS

A. win2ksrv (checkpoint)

I am not an expert in checkpoint, so I may have missed an important configuration somewhere...
Here are the configurations I suspect are related to "NO_PROPOSAL_CHOSEN", but I may be wrong.

Policy -> Global Properties -> Remote Access ->
  VPN - IKE (Phase 1)
    Support encryption algorithms: DES, 3DES, AES-256
    Use encryption algorithm:      AES-256
    Support data integrity:        MD5, SHA1
    Use data integrity:            SHA1
    Support Diffie-Hellman groups: Group 2 (1024 bit)
    Use Diffie-Hellman group:      Group 2 (1024 bit)

  VPN - IPSEC (Phase 2)
    User encryption properties
      Encryption algorithm:        AES-256
      Data Integrity:              SHA1
      [unchecked] - enforce encryption algorithm and data integrity on all users

User "test" is configured to use the above configuration


B. west (openswan)

<ipsec.conf at west>
version 2.0
config setup
        nat_traversal=yes
        plutodebug=all
        #plutodebug="parsing emitting control"
        #plutodebug="parsing control"
        #plutodebug=control

conn cptest
        leftid=@!
        left=%defaultroute
        leftxauthclient=yes
        right=11.0.0.6
        rightsubnet=12.0.0.0/8
        rightxauthserver=yes
        rightrsasigkey=0x0103A7AF2621D94252876DEFEDE6F1CE6036EF0D5A1B2B8607D87FD7B500...
        ikelifetime=24h
        rekey=yes
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        auth=esp
        keyexchange=ike
        cpsc=yes

I have tried using the following configs separately and together, but with no luck.
        type=tunnel
        keyingtries=1
        disablearrivalcheck=no
        disablearrivalcheck=yes
        authby=rsasig
        authby=secret
        pfs=no


8. LOGS and DUMPS

[root at west ~]# ./vpn_cptest
XXX: CPSC
002 "cptest" #1: initiating Main Mode
104 "cptest" #1: STATE_MAIN_I1: initiate
003 "cptest" #1: received Vendor ID payload [RFC 3947] method set to=109
002 "cptest" #1: enabling possible NAT-traversal with method 3
002 "cptest" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "cptest" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "cptest" #1: I did not send a certificate because I do not have one.
003 "cptest" #1: NAT-Traversal: Result using 3: i am NATed
002 "cptest" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "cptest" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "cptest" #1: Main mode peer ID is ID_IPV4_ADDR: '11.0.0.6'
002 "cptest" #1: no crl from issuer "O=win2ksrv..yyzenm" found (strict=no)
002 "cptest" #1: end certificate with identical subject and issuer not accepted
002 "cptest" #1: X.509 certificate rejected
002 "cptest" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "cptest" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
003 "cptest" #1: discarding duplicate packet; already STATE_MAIN_I4
003 "cptest" #1: discarding duplicate packet; already STATE_MAIN_I4
041 "cptest" #1: cptest prompt for Username:
Name enter:   test
002 "cptest" #1: XAUTH: Answering XAUTH challenge with user='test'
002 "cptest" #1: transition from state STATE_CPSC_I0 to state STATE_CPSC_I1
004 "cptest" #1: STATE_CPSC_I1: CP SecureClient - awaiting password request
002 "cptest" #1: XAUTH: Unsupported attribute: INTERNAL_IP6_DNS
040 "cptest" #1: cptest prompt for Password:
Enter secret:
002 "cptest" #1: XAUTH: Answering XAUTH challenge with user='`w \010'
002 "cptest" #1: transition from state STATE_CPSC_I1 to state STATE_CPSC_I2
004 "cptest" #1: STATE_CPSC_I2: CP SecureClient - awaiting authentication status
002 "cptest" #1: while waiting for XAUTH_STATUS, got INTERNAL_IP6_NETMASK instead.
002 "cptest" #1: successfully logged in
002 "cptest" #1: transition from state STATE_CPSC_I2 to state STATE_MAIN_I4
004 "cptest" #1: STATE_MAIN_I4: ISAKMP SA established
002 "cptest" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+CPSC {using isakmp#1}
117 "cptest" #2: STATE_QUICK_I1: initiate


root at gw# tcpdump -i eth1
03:35:27.376155 arp who-has 11.0.0.6 tell 11.0.0.10
03:35:27.378779 arp reply 11.0.0.6 is-at 00:0c:29:54:c9:50
03:35:27.378975 IP 11.0.0.10.isakmp > 11.0.0.6.isakmp: isakmp: phase 1 I ident
03:35:27.515570 IP 11.0.0.6.isakmp > 11.0.0.10.isakmp: isakmp: phase 1 R ident
03:35:27.667748 IP 11.0.0.10.isakmp > 11.0.0.6.isakmp: isakmp: phase 1 I ident
03:35:27.681928 IP 11.0.0.6.isakmp > 11.0.0.10.isakmp: isakmp: phase 1 R ident
03:35:27.796213 IP 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 64
03:35:27.856077 IP 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 1680
03:35:27.857913 IP 11.0.0.6 > west: udp
03:35:27.931715 IP 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 1680
03:35:27.931721 IP 11.0.0.6 > west: udp
03:35:28.001426 IP 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 1680
03:35:28.001431 IP 11.0.0.6 > west: udp
03:35:28.190163 IP 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 80
03:35:28.606568 IP 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 80
03:35:28.645160 IP 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 368
03:35:29.078528 IP 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 80
03:35:29.106357 IP 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 608
03:35:29.135772 IP 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 80
03:35:29.266302 IP 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 304
03:35:29.268512 IP 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 256
03:35:29.309064 IP 12.0.0.6.netbios-ns > 11.0.0.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
03:35:29.310741 IP 11.0.0.6.netbios-ns > 11.0.0.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
03:35:29.310950 IP 11.0.0.10 > 11.0.0.6: icmp 86: 11.0.0.10 udp port netbios-ns unreachable
03:35:30.431397 IP 12.0.0.6.netbios-ns > 11.0.0.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
03:35:30.431402 IP 11.0.0.6.netbios-ns > 11.0.0.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
03:35:30.431517 IP 11.0.0.10 > 11.0.0.6: icmp 86: 11.0.0.10 udp port netbios-ns unreachable
03:35:31.618757 IP 12.0.0.6.netbios-ns > 11.0.0.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
03:35:31.618762 IP 11.0.0.6.netbios-ns > 11.0.0.10.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
03:35:31.618825 IP 11.0.0.10 > 11.0.0.6: icmp 86: 11.0.0.10 udp port netbios-ns unreachable
03:35:35.444081 IP 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 304
03:35:37.718211 IP 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 96

root at gw# tcpdump -i eth1 -v
03:35:47.070467 IP (tos 0x0, ttl  63, id 0, offset 0, flags [DF], proto 17, length: 244) 11.0.0.10.isakmp > 11.0.0.6.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|sa]
03:35:47.071808 IP (tos 0x0, ttl 128, id 58559, offset 0, flags [none], proto 17, length: 136) 11.0.0.6.isakmp > 11.0.0.10.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|sa]
03:35:47.187230 IP (tos 0x0, ttl  63, id 1, offset 0, flags [DF], proto 17, length: 256) 11.0.0.10.isakmp > 11.0.0.6.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|ke]
03:35:47.188557 IP (tos 0x0, ttl 128, id 58560, offset 0, flags [none], proto 17, length: 284) 11.0.0.6.isakmp > 11.0.0.10.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|ke]
03:35:47.283611 IP (tos 0x0, ttl  63, id 0, offset 0, flags [DF], proto 17, length: 92) 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 64
03:35:47.286779 IP (tos 0x0, ttl 128, id 58561, offset 0, flags [+], proto 17, length: 1500) 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 1680
03:35:47.286784 IP (tos 0x0, ttl 127, id 58561, offset 1480, flags [none], proto 17, length: 228) 11.0.0.6 > west: udp
03:35:47.435546 IP (tos 0x0, ttl 128, id 58562, offset 0, flags [+], proto 17, length: 1500) 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 1680
03:35:47.435550 IP (tos 0x0, ttl 127, id 58562, offset 1480, flags [none], proto 17, length: 228) 11.0.0.6 > west: udp
03:35:47.517211 IP (tos 0x0, ttl 128, id 58573, offset 0, flags [+], proto 17, length: 1500) 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 1680
03:35:47.517223 IP (tos 0x0, ttl 127, id 58573, offset 1480, flags [none], proto 17, length: 228) 11.0.0.6 > west: udp
03:35:47.731822 IP (tos 0x0, ttl 128, id 58578, offset 0, flags [none], proto 17, length: 108) 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 80
03:35:48.031654 IP (tos 0x0, ttl  63, id 1, offset 0, flags [DF], proto 17, length: 108) 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 80
03:35:48.034773 IP (tos 0x0, ttl 128, id 58579, offset 0, flags [none], proto 17, length: 396) 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 368
03:35:48.361543 IP (tos 0x0, ttl  63, id 2, offset 0, flags [DF], proto 17, length: 108) 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 80
03:35:48.363621 IP (tos 0x0, ttl 128, id 58580, offset 0, flags [none], proto 17, length: 636) 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 608
03:35:48.446342 IP (tos 0x0, ttl  63, id 3, offset 0, flags [DF], proto 17, length: 108) 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 80
03:35:48.524542 IP (tos 0x0, ttl  63, id 4, offset 0, flags [DF], proto 17, length: 332) 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 304
03:35:48.526912 IP (tos 0x0, ttl 128, id 58585, offset 0, flags [none], proto 17, length: 284) 11.0.0.6.4500 > 11.0.0.10.4500: UDP, length 256
03:35:52.534744 IP (tos 0x0, ttl  63, id 5, offset 0, flags [DF], proto 17, length: 124) 11.0.0.10.4500 > 11.0.0.6.4500: UDP, length 96


<west@/var/log/secure> pluto debug log is available at: 
http://securityforest.com/west_secure.txt



Again, sorry for the long post, any help would be great!

Cheers,
Loni
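To pin down which phase of the negotiation the rejection belongs to, here is an added example (not part of the post above, and not Openswan or Check Point code) in Python. It replays the pluto lines quoted in the post, spliced into one constructed sample, and classifies a NO_PROPOSAL_CHOSEN notification as Phase 1 or Phase 2 depending on whether Quick Mode had already been initiated when the notification arrived. It also pulls out the NAT-T detection result and the parameters of the established ISAKMP SA. The regexes, the function names and the second sample (PHASE1_FAIL_SAMPLE) are assumptions of this example, not output from the lab.

```python
"""Locate the failing IKEv1 phase from Openswan pluto log lines.

Added example; it is not code from the mailing-list post or from Openswan.
It understands both line shapes seen in the post: the syslog form
('... pluto[pid]: "conn" #1: msg') and the whack console form
('002 "conn" #1: msg').
"""
import re

# Constructed sample: lines copied from the two excerpts in the post and
# spliced into one sequence (console output first, then /var/log/secure).
SAMPLE_LOG = """\
003 "cptest" #1: received Vendor ID payload [RFC 3947] method set to=109
002 "cptest" #1: enabling possible NAT-traversal with method 3
003 "cptest" #1: NAT-Traversal: Result using 3: i am NATed
004 "cptest" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: successfully logged in
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: STATE_MAIN_I4: ISAKMP SA established
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+CPSC {using isakmp#1}
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 23 19:47:54 localhost pluto[25976]: "cptest" #1: received and ignored informational message
"""

# Constructed (hypothetical) sample of a rejection before Phase 1 completes.
PHASE1_FAIL_SAMPLE = """\
002 "cptest" #1: initiating Main Mode
002 "cptest" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

LINE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS_RE = re.compile(r'\{([^}]*)\}')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (?P<type>[A-Z0-9_]+)')
QM_RE = re.compile(r'initiating Quick Mode (?P<flags>[A-Z0-9_+]+)')


def parse_pluto_line(line):
    """Return (conn, sa_number, message) for a pluto line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("conn"), int(m.group("sa")), m.group("msg")


def parse_params(msg):
    """Turn '{auth=OAKLEY_RSA_SIG cipher=aes_256 ...}' into a dict."""
    m = PARAMS_RE.search(msg)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)


def analyze(log_text):
    """Walk the log in order and report where the negotiation failed.

    Everything before 'initiating Quick Mode' (Main Mode, XAUTH, mode config)
    is treated as Phase 1; a notification after it is attributed to Phase 2.
    """
    report = {
        "phase1_established": False,
        "isakmp_params": {},
        "nat_detected": False,
        "quick_mode_flags": set(),
        "notification": None,
        "failed_phase": None,
    }
    quick_mode_started = False
    for line in log_text.splitlines():
        parsed = parse_pluto_line(line)
        if parsed is None:
            continue
        _conn, _sa, msg = parsed
        if "NAT-Traversal: Result" in msg and "NATed" in msg:
            report["nat_detected"] = True
        if msg.startswith("STATE_MAIN_I4: ISAKMP SA established"):
            report["phase1_established"] = True
            params = parse_params(msg)
            if params:  # the syslog copy of this line carries no parameters
                report["isakmp_params"] = params
        qm = QM_RE.search(msg)
        if qm:
            quick_mode_started = True
            report["quick_mode_flags"] = set(qm.group("flags").split("+"))
        n = NOTIFY_RE.search(msg)
        if n and report["notification"] is None:
            report["notification"] = n.group("type")
            report["failed_phase"] = "phase2" if quick_mode_started else "phase1"
    return report


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_LOG), ("constructed", PHASE1_FAIL_SAMPLE)):
        print(name, analyze(sample))
```

Run against the post's own lines the report shows Phase 1 completing with cipher=aes_256, prf=oakley_sha, group=modp1024, NAT-T detecting that west is behind NAT, and the notification arriving only after Quick Mode was initiated with the PFS flag set, which places the rejected proposal in the IPsec (Phase 2) exchange rather than the IKE (Phase 1) one.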