[Openswan Users]
Openswan, WinXP NAT-T and PSK sticks at STATE_MAIN_R1 to
STATE_MAIN_R2
Mike Rothon
mike.rothon at certisa.com
Mon Jan 30 11:53:57 CET 2006
Firstly I must declare myself as an IPSEC novice!
The desired configuration is as follows:
---------------------
Linux/Samba Server
Kernel 2.6 (SuSE 9.1)
Openswan 2.3.0
192.1.168.1.200
---------------------
|
V
---------------------
DLink ADSL Router
80.xxx.xxx.xxx
NAT Passthrough
---------------------
|
V
---------------------
DLink Router
86.xxx.xxx.xxx
NAT Passthrough
---------------------
|
V
---------------------
WinXP Client
192.168.0.1
---------------------
I have checked the mailing lists, howtos etc. and, although there is a vast
amount of information, I can't find the exact problem I am facing, as I am using PSK, not certificates.
Here is the end of /var/log/messages:
Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 30 09:24:17 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: responding to Main Mode from unknown peer 86.xxx.xxx.xxx
Jan 30 09:24:17 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 30 09:24:18 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 30 09:24:18 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 30 09:25:28 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 30 09:25:28 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx: deleting connection "L2TP-PSK" instance with peer 86.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
This is the connection part of ipsec.conf (from Jacco):
conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=192.168.1.101
    leftprotoport=17/1701
    right=86.xxx.xxx.xxx
    rightprotoport=17/1701
    auto=add
I have also enabled NAT traversal and disabled OE:
    nat_traversal=yes
    include /etc/ipsec.d/examples/no_oe.conf
Finally I have patched the WinXP SP2 client as discussed elsewhere.
Thanks in advance.................Mike.
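Added example, not part of Mike's post and not Openswan code: a small triage script that reads pluto lines like the ones quoted above and reports, for every ISAKMP SA pluto gave up on, the responder state it stalled in, what message it was waiting for, and which UDP port that message should have arrived on. The state and message names follow the Main Mode responder sequence; the port rule is the NAT-T one (draft-ietf-ipsec-nat-t-ike-02/03 and RFC 3947 move the initiator to UDP 4500 for its first encrypted message, the ID/HASH message, once NAT has been detected), so a stall in STATE_MAIN_R2 right after "both are NATed" is worth checking against UDP 4500 forwarding on the server side. The sample log is constructed from the lines in the post; the only pluto wording the script relies on is the wording visible there, and the "no NAT detected" variant used in the comments is an assumption about pluto's other result strings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the pluto lines quoted in the post above, with the
# peer address masked the same way the post masks it.
SAMPLE_LOG = """\
Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 30 09:24:17 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: responding to Main Mode from unknown peer 86.xxx.xxx.xxx
Jan 30 09:24:17 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 30 09:24:18 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 30 09:24:18 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 30 09:25:28 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 30 09:25:28 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx: deleting connection "L2TP-PSK" instance with peer 86.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
"""

# A pluto line about one ISAKMP SA looks like:  "conn"[inst] peer #sa: message
SA_LINE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
NAT_RESULT_RE = re.compile(r"NAT-Traversal: Result using \S+: (?P<result>.+)$")
GAVE_UP_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (\S+)")

# What a Main Mode responder is waiting for in each state. After the NAT-D
# exchange (MI2/MR2) the NAT-T drafts and RFC 3947 have the initiator send its
# next message, the encrypted ID/HASH, to UDP 4500 when NAT was detected; until
# then everything travels on UDP 500.
WAITING_FOR = {
    "STATE_MAIN_R1": "MI2 (KE, nonce and NAT-D payloads)",
    "STATE_MAIN_R2": "MI3 (encrypted ID and HASH; first message after the port switch)",
    "STATE_MAIN_R3": "Quick Mode message 1",
}


@dataclass
class Exchange:
    conn: str
    peer: str
    sa: int
    last_state: str = "STATE_MAIN_R0"
    nat_result: Optional[str] = None
    gave_up_at: Optional[str] = None
    retransmissions: Optional[int] = None

    @property
    def nat_detected(self) -> bool:
        # Assumption: any result other than a "no NAT ..." wording means NAT was seen.
        return self.nat_result is not None and "no NAT" not in self.nat_result

    @property
    def stalled(self) -> bool:
        return self.gave_up_at is not None

    def expected_port(self) -> int:
        """UDP port the next inbound IKE message should arrive on."""
        if self.nat_detected and self.last_state in ("STATE_MAIN_R2", "STATE_MAIN_R3"):
            return 4500
        return 500


def parse_exchanges(log: str) -> Dict[Tuple[str, int], Exchange]:
    """Fold pluto per-SA lines into one Exchange per (connection, SA number)."""
    exchanges: Dict[Tuple[str, int], Exchange] = {}
    for line in log.splitlines():
        m = SA_LINE_RE.search(line)
        if not m:
            continue  # vendor-ID chatter and the final "deleting" line carry no SA number
        key = (m["conn"], int(m["sa"]))
        ex = exchanges.setdefault(key, Exchange(m["conn"], m["peer"], int(m["sa"])))
        msg = m["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            ex.last_state = t.group(2)
            continue
        n = NAT_RESULT_RE.search(msg)
        if n:
            ex.nat_result = n["result"].strip()
            continue
        g = GAVE_UP_RE.search(msg)
        if g:
            ex.retransmissions = int(g.group(1))
            ex.gave_up_at = g.group(2)
    return exchanges


def triage(log: str) -> List[dict]:
    """Report every SA that pluto gave up on, with what it was waiting for."""
    findings = []
    for ex in parse_exchanges(log).values():
        if not ex.stalled:
            continue
        findings.append({
            "conn": ex.conn,
            "peer": ex.peer,
            "sa": ex.sa,
            "state": ex.gave_up_at,
            "waiting_for": WAITING_FOR.get(ex.gave_up_at, "unknown"),
            "nat_detected": ex.nat_detected,
            "nat_result": ex.nat_result,
            "port": ex.expected_port(),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['conn']} #{f['sa']} from {f['peer']}: stalled in {f['state']} "
              f"waiting for {f['waiting_for']}; NAT result: {f['nat_result']}; "
              f"check that UDP {f['port']} from the peer reaches pluto")
```

Run it against /var/log/messages (or a grep for pluto) to get one line per abandoned SA; the port it names is the one to confirm with a packet capture on the server's outside interface, since pluto only logs what it receives.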