[Openswan Users] Connection Stuck on STATE_MAIN_I3

Carlos Prieto prieto.carlos at gmail.com
Mon Jan 30 14:42:39 CET 2006


Hi !

I'm trying to get a connection with NATed clients using either
Linux/Openswan or Windows 2000/XP.

I've followed the instructions from
http://www.natecarlson.com/linux/ipsec-x509.php.

I have to mention that we had SuSE Linux 9.0 with FreeS/WAN 1.99 +
X.509 patch, and it was running smoothly for over a year with NATed and
non-NATed clients. Now we have upgraded to Fedora Core 4 running Openswan 2.4.4
and the VPN connections are not working. It only works if the client is not NATed.

I'm using X.509 certificates (the same certificates used with SuSE and
FreeSWAN). Here is my configuration:

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn roadwarrior-net
        leftsubnet=(local ip net)/(local subnet)
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=(vpn gateway x.509 certificate file)
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

So, when I try to initiate a manual connection from a Linux NATed client,
here are the steps:

ipsec auto --verbose --up roadwarrior
002 "roadwarrior" #1: initiating Main Mode
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: ignoring unknown Vendor ID payload [4f45647c6b5d646e6a744347]
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
002 "roadwarrior" #1: enabling possible NAT-traversal with method 3
002 "roadwarrior" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using 3: i am NATed
002 "roadwarrior" #1: I am sending my cert
002 "roadwarrior" #1: I am sending a certificate request
002 "roadwarrior" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

And on the gateway side (which is not NATed) here is the log:

Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [Dead Peer Detection]
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 30 14:30:33 zeus pluto[8239]: packet from x.y.z.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 30 14:30:33 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: responding to Main Mode from unknown peer 201.240.76.12
Jan 30 14:30:33 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 30 14:30:33 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: NAT-Traversal: Result using 3: peer is NATed
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 30 14:31:44 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 30 14:31:44 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w: deleting connection "roadwarrior" instance with peer x.y.z.w {isakmp=#0/ipsec=#0}

So it seems the Main Initiator Phase 3 from the client does not reach the
VPN gateway: the client says it sent it, but the gateway claims it is
missing.

        NATed               IPsec
         Client              Gateway

       MI1 ---------->
           <---------- MR1
       MI2 ---------->
           <---------- MR2
       MI3 ---------->   ( LOST ! )
           <---------- MR3 ( NEVER COMES ! )

However, if I move this client to a non-NATed connection, the
connection succeeds.

I've been playing around for 3 or 4 days, and I really can't sleep. I would
appreciate any help you could give me.

Thanks in advance.
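An added diagnostic example, not part of the original post and not Openswan's own tooling: it walks the two pluto log excerpts above, records the Main Mode state each side reached, whether NAT-Traversal reported a NAT, and where retransmissions gave up, and then names the failure pattern. The sample lines below are constructed in the post's own format (x.y.z.w is the poster's placeholder for the client address). The RFC 3947 fact it relies on is that once NAT is detected in the MI2/MR2 exchange, the initiator sends MI3 from UDP/4500 instead of UDP/500; that this is what eats the poster's MI3 is an assumption the diagnosis labels as a thing to check, not something the post confirms.

```python
"""Summarise Openswan/pluto Main Mode logs from both peers and flag the
"MI3 sent but never received" pattern.  Added example, not code from the
Openswan project or the original post."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines modelled on the post's client-side output.
CLIENT_LOG = """\
002 "roadwarrior" #1: initiating Main Mode
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
002 "roadwarrior" #1: enabling possible NAT-traversal with method 3
002 "roadwarrior" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
003 "roadwarrior" #1: NAT-Traversal: Result using 3: i am NATed
002 "roadwarrior" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
031 "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Constructed sample lines modelled on the post's gateway syslog.
GATEWAY_LOG = """\
Jan 30 14:30:33 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: NAT-Traversal: Result using 3: peer is NATed
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 30 14:30:34 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 30 14:31:44 zeus pluto[8239]: "roadwarrior"[1] x.y.z.w #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""

TRANSITION = re.compile(r"transition from state (STATE_\w+) to state (STATE_\w+)")
NAT_RESULT = re.compile(r"NAT-Traversal: Result using \d+: (.+)$")
RETRANS_MAX = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")


@dataclass
class SideSummary:
    states: List[str] = field(default_factory=list)  # states in the order reached
    nat_detected: bool = False                       # pluto reported some NAT
    stuck_in: Optional[str] = None                   # state where retransmits gave up


def summarise(log_text: str) -> SideSummary:
    """Extract the Main Mode state path, NAT-T verdict and stall state from one peer's log."""
    s = SideSummary()
    for line in log_text.splitlines():
        m = TRANSITION.search(line)
        if m:
            if not s.states:
                s.states.append(m.group(1))
            s.states.append(m.group(2))
        m = NAT_RESULT.search(line)
        # pluto prints "no NAT detected", "i am NATed", "peer is NATed" or "both are NATed"
        if m and "NATed" in m.group(1):
            s.nat_detected = True
        m = RETRANS_MAX.search(line)
        if m:
            s.stuck_in = m.group(1)
    return s


def diagnose(client: SideSummary, gateway: SideSummary) -> str:
    """Name the failure pattern from the two summaries (assumed heuristics)."""
    if client.stuck_in == "STATE_MAIN_I3" and gateway.stuck_in == "STATE_MAIN_R2":
        if client.nat_detected or gateway.nat_detected:
            # RFC 3947: after NAT detection the initiator sends MI3 from UDP/4500,
            # so a path that only passes UDP/500 loses exactly this message.
            return "MI3 lost after NAT-T port float: check that UDP/4500 reaches the gateway"
        return "MI3 lost with no NAT detected: check the UDP/500 path and IKE proposal logs"
    if client.stuck_in or gateway.stuck_in:
        return f"stalled: client={client.stuck_in} gateway={gateway.stuck_in}"
    return "no stall detected"


def diagnose_logs(client_text: str, gateway_text: str) -> str:
    return diagnose(summarise(client_text), summarise(gateway_text))


if __name__ == "__main__":
    print(diagnose_logs(CLIENT_LOG, GATEWAY_LOG))
```

Feed it the real `ipsec auto --verbose --up` output and the gateway's pluto syslog; the interesting output is the combination of both sides, since either log alone looks like a plain timeout.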