[Openswan Users] Help with ipsec/l2tpd and nat on client and server

Mon Jul 10 10:40:13 CEST 2006

Hi

I an running a centos 3 server (RHEL3 equivalent), which uses the hybrid
2.4/2.6 kernel.

The server has been running for a while with natted clients, on
openswan-utils-2.1.5, using the in-kernel ipsec implementation.

However, the server is now behind a natting gateway, which has a port
forward to forward all traffic to the server.  

My config used to look like the following:

conn L2TP-PSK
        authby=secret
        pfs=no
        left=public.range.227
        leftnexthop=public.range.225
        leftprotoport=17/1701
        leftid=
        rightid=
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=3

I am now trying to add a config for the server natted situation, but am
having no luck:

conn L2TP-PSK-nat
        authby=secret
        pfs=no
        left=10.0.0.3
        leftnexthop=10.0.0.2
        leftprotoport=17/1701
        leftid=
        rightid=
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        auto=add
        keyingtries=3

I am getting the following in my logs.  Can someone please help me
understand the error, and fix it.  

Thanks

Chris

Jul 10 09:35:43 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[3]
196.209.54.254 #2: Peer ID is ID_FQDN: '@vmwin'
Jul 10 09:35:43 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254 #2: deleting connection "L2TP-PSK-nat" instance with peer
196.209.54.254 {isakmp=#0/ipsec=#0}
Jul 10 09:35:43 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254 #2: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Jul 10 09:35:43 dovetail-fw pluto[9016]: | NAT-T: new mapping
196.209.54.254:500/4500)
Jul 10 09:35:43 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254:4500 #2: sent MR3, ISAKMP SA established

Jul 10 09:35:43 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254:4500 #2: cannot respond to IPsec SA request because no
connection is known for
165.165.164.185/32===10.0.0.3:4500[S=C]:17/1701...196.209.54.254:4500[@vmwin,S=C]:17/1701

This is where the problem is
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Jul 10 09:35:43 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254:4500 #2: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0x840d5df3 (perhaps this is a
duplicated packet)
Jul 10 09:35:45 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254:4500 #2: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0x840d5df3 (perhaps this is a
duplicated packet)
Jul 10 09:35:46 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254:4500 #2: received Delete SA payload: deleting ISAKMP
State #2
Jul 10 09:35:46 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[4]
196.209.54.254:4500: deleting connection "L2TP-PSK-nat" instance with
peer 196.209.54.254 {isakmp=#0/ipsec=#0}

Jul 10 09:35:52 dovetail-fw pluto[9016]: packet from 196.209.54.254:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 10 09:35:52 dovetail-fw pluto[9016]: packet from 196.209.54.254:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jul 10 09:35:52 dovetail-fw pluto[9016]: packet from 196.209.54.254:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 10 09:35:52 dovetail-fw pluto[9016]: packet from 196.209.54.254:500:
ignoring Vendor ID payload [26244d38eddb61b3...]
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[5]
196.209.54.254 #3: responding to Main Mode from unknown peer
196.209.54.254
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[5]
196.209.54.254 #3: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536
supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[5]
196.209.54.254 #3: transition from state (null) to state STATE_MAIN_R1
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[5]
196.209.54.254 #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[5]
196.209.54.254 #3: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[5]
196.209.54.254 #3: Peer ID is ID_FQDN: '@vmwin'
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[6]
196.209.54.254 #3: deleting connection "L2TP-PSK-nat" instance with peer
196.209.54.254 {isakmp=#0/ipsec=#0}
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[6]
196.209.54.254 #3: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Jul 10 09:35:52 dovetail-fw pluto[9016]: | NAT-T: new mapping
196.209.54.254:500/4500)
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[6]
196.209.54.254:4500 #3: sent MR3, ISAKMP SA established
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[6]
196.209.54.254:4500 #3: cannot respond to IPsec SA request because no
connection is known for
165.165.164.185/32===10.0.0.3:4500[S=C]:17/1701...196.209.54.254:4500[@vmwin,S=C]:17/1701
Jul 10 09:35:52 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[6]
196.209.54.254:4500 #3: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0xd638e0f8 (perhaps this is a
duplicated packet)
Jul 10 09:35:54 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[6]
196.209.54.254:4500 #3: received Delete SA payload: deleting ISAKMP
State #3
Jul 10 09:35:54 dovetail-fw pluto[9016]: "L2TP-PSK-nat"[6]
196.209.54.254:4500: deleting connection "L2TP-PSK-nat" instance with
peer 196.209.54.254 {isakmp=#0/ipsec=#0}