[Openswan Users] Help with ipsec/l2tpd and nat on client and server
Chris Picton
chrisp at tangent.co.za
Mon Jul 10 15:02:45 CEST 2006
On Mon, 2006-07-10 at 12:33 +0200, Jacco de Leeuw wrote:
> Chris Picton wrote:
>
> > I am running a centos 3 server (RHEL3 equivalent), which uses the hybrid
> > 2.4/2.6 kernel.
>
> RHEL3 may not be a good choice:
> http://lists.openswan.org/pipermail/users/2005-April/004382.html
Thanks for the reply. I had read the messages regarding rhel3, but I
unfortunately cannot change this right now.
>
> > The server has been running for a while with natted clients, on
> > openswan-utils-2.1.5, using the in-kernel ipsec implementation.
> >
> > However, the server is now behind a natting gateway, which has a port
> > forward to forward all traffic to the server.
>
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#serverNATed
> You need to upgrade to 2.4.5 or install a patch for 2.1.5.
I have installed 2.4.5 (just the tools, not the kernel modules).
The connection still works when the server is not natted.
When natting the server, I get the logs which are at the end (changed
from the logs from 2.1.5). The l2tp tunnel does not attempt to come up,
and the ipsec connection appears to come up, but immediately starts the
connection again.
I am also seeing "udp_encap_rcv(): Unhandled UDP encap type: 1" in my
log files.
>
> > conn L2TP-PSK
> > authby=secret
>
> PSK and NAT could be a source of problems. Certificates are recommended.
I will investigate that, but I have a lot of legacy clients using the PSK.
>
> > rightsubnet=vhost:%no,%priv
>
> I don't think rightsubnet is supported with PSKs. You should be able to
> do without it. Are there no log messages rejecting the L2TP-PSK-nat conn?
I have removed the rightsubnet section - I was not sure about it anyway.
Chris
LOGS
---------------------
Jul 10 13:45:26 dovetail-fw pluto[17430]: packet from 196.209.54.254:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 10 13:45:26 dovetail-fw pluto[17430]: packet from 196.209.54.254:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 10 13:45:26 dovetail-fw pluto[17430]: packet from 196.209.54.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 10 13:45:26 dovetail-fw pluto[17430]: packet from 196.209.54.254:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: responding to Main Mode from unknown peer 196.209.54.254
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: Main mode peer ID is ID_FQDN: '@vmwin'
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: I did not send a certificate because I do not have one.
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 10 13:45:26 dovetail-fw pluto[17430]: | NAT-T: new mapping 196.209.54.254:500/4500)
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #41: responding to Quick Mode {msgid:6d9d1fe6}
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #41: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #41: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #41: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #41: STATE_QUICK_R2: IPsec SA established {ESP=>0x00518692 <0x507fa2b0 xfrm=3DES_0-HMAC_MD5 NATD=196.209.54.254:4500 DPD=none}
The above set of logs then repeats until I press cancel on the Windows
client.
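The pattern in the post (ISAKMP and IPsec SAs established, then the whole exchange starting over, with "udp_encap_rcv(): Unhandled UDP encap type" from the kernel alongside) is easy to miss when reading raw pluto output by eye. The script below is an added example, not code from the post or from Openswan: it parses pluto's connection-instance lines, records the NAT-T verdict, counts SA establishments per peer, extracts the negotiated ESP transform, and flags peers that re-establish in a loop. The sample log's first cycle is the post's log with the archive's line wrapping undone; the second cycle (SA numbers #42/#43, timestamp 13:45:31, SPIs ending ...93/...b1) and the syslog `kernel:` prefix on the udp_encap_rcv() line are constructed for the example. The weak-transform check is also an addition: the negotiated `xfrm=3DES_0-HMAC_MD5` is simply what the post's log shows.

```python
"""Summarise Openswan/pluto log lines for the NAT-T reconnect loop in the post.
Added example, not code from the post or from Openswan."""
import re
from collections import defaultdict

# Pluto lines that belong to a connection instance look like:
#   <ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<sa>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$'
)

# Constructed sample.  Cycle 1 is the post's log, unwrapped.  Cycle 2
# (#42/#43, 13:45:31, SPIs ...93/...b1) and the "kernel:" prefix on the
# udp_encap_rcv() line are assumptions made for this example.
SAMPLE_LOG = """\
Jul 10 13:45:26 dovetail-fw pluto[17430]: packet from 196.209.54.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: responding to Main Mode from unknown peer 196.209.54.254
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: Main mode peer ID is ID_FQDN: '@vmwin'
Jul 10 13:45:26 dovetail-fw pluto[17430]: | NAT-T: new mapping 196.209.54.254:500/4500)
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #40: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 10 13:45:26 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #41: STATE_QUICK_R2: IPsec SA established {ESP=>0x00518692 <0x507fa2b0 xfrm=3DES_0-HMAC_MD5 NATD=196.209.54.254:4500 DPD=none}
Jul 10 13:45:27 dovetail-fw kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
Jul 10 13:45:31 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #42: responding to Main Mode from unknown peer 196.209.54.254
Jul 10 13:45:31 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #42: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 10 13:45:31 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #42: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 10 13:45:31 dovetail-fw pluto[17430]: "L2TP-PSK-nat"[2] 196.209.54.254 #43: STATE_QUICK_R2: IPsec SA established {ESP=>0x00518693 <0x507fa2b1 xfrm=3DES_0-HMAC_MD5 NATD=196.209.54.254:4500 DPD=none}
Jul 10 13:45:32 dovetail-fw kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
"""

# Substrings that mark an ESP transform as weak by current standards.
WEAK_MARKERS = ("DES", "MD5")


def parse_pluto(text):
    """Return the connection-instance lines as dicts (ts, conn, peer, sa, msg)."""
    return [m.groupdict() for m in map(PLUTO_RE.match, text.splitlines()) if m]


def summarize(text):
    """Per-peer NAT-T verdict, SA counts, ESP transforms and peer IDs, plus a
    count of the kernel's 'Unhandled UDP encap type' messages."""
    peers = defaultdict(lambda: {"natt": None, "isakmp_sa": 0, "ipsec_sa": 0,
                                 "esp_xfrm": set(), "peer_ids": set()})
    unhandled_encap = 0
    for line in text.splitlines():
        # Kernel ESP-in-UDP receive path saw a socket encapsulation type it
        # does not handle.  Counted only; the cause is not inferred here.
        if "Unhandled UDP encap type" in line:
            unhandled_encap += 1
            continue
        m = PLUTO_RE.match(line)
        if not m:
            continue  # vendor-ID chatter, "| ..." debug lines, other daemons
        peer, msg = peers[m["peer"]], m["msg"]
        if msg.startswith("NAT-Traversal: Result"):
            peer["natt"] = msg.rsplit(": ", 1)[1]  # e.g. "both are NATed"
        elif "ISAKMP SA established" in msg:
            peer["isakmp_sa"] += 1
        elif "IPsec SA established" in msg:
            peer["ipsec_sa"] += 1
            xfrm = re.search(r"xfrm=(\S+)", msg)
            if xfrm:
                peer["esp_xfrm"].add(xfrm.group(1))
        elif msg.startswith("Main mode peer ID is "):
            peer["peer_ids"].add(msg[len("Main mode peer ID is "):])
    return {"peers": dict(peers), "unhandled_encap": unhandled_encap}


def find_reconnect_loops(summary, min_cycles=2):
    """Peers whose IPsec SA was established min_cycles or more times: the
    'comes up, then immediately starts again' pattern from the post."""
    return sorted(p for p, info in summary["peers"].items()
                  if info["ipsec_sa"] >= min_cycles)


def weak_transforms(summary):
    """Peers that negotiated an ESP transform containing DES/3DES or MD5."""
    out = {}
    for p, info in summary["peers"].items():
        bad = {x for x in info["esp_xfrm"]
               if any(w in x.upper() for w in WEAK_MARKERS)}
        if bad:
            out[p] = bad
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for p, info in s["peers"].items():
        print(p, info["natt"], "ISAKMP x%d, IPsec x%d" % (info["isakmp_sa"], info["ipsec_sa"]),
              sorted(info["esp_xfrm"]), sorted(info["peer_ids"]))
    print("reconnect loops:", find_reconnect_loops(s))
    print("weak ESP transforms:", weak_transforms(s))
    print("kernel 'Unhandled UDP encap type' messages:", s["unhandled_encap"])
```

Run it against a real `/var/log/secure` (or wherever pluto logs on the box) by replacing `SAMPLE_LOG` with the file contents; a peer that shows up in `find_reconnect_loops` with a steady count of kernel encap complaints is the case the post describes, and `weak_transforms` is a reminder that the log's `3DES_0-HMAC_MD5` is a transform worth retiring once the legacy clients allow it.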