[Openswan Users] Help with ipsec/l2tpd and nat on client and
server
Chris Picton
chrisp at tangent.co.za
Mon Jul 10 16:09:50 CEST 2006
On Mon, 2006-07-10 at 14:46 +0200, Jacco de Leeuw wrote:
> Chris Picton wrote:
>
> >>>However, the server is now behind a natting gateway, which has a port
> >>>forward to forward all traffic to the server.
>
> Actually, you only have to forward UDP ports 500 and 4500.
What about protocol 50 as well?
> > When natting the server, I get the logs which are at the end (changed
> > from the logs from 2.1.5). The l2tp tunnel does not attempt to come up,
> > and the ipsec connection appears to come up, but immediately, starts the
> > connection again.
>
> There are no disconnect messages? So the client sets up a large
> number of connections? What does ipsec auto --status say?
There are no disconnect messages. Only when I press cancel on the
client, or when the client timeout and says the remote peer is
unreachable.
The logs go straight from
STATE_QUICK_R2: IPsec SA established
to 4 vendor ID lines, to
responding to Main Mode from unknown peer
again
I have added the output of ipsec auto --status at the end. I ran it
while the client was attempting to connect,
>
> > I am also seeing "udp_encap_rcv(): Unhandled UDP encap type: 1" in my
> > log files.
>
> It might be related to the RHEL3 issues:
> http://lists.debian.org/debian-testing/2004/04/msg00014.html
They dont seem to be fatal, as I get them when using the non-natted
connection as well.
[root at dovetail-fw root]# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface br0/br0 public.range.227
000 interface br0/br0 public.range.227
000 interface br0:1/br0:1 other.range.122
000 interface br0:1/br0:1 other.range.122
000 interface br0:2/br0:2 10.0.0.3
000 interface br0:2/br0:2 10.0.0.3
000 interface eth0/eth0 192.168.102.3
000 interface eth0/eth0 192.168.102.3
000 interface eth2/eth2 192.167.50.250
000 interface eth2/eth2 192.167.50.250
000 interface eth3/eth3 196.4.97.42
000 interface eth3/eth3 196.4.97.42
000 interface eth5/eth5 10.255.255.253
000 interface eth5/eth5 10.255.255.253
000 interface tap0/tap0 10.254.255.1
000 interface tap0/tap0 10.254.255.1
000 interface tun0/tun0 10.1.0.2
000 interface tun0/tun0 10.1.0.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "L2TP-PSK": public.range.227:17/1701---public.range.225...%
any:17/1701; unrouted; eroute owner: #0
000 "L2TP-PSK": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "L2TP-PSK": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL; prio: 32,32; interface:
br0;
000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-nat": 10.0.0.3:17/1701---10.0.0.2...%any:17/1701;
unrouted; eroute owner: #0
000 "L2TP-PSK-nat": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "L2TP-PSK-nat": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-nat": policy: PSK+ENCRYPT+TUNNEL; prio: 32,32;
interface: br0:2;
000 "L2TP-PSK-nat": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-nat"[2]:
10.0.0.3:17/1701---10.0.0.2...196.209.54.254[@vmwin]:17/1701; erouted;
eroute owner: #17
000 "L2TP-PSK-nat"[2]: srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "L2TP-PSK-nat"[2]: ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-nat"[2]: policy: PSK+ENCRYPT+TUNNEL; prio: 32,32;
interface: br0:2;
000 "L2TP-PSK-nat"[2]: newest ISAKMP SA: #16; newest IPsec SA: #17;
000 "L2TP-PSK-nat"[2]: IKE algorithm newest:
3DES_CBC_192-SHA1-MODP2048
000
000 #18: "L2TP-PSK-nat"[2] 196.209.54.254:500 STATE_MAIN_R1 (sent MR1,
expecting MI2); EVENT_RETRANSMIT in 10s; nodpd
000 #15: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3329s
000 #15: "L2TP-PSK-nat"[2] 196.209.54.254 esp.6cb71b15 at 196.209.54.254
esp.1f6e545f at 10.0.0.3
000 #14: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_REPLACE in 3329s; nodpd
000 #17: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3330s; newest IPSEC; eroute owner
000 #17: "L2TP-PSK-nat"[2] 196.209.54.254 esp.3f7ed30d at 196.209.54.254
esp.6e69aeda at 10.0.0.3
000 #16: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_REPLACE in 3330s; newest ISAKMP;
nodpd000 #11: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 479s; nodpd
000 #13: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3329s
000 #13: "L2TP-PSK-nat"[2] 196.209.54.254 esp.13d98354 at 196.209.54.254
esp.f5bdb20b at 10.0.0.3
000 #12: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_REPLACE in 3328s; nodpd
000
More information about the Users
mailing list