[Openswan Users] Help with ipsec/l2tpd and nat on client and server

Chris Picton chrisp at tangent.co.za
Mon Jul 10 16:09:50 CEST 2006


On Mon, 2006-07-10 at 14:46 +0200, Jacco de Leeuw wrote:
> Chris Picton wrote:
> 
> >>>However, the server is now behind a natting gateway, which has a port
> >>>forward to forward all traffic to the server.  
> 
> Actually, you only have to forward UDP ports 500 and 4500.

What about protocol 50 as well?

> > When natting the server, I get the logs which are at the end (changed
> > from the logs from 2.1.5).  The l2tp tunnel does not attempt to come up,
> > and the ipsec connection appears to come up, but immediately, starts the
> > connection again.
> 
> There are no disconnect messages? So the client sets up a large
> number of connections? What does ipsec auto --status say?

There are no disconnect messages.  Only when I press cancel on the
client, or when the client times out and says the remote peer is
unreachable.

The logs go straight from 
STATE_QUICK_R2: IPsec SA established
to 4 vendor ID lines, to
responding to Main Mode from unknown peer
again


I have added the output of ipsec auto --status at the end.  I ran it
while the client was attempting to connect.

> 
> > I am also seeing "udp_encap_rcv(): Unhandled UDP encap type: 1" in my
> > log files.
> 
> It might be related to the RHEL3 issues:
> http://lists.debian.org/debian-testing/2004/04/msg00014.html

They don't seem to be fatal, as I get them when using the non-natted
connection as well.


[root@dovetail-fw root]# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface br0/br0 public.range.227
000 interface br0/br0 public.range.227
000 interface br0:1/br0:1 other.range.122
000 interface br0:1/br0:1 other.range.122
000 interface br0:2/br0:2 10.0.0.3
000 interface br0:2/br0:2 10.0.0.3
000 interface eth0/eth0 192.168.102.3
000 interface eth0/eth0 192.168.102.3
000 interface eth2/eth2 192.167.50.250
000 interface eth2/eth2 192.167.50.250
000 interface eth3/eth3 196.4.97.42
000 interface eth3/eth3 196.4.97.42
000 interface eth5/eth5 10.255.255.253
000 interface eth5/eth5 10.255.255.253
000 interface tap0/tap0 10.254.255.1
000 interface tap0/tap0 10.254.255.1
000 interface tun0/tun0 10.1.0.2
000 interface tun0/tun0 10.1.0.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "L2TP-PSK": public.range.227:17/1701---public.range.225...%any:17/1701; unrouted; eroute owner: #0
000 "L2TP-PSK":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "L2TP-PSK":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK":   policy: PSK+ENCRYPT+TUNNEL; prio: 32,32; interface: br0;
000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-nat": 10.0.0.3:17/1701---10.0.0.2...%any:17/1701; unrouted; eroute owner: #0
000 "L2TP-PSK-nat":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "L2TP-PSK-nat":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-nat":   policy: PSK+ENCRYPT+TUNNEL; prio: 32,32; interface: br0:2;
000 "L2TP-PSK-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-nat"[2]: 10.0.0.3:17/1701---10.0.0.2...196.209.54.254[@vmwin]:17/1701; erouted; eroute owner: #17
000 "L2TP-PSK-nat"[2]:     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "L2TP-PSK-nat"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-nat"[2]:   policy: PSK+ENCRYPT+TUNNEL; prio: 32,32; interface: br0:2;
000 "L2TP-PSK-nat"[2]:   newest ISAKMP SA: #16; newest IPsec SA: #17;
000 "L2TP-PSK-nat"[2]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP2048
000
000 #18: "L2TP-PSK-nat"[2] 196.209.54.254:500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 10s; nodpd
000 #15: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3329s
000 #15: "L2TP-PSK-nat"[2] 196.209.54.254 esp.6cb71b15@196.209.54.254 esp.1f6e545f@10.0.0.3
000 #14: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3329s; nodpd
000 #17: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3330s; newest IPSEC; eroute owner
000 #17: "L2TP-PSK-nat"[2] 196.209.54.254 esp.3f7ed30d@196.209.54.254 esp.6e69aeda@10.0.0.3
000 #16: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3330s; newest ISAKMP; nodpd
000 #11: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 479s; nodpd
000 #13: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3329s
000 #13: "L2TP-PSK-nat"[2] 196.209.54.254 esp.13d98354@196.209.54.254 esp.f5bdb20b@10.0.0.3
000 #12: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3328s; nodpd
000
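As an added example (not part of the original post, and not Openswan code), a small Python checker for the symptom described in this thread: it parses the "000 #N:" state lines of ipsec auto --status and flags a peer that has piled up several established ISAKMP and IPsec SAs, which is what a client stuck re-negotiating instead of bringing up L2TP looks like. The embedded sample is a constructed, trimmed copy of the state lines in the status output above; the SA threshold is an assumption.

```python
"""Flag an IKE/IPsec re-negotiation loop in `ipsec auto --status` output.

Added example, not code from the original post or from Openswan. It parses
the "000 #N:" state lines and counts, per remote peer, how many established
ISAKMP (Main Mode) and IPsec (Quick Mode) SAs exist at the same time.
"""
import re
from collections import defaultdict

# Matches e.g.: 000 #15: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (...
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?:\[\d+\])? '
    r'(?P<peer>[\d.]+)(?::(?P<port>\d+))? (?P<state>STATE_\w+)'
)

# Constructed sample: a trimmed copy of the state lines in the status output above.
SAMPLE_STATUS = """\
000 #18: "L2TP-PSK-nat"[2] 196.209.54.254:500 STATE_MAIN_R1 (sent MR1, expecting MI2)
000 #15: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA established)
000 #15: "L2TP-PSK-nat"[2] 196.209.54.254 esp.6cb71b15@196.209.54.254 esp.1f6e545f@10.0.0.3
000 #14: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
000 #17: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA established)
000 #16: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
000 #11: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
000 #13: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_QUICK_R2 (IPsec SA established)
000 #12: "L2TP-PSK-nat"[2] 196.209.54.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
"""

def count_sas(status_text):
    """Return {peer: {"isakmp": n, "ipsec": n, "nat_t": bool}} for the given output."""
    peers = defaultdict(lambda: {"isakmp": 0, "ipsec": 0, "nat_t": False})
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # SPI lines, connection definitions, algorithm lists
        info = peers[m["peer"]]
        if m["state"] == "STATE_MAIN_R3":      # established ISAKMP (phase 1) SA
            info["isakmp"] += 1
        elif m["state"] == "STATE_QUICK_R2":   # established IPsec (phase 2) SA
            info["ipsec"] += 1
        if m["port"] == "4500":                # peer has floated to the NAT-T port
            info["nat_t"] = True
    return dict(peers)

def renegotiation_loops(status_text, max_sas=2):
    """Peers holding more than max_sas (assumed threshold) ISAKMP or IPsec SAs."""
    return sorted(peer for peer, c in count_sas(status_text).items()
                  if c["isakmp"] > max_sas or c["ipsec"] > max_sas)

if __name__ == "__main__":
    print(count_sas(SAMPLE_STATUS), renegotiation_loops(SAMPLE_STATUS))
```

On the sample above the peer 196.209.54.254 holds four ISAKMP and three IPsec SAs over UDP 4500 with no disconnect in between, so it is reported as looping.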
