[Openswan Users] NAT-ed Server Connected to Non-Nat-ed MS IPSec Road Warrior Not Working

Meron Lavie lavie at netvision.net.il
Sat Jul 15 19:30:47 CEST 2006


I have a Linux FC5 serving as a Gateway/Firewall/Openswan server, behind an
ADSL (PPPoE ?) modem/router. I want it to enable individual, dynamic IP
hosts (possibly NAT-ed) to be able to connect to my LAN - as authenticated
by PSK. As a first step, I tried to ensure I can make an IPSec/L2TP
connection from another internal client host on the same LAN from a
WinXP/SP2 client. This worked fine. Then, I tried to connect from a
non-NAT-ed external host, but that failed.

Please note that my configuration uses ADSL. This means that my true public
IP address (111.111.111.111) is being NAT-ed by my ISP to 10.0.0.1 via an
ADSL modem/router whose internal IP address is 10.0.0.138. My server then in
turn NATs to the 192.168.1.0/24 range for my LAN hosts.

The failure I encounter is that the MS IPSec client on the external W2K3/SP1
host keeps on showing "Connecting to 111.111.111.111", and in the
/var/log/secure log I see:
Jul 15 18:25:13 serverhostname pluto[971]: "L2TP-PSK-EXTERNAL"[1]
222.222.222.222 #1: Quick Mode I1 message is unacceptable because it uses a
previously used Message ID 0x98d0f8e0 (perhaps this is a duplicated packet)
Jul 15 18:25:13 serverhostname pluto[971]: "L2TP-PSK-EXTERNAL"[1]
222.222.222.222 #1: sending encrypted notification INVALID_MESSAGE_ID to
209.88.179.60:4500
Jul 15 18:25:13 serverhostname pluto[971]: | sending 68 bytes for
notification packet through eth0:4500 to 222.222.222.222:4500:
Jul 15 18:25:13 serverhostname pluto[971]: | next event
EVENT_NAT_T_KEEPALIVE in 16 seconds 

Could somebody please set me straight?

TIA

Lavie

==========================================
ADSL Router
External IP Address (real world public IP Address)  = 111.111.111.111/32
Internal IP Address: 10.0.0.138/8

==========================================
OPENSWAN SERVER / GATEWAY / FIREWALL (all from RPM binaries - no
self-compiles):
FC5 with the 2.6.17-1.2145_FC5 vanilla kernel
Linux Openswan U2.4.4
l2tpd.0.69-0.4.20051030.fc5
iptables v1.3.5 (configured to allow in UDP/500 and UDP/4500 from all
sources)
pppd 2.4.3
Address as presented to the ADSL router which expects/demands this address,
via eth0: 10.0.0.1/8
LAN Address, via eth1: 192.168.1.254/24

=========================================
EXTERNAL CLIENT:
W2K3 Server/SP1
Default MS IPSec client, configured for PSK.
Non-NAT-ed
IP Address = 222.222.222.222/32

=========================================
INTERNAL CLIENT:
WinXP/SP2
Default MS IPSec client, configured for PSK.
IP Address = 192.168.1.22/24

=========================================
IPSEC.CONF
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="control parsing"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn L2TP-PSK-INTERNAL
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=192.168.1.254
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        auto=add

conn L2TP-PSK-EXTERNAL
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=10.0.0.1
        leftnexthop=10.0.0.138
        leftid=10.0.0.1
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        rightid=222.222.222.222
        auto=add

include /etc/ipsec.d/*.conf
=========================================
L2TPD.CONF:
[global]
;listen-addr = 192.168.1.254

[lns default]
ip range = 192.168.1.128-192.168.1.253
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
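As an added example (not part of the post above, and not Openswan's own tooling), here is a small Python parser for pluto lines of the kind shown in the /var/log/secure excerpt. It separates the per-connection state lines ("conn"[instance] peer #SA: message) from the plutodebug lines prefixed with "| ", groups events by connection and peer, records every "previously used Message ID" rejection and every INVALID_MESSAGE_ID notification sent, and then reports peers whose Quick Mode exchange keeps being rejected at I1. The sample log lines are constructed to mirror the post's excerpt (the notification destination is assumed to be the same peer address); the regexes are assumptions about the log layout that hold for the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the /var/log/secure excerpt in the post.
# Each syslog record is one line; the mailing-list archive wrapped them.
SAMPLE_LOG = "\n".join([
    'Jul 15 18:25:13 serverhostname pluto[971]: "L2TP-PSK-EXTERNAL"[1] '
    '222.222.222.222 #1: Quick Mode I1 message is unacceptable because it uses '
    'a previously used Message ID 0x98d0f8e0 (perhaps this is a duplicated packet)',
    'Jul 15 18:25:13 serverhostname pluto[971]: "L2TP-PSK-EXTERNAL"[1] '
    '222.222.222.222 #1: sending encrypted notification INVALID_MESSAGE_ID to '
    '222.222.222.222:4500',
    'Jul 15 18:25:13 serverhostname pluto[971]: | sending 68 bytes for '
    'notification packet through eth0:4500 to 222.222.222.222:4500:',
    'Jul 15 18:25:13 serverhostname pluto[971]: | next event '
    'EVENT_NAT_T_KEEPALIVE in 16 seconds',
])

SYSLOG_PREFIX = (
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: '
)
# State lines: "<conn>"[<instance>] <peer> #<sa>: <message>
CONN_RE = re.compile(
    SYSLOG_PREFIX
    + r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? '
    r'(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) #(?P<sa>\d+): (?P<msg>.*)$'
)
# plutodebug lines are prefixed with "| "
DEBUG_RE = re.compile(SYSLOG_PREFIX + r'\| (?P<msg>.*)$')
MSGID_RE = re.compile(r'previously used Message ID (0x[0-9a-fA-F]+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (\w+) to (\S+)')


def parse_pluto_line(line):
    """Classify one syslog line written by pluto.

    Returns a dict with kind == "conn" (state line) or "debug", or None for
    lines that are not pluto output in either shape.
    """
    m = CONN_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "conn"
        return rec
    m = DEBUG_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "debug"
        return rec
    return None


def summarize(lines):
    """Group state-line events by (connection name, peer address)."""
    summary = defaultdict(lambda: {
        "sas": set(),                 # ISAKMP/IPsec state numbers seen (#N)
        "duplicate_msgids": [],       # Message IDs rejected as already used
        "notifications_sent": [],     # (notification name, destination)
    })
    for line in lines:
        rec = parse_pluto_line(line)
        if not rec or rec["kind"] != "conn":
            continue
        entry = summary[(rec["conn"], rec["peer"])]
        entry["sas"].add(int(rec["sa"]))
        dup = MSGID_RE.search(rec["msg"])
        if dup:
            entry["duplicate_msgids"].append(dup.group(1))
        notify = NOTIFY_RE.search(rec["msg"])
        if notify:
            entry["notifications_sent"].append((notify.group(1), notify.group(2)))
    return dict(summary)


def stalled_peers(summary, min_duplicates=1):
    """(conn, peer) keys whose Quick Mode I1 was rejected for a reused Message ID
    and answered with INVALID_MESSAGE_ID, i.e. negotiations stuck before phase 2."""
    stalled = []
    for key, entry in summary.items():
        rejected = len(entry["duplicate_msgids"]) >= min_duplicates
        notified = any(name == "INVALID_MESSAGE_ID"
                       for name, _ in entry["notifications_sent"])
        if rejected and notified:
            stalled.append(key)
    return stalled


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (conn, peer), entry in report.items():
        print(f"{conn} {peer}: SAs={sorted(entry['sas'])} "
              f"dup_msgids={entry['duplicate_msgids']} "
              f"notified={entry['notifications_sent']}")
    print("stalled:", stalled_peers(report))
```

Running it over a real /var/log/secure (for example, `summarize(open("/var/log/secure"))`) gives one entry per connection/peer pair. A single rejected Message ID can be an innocent retransmission, as pluto's own message suggests; the same ID being rejected repeatedly for one peer, each time followed by an INVALID_MESSAGE_ID notification, is the pattern to look for when a client sits at "Connecting to ..." without ever reaching phase 2.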
