[Openswan Users]
NAT-ed Server Connected to Non-Nat-ed MS IPSec Road Warrior Not
Working
Meron Lavie
lavie at netvision.net.il
Sat Jul 15 19:30:47 CEST 2006
I have a Linux FC5 serving as a Gateway/Firewall/Openswan server, behind an
ADSL (PPPoE ?) modem/router. I want it to enable individual, dynamic IP
hosts (possibly NAT-ed) to be able to connect to my LAN - as authenticated
by PSK. As a first step, I tried to ensure I can make an IPSec/L2ptd
connection from another internal client host on the same LAN from a
WinXP/SP2 client. This worked fine. Then, I tried to connect from a
non-NAT-ed external host, but that failed.
Please note that my configuration uses ADSL. This means that my true public
IP address (111.111.111.111) is being NAT-ed by my ISP to 10.0.0.1 via and
ADSL modem/router whose internal IP address is 10.0.0.138. My server then in
turn NATs to the 192.168.1.0/24 range for my LAN hosts.
The failure I encounter is that the MS IPSec client on the external W2K3/SP1
host keeps on showing "Connecting to 111.111.111.111", and in the
/var/log/secure log I see:
Jul 15 18:25:13 serverhostname pluto[971]: "L2TP-PSK-EXTERNAL"[1]
222.222.222.222 #1: Quick Mode I1 message is unacceptable because it uses a
previously used Message ID 0x98d0f8e0 (perhaps this is a duplicated packet)
Jul 15 18:25:13 serverhostname pluto[971]: "L2TP-PSK-EXTERNAL"[1]
222.222.222.222 #1: sending encrypted notification INVALID_MESSAGE_ID to
209.88.179.60:4500
Jul 15 18:25:13 serverhostname pluto[971]: | sending 68 bytes for
notification packet through eth0:4500 to 222.222.222.222:4500:
Jul 15 18:25:13 serverhostname pluto[971]: | next event
EVENT_NAT_T_KEEPALIVE in 16 seconds
Could somebody please set me straight?
TIA
Lavie
==========================================
ADSL Router
External IP Address (real world public IP Address) = 111.111.111.111/32
Internal IP Address: 10.0.0.138/8
==========================================
OPENSWAS SERVER / GATEWAY / FIREWALL (all from RPM binaries - no
self-compiles):
FC5 with the 2.6.17-1.2145_FC5 vanilla kernel
Linux Openswan U2.4.4
l2tpd.0.69-0.4.20051030.fc5
iptables v1.3.5 (configured to allow in UDP/500 and UDP/4500 from all
sources)
pppd 2.4.3
Address as presented to the ADSL router which expects/demands this address,
via eth0: 10.0.0.1/8
LAN Address, via eth1: 192.168.1.254/24
=========================================
EXTERNAL CLIENT:
W2K3 Server/SP1
Default MS IPSec client, configured for PSK.
Non-NAT-ed
IP Address = 222.222.222.222/32
=========================================
INTERNAL CLIENT:
WinXP/SP2
Default MS IPSec client, configured for PSK.
IP Address = 192.168.1.22/24
=========================================
IPSEC.CONF
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
plutodebug="control parsing"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192
.168.1.0/24
conn L2TP-PSK-INTERNAL
authby=secret
pfs=no
rekey=no
keyingtries=3
left=192.168.1.254
leftprotoport=17/%any
right=%any
rightprotoport=17/%any
auto=add
conn L2TP-PSK-EXTERNAL
authby=secret
pfs=no
rekey=no
keyingtries=3
left=10.0.0.1
leftnexthop=10.0.0.138
leftid=10.0.0.1
leftprotoport=17/%any
right=%any
rightprotoport=17/%any
rightid=222.222.222.222
auto=add
include /etc/ipsec.d/*.conf
=========================================
L2TPD.CONF:
[global]
;listen-addr = 192.168.1.254
[lns default]
ip range = 192.168.1.128-192.168.1.253
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
More information about the Users
mailing list