[Openswan Users] Far end behind destination NAT

Brian Candler B.Candler at pobox.com
Mon Mar 13 14:47:24 CET 2006


I think that NAT-T is not working when the far-end is behind destination NAT
and the near-end is behind source NAT. Here's the setup:

client                  x.x.x.x    p.p.p.p           10.11.2.13
openswan ---------> src ==================> dst --------------->PIX
                    NAT                     NAT               (xauth,
                    f/w  (public Internet)  f/w                modecfg)

This works if the client is Cisco's own VPN client for Linux, and also with
vpnc for FreeBSD. However with openswan 2.4.5rc5 I get:

root@OpenWrt:~# ipsec auto --verbose --up office
002 "office" #5: initiating Aggressive Mode #5, connection "office"
112 "office" #5: STATE_AGGR_I1: initiate
003 "office" #5: received Vendor ID payload [Cisco-Unity]
003 "office" #5: received Vendor ID payload [XAUTH]
003 "office" #5: received Vendor ID payload [Dead Peer Detection]
003 "office" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "office" #5: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
003 "office" #5: ignoring unknown Vendor ID payload [fd8369b2e0a36ff4856c969306366347]
003 "office" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "office" #5: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
002 "office" #5: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
003 "office" #5: no suitable connection for peer '10.11.2.13'
003 "office" #5: initial Aggressive Mode packet claiming to be from p.p.p.p on p.p.p.p but no connection has been authorized
218 "office" #5: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 "office" #5: sending notification INVALID_ID_INFORMATION to p.p.p.p:500

It seems not to have realised that 10.11.2.13 is not the same as p.p.p.p,
because the far end is behind NAT.

Logs with plutodebug="natt" don't really show much more:

Jan  3 22:06:35 (none) kern.debug pluto[8446]: | processing connection office
Jan  3 22:06:35 (none) kern.debug pluto[8446]: | processing connection office
Jan  3 22:06:35 (none) kern.warn pluto[8446]: "office" #5: initiating Aggressive Mode #5, connection "office"
Jan  3 22:06:35 (none) kern.debug pluto[8446]: | processing connection office
Jan  3 22:06:35 (none) kern.debug pluto[8446]: | nat add vid. port: 1 nonike: 1
Jan  3 22:06:36 (none) kern.debug pluto[8446]: | processing connection office
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [Cisco-Unity]
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [XAUTH]
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [Dead Peer Detection]
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: ignoring unknown Vendor ID payload [fd8369b2e0a36ff4856c969306366347]
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: no suitable connection for peer '10.11.2.13'
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: initial Aggressive Mode packet claiming to be from p.p.p.p on p.p.p.p but no connection has been authorized
Jan  3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: sending notification INVALID_ID_INFORMATION to p.p.p.p:500

The config is as follows:

conn office
        ike=3des-md5-modp1024
        aggrmode=yes
        authby=secret
        left=%defaultroute
        leftid=@testgroup
        leftxauthclient=yes
        leftmodecfgclient=yes
        right=p.p.p.p
        rightxauthserver=yes
        rightmodecfgserver=yes
        pfs=no
        auto=add

Is this a known issue? Is there any more debugging I can provide to help
isolate it?

Thanks,

Brian.
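A log-triage helper for the pluto output quoted above, added here as an example and not part of the post or of Openswan: it parses the Phase 1 lines, pairs the peer's claimed ID with the address its packets arrived from, and flags a private ID that differs from the packet source, which is what a responder behind destination NAT looks like from the initiator's side. The address 203.0.113.5 is a constructed stand-in for p.p.p.p.

```python
import ipaddress
import re

# Constructed sample: the pluto lines from the post, with 203.0.113.5 standing
# in for the peer's public address that the post shows as p.p.p.p.
SAMPLE_LOG = """\
002 "office" #5: initiating Aggressive Mode #5, connection "office"
003 "office" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
002 "office" #5: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
003 "office" #5: no suitable connection for peer '10.11.2.13'
003 "office" #5: initial Aggressive Mode packet claiming to be from 203.0.113.5 on 203.0.113.5 but no connection has been authorized
218 "office" #5: STATE_AGGR_I1: INVALID_ID_INFORMATION
"""

# Every pattern captures the connection name; search() lets the same patterns
# work on "ipsec auto" output and on syslog lines with a timestamp prefix.
CONN = r'"(?P<conn>[^"]+)" #\d+: '
PATTERNS = {
    "peer_id": re.compile(CONN + r"Aggressive mode peer ID is ID_IPV4_ADDR: '(?P<value>[\d.]+)'"),
    "src": re.compile(CONN + r"initial Aggressive Mode packet claiming to be from (?P<value>[\d.]+)"),
    "natt_offered": re.compile(CONN + r"received Vendor ID payload \[draft-ietf-ipsec-nat-t-ike-"),
    "rejected": re.compile(CONN + r".*INVALID_ID_INFORMATION"),
}


def triage(log: str) -> dict:
    """Per connection: the peer's claimed Phase 1 ID, the address its packets
    came from, whether NAT-T was offered, and whether pluto rejected the ID."""
    conns: dict = {}
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            entry = conns.setdefault(m.group("conn"), dict.fromkeys(PATTERNS, None))
            entry[key] = m.groupdict().get("value") or True
    for entry in conns.values():
        pid, src = entry["peer_id"], entry["src"]
        # A private ID that differs from the packet source is the signature of a
        # responder sitting behind destination NAT: the conn must match that ID.
        entry["id_mismatch"] = bool(pid and src and pid != src)
        entry["id_is_private"] = bool(pid and ipaddress.ip_address(pid).is_private)
        entry["likely_behind_nat"] = entry["id_mismatch"] and entry["id_is_private"]
    return conns


if __name__ == "__main__":
    for name, e in triage(SAMPLE_LOG).items():
        print(f"{name}: peer ID {e['peer_id']} from {e['src']}, NAT-T offered={e['natt_offered']}, "
              f"rejected={e['rejected']}, likely behind NAT={e['likely_behind_nat']}")
```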

