[Openswan Users] Far end behind destination NAT
Brian Candler
B.Candler at pobox.com
Mon Mar 13 14:47:24 CET 2006
I think that NAT-T is not working when the far-end is behind destination NAT
and the near-end is behind source NAT. Here's the setup:
client          x.x.x.x                    p.p.p.p         10.11.2.13
openswan ---------> src ==================> dst --------------->PIX
                    NAT                     NAT            (xauth,
                    f/w   (public Internet) f/w             modecfg)
This works if the client is Cisco's own VPN client for Linux, and also with
vpnc for FreeBSD. However with openswan 2.4.5rc5 I get:
root at OpenWrt:~# ipsec auto --verbose --up office
002 "office" #5: initiating Aggressive Mode #5, connection "office"
112 "office" #5: STATE_AGGR_I1: initiate
003 "office" #5: received Vendor ID payload [Cisco-Unity]
003 "office" #5: received Vendor ID payload [XAUTH]
003 "office" #5: received Vendor ID payload [Dead Peer Detection]
003 "office" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "office" #5: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
003 "office" #5: ignoring unknown Vendor ID payload [fd8369b2e0a36ff4856c969306366347]
003 "office" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "office" #5: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
002 "office" #5: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
003 "office" #5: no suitable connection for peer '10.11.2.13'
003 "office" #5: initial Aggressive Mode packet claiming to be from p.p.p.p on p.p.p.p but no connection has been authorized
218 "office" #5: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 "office" #5: sending notification INVALID_ID_INFORMATION to p.p.p.p:500
It seems not to have realised that 10.11.2.13 is not the same as p.p.p.p,
because the far end is behind NAT.
Logs with plutodebug="natt" don't really show much more:
Jan 3 22:06:35 (none) kern.debug pluto[8446]: | processing connection office
Jan 3 22:06:35 (none) kern.debug pluto[8446]: | processing connection office
Jan 3 22:06:35 (none) kern.warn pluto[8446]: "office" #5: initiating Aggressive Mode #5, connection "office"
Jan 3 22:06:35 (none) kern.debug pluto[8446]: | processing connection office
Jan 3 22:06:35 (none) kern.debug pluto[8446]: | nat add vid. port: 1 nonike: 1
Jan 3 22:06:36 (none) kern.debug pluto[8446]: | processing connection office
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [Cisco-Unity]
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [XAUTH]
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [Dead Peer Detection]
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: ignoring unknown Vendor ID payload [fd8369b2e0a36ff4856c969306366347]
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: no suitable connection for peer '10.11.2.13'
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: initial Aggressive Mode packet claiming to be from p.p.p.p on p.p.p.p but no connection has been authorized
Jan 3 22:06:36 (none) kern.warn pluto[8446]: "office" #5: sending notification INVALID_ID_INFORMATION to p.p.p.p:500
The config is as follows:
conn office
        ike=3des-md5-modp1024
        aggrmode=yes
        authby=secret
        left=%defaultroute
        leftid=@testgroup
        leftxauthclient=yes
        leftmodecfgclient=yes
        right=p.p.p.p
        rightxauthserver=yes
        rightmodecfgserver=yes
        pfs=no
        auto=add
Is this a known issue? Is there any more debugging I can provide to help
isolate it?
Thanks,
Brian.
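Added example (not from this post or the Openswan project): a small triage script that reads the pluto lines above and separates "peer behind NAT, asserting its private address as its ID" from other ID failures. It assumes the pluto message formats exactly as shown in the post, takes the conn's right= value as an argument, and uses the documentation address 198.51.100.7 in place of p.p.p.p; that pluto's expected peer ID is rightid= and defaults to the right= address is Openswan's ipsec.conf behaviour, not something the post states.

```python
import re
from ipaddress import ip_address

# Constructed sample: the decisive pluto lines from the post, with the public
# placeholder p.p.p.p replaced by the documentation address 198.51.100.7.
SAMPLE_LOG = """\
003 "office" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "office" #5: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
002 "office" #5: Aggressive mode peer ID is ID_IPV4_ADDR: '10.11.2.13'
003 "office" #5: no suitable connection for peer '10.11.2.13'
003 "office" #5: initial Aggressive Mode packet claiming to be from 198.51.100.7 on 198.51.100.7 but no connection has been authorized
218 "office" #5: STATE_AGGR_I1: INVALID_ID_INFORMATION
"""

NATT_VID_RE = re.compile(r"received Vendor ID payload \[(draft-ietf-ipsec-nat-t[^\]]*)\]")
PEER_ID_RE = re.compile(r"peer ID is (?P<idtype>\S+): '(?P<id>[^']+)'")
REJECT_RE = re.compile(r"no suitable connection for peer '")
SOURCE_RE = re.compile(r"packet claiming to be from (?P<claimed>\S+) on (?P<src>\S+)")

def parse_pluto(log_text):
    """Pull the ID-matching facts out of pluto's Aggressive Mode initiator log."""
    facts = {"natt_vid": None, "peer_id_type": None, "peer_id": None,
             "packet_src": None, "rejected": False}
    for line in log_text.splitlines():
        if m := NATT_VID_RE.search(line):
            facts["natt_vid"] = m.group(1)          # NAT-T draft the peer offered
        elif m := PEER_ID_RE.search(line):
            facts["peer_id_type"], facts["peer_id"] = m.group("idtype"), m.group("id")
        elif REJECT_RE.search(line):
            facts["rejected"] = True
        elif m := SOURCE_RE.search(line):
            facts["packet_src"] = m.group("src")    # address the IKE packet came from
    return facts

def diagnose(log_text, configured_right):
    """Classify the refusal; configured_right is the conn's right= value."""
    f = parse_pluto(log_text)
    if not f["rejected"]:
        return "accepted", f
    try:
        id_is_private = ip_address(f["peer_id"]).is_private
    except ValueError:          # no ID seen, or a non-address ID (FQDN etc.)
        return "id_mismatch", f
    # Packets arrive from the configured public address, yet the peer names itself
    # by a private address: its ID was chosen behind destination NAT, and pluto's
    # expected peer ID (rightid=, defaulting to right=) can never match it.
    if f["packet_src"] == configured_right and id_is_private:
        return "peer_behind_nat", f
    return "id_mismatch", f
```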