[Openswan Users]
Does the Openswan package on FC5 need the NAT-T patch?? VPN doesn't work!!
Frederico Madeira
fmadeira at gmail.com
Mon May 22 21:08:05 CEST 2006
I'm trying to make a road warrior connection but it doesn't work.
On the server I have this result:
[root at fw02 fred]# /usr/sbin/ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.15-1.1830_FC4 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support
[DISABLED]
[root at fw02 fred]#
On the road warrior client I got:
[root at notebook_02 ~]# ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.16-1.2111_FC5 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support
[DISABLED]
[root at notebook_02 ~]#
The server has a real IP; the client is behind a NAT on an ADSL link.
My ipsec.conf on the client is:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    nat_traversal=yes
    interfaces=%defaultroute
    #interfaces="ipsec0=eth0"
    virtual_private=%v4:192.168.0.0/24

include /etc/ipsec.d/*.conf

conn road
    left=%defaultroute # Gateway's information
    leftid=@note
    leftrsasigkey=
    right=200.199.xxx.xxx # Wildcard: we don't know
    rightsubnet=10.60.60.0/24
    rightid=@fw02
    rightrsasigkey=....
    auto=add # authorizes but doesn't start this
    # connection at startup
My ipsec.conf on the server is:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    # plutodebug="control parsing"
    nat_traversal=yes
    interfaces=%defaultroute
    #interfaces="ipsec0=eth0"

conn road
    left=200.199.xxx.xxx # Gateway's information
    leftid=@fw02
    leftsubnet=10.60.60.0/24
    leftrsasigkey=
    rightnexthop=%defaultroute
    right=%any
    rightid=@note
    rightrsasigkey=
    auto=add # authorizes but doesn't start this
    # connection at startup
When I start the road connection, I get this in /var/log/secure on the server:
May 22 19:00:08 fw02 pluto[18305]: "road"[1] 201.9.143.99: deleting
connection "road" instance with peer 201.9.143.99 {isakmp=#0/ipsec=#0}
May 22 19:00:08 fw02 pluto[18305]: packet from 201.9.143.99:61766:
received and ignored informational message
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500:
received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500:
received Vendor ID payload [Dead Peer Detection]
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500:
received Vendor ID payload [RFC 3947] method set to=109
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: responding
to Main Mode from unknown peer 201.9.143.99
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2:
STATE_MAIN_R1: sent MR1, expecting MI2
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2:
NAT-Traversal: Result using 3: peer is NATed
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2:
STATE_MAIN_R2: sent MR2, expecting MI3
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Main mode
peer ID is ID_FQDN: '@note'
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: I did not
send a certificate because I do not have one.
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 22 19:01:10 fw02 pluto[18305]: | NAT-T: new mapping
201.9.143.99:500/61949)
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: cannot
respond to IPsec SA request because no connection is known for
10.60.60.0/24===200.199.xxx.xxx[@fw02]...201.9.143.99[@note]===192.168.0.7/32
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending
encrypted notification INVALID_ID_INFORMATION to 201.9.143.99:61949
May 22 19:01:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Quick Mode
I1 message is unacceptable because it uses a previously used Message ID
0x1a75fa3d (perhaps this is a duplicated packet)
May 22 19:01:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending
encrypted notification INVALID_MESSAGE_ID to 201.9.143.99:61949
May 22 19:01:40 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Quick Mode
I1 message is unacceptable because it uses a previously used Message ID
0x1a75fa3d (perhaps this is a duplicated packet)
May 22 19:01:40 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending
encrypted notification INVALID_MESSAGE_ID to 201.9.143.99:61949
May 22 19:02:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: cannot
respond to IPsec SA request because no connection is known for
10.60.60.0/24===200.199.xxx.xxx[@fw02]...201.9.143.99[@note]===192.168.0.7/32
May 22 19:02:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending
encrypted notification INVALID_ID_INFORMATION to 201.9.143.99:61949
May 22 19:02:31 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Quick Mode
I1 message is unacceptable because it uses a previously used Message ID
0xa3061b07 (perhaps this is a duplicated packet)
May 22 19:02:31 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending
encrypted notification INVALID_MESSAGE_ID to 201.9.143.99:61949
May 22 19:02:36 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: received
Delete SA payload: deleting ISAKMP State #2
May 22 19:02:36 fw02 pluto[18305]: "road"[2] 201.9.143.99: deleting
connection "road" instance with peer 201.9.143.99 {isakmp=#0/ipsec=#0}
May 22 19:02:36 fw02 pluto[18305]: packet from 201.9.143.99:61949:
received and ignored informational message
I only installed the openswan package using yum. Do I need anything else??
What am I doing wrong??
Thanks.
Fred
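The server log above shows pluto deciding "peer is NATed" and then, in Quick Mode, rejecting the SA request because no connection matches a selector that ends in the client's own private address (192.168.0.7/32). The following Python script is an added example, not code from the original post or from the Openswan project: it parses those two log lines together with the gateway's ipsec.conf and reports the two settings Openswan uses to match a NATed road warrior that proposes its private address as its subnet, `virtual_private` in `config setup` and `rightsubnet=vhost:%priv,%no` on the conn. The sample log lines, the "as posted" config and the "fixed" config are constructed from the report above (the server address stays masked as in the post), and the exclusion in the fixed `virtual_private` is the example's own choice to keep the gateway's LAN out of the virtual range.

```python
"""Triage a pluto NAT-T road-warrior failure from the gateway's log lines and
ipsec.conf. Added example, not from the original post; the sample log and the
two configs below are constructed to mirror the report."""
import ipaddress
import re

# Constructed from the server log in the post, folded onto single lines.
SAMPLE_LOG = [
    'May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: '
    'NAT-Traversal: Result using 3: peer is NATed',
    'May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: cannot '
    'respond to IPsec SA request because no connection is known for '
    '10.60.60.0/24===200.199.xxx.xxx[@fw02]...201.9.143.99[@note]===192.168.0.7/32',
]

# Constructed: the gateway conn as posted (no virtual_private, no vhost:%priv).
SERVER_CONF_AS_POSTED = """\
config setup
    nat_traversal=yes
    interfaces=%defaultroute
conn road
    left=200.199.xxx.xxx
    leftid=@fw02
    leftsubnet=10.60.60.0/24
    right=%any
    rightid=@note
    auto=add
"""

# Constructed: the same conn with the two settings a NATed road warrior needs.
# The %v4:! entry excludes the gateway's own LAN from the virtual range.
SERVER_CONF_FIXED = """\
config setup
    nat_traversal=yes
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.60.60.0/24
conn road
    left=200.199.xxx.xxx
    leftid=@fw02
    leftsubnet=10.60.60.0/24
    right=%any
    rightid=@note
    rightsubnet=vhost:%priv,%no
    auto=add
"""

CONN_RE = re.compile(r'"([^"]+)"\[\d+\]')
NATED_RE = re.compile(r'NAT-Traversal: Result using \d+: peer is NATed')
REJECT_RE = re.compile(r'no connection is known for (\S+)')
ENDPOINT_RE = re.compile(r'^([^\[]+)(?:\[([^\]]*)\])?$')


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {'config setup': {...}, 'conn road': {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith(('config ', 'conn ')):
            current = line
            sections[current] = {}
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_conn_spec(spec):
    """Split pluto's 'LS===L[lid]...R[rid]===RS' selector string into parts."""
    parts = spec.split('===')
    if len(parts) == 3:
        left_subnet, middle, right_subnet = parts
    else:                                        # host-to-host: no subnets shown
        left_subnet, middle, right_subnet = None, parts[0], None
    left_ep, right_ep = middle.split('...')
    l_addr, l_id = ENDPOINT_RE.match(left_ep).groups()
    r_addr, r_id = ENDPOINT_RE.match(right_ep).groups()
    return {'left_subnet': left_subnet, 'left': l_addr, 'leftid': l_id,
            'right': r_addr, 'rightid': r_id, 'right_subnet': right_subnet}


def diagnose(log_lines, conf_text):
    """Return configuration findings that explain the Quick Mode rejection."""
    conf = parse_ipsec_conf(conf_text)
    setup = conf.get('config setup', {})
    findings = []
    if setup.get('nat_traversal') != 'yes':
        findings.append('config setup: nat_traversal is not yes')
    nated = any(NATED_RE.search(line) for line in log_lines)
    for line in log_lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        name = CONN_RE.search(line).group(1)
        spec = parse_conn_spec(m.group(1))
        conn = conf.get('conn ' + name, {})
        if spec['right_subnet'] is None:
            continue
        client_net = ipaddress.ip_network(spec['right_subnet'], strict=False)
        # A NATed peer proposing its own RFC1918 address as the subnet is the
        # virtual-private case: pluto needs both settings below to match it.
        if nated and client_net.is_private:
            if 'virtual_private' not in setup:
                findings.append('config setup: virtual_private is missing')
            if not conn.get('rightsubnet', '').startswith('vhost:%priv'):
                findings.append('conn %s: rightsubnet should be vhost:%%priv,%%no' % name)
    return findings


if __name__ == '__main__':
    for label, conf in (('as posted', SERVER_CONF_AS_POSTED), ('fixed', SERVER_CONF_FIXED)):
        print(label, '->', diagnose(SAMPLE_LOG, conf) or ['no findings'])
```

Run against the "as posted" config the script reports both missing settings; against the "fixed" config it reports nothing, which is the state to aim for before re-reading the server log for a new Quick Mode attempt.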