[Openswan Users] suspected ESPinUDP packet (NAT-Traversal) [1]

ihsanturkmen at hedefalliance.com.tr
Tue May 30 13:50:43 CEST 2006


Hi,

Two Openswan gateways are talking to each other. ISAKMP SA established and 
IPsec SA established. No problem at this stage, but NAT-T is not working. 
One of the gateways is behind a NAT device while the other uses a public IP 
address.

I get the following debug output.

May 30 12:37:03 vizyon kernel: klips_debug:ipsec_rcv: IKE packet - not handled here
May 30 12:37:33 vizyon kernel: klips_debug:ipsec_spi_get_info: buffer=0pd7b86000, *start=0p00000000, offset=0, length=3072
May 30 12:37:33 vizyon kernel: klips_debug:ipsec_spi_get_info: buffer=0pd7b86000, *start=0p00000000, offset=898, length=3072
May 30 12:37:33 vizyon kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].
May 30 12:37:33 vizyon kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:112 id:0 DF frag_off:0 ttl:57 proto:17 (UDP) chk:37785 saddr:212.64.209.131:500 daddr:10.34.253.253:500

Here is the status screen


[root@vizyon root]# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface ipsec0/eth1 10.34.253.253
000 interface ipsec0/eth1 10.34.253.253
000 %myid = (none)
000 debug nattraversal
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,72} attrs={0,2,48}
000
000 "Hedef": 10.34.5.0/24===10.34.253.253[81.214.55.178]---10.34.253.254...212.64.209.131===10.34.254.0/24; erouted; eroute owner: #2
000 "Hedef":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "Hedef":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Hedef":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "Hedef":   dpd: action:restart; delay:30; timeout:120;
000 "Hedef":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Hedef":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "Hedef":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "Hedef":   ESP algorithms loaded: 3_000-1, flags=-strict
000 "Hedef":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "Hedef":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25764s; newest IPSEC; eroute owner
000 #2: "Hedef" esp.9b76a7a9@212.64.209.131 esp.1b71fb5a@10.34.253.253 tun.1002@212.64.209.131 tun.1001@10.34.253.253
000 #1: "Hedef":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 850s; newest ISAKMP; lastdpd=25s(seq in:17211 out:0)


Help is appreciated.
Thanks in advance.



İhsan Türkmen
Hedef Alliance Holding A.Ş.
Information Systems Directorate

Namık Kemal Cad. Göztepe Mah.
Karanfil Sok. No: 62
34550 Bağcılar / İstanbul/TR
Tel : +90 (212) 445 50 95
Fax: +90 (212) 445 97 54
The information given in this e-mail and its attachments is private and confidential and concerns only the recipient named in the message.
All ideas, opinions and attached files in this message belong solely to the addressee, and Hedef Alliance Holding A.S. and/or its subsidiaries cannot be held responsible in any way. Our company cannot be held responsible for the message and its information reaching you altered or late, for any failure to preserve their integrity and confidentiality, for their containing viruses, or for any damage they may cause to your computer system.

This message and attachments are confidential and intended solely for the individual(s) stated in this message. This email is not intended to impose nor shall it be construed as imposing any legally binding obligation upon Hedef Alliance Holding A.S. and/or any of its subsidiaries or associated companies. Our company shall have no liability for any changes or late receiving,loss of integrity and confidentiality,viruses and any damages caused in anyway to your computer system.
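As an added triage aid (not part of the original post and not Openswan code), the script below parses the two artefacts the post quotes, the KLIPS `ipsec_rcv` debug lines and the `ipsec auto status` output, and checks the single thing that decides whether NAT-T is in play: whether any pluto state floated to UDP/4500. The sample input is constructed from the post's own lines, re-joined where the list archive wrapped them. Assumptions, stated here and in the code: in Openswan's status output the number after the connection name (`"Hedef":500`) is the peer's UDP port, and a port of 4500 means IKE floated to the RFC 3948 NAT-T encapsulation port; the `nat_traversal=` check it recommends is a suggestion, not a diagnosis drawn from the post.

```python
"""Triage helpers for an Openswan NAT-T problem: pull addresses and ports out of
KLIPS 'ipsec_rcv' debug lines and 'ipsec auto status', then check whether any
pluto state ever floated to UDP/4500 (assumed: port after the conn name is the
peer port; 4500 is the RFC 3948 encapsulation port)."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the KLIPS debug lines quoted in the post, re-joined.
KLIPS_LOG = """\
May 30 12:37:03 vizyon kernel: klips_debug:ipsec_rcv: IKE packet - not handled here
May 30 12:37:33 vizyon kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].
May 30 12:37:33 vizyon kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:112 id:0 DF frag_off:0 ttl:57 proto:17 (UDP) chk:37785 saddr:212.64.209.131:500 daddr:10.34.253.253:500
"""

# Constructed sample input: the relevant lines of the posted 'ipsec auto status'.
STATUS = """\
000 interface ipsec0/eth1 10.34.253.253
000 "Hedef": 10.34.5.0/24===10.34.253.253[81.214.55.178]---10.34.253.254...212.64.209.131===10.34.254.0/24; erouted; eroute owner: #2
000 #2: "Hedef":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25764s; newest IPSEC; eroute owner
000 #2: "Hedef" esp.9b76a7a9@212.64.209.131 esp.1b71fb5a@10.34.253.253 tun.1002@212.64.209.131 tun.1001@10.34.253.253
000 #1: "Hedef":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 850s; newest ISAKMP; lastdpd=25s(seq in:17211 out:0)
"""

NAT_T_PORT = 4500  # RFC 3948 UDP encapsulation port; IKE floats here once NAT-T is agreed

# Outer IP header as KLIPS prints it after inspecting a packet.
IP_LINE = re.compile(
    r"klips_debug:\s+IP:.*?tlen:(?P<tlen>\d+).*?ttl:(?P<ttl>\d+).*?proto:(?P<proto>\d+)"
    r".*?saddr:(?P<saddr>[\d.]+):(?P<sport>\d+)\s+daddr:(?P<daddr>[\d.]+):(?P<dport>\d+)"
)
# pluto state line: 000 #<sa>: "<conn>":<peer port> STATE_...
STATE_LINE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+)')
# connection summary: left_net===left_host[left_id]---nexthop...right_host[right_id]===right_net;
CONN_LINE = re.compile(
    r'^000 "(?P<conn>[^"]+)": (?P<lnet>\S+)===(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]'
    r"---(?P<nexthop>\S+?)\.\.\.(?P<rhost>[^\[\s=]+)(?:\[(?P<rid>[^\]]*)\])?===(?P<rnet>[^\s;]+);"
)


def parse_klips_ip_line(line: str) -> Optional[Dict[str, object]]:
    """Outer-header fields of a KLIPS 'IP:' debug line, or None if not one."""
    m = IP_LINE.search(line)
    if not m:
        return None
    return {k: (v if k in ("saddr", "daddr") else int(v)) for k, v in m.groupdict().items()}


def espinudp_packets(log: str) -> List[Dict[str, object]]:
    """Outer headers of the packets KLIPS flagged as 'suspected ESPinUDP'."""
    pkts, pending = [], False
    for line in log.splitlines():
        if "suspected ESPinUDP packet" in line:
            pending = True  # the header dump follows on the next IP: line
            continue
        if pending:
            hdr = parse_klips_ip_line(line)
            if hdr:
                pkts.append(hdr)
                pending = False
    return pkts


def parse_status_states(status: str) -> List[Dict[str, object]]:
    """ISAKMP/IPsec state lines with the peer port pluto is using for each."""
    states = []
    for line in status.splitlines():
        m = STATE_LINE.match(line)
        if m:
            states.append({"sa": int(m["sa"]), "conn": m["conn"],
                           "port": int(m["port"]), "state": m["state"]})
    return states


def parse_conn(status: str) -> Optional[Dict[str, Optional[str]]]:
    """First connection summary line: hosts, IDs, next hop and subnets."""
    for line in status.splitlines():
        m = CONN_LINE.match(line)
        if m:
            return m.groupdict()
    return None


def nat_t_floated(states: List[Dict[str, object]]) -> bool:
    """True if any state talks to the peer on UDP/4500 (NAT-T agreed and floated)."""
    return any(s["port"] == NAT_T_PORT for s in states)


def diagnose(log: str, status: str) -> Dict[str, object]:
    states, conn, pkts = parse_status_states(status), parse_conn(status), espinudp_packets(log)
    floated, findings = nat_t_floated(states), []
    if conn and conn["lid"] != conn["lhost"]:
        findings.append(f"local interface address {conn['lhost']} differs from local ID "
                        f"{conn['lid']}: consistent with this gateway sitting behind NAT")
    if not floated:  # assumed check, not a diagnosis taken from the post
        findings.append("no pluto state on UDP/4500: IKE never floated to the RFC 3948 NAT-T "
                        "port; check nat_traversal=yes on both peers and that they agree on a NAT-T version")
    for p in pkts:
        note = f"ESP-in-UDP from {p['saddr']}:{p['sport']} to {p['daddr']}:{p['dport']}"
        if p["dport"] != NAT_T_PORT:
            note += f" (arrived on UDP/{p['dport']}, not {NAT_T_PORT})"
        findings.append(note)
    return {"states": states, "conn": conn, "espinudp_packets": pkts,
            "nat_t_floated": floated, "findings": findings}


if __name__ == "__main__":
    for f in diagnose(KLIPS_LOG, STATUS)["findings"]:
        print("-", f)
```

Run it against a real `ipsec auto --status` and a `klipsdebug=rcv` log to get the same three-line summary; the interesting signal in the posted data is that ESP-in-UDP arrives on UDP/500 while every pluto state is still on port 500, so the two ends are not using the 4500 float that RFC 3948 NAT-T relies on.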

