[Openswan Users] VPN wxp-NAT-NAT-openswan
Miguel A. Felipe
michel at claudiofelipe.com
Fri Sep 15 18:26:07 EDT 2006
I'm having problems with this topic. I'm trying to make a VPN server capable of accepting connections from an ADSL line (Spain), with both sides NATted.
Roadwarrior-->Router1 ADSL (NAT)----------Internet----------Router2 ADSL---------FW,NAT,VPNGW------Internal Lan
IP Roadwarrior: 192.168.0.2 WINXP
Router1 Internal: 192.168.0.1
Router1 external: 80.1.1.1
Router2 internal 192.168.1.1
FW,NAT,VPNGW External: 192.168.1.2 (Linux, Debian, 2.6, openswan 2.4.6+dfsg-1), FW+NAT PUBLIC ADDRESS (Site2 external 83.3.4.5)
FW,NAT,VPNGW Internal: 172.23.2.1
Internal Lan: 172.23.2.0/28
I have configured the WXP client with PSK.
My ipsec.conf is:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nhelpers=0

conn claudiofelipe.com
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=83.3.4.5
    leftsubnet=192.168.0.2/32
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    auto=add

conn l2tp-psk-orgWIN2KXP
    authby=secret
    rekey=no
    pfs=no
    left=%defaultroute
    leftsubnet=83.3.4.5/32
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    rightsubnet=0.0.0.0/0
    auto=add

conn L2TP-PSK-EXTERNAL
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    auto=add

conn host.example.com
    rightsubnet=192.168.1.2/32

conn host.example.com-net
    leftsubnet=172.23.2.0/28
    rightsubnet=192.168.1.2/32

include /etc/ipsec.d/examples/no_oe.conf
And I can't connect; the error is:
Sep 15 22:46:59 hostname pluto[28185]: packet from 80.1.1.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 15 22:46:59 hostname pluto[28185]: packet from 80.1.1.1:500: ignoring Vendor ID payload [FRAGMENTATION]
Sep 15 22:46:59 hostname pluto[28185]: packet from 80.1.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Sep 15 22:46:59 hostname pluto[28185]: packet from 80.1.1.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: responding to Main Mode from unknown peer 80.1.1.1
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: Main mode peer ID is ID_FQDN: '@xxxxxxxxxxx'
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[1] 80.1.1.1 #1: switched from "l2tp-psk-orgWIN2KXP" to "l2tp-psk-orgWIN2KXP"
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: deleting connection "l2tp-psk-orgWIN2KXP" instance with peer 80.1.1.1 {isakmp=#0/ipsec=#0}
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: I did not send a certificate because I do not have one.
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 15 22:46:59 hostname pluto[28185]: | NAT-T: new mapping 80.1.1.1:500/4500)
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: cannot respond to IPsec SA request because no connection is known for 83.3.4.5/32===192.168.1.2:17/1701...80.1.1.1[@xxxxxxxxxxxxxxxx]:17/1701
Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: sending encrypted notification INVALID_ID_INFORMATION to 80.1.1.1:4500
Sep 15 22:47:00 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xda3024b3 (perhaps this is a duplicated packet)
Sep 15 22:47:00 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.1.1.1:4500
Sep 15 22:47:02 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xda3024b3 (perhaps this is a duplicated packet)
Sep 15 22:47:02 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.1.1.1:4500
Sep 15 22:47:06 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xda3024b3 (perhaps this is a duplicated packet)
Sep 15 22:47:06 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.1.1.1:4500
Sep 15 22:47:14 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xda3024b3 (perhaps this is a duplicated packet)
Sep 15 22:47:14 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.1.1.1:4500
Sep 15 22:47:17 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: received Delete SA payload: deleting ISAKMP State #1
Sep 15 22:47:17 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1: deleting connection "l2tp-psk-orgWIN2KXP" instance with peer 80.1.1.1 {isakmp=#0/ipsec=#0}
Does anyone know what is happening? I have read some posts and they said that it's impossible to create a VPN through a NATed roadwarrior and a NATed VPN GW.
Please help me, I'm a newbie working with openswan.
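The line that matters in the log above is pluto's "cannot respond to IPsec SA request because no connection is known for ...": it prints the exact selector pair the Windows client proposed in Quick Mode (local subnet===local address:proto/port...peer address[ID]:proto/port), and the failure means no loaded conn has a left/right subnet and protoport pair that equals it. The script below is an added example, not code from the original post or from Openswan: it parses that log line, reads the poster's conn definitions, and reports for each conn which of leftsubnet, leftprotoport, rightsubnet or rightprotoport disagrees with what the peer asked for. The matching rules are a simplified model of pluto's conn selection (an assumption for illustration, not pluto's real algorithm), the interface address that %defaultroute resolves to is passed in by hand (192.168.1.2 in this topology), and the embedded log line and config are constructed from the post (the two host.example.com stubs and the include are omitted).

```python
"""Explain pluto's "no connection is known for ..." by checking the selectors
the peer proposed in Quick Mode against each conn in ipsec.conf.  Added example,
not code from the original post or from Openswan; the matching rules are a
simplified model of pluto's conn selection, an assumption for illustration."""
import ipaddress
import re

# pluto prints the request as  lsub===lhost:proto/port...rhost[id]:proto/port[===rsub]
REQ_RE = re.compile(
    r"no connection is known for\s+(?P<lsub>[\d./]+)===(?P<lhost>[\d.]+)"
    r"(?::(?P<lpp>\d+/\d+))?\.\.\.(?P<rhost>[\d.]+)(?:\[(?P<rid>[^\]]*)\])?"
    r"(?::(?P<rpp>\d+/\d+))?(?:===(?P<rsub>[\d./]+))?")

def net(s):
    return ipaddress.ip_network(s, strict=False)

def parse_request(logline):
    """Proposed selectors as a dict, or None for any other log line."""
    m = REQ_RE.search(logline)
    if m:
        d = m.groupdict()
        d["rsub"] = d["rsub"] or d["rhost"] + "/32"  # no subnet -> the peer host
        return d

def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {'setup': {...}, conn_name: {key: value}}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            cur = sections.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return sections

def protoport_ok(conn_pp, req_pp):
    """Protocol must be identical; a conn port of 0 or %any accepts any port."""
    cproto, cport = (conn_pp or "0/0").split("/")
    rproto, rport = (req_pp or "0/0").split("/")
    return cproto == rproto and (cport in ("0", "%any") or cport == rport)

def right_subnet_ok(spec, req, vpriv):
    """rightsubnet unset: peer host only.  vhost:%no: peer host; %priv: a
    virtual /32 inside virtual_private.  Anything else: exact subnet match."""
    req_net, host_net = net(req["rsub"]), net(req["rhost"] + "/32")
    if spec is None:
        return req_net == host_net
    if spec.startswith("vhost:"):
        opts = spec[len("vhost:"):].split(",")
        if "%no" in opts and req_net == host_net:
            return True
        return "%priv" in opts and req_net.prefixlen == 32 and any(
            req_net.subnet_of(p) for p in vpriv)
    return req_net == net(spec)

def explain(conn, req, local_ip, vpriv):
    """List the reasons one conn fails to match the proposed selectors."""
    why = []
    left = conn.get("left", "%defaultroute")
    if left == "%defaultroute":
        left = local_ip  # what %defaultroute resolves to on this gateway (assumed)
    if left != req["lhost"]:
        why.append("left=%s but the request is for local address %s" % (left, req["lhost"]))
    lsub = conn.get("leftsubnet", left + "/32")
    if net(lsub) != net(req["lsub"]):
        why.append("leftsubnet=%s but the peer proposed %s" % (lsub, req["lsub"]))
    for side, key in (("left", "lpp"), ("right", "rpp")):
        pp = conn.get(side + "protoport")
        if not protoport_ok(pp, req[key]):
            why.append("%sprotoport=%s but the peer proposed %s" % (side, pp, req[key]))
    if not right_subnet_ok(conn.get("rightsubnet"), req, vpriv):
        why.append("rightsubnet=%s but the peer proposed %s" % (conn.get("rightsubnet"), req["rsub"]))
    return why

def diagnose(logline, conf_text, local_ip):
    """Map each conn name to its mismatches (an empty list means it would match)."""
    req, sections = parse_request(logline), parse_ipsec_conf(conf_text)
    vpriv = [net(v[4:]) for v in sections.get("setup", {}).get("virtual_private", "").split(",")
             if v.startswith("%v4:")]
    return {name: explain(conn, req, local_ip, vpriv)
            for name, conn in sections.items() if name != "setup"}

# Constructed sample: the poster's error line joined onto one line, and the three
# L2TP conns from the poster's ipsec.conf (authby/pfs/rekey/auto omitted: they do
# not affect selector matching).
SAMPLE_LOG = ('pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1: cannot respond to IPsec SA request '
              'because no connection is known for 83.3.4.5/32===192.168.1.2:17/1701...80.1.1.1[@xxxxxxxxxxxxxxxx]:17/1701')
SAMPLE_CONF = """config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
conn claudiofelipe.com
    left=83.3.4.5
    leftsubnet=192.168.0.2/32
    leftprotoport=17/%any
    rightprotoport=17/%any
conn l2tp-psk-orgWIN2KXP
    left=%defaultroute
    leftsubnet=83.3.4.5/32
    leftprotoport=17/0
    rightprotoport=17/1701
    rightsubnet=0.0.0.0/0
conn L2TP-PSK-EXTERNAL
    left=%defaultroute
    leftprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
"""
```

Running `diagnose(SAMPLE_LOG, SAMPLE_CONF, "192.168.1.2")` shows that no single conn covers the proposal: l2tp-psk-orgWIN2KXP has the right leftsubnet (83.3.4.5/32, the public address the NATed gateway is known by) but its rightsubnet=0.0.0.0/0 does not equal the peer host 80.1.1.1/32 that Windows proposed, while L2TP-PSK-EXTERNAL accepts the peer host via vhost:%no but has no leftsubnet, so it only matches 192.168.1.2/32. Read the output as a checklist of which parameter differs per conn; which of the conns should be edited is a policy decision for the gateway owner.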