[Openswan Users] VPN wxp-NAT-NAT-openswan

Miguel A. Felipe michel at claudiofelipe.com
Sat Sep 16 14:00:25 EDT 2006


I think I haven't explained enough....

The IP 83.3.4.5 is my public address (server) that is NATted in the
VPN,FW server, so router2 is not doing NAT, only forwarding packets to
the VPN,FW server.

Yes, I want to use l2tp

So I think left is my public address, don't you think so?
I have changed the configuration to this, and now it's doing more things...
ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0
conn l2tp-psk-orgWIN2KXP
        authby=secret
        rekey=no
        pfs=no
        left=%defaultroute
        leftsubnet=80.38.102.7/32
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no
        auto=add
include /etc/ipsec.d/examples/no_oe.conf

And now there are more messages than before.... but I still don't know what is
happening because it doesn't work..

Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
I did not send a certificate because I do not have one.
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:47 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
responding to Quick Mode {msgid:77e81a46}
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #59:
received Delete SA payload: deleting ISAKMP State #59
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
STATE_QUICK_R2: IPsec SA established {ESP=>0x2ea27051 <0x7446282c
xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [FRAGMENTATION]
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
I did not send a certificate because I do not have one.
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:48 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
responding to Quick Mode {msgid:40a9021c}
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #61:
received Delete SA payload: deleting ISAKMP State #61
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
STATE_QUICK_R2: IPsec SA established {ESP=>0x0af8b7e0 <0xaf3c6587
xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [FRAGMENTATION]
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
I did not send a certificate because I do not have one.
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:48 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
responding to Quick Mode {msgid:a77be722}
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #63:
received Delete SA payload: deleting ISAKMP State #63
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
STATE_QUICK_R2: IPsec SA established {ESP=>0x77cdeaf8 <0x7170d614
xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [FRAGMENTATION]
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
I did not send a certificate because I do not have one.
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:49 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #78:
responding to Quick Mode {msgid:a20af4da}
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #78:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #78:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #65:
received Delete SA payload: deleting ISAKMP State #65
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
received Delete SA(0x77cdeaf8) payload: deleting IPSEC State #76
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
received and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
received Delete SA(0x0af8b7e0) payload: deleting IPSEC State #74
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
received and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
received Delete SA payload: deleting ISAKMP State #77
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
received Delete SA payload: deleting ISAKMP State #75
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
received Delete SA payload: deleting ISAKMP State #73
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
received Delete SA payload: deleting ISAKMP State #71
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #69:
received Delete SA payload: deleting ISAKMP State #69
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #67:
received Delete SA payload: deleting ISAKMP State #67
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500:
Informational Exchange is for an unknown (expired?) SA
Sep 16 19:19:50 cf01fw01 last message repeated 35 times

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Saturday, 16 September 2006 8:11
To: Miguel A. Felipe
Cc: users at openswan.org
Subject: Re: [Openswan Users] VPN wxp-NAT-NAT-openswan

On Sat, 16 Sep 2006, Miguel A. Felipe wrote:

> I'm having problems with this topic; I'm trying to make a VPN server capable
> of accepting connections from an ADSL (Spain), both NATted

> IP Roadwarrior: 192.168.0.2 WINXP
> Router1 Internal: 192.168.0.1
> Router1 external: 80.1.1.1
> Router2 internal 192.168.1.1

> FW,NAT,VPNGW Internal: 172.23.2.1
> Internal Lan: 172.23.2.0/28

> conn claudiofelipe.com

>         left=83.3.4.5

Left should be your own IP address, not that of your router.

>         leftsubnet=192.168.0.2/32

Then you can leave this out too.

>         leftprotoport=17/%any

You want to use l2tp????

> conn l2tp-psk-orgWIN2KXP
>         authby=secret
>         rekey=no
>         pfs=no
>         left=%defaultroute
>         leftsubnet=83.3.4.5/32
>         leftprotoport=17/0

Don't use 17/0 anymore. Just don't support unpatched Windows clients.

>         rightprotoport=17/1701
>         rightsubnet=0.0.0.0/0

Don't use rightsubnet or leftsubnet with l2tp. The only valid
entry is a rightsubnet=vhost:%priv,%no to support NAT-T, on
the server end.

> Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1:
> cannot respond to IPsec SA request because no connection is known for
> 83.3.4.5/32===192.168.1.2:17/1701...80.1.1.1[@xxxxxxxxxxxxxxxx]:17/1701

I have no idea where 83.3.4.5/32 comes from. I thought both were behind NAT?
It looks like you have a double NAT on one end and a NAT on the other end.

> Does anyone knows whats happen, I have read some posts and they said that
> its impossible to create a VPN through a NATed roadwarrior and a NATed
> VPNGW,

You have picked the most complex possible situation I can think of. A
double NAT'ed (one end NAT'ed twice?), transport mode IPsec, PSK based
authentication l2tp connection.

Provided you get past the issues with respect to proper configuration on the
IPsec level, you'll have a hard time getting the MTUs working so that you
don't get packet fragmentation and kill your IPsec/l2tp packets. And that
is all provided your NAT routers don't NAT the IPsec packets by accident,
or 'help' with IPsec passthrough support.....

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
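As an added example (not part of this thread and not Openswan code), here is a small Python analyzer for pluto log lines like the ones quoted in the mail above. It rebuilds the lifecycle of every ISAKMP (phase 1) and IPsec (phase 2) state number and reports IPsec SAs that the peer deletes within seconds of being installed. That pattern, visible in the log above where Main Mode and Quick Mode both succeed and the Windows client then sends Delete SA a second later, suggests the remaining problem sits above IPsec (the L2TP side, MTU/fragmentation, or the NAT devices Paul mentions) rather than in the IKE configuration. The sample lines are a condensed copy of the post's log with the mail client's line wrapping undone; the 10-second threshold and the verdict strings are my own choices, not anything pluto emits.

```python
import re

# Constructed sample: a condensed, unwrapped subset of the pluto lines quoted in the
# mail above (timestamps, state numbers and SPIs are the ones from the post).
SAMPLE_LOG = """\
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72: responding to Quick Mode {msgid:77e81a46}
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72: STATE_QUICK_R2: IPsec SA established {ESP=>0x2ea27051 <0x7446282c xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75: responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76: responding to Quick Mode {msgid:a77be722}
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76: STATE_QUICK_R2: IPsec SA established {ESP=>0x77cdeaf8 <0x7170d614 xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75: received Delete SA(0x77cdeaf8) payload: deleting IPSEC State #76
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75: received Delete SA payload: deleting ISAKMP State #75
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: received Delete SA payload: deleting ISAKMP State #71
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: Informational Exchange is for an unknown (expired?) SA
"""

# syslog prefix -> timestamp plus the pluto message body
LINE_RE = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} (?P<time>\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<rest>.*)$')
# "conn"[instance] peer #state: message
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<num>\d+): (?P<msg>.*)$')
DELETE_RE = re.compile(r'^received Delete SA(?:\((?P<spi>0x[0-9a-f]+)\))? payload: '
                       r'deleting (?P<kind>ISAKMP|IPSEC) State #(?P<target>\d+)$')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+)')


def _secs(hhmmss):
    """Seconds since midnight; enough for deltas within one syslog day."""
    h, m, s = (int(x) for x in hhmmss.split(':'))
    return h * 3600 + m * 60 + s


def analyze(log_text, short_lived_seconds=10):
    """Rebuild the lifecycle of every ISAKMP (phase 1) and IPsec (phase 2) state pluto logged."""
    isakmp, ipsec = {}, {}
    unknown_sa_informational = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        t, rest = _secs(m.group('time')), m.group('rest')
        if 'Informational Exchange is for an unknown' in rest:
            unknown_sa_informational += 1   # peer still refers to SAs we already dropped
            continue
        s = STATE_RE.match(rest)
        if not s:
            continue
        num, msg = int(s.group('num')), s.group('msg')
        if msg.startswith('responding to Main Mode'):
            isakmp[num] = {'start': t, 'established': None, 'deleted': None, 'peer_nated': False}
        elif 'peer is NATed' in msg and num in isakmp:
            isakmp[num]['peer_nated'] = True
        elif 'ISAKMP SA established' in msg and num in isakmp:
            isakmp[num]['established'] = t
        elif msg.startswith('responding to Quick Mode'):
            ipsec[num] = {'start': t, 'established': None, 'deleted': None, 'spi_out': None}
        elif 'IPsec SA established' in msg and num in ipsec:
            ipsec[num]['established'] = t
            spi = SPI_RE.search(msg)
            ipsec[num]['spi_out'] = spi.group(1) if spi else None
        else:
            d = DELETE_RE.match(msg)
            if d:
                table = isakmp if d.group('kind') == 'ISAKMP' else ipsec
                target = int(d.group('target'))
                if target in table:
                    table[target]['deleted'] = t
    # IPsec SAs that came up and were torn down by the peer within the threshold
    short_lived = sorted(
        n for n, e in ipsec.items()
        if e['established'] is not None and e['deleted'] is not None
        and e['deleted'] - e['established'] <= short_lived_seconds)
    return {
        'isakmp_total': len(isakmp),
        'isakmp_established': sum(1 for e in isakmp.values() if e['established'] is not None),
        'ipsec_established': sum(1 for e in ipsec.values() if e['established'] is not None),
        'short_lived_ipsec': short_lived,
        'peer_nated': any(e['peer_nated'] for e in isakmp.values()),
        'unknown_sa_informational': unknown_sa_informational,
    }


def diagnose(summary):
    """Point the troubleshooter at the layer where the log says the problem starts."""
    if summary['isakmp_established'] == 0:
        return 'IKE phase 1 never completes: check PSK, left/right and NAT-T before anything else'
    if summary['ipsec_established'] == 0:
        return 'Phase 1 completes but no IPsec SA: check leftprotoport/rightprotoport/rightsubnet'
    if summary['short_lived_ipsec']:
        return ('IKE completes and the IPsec SA is installed, but the peer deletes it within seconds '
                '(states %s): IPsec is up, so look at the L2TP layer, MTU/fragmentation and the NAT '
                'devices instead of ipsec.conf' % summary['short_lived_ipsec'])
    return 'SAs come up and stay up'


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for key, value in result.items():
        print('%-26s %s' % (key, value))
    print(diagnose(result))
```

Run it against a real /var/log/secure (or wherever pluto logs) by passing the file contents to analyze(); the wrapped lines in the mail above must be rejoined first, since the regexes expect one syslog record per line.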