[Openswan Users] VPN wxp-NAT-NAT-openswan

Miguel A. Felipe michel at claudiofelipe.com
Sat Sep 16 14:12:35 EDT 2006


I forgot to change leftprotoport=17/0 to 17/%any, and now I'm getting error
messages when starting Pluto. Do you think I have to change the virtual_private
line to something across my networks?:

Sep 16 20:05:35 cf01fw01 ipsec_setup: ...Openswan IPsec started
Sep 16 20:05:35 cf01fw01 ipsec_setup: Starting Openswan IPsec 2.4.6...
Sep 16 20:05:35 cf01fw01 ipsec_setup: insmod
/lib/modules/2.6.15-1-686-smp/kernel/net/key/af_key.ko 
Sep 16 20:05:35 cf01fw01 ipsec_setup: insmod
/lib/modules/2.6.15-1-686-smp/kernel/net/ipv4/xfrm4_tunnel.ko 
Sep 16 20:05:35 cf01fw01 ipsec_setup: insmod
/lib/modules/2.6.15-1-686-smp/kernel/net/xfrm/xfrm_user.ko 
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: /usr/lib/ipsec/_plutorun: line
217: 26564 Aborted                 /usr/lib/ipsec/pluto --nofork
--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto
--uniqueids --nat_traversal --virtual_private
%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --nhelpers 0
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 003 ASSERTION FAILED at
connections.c:1382: isanyaddr(&c->spd.that.host_addr)
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 %myid = (none)
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 debug none
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000  
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP encrypt: id=2,
name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP encrypt: id=3,
name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP encrypt: id=7,
name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP encrypt: id=11,
name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP encrypt: id=12,
name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP encrypt: id=252,
name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP encrypt: id=253,
name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP auth attr: id=1,
name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP auth attr: id=2,
name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP auth attr: id=5,
name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm ESP auth attr:
id=251, name=(null), keysizemin=0, keysizemax=0
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000  
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE encrypt: id=5,
name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE hash: id=1,
name=OAKLEY_MD5, hashsize=16
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE hash: id=2,
name=OAKLEY_SHA1, hashsize=20
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE dh group: id=2,
name=OAKLEY_GROUP_MODP1024, bits=1024
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE dh group: id=15,
name=OAKLEY_GROUP_MODP3072, bits=3072
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000  
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 stats db_ops.c: {curr_cnt,
total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000  
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 "l2tp-psk-orgWIN2KXP":
%any:17/1701...192.168.1.2:17/%any===83.3.4.5/32; unrouted; eroute owner: #0
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 "l2tp-psk-orgWIN2KXP":
srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 "l2tp-psk-orgWIN2KXP":
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 "l2tp-psk-orgWIN2KXP":
policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: ; 
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000 "l2tp-psk-orgWIN2KXP":
newest ISAKMP SA: #0; newest IPsec SA: #0; 
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000  
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: 000  
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: ...could not add conn
"l2tp-psk-orgWIN2KXP"
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: whack: is Pluto running?
connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: !pluto failure!:  exited with
error status 134 (signal 6)
Sep 16 20:05:37 cf01fw01 ipsec__plutorun: restarting IPsec after pause...

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Miguel A. Felipe
Sent: Saturday, 16 September 2006 20:00
To: 'Paul Wouters'
Cc: users at openswan.org
Subject: Re: [Openswan Users] VPN wxp-NAT-NAT-openswan

I think I haven't explained enough...

The IP 83.3.4.5 is my public address (server) that is NATted on the
VPN,FW server, so router2 is not doing NAT, only forwarding packets to
the VPN,FW server.

Yes, I want to use l2tp

So I think left is my public address, don't you think so?
I have changed the configuration to this, and now it's doing more things...
ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0
conn l2tp-psk-orgWIN2KXP
        authby=secret
        rekey=no
        pfs=no
        left=%defaultroute
        leftsubnet=80.38.102.7/32
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no
        auto=add
include /etc/ipsec.d/examples/no_oe.conf

And now there are more messages than before, but I still don't know what is
happening because it doesn't work...

Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
I did not send a certificate because I do not have one.
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:47 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
responding to Quick Mode {msgid:77e81a46}
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #59:
received Delete SA payload: deleting ISAKMP State #59
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72:
STATE_QUICK_R2: IPsec SA established {ESP=>0x2ea27051 <0x7446282c
xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [FRAGMENTATION]
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Sep 16 19:19:47 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
I did not send a certificate because I do not have one.
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:48 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
responding to Quick Mode {msgid:40a9021c}
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #61:
received Delete SA payload: deleting ISAKMP State #61
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74:
STATE_QUICK_R2: IPsec SA established {ESP=>0x0af8b7e0 <0xaf3c6587
xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [FRAGMENTATION]
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Sep 16 19:19:48 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
I did not send a certificate because I do not have one.
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:48 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
responding to Quick Mode {msgid:a77be722}
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #63:
received Delete SA payload: deleting ISAKMP State #63
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #76:
STATE_QUICK_R2: IPsec SA established {ESP=>0x77cdeaf8 <0x7170d614
xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [FRAGMENTATION]
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Sep 16 19:19:49 cf01fw01 pluto[3035]: packet from 80.1.1.1:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
Main mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
I did not send a certificate because I do not have one.
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 16 19:19:49 cf01fw01 pluto[3035]: | NAT-T: new mapping
80.1.1.1:500/4500)
Sep 16 19:19:49 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #78:
responding to Quick Mode {msgid:a20af4da}
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #78:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #78:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #65:
received Delete SA payload: deleting ISAKMP State #65
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
received Delete SA(0x77cdeaf8) payload: deleting IPSEC State #76
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
received and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
received Delete SA(0x0af8b7e0) payload: deleting IPSEC State #74
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
received and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #77:
received Delete SA payload: deleting ISAKMP State #77
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #75:
received Delete SA payload: deleting ISAKMP State #75
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73:
received Delete SA payload: deleting ISAKMP State #73
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71:
received Delete SA payload: deleting ISAKMP State #71
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #69:
received Delete SA payload: deleting ISAKMP State #69
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #67:
received Delete SA payload: deleting ISAKMP State #67
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: received
and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500:
Informational Exchange is for an unknown (expired?) SA
Sep 16 19:19:50 cf01fw01 last message repeated 35 times
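The log above shows the same pattern repeating: Main Mode completes, Quick Mode installs an IPsec SA, and within a second or two the peer sends Delete SA payloads and starts over. When a pluto log runs to hundreds of lines, a short parser that tracks each state number from "established" to "deleting ... State #N" makes that churn visible at a glance. The following script is an added example for this thread, not code from Openswan or from the posters; it assumes the pluto 2.4.x syslog format seen above, and SAMPLE_LOG is constructed from the thread's lines (wrapped lines re-joined, some lines dropped).

```python
"""Summarise ISAKMP/IPsec SA churn from Openswan pluto syslog output.

Added example for this thread, not Openswan code. Assumes the pluto 2.4.x
log format shown in the thread; SAMPLE_LOG is constructed from those lines.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, based on the thread's log (wrapped lines re-joined).
SAMPLE_LOG = """\
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: responding to Main Mode from unknown peer 80.1.1.1
Sep 16 19:19:46 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:47 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #72: STATE_QUICK_R2: IPsec SA established {ESP=>0x2ea27051 <0x7446282c xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:47 cf01fw01 pluto[3035]: | NAT-T: new mapping 80.1.1.1:500/4500)
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 16 19:19:48 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #74: STATE_QUICK_R2: IPsec SA established {ESP=>0x0af8b7e0 <0xaf3c6587 xfrm=3DES_0-HMAC_MD5 NATD=80.1.1.1:4500 DPD=none}
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73: received Delete SA(0x0af8b7e0) payload: deleting IPSEC State #74
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73: received and ignored informational message
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #73: received Delete SA payload: deleting ISAKMP State #73
Sep 16 19:19:50 cf01fw01 pluto[3035]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #71: received Delete SA payload: deleting ISAKMP State #71
Sep 16 19:19:50 cf01fw01 pluto[3035]: packet from 80.1.1.1:4500: Informational Exchange is for an unknown (expired?) SA
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: rest"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: (?P<rest>.*)$"
)
# per-state messages: '"conn"[n] peer #state: message'
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<st>\d+): (?P<msg>.*)$')
ISAKMP_DEL = re.compile(r"deleting ISAKMP State #(\d+)")
IPSEC_DEL = re.compile(r"deleting IPSEC State #(\d+)")


def parse_ts(ts):
    # syslog timestamps carry no year; only deltas between lines are used
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def summarise(lines, max_lifetime=5):
    """Return {peer: counters}; an SA deleted within max_lifetime seconds of
    being established is recorded as short-lived (state number, kind, age)."""
    peers = defaultdict(lambda: {"nated": False, "isakmp_established": 0,
                                 "ipsec_established": 0, "isakmp_deleted": 0,
                                 "ipsec_deleted": 0, "short_lived": []})
    established = {}  # state number -> (kind, timestamp)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s = STATE_RE.match(m.group("rest"))
        if not s:
            continue  # "packet from ..." and "| NAT-T ..." lines carry no state number
        ts = parse_ts(m.group("ts"))
        peer, st, msg = s.group("peer"), int(s.group("st")), s.group("msg")
        p = peers[peer]
        if "peer is NATed" in msg:
            p["nated"] = True
        elif "ISAKMP SA established" in msg:
            p["isakmp_established"] += 1
            established[st] = ("ISAKMP", ts)
        elif "IPsec SA established" in msg:
            p["ipsec_established"] += 1
            established[st] = ("IPsec", ts)
        else:
            d = ISAKMP_DEL.search(msg) or IPSEC_DEL.search(msg)
            if d:
                victim = int(d.group(1))  # the deleted state, not the reporting one
                kind = "ISAKMP" if "ISAKMP" in d.group(0) else "IPsec"
                p[kind.lower() + "_deleted"] += 1
                if victim in established:
                    up_kind, up_ts = established.pop(victim)
                    age = int((ts - up_ts).total_seconds())
                    if age <= max_lifetime:
                        p["short_lived"].append((victim, up_kind, age))
    return dict(peers)


def analyse_sample():
    return summarise(SAMPLE_LOG.splitlines())


def report(summary):
    out = []
    for peer, p in summary.items():
        out.append(f"{peer}: NATed={p['nated']} ISAKMP up/down={p['isakmp_established']}/"
                   f"{p['isakmp_deleted']} IPsec up/down={p['ipsec_established']}/{p['ipsec_deleted']}")
        for st, kind, age in p["short_lived"]:
            out.append(f"  #{st} {kind} SA torn down after {age}s")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyse_sample()))
```

Run against a real `/var/log/auth.log` (or wherever pluto logs), a peer whose IPsec SAs are torn down seconds after being installed, while the IKE side keeps succeeding, points at a Phase 2 or L2TP-layer problem rather than at authentication; that is the situation the thread's log shows.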

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Saturday, 16 September 2006 8:11
To: Miguel A. Felipe
Cc: users at openswan.org
Subject: Re: [Openswan Users] VPN wxp-NAT-NAT-openswan

On Sat, 16 Sep 2006, Miguel A. Felipe wrote:

> I'm having problems with this topic, I'm trying to make a VPN server capable
> of accepting connections from an ADSL (Spain), both NATted

> IP Roadwarrior: 192.168.0.2 WINXP
> Router1 Internal: 192.168.0.1
> Router1 external: 80.1.1.1
> Router2 internal 192.168.1.1

> FW,NAT,VPNGW Internal: 172.23.2.1
> Internal Lan: 172.23.2.0/28

> conn claudiofelipe.com

>         left=83.3.4.5

Left should be your own IP address, not the one of your router

>         leftsubnet=192.168.0.2/32

Then you can leave this out too.

>         leftprotoport=17/%any

You want to use l2tp????

> conn l2tp-psk-orgWIN2KXP
>         authby=secret
>         rekey=no
>         pfs=no
>         left=%defaultroute
>         leftsubnet=83.3.4.5/32
>         leftprotoport=17/0

Don't use 17/0 anymore. Just don't support unpatched Windows clients.

>         rightprotoport=17/1701
>         rightsubnet=0.0.0.0/0

Don't use rightsubnet or leftsubnet with l2tp. The only valid
entry is a rightsubnet=vhost:%priv,%no to support NAT-T, on
the server end.

> Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1
#1:
> cannot respond to IPsec SA request because no connection is known for
> 83.3.4.5/32===192.168.1.2:17/1701...80.1.1.1[@xxxxxxxxxxxxxxxx]:17/1701

I have no idea where 83.3.4.5/32 comes from. I thought both were behind NAT?
It looks like you have a double NAT on one end and a NAT on the other end.

> Does anyone know what's happening? I have read some posts and they said that
> it's impossible to create a VPN through a NATed roadwarrior and a NATed
> VPNGW,

You have picked the most complex possible situation I can think of. A
double NAT'ed (one end NAT'ed twice?), transport mode IPsec, PSK based
authentication l2tp connection.

Provided you get past the issues with respect to proper configuration on the
IPsec level, you'll have a hard time getting the MTUs working so that you
don't get packet fragmentation and kill your IPsec/l2tp packets. And that
is all provided your NAT routers don't NAT the IPsec packets by accident,
or 'help' with IPsec passthrough support...

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
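Paul's three points about an L2TP conn (no 17/0 protoport, no leftsubnet, and rightsubnet only as vhost:%priv,%no on the server end) are easy to check mechanically before restarting pluto. The following script is an added example for this thread, not code from Openswan or from either poster: it parses an ipsec.conf 2.0 file into its config/conn sections and flags exactly those three settings. Both sample configurations are constructed from the ones posted in the thread; the l2tp detection rule (a protoport naming port 1701) and the finding messages are this example's own assumptions.

```python
"""Lint ipsec.conf L2TP conns against the advice given in this thread.

Added example, not Openswan code. Assumes the ipsec.conf 2.0 layout used in
the thread: unindented 'config setup' / 'conn NAME' headers, indented
key=value lines, '#' comments, 'version' and 'include' lines ignored.
"""

# Constructed from the second configuration Miguel posted.
SECOND_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0
conn l2tp-psk-orgWIN2KXP
        authby=secret
        rekey=no
        pfs=no
        left=%defaultroute
        leftsubnet=80.38.102.7/32
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no
        auto=add
include /etc/ipsec.d/examples/no_oe.conf
"""

# Constructed from the first configuration, as quoted in Paul's reply.
FIRST_CONF = """\
conn l2tp-psk-orgWIN2KXP
        authby=secret
        rekey=no
        pfs=no
        left=%defaultroute
        leftsubnet=83.3.4.5/32
        leftprotoport=17/0
        rightprotoport=17/1701
        rightsubnet=0.0.0.0/0
"""

VALID_L2TP_RIGHTSUBNET = "vhost:%priv,%no"


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}, ...}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments (no '#' inside values assumed)
        if not line.strip():
            continue
        if line[0] not in " \t":  # unindented: section header, version or include
            words = line.split()
            if words[0] in ("config", "conn") and len(words) >= 2:
                current = words[0] + " " + words[1]
                sections[current] = {}
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def is_l2tp_conn(kv):
    # assumption: a conn whose protoport names UDP 1701 is an L2TP/IPsec conn
    return any("1701" in kv.get(k, "") for k in ("leftprotoport", "rightprotoport"))


def lint_l2tp(sections):
    """Return (conn, offending setting, advice) for each problem found."""
    findings = []
    for name, kv in sections.items():
        if not name.startswith("conn ") or not is_l2tp_conn(kv):
            continue
        for side in ("left", "right"):
            pp = kv.get(side + "protoport", "")
            if pp == "17/0":
                findings.append((name, f"{side}protoport={pp}",
                                 "17/0 only exists for unpatched Windows clients; don't use it"))
        if "leftsubnet" in kv:
            findings.append((name, f"leftsubnet={kv['leftsubnet']}",
                             "don't use leftsubnet with l2tp"))
        rs = kv.get("rightsubnet")
        if rs is not None and rs != VALID_L2TP_RIGHTSUBNET:
            findings.append((name, f"rightsubnet={rs}",
                             f"only rightsubnet={VALID_L2TP_RIGHTSUBNET} is valid (server end, NAT-T)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("first", FIRST_CONF), ("second", SECOND_CONF)):
        for conn, setting, advice in lint_l2tp(parse_ipsec_conf(conf)):
            print(f"{label}: {conn}: {setting}: {advice}")
```

Point it at a real file with `lint_l2tp(parse_ipsec_conf(open("/etc/ipsec.conf").read()))`; note that it does not follow `include` lines, so conns defined in included files must be linted separately.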
