[Openswan Users] Linux IPsec client

Xunhua Wang wangxx at jmu.edu
Tue Sep 26 17:41:36 EDT 2006 

Thank you and Paul for the replies.

> -----Original Message-----
> From: Jacco de Leeuw [mailto:jacco2 at dds.nl]
> Sent: Tuesday, September 26, 2006 4:39 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Linux IPsec client
> 
> Xunhua Wang wrote:
> 
> > Sep 26 14:32:27 localhost pluto[3418]: packet from 68.235.168.219:500:
> > ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]
> > Sep 26 14:32:27 localhost pluto[3418]: packet from 68.235.168.219:500:
> > received Vendor ID payload [Dead Peer Detection]
> 
> No NAT-Traversal vendor IDs? There's also no NAT-T negotiation result.

My mistake. I revised the _client_ side ipsec.conf as follows:

---------- CLIENT SIDE ipsec.conf BEGINS ----------

# Configuration for connecting to an L2TP/IPsec server,
# for example Windows 2003 Server.
#
# Authenticates through certificates. The Linux client can be
# behind NAT or not.
version 2.0
    
config setup
       interfaces=%defaultroute
       nat_traversal=yes

conn %default
   keyingtries=3
   compress=yes
   disablearrivalcheck=no
   authby=rsasig
   leftrsasigkey=%cert
   rightrsasigkey=%cert
   
conn l2tpclient
        pfs=no
        rekey=no
        type=transport
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/ipsec-client.crt
        leftprotoport=17/1701
        right=134.126.20.79
        rightcert=/etc/ipsec.d/certs/ipsec-server.crt
        rightca=%same
        rightprotoport=17/1701
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

---------- CLIENT SIDE ipsec.conf ENDS ----------

But after this I still got the following error (a little bit different from
the last one) from the server side /var/log/secure:

---------- /var/log/secure STARTS ----------
Sep 26 16:53:37 localhost pluto[3418]: packet from 68.235.168.219:500:
ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]
Sep 26 16:53:37 localhost pluto[3418]: packet from 68.235.168.219:500:
received Vendor ID payload [Dead Peer Detection]
Sep 26 16:53:37 localhost pluto[3418]: packet from 68.235.168.219:500:
ignoring unknown Vendor ID payload [4a131c81070358455c5728f20e95452f]
Sep 26 16:53:37 localhost pluto[3418]: packet from 68.235.168.219:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Sep 26 16:53:37 localhost pluto[3418]: packet from 68.235.168.219:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 108
Sep 26 16:53:37 localhost pluto[3418]: packet from 68.235.168.219:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 108
Sep 26 16:53:37 localhost pluto[3418]: packet from 68.235.168.219:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[320] 68.235.168.219
#344: responding to Main Mode from unknown peer 68.235.168.219
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[320] 68.235.168.219
#344: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[320] 68.235.168.219
#344: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[320] 68.235.168.219
#344: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[320] 68.235.168.219
#344: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Virginia,
L=Harrisonburg, O=JMU, OU=CS, CN=Steve Wang'
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[320] 68.235.168.219
#344: crl update for "C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS,
CN=Crypto CA" is overdue since Jun 04 01:53:24 UTC 2006
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[321] 68.235.168.219
#344: deleting connection "roadwarrior" instance with peer 68.235.168.219
{isakmp=#0/ipsec=#0}
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[321] 68.235.168.219
#344: I am sending my cert
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[321] 68.235.168.219
#344: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 26 16:53:37 localhost pluto[3418]: | NAT-T: new mapping
68.235.168.219:500/4500)
Sep 26 16:53:37 localhost pluto[3418]: "roadwarrior"[321]
68.235.168.219:4500 #344: sent MR3, ISAKMP SA established
Sep 26 16:53:38 localhost pluto[3418]: "roadwarrior"[321]
68.235.168.219:4500 #344: cannot respond to IPsec SA request because no
connection is known for 134.126.20.79:4500[C=US, ST=Virginia,
L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Server
02]:17/1701...68.235.168.219:4500[C=US, ST=Virginia, L=Harrisonburg, O=JMU,
OU=CS, CN=Steve Wang]:17/1701===192.168.1.3/32
Sep 26 16:53:38 localhost pluto[3418]: "roadwarrior"[321]
68.235.168.219:4500 #344: sending encrypted notification
INVALID_ID_INFORMATION to 68.235.168.219:4500
Sep 26 16:53:48 localhost pluto[3418]: "roadwarrior"[321]
68.235.168.219:4500 #344: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0xcca06183 (perhaps this is a duplicated
packet)
Sep 26 16:53:48 localhost pluto[3418]: "roadwarrior"[321]
68.235.168.219:4500 #344: sending encrypted notification INVALID_MESSAGE_ID
to 68.235.168.219:4500
Sep 26 16:54:08 localhost pluto[3418]: "roadwarrior"[321]
68.235.168.219:4500 #344: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0xcca06183 (perhaps this is a duplicated
packet)
Sep 26 16:54:08 localhost pluto[3418]: "roadwarrior"[321]
68.235.168.219:4500 #344: sending encrypted notification INVALID_MESSAGE_ID
to 68.235.168.219:4500
---------- /var/log/secure ENDS ----------

> > 134.126.20.79[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec
> VPN
> > Server 02]:17/1701...68.235.168.219[C=US, ST=Virginia, L=Harrisonburg,
> > O=JMU, OU=CS, CN=Steve Wang]:17/1701===192.168.1.3/32
> 
> But the client appears to be behind so you need NAT-T.
> 
> The server's ipsec.conf has all the lines for NAT-T support but are you
> sure that this ipsec.conf has actually been loaded?

Yes. Using Windows XP and 2000 (behind a NAT or not) we can connect to the
same server without any problems.

> Paul asked: Is 192.168.1.0/24 part of virtual_private? do you have
nat_traversal=yes?

My virtual_private is defined as
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192
.
168.100.0/24

And I do have "nat_traversal=yes"

Indeed, the same server works fine when the client runs (dual-boot) Windows
2000 with the same IP (192.168.1.3) behind the same NAT (68.235.168.219).

It looks like that the problem is with my Linux IPsec client, not the
server. What have I done wrong?

> Jacco
> --
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl

Steve

More information about the Users mailing list