[Openswan Users] NAT-T: reconnect to gateway fails
Pepijn Oomen
oomen at piprograms.com
Sun Aug 19 08:04:09 EDT 2007
Problem description: connection to the gateway works fine, but problems
arise when reconnecting after taking down the VPN. Waiting for a period
of time solves this problem.
Probable cause: an orphaned IPsec SA prevents proper TCP/IP flow on
reconnect.
Extended description: it looks like an orphaned IPsec SA is the cause of
the reconnection problem. On reconnect, the ISAKMP and IPsec SAs are
established correctly, but no traffic flows (from server to client?)
through the tunnel making it impossible to establish the L2TP connection.
A similar problem seems to be caused by two types of scenarios:
a) OpenSWAN leaves an orphaned IPsec SA after a replacement IPsec SA is
installed,
b) MacOSX does not reestablish the ISAKMP SA after it is dropped,
causing failure in communication for controlling the connection and thus
causing an orphaned IPsec SA on the OpenSWAN side.
Software in use:
client: MacOSX 10.4.10 builtin L2TP/IPSEC client behind NAT
server:
- Debian Etch 4.0r0 (2.6.18-4-686 /w NETKEY) behind NAT
- OpenSWAN 2.4.9, xl2tpd 1.1.11 (both build from sources)
Analysis:
T = 0
[...]
"l2tp"[1] x.x.x.x #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): both are NATed
[...]
"l2tp"[2] x.x.x.x #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
[...]
"l2tp"[2] x.x.x.x #2: STATE_QUICK_R2: IPsec SA established
{ESP=>0x0bda84bf <0x2cdb6add xfrm=AES_128-HMAC_SHA1 NATD=x.x.x.x:4500
DPD=none}
The connection is establised without problems. The ISAKMP and IPsec SAs
are in place and traffic is flowing throught the tunnel. When the tunnel
is taken down at this point, all works fine.
T + 50 minutes
"l2tp"[2] x.x.x.x #3: NAT-Traversal: received 2 NAT-OA. using first,
ignoring others
"l2tp"[2] x.x.x.x #3: responding to Quick Mode {msgid:aaaadf8d}
"l2tp"[2] x.x.x.x #3: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
"l2tp"[2] x.x.x.x #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA
installed, expecting QI2
"l2tp"[2] x.x.x.x #3: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
"l2tp"[2] x.x.x.x #3: STATE_QUICK_R2: IPsec SA established
{ESP=>0x0563b499 <0x96c23648 xfrm=AES_128-HMAC_SHA1 NATD=x.x.x.x:4500
DPD=none}
The client has decided it is time to replace the IPsec SA. The server
responds accordingly and a new IPsec SA is established. The old IPsec SA
is still available but no longer used. Traffic flows through the tunnel
correctly, but taking down the tunnel at this point makes reconnection
impossible, scenario (a).
T + 60 minutes
"l2tp"[2] x.x.x.x #1: ISAKMP SA expired (--dontrekey)
The server drops the ISAKMP SA. Traffic is still flowing through the
tunnel, but when dropping the connection, the server is not notified of
this and an orphaned IPsec SA is left, scenario (b).
T + 100 minutes
"l2tp"[2] x.x.x.x #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
[...]
"l2tp"[2] x.x.x.x #5: STATE_QUICK_R2: IPsec SA established
{ESP=>0x0d9e5585 <0x6eff9828 xfrm=AES_128-HMAC_SHA1 NATD=x.x.x.x:4500
DPD=none}
The IPsec SA is again replaced by the client, but it notices the missing
ISAKMP SA, which is first re-established. Traffic flow is still intact,
but on disconnect OpenSWAN leaves an orphaned IPsec SA in place, which
prevents succesfull reconnect, scenario (a).
T + 110 minutes
The orphan IPsec SA is abandoned, leaving the 'normal' situation of one
ISAKMP SA and one IPsec SA. Disconnection now works as expected and a
reconnect is possible.
--
We are perfect, but the code is terrible.
-- Microsoft Software Developer
More information about the Users
mailing list