[Openswan Users] NAT traversal on Openswan

Tejas Jin txjin at intelliepi.com
Thu Aug 30 17:08:27 EDT 2007


Tejas Jin wrote:
> Paul Wouters wrote:
>   
>> On Thu, 30 Aug 2007, Tejas Jin wrote:
>>
>>> 104 "office" #1: STATE_MAIN_I1: initiate
>>> 003 "office" #1: received Vendor ID payload [Openswan (this version) openswan-2.4.9-31.el4  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
>>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>>> 003 "office" #1: received Vendor ID payload [RFC 3947] method set to=110
>>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>> 003 "office" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
>>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>> 004 "office" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
>>> 117 "office" #2: STATE_QUICK_I1: initiate
>>> 010 "office" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>
> Here is the message I found in /var/log/secure on the other end. 
>
> "office"[3] 76.185.110.212 #38: sending encrypted notification INVALID_MESSAGE_ID to 76.184.110.195:4500
>
Okay, this should tell more:

Aug 30 16:00:31 firewalltemp pluto[29661]: "office"[3] 76.184.110.195 #38: cannot respond to IPsec SA request because no connection is known for 192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.5.232/32
Aug 30 16:00:31 firewalltemp pluto[29661]: "office"[3] 76.184.110.195 #38: sending encrypted notification INVALID_ID_INFORMATION to 76.184.110.195:4500
Aug 30 16:00:32 firewalltemp pluto[29661]: "office"[3] 76.184.110.195 #38: received Delete SA payload: deleting ISAKMP State #38
Aug 30 16:00:32 firewalltemp pluto[29661]: "office"[3] 76.184.110.195: deleting connection "office" instance with peer 76.184.110.195 {isakmp=#0/ipsec=#0}
Aug 30 16:00:32 firewalltemp pluto[29661]: packet from 76.184.110.195:4500: received and ignored informational message
Aug 30 16:00:32 firewalltemp pluto[29661]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 76.184.110.195 port 4500, complainant 76.184.110.195: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 76.184.110.195:500: received Vendor ID payload [Openswan (this version) openswan-2.4.9-31.el4  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 76.184.110.195:500: received Vendor ID payload [Dead Peer Detection]
Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 76.184.110.195:500: received Vendor ID payload [RFC 3947] method set to=110
Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 76.184.110.195:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 76.184.110.195:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 76.184.110.195:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 76.184.110.195:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 30 16:01:04 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: responding to Main Mode from unknown peer 76.184.110.195
Aug 30 16:01:04 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 30 16:01:04 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: Main mode peer ID is ID_FQDN: '@warrior'
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: I did not send a certificate because I do not have one.
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: cannot respond to IPsec SA request because no connection is known for 192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.5.232/32
Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: sending encrypted notification INVALID_ID_INFORMATION to 76.184.110.195:4500
Aug 30 16:01:15 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xed9b49bd (perhaps this is a duplicated packet)
Aug 30 16:01:15 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: sending encrypted notification INVALID_MESSAGE_ID to 76.184.110.195:4500
Aug 30 16:01:35 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xed9b49bd (perhaps this is a duplicated packet)
Aug 30 16:01:35 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 #39: sending encrypted notification INVALID_MESSAGE_ID to 76.184.110.195:4500
