[Openswan Users] NAT traversal on Openswan

Tejas Jin txjin at intelliepi.com
Thu Aug 30 17:40:35 EDT 2007


Tejas Jin wrote:
> Tejas Jin wrote:
>> Paul Wouters wrote:
>>  
>>> On Thu, 30 Aug 2007, Tejas Jin wrote:
>>>
>>>      
>>>> 104 "office" #1: STATE_MAIN_I1: initiate
>>>> 003 "office" #1: received Vendor ID payload [Openswan (this version)
>>>> openswan-2.4.9-31.el4  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
>>>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>>>> 003 "office" #1: received Vendor ID payload [RFC 3947] method set 
>>>> to=110
>>>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>>> 003 "office" #1: NAT-Traversal: Result using RFC 3947 
>>>> (NAT-Traversal): i
>>>> am NATed
>>>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>>> 004 "office" #1: STATE_MAIN_I4: ISAKMP SA established
>>>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
>>>> group=modp1536}
>>>> 117 "office" #2: STATE_QUICK_I1: initiate
>>>> 010 "office" #2: STATE_QUICK_I1: retransmission; will wait 20s for 
>>>> response
>>>>           
>> Here is the message I found in /var/log/secure on the other end.
>> "office"[3] 76.185.110.212 #38: sending encrypted notification 
>> INVALID_MESSAGE_ID to 76.184.110.195:4500
>>
>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan: 
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>   
> Okay this should tell more
>
> Aug 30 16:00:31 firewalltemp pluto[29661]: "office"[3] 76.184.110.195 
> #38: cannot respond to IPsec SA request because no connection is known 
> for 
> 192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.5.232/32 
>
> Aug 30 16:00:31 firewalltemp pluto[29661]: "office"[3] 76.184.110.195 
> #38: sending encrypted notification INVALID_ID_INFORMATION to 
> 76.184.110.195:4500
> Aug 30 16:00:32 firewalltemp pluto[29661]: "office"[3] 76.184.110.195 
> #38: received Delete SA payload: deleting ISAKMP State #38
> Aug 30 16:00:32 firewalltemp pluto[29661]: "office"[3] 76.184.110.195: 
> deleting connection "office" instance with peer 76.184.110.195 
> {isakmp=#0/ipsec=#0}
> Aug 30 16:00:32 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:4500: received and ignored informational message
> Aug 30 16:00:32 firewalltemp pluto[29661]: ERROR: asynchronous network 
> error report on eth0 (sport=4500) for message to 76.184.110.195 port 
> 4500, complainant 76.184.110.195: Connection refused [errno 111, 
> origin ICMP type 3 code 3 (not authenticated)]
> Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:500: received Vendor ID payload [Openswan (this 
> version) openswan-2.4.9-31.el4  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:500: received Vendor ID payload [Dead Peer Detection]
> Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:500: received Vendor ID payload [RFC 3947] method set 
> to=110
> Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> Aug 30 16:01:04 firewalltemp pluto[29661]: packet from 
> 76.184.110.195:500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-00]
> Aug 30 16:01:04 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: responding to Main Mode from unknown peer 76.184.110.195
> Aug 30 16:01:04 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Aug 30 16:01:04 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: STATE_MAIN_R1: sent MR1, expecting MI2
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: STATE_MAIN_R2: sent MR2, expecting MI3
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: Main mode peer ID is ID_FQDN: '@warrior'
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: I did not send a certificate because I do not have one.
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 
> group=modp1536}
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: cannot respond to IPsec SA request because no connection is known 
> for 
> 192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.5.232/32 
>
> Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: sending encrypted notification INVALID_ID_INFORMATION to 
> 76.184.110.195:4500
> Aug 30 16:01:15 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: Quick Mode I1 message is unacceptable because it uses a 
> previously used Message ID 0xed9b49bd (perhaps this is a duplicated 
> packet)
> Aug 30 16:01:15 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: sending encrypted notification INVALID_MESSAGE_ID to 
> 76.184.110.195:4500
> Aug 30 16:01:35 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: Quick Mode I1 message is unacceptable because it uses a 
> previously used Message ID 0xed9b49bd (perhaps this is a duplicated 
> packet)
> Aug 30 16:01:35 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 
> #39: sending encrypted notification INVALID_MESSAGE_ID to 
> 76.184.110.195:4500
>
>
I have also updated both systems to openswan-2.4.9.
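Added example, not part of this thread or of Openswan itself: a small Python checker that pulls the proposed policy out of the responder's "cannot respond to IPsec SA request because no connection is known for ..." line above and tests it against conn definitions. The conn dicts are a constructed stand-in for the firewall's ipsec.conf (the poster's real config is not in the thread), and the handling of vhost:%priv / %no is my reading of those Openswan keywords, not Openswan's code. It shows why a NATed road warrior that proposes its private address 192.168.5.232/32 as the right-hand client matches nothing when rightsubnet is unset, and matches once rightsubnet admits an RFC1918 /32.

```python
"""Check a pluto "no connection is known for" line against conn definitions.

Added example (not from the thread or Openswan). The conn dicts are a
constructed approximation of the relevant ipsec.conf keywords.
"""
import ipaddress
import re

# Constructed sample line, same shape as the responder log in the thread.
SAMPLE_LINE = (
    'Aug 30 16:01:05 firewalltemp pluto[29661]: "office"[4] 76.184.110.195 '
    '#39: cannot respond to IPsec SA request because no connection is known for '
    '192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.5.232/32'
)

# pluto prints the proposal as LEFTCLIENT===LEFTHOST[LEFTID]...RIGHTHOST[RIGHTID]===RIGHTCLIENT
SPEC_RE = re.compile(
    r'no connection is known for '
    r'(?P<lsub>\S+?)===(?P<lhost>[0-9.]+)\[(?P<lid>[^\]]*)\]'
    r'\.\.\.'
    r'(?P<rhost>[0-9.]+)\[(?P<rid>[^\]]*)\]===(?P<rsub>\S+)'
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical firewall-side conns (relevant keywords only).
CONNS_AS_POSTED = {
    # No rightsubnet: the right client must be the peer's own address, 76.184.110.195/32.
    "office": {"leftsubnet": "192.168.3.0/24", "leftid": "@firewall", "rightid": "@warrior"},
}
CONNS_WITH_VHOST = {
    "office": {"leftsubnet": "192.168.3.0/24", "leftid": "@firewall", "rightid": "@warrior",
               "rightsubnet": "vhost:%priv,%no"},
}


def parse_no_connection(line):
    """Return the proposed policy as a dict, or None if the line is another message."""
    m = SPEC_RE.search(line)
    return m.groupdict() if m else None


def _subnet_ok(configured, proposed, peer_host):
    """Does a leftsubnet/rightsubnet value admit the proposed client subnet?

    configured: the ipsec.conf value (None when the keyword is absent)
    proposed:   the CIDR pluto printed for that side
    peer_host:  that side's host address, used when no subnet is configured
    """
    want = ipaddress.ip_network(proposed, strict=False)
    host = ipaddress.ip_network(peer_host + "/32")
    if configured is None:
        return want == host
    if configured.startswith("vhost:"):
        # Assumed semantics: %priv admits any RFC1918 /32, %no the peer's real address,
        # anything else is a CIDR the virtual host must fall inside.
        for item in configured[len("vhost:"):].split(","):
            item = item.strip()
            if item == "%no" and want == host:
                return True
            if item == "%priv" and want.prefixlen == 32 and any(want.subnet_of(n) for n in RFC1918):
                return True
            if not item.startswith("%") and want.subnet_of(ipaddress.ip_network(item, strict=False)):
                return True
        return False
    return want.subnet_of(ipaddress.ip_network(configured, strict=False))


def matching_conns(conns, req):
    """Names of conns whose IDs and subnets would have accepted the proposal."""
    hits = []
    for name, c in conns.items():
        if c.get("leftid") != req["lid"] or c.get("rightid") != req["rid"]:
            continue
        if not _subnet_ok(c.get("leftsubnet"), req["lsub"], req["lhost"]):
            continue
        if not _subnet_ok(c.get("rightsubnet"), req["rsub"], req["rhost"]):
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    req = parse_no_connection(SAMPLE_LINE)
    print("proposed right client:", req["rsub"])
    for label, conns in (("as posted", CONNS_AS_POSTED), ("with vhost", CONNS_WITH_VHOST)):
        print(label, "->", matching_conns(conns, req) or "no conn matches")
```

Run it against your own /var/log/secure line and conn settings; if the ID pair matches (pluto already instantiated "office"[4], so the IDs did) but the subnet check fails, the mismatch is in leftsubnet/rightsubnet, not in authentication.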

