[Openswan Users] FW: strongswan behind NAT problem - L2TP/IPSEC

Andrew Lemin andrew.lemin at monitorsoft.com
Fri Jul 13 13:43:04 EDT 2007


Paul, well I'm at a complete loss then!!! :o(

>> In addition to the below, late last night during a mild epiphany I added 'leftsubnet=<SERVER-PUBLIC-IP>/32' to my ipsec.conf in
>> addition to the kind suggestions from Paul.
>> This seemed to work!!! I no longer get the error 'cannot respond to IPsec SA request because no connection is .....

>That is using the virtual_private/nat_traversal code wrongly. Is the server
>behind NAT?

Yes, it is behind a NAT router (Netgear FVX538). It is behind the public IP address (on the NAT router) that it is reporting to not
know how to route!

I'm at a complete loss because if I don't add this 'leftsubnet=<SERVER-PUBLIC-IP>/32' entry, I cannot get rid of this damn 'cannot
respond to IPSec SA request because no connection is known for' message! :o(


>> packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>> IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=<CLIENT-PUBLIC-IP> DST=192.168.214.2 LEN=340 TOS=0x00 PREC=0x00 TTL=121 ID=38356 PROTO=UDP SPT=500 DPT=500 LEN=320

>Your firewall is (some?) dropping IKE packets.

Actually I did some more digging on this: the firewall is reporting to have accepted the packet, not dropped it. But I think it has
not been picked up by either strongswan or l2tpd !!!


>> IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=<CLIENT-PUBLIC-IP> DST=192.168.214.2 LEN=1436 TOS=0x00 PREC=0x00 TTL=121 ID=38361 PROTO=UDP SPT=4500 DPT=4500 LEN=1416

>And Encapsulated IPsec packets in udp 4500.

Again this is reported as being accepted, but processed by nothing.

NB: I set my firewall to allow any <-> any and it still does not work!


>> "rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: ignoring informational payload, type
>> INVALID_HASH_INFORMATION

>I've never seen this error. See if it goes away if you fix your firewall.

Probably because I am using leftsubnet wrongly above :o(


What should L2TP be set to by the way?
I.e. What should the local L2TP interface address be? 192.168.214.2? A random number on 192.168.214.0/2?



Please help! I am at a complete loss. I have tried everything I can think of and I have tried every guide I can find! NB: I have now
even set my NAT device which the firewall sits behind to forward ANYTHING (Any service) onto my ipsec server, and still the same
error referring to no connection for PUBLICIP/32===IPSECSERVERIP[cert]:17/1701.....CLIENTIP[cert]:17:1701. 

Am I not supposed to help the IPSec server out by telling it what its IP is on the other side of the NAT device which it is hiding
behind!?!


version 2
conn block
	auto=ignore

conn private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

config setup
	plutodebug=control
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.214.0/24,%v4:!192.168.200.0/24

conn rt2.monitor.york__GT__andrew.lemin_0
	auto=add
	authby=rsasig
	left=192.168.214.2
	leftnexthop=192.168.214.1
	leftprotoport=17/1701
	leftrsasigkey=%cert
	leftcert=rt2.monitor.york_1.pem
	right=%any
	rightsubnet=vhost:%priv,%no
	rightrsasigkey=%cert
	rightid="/C=GB/ST=yorkshire/L=york/O=MCSLtd/OU=Support/CN=andrew.lemin_1/emailAddress=email at address.changed.com"
	rightprotoport=17/%any
	keylife=8h
	ikelifetime=1h
	pfs=no
	rekey=no
	ike=3des-md5-modp1024
	esp=3des-md5



# ipsec status
000 "rt2.monitor.york__GT__andrew.lemin_0": 192.168.214.2[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1,
E=support at monitorsoft.com]:17/1701---192.168.214.1...%virtual[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1,
E=support at monitorsoft.com]:17/%any===?; unrouted; eroute owner: #0
000 "rt2.monitor.york__GT__andrew.lemin_0":   newest ISAKMP SA: #0; newest IPsec SA: #0;