[Openswan Users] VPN works internally, not from internet through NAT

Arno Lehmann al at its-lehmann.de
Mon Jul 23 17:37:12 EDT 2007


Hi again,

after I got the PSK authentication working inside my test network, I 
progressed to the next problems.

The basic setup:
Client is Windows Vista, using IPsec/L2TP as VPN client.
Server is Linux Openswan U2.4.6/K2.6.18.8-0.3-default (netkey) as 
distributed in OpenSUSE 10.2

I use x509 certificates for authentication, which does work inside the 
LAN.

The LAN is connected to the internet through a NAT'ing router.

This is the network layout:

~~~~~~~~~
Internet } === Router === VPN-Gateway === Internal LAN, 192.168.0.0/24
~~~~~~~~~     /      |    \               (irrelevant for now...)
              /       |     \
   dynamic IP,  static IP    static IP
ddns hostname  192.168.1.1  192.168.1.2


The router is doing NAT and is set up to forward incoming traffic on 
udp ports 500 and 4500 to the 192.168.1.1 host. tcpdump shows that an 
ipsec conversation is taking place between client and VPN gateway.

(The router can be set up to also forward IP protocols 50 and 51; would 
that help? - after my reading, I suppose it would not.)

The relevant configuration of the VPN gateway is:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration

config setup
         interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
         # klipsdebug=
         # plutodebug=all
         # manualstart=
         # syslog=
         plutowait=yes
         nhelpers=0
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.37.0/24,%v4:!192.168.1.1/24
         nat_traversal=yes

conn extern-cert
         pfs=no
         authby=rsasig
         rightrsasigkey=%cert
         leftcert=ITS-VPN.pem
         left=192.168.1.2
         leftnexthop=192.168.1.1
         leftrsasigkey=%cert
         leftprotoport=17/1701
         right=%any
         rightprotoport=17/1701
         rightsubnet=vhost:%no,%priv
         rightca=%same
         auto=add

An almost complete session log is at the end of this mail, but the 
problem, in short, is this:

A VPN connection is not created, which I suspect is due to the 
following events:

 > Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 
#3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 
xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
 > Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 
#1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2

Which seems to indicate that my client for some reason unknown to me 
refuses the VPN setup.

Now I've got two questions:
- Is this really the client's decision to refuse the VPN setup?
- How do I fix that?

That same client, with the identical certificates, can create a VPN 
connection through the LAN. The only difference in the connection 
setup is that the internal VPN connection is defined without a 
leftnexthop statement, and left= refers to another network interface.


Thanks, again, in advance for your support!

Arno

Here is the ipsec session log:
> Jul 23 23:11:37 balrog ipsec__plutorun: Starting Pluto subsystem...
> Jul 23 23:11:37 balrog pluto[13798]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)
> Jul 23 23:11:37 balrog pluto[13798]: Setting NAT-Traversal port-4500 floating to on
> Jul 23 23:11:37 balrog pluto[13798]:    port floating activation criteria nat_t=1/port_fload=1
> Jul 23 23:11:37 balrog pluto[13798]:   including NAT-Traversal patch (Version 0.6c)
> Jul 23 23:11:37 balrog pluto[13798]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> Jul 23 23:11:37 balrog pluto[13798]: WARNING: Using /dev/urandom as the source of random
> Jul 23 23:11:37 balrog pluto[13798]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jul 23 23:11:37 balrog pluto[13798]: no helpers will be started, all cryptographic operations will be done inline
> Jul 23 23:11:37 balrog pluto[13798]: Using Linux 2.6 IPsec interface code on 2.6.18.8-0.3-default
> Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/cacerts'
> Jul 23 23:11:37 balrog pluto[13798]:   loaded CA cert file 'ITS-VPN-cacert.pem' (1939 bytes)
> Jul 23 23:11:37 balrog pluto[13798]:   loaded CA cert file 'ITS-CA.pem' (2451 bytes)
> Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/aacerts'
> Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/ocspcerts'
> Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/crls'
> Jul 23 23:11:37 balrog pluto[13798]:   Warning: empty directory
> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
> Jul 23 23:11:37 balrog pluto[13798]:   loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
> Jul 23 23:11:37 balrog pluto[13798]: added connection description "extern-cert"
> Jul 23 23:11:37 balrog pluto[13798]:   loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
> Jul 23 23:11:37 balrog pluto[13798]: added connection description "wlan-cert"
> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
> Jul 23 23:11:37 balrog pluto[13798]:   loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
> Jul 23 23:11:37 balrog pluto[13798]: added connection description "intern-cert"
> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
> Jul 23 23:11:38 balrog ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
> Jul 23 23:11:38 balrog pluto[13798]: listening for IKE messages
> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:4500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:4500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:4500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:4500
> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo ::1:500
> Jul 23 23:11:38 balrog pluto[13798]: loading secrets from "/etc/ipsec.secrets"
> Jul 23 23:11:38 balrog pluto[13798]:   loaded private key file '/etc/ipsec.d/private/ITS-VPN-key.pem' (963 bytes)
> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private"
> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private"
> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear"
> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear"
> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "block"
> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "block"
> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private-or-clear"
> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private-or-clear"
> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear-or-private"
> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear-or-private"
> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "packetdefault"
> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "packetdefault"
> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [RFC 3947] method set to=110
> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [FRAGMENTATION]
> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [Vid-Initial-Contact]
> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: responding to Main Mode from unknown peer 82.113.106.1
> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: NAT-Traversal: Result using 3: both are NATed
> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Jul 23 23:12:14 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: discarding duplicate packet; already STATE_MAIN_R2
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=Phoenix, E=al at its-lehmann.de'
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=IT-Service Lehmann VPN CA, E=al at its-lehmann.de" found (strict=no)
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=CA, CN=IT-Service Lehmann CA, E=al at its-lehmann.de" found (strict=no)
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: switched from "extern-cert" to "extern-cert"
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: deleting connection "extern-cert" instance with peer 82.113.106.1 {isakmp=#0/ipsec=#0}
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: I am sending my cert
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jul 23 23:12:16 balrog pluto[13798]: | NAT-T: new mapping 82.113.106.1:305/34585)
> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: responding to Quick Mode {msgid:01000000}
> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 23 23:12:20 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: discarding duplicate packet; already STATE_QUICK_R1
> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3423cae0 <0x0bb43eb1 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: responding to Quick Mode {msgid:02000000}
> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: discarding duplicate packet; already STATE_QUICK_R1
> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
> Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
> Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: responding to Quick Mode {msgid:03000000}
> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xac14385e <0xfe617865 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x4f2beffd) payload: deleting IPSEC State #3
> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: responding to Quick Mode {msgid:04000000}
> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0xac14385e) payload: deleting IPSEC State #4
> Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
> Jul 23 23:12:38 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA payload: deleting ISAKMP State #1
> Jul 23 23:12:38 balrog pluto[13798]: packet from 82.113.106.1:34585: received and ignored informational message


-- 
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
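The pattern in the quoted log (Quick Mode completes, then the peer sends a Delete SA for the freshly established SPI a few seconds later, three times in a row) is easier to see when the log is paired up mechanically. The following script is an added example, not code from the post or from Openswan; the sample lines are constructed in the shape of the quoted pluto output (same peer, state numbers and SPIs, abridged), and the 30-second "short-lived" threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, abridged to the shape of the pluto log quoted in the post
# (same peer, state numbers and SPIs; the verbose transition lines are left out).
SAMPLE_LOG = """\
Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: NAT-Traversal: Result using 3: both are NATed
Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3423cae0 <0x0bb43eb1 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xac14385e <0xfe617865 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x4f2beffd) payload: deleting IPSEC State #3
Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0xac14385e) payload: deleting IPSEC State #4
Jul 23 23:12:38 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA payload: deleting ISAKMP State #1
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
ESTAB_RE = re.compile(r"#(\d+): STATE_QUICK_R2: IPsec SA established \{ESP=>0x([0-9a-f]+)")
DELETE_RE = re.compile(r"received Delete SA\(0x([0-9a-f]+)\) payload: deleting IPSEC State #(\d+)")
NAT_MARK = "NAT-Traversal: Result using"


def analyze_pluto_log(text, max_lifetime=30):
    """Pair each 'IPsec SA established' with the peer's Delete SA for the same
    outbound SPI (the ESP=> value) and report how long each Phase 2 SA lived."""
    established = {}  # outbound SPI -> (state number, timestamp)
    peer_deleted = []  # (state number, SPI, seconds alive)
    nat_result = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less is fine for deltas
        if NAT_MARK in line:
            nat_result = line.split(NAT_MARK, 1)[1].strip()
        elif (e := ESTAB_RE.search(line)):
            established[e.group(2)] = (int(e.group(1)), ts)
        elif (d := DELETE_RE.search(line)) and d.group(1) in established:
            state, when = established[d.group(1)]
            peer_deleted.append((state, d.group(1), (ts - when).total_seconds()))
    short_lived = [p for p in peer_deleted if p[2] <= max_lifetime]
    # Every Phase 2 SA completed and was then torn down by the peer within
    # max_lifetime seconds: IKE itself succeeded, so the next place to look is
    # what runs over the ESP tunnel (here L2TP, UDP 1701) and the NAT path for it.
    churn = bool(established) and len(short_lived) == len(established)
    return {"nat_result": nat_result, "established": len(established),
            "peer_deleted": peer_deleted, "peer_churn": churn}


if __name__ == "__main__":
    for key, value in analyze_pluto_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```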

