[Openswan Users] VPN works internally, not from internet through NAT
Paul Wouters
paul at xelerance.com
Mon Jul 23 18:18:49 EDT 2007
On Mon, 23 Jul 2007, Arno Lehmann wrote:
That could be: http://bugs.xelerance.com/view.php?id=802
Try the patch in openswan 2.4.9's contrib directory?
Paul
> after I got the PSK authentication working inside my test network, I
> progressed to the next problems.
>
> The basic setup:
> Client is Windows Vista, using IPsec/L2TP as VPN client.
> Server is Linux Openswan U2.4.6/K2.6.18.8-0.3-default (netkey) as
> distributed in OpenSUSE 10.2
>
> I use x509 certificates for authentication, which does work inside the
> LAN.
>
> The LAN is connected to the internet through a NAT'ing router.
>
> This is the network layout:
>
> ~~~~~~~~~
> Internet } === Router === VPN-Gateway === Internal LAN, 192.168.0.0/24
> ~~~~~~~~~       /  |            \            (irrelevant for now...)
>                /   |             \
>      dynamic IP,  static IP      static IP
>    ddns hostname  192.168.1.1    192.168.1.2
>
>
> The router is doing NAT and is set up to forward incoming traffic on
> udp ports 500 and 4500 to the 192.168.1.1 host. tcpdump shows that an
> ipsec conversation is taking place between client and VPN gateway.
>
> (The router can be set up to also forward IP protocols 50 and 51; would
> that help? - after my reading, I suppose it would not.)
>
> The relevant configuration of the VPN gateway is:
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
>
> config setup
>         interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
>         # klipsdebug=
>         # plutodebug=all
>         # manualstart=
>         # syslog=
>         plutowait=yes
>         nhelpers=0
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.37.0/24,%v4:!192.168.1.1/24
>         nat_traversal=yes
>
> conn extern-cert
>         pfs=no
>         authby=rsasig
>         rightrsasigkey=%cert
>         leftcert=ITS-VPN.pem
>         left=192.168.1.2
>         leftnexthop=192.168.1.1
>         leftrsasigkey=%cert
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         rightsubnet=vhost:%no,%priv
>         rightca=%same
>         auto=add
>
> An almost complete session log is at the end of this mail, but the
> problem, in short, is this:
>
> A VPN connection is not created, which I suspect is due to the
> following events:
>
> > Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1
> #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6
> xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
> > Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1
> #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
>
> Which seems to indicate that my client for some reason unknown to me
> refuses the VPN setup.
>
> Now I've got two questions:
> - Is this really the client's decision to refuse the VPN setup?
> - How do I fix that?
>
> That same client, with the identical certificates, can create a VPN
> connection through the LAN. The only difference in the connection
> setup is that the internal VPN connection is defined without a
> leftnexthop statement, and left= refers to another network interface.
>
>
> Thanks, again, in advance for your support!
>
> Arno
>
> Here is the ipsec session log:
> > Jul 23 23:11:37 balrog ipsec__plutorun: Starting Pluto subsystem...
> > Jul 23 23:11:37 balrog pluto[13798]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)
> > Jul 23 23:11:37 balrog pluto[13798]: Setting NAT-Traversal port-4500 floating to on
> > Jul 23 23:11:37 balrog pluto[13798]: port floating activation criteria nat_t=1/port_fload=1
> > Jul 23 23:11:37 balrog pluto[13798]: including NAT-Traversal patch (Version 0.6c)
> > Jul 23 23:11:37 balrog pluto[13798]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> > Jul 23 23:11:37 balrog pluto[13798]: WARNING: Using /dev/urandom as the source of random
> > Jul 23 23:11:37 balrog pluto[13798]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> > Jul 23 23:11:37 balrog pluto[13798]: no helpers will be started, all cryptographic operations will be done inline
> > Jul 23 23:11:37 balrog pluto[13798]: Using Linux 2.6 IPsec interface code on 2.6.18.8-0.3-default
> > Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/cacerts'
> > Jul 23 23:11:37 balrog pluto[13798]: loaded CA cert file 'ITS-VPN-cacert.pem' (1939 bytes)
> > Jul 23 23:11:37 balrog pluto[13798]: loaded CA cert file 'ITS-CA.pem' (2451 bytes)
> > Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/aacerts'
> > Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/ocspcerts'
> > Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/crls'
> > Jul 23 23:11:37 balrog pluto[13798]: Warning: empty directory
> > Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
> > Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
> > Jul 23 23:11:37 balrog pluto[13798]: loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
> > Jul 23 23:11:37 balrog pluto[13798]: added connection description "extern-cert"
> > Jul 23 23:11:37 balrog pluto[13798]: loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
> > Jul 23 23:11:37 balrog pluto[13798]: added connection description "wlan-cert"
> > Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
> > Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
> > Jul 23 23:11:37 balrog pluto[13798]: loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
> > Jul 23 23:11:37 balrog pluto[13798]: added connection description "intern-cert"
> > Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
> > Jul 23 23:11:38 balrog ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
> > Jul 23 23:11:38 balrog pluto[13798]: listening for IKE messages
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:4500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:4500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:4500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:4500
> > Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo ::1:500
> > Jul 23 23:11:38 balrog pluto[13798]: loading secrets from "/etc/ipsec.secrets"
> > Jul 23 23:11:38 balrog pluto[13798]: loaded private key file '/etc/ipsec.d/private/ITS-VPN-key.pem' (963 bytes)
> > Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private"
> > Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private"
> > Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear"
> > Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear"
> > Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "block"
> > Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "block"
> > Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private-or-clear"
> > Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private-or-clear"
> > Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear-or-private"
> > Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear-or-private"
> > Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "packetdefault"
> > Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "packetdefault"
> > Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
> > Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [RFC 3947] method set to=110
> > Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> > Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [FRAGMENTATION]
> > Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
> > Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [Vid-Initial-Contact]
> > Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
> > Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: responding to Main Mode from unknown peer 82.113.106.1
> > Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
> > Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
> > Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> > Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: NAT-Traversal: Result using 3: both are NATed
> > Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> > Jul 23 23:12:14 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: discarding duplicate packet; already STATE_MAIN_R2
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=Phoenix, E=al at its-lehmann.de'
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=IT-Service Lehmann VPN CA, E=al at its-lehmann.de" found (strict=no)
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=CA, CN=IT-Service Lehmann CA, E=al at its-lehmann.de" found (strict=no)
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: switched from "extern-cert" to "extern-cert"
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: deleting connection "extern-cert" instance with peer 82.113.106.1 {isakmp=#0/ipsec=#0}
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: I am sending my cert
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > Jul 23 23:12:16 balrog pluto[13798]: | NAT-T: new mapping 82.113.106.1:305/34585)
> > Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> > Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> > Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: responding to Quick Mode {msgid:01000000}
> > Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> > Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Jul 23 23:12:20 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: discarding duplicate packet; already STATE_QUICK_R1
> > Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> > Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3423cae0 <0x0bb43eb1 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
> > Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: responding to Quick Mode {msgid:02000000}
> > Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> > Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: discarding duplicate packet; already STATE_QUICK_R1
> > Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> > Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
> > Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
> > Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
> > Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: responding to Quick Mode {msgid:03000000}
> > Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> > Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> > Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xac14385e <0xfe617865 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
> > Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x4f2beffd) payload: deleting IPSEC State #3
> > Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
> > Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: responding to Quick Mode {msgid:04000000}
> > Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> > Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0xac14385e) payload: deleting IPSEC State #4
> > Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
> > Jul 23 23:12:38 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA payload: deleting ISAKMP State #1
> > Jul 23 23:12:38 balrog pluto[13798]: packet from 82.113.106.1:34585: received and ignored informational message
>
>
>
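As an added illustration (not code from the post, from Paul, or from Openswan itself), here is a small Python checker that pairs pluto's "IPsec SA established" lines with the peer's "Delete SA" lines by outbound SPI, so the establish-then-delete pattern Arno describes shows up as per-SA lifetimes. The sample lines are copied from the quoted log; the regexes, the 10-second "flap" threshold and the assumption that all lines fall on the same day are mine.

```python
import re

# Sample input constructed from lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3423cae0 <0x0bb43eb1 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x4f2beffd) payload: deleting IPSEC State #3
Jul 23 23:12:38 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# syslog timestamp prefix; the regexes below are assumptions fitted to the quoted format.
_TS = r'^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) '
ESTABLISHED = re.compile(
    _TS + r'.*"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<st>\d+): '
    r'STATE_QUICK_R2: IPsec SA established \{ESP=>(?P<spi>0x[0-9a-f]+)')
DELETED = re.compile(
    _TS + r'.*#\d+: received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: '
    r'deleting IPSEC State #(?P<st>\d+)')


def _seconds(m):
    """Seconds since midnight; assumes the log does not cross a day boundary."""
    return int(m['hh']) * 3600 + int(m['mm']) * 60 + int(m['ss'])


def analyse(log, flap_seconds=10):
    """Return (state, outbound SPI, lifetime in seconds, flapped) per IPsec SA
    that the peer deleted.  'flapped' marks SAs torn down within flap_seconds
    of being established, i.e. the pattern seen in the post."""
    pending = {}   # outbound SPI -> (state number, establish time)
    results = []
    for line in log.splitlines():
        m = ESTABLISHED.match(line)
        if m:
            pending[m['spi']] = (m['st'], _seconds(m))
            continue
        m = DELETED.match(line)
        if m and m['spi'] in pending:
            st, t0 = pending.pop(m['spi'])
            life = _seconds(m) - t0
            results.append((st, m['spi'], life, life <= flap_seconds))
    return results


def peer_flapping(log, min_flaps=2, flap_seconds=10):
    """True when the peer dropped at least min_flaps freshly built SAs."""
    return sum(1 for r in analyse(log, flap_seconds) if r[3]) >= min_flaps
```

Run over a full pluto log, a row of short lifetimes with the same peer points at the client side rejecting the SA (as here) rather than at IKE negotiation itself, which is the distinction Arno's first question asks about.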
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155