[Openswan Users] VPN works internally, not from internet through NAT
Arno Lehmann
al at its-lehmann.de
Mon Jul 23 18:35:05 EDT 2007
Hi,
24.07.2007 00:18,, Paul Wouters wrote::
> On Mon, 23 Jul 2007, Arno Lehmann wrote:
>
>
> That could be: http://bugs.xelerance.com/view.php?id=802
Really? The bug sounds really different to me... anyway, I'll try the
patch...
> Try the patch in openswan 2.4.9's contrib directory?
... but I really wanted to have ONE machine where I only used packages
from the distribution...
Well, as you all know that doesn't always work :-(
Arno
> Paul
>
>> after I got the PSK authentication working inside my test network, I
>> progessed to the next problems.
>>
>> The basic setup:
>> Client is Windows Vista, using IPsec/L2TP as VPN client.
>> Server is Linux Openswan U2.4.6/K2.6.18.8-0.3-default (netkey) as
>> distributed in OpenSUSE 10.2
>>
>> I use x509 certificates for authentication, which does work inside the
>> LAN.
>>
>> The LAN is connected to the internet through a NAT'ing router.
>>
>> This is the network layout:
>>
>> ~~~~~~~~~
>> Internet } === Router === VPN-Gateway === Internal LAN, 192.168.0.0/24
>> ~~~~~~~~~ / | \ (irrelevant for now...)
>> / | \
>> dynamic IP, static IP static IP
>> ddns hostname 192.168.1.1 192.168.1.2
>>
>>
>> The router is doing NAT and is set up to forward incoming traffic on
>> udp ports 500 and 4500 to the 192.168.1.1 host. tcpdump shows that an
>> ipsec conversation is taking place between client and VPN gateway.
>>
>> (The router can be setup to also forward ip protocols 50 and 51; would
>> that help? - after my reading, I suppose it would not.)
>>
>> The relevant configuration of the VPN gateway is:
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>>
>> config setup
>> interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
>> # klipsdebug=
>> # plutodebug=all
>> # manualstart=
>> # syslog=
>> plutowait=yes
>> nhelpers=0
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.37.0/24,%v4:!192.168.1.1/24
>> nat_traversal=yes
>>
>> conn extern-cert
>> pfs=no
>> authby=rsasig
>> rightrsasigkey=%cert
>> leftcert=ITS-VPN.pem
>> left=192.168.1.2
>> leftnexthop=192.168.1.1
>> leftrsasigkey=%cert
>> leftprotoport=17/1701
>> right=%any
>> rightprotoport=17/1701
>> rightsubnet=vhost:%no,%priv
>> rightca=%same
>> auto=add
>>
>> An almost complete session log is at the end of this mail, but the
>> problem, in short, is this:
>>
>> A VPN connection is not created, which I suspect is due to the
>> following events:
>>
>> > Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1
>> #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6
>> xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>> > Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1
>> #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
>>
>> Which seems to indicate that my client for some reason unknown to me
>> refuses the VPN setup.
>>
>> Now I've got two questions:
>> - Is this really the clients decision to refuse the VPN setup?
>> - How do I fix that?
>>
>> That same client, with the identical certificates, can create a VPN
>> connection through the LAN. The only difference in the connection
>> setup is that the internal VPN connection is defined without a
>> leftnexthop statement, and left= refers to another network interface.
>>
>>
>> Thanks, again, in advance for your support!
>>
>> Arno
>>
>> Here is the ipsec session log:
>>> Jul 23 23:11:37 balrog ipsec__plutorun: Starting Pluto subsystem...
>>> Jul 23 23:11:37 balrog pluto[13798]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)
>>> Jul 23 23:11:37 balrog pluto[13798]: Setting NAT-Traversal port-4500 floating to on
>>> Jul 23 23:11:37 balrog pluto[13798]: port floating activation criteria nat_t=1/port_fload=1
>>> Jul 23 23:11:37 balrog pluto[13798]: including NAT-Traversal patch (Version 0.6c)
>>> Jul 23 23:11:37 balrog pluto[13798]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
>>> Jul 23 23:11:37 balrog pluto[13798]: WARNING: Using /dev/urandom as the source of random
>>> Jul 23 23:11:37 balrog pluto[13798]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>>> Jul 23 23:11:37 balrog pluto[13798]: no helpers will be started, all cryptographic operations will be done inline
>>> Jul 23 23:11:37 balrog pluto[13798]: Using Linux 2.6 IPsec interface code on 2.6.18.8-0.3-default
>>> Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/cacerts'
>>> Jul 23 23:11:37 balrog pluto[13798]: loaded CA cert file 'ITS-VPN-cacert.pem' (1939 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: loaded CA cert file 'ITS-CA.pem' (2451 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/aacerts'
>>> Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/ocspcerts'
>>> Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/crls'
>>> Jul 23 23:11:37 balrog pluto[13798]: Warning: empty directory
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog pluto[13798]: loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: added connection description "extern-cert"
>>> Jul 23 23:11:37 balrog pluto[13798]: loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: added connection description "wlan-cert"
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog pluto[13798]: loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: added connection description "intern-cert"
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
>>> Jul 23 23:11:38 balrog pluto[13798]: listening for IKE messages
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo ::1:500
>>> Jul 23 23:11:38 balrog pluto[13798]: loading secrets from "/etc/ipsec.secrets"
>>> Jul 23 23:11:38 balrog pluto[13798]: loaded private key file '/etc/ipsec.d/private/ITS-VPN-key.pem' (963 bytes)
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "block"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "block"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private-or-clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private-or-clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear-or-private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear-or-private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "packetdefault"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "packetdefault"
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [RFC 3947] method set to=110
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [FRAGMENTATION]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [Vid-Initial-Contact]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: responding to Main Mode from unknown peer 82.113.106.1
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: NAT-Traversal: Result using 3: both are NATed
>>> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>> Jul 23 23:12:14 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: discarding duplicate packet; already STATE_MAIN_R2
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=Phoenix, E=al at its-lehmann.de'
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=IT-Service Lehmann VPN CA, E=al at its-lehmann.de" found (strict=no)
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=CA, CN=IT-Service Lehmann CA, E=al at its-lehmann.de" found (strict=no)
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: switched from "extern-cert" to "extern-cert"
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: deleting connection "extern-cert" instance with peer 82.113.106.1 {isakmp=#0/ipsec=#0}
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: I am sending my cert
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> Jul 23 23:12:16 balrog pluto[13798]: | NAT-T: new mapping 82.113.106.1:305/34585)
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: responding to Quick Mode {msgid:01000000}
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:20 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: discarding duplicate packet; already STATE_QUICK_R1
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3423cae0 <0x0bb43eb1 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: responding to Quick Mode {msgid:02000000}
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: discarding duplicate packet; already STATE_QUICK_R1
>>> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>>> Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
>>> Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
>>> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: responding to Quick Mode {msgid:03000000}
>>> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xac14385e <0xfe617865 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x4f2beffd) payload: deleting IPSEC State #3
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
>>> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: responding to Quick Mode {msgid:04000000}
>>> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0xac14385e) payload: deleting IPSEC State #4
>>> Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
>>> Jul 23 23:12:38 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA payload: deleting ISAKMP State #1
>>> Jul 23 23:12:38 balrog pluto[13798]: packet from 82.113.106.1:34585: received and ignored informational message
>>
>>
>
--
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
More information about the Users
mailing list