[Openswan Users] VPN works internally, not from internet through NAT

Arno Lehmann al at its-lehmann.de
Mon Jul 23 18:35:05 EDT 2007


Hi,

24.07.2007 00:18, Paul Wouters wrote:
> On Mon, 23 Jul 2007, Arno Lehmann wrote:
> 
> 
> That could be: http://bugs.xelerance.com/view.php?id=802

Really? The bug sounds really different to me... anyway, I'll try the 
patch...

> Try the patch in openswan 2.4.9's contrib directory?

... but I really wanted to have ONE machine where I only used packages 
from the distribution...

Well, as you all know that doesn't always work :-(

Arno


> Paul
> 
>> after I got the PSK authentication working inside my test network, I
>> progressed to the next problems.
>>
>> The basic setup:
>> Client is Windows Vista, using IPsec/L2TP as VPN client.
>> Server is Linux Openswan U2.4.6/K2.6.18.8-0.3-default (netkey) as
>> distributed in OpenSUSE 10.2
>>
>> I use x509 certificates for authentication, which does work inside the
>> LAN.
>>
>> The LAN is connected to the internet through a NAT'ing router.
>>
>> This is the network layout:
>>
>> ~~~~~~~~~
>> Internet } === Router === VPN-Gateway === Internal LAN, 192.168.0.0/24
>> ~~~~~~~~~     /      |    \               (irrelevant for now...)
>>               /       |     \
>>    dynamic IP,  static IP    static IP
>> ddns hostname  192.168.1.1  192.168.1.2
>>
>>
>> The router is doing NAT and is set up to forward incoming traffic on
>> udp ports 500 and 4500 to the 192.168.1.1 host. tcpdump shows that an
>> ipsec conversation is taking place between client and VPN gateway.
>>
>> (The router can be set up to also forward IP protocols 50 and 51; would
>> that help? - after my reading, I suppose it would not.)
>>
>> The relevant configuration of the VPN gateway is:
>>
>> version 2.0     # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>>
>> config setup
>>          interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
>>          # klipsdebug=
>>          # plutodebug=all
>>          # manualstart=
>>          # syslog=
>>          plutowait=yes
>>          nhelpers=0
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.37.0/24,%v4:!192.168.1.1/24
>>          nat_traversal=yes
>>
>> conn extern-cert
>>          pfs=no
>>          authby=rsasig
>>          rightrsasigkey=%cert
>>          leftcert=ITS-VPN.pem
>>          left=192.168.1.2
>>          leftnexthop=192.168.1.1
>>          leftrsasigkey=%cert
>>          leftprotoport=17/1701
>>          right=%any
>>          rightprotoport=17/1701
>>          rightsubnet=vhost:%no,%priv
>>          rightca=%same
>>          auto=add
>>
>> An almost complete session log is at the end of this mail, but the
>> problem, in short, is this:
>>
>> A VPN connection is not created, which I suspect is due to the
>> following events:
>>
>>  > Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1
>> #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6
>> xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>>  > Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1
>> #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
>>
>> Which seems to indicate that my client for some reason unknown to me
>> refuses the VPN setup.
>>
>> Now I've got two questions:
>> - Is this really the client's decision to refuse the VPN setup?
>> - How do I fix that?
>>
>> That same client, with the identical certificates, can create a VPN
>> connection through the LAN. The only difference in the connection
>> setup is that the internal VPN connection is defined without a
>> leftnexthop statement, and left= refers to another network interface.
>>
>>
>> Thanks, again, in advance for your support!
>>
>> Arno
>>
>> Here is the ipsec session log:
>>> Jul 23 23:11:37 balrog ipsec__plutorun: Starting Pluto subsystem...
>>> Jul 23 23:11:37 balrog pluto[13798]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)
>>> Jul 23 23:11:37 balrog pluto[13798]: Setting NAT-Traversal port-4500 floating to on
>>> Jul 23 23:11:37 balrog pluto[13798]:    port floating activation criteria nat_t=1/port_fload=1
>>> Jul 23 23:11:37 balrog pluto[13798]:   including NAT-Traversal patch (Version 0.6c)
>>> Jul 23 23:11:37 balrog pluto[13798]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
>>> Jul 23 23:11:37 balrog pluto[13798]: WARNING: Using /dev/urandom as the source of random
>>> Jul 23 23:11:37 balrog pluto[13798]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>>> Jul 23 23:11:37 balrog pluto[13798]: no helpers will be started, all cryptographic operations will be done inline
>>> Jul 23 23:11:37 balrog pluto[13798]: Using Linux 2.6 IPsec interface code on 2.6.18.8-0.3-default
>>> Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/cacerts'
>>> Jul 23 23:11:37 balrog pluto[13798]:   loaded CA cert file 'ITS-VPN-cacert.pem' (1939 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]:   loaded CA cert file 'ITS-CA.pem' (2451 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/aacerts'
>>> Jul 23 23:11:37 balrog pluto[13798]: Could not change to directory '/etc/ipsec.d/ocspcerts'
>>> Jul 23 23:11:37 balrog pluto[13798]: Changing to directory '/etc/ipsec.d/crls'
>>> Jul 23 23:11:37 balrog pluto[13798]:   Warning: empty directory
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog pluto[13798]:   loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: added connection description "extern-cert"
>>> Jul 23 23:11:37 balrog pluto[13798]:   loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: added connection description "wlan-cert"
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
>>> Jul 23 23:11:37 balrog pluto[13798]:   loaded host cert file '/etc/ipsec.d/certs/ITS-VPN.pem' (1428 bytes)
>>> Jul 23 23:11:37 balrog pluto[13798]: added connection description "intern-cert"
>>> Jul 23 23:11:37 balrog ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
>>> Jul 23 23:11:38 balrog pluto[13798]: listening for IKE messages
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth2/eth2 192.168.0.22:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth0/eth0 192.168.1.2:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface eth1/eth1 192.168.37.1:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo 127.0.0.1:4500
>>> Jul 23 23:11:38 balrog pluto[13798]: adding interface lo/lo ::1:500
>>> Jul 23 23:11:38 balrog pluto[13798]: loading secrets from "/etc/ipsec.secrets"
>>> Jul 23 23:11:38 balrog pluto[13798]:   loaded private key file '/etc/ipsec.d/private/ITS-VPN-key.pem' (963 bytes)
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "block"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "block"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "private-or-clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "private-or-clear"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "clear-or-private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "clear-or-private"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: 021 no connection named "packetdefault"
>>> Jul 23 23:11:38 balrog ipsec__plutorun: ...could not route conn "packetdefault"
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [RFC 3947] method set to=110
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [FRAGMENTATION]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring Vendor ID payload [Vid-Initial-Contact]
>>> Jul 23 23:12:11 balrog pluto[13798]: packet from 82.113.106.1:305: ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: responding to Main Mode from unknown peer 82.113.106.1
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>> Jul 23 23:12:11 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: NAT-Traversal: Result using 3: both are NATed
>>> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>> Jul 23 23:12:13 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>> Jul 23 23:12:14 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: discarding duplicate packet; already STATE_MAIN_R2
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=Phoenix, E=al at its-lehmann.de'
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=Network, CN=IT-Service Lehmann VPN CA, E=al at its-lehmann.de" found (strict=no)
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: no crl from issuer "C=DE, L=Osnabrueck, O=IT-Service Lehmann, OU=CA, CN=IT-Service Lehmann CA, E=al at its-lehmann.de" found (strict=no)
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[1] 82.113.106.1 #1: switched from "extern-cert" to "extern-cert"
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: deleting connection "extern-cert" instance with peer 82.113.106.1 {isakmp=#0/ipsec=#0}
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: I am sending my cert
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> Jul 23 23:12:16 balrog pluto[13798]: | NAT-T: new mapping 82.113.106.1:305/34585)
>>> Jul 23 23:12:16 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: responding to Quick Mode {msgid:01000000}
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:19 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:20 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: discarding duplicate packet; already STATE_QUICK_R1
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3423cae0 <0x0bb43eb1 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: responding to Quick Mode {msgid:02000000}
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: discarding duplicate packet; already STATE_QUICK_R1
>>> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>>> Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
>>> Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
>>> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: responding to Quick Mode {msgid:03000000}
>>> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:27 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xac14385e <0xfe617865 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x4f2beffd) payload: deleting IPSEC State #3
>>> Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
>>> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: responding to Quick Mode {msgid:04000000}
>>> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Jul 23 23:12:35 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0xac14385e) payload: deleting IPSEC State #4
>>> Jul 23 23:12:36 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received and ignored informational message
>>> Jul 23 23:12:38 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA payload: deleting ISAKMP State #1
>>> Jul 23 23:12:38 balrog pluto[13798]: packet from 82.113.106.1:34585: received and ignored informational message
>>
>>
> 

-- 
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
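As an added diagnostic (not part of the thread or of Openswan): a small Python script that walks pluto log lines in the format quoted above, pairs each "IPsec SA established" entry with the peer's later "Delete SA(spi)" by SPI, and reports SAs the peer tore down within a few seconds, which is the pattern Arno points at. The sample lines are copied from the log in the mail; the 10-second threshold is an assumption.

```python
import re

# Sample taken from the pluto log quoted in the mail (SPIs and state numbers as logged there).
SAMPLE_LOG = """\
Jul 23 23:12:21 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3423cae0 <0x0bb43eb1 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
Jul 23 23:12:22 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4f2beffd <0x5299bed6 xfrm=AES_128-HMAC_SHA1 NATD=82.113.106.1:34585 DPD=none}
Jul 23 23:12:23 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x3423cae0) payload: deleting IPSEC State #2
Jul 23 23:12:28 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA(0x4f2beffd) payload: deleting IPSEC State #3
Jul 23 23:12:38 balrog pluto[13798]: "extern-cert"[2] 82.113.106.1 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# syslog prefix: month, day, HH:MM:SS
TS = r'^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)'
# Responder-side Quick Mode completion; ESP=>SPI is the outbound SPI (the peer's inbound one).
ESTABLISHED = re.compile(
    TS + r'.*?"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): STATE_QUICK_R2: '
    r'IPsec SA established \{ESP=>(?P<out_spi>0x[0-9a-f]+) <(?P<in_spi>0x[0-9a-f]+)')
# Peer-initiated deletion; the SPI it names is its own inbound SPI, i.e. our ESP=> value.
DELETED = re.compile(
    TS + r'.*?"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: received Delete SA\((?P<spi>0x[0-9a-f]+)\) '
    r'payload: deleting IPSEC State #(?P<state>\d+)')


def seconds(hms):
    """HH:MM:SS -> seconds since midnight (same-day log assumed)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def short_lived_sas(log_text, max_age=10):
    """Return [(state_no, spi, age_seconds)] for IPsec SAs the peer deleted
    within max_age seconds of the responder logging them as established."""
    established = {}   # out_spi -> (state number, establish time)
    flagged = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            established[m["out_spi"]] = (int(m["state"]), seconds(m["time"]))
            continue
        m = DELETED.search(line)
        if m and m["spi"] in established:
            state, t0 = established.pop(m["spi"])
            age = seconds(m["time"]) - t0
            if age <= max_age:
                flagged.append((state, m["spi"], age))
    return flagged


if __name__ == "__main__":
    for state, spi, age in short_lived_sas(SAMPLE_LOG):
        print(f"state #{state} (SPI {spi}) deleted by peer after {age}s")
```

Running it on the mail's log reports states #2 and #3 torn down by the peer after 2 and 6 seconds, confirming that the deletes come from the client side rather than from pluto.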

