[Openswan Users] FC6 iptables problem

Xunhua Wang wangxx at jmu.edu
Fri Mar 23 17:16:14 EDT 2007


Ok. I may have found the reason but it is not clear where to fix it. My
Windows IPsec/L2TP client is behind a NAT (its IP address is 192.168.1.103)
but the IPsec SA does _not_ report it (see below).

----- /var/log/secure Starts -----
Mar 23 15:38:32 Newton pluto[2816]: packet from 76.104.101.6:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Mar 23 15:38:32 Newton pluto[2816]: packet from 76.104.101.6:500: ignoring
Vendor ID payload [FRAGMENTATION]
Mar 23 15:38:32 Newton pluto[2816]: packet from 76.104.101.6:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
responding to Main Mode from unknown peer 76.104.101.6
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
STATE_MAIN_R1: sent MR1, expecting MI2
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
STATE_MAIN_R2: sent MR2, expecting MI3
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5: Main
mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU,
OU=CS, CN=IPsec VPN Client 001'
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5: crl
update for "C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA"
is overdue since Jun 04 01:53:24 UTC 2006
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 76.104.101.6 #5:
switched from "roadwarrior" to "roadwarrior"
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[6] 76.104.101.6 #5:
deleting connection "roadwarrior" instance with peer 76.104.101.6
{isakmp=#0/ipsec=#0}
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[6] 76.104.101.6 #5: I am
sending my cert
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[6] 76.104.101.6 #5:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping
76.104.101.6:500/1468)
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[6] 76.104.101.6 #5:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[3]
76.104.101.6 #6: responding to Quick Mode {msgid:ec7f7f02}
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[3]
76.104.101.6 #6: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[3]
76.104.101.6 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[3]
76.104.101.6 #6: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[3]
76.104.101.6 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x61a49581
<0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1468 DPD=none}
Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report
on eth1 (sport=4500) for message to 76.104.101.6 port 1468, complainant
134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
authenticated)]

------ /var/log/secure ends ------

In contrast, on another good Linux box (which runs RHEL 4), the IPsec SA
correctly reports the NAT.
--- Good log on another machine -----
Mar 23 13:34:44 localhost pluto[3236]: "roadwarrior-l2tp-updatedwin"[178]
76.104.101.6:1330 #487: IPsec SA established {ESP/NAT=>0xbbaf4633
<0x748dcc2f NATOA=192.168.1.103}
----- Good log ends -----

I did turn on the nat_traversal in ipsec.conf with "nat_traversal=yes" (my
ipsec.conf is attached).

Do I need to patch the kernel or something else?

Thanks,

Steve

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Friday, March 23, 2007 2:16 PM
> To: Xunhua Wang
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] FC6 iptables problem
> 
> On Fri, 23 Mar 2007, Xunhua Wang wrote:
> 
> > Ok, I made the changes (I also added "iptables -t mangle -A INPUT -p udp
> > --dport 4500 -j MARK --set-mark 50" as my Windows client is behind a
> > NAT)
> > and it got better but the problem persists.
> >
> > Here is what I have from /var/log/secure
> >
> > Mar 23 11:47:13 Newton pluto[2816]: | NAT-T: new mapping
> > 76.104.101.6:500/1300)
> 
> > Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[1]
> > 76.104.101.6 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x9c9d09ad
> > <0x4175cada xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1300 DPD=none}
> > Mar 23 11:47:18 Newton pluto[2816]: ERROR: asynchronous network error
> > report
> > on eth1 (sport=4500) for message to 76.104.101.6 port 1468, complainant
> > 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1
> > (not
> > authenticated)]
> 
> Are you allowing any source to destination udp 4500, and source udp 4500
> to any destination 4500?
> It looks like perhaps you only allow 4500 <-> 4500?
> 
> Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 889 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20070323/985d076a/attachment.obj 
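An added defender-side example, not from this thread or from Openswan: a small parser that pulls the NAT-T mapping port, the NATOA field and the ICMP error out of the pluto lines quoted above and flags the pattern Paul asks about, a reply from sport 4500 to the peer's translated port being rejected. The function names (`analyse`, `findings`) and the line-joined samples are my own.

```python
import re

# Constructed sample: pluto lines quoted in the thread above, rejoined onto single lines.
FC6_LOG = """\
Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping 76.104.101.6:500/1468)
Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[3] 76.104.101.6 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x61a49581 <0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1468 DPD=none}
Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1468, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""
# The RHEL 4 box's "good" line from the same thread, for comparison.
RHEL4_LOG = """\
Mar 23 13:34:44 localhost pluto[3236]: "roadwarrior-l2tp-updatedwin"[178] 76.104.101.6:1330 #487: IPsec SA established {ESP/NAT=>0xbbaf4633 <0x748dcc2f NATOA=192.168.1.103}
"""

IP = r"\d+\.\d+\.\d+\.\d+"
PEER_RE = re.compile(rf"\[\d+\] ({IP})(?::\d+)? #\d+:")
MAPPING_RE = re.compile(rf"NAT-T: new mapping ({IP}):\d+/(\d+)")
SA_RE = re.compile(r"IPsec SA established \{([^}]*)\}")
ERR_RE = re.compile(rf"\(sport=(\d+)\) for message to ({IP}) port (\d+).*ICMP type (\d+) code (\d+)")

def _peer(peers, ip):
    return peers.setdefault(ip, {"natt_port": None, "natoa": None, "rejected": []})

def analyse(log_text):
    """Return per-peer NAT-T state: translated UDP port, NAT-OA, and rejected replies."""
    peers = {}
    for line in log_text.splitlines():
        if m := MAPPING_RE.search(line):
            # Port the peer's NAT chose for its UDP-encapsulated traffic (4500 only if untranslated).
            _peer(peers, m[1])["natt_port"] = int(m[2])
        elif (m := SA_RE.search(line)) and (who := PEER_RE.search(line)):
            oa = re.search(rf"NATOA=({IP})", m[1])
            _peer(peers, who[1])["natoa"] = oa[1] if oa else None
        elif m := ERR_RE.search(line):
            sport, ip, dport, itype, code = m.groups()
            _peer(peers, ip)["rejected"].append((int(sport), int(dport), int(itype), int(code)))
    return peers

def findings(peers):
    """Flag replies to a translated (non-4500) port that drew ICMP host-unreachable."""
    out = []
    for ip, p in peers.items():
        for sport, dport, itype, code in p["rejected"]:
            if dport == p["natt_port"] != 4500 and (itype, code) == (3, 1):
                out.append(f"{ip}: reply {sport}->{dport} unreachable; allow udp sport 4500 "
                           "to any dport, not only 4500<->4500")
        if p["natt_port"] is not None and p["natoa"] is None:
            out.append(f"{ip}: SA established without NATOA (peer's original address)")
    return out
```

Run over the FC6 lines it reports both the rejected reply to port 1468 and the missing NATOA; over the RHEL 4 line it reports nothing, which matches the two logs in the thread.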