[Openswan Users] ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)
Xunhua Wang
wangxx at jmu.edu
Wed Mar 28 23:50:00 EDT 2007
Hi there,
I have a Fedora Core 6 box and have installed "Linux Openswan
U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box has
two network interfaces, eth0 for internal connection and eth1 for external
connection (which has a public IP address).
Using an MS Windows 2000 client with L2TP/IPsec combination, I can connect to
the Linux box and obtain an internal IP address in the following two cases:
1) Case 1: the client has a public IP address
2) Case 2: the client is behind a NAT and this NAT allows outgoing UDP
packets to keep their source port 4500 (this was observed in the server
log).
However, if I put the client behind _another_ NAT, which maps the source
port of outgoing UDP packets from 4500 to 1325, I got the following error in
the server log: "ERROR: asynchronous network error report on eth1
(sport=4500) for message to 76.104.101.6 port 1325, complainant
134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
authenticated)"
The server log shows that an IPsec SA is indeed established. Dumped traffic
indicates that, after the IPsec SA was established, the client sent the
server several UDP-wrapped ESP packets (source port 1325, destination port
4500) but the server never responded.
The relevant server log is included below.
---------- /var/log/secure starts ----------
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6]
76.104.101.6 #12: responding to Quick Mode {msgid:3d5b839c}
Mar 28 21:01:28 Newton pluto[13304]: | install_inbound_ipsec_sa() checking
if we can route
Mar 28 21:01:28 Newton pluto[13304]: | route owner of
"roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 unrouted: NULL; eroute owner:
NULL
Mar 28 21:01:28 Newton pluto[13304]: | could_route called for
roadwarrior-l2tp-updatedwin (kind=CK_INSTANCE)
Mar 28 21:01:28 Newton pluto[13304]: | add inbound eroute
76.104.101.6/32:1701 --17-> 134.126.34.124/32:1701 =>
tun.10000 at 134.126.34.124 (raw_eroute)
Mar 28 21:01:28 Newton pluto[13304]: | finished processing quick inI1
Mar 28 21:01:28 Newton pluto[13304]: | complete state transition with STF_OK
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6]
76.104.101.6 #12: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Mar 28 21:01:28 Newton pluto[13304]: | sending reply packet to
76.104.101.6:1325 (from port=4500)
Mar 28 21:01:28 Newton pluto[13304]: | sending 172 bytes for STATE_QUICK_R0
through eth1:4500 to 76.104.101.6:1325:
Mar 28 21:01:28 Newton pluto[13304]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #12
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6]
76.104.101.6 #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Mar 28 21:01:28 Newton pluto[13304]: | modecfg pull: noquirk policy:push
not-client
Mar 28 21:01:28 Newton pluto[13304]: | phase 1 is done, looking for phase 1
to unpend
Mar 28 21:01:28 Newton pluto[13304]: | next event EVENT_RETRANSMIT in 10
seconds for #12
Mar 28 21:01:28 Newton pluto[13304]: |
Mar 28 21:01:28 Newton pluto[13304]: | *received 52 bytes from
76.104.101.6:1325 on eth1 (port=4500)
Mar 28 21:01:28 Newton pluto[13304]: | processing packet with exchange
type=ISAKMP_XCHG_QUICK (32)
Mar 28 21:01:28 Newton pluto[13304]: | ICOOKIE: 6f f5 7f b0 d2 76 ab 8b
Mar 28 21:01:28 Newton pluto[13304]: | RCOOKIE: d7 b3 ce 77 ec b9 26 58
Mar 28 21:01:28 Newton pluto[13304]: | peer: 4c 68 65 06
Mar 28 21:01:28 Newton pluto[13304]: | state hash entry 18
Mar 28 21:01:28 Newton pluto[13304]: | peer and cookies match on #12,
provided msgid 9c835b3d vs 9c835b3d
Mar 28 21:01:28 Newton pluto[13304]: | state object #12 found, in
STATE_QUICK_R1
Mar 28 21:01:28 Newton pluto[13304]: | processing connection
roadwarrior-l2tp-updatedwin[6] 76.104.101.6
Mar 28 21:01:28 Newton pluto[13304]: | install_ipsec_sa() for #12: outbound
only
Mar 28 21:01:28 Newton pluto[13304]: | route owner of
"roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 unrouted: NULL; eroute owner:
NULL
Mar 28 21:01:28 Newton pluto[13304]: | could_route called for
roadwarrior-l2tp-updatedwin (kind=CK_INSTANCE)
Mar 28 21:01:28 Newton pluto[13304]: | sr for #12: unrouted
Mar 28 21:01:28 Newton pluto[13304]: | route owner of
"roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 unrouted: NULL; eroute owner:
NULL
Mar 28 21:01:28 Newton pluto[13304]: | route_and_eroute with c:
roadwarrior-l2tp-updatedwin (next: none) ero:null esr:{(nil)} ro:null
rosr:{(nil)} and state: 12
Mar 28 21:01:28 Newton pluto[13304]: | eroute_connection add eroute
134.126.34.124/32:1701 --17-> 76.104.101.6/32:1701 =>
esp.358dd4bf at 76.104.101.6 (raw_eroute)
Mar 28 21:01:28 Newton pluto[13304]: | command executing up-host
Mar 28 21:01:28 Newton pluto[13304]: | trusted_ca called with a=C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA b=C=US, ST=Virginia,
L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA
Mar 28 21:01:28 Newton pluto[13304]: | executing up-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='up-host'
PLUTO_CONNECTION='roadwarrior-l2tp-updatedwin' PLUTO_NEXT_HOP='76.104.101.6'
PLUTO_INTERFACE='eth1' PLUTO_ME='134.126.34.124' PLUTO_MY_ID='C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Server 02'
PLUTO_MY_CLIENT='134.126.34.124/32' PLUTO_MY_CLIENT_NET='134.126.34.124'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701'
PLUTO_MY_PROTOCOL='17' PLUTO_PEER='76.104.101.6' PLUTO_PEER_ID='C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Client 001'
PLUTO_PEER_CLIENT='76.104.101.6/32' PLUTO_PEER_CLIENT_NET='76.104.101.6'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701'
PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=US, ST=Virginia, L=Harrisonburg,
O=JMU, OU=CS, CN=Crypto CA'
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Mar 28 21:01:28 Newton pluto[13304]: | route_and_eroute: firewall_notified:
true
Mar 28 21:01:28 Newton pluto[13304]: | command executing prepare-host
Mar 28 21:01:28 Newton pluto[13304]: | trusted_ca called with a=C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA b=C=US, ST=Virginia,
L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA
Mar 28 21:01:28 Newton pluto[13304]: | executing prepare-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host'
PLUTO_CONNECTION='roadwarrior-l2tp-updatedwin' PLUTO_NEXT_HOP='76.104.101.6'
PLUTO_INTERFACE='eth1' PLUTO_ME='134.126.34.124' PLUTO_MY_ID='C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Server 02'
PLUTO_MY_CLIENT='134.126.34.124/32' PLUTO_MY_CLIENT_NET='134.126.34.124'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701'
PLUTO_MY_PROTOCOL='17' PLUTO_PEER='76.104.101.6' PLUTO_PEER_ID='C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Client 001'
PLUTO_PEER_CLIENT='76.104.101.6/32' PLUTO_PEER_CLIENT_NET='76.104.101.6'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701'
PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=US, ST=Virginia, L=Harrisonburg,
O=JMU, OU=CS, CN=Crypto CA'
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Mar 28 21:01:28 Newton pluto[13304]: | command executing route-host
Mar 28 21:01:28 Newton pluto[13304]: | trusted_ca called with a=C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA b=C=US, ST=Virginia,
L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA
Mar 28 21:01:28 Newton pluto[13304]: | executing route-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-host'
PLUTO_CONNECTION='roadwarrior-l2tp-updatedwin' PLUTO_NEXT_HOP='76.104.101.6'
PLUTO_INTERFACE='eth1' PLUTO_ME='134.126.34.124' PLUTO_MY_ID='C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Server 02'
PLUTO_MY_CLIENT='134.126.34.124/32' PLUTO_MY_CLIENT_NET='134.126.34.124'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701'
PLUTO_MY_PROTOCOL='17' PLUTO_PEER='76.104.101.6' PLUTO_PEER_ID='C=US,
ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Client 001'
PLUTO_PEER_CLIENT='76.104.101.6/32' PLUTO_PEER_CLIENT_NET='76.104.101.6'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701'
PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=US, ST=Virginia, L=Harrisonburg,
O=JMU, OU=CS, CN=Crypto CA'
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Mar 28 21:01:28 Newton pluto[13304]: | route_and_eroute: instance
"roadwarrior-l2tp-updatedwin"[6] 76.104.101.6, setting eroute_owner
{spd=0x8e17ad4,sr=0x8e17ad4} to #12 (was #0) (newest_ipsec_sa=#0)
Mar 28 21:01:28 Newton pluto[13304]: | inI2: instance
roadwarrior-l2tp-updatedwin[6], setting newest_ipsec_sa to #12 (was #0)
(spd.eroute=#12)
Mar 28 21:01:28 Newton pluto[13304]: | complete state transition with STF_OK
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6]
76.104.101.6 #12: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Mar 28 21:01:28 Newton pluto[13304]: | inserting event EVENT_SA_EXPIRE,
timeout in 3600 seconds for #12
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6]
76.104.101.6 #12: STATE_QUICK_R2: IPsec SA established {ESP=>0x358dd4bf
<0x90c3e1a6 xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1325 DPD=none}
Mar 28 21:01:28 Newton pluto[13304]: | modecfg pull: noquirk policy:push
not-client
Mar 28 21:01:28 Newton pluto[13304]: | phase 1 is done, looking for phase 1
to unpend
Mar 28 21:01:28 Newton pluto[13304]: | next event EVENT_NAT_T_KEEPALIVE in
20 seconds
Mar 28 21:01:33 Newton pluto[13304]: | rejected packet:
Mar 28 21:01:33 Newton pluto[13304]: | 35 8d d4 bf 00 00 00 03 46 92 2b
8a a3 45 61 ae
Mar 28 21:01:33 Newton pluto[13304]: | bf 99 f9 2b a6 8c a7 eb 02 01 a4
fc 78 0f e7 54
Mar 28 21:01:33 Newton pluto[13304]: | 9a 1f 0a 58 9f 7a cb f2 53 2b 31
cd 74 a3 dd f4
Mar 28 21:01:33 Newton pluto[13304]: | 66 1d 1f a3 ba 6a bf ca c5 09 e3
45 5e a0 e1 f4
Mar 28 21:01:33 Newton pluto[13304]: | 9c d0 e8 d6 09 0a d3 cc 94 04 fb
9a 74 ef 26 d8
Mar 28 21:01:33 Newton pluto[13304]: | ad 8d 0e 27 08 e9 ff 99 08 44 dd
6d f4 5b 23 8f
Mar 28 21:01:33 Newton pluto[13304]: | b7 28 4b ad 71 46 8e c0 11 37 e5
99 3c b9 9e 35
Mar 28 21:01:33 Newton pluto[13304]: | a7 b5 67 f1 b1 51 85 c6 83 5f bf
37 1c d9 18 c1
Mar 28 21:01:33 Newton pluto[13304]: | 9f e6 59 21 83 8a 19 14 63 71 ed
e3 cb 0c 59 96
Mar 28 21:01:33 Newton pluto[13304]: | a9 9d b3 7e
Mar 28 21:01:33 Newton pluto[13304]: | control:
Mar 28 21:01:33 Newton pluto[13304]: | 18 00 00 00 00 00 00 00 08 00 00
00 01 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 86 7e 22 7c 86 7e 22 7c 2c 00 00
00 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 0b 00 00 00 71 00 00 00 02 03 01
00 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 00 00 00 00 02 00 00 00 86 7e 22
7c 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | name:
Mar 28 21:01:33 Newton pluto[13304]: | 02 00 05 2d 4c 68 65 06 00 00 00
00 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: ERROR: asynchronous network error
report on eth1 (sport=4500) for message to 76.104.101.6 port 1325,
complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3
code 1 (not authenticated)]
Mar 28 21:01:33 Newton pluto[13304]: | rejected packet:
Mar 28 21:01:33 Newton pluto[13304]: | 35 8d d4 bf 00 00 00 04 9f e6 59
21 83 8a 19 14
Mar 28 21:01:33 Newton pluto[13304]: | cf a8 a5 00 1f 6f 60 06 76 71 3f
55 bf 69 71 5d
Mar 28 21:01:33 Newton pluto[13304]: | 8e 6d 04 ff 16 d4 b0 09 40 3e 9d
a0 71 d4 fd 3e
Mar 28 21:01:33 Newton pluto[13304]: | c0 3b 35 08
Mar 28 21:01:33 Newton pluto[13304]: | control:
Mar 28 21:01:33 Newton pluto[13304]: | 18 00 00 00 00 00 00 00 08 00 00
00 01 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 86 7e 22 7c 86 7e 22 7c 2c 00 00
00 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 0b 00 00 00 71 00 00 00 02 03 01
00 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 00 00 00 00 02 00 00 00 86 7e 22
7c 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | 00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | name:
Mar 28 21:01:33 Newton pluto[13304]: | 02 00 05 2d 4c 68 65 06 00 00 00
00 00 00 00 00
---------- /var/log/secure ends ----------
What caused the problem? The type of the second NAT? How can I bypass it?
Thanks,
Steve
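As an added triage example (not code from the original post or from Openswan), the script below parses constructed copies of the key pluto lines above and correlates them: the NATD port from the "IPsec SA established" line, the SPI at the head of the "rejected packet" dump, and the complainant of the asynchronous error against PLUTO_ME. The sample lines are constructed here, unwrapped onto single lines, and the up-host line is shortened.

```python
import re
# Constructed sample in the shape of the pluto lines quoted in this post, one record per
# line (the mail client wrapped the originals); the up-host line is shortened.
SAMPLE_LOG = """\
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 #12: STATE_QUICK_R2: IPsec SA established {ESP=>0x358dd4bf <0x90c3e1a6 xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1325 DPD=none}
Mar 28 21:01:28 Newton pluto[13304]: | executing up-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-host' PLUTO_INTERFACE='eth1' PLUTO_ME='134.126.34.124' PLUTO_PEER='76.104.101.6' ipsec _updown
Mar 28 21:01:33 Newton pluto[13304]: | rejected packet:
Mar 28 21:01:33 Newton pluto[13304]: |   35 8d d4 bf 00 00 00 03 46 92 2b 8a a3 45 61 ae
Mar 28 21:01:33 Newton pluto[13304]: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

SA_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+).*?NATD=([\d.]+):(\d+)")
ME_RE = re.compile(r"PLUTO_ME='([\d.]+)'")
HEX_RE = re.compile(r"\|\s+((?:[0-9a-f]{2} )+[0-9a-f]{2})\s*$")
ERR_RE = re.compile(r"asynchronous network error report on (\S+) \(sport=(\d+)\) for message to "
                    r"([\d.]+) port (\d+), complainant ([\d.]+): .*?errno (\d+), origin ICMP type (\d+) code (\d+)")

def parse_pluto_log(log):
    """Pull the SA, our own address, the first rejected packet's SPI and the async error."""
    facts = {"rejected_spi": None}
    want_dump = False
    for line in log.splitlines():
        if m := SA_RE.search(line):
            facts.update(out_spi=int(m[1], 16), in_spi=int(m[2], 16), natd_ip=m[3], natd_port=int(m[4]))
        elif m := ME_RE.search(line):
            facts["me"] = m[1]
        elif "rejected packet:" in line:
            want_dump = True
        elif want_dump and (m := HEX_RE.search(line)):
            facts["rejected_spi"] = int(m[1].replace(" ", "")[:8], 16)  # ESP header starts with the 4-byte SPI
            want_dump = False
        elif m := ERR_RE.search(line):
            facts.update(err_iface=m[1], err_sport=int(m[2]), err_dst=m[3], err_dport=int(m[4]),
                         complainant=m[5], errno=int(m[6]), icmp=(int(m[7]), int(m[8])))
    return facts

def triage(log):
    """Return the findings a responder would want before touching the NAT or the firewall."""
    f = parse_pluto_log(log)
    findings = []
    if f.get("natd_port") not in (None, 4500):
        findings.append(f"peer NAT-T port is {f['natd_port']}, not 4500: a NAT rewrote the client's source port")
    if f["rejected_spi"] is not None and f["rejected_spi"] == f.get("out_spi"):
        findings.append(f"rejected packet carries our outbound ESP SPI 0x{f['out_spi']:08x}: the server's own "
                        "UDP-encapsulated ESP replies are what is being dropped")
    if f.get("icmp") == (3, 1) and f.get("complainant") == f.get("me"):
        findings.append("ICMP host-unreachable came from this host's own address: the drop happens in the "
                        "local stack, not at an upstream router")
    return findings
```

Run `triage(SAMPLE_LOG)` to get the three findings for this log; feed it the real /var/log/secure after joining wrapped lines to check a live box.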