[Openswan Users] XL2TPD/Double NAT issue
Gerald Vogt
vogt at spamcop.net
Fri Oct 5 21:56:28 EDT 2007
Jacco de Leeuw wrote:
> Gerald Vogt wrote:
>
>> I am setting up a L2TP server with PSK to be accessed from road
>> warriors. If I access the server from a computer with a public IP
>> address everything works fine. If, however, the computer is also behind
>> a different NAT router it does not work.
>> conn L2TP-PSK
>> leftprotoport=17/1701
>> right=%any
>> rightprotoport=17/%any
>
> Sounds a bit similar to this bug:
> http://bugs.xelerance.com/view.php?id=773
>
> What happens if you try:
> rightprotoport=17/1701
>
> Mac clients can't connect then but how about Windows clients?
O.K. I have tested the Windows XP SP2 client now. I expected Windows to
be the lesser problem that's why I have used the Mac before. However,
Windows is even worse. Windows does not connect regardless whether the
client is NATed or not. The windows client seems to start all over again
although the IPsec SA gets established (see Logs below). This happens
always, whether I change the configuration from %any to 1701 or not.
The Windows client only connects as long as there is no NAT between the
server and the client.
The NATed Mac client gets to the "IPsec SA established" regardless of
the setting. The packets still arrive on the ipsec0 interface as before.
I have attached the openswan log below.
I have also attached the openswan log of the non NATed Mac client which
successfully connects to the L2TP server and gets the ppp tunnel up.
Thx, Gerald
Logs
NATed Windows Client------------------------------------------------
Oct 6 10:19:36 localhost pluto[16098]: packet from 1.0.0.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 6 10:19:36 localhost pluto[16098]: packet from 1.0.0.2:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 6 10:19:36 localhost pluto[16098]: packet from 1.0.0.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 6 10:19:36 localhost pluto[16098]: packet from 1.0.0.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: responding to Main Mode from unknown peer 1.0.0.2
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: NAT-Traversal: Result using unknown method: both are NATed
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: Main mode peer ID is ID_FQDN: '@Karpfen'
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[1] 1.0.0.2 #1: switched from "L2TP-PSK" to "L2TP-PSK"
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #1: deleting connection "L2TP-PSK" instance with peer 1.0.0.2 {isakmp=#0/ipsec=#0}
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #1: I did not send a certificate because I do not have one.
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #2: responding to Quick Mode {msgid:f16bacc4}
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:19:36 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x034b9cf8 <0x8e3168cf xfrm=3DES_0-HMAC_MD5 NATD=1.0.0.2:4500 DPD=none}
Oct 6 10:19:37 localhost pluto[16098]: packet from 1.0.0.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 6 10:19:37 localhost pluto[16098]: packet from 1.0.0.2:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 6 10:19:37 localhost pluto[16098]: packet from 1.0.0.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 6 10:19:37 localhost pluto[16098]: packet from 1.0.0.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: responding to Main Mode from unknown peer 1.0.0.2
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: NAT-Traversal: Result using unknown method: both are NATed
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: Main mode peer ID is ID_FQDN: '@Karpfen'
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: I did not send a certificate because I do not have one.
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #4: responding to Quick Mode {msgid:f1f58ea1}
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 6 10:19:37 localhost pluto[16098]: "L2TP-PSK"[2] 1.0.0.2 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x32ad3757 <0x8e3168d0 xfrm=3DES_0-HMAC_MD5 NATD=1.0.0.2:4500 DPD=none}
Oct 6 10:19:37 localhost pluto[16098]: packet from 1.0.0.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
... and it starts again like before.
Non NATed windows client-------------------------------------
Oct 6 10:22:16 localhost pluto[16352]: packet from 1.0.0.3:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 6 10:22:16 localhost pluto[16352]: packet from 1.0.0.3:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 6 10:22:16 localhost pluto[16352]: packet from 1.0.0.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 6 10:22:16 localhost pluto[16352]: packet from 1.0.0.3:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 6 10:22:16 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: responding to Main Mode from unknown peer 1.0.0.3
Oct 6 10:22:16 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 6 10:22:16 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: NAT-Traversal: Result using unknown method: i am NATed
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: Main mode peer ID is ID_IPV4_ADDR: '1.0.0.3'
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: I did not send a certificate because I do not have one.
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #74: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #75: responding to Quick Mode {msgid:0d09440a}
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #75: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #75: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #75: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 6 10:22:17 localhost pluto[16352]: "L2TP-PSK"[3] 1.0.0.3 #75: STATE_QUICK_R2: IPsec SA established {ESP=>0x7a1a2d04 <0x9a199a18 xfrm=3DES_0-HMAC_MD5 NATD=1.0.0.3:4500 DPD=none}
Oct 6 10:22:17 localhost pluto[16352]: packet from 1.0.0.3:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
... and again and again and again...
NATed Mac client---------------------------------------------
Oct 6 10:27:25 localhost pluto[16650]: packet from 1.0.0.2:1: received Vendor ID payload [RFC 3947] method set to=110
Oct 6 10:27:25 localhost pluto[16650]: packet from 1.0.0.2:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=109, but already using method 110
Oct 6 10:27:25 localhost pluto[16650]: packet from 1.0.0.2:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Oct 6 10:27:25 localhost pluto[16650]: packet from 1.0.0.2:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: responding to Main Mode from unknown peer 1.0.0.2
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: ignoring Vendor ID payload [KAME/racoon]
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: Main mode peer ID is ID_IPV4_ADDR: '192.168.4.106'
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[3] 1.0.0.2 #91: switched from "L2TP-PSK" to "L2TP-PSK"
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #91: I did not send a certificate because I do not have one.
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #91: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #91: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #91: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Oct 6 10:27:25 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #91: received and ignored informational message
Oct 6 10:27:26 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #92: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 6 10:27:26 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #92: responding to Quick Mode {msgid:7573b862}
Oct 6 10:27:26 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #92: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:27:26 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #92: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:27:27 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #92: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 6 10:27:27 localhost pluto[16650]: "L2TP-PSK"[4] 1.0.0.2 #92: STATE_QUICK_R2: IPsec SA established {ESP=>0x0e47d9f6 <0x765de43d xfrm=AES_128-HMAC_SHA1 NATD=1.0.0.2:1024 DPD=none}
... where it ends until I cancel the connection attempt.
Non NATed Mac client-------------------------------------------
Oct 6 10:51:50 localhost pluto[17533]: packet from 1.0.0.4:500: received Vendor ID payload [RFC 3947] method set to=110
Oct 6 10:51:50 localhost pluto[17533]: packet from 1.0.0.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=109, but already using method 110
Oct 6 10:51:50 localhost pluto[17533]: packet from 1.0.0.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Oct 6 10:51:50 localhost pluto[17533]: packet from 1.0.0.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: responding to Main Mode from unknown peer 1.0.0.4
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: ignoring Vendor ID payload [KAME/racoon]
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: Main mode peer ID is ID_IPV4_ADDR: '1.0.0.4'
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: I did not send a certificate because I do not have one.
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 6 10:51:50 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Oct 6 10:51:51 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #6: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Oct 6 10:51:51 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #6: responding to Quick Mode {msgid:0de16027}
Oct 6 10:51:51 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 6 10:51:51 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 6 10:51:52 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 6 10:51:52 localhost pluto[17533]: "L2TP-PSK"[3] 1.0.0.4 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x052065a5 <0xf1f13731 xfrm=AES_128-HMAC_SHA1 NATD=1.0.0.4:4500 DPD=none}
... this is how far the openswan logs go, however, next
the xl2tpd responds and establishes the ppp tunnel.
More information about the Users
mailing list