[Openswan Users] Multiple Windows XP SP2 behind NAT with NAT-T support

Chih-Kung Wang ckjwang at gmail.com
Fri Sep 28 07:17:23 EDT 2007


- The topology:

Windows XP SP2 - user A   <-----> NAT (NAT-Traversal enabled) <-----> (public IP address) OpenSwan 2.4.9
Windows XP SP2 - user B
(private IP segment - 10.1.1.0/24)

- Description
(1) This is a case of L2TP over PSK-based IPsec. OpenSwan 2.4.9 and xl2tpd
1.1.11 are used.
OpenSwan is running on OpenWRT Linux 2.4.30 + KLIPS.
(2) User A first initiates the L2TP/IPsec connection and the connection is
established successfully.
(3) User B secondly tries to connect but fails.
(4) The NAT device is an OpenWRT WhiteRussian RC5.
(5) If user A and user B are not under the same NAT, both can connect to
OpenSwan successfully.


- Config
<<<<<<<<<<<<<<<<<<<<<ipsec.conf>>>>>>>>>>>>>>>>>>
version 2.0
config setup
        nat_traversal=yes
        nhelpers=0

conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add
# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

<<<<<<<<<<<<<<<<<<<<<ipsec.secrets>>>>>>>>>>>>>>>>>>
x.x.x.x %any : PSK "ezpacket"

- Logs

===============> User A
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [FRAGMENTATION]
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
<4>Sep 28 19:09:05 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
<4>Sep 28 19:09:05 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: responding to Main Mode from unknown peer 220.133.111.25
<4>Sep 28 19:09:05 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
<4>Sep 28 19:09:05 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: STATE_MAIN_R1: sent MR1, expecting MI2
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 220000 usec
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
<4>Sep 28 19:09:06 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: STATE_MAIN_R2: sent MR2, expecting MI3
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: Main mode peer ID is ID_FQDN: '@700m'
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: switched from "L2TP-PSK" to "L2TP-PSK"
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: deleting connection "L2TP-PSK" instance with peer 220.133.111.25{isakmp=#0/ipsec=#0}
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: I did not send a certificate because I do not have one.
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: responding to Quick Mode {msgid:f4dafcdf}
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<4>Sep 28 19:09:08 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
<4>Sep 28 19:09:08 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xaf47c1e2 <0x9f0bf7e6 xfrm=3DES_0-HMAC_MD5 NATD=220.133.111.25:1025 DPD=none}
<7>Sep 28 19:09:09 (none) xl2tpd[11580]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
<5>Sep 28 19:09:09 (none) xl2tpd[11580]: Connection established to 220.133.111.25, 1701.  Local: 48069, Remote: 10 (ref=0/0).  LNS session is 'default'
<5>Sep 28 19:09:09 (none) xl2tpd[11580]: Call established with 220.133.111.25, Local: 48477, Remote: 1, Serial: 0
<5>Sep 28 19:09:09 (none) pppd[14339]: pppd 2.4.3 started by root, uid 0
<7>Sep 28 19:09:09 (none) pppd[14339]: using channel 11
<6>Sep 28 19:09:09 (none) pppd[14339]: Using interface ppp1
<5>Sep 28 19:09:09 (none) pppd[14339]: Connect: ppp1 <--> /dev/pts/0
<7>Sep 28 19:09:09 (none) pppd[14339]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x465cb2f>]
<7>Sep 28 19:09:09 (none) pppd[14339]: rcvd [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x465cb2f>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x7af2472d> <pcomp> <accomp> <callback CBCP>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP ConfRej id=0x1 <pcomp> <accomp> <callback CBCP>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x7af2472d>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x7af2472d>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [CHAP Challenge id=0xae <71f098c677e554272d8646caee46cefeea073e>, name = "EZPacket"]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP code=0xc id=0x3 7a f2 47 2d 4d 53 52 41 53 56 35 2e 31 30]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP CodeRej id=0x2 0c 03 00 12 7a f2 47 2d 4d 53 52 41 53 56 35 2e 31 30]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [LCP code=0xc id=0x4 7a f2 47 2d 4d 53 52 41 53 2d 30 2d 37 30 30 4d]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP CodeRej id=0x3 0c 04 00 14 7a f2 47 2d 4d 53 52 41 53 2d 30 2d 37 30 30 4d]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [CHAP Response id=0xae <cbad58839c85e97528de0013df111852>, name = "ezpacket"]
<4>Sep 28 19:09:11 (none) pppd[14339]: Warning - secret file /etc/ppp/chap-secrets has world and/or group access
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [CHAP Success id=0xae "Access granted"]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.1.253>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D +C>]
<4>Sep 28 19:09:11 (none) pppd[14339]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [LCP ProtRej id=0x4 80 fd 01 05 00 0a 12 06 01 00 00 01]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfRej id=0x6 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfReq id=0x2 <addr 192.168.1.253>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfNak id=0x7 <addr 192.168.1.128> <ms-dns1 192.168.1.1> <ms-dns3 192.168.1.1>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.1.253>]
<7>Sep 28 19:09:11 (none) pppd[14339]: rcvd [IPCP ConfReq id=0x8 <addr 192.168.1.128> <ms-dns1 192.168.1.1> <ms-dns3 192.168.1.1>]
<7>Sep 28 19:09:11 (none) pppd[14339]: sent [IPCP ConfAck id=0x8 <addr 192.168.1.128> <ms-dns1 192.168.1.1> <ms-dns3 192.168.1.1>]
<6>Sep 28 19:09:11 (none) pppd[14339]: found interface br0 for proxy arp
<5>Sep 28 19:09:11 (none) pppd[14339]: local  IP address 192.168.1.253
<5>Sep 28 19:09:11 (none) pppd[14339]: remote IP address 192.168.1.128
<7>Sep 28 19:09:11 (none) pppd[14339]: Script /etc/ppp/ip-up started (pid 14344)
<7>Sep 28 19:09:11 (none) pppd[14339]: Script /etc/ppp/ip-up finished (pid 14344), status = 0x1

===============> User B
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [FRAGMENTATION]
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
<4>Sep 28 19:12:51 (none) pluto[13205]: packet from 220.133.111.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: responding to Main Mode from unknown peer 220.133.111.25
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: STATE_MAIN_R1: sent MR1, expecting MI2
<4>Sep 28 19:12:51 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 210000 usec
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: STATE_MAIN_R2: sent MR2, expecting MI3
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: Main mode peer ID is ID_FQDN: '@x31'
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: switched from "L2TP-PSK" to "L2TP-PSK"
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: I did not send a certificate because I do not have one.
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #6: responding to Quick Mode {msgid:c2ea9131}
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #6: cannot install eroute -- it is in use for "L2TP-PSK"[4] 220.133.111.25 #4
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc2ea9131 (perhaps this is a duplicated packet)
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: sending encrypted notification INVALID_MESSAGE_ID to 220.133.111.25:4500
<4>Sep 28 19:12:54 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc2ea9131 (perhaps this is a duplicated packet)
<4>Sep 28 19:12:54 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #5: sending encrypted notification INVALID_MESSAGE_ID to 220.133.111.25:4500



- pluto keeps complaining about duplicate msg id.
- Any idea?
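
Added example, not part of the original post and not Openswan code: a Python check that scans pluto log lines for the `cannot install eroute -- it is in use` refusal seen in the User B log, and reports which earlier state holds the eroute and which IKE peer IDs arrived from that public address. The function name and the `same_nat` flag are assumptions of this example; the sample lines are copied from the logs in the post with the line wraps rejoined.

```python
import re
from collections import defaultdict

# Sample input: four pluto lines copied from the post's logs (wraps rejoined).
SAMPLE = '''\
<4>Sep 28 19:09:07 (none) pluto[13205]: "L2TP-PSK"[3] 220.133.111.25 #3: Main mode peer ID is ID_FQDN: '@700m'
<4>Sep 28 19:09:08 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xaf47c1e2 <0x9f0bf7e6 xfrm=3DES_0-HMAC_MD5 NATD=220.133.111.25:1025 DPD=none}
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[4] 220.133.111.25 #5: Main mode peer ID is ID_FQDN: '@x31'
<4>Sep 28 19:12:52 (none) pluto[13205]: "L2TP-PSK"[5] 220.133.111.25 #6: cannot install eroute -- it is in use for "L2TP-PSK"[4] 220.133.111.25 #4
'''

# Per-connection pluto line: "conn"[instance] peer-ip #state: message
LINE = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] (?P<ip>\S+) #(?P<state>\d+): (?P<msg>.*)')
PEER_ID = re.compile(r"Main mode peer ID is \w+: '([^']*)'")
SA_UP = re.compile(r"IPsec SA established .*NATD=(\S+)")
EROUTE = re.compile(r'cannot install eroute -- it is in use for "[^"]+"\[\d+\] (\S+) #(\d+)')

def find_eroute_conflicts(log_text):
    """Return one record per refused Quick Mode whose eroute is already held."""
    ids_by_ip = defaultdict(list)  # public IP -> IKE peer IDs seen, in order
    natd_by_state = {}             # Quick Mode state number -> NATD ip:port
    conflicts = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue               # "packet from ..." lines, xl2tpd, pppd
        ip, state, msg = m["ip"], int(m["state"]), m["msg"]
        if (p := PEER_ID.search(msg)):
            if p.group(1) not in ids_by_ip[ip]:
                ids_by_ip[ip].append(p.group(1))
        elif (s := SA_UP.search(msg)):
            natd_by_state[state] = s.group(1)
        elif (e := EROUTE.search(msg)):
            holder = int(e.group(2))
            conflicts.append({
                "public_ip": ip,
                "refused_state": state,
                "holder_state": holder,
                "holder_natd": natd_by_state.get(holder),
                "peer_ids": list(ids_by_ip[ip]),
                # Same public address, more than one IKE identity behind it.
                "same_nat": e.group(1) == ip and len(ids_by_ip[ip]) > 1,
            })
    return conflicts

if __name__ == "__main__":
    for c in find_eroute_conflicts(SAMPLE):
        print(c)
```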