[Openswan Users] Ipsec VPN from windows machines

Agent Smith news8080 at yahoo.com
Thu Apr 3 11:41:56 EDT 2008


I compiled it myself and there is no other iked running. I set
forceencaps=yes in the connection entry, but now something
different happens: when the first client connects it keeps
rekeying. It tells me 'IPsec SA established', but right after
that I see this in the logs; it looks like it keeps rekeying??
The connection never establishes. The other thing I noticed is
that it now says 'both are NATed' where before it said
'Peer is NATed'.

Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #420: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #420: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x2be9bd45 <0x80c303b9 xfrm=3DES_0-HMAC_SHA1 NATD=146.9.nat.router:1026 DPD=none}
Apr  3 11:37:43 med-idxgtw pluto[10209]: packet from 146.9.nat.router:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr  3 11:37:43 med-idxgtw pluto[10209]: packet from 146.9.nat.router:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr  3 11:37:43 med-idxgtw pluto[10209]: packet from 146.9.nat.router:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr  3 11:37:43 med-idxgtw pluto[10209]: packet from 146.9.nat.router:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: responding to Main Mode from unknown peer 146.9.nat.router
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Michigan, L=Detroit, O=Wayne State University, OU=MSIS, CN=userauth2, E=userauth2@med.wayne.edu'
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: I am sending my cert
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #421: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #409: received Delete SA payload: deleting ISAKMP State #409
Apr  3 11:37:43 med-idxgtw pluto[10209]: packet from 146.9.nat.router:1026: received and ignored informational message
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #422: responding to Quick Mode {msgid:23c734f0}
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #422: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #422: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #422: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr  3 11:37:43 med-idxgtw pluto[10209]: "CERT"[2] 146.9.nat.router #422: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0xfc462064 <0xec05909a xfrm=3DES_0-HMAC_SHA1 NATD=146.9.nat.router:1026 DPD=none}


######################################################

[root@med-idxgtw ~]# ps -ef | egrep -i 'ipsec|pluto|ike'
root      7387     1  0 11:08 pts/0    00:00:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend  --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
root      7388  7387  0 11:08 pts/0    00:00:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend  --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
root      7389  7388  0 11:08 pts/0    00:00:00 /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-none --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
root      7390  7389  0 11:08 pts/0    00:00:00 pluto helper  #  0
root      7391     1  0 11:08 pts/0    00:00:00 logger -s -p daemon.error -t ipsec__plutorun
root      7395  7387  0 11:08 pts/0    00:00:00 /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
root      7509  7389  0 11:08 pts/0    00:00:00 _pluto_adns
root      7627  7579  0 11:13 pts/1    00:00:00 egrep -i ipsec|pluto|ike



[root@med-idxgtw ~]# rpm -qa | grep ipsec-tools
ipsec-tools-0.3.3-6.rhel4.1
[root@med-idxgtw ~]#


--- Marco Berizzi <pupilla at hotmail.com> wrote:

> Agent Smith wrote:
> 
> > root@med-idxgtw:~\[root@med-idxgtw ~]# ip -s x s
> > src 146.9.osw.box dst 146.9.nat.router
> > proto ipv6-crypt spi 0xa23e7f96(2722004886) reqid 16393(0x00004009) mode transport
> > replay-window 32 seq 0x00000000
> > auth hmac(sha1) 0x2707d9d3974bcec81e5eb5b41e3949f93c962fcd (160 bits)
> > enc cbc(des3_ede) 0x8af1852fa7eab334554cd3275fb352fa178ce0376d6f66ae (192 bits)
> > encap (not implemented yet!)
> 
> here is your problem:
> 
> encap (not implemented yet!)
> 
> This is a really odd message.
> When there is a peer behind NAT you should get this:
> 
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> 
> Another thing I see which is wrong is that there is no dir fwd policy.
> Did you compile the kernel yourself? Are you running some other IKE daemon on this box?
> 



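The two things Marco says to look for (an SA for a NATed peer should show `encap type espinudp`, and there should be a `dir fwd` policy) and the rekey loop visible in the pluto log above, as an added example. This is not code from the thread or from Openswan: it parses constructed samples of `ip -s xfrm state`, `ip xfrm policy` and pluto log lines (RFC 5737 addresses, key material elided), and the function names, the 60-second window and the threshold of three SA establishments are my own assumptions.

```python
"""Diagnostics for a NAT-T IPsec peer on Linux (Openswan pluto + kernel xfrm): an SA for a
NATed peer must be UDP-encapsulated, every 'dir in' policy needs a 'dir fwd' twin, and
repeated 'IPsec SA established' for one peer in a short window is a rekey loop."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed samples (RFC 5737 addresses, key material elided), not output from the thread's box.
SAMPLE_XFRM_STATE = """\
src 192.0.2.10 dst 198.51.100.20
\tproto esp spi 0xa23e7f96 reqid 16393 mode transport
\tauth hmac(sha1) 0x00 (160 bits)
\tenc cbc(des3_ede) 0x00 (192 bits)
\tencap (not implemented yet!)
src 198.51.100.20 dst 192.0.2.10
\tproto esp spi 0x2be9bd45 reqid 16393 mode transport
\tencap type espinudp sport 1026 dport 4500 addr 0.0.0.0
"""
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
\tdir out priority 2344
\ttmpl src 192.0.2.10 dst 198.51.100.20
\t\tproto esp reqid 16393 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tdir in priority 2344
\ttmpl src 198.51.100.20 dst 192.0.2.10
\t\tproto esp reqid 16393 mode tunnel
"""
SAMPLE_PLUTO_LOG = """\
Apr  3 11:37:43 gw pluto[10209]: "CERT"[2] 198.51.100.20 #420: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x2be9bd45 <0x80c303b9 NATD=198.51.100.20:1026 DPD=none}
Apr  3 11:37:43 gw pluto[10209]: "CERT"[2] 198.51.100.20 #422: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0xfc462064 <0xec05909a NATD=198.51.100.20:1026 DPD=none}
Apr  3 11:37:58 gw pluto[10209]: "CERT"[2] 198.51.100.20 #424: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x0000a001 <0x0000b001 NATD=198.51.100.20:1026 DPD=none}
Apr  3 11:38:12 gw pluto[10209]: "CERT"[2] 198.51.100.20 #426: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x0000a002 <0x0000b002 NATD=198.51.100.20:1026 DPD=none}
Apr  3 11:40:05 gw pluto[10209]: "CERT"[3] 203.0.113.7 #430: STATE_QUICK_R2: IPsec SA established {ESP=>0x0000a003 <0x0000b003 NATD=none DPD=none}
"""

HEAD_RE = re.compile(r"^src (\S+) dst (\S+)")   # unindented line: starts a new SA or policy
ESTABLISHED_RE = re.compile(
    r'^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)"(?:\[\d+\])? (\S+) #\d+: '
    r"STATE_QUICK_R2: IPsec SA established")

def xfrm_blocks(text):
    """Split `ip xfrm state` / `ip xfrm policy` output into (src, dst, [stripped body lines])."""
    blocks = []
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            blocks.append((m.group(1), m.group(2), []))
        elif blocks:
            blocks[-1][2].append(line.strip())
    return blocks

def check_nat_encap(state_text, nated_peers):
    """Every SA to or from a peer that IKE reported as NATed must show 'encap type espinudp'."""
    findings = []
    for src, dst, body in xfrm_blocks(state_text):
        if not {src, dst} & set(nated_peers):
            continue
        encap = next((b[len("encap "):] for b in body if b.startswith("encap ")), "absent")
        spi = next((b.split("spi ")[1].split()[0] for b in body if " spi " in b), "?")
        if "type espinudp" not in encap:
            findings.append(f"SA {src}->{dst} spi {spi}: NATed peer but encap is {encap!r}")
    return findings

def check_fwd_policy(policy_text):
    """Decrypted tunnel-mode packets that are forwarded rather than delivered locally are
    matched against 'dir fwd' policies; an 'in' policy without its 'fwd' twin drops them."""
    dirs = {(src, dst, b.split()[1]) for src, dst, body in xfrm_blocks(policy_text)
            for b in body if b.startswith("dir ")}
    return [f"policy {src}->{dst}: 'dir in' has no matching 'dir fwd'"
            for src, dst, d in sorted(dirs) if d == "in" and (src, dst, "fwd") not in dirs]

def detect_rekey_loop(log_text, window_seconds=60, threshold=3):
    """Map (conn, peer) -> largest count of 'IPsec SA established' events inside any
    window_seconds span, reported only when it reaches threshold (syslog stamps have no year)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if m:
            stamp = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
            events[(m.group(2), m.group(3))].append(stamp)
    loops = {}
    for key, times in events.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_seconds)
                   for i, t0 in enumerate(times))
        if best >= threshold:
            loops[key] = best
    return loops

def run_checks(state_text, policy_text, log_text, nated_peers):
    """All findings as strings; an empty list means none of the three symptoms is present."""
    findings = check_nat_encap(state_text, nated_peers)
    findings += check_fwd_policy(policy_text)
    findings += [f"{conn} peer {peer}: {n} IPsec SAs established within 60s (rekey loop?)"
                 for (conn, peer), n in detect_rekey_loop(log_text).items()]
    return findings

if __name__ == "__main__":
    for f in run_checks(SAMPLE_XFRM_STATE, SAMPLE_XFRM_POLICY, SAMPLE_PLUTO_LOG, {"198.51.100.20"}):
        print(f)
```

On a live box, feed `run_checks` the text of `ip -s xfrm state`, `ip xfrm policy` and the pluto lines from syslog, with `nated_peers` set to the addresses that the `NAT-Traversal: Result` log lines report as NATed; the check only flags what the thread discusses and does not decide whether a transport-mode L2TP client needs a `fwd` policy at all.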

