[Openswan Users] NAT-T doesn't work as expected

Mihajlo Cvetanović mcvetanovic at gmail.com
Wed Apr 16 08:03:34 EDT 2008


Hi all,

I have problems with NAT-T. Roadwarrior is FortiClient on WinXP. It works
when not behind NAT. Where should I look for error? Here are two parts of
log file, one for client behind NAT, and another for client with public IP:


Client behind NAT:
===============================================================================================================================================

Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received
Vendor ID payload [Dead Peer Detection]
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring
unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring
unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: responding to
Main Mode from unknown peer cl1.x.x.x
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: STATE_MAIN_R1:
sent MR1, expecting MI2
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received
Vendor ID payload [Dead Peer Detection]
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring
unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: ignoring
unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Apr 16 11:18:46 blabla pluto[2108]: packet from cl1.x.x.x:62960: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: responding to
Main Mode from unknown peer cl1.x.x.x
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: STATE_MAIN_R1:
sent MR1, expecting MI2
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed    <-- I think
this is the "catch"!
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: STATE_MAIN_R2:
sent MR2, expecting MI3
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: Main mode peer
ID is ID_DER_ASN1_DN: 'C=RS, ST=Serbia, O=blabla, OU=blabla, CN=Aleksandar
Markovic, E=markoni at blabla.co.yu'
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: crl update for
"C=RS, ST=Serbia, L=Belgrade, O=blabla, CN=No.1" is overdue since Mar 25
15:20:26 UTC 2008
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: I am sending
my cert
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 16 11:18:47 blabla pluto[2108]: | NAT-T: new mapping
cl1.x.x.x:62960/62961)
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 16 11:18:48 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: cannot respond
to IPsec SA request because no connection is known for
10.78.83.0/24===srv.x.x.x[C=RS, ST=Serbia, O=blabla,
CN=Test]...cl1.x.x.x[C=RS, ST=Serbia, O=blabla, OU=blabla, CN=Aleksandar
Markovic, E=markoni at blabla.co.yu]===192.168.0.214/32
Apr 16 11:18:48 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: sending
encrypted notification INVALID_ID_INFORMATION to cl1.x.x.x:62961
Apr 16 11:18:57 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: Quick Mode I1
message is unacceptable because it uses a previously used Message ID
0x7cfad2cf (perhaps this is a duplicated packet)
Apr 16 11:18:57 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: sending
encrypted notification INVALID_MESSAGE_ID to cl1.x.x.x:62961
Apr 16 11:19:01 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: received
Delete SA payload: deleting ISAKMP State #1
Apr 16 11:19:01 blabla pluto[2108]: packet from cl1.x.x.x:62961: received
and ignored informational message
Apr 16 11:19:56 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #2: max number of
retransmissions (2) reached STATE_MAIN_R1
Apr 16 11:19:56 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x: deleting
connection "srv-rw" instance with peer cl1.x.x.x {isakmp=#0/ipsec=#0}

===============================================================================================================================================
===============================================================================================================================================


Client in the clear:
===============================================================================================================================================

Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: received
Vendor ID payload [Dead Peer Detection]
Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring
unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring
unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]
Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Apr 16 11:21:47 blabla pluto[2108]: packet from cl2.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 16 11:21:47 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: responding to
Main Mode from unknown peer cl2.x.x.x
Apr 16 11:21:47 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 16 11:21:47 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: STATE_MAIN_R1:
sent MR1, expecting MI2
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: received
Vendor ID payload [Dead Peer Detection]
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring
unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: ignoring
unknown Vendor ID payload [6ef67e6852cf311713e50b8b005db7b8]
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Apr 16 11:21:48 blabla pluto[2108]: packet from cl2.x.x.x:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #4: responding to
Main Mode from unknown peer cl2.x.x.x
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #4: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #4: STATE_MAIN_R1:
sent MR1, expecting MI2
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: STATE_MAIN_R2:
sent MR2, expecting MI3
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: Main mode peer
ID is ID_DER_ASN1_DN: 'C=RS, ST=Serbia, O=blabla, OU=blabla, CN=Miroslav
Havram, E=miroslav at blabla.co.yu'
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: crl update for
"C=RS, ST=Serbia, L=Belgrade, O=blabla, CN=No.1" is overdue since Mar 25
15:20:26 UTC 2008
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: I am sending
my cert
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: responding to
Quick Mode {msgid:b5656d7e}
Apr 16 11:21:50 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: transition
from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 16 11:21:50 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 16 11:22:00 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: transition
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 16 11:22:00 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5:
STATE_QUICK_R2: IPsec SA established {ESP=>0x5634f0d7 <0x9212e26f
xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

===============================================================================================================================================
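Added triage helper (not part of the original post or of Openswan): it parses pluto log lines of the shape quoted above, groups them per roadwarrior peer, and records the NAT-T result, whether the ISAKMP and IPsec SAs came up, and the client selector the peer proposed when Quick Mode was rejected. The sample input is a constructed, trimmed copy of both sessions from the post, with the DNs shortened.

```python
import re
from ipaddress import ip_network

# Constructed sample: lines trimmed from the two sessions in the post above
# (wrapped lines re-joined, DNs shortened, host placeholders kept).
SAMPLE_LOG = """\
Apr 16 11:18:46 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 16 11:18:47 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 16 11:18:48 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: cannot respond to IPsec SA request because no connection is known for 10.78.83.0/24===srv.x.x.x[C=RS, O=blabla, CN=Test]...cl1.x.x.x[C=RS, O=blabla, CN=Aleksandar Markovic]===192.168.0.214/32
Apr 16 11:18:48 blabla pluto[2108]: "srv-rw"[1] cl1.x.x.x #1: sending encrypted notification INVALID_ID_INFORMATION to cl1.x.x.x:62961
Apr 16 11:21:48 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 16 11:21:49 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 16 11:22:00 blabla pluto[2108]: "srv-rw"[2] cl2.x.x.x #5: STATE_QUICK_R2: IPsec SA established {ESP=>0x5634f0d7 <0x9212e26f xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

# pluto's per-state lines: ... pluto[PID]: "CONN"[INSTANCE] PEER #STATE: MESSAGE
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')

def triage(log_text):
    """Summarise each peer: NAT result, ISAKMP/IPsec outcome, proposed client selector."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "packet from ..." lines carry no state number; skip them
        p = peers.setdefault(m["peer"], {"conn": m["conn"], "nated": None, "isakmp": False,
                                          "ipsec": False, "proposed_client": None,
                                          "client_is_private": None, "notifications": []})
        msg = m["msg"]
        if "NAT-Traversal: Result" in msg:
            p["nated"] = "peer is NATed" in msg
        elif "ISAKMP SA established" in msg:
            p["isakmp"] = True
        elif "IPsec SA established" in msg:
            p["ipsec"] = True
        elif "no connection is known for" in msg:
            # The rejected template ends with the client's proposed selector after the last "==="
            right = msg.rsplit("===", 1)[1]
            p["proposed_client"] = right
            p["client_is_private"] = ip_network(right, strict=False).is_private
        elif "sending encrypted notification" in msg:
            p["notifications"].append(msg.split("notification ")[1].split()[0])
    return peers

def verdict(summary):
    """One-line explanation per peer, derived only from what the log states."""
    if summary["ipsec"]:
        return "IPsec SA established"
    if summary["isakmp"] and summary["proposed_client"]:
        kind = "private" if summary["client_is_private"] else "public"
        return (f"Phase 1 ok, Quick Mode rejected: no connection covers the {kind} client "
                f"selector {summary['proposed_client']} (peer NATed: {summary['nated']})")
    return "Phase 1 did not complete"
```

Run over the sample, the NATed peer shows Phase 1 completing and Quick Mode rejected with INVALID_ID_INFORMATION because it proposed the private selector 192.168.0.214/32, while the peer in the clear reaches an established IPsec SA.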