[Openswan Users] l2tp/ipsec not working with nat?
Abraham Iglesias
abraham.iglesias at genaker.net
Tue Jan 8 08:53:38 EST 2008
Hi,
I'm trying to establish an L2TP/IPsec tunnel with Windows XP SP2 and RHEL4
with Openswan.
I have achieved the connection with the following scenario:
192.168.1.35 (windows xp)
|
|
192.168.1.2 (ext interface in Linux box)
|
|
10.1.1.1 (int interface in Linux box)
However, when I want to establish the connection from outside, on the
internet (with ADSL access), the VPN cannot be established.
This would be the scenario:
X.Y.Z.T (windows xp vpn client)
|
|
A.B.C.D (ADSL router which forwards all packets to 192.168.1.2)
|
|
192.168.1.2 (ext interface in Linux box - NAT for 10.1.1.0/24 network)
|
|
10.1.1.1 (int interface in Linux box)
My configuration is:
**** roadwarriors.conf ******
conn roadwarriors
#
# Configuration for one user with the non-updated Windows 2000/XP.
#
#
# Use a Preshared Key. Disable Perfect Forward Secrecy.
#
authby=secret
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
rekey=no
# Do not enable the line below. It is implicitly used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
#
#left=%defaultroute
left=192.168.1.2
#leftsubnet=10.1.1.0/24
# or you can use: left=YourIPAddress
#
# Required for original (non-updated) Windows 2000/XP clients.
# to support new clients as well, use leftprotoport=17/%any
leftprotoport=17/0
#
# The remote user.
#
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%priv,%no
**** and ipsec.conf ****
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
plutodebug=none
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
#,%v4:!192.168.1.0/24
include /etc/ipsec.d/*.conf
These are the Openswan log files:
*** Start negotiation ****
Jan 8 13:37:27 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:27 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:27 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:27 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:27 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:27 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:27 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
Main mode peer ID is ID_FQDN: '@samsung'
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
I did not send a certificate because I do not have one.
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #33:
responding to Quick Mode {msgid:b00a525d}
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #33:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #33:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #33:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #33:
STATE_QUICK_R2: IPsec SA established {ESP=>0x77c10faa <0x622d178c
xfrm=3DES_0-HMAC_MD5 NATD=85.52.255.203:24727 DPD=none}
*** So far it's OK ****
Why is it renegotiated again?
Jan 8 13:37:28 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 8 13:37:28 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:28 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:28 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
Main mode peer ID is ID_FQDN: '@samsung'
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
I did not send a certificate because I do not have one.
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #35:
responding to Quick Mode {msgid:25aebd0f}
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #35:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #35:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #35:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #35:
STATE_QUICK_R2: IPsec SA established {ESP=>0x4782e869 <0xdeb241a0
xfrm=3DES_0-HMAC_MD5 NATD=85.52.255.203:24727 DPD=none}
Jan 8 13:37:29 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 8 13:37:29 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:29 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:29 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
Main mode peer ID is ID_FQDN: '@samsung'
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
I did not send a certificate because I do not have one.
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #37:
responding to Quick Mode {msgid:c5647ac2}
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #37:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #37:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #37:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #37:
STATE_QUICK_R2: IPsec SA established {ESP=>0xfd83f044 <0x06343a09
xfrm=3DES_0-HMAC_MD5 NATD=85.52.255.203:24727 DPD=none}
Jan 8 13:37:30 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 8 13:37:30 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:30 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:30 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #38:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:30 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #38:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:31 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #38:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:31 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 85.52.255.203 port 500,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:31 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 8 13:37:31 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:31 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:31 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:31 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #39:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:31 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #39:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:31 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #39:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:31 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 85.52.255.203 port 500,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:33 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 8 13:37:33 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:33 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:33 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:33 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #40:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:33 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #40:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:33 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #40:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:33 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 85.52.255.203 port 500,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:37 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 8 13:37:37 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:37 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:37 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:37 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #41:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:37 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #41:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:37 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #41:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:37 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 85.52.255.203 port 500,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:41 roma last message repeated 2 times
Jan 8 13:37:42 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=4500) for message to 85.52.255.203 port 24727,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:43 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 85.52.255.203 port 500,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:45 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 8 13:37:45 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jan 8 13:37:45 roma pluto[11140]: packet from 85.52.255.203:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Jan 8 13:37:45 roma pluto[11140]: packet from 85.52.255.203:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 8 13:37:45 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #42:
responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:45 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #42:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 8 13:37:45 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #42:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 8 13:37:45 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=4500) for message to 85.52.255.203 port 24727,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:45 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 85.52.255.203 port 500,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:45 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=4500) for message to 85.52.255.203 port 24727,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jan 8 13:37:47 roma pluto[11140]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 85.52.255.203 port 500,
complainant 192.168.1.3: Connection refused [errno 111, origin ICMP type
3 code 3 (not authenticated)]
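The log above is hard to read because each IKE exchange is spread over a dozen wrapped lines. As an added example that is not part of the original post or of Openswan, here is a small Python summarizer for pluto log lines of this shape: it counts how many Main Mode exchanges were answered per peer, lists which ISAKMP and IPsec SAs reached "established" (with SPIs and the NAT-T port), and pulls every asynchronous network error apart into source port, destination port and the "complainant" that sent the ICMP. The sample lines are excerpted from the log in the post (re-joined onto single lines); the regular expressions are my assumptions about that message format, not anything documented by Openswan.

```python
import re
from collections import Counter

# Excerpted from the pluto log in the post above, wrapped entries re-joined onto
# single lines. The first two negotiations complete; the third is answered with
# MR1 and is then followed by ICMP port-unreachable reports.
SAMPLE_LOG = """
Jan 8 13:37:27 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32: responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #32: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #33: STATE_QUICK_R2: IPsec SA established {ESP=>0x77c10faa <0x622d178c xfrm=3DES_0-HMAC_MD5 NATD=85.52.255.203:24727 DPD=none}
Jan 8 13:37:28 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34: responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #34: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #35: STATE_QUICK_R2: IPsec SA established {ESP=>0x4782e869 <0xdeb241a0 xfrm=3DES_0-HMAC_MD5 NATD=85.52.255.203:24727 DPD=none}
Jan 8 13:37:29 roma pluto[11140]: "roadwarriors"[6] 85.52.255.203 #36: responding to Main Mode from unknown peer 85.52.255.203
Jan 8 13:37:31 roma pluto[11140]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 85.52.255.203 port 500, complainant 192.168.1.3: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 8 13:37:42 roma pluto[11140]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 85.52.255.203 port 24727, complainant 192.168.1.3: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# Assumed shape of a per-state pluto line: "conn"[instance] peer #sa: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)'
)
# Assumed shape of the SA summary in a "IPsec SA established" line
SPI_RE = re.compile(
    r"ESP=>(?P<out_spi>0x[0-9a-fA-F]+) <(?P<in_spi>0x[0-9a-fA-F]+) "
    r"xfrm=(?P<xfrm>\S+) NATD=(?P<natd_ip>[\d.]+):(?P<natd_port>\d+)"
)
# Assumed shape of the asynchronous network error report
ERR_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) "
    r"for message to (?P<dst>[\d.]+) port (?P<dport>\d+), complainant (?P<complainant>[\d.]+): "
    r"(?P<reason>.*?) \[errno (?P<errno>\d+), origin ICMP type (?P<icmp_type>\d+) code (?P<icmp_code>\d+)"
)


def summarize(log_text):
    """Reduce a pluto log to the facts needed to see what is being renegotiated and what fails."""
    summary = {
        "main_mode_responses": Counter(),  # peer -> number of fresh Main Mode exchanges answered
        "isakmp_sas": [],                  # (peer, state number) that reached ISAKMP SA established
        "ipsec_sas": [],                   # dicts with SPIs, transform and NAT-T endpoint
        "icmp_errors": [],                 # parsed asynchronous network error reports
    }
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            peer, sa, msg = m.group("peer"), int(m.group("sa")), m.group("msg")
            if msg.startswith("responding to Main Mode"):
                summary["main_mode_responses"][peer] += 1
            elif "ISAKMP SA established" in msg:
                summary["isakmp_sas"].append((peer, sa))
            elif "IPsec SA established" in msg:
                spi = SPI_RE.search(msg)
                entry = {"peer": peer, "sa": sa}
                if spi:
                    entry.update(spi.groupdict())
                    entry["natd_port"] = int(entry["natd_port"])
                summary["ipsec_sas"].append(entry)
            continue
        e = ERR_RE.search(line)
        if e:
            err = e.groupdict()
            for key in ("sport", "dport", "errno", "icmp_type", "icmp_code"):
                err[key] = int(err[key])
            summary["icmp_errors"].append(err)
    return summary


def peers_renegotiating(summary):
    """Peers for which more than one Main Mode exchange was answered in the log."""
    return sorted(p for p, n in summary["main_mode_responses"].items() if n > 1)


def third_party_complainants(summary):
    """Senders of ICMP errors that are not the host the failing message was addressed to."""
    return sorted({e["complainant"] for e in summary["icmp_errors"] if e["complainant"] != e["dst"]})


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("Main Mode exchanges answered:", dict(s["main_mode_responses"]))
    print("ISAKMP SAs established:", s["isakmp_sas"])
    for sa in s["ipsec_sas"]:
        print("IPsec SA #%d: out %s in %s via NAT-T %s:%d" % (sa["sa"], sa["out_spi"], sa["in_spi"], sa["natd_ip"], sa["natd_port"]))
    for e in s["icmp_errors"]:
        print("ICMP %d/%d from %s about %s:%d -> %s:%d" % (e["icmp_type"], e["icmp_code"], e["complainant"], e["iface"], e["sport"], e["dst"], e["dport"]))
    print("Third-party complainants:", third_party_complainants(s))
```

Run against the full log, the interesting output is the last line: the ICMP port-unreachable reports for traffic addressed to 85.52.255.203 on ports 500 and 24727 are sent by 192.168.1.3, an address on the Linux box's own 192.168.1.0/24 segment rather than the peer, which is the field worth comparing against the ADSL router's forwarding rules before looking at the IPsec configuration itself.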