[Openswan Users] Error when connecting from Nokia N80 mobile phone: STATE_MAIN_R2: sent MR2, expecting MI3

lists at higgers.me.uk
Thu Jan 10 05:56:16 EST 2008


Hello all,

I am trying to configure an IPsec connection using Openswan 2.4.9 from my Nokia N80 mobile phone to my Opensuse 10.2 linux router.  The router uses shorewall to create the iptables rules and I already have successfully configured a LAN to LAN VPN to a Draytek Vigor 2900 ADSL modem/router.

The connection to the internet from my N80 (using GPRS) is NATed through my provider's (Orange) network.  If I remove nat_traversal=yes from the config I get the following messages in /var/log/messages:


Jan 10 08:44:58 mail pluto[3907]: packet from 193.35.129.169:55650: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jan 10 08:44:58 mail pluto[3907]: packet from 193.35.129.169:55650: received Vendor ID payload [XAUTH]
Jan 10 08:44:58 mail pluto[3907]: packet from 193.35.129.169:55650: received Vendor ID payload [Cisco-Unity]
Jan 10 08:44:58 mail pluto[3907]: "n80"[4] 193.35.129.169 #6: responding to Main Mode from unknown peer 193.35.129.169
Jan 10 08:44:58 mail pluto[3907]: "n80"[4] 193.35.129.169 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 10 08:44:58 mail pluto[3907]: "n80"[4] 193.35.129.169 #6: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 10 08:45:00 mail pluto[3907]: "n80"[4] 193.35.129.169 #6: ignoring unknown Vendor ID payload [c8efebeb5e444435c03387a20ac1ce0a]
Jan 10 08:45:00 mail pluto[3907]: "n80"[4] 193.35.129.169 #6: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jan 10 08:45:00 mail pluto[3907]: "n80"[4] 193.35.129.169 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 10 08:45:00 mail pluto[3907]: "n80"[4] 193.35.129.169 #6: STATE_MAIN_R2: sent MR2, expecting MI3

The corresponding tcpdump output is:

mail:~ # tcpdump -i eth2 -vvv net 193.35.128.0/20
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
08:44:58.308409 IP (tos 0x0, ttl  54, id 24345, offset 0, flags [none], proto: UDP (17), length: 168) future-is.orange.co.uk.55650 > <my_DNS_name>.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
08:44:58.312374 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 184) <my_DNS_name>.isakmp > future-is.orange.co.uk.55650: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|sa]
08:45:00.061895 IP (tos 0x0, ttl  54, id 24346, offset 0, flags [none], proto: UDP (17), length: 340) future-is.orange.co.uk.55650 > <my_DNS_name>.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|ke]
08:45:00.136278 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 320) <my_DNS_name>.isakmp > future-is.orange.co.uk.55650: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
08:45:02.332532 IP (tos 0x0, ttl  54, id 24347, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:10.135529 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 320) <my_DNS_name>.isakmp > future-is.orange.co.uk.55650: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
08:45:11.841086 IP (tos 0x0, ttl  54, id 24348, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:16.970737 IP (tos 0x0, ttl  54, id 24349, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:21.761137 IP (tos 0x0, ttl  54, id 24350, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:26.782164 IP (tos 0x0, ttl  54, id 24351, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:30.136978 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 320) <my_DNS_name>.isakmp > future-is.orange.co.uk.55650: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
08:45:32.041907 IP (tos 0x0, ttl  54, id 24352, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:37.681117 IP (tos 0x0, ttl  54, id 24353, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:46.803364 IP (tos 0x0, ttl  54, id 24354, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:46.900666 IP (tos 0x0, ttl  54, id 24355, offset 0, flags [none], proto: UDP (17), length: 108) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:51.881271 IP (tos 0x0, ttl  54, id 24356, offset 0, flags [none], proto: UDP (17), length: 124) future-is.orange.co.uk.55661 > <my_DNS_name>.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I inf[E]: [encrypted hash]

It seems that MR2 state is reached but no packets are received to enable a transition to state MI3.

If I add nat_traversal=yes to the N80 section in ipsec.conf the error about expecting MI3 disappears but a different error occurs:

Jan 10 10:18:22 mail pluto[7903]: packet from 193.35.129.161:56605: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jan 10 10:18:22 mail pluto[7903]: packet from 193.35.129.161:56605: received Vendor ID payload [XAUTH]
Jan 10 10:18:22 mail pluto[7903]: packet from 193.35.129.161:56605: received Vendor ID payload [Cisco-Unity]
Jan 10 10:18:22 mail pluto[7903]: packet from 193.35.129.161:56605: initial Main Mode message received on <my_ip_address>:500 but no connection has been authorized
Jan 10 10:18:27 mail pluto[7903]: packet from 193.35.129.161:56605: ignoring Delete SA payload: not encrypted
Jan 10 10:18:27 mail pluto[7903]: packet from 193.35.129.161:56605: received and ignored informational message

The relevant section of ipsec.conf is:

conn n80
         # Key exchange
         ike=aes256-sha1-modp1536
         # Data exchange
         esp=aes256-sha1
         # Authentication method PSK
         authby=secret
         nat_traversal=yes
         auto=add
         keyingtries=3
         # Modeconfig setting
         modecfgpull=yes
         pfs=no
         rekey=no
         #       fragicmp=yes
         left=<my_ip_address>
         leftsubnet=192.168.0.0/24
         leftsourceip=192.168.0.1
         leftrsasigkey=none
         leftmodecfgserver=yes
         #        leftxauthserver=yes
         rightrsasigkey=none
         right=%any
         #        rightxauthclient=yes
         rightmodecfgclient=yes
         rightsourceip=192.168.6.252
         rightsubnet=192.168.6.252/32

I've also included the config used to create the VPN policy file on the Nokia N80.  I'm not assuming or expecting anyone to be an expert on the Nokia VPN client.  I'm including the config in case any of the config might indicate a problem to anyone. :-)

SECURITY_FILE_VERSION: 3
[INFO]
VPN
[POLICY]
sa ipsec_1 = {
  esp
  encrypt_alg 12
  max_encrypt_bits 256
  auth_alg 3
  identity_remote 0.0.0.0/0
  src_specific
  hard_lifetime_bytes 0
  hard_lifetime_addtime 3600
  hard_lifetime_usetime 3600
  soft_lifetime_bytes 0
  soft_lifetime_addtime 3600
  soft_lifetime_usetime 3600
  }

remote 0.0.0.0 0.0.0.0 = { ipsec_1(<my_ip_address>) }
inbound = { }
outbound = { }

[IKE]
ADDR: <my_ip_address> 255.255.255.255
MODE: Main
SEND_NOTIFICATION: TRUE
ID_TYPE: 11
FQDN: MobileGroup
GROUP_DESCRIPTION_II: MODP_1536
USE_COMMIT: FALSE
IPSEC_EXPIRE: FALSE
SEND_CERT: FALSE
INITIAL_CONTACT: FALSE
RESPONDER_LIFETIME: TRUE
REPLAY_STATUS: TRUE
USE_INTERNAL_ADDR: FALSE
USE_NAT_PROBE: FALSE
ESP_UDP_PORT: 0
NAT_KEEPALIVE: 60
USE_XAUTH: FALSE
USE_MODE_CFG: TRUE
REKEYING_THRESHOLD: 90
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: PRE-SHARED
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1536
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 28800
PRF: NONE
PRESHARED_KEYS:
FORMAT: STRING_FORMAT
KEY: <my_pre_shared_key>

Can anyone suggest where my config might be incorrect?  Or are there any tests I can perform to further diagnose the problem?

Kind regards,

Steve.
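As an added diagnostic (not from the original post), this Python check reads tcpdump lines in the shape shown above and answers the question the capture raises: once the phone switches to UDP/4500 (ipsec-nat-t, NONESP-encap) from a new NAT source port, does the responder ever answer on 4500, or does it only keep resending MR2 on UDP/500 to the old port? Hostnames and the capture lines are constructed placeholders.

```python
import re

# Constructed sample in the shape of the tcpdump lines quoted above (placeholder
# hostnames, not the poster's capture); line 5 is the initiator's first packet
# sent from a new source port to UDP/4500 (ipsec-nat-t, NONESP-encap).
SAMPLE = """\
08:44:58.308409 IP (tos 0x0, ttl  54, id 24345, offset 0, flags [none], proto: UDP (17), length: 168) phone.example.55650 > gw.example.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
08:44:58.312374 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 184) gw.example.isakmp > phone.example.55650: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|sa]
08:45:00.061895 IP (tos 0x0, ttl  54, id 24346, offset 0, flags [none], proto: UDP (17), length: 340) phone.example.55650 > gw.example.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|ke]
08:45:00.136278 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 320) gw.example.isakmp > phone.example.55650: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
08:45:02.332532 IP (tos 0x0, ttl  54, id 24347, offset 0, flags [none], proto: UDP (17), length: 108) phone.example.55661 > gw.example.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
08:45:10.135529 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 320) gw.example.isakmp > phone.example.55650: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
"""

PORT_NAMES = {"isakmp": 500, "ipsec-nat-t": 4500}  # tcpdump prints these by name
PKT = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\) (?P<src>.+?)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>.+?)\.(?P<dport>[\w-]+): (?:NONESP-encap: )?isakmp .*?"
    r"phase 1 (?P<role>[IR]) (?P<payload>.*)$"
)

def parse(capture):
    """One dict per ISAKMP phase 1 packet; non-matching lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = PKT.match(line)
        if m:
            p = m.groupdict()
            # Resolve tcpdump's named ports to numbers so they compare cleanly
            p["sport"], p["dport"] = (PORT_NAMES.get(x) or int(x) for x in (p["sport"], p["dport"]))
            pkts.append(p)
    return pkts

def diagnose(capture):
    """Did the initiator float to UDP/4500, and did the responder follow it?"""
    pkts = parse(capture)
    floated = next((p for p in pkts if p["role"] == "I" and p["dport"] == 4500), None)
    if floated is None:
        return {"peer_floated": False}
    # Responder packets after the float: a healthy exchange answers from 4500 to
    # the peer's new port; replies on 500 to the old port are stale MR2 resends.
    later = [p for p in pkts if p["role"] == "R" and p["ts"] > floated["ts"]]
    return {
        "peer_floated": True,
        "peer_port_after_float": floated["sport"],
        "responder_answered_on_4500": any(p["sport"] == 4500 for p in later),
        "stale_replies_on_500": sum(
            p["sport"] == 500 and p["dport"] != floated["sport"] for p in later),
    }
```

On the capture in this post the responder never answers on 4500, so verifying that the router's firewall passes UDP/4500 inbound and that pluto is bound to it is a natural next test.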





