[Openswan Users] nat traversal cant work
kelvin
kanava88 at gmail.com
Tue Jan 29 03:21:01 EST 2008
My topology is like this:

192.168.30.12 ======== 192.168.30.112 --- 192.168.37.112 ======== 192.168.37.113
   server1                      server2 (NAT)                          client1

client1 wants to make a VPN connection to server1 through the NAT device (server2).
Below are the ipsec.conf configuration files and the log messages.
server1:

conn nat-t
    left=192.168.30.12
    right=192.168.30.112
    leftid=@12.test.com
    rightid=@dhcp.test.com
    authby=rsasig
    auto=ignore
    leftrsasigkey=...
    rightrsasigkey=...

client1:

conn nat-t
    left=192.168.37.113
    right=192.168.30.12
    leftid=@dhcp.test.com
    rightid=@12.test.com
    authby=rsasig
    auto=ignore
    leftrsasigkey=...
    rightrsasigkey=...
Error information about Quick Mode from /var/log/messages:
***parse ISAKMP Hash Payload:
Jan 20 08:20:57 server12 pluto[7433]: | next payload type: ISAKMP_NEXT_SA
Jan 20 08:20:57 server12 pluto[7433]: | length: 20
Jan 20 08:20:57 server12 pluto[7433]: | ***parse ISAKMP Security Association Payload:
Jan 20 08:20:57 server12 pluto[7433]: | next payload type: ISAKMP_NEXT_NONCE
Jan 20 08:20:57 server12 pluto[7433]: | length: 136
Jan 20 08:20:57 server12 pluto[7433]: | DOI: ISAKMP_DOI_IPSEC
Jan 20 08:20:57 server12 pluto[7433]: | ***parse ISAKMP Nonce Payload:
Jan 20 08:20:57 server12 pluto[7433]: | next payload type: ISAKMP_NEXT_KE
Jan 20 08:20:57 server12 pluto[7433]: | length: 20
Jan 20 08:20:57 server12 pluto[7433]: | ***parse ISAKMP Key Exchange Payload:
Jan 20 08:20:57 server12 pluto[7433]: | next payload type: ISAKMP_NEXT_ID
Jan 20 08:20:57 server12 pluto[7433]: | length: 196
Jan 20 08:20:57 server12 pluto[7433]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Jan 20 08:20:57 server12 pluto[7433]: | next payload type: ISAKMP_NEXT_ID
Jan 20 08:20:57 server12 pluto[7433]: | length: 12
Jan 20 08:20:57 server12 pluto[7433]: | ID type: ID_IPV4_ADDR
Jan 20 08:20:57 server12 pluto[7433]: | Protocol ID: 0
Jan 20 08:20:57 server12 pluto[7433]: | port: 0
Jan 20 08:20:57 server12 pluto[7433]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Jan 20 08:20:57 server12 pluto[7433]: | next payload type: ISAKMP_NEXT_NONE
Jan 20 08:20:57 server12 pluto[7433]: | length: 12
Jan 20 08:20:57 server12 pluto[7433]: | ID type: ID_IPV4_ADDR
Jan 20 08:20:57 server12 pluto[7433]: | Protocol ID: 0
Jan 20 08:20:57 server12 pluto[7433]: | port: 0
Jan 20 08:20:57 server12 pluto[7433]: | removing 4 bytes of padding
Jan 20 08:20:57 server12 pluto[7433]: | HASH(1) computed:
Jan 20 08:20:57 server12 pluto[7433]: | f3 51 5b e7 90 9b b7 c4 13 82 78 4c 62 20 0e 38
Jan 20 08:20:57 server12 pluto[7433]: | peer client is 192.168.37.113
Jan 20 08:20:57 server12 pluto[7433]: | peer client protocol/port is 0/0
Jan 20 08:20:57 server12 pluto[7433]: | our client is 192.168.30.12
Jan 20 08:20:57 server12 pluto[7433]: | our client protocol/port is 0/0
Jan 20 08:20:57 server12 pluto[7433]: | find_client_connection starting with nat-t
Jan 20 08:20:57 server12 pluto[7433]: | looking for 192.168.30.12/32:0/0->192.168.37.113/32:0/0
Jan 20 08:20:57 server12 pluto[7433]: | concrete checking against sr#0 192.168.30.12/32 -> 192.168.30.112/32
Jan 20 08:20:57 server12 pluto[7433]: | match_id a=@dhcp.test.com
Jan 20 08:20:57 server12 pluto[7433]: | b=@dhcp.test.com
Jan 20 08:20:57 server12 pluto[7433]: | results matched
Jan 20 08:20:57 server12 pluto[7433]: | trusted_ca called with a=(empty) b=(empty)
Jan 20 08:20:57 server12 pluto[7433]: | fc_try trying nat-t: 192.168.30.12/32:0/0 -> 192.168.37.113/32:0/0 vs nat-t:192.168.30.12/32:0/0->192.168.30.112/32:0/0
Jan 20 08:20:57 server12 pluto[7433]: | fc_try concluding with none [0]
Jan 20 08:20:57 server12 pluto[7433]: | fc_try nat-t gives none
Jan 20 08:20:57 server12 pluto[7433]: | find_host_pair: comparing to 192.168.30.12:500 192.168.30.112:500
Jan 20 08:20:57 server12 pluto[7433]: | checking hostpair 192.168.30.12/32->192.168.30.112/32 is not found
Jan 20 08:20:57 server12 pluto[7433]: | concluding with d = none
Jan 20 08:20:57 server12 pluto[7433]: "nat-t" #1: cannot respond to IPsec SA request because no connection is known for 192.168.30.12[@12.test.com]...192.168.30.112[@dhcp.test.com]===192.168.37.113/32
Jan 20 08:20:57 server12 pluto[7433]: | complete state transition with (null)
Jan 20 08:20:57 server12 pluto[7433]: "nat-t" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.30.112:4500
I initiate the VPN from client1 to server1. When I enter "ipsec auto --up nat-t"
in the shell of client1, below is the output on screen.
vpnclient:~ # ipsec auto --add nat-t
vpnclient:~ # ipsec auto --up nat-t
104 "nat-t" #1: STATE_MAIN_I1: initiate
003 "nat-t" #1: received Vendor ID payload [Openswan (this version) 2.4.4  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "nat-t" #1: received Vendor ID payload [Dead Peer Detection]
003 "nat-t" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "nat-t" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "nat-t" #1: NAT-Traversal: Result using 3: i am NATed
108 "nat-t" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "nat-t" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "nat-t" #2: STATE_QUICK_I1: initiate
010 "nat-t" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "nat-t" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "nat-t" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "nat-t" #2: starting keying attempt 2 of an unlimited number, but releasing whack
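Editor's note on the log above: Main Mode succeeds (the RSA identities @12.test.com and @dhcp.test.com match), but in Quick Mode the NATed client proposes its real address 192.168.37.113/32 as its Phase 2 client selector, while server1's conn only knows right=192.168.30.112 (the NAT's outside address). pluto therefore finds no connection for 192.168.30.12/32 -> 192.168.37.113/32 and answers INVALID_ID_INFORMATION, which the client sees only as Quick Mode retransmissions. The fragment below is an added example of how a responder conn is usually written for a peer behind NAT; it is not from the original post or from the Openswan project. It assumes nat_traversal=yes is already in config setup on both peers (the "i am NATed" line and the :4500 port show NAT-T is negotiated, but the post does not show that section) and that 192.168.37.0/24, taken from the topology diagram, is the only private range behind server2. Only server1's side changes; client1's posted conn stays as it is.

```ini
# Added example: server1 (responder) side only.
# Assumption: nat_traversal=yes is already enabled on both peers.
# Assumption: 192.168.37.0/24 is the only private range behind server2.

config setup
    nat_traversal=yes
    # Private ranges a NATed peer is allowed to present as its Phase 2
    # client address. server1's own LAN (192.168.30.0/24) is deliberately
    # not listed, so a remote peer cannot claim one of our local addresses.
    virtual_private=%v4:192.168.37.0/24

conn nat-t
    left=192.168.30.12
    leftid=@12.test.com
    leftrsasigkey=...            # the same key as in the original post
    # The IKE packets arrive from the NAT's outside address (192.168.30.112),
    # but a DHCP/NATed peer is matched by its authenticated ID and RSA key,
    # not by a fixed address, so %any is acceptable here.
    right=%any
    rightid=@dhcp.test.com
    rightrsasigkey=...           # the same key as in the original post
    # Accept the peer's real address (%no) or any address inside
    # virtual_private (%priv) as its Phase 2 client selector. This is what
    # lets 192.168.37.113/32 match where right=192.168.30.112 alone failed.
    rightsubnet=vhost:%no,%priv
    authby=rsasig
    auto=add
```

After editing, reload the conn on server1 (ipsec auto --replace nat-t, or ipsec setup restart) and run ipsec auto --up nat-t on client1 again; success shows up as STATE_QUICK_I2 with "IPsec SA established" instead of the retransmissions above. If the client's inside address is static, a narrower alternative is to keep right=192.168.30.112 and add rightsubnet=192.168.37.113/32, which accepts exactly that one selector and needs no virtual_private. In either form the peer is still authenticated by rightid plus its rightrsasigkey, so opening right to %any does not weaken the authentication, only the address check.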