[Openswan Users] Tunnel established but no traffic / NAT-T issues?

Peter McGill petermcgill at goco.net
Mon Mar 17 10:10:46 EDT 2008


Can someone else please help Pawel with this;
it's already beyond my level of expertise.
I avoid using NAT-T and have little experience there,
and I've also never used XAUTH.

Pawel, my only suggestion, which won't solve your problem
but may help others to diagnose it, is to disable your
debug logging. The debug options are intended for developer
use, not user use, and don't help the average case; they only
hinder by cluttering the logs and making them hard to read.
Only set plutodebug= if asked by a developer.

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Pawel Osiczko
> Sent: March 16, 2008 12:00 PM
> To: users at openswan.org
> Subject: [Openswan Users] Tunnel established but no traffic / 
> NAT-T issues?
> 
> Hi!
> 
> Thanks to Peter, I was able to establish a VPN tunnel to Sonicwall from
> an exposed/non-NATed client. However, from behind a firewall that does NAT
> I cannot pass traffic via the ipsec tunnel. Software used in this case is:
> openswan-2.4.10.kernel-2.6.22-natt.patch + klips ipsec module
> from 4.12 on a vanilla 2.6.22.19 kernel. The setup is as follows:
> 
> openswan client -> nat/fwall -> the internet tubes -> sonicwall -> dest lan
> 192.168.1.0/24                                        1.2.3.4      192.168.26.0/24
> 
> The connection is established with:
> 
> root at chayka [etc]> vpn-up
> 002 "group" #3: initiating Aggressive Mode #3, connection "group"
> 112 "group" #3: STATE_AGGR_I1: initiate
> 003 "group" #3: ignoring unknown Vendor ID payload [5b362bc820f70001]
> 003 "group" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> 003 "group" #3: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "group" #3: received Vendor ID payload [XAUTH]
> 002 "group" #3: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
> 003 "group" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
> 002 "group" #3: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
> 002 "group" #3: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
> 004 "group" #3: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 041 "group" #3: group prompt for Username:
> Name enter:   user1
> 040 "group" #3: group prompt for Password:
> Enter secret: 
> 002 "group" #3: XAUTH: Answering XAUTH challenge with user='user1'
> 002 "group" #3: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> 004 "group" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "group" #3: XAUTH: Successfully Authenticated
> 002 "group" #3: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> 004 "group" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "group" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#3}
> 117 "group" #4: STATE_QUICK_I1: initiate
> 002 "group" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "group" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x477c8e8d <0xc49894ce xfrm=3DES_0-HMAC_SHA1 NATD=1.2.3.4:500 DPD=none}
> 
> The traffic, from the client to the lan, does not seem to make it to the
> destination lan.
> 
> # tcpdump -i ipsec0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:03:17.950282 IP 192.168.1.103 > 192.168.16.200: ICMP echo request, id 22314, seq 5, length 64
> 09:03:18.950054 IP 192.168.1.103 > 192.168.16.200: ICMP echo request, id 22314, seq 6, length 64
> ...
> 
> Attached is the barf. Any hints as to how to get this tunnel working?
> 
> Thank you very much!
> 
> --p
> 
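As an added triage aid that is not part of this thread or of Openswan itself, the Python below pulls the NAT-T result, the XAUTH outcome and both SA lines out of pluto's numbered status output as quoted above, and then checks whether the destinations captured on ipsec0 fall inside the subnet the diagram gives as the destination LAN. The sample lines are copied from the post; the 192.168.26.0/24 subnet is the one drawn in the diagram, and the field names in the returned dicts are this script's own choice.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: pluto status lines and tcpdump output taken from the post above.
PLUTO_LOG = """\
003 "group" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
004 "group" #3: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "group" #3: XAUTH: Successfully Authenticated
004 "group" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x477c8e8d <0xc49894ce xfrm=3DES_0-HMAC_SHA1 NATD=1.2.3.4:500 DPD=none}
"""
TCPDUMP = """\
09:03:17.950282 IP 192.168.1.103 > 192.168.16.200: ICMP echo request, id 22314, seq 5, length 64
09:03:18.950054 IP 192.168.1.103 > 192.168.16.200: ICMP echo request, id 22314, seq 6, length 64
"""

SA_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<state>STATE_\w+): .*?(?P<kind>ISAKMP|IPsec) SA established \{(?P<attrs>[^}]*)\}')
NAT_RE = re.compile(r'NAT-Traversal: Result using [^:]+: (?P<result>.+)$')
PKT_RE = re.compile(r'^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+):')

def parse_attrs(s):
    """Turn 'auth=X cipher=Y ESP=>0x1 <0x2' into a dict; the two ESP SPIs get their own keys."""
    out = {}
    for tok in s.split():
        if tok.startswith('ESP=>'):
            out['esp_out'] = tok[5:]      # outbound SPI
        elif tok.startswith('<0x'):
            out['esp_in'] = tok[1:]       # inbound SPI
        elif '=' in tok:
            k, v = tok.split('=', 1)
            out[k] = v
    return out

def summarize(log):
    """Collect the NAT-T result, XAUTH outcome and both SAs from pluto's status lines."""
    summary = {'xauth_ok': False}
    for line in log.splitlines():
        if m := NAT_RE.search(line):
            summary['nat'] = m['result']
        elif 'XAUTH: Successfully Authenticated' in line:
            summary['xauth_ok'] = True
        elif m := SA_RE.match(line):
            summary[m['kind'].lower()] = {'state': m['state'], **parse_attrs(m['attrs'])}
    return summary

def off_policy(capture, remote_net):
    """Destinations seen on ipsec0 that lie outside the tunnel's remote subnet."""
    net = ip_network(remote_net)
    return sorted({m['dst'] for l in capture.splitlines() if (m := PKT_RE.match(l)) and ip_address(m['dst']) not in net})
```

Running `off_policy(TCPDUMP, '192.168.26.0/24')` against the post's own capture returns the pinged address, since it is not inside the subnet the diagram labels as the destination LAN; whether that is a typo in the post or a real policy mismatch is something only the poster's config can settle.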
