[Openswan Users] Openswan-2.4.7:INVALID_MESSAGE_ID......cannot respond to IPsec SA request......
yrff_ren
yrff_ren at 163.com
Sat Nov 1 12:06:56 EDT 2008
Hello everyone!
I am trying to learn VPNs with Openswan. Now the IPsec VPN passing through the NAT device gives me some trouble: INVALID_MESSAGE_ID
and "cannot respond to IPsec SA request"... in Quick Mode. Why?
What shall I do?
I did it this way:
1: First, I built the VPN system with openswan-2.4.7 on CentOS-4.4 without NAT.
The IPsec SA was established:
#ipsec auto --up road
104 "road" #1: STATE_MAIN_I1: initiate
003 "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "road" #1: received Vendor ID payload [Dead Peer Detection]
003 "road" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "road" #2: STATE_QUICK_I1: initiate
004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x62bdff15 <0xe3c1013e xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
2: Following the above steps, I built the VPN system with openswan-2.4.7 on CentOS-4.4 with NAT.
2.1 The VPN network topology with NAT is:
Note: the router model is H3C AR 18-21A; this product supports IPsec data passing through NAT. (http://www.h3c.com)
left network <---------> Router <--------------> laptop
eth1:192.168.3.33        LAN   WAN               eth0:192.168.0.22
                                                 eth1:192.168.1.9
2.2 Modify "/etc/ipsec.conf" on the left (192.168.3.33):
version 2.0
config setup
    nat_traversal=yes
    nhelpers=0
conn road
    left=192.168.3.33
    leftnexthop=%defaultroute
    leftid=@laptop
    leftrsasigkey=0sAQNgTnRnteuIwjhq/Lm9QdK60buLB3Ggdh8K+dGVHZ63zma3FP9LE2xp9xfysHI7i+7ey1D+YCWC2831h6jim7cJtIA5hI75h2NZtcl0MVxyLqV++ryYiuceWgEMxG5Qr87nN+040kbZVmNrnJLSurZrrjNelqPuzJivlROcCYdeFHLWUh4PFbUDKmzpVoUy4hCokBnlhH3coasLBIe1+9G/eOz2mlEbjTi8E+0RS6iIqlfMWdVMZv3QfRLDYGOMOVJRCXfJWVVJ3gzmj9vhA01ffQ/lfM2FyDPNOjzI384f6vFhkNS6M9Q1mr/v7GCPReHnPKiSs9LuY7mycgr610dFpta1K8AFJQYIPbLeEQma6GDj
    right=192.168.0.22
    rightsubnet=192.168.1.0/24
    rightid=@vpnserver
    rightrsasigkey=0sAQOMxeosF6RzqISPzFLzDI3winmxxBtr+UrFxGakqT1+q8ShGuADZc+iTvDPrJFSVraRVSfm/6yYfiCyWxmdrKQIDGTUQdzPu8PbeErEnnyd21asQsaHyQ3fG6VXZfgYiKTKIcDl1X3MP//0xZqNSh/UxysZ4xedWRrAX2A36PjSzCRhF9Te3k+VASURhkvTNV44zpQNm6kSx0Adm4guaQw6nPrYIVq5wkfLr9iwmXrMscHrqcdvesDkevOQJrEYJ/PqB6PbwGsfsDrkEcTF1/gvvXh7cRCEEQ7MLlqHZHXT5TmsJCinVroCnmKQOtfMAsq7sNIqGU/Jm6O25oni95DE9J/TzAaJe5sNwkluLoBT4Q33
    auto=add
include /etc/ipsec.d/examples/no_oe.conf
2.3 Modify "/etc/ipsec.conf" on the laptop (192.168.0.22):
version 2.0
config setup
    nat_traversal=yes
    nhelpers=0
conn road
    left=192.168.0.22
    leftid=@vpnserver
    leftsubnet=192.168.1.0/24
    leftrsasigkey=0sAQOMxeosF6RzqISPzFLzDI3winmxxBtr+UrFxGakqT1+q8ShGuADZc+iTvDPrJFSVraRVSfm/6yYfiCyWxmdrKQIDGTUQdzPu8PbeErEnnyd21asQsaHyQ3fG6VXZfgYiKTKIcDl1X3MP//0xZqNSh/UxysZ4xedWRrAX2A36PjSzCRhF9Te3k+VASURhkvTNV44zpQNm6kSx0Adm4guaQw6nPrYIVq5wkfLr9iwmXrMscHrqcdvesDkevOQJrEYJ/PqB6PbwGsfsDrkEcTF1/gvvXh7cRCEEQ7MLlqHZHXT5TmsJCinVroCnmKQOtfMAsq7sNIqGU/Jm6O25oni95DE9J/TzAaJe5sNwkluLoBT4Q33
    rightnexthop=%defaultroute
    right=%any
    rightid=@laptop
    rightrsasigkey=0sAQNgTnRnteuIwjhq/Lm9QdK60buLB3Ggdh8K+dGVHZ63zma3FP9LE2xp9xfysHI7i+7ey1D+YCWC2831h6jim7cJtIA5hI75h2NZtcl0MVxyLqV++ryYiuceWgEMxG5Qr87nN+040kbZVmNrnJLSurZrrjNelqPuzJivlROcCYdeFHLWUh4PFbUDKmzpVoUy4hCokBnlhH3coasLBIe1+9G/eOz2mlEbjTi8E+0RS6iIqlfMWdVMZv3QfRLDYGOMOVJRCXfJWVVJ3gzmj9vhA01ffQ/lfM2FyDPNOjzI384f6vFhkNS6M9Q1mr/v7GCPReHnPKiSs9LuY7mycgr610dFpta1K8AFJQYIPbLeEQma6GDj
    auto=add
include /etc/ipsec.d/examples/no_oe.conf
2.4 Execute this command on the left (192.168.3.33) and on the laptop (192.168.0.22):
#service ipsec restart
2.5 Execute this command on the left (192.168.3.33):
#ipsec auto --up road
104 "road" #1: STATE_MAIN_I1: initiate
003 "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "road" #1: received Vendor ID payload [Dead Peer Detection]
003 "road" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "road" #2: STATE_QUICK_I1: initiate
010 "road" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "road" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "road" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "road" #2: starting keying attempt 2 of an unlimited number, but releasing whack
2.6 From the above information we conclude that the IPsec data failed to pass through the NAT!!! Why??
2.7 The ipsec log file on the left (192.168.3.33) shows:
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: initiating Main Mode
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received Vendor ID payload [Dead Peer Detection]
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received Vendor ID payload [RFC 3947] method set to=110
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: I did not send a certificate because I do not have one.
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: Main mode peer ID is ID_FQDN: '@vpnserver'
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Oct 29 15:33:00 beijing5000 pluto[3083]: "road" #1: received and ignored informational message
Oct 29 15:33:10 beijing5000 pluto[3083]: "road" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Oct 29 15:33:10 beijing5000 pluto[3083]: "road" #1: received and ignored informational message
Oct 29 15:33:30 beijing5000 pluto[3083]: "road" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Oct 29 15:33:30 beijing5000 pluto[3083]: "road" #1: received and ignored informational message
Oct 29 15:34:10 beijing5000 pluto[3083]: "road" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2.8 The ipsec log file on the laptop (192.168.0.22) shows:
Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [Openswan (this version) 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [Dead Peer Detection]
Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [RFC 3947] method set to=110
Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct 29 15:25:41 shanghai5000 pluto[30593]: packet from 192.168.0.1:12291: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: responding to Main Mode from unknown peer 192.168.0.1
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: Main mode peer ID is ID_FQDN: '@laptop'
Oct 29 15:25:41 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: I did not send a certificate because I do not have one.
Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 29 15:25:42 shanghai5000 pluto[30593]: | NAT-T: new mapping 192.168.0.1:12291/12290)
Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.0.22[@vpnserver]...192.168.0.1[@laptop]===192.168.3.33/32
Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.0.1:12290
Oct 29 15:25:52 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x19529c28 (perhaps this is a duplicated packet)
Oct 29 15:25:52 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_MESSAGE_ID to 192.168.0.1:12290
Oct 29 15:26:12 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x19529c28 (perhaps this is a duplicated packet)
Oct 29 15:26:12 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: sending encrypted notification INVALID_MESSAGE_ID to 192.168.0.1:12290
2.9 Output of ipsec verify:
#ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.7/K2.6.9-42.EL (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Thanks
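An added example, not from the post or from Openswan itself: it parses the responder's "cannot respond to IPsec SA request because no connection is known for ..." line quoted above and checks the proposed client subnet against a simplified model of the laptop's conn. The NATed initiator proposes its private address 192.168.3.33/32 as its client, while a conn with no rightsubnet only matches the peer's post-NAT address 192.168.0.1/32; the rightsubnet=vhost:%priv,%no form used in the "fixed" conn is real Openswan syntax, but the matcher, the dict field names and the diagnose() wording are assumptions of this example, not pluto's own logic.

```python
import ipaddress
import re

# Constructed copy of the responder (laptop) log line quoted in the post.
LOG_LINE = ('Oct 29 15:25:42 shanghai5000 pluto[30593]: "road"[3] 192.168.0.1 #3: '
            'cannot respond to IPsec SA request because no connection is known for '
            '192.168.1.0/24===192.168.0.22[@vpnserver]...192.168.0.1[@laptop]===192.168.3.33/32')

REQ_RE = re.compile(r'no connection is known for '
                    r'(\S+?)===(\S+?)\[(\S+?)\]\.\.\.(\S+?)\[(\S+?)\]===(\S+)')
PRIVATE = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

def parse_request(line):
    """Extract the client subnets, addresses and IDs pluto failed to match, or None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    return {'leftsubnet': m[1], 'left': m[2], 'leftid': m[3],
            'right': m[4], 'rightid': m[5], 'rightsubnet': m[6]}

def right_accepts(conn, peer_addr, client_subnet):
    """Simplified (assumed) model of the responder's rightsubnet check:
    absent -> only the peer's own post-NAT address; explicit subnet -> within it;
    vhost:%priv,%no -> any RFC1918 /32 (the client's pre-NAT address) or the peer itself."""
    want = ipaddress.ip_network(client_subnet)
    peer = ipaddress.ip_network(peer_addr + '/32')
    spec = conn.get('rightsubnet')
    if spec is None:
        return want == peer
    if spec.startswith('vhost:'):
        for tok in spec[len('vhost:'):].split(','):
            if tok == '%no' and want == peer:
                return True
            if tok == '%priv' and want.prefixlen == 32 and any(want.subnet_of(p) for p in PRIVATE):
                return True
        return False
    return want.subnet_of(ipaddress.ip_network(spec))

def diagnose(conn, line):
    """Return 'match' if the conn would have accepted the request, else why it did not."""
    req = parse_request(line)
    if req is None:
        return 'no SA-request failure in this line'
    if right_accepts(conn, req['right'], req['rightsubnet']):
        return 'match'
    return (f"conn rightsubnet={conn.get('rightsubnet')!r} does not cover proposed client "
            f"{req['rightsubnet']} behind NATed peer {req['right']}")

# The laptop conn as posted (no rightsubnet) beside a corrected version.
POSTED = {'right': '%any', 'rightid': '@laptop'}
FIXED = dict(POSTED, rightsubnet='vhost:%priv,%no')
```

Running diagnose(POSTED, LOG_LINE) reports the mismatch while diagnose(FIXED, LOG_LINE) returns 'match', which is the check to repeat against the real log after editing the laptop's conn.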