[Openswan Users] R: R: Ipsec/l2tp server behind nat, again

Luigi Iotti luigi at iotti.biz
Thu Sep 25 09:30:20 EDT 2008


> On Wed, 24 Sep 2008, Lux wrote:
> 
> > virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
> 
> > "roadwarrior-l2tp"[2] 79.7.5.49 #1: cannot respond to IPsec SA request because no connection is known for 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...79.7.5.49[@luxnb.iotti.biz,+S=C]:17/%any===192.168.1.7/32
> 
> Is 12.34.112.177 the NAT'ed IP of the client? If so, that range needs to
> be in the virtual_private= range, which it is not in.

12.34.112.177 is the public IP address through which the openswan server is
visible to the outside world. The real IP address of the openswan server is
192.168.0.100. On my router I forwarded the esp protocol, 500/udp and
4500/udp from 12.34.112.177 to 192.168.0.100.
12.34.112.177 is listed as the target host in the client's l2tp connection.
The client is XP sp3.

> > I don't know if this can be related to the problem, but I found that if I
> > add controlmore to plutodebug=, pluto dies with this in the log:
> > pluto[16835]: | ******parse ISAKMP Oakley attribute:
> > pluto[16835]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
> > pluto[16835]: |    length/value: 4
> 
> Can you add dumpdir=/tmp and then run with controlmore, and run gdb on
> the core in /tmp to see what the crasher is?

My knowledge of gdb is very, very basic, but you are welcome to suggest
further enquiries. In the meantime this is what I was able to find:

gdb /usr/libexec/ipsec/pluto /tmp/core.25478
...
Core was generated by `/usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --debug-cont'.
Program terminated with signal 11, Segmentation fault.
#0  addrtypeof (src=0x0) at /usr/src/redhat/BUILD/openswan-2.6.14/linux/net/ipsec/addrtypeof.c:25
25      {
(gdb) bt
#0  addrtypeof (src=0x0) at /usr/src/redhat/BUILD/openswan-2.6.14/linux/net/ipsec/addrtypeof.c:25
#1  0x001e42b7 in find_host_connection2 (func=0x292db5 "main_inI1_outR1", me=0x9322b08, my_port=500, him=0x0, his_port=500, policy=1) at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/connections.c:2078
#2  0x00205f99 in main_inI1_outR1 (md=0x9323818) at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/ikev1_main.c:732
#3  0x00200478 in process_packet_tail (mdp=0x2ce440) at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/ikev1.c:1716
#4  0x00200aa6 in process_v1_packet (mdp=0x2ce440) at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/ikev1.c:1268
#5  0x00225733 in process_packet (mdp=0x2ce440) at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/demux.c:163
#6  0x00225b57 in comm_handle (ifp=0x9322b00) at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/demux.c:212
#7  0x001f8da8 in call_server () at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/server.c:761
#8  0x001f5c55 in main (argc=1399801167, argv=0x6577554a) at /usr/src/redhat/BUILD/openswan-2.6.14/programs/pluto/plutomain.c:833

Thank you.
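
Added example, not part of the original message and not Openswan code: a small checker for the question raised in the quoted reply, namely which of the addresses in the "no connection is known" log line fall inside the posted virtual_private= value. It assumes the documented reading of the setting (%v4:/%v6: entries include a network, a leading ! excludes one, and exclusions win); the function names are hypothetical.

```python
import ipaddress

# virtual_private= value exactly as quoted in the thread.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.0.0/24")


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) networks."""
    allowed, excluded = [], []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        family, _, net = item.partition(":")
        if family not in ("%v4", "%v6") or not net:
            raise ValueError(f"unrecognised entry: {item!r}")
        negate = net.startswith("!")
        network = ipaddress.ip_network(net[1:] if negate else net)
        # The %v4/%v6 prefix must agree with the address family of the network.
        if (family == "%v4") != (network.version == 4):
            raise ValueError(f"address family mismatch: {item!r}")
        (excluded if negate else allowed).append(network)
    return allowed, excluded


def is_virtual_private(addr, value=VIRTUAL_PRIVATE):
    """True if addr is in an included network and in no excluded one."""
    ip = ipaddress.ip_address(addr)
    allowed, excluded = parse_virtual_private(value)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


def classify(addresses, value=VIRTUAL_PRIVATE):
    """Map each address to its virtual_private verdict."""
    return {addr: is_virtual_private(addr, value) for addr in addresses}


if __name__ == "__main__":
    # Addresses taken from the log line quoted in the thread.
    for addr, ok in classify(["12.34.112.177", "192.168.0.100",
                              "79.7.5.49", "192.168.1.7"]).items():
        print(f"{addr:16} {'inside' if ok else 'outside'} virtual_private")
```
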