[Openswan Users] Openswan ipsec Nat-traversal errors

Fri Aug 7 13:04:29 EDT 2009

Hi everibody,

I'm trying to do a roadwarrior ipsec/L2tp vpn between a windows XP sp2 client and a debian Lenny server. I installed openswan 2.4.12 (present in the reposetory of debian) i didn't install openswan-moduls because i want to use NETKEY.

I pass the configuration of the VPN between two local networks: 

client -----> VPN_serveur -----> Local network

Unfortunately it doesn't work when i do the same thing with a client who uses internet to establish a connection to the server. I think that i have got some troubles with NAT-Traversal, even if i set the option nat_traversal=yes in the ipsec.conf file.

roadwarrior_client ----------> NAT --->INTERNET -------> NAT---> VPN_serveur ----------> local network

Do you have any suggestions to solve this error:

Aug 7 18:07:45 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

Thanks by advance

Paul

/etc/ipsec.conf
---------------------------------------------------------
version 2.0 # conforms to second version of ipsec.conf specification

config setup
interfaces="ipsec0=eth0"
#plutodebug="all" 
overridemtu=1440
rp_filter=0
nat_traversal=yes #en standrard pour tous les types de connexions
keep_alive=yes
virtual_private=%v4:10.0.0.0/8,%4:172.16.40.0/24 #,%v4:193.168.0.0/16 #on autorise les classes privées sauf la classe 172.16.0.0/12 à venir au travers d'un NAT-T
nhelpers=0
uniqueids=yes
#forwardcontrol=yes

conn %default
left=192.168.4.244 #adresse exterieur du serveur
keyingtries=3 #on lmimite à 3 le nombre de tentative d'echange de clé
compress=no
disablearrivalcheck=no
leftsendcert=always #le certificat est toujours envoyé
leftcert=vpn-cert.pem
leftrsasigkey=%cert
rightca=%same
rightrsasigkey=%cert
dpddelay=30
dpdtimeout=60
dpdaction=hold
authby=rsasig
type=tunnel
conn vpn-l2tp-XP
#leftid=192.168.4.244
leftprotoport=udp/1701 #accepte uniquement les flux l2tp sur udp
rightprotoport=udp/1701 #accepte uniquement les flux l2tp sur udp
rightsubnet=vhost:%priv,%no #accepte un client derriere un NAT ou une ip publique
right=%any #le client possede une ip dynamique ou inconnue
rightid="/C=FR/ST=*************/O=*******/OU=XP/CN=*/E=*" #identifiant de connexion
auto=add
pfs=no

/var/log/auth.log
------------------------------------------------------------

Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [FRAGMENTATION]
Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 7 18:07:29 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: responding to Main Mode from unknown peer 80.*.173.59
Aug 7 18:07:29 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 18:07:29 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [FRAGMENTATION]
Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Aug 7 18:07:29 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 7 18:07:29 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #2: responding to Main Mode from unknown peer 80.*.173.59
Aug 7 18:07:29 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 18:07:29 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=******, O=*******, OU=XP, CN=client_windows, E=censored at yahoo.fr'
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: no crl from issuer "C=FR, ST=**********, L=*******, O=********, OU=infor, CN=CAvpn, E=censored at yahoo.fr" found (strict=no)
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: I am sending my cert
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 7 18:07:30 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #3: responding to Quick Mode {msgid:e8ba7cc0}
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x6f448cc2 <0x25e578a5 xfrm=3DES_0-HMAC_MD5 NATD=80.*.173.59:11200 DPD=none}
Aug 7 18:07:31 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 7 18:07:31 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [FRAGMENTATION]
Aug 7 18:07:31 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Aug 7 18:07:31 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #4: responding to Main Mode from unknown peer 80.*.173.59
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 18:07:31 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #4: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 18:07:32 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 7 18:07:32 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [FRAGMENTATION]
Aug 7 18:07:32 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Aug 7 18:07:32 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 7 18:07:32 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #5: responding to Main Mode from unknown peer 80.*.173.59
Aug 7 18:07:32 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 18:07:32 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 18:07:34 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #4: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:34 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #5: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:34 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 7 18:07:34 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [FRAGMENTATION]
Aug 7 18:07:34 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Aug 7 18:07:34 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 7 18:07:34 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: responding to Main Mode from unknown peer 80.*.173.59
Aug 7 18:07:34 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 18:07:34 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 18:07:37 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:38 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 7 18:07:38 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [FRAGMENTATION]
Aug 7 18:07:38 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Aug 7 18:07:38 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 7 18:07:38 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #7: responding to Main Mode from unknown peer 80.*.173.59
Aug 7 18:07:38 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 18:07:38 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 18:07:41 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #7: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:41 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 11200, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:41 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #4: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:45 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #5: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:45 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #6: ERROR: asynchronous network error report on eth0 (sport=500) for message to 80.*.173.59 port 5740, complainant 192.168.4.244: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 7 18:07:46 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 7 18:07:46 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [FRAGMENTATION]
Aug 7 18:07:46 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Aug 7 18:07:46 serveurVpn pluto[10259]: packet from 80.*.173.59:5740: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 7 18:07:46 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #8: responding to Main Mode from unknown peer 80.*.173.59
Aug 7 18:07:46 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 18:07:46 serveurVpn pluto[10259]: "vpn-l2tp-XP"[1] 80.*.173.59 #8: STATE_MAIN_R1: sent MR1, expecting MI2

 Créez votre adresse électronique prenom.nom at laposte.net 
 1 Go d'espace de stockage, anti-spam et anti-virus intégrés.