[Openswan Users] Ipsec restart needed, after Vista with AssumeUDP=0 try, from behind a NAT

FLOC'H Tanguy t.floch at sofrel.com
Mon Dec 14 08:12:51 EST 2009


Hello,

Any idea about this problem ?

I have tried to play with the "keylife" and "ikelifetime" settings, hopping that I could open a new Ipsec session when the timeout has occurred ...

but I'm still not able to establish a new connection, after one "failure because of missing registry key" try.

Best regards,

Tanguy Floc'h

-----Message d'origine-----
De : users-bounces at openswan.org [mailto:users-bounces at openswan.org] De la part de FLOC'H Tanguy
Envoyé : mercredi 2 décembre 2009 18:08
À : users at openswan.org
Objet : [Openswan Users] Ipsec restart needed,after Vista with AssumeUDP=0 try, from behind a NAT

Hi !

I'm currently using Openswan 2.4.15 and Xl2tpd 1.2.4 as VPN Server, for roadwarrior clients (XP SP2 / Vista)

I'm using PSK.

Both Clients and VPN server are located behind a NAT (see schematic bellow).


This configuration is working great, with AssumeUDPEncapsulationContextOnSendRule=2 on XP / Vista clients.

Because of the "roadwarriors behind the same NAT" issue, I can only connect 1 client at a time, which is normal.


The problem I'm facing is:
If I try to connect from computer "Vista 2" (on which the AssumeUDPEncapsulationContextOnSendRule has not been set),
then I can't connect anymore from "Vista 1" or "XP 1". (even if I wait ~ 1 hour)

It seems like the previous "Vista 2" connection failure keeps the Ipsec session 'opened' ... so I can't establish a new connection from the same "public" IP address (ie: 192.168.1.2 here).

If I want to establish a new connection from "XP 1" or "Vista 1", the only solution is to restart ipsec.

Can this problem be fixed, by editing ipsec.conf ? Or is it an openswan problem ?

Network:
(consider 192.168.1.x as a public network, i.e. Internet)
 ____________________________________________________________________________________________________
|                                                                                                    |
| >> Roadwarrior clients side <<                                                                     |
|                                                                                                    |
| XP 1 [172.17.20.226] -------------+                                                                |
| AssumeUDP.. = 2                   |     "Public" network GW (NAT)                                  |
|                                   |                                                                |
| Vista 1 [172.17.23.11] -----------+--[172.17.0.1] - [192.168.1.2] =====("Public Network")..        |
| AssumeUDP.. = 2                   |                                                                |
|                                   |                                                                |
| Vista 2 [172.17.20.91] -----------+                                                                |
| AssumeUDP.. NOT SET                                                                                |
|                                                                                                    |
|                                                                                                    |
|                                                                                                    |
| >> VPN Server Side <<                                                                              |
|                                                                                                    |
|                            "Public" network GW (NAT)              +------ [192.168.0.3] VPN Server |
|                            DNAT UDP:500,4500 > 192.168.0.3        |                                |
|                                                                   |                                |
| ..("Public Network") ===== [192.168.1.1] - [192.168.0.1] ---------+                                |
|                                                                   |                                |
|                                                                   |                                |
|____________________________________________________________________________________________________|

> Scenario 1 (Vista 2 - XP 1 - ipsec restart - XP 1)
Pluto.log:  http://docs.google.com/View?id=dc52kj55_8cdv9wjvf
Ipsec barf: http://docs.google.com/View?id=dc52kj55_7czwqp5hh

> Scenario 2 (Vista 2 - Vista 1 - ipsec restart - Vista 1)
Pluto.log:  http://docs.google.com/View?id=dc52kj55_6fp64nrfq
Ipsec barf: http://docs.google.com/View?id=dc52kj55_5gjtg9ddn

My ipsec.conf:
config setup
	interfaces=%defaultroute
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.17.0.0/16,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
	plutodebug=none
	plutostderrlog=/var/log/pluto.log

conn L2TP-PSK
        #
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        # VPN Server IP on the LAN
        left=192.168.0.3
        # LAN GW IP
        leftnexthop=192.168.0.1
        leftprotoport=17/1701
        #
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv	
        #
        auto=add

# Disable opportunistic encryption.
include /etc/ipsec/ipsec.d/examples/no_oe.conf


Best regards,

Tanguy Floc'h
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list