[Openswan Users] Road-Warrior not working with NATed router

Roland Plüss roland at rptd.ch
Fri Jul 24 14:38:30 EDT 2009


I'm trying to get a road-warrior from an office connected to the main
server. For this I used a setup similar to the one I use for laptops
connecting over wireless. For some reason, though, it does not work. It
looks like some NAT is in the way. In general, the transition from R2 to
R3 is not working. Everything up to this point works. The server gateway
is not NATed, but the office computer is. The following logs are what I
gathered from the problem.

>>> server
*** tcpdump -vvv -i eth0 port 500
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68
bytes
IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length
340) IP_PUB_OFFICE.50846 > 192.168.0.2.isakmp: [|isakmp]
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
164) 192.168.0.2.isakmp > IP_PUB_OFFICE.50846: [|isakmp]
IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length
312) IP_PUB_OFFICE.50846 > 192.168.0.2.isakmp: [|isakmp]
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
460) 192.168.0.2.isakmp > IP_PUB_OFFICE.50846: [|isakmp]
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
460) 192.168.0.2.isakmp > IP_PUB_OFFICE.50846: [|isakmp]
IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length
312) IP_PUB_OFFICE.50846 > 192.168.0.2.isakmp: [|isakmp]
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
460) 192.168.0.2.isakmp > IP_PUB_OFFICE.50846: [|isakmp]

*** tail -n 20 /var/log/auth.log
Jul 23 12:26:31 [pluto] packet from IP_PUB_OFFICE:50846: ignoring
unknown Vendor ID payload [4f45606c50487c5662707575]
Jul 23 12:26:31 [pluto] packet from IP_PUB_OFFICE:50846: received Vendor
ID payload [Dead Peer Detection]
Jul 23 12:26:31 [pluto] packet from IP_PUB_OFFICE:50846: received Vendor
ID payload [RFC 3947] method set to=109
Jul 23 12:26:31 [pluto] packet from IP_PUB_OFFICE:50846: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 109
Jul 23 12:26:31 [pluto] packet from IP_PUB_OFFICE:50846: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 109
Jul 23 12:26:31 [pluto] packet from IP_PUB_OFFICE:50846: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 109
Jul 23 12:26:31 [pluto] packet from IP_PUB_OFFICE:50846: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: responding to
Main Mode from unknown peer IP_PUB_OFFICE
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4:
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4:
STATE_MAIN_R2: sent MR2, expecting MI3
Jul 23 12:26:41 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: discarding
duplicate packet; already STATE_MAIN_R2
Jul 23 12:27:41 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: max number of
retransmissions (2) reached STATE_MAIN_R2
Jul 23 12:27:41 [pluto] "roadwarrior"[2] IP_PUB_OFFICE: deleting
connection "roadwarrior" instance with peer IP_PUB_OFFICE
{isakmp=#0/ipsec=#0}
<<<<<<<<

And here from the office computer
>>> office
*** tcpdump -i eth0 -vvv port 500
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
340) 192.168.4.2.isakmp > IP_PUB_SERVER.isakmp: isakmp 1.0 msgid  cookie
->: phase 1 I ident: [|sa]
IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length
164) IP_PUB_SERVER.isakmp > 192.168.4.2.isakmp: isakmp 1.0 msgid  cookie
->: phase 1 R ident: [|sa]
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
312) 192.168.4.2.isakmp > IP_PUB_SERVER.isakmp: isakmp 1.0 msgid  cookie
->: phase 1 I ident: [|ke]
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
312) 192.168.4.2.isakmp > IP_PUB_SERVER.isakmp: isakmp 1.0 msgid  cookie
->: phase 1 I ident: [|ke]
IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length
460) IP_PUB_SERVER.isakmp > 192.168.4.2.isakmp: isakmp 1.0 msgid  cookie
->: phase 1 R ident: [|ke]
IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length
460) IP_PUB_SERVER.isakmp > 192.168.4.2.isakmp: isakmp 1.0 msgid  cookie
->: phase 1 R ident: [|ke]

*** tail -n 20 /var/log/auth.log
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: initiating Main Mode
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: ignoring unknown Vendor
ID payload [4f4540784e47627163627858]
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: received Vendor ID
payload [Dead Peer Detection]
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: received Vendor ID
payload [RFC 3947] method set to=109
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: STATE_MAIN_I2: sent MI2,
expecting MR2
Jul 23 12:26:43 pluto[10977]: "roadwarrior" #6: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): both are NATed
Jul 23 12:26:43 pluto[10977]: "roadwarrior" #6: I am sending my cert
Jul 23 12:26:43 pluto[10977]: "roadwarrior" #6: I am sending a
certificate request
Jul 23 12:26:43 pluto[10977]: "roadwarrior" #6: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 23 12:26:43 pluto[10977]: "roadwarrior" #6: STATE_MAIN_I3: sent MI3,
expecting MR3
Jul 23 12:27:01 pluto[10977]: "roadwarrior" #6: discarding duplicate
packet; already STATE_MAIN_I3
Jul 23 12:27:53 pluto[10977]: "roadwarrior" #6: max number of
retransmissions (2) reached STATE_MAIN_I3.  Possible authentication
failure: no acceptable response to our first encrypted message
<<<<<<<<

What especially stumps me is that the logs contain talk about "both are
NATed", which is incorrect. Only the office computer is NATed; the server
is not. It also works in the wireless case. The configuration looks like
this:

<<< server
version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24
        nhelpers=0

conn roadwarrior
        left=192.168.0.2
        leftsubnet=192.168.4.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=gateway_roadwarrior_cert.pem

        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightnexthop=%defaultroute

        pfs=yes
        auto=add
        auth=esp
        authby=rsasig
        compress=yes
        keyingtries=1
        disablearrivalcheck=no
<<<<<<<

And on the office computer
<<< office
version 2.0
config setup
        nat_traversal=yes
        nhelpers=0

conn roadwarrior
        left=192.168.4.2
        #leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=roadwarrior_ppzg_cert.pem

        right=IP_PUB_SERVER
        rightsubnet=192.168.4.0/24
        rightca=%same
        rightrsasigkey=%cert
        #rightnexthop=%defaultroute

        pfs=yes
        auto=add
        auth=esp
        authby=rsasig
        compress=yes
        keyingtries=1
        disablearrivalcheck=no
<<<<<<<

Any ideas what could be wrong?

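As an added example (not part of this post and not Openswan's own code), the following Python script cross-checks two pluto logs of the kind quoted above: it extracts the last Main Mode state each IKE SA reached, the state in which retransmissions ran out, and the NAT-Traversal verdict, then reports which message was sent by one side but never received by the other and which tcpdump filter would actually show that message. The sample log lines are constructed from the ones in the post; the state-to-message table follows pluto's own "sent MI2, expecting MR2" wording; the switch to UDP port 4500 for the first encrypted Main Mode message once NAT has been detected is RFC 3947 behaviour, not something the logs state.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the pluto lines quoted in the post
# (connection name, SA numbers and timestamps are illustrative).
SERVER_LOG = """\
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: responding to Main Mode from unknown peer IP_PUB_OFFICE
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jul 23 12:26:31 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 23 12:26:41 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: discarding duplicate packet; already STATE_MAIN_R2
Jul 23 12:27:41 [pluto] "roadwarrior"[2] IP_PUB_OFFICE #4: max number of retransmissions (2) reached STATE_MAIN_R2
"""

OFFICE_LOG = """\
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: initiating Main Mode
Jul 23 12:26:31 pluto[10977]: "roadwarrior" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 23 12:26:43 pluto[10977]: "roadwarrior" #6: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jul 23 12:26:43 pluto[10977]: "roadwarrior" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 23 12:27:53 pluto[10977]: "roadwarrior" #6: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

STATE_RE = re.compile(r"#(?P<sa>\d+): transition from state (?P<frm>STATE_\w+) to state (?P<to>STATE_\w+)")
RETRANS_RE = re.compile(r"#(?P<sa>\d+): max number of retransmissions \((?P<n>\d+)\) reached (?P<state>STATE_\w+)")
NATT_RE = re.compile(r"#(?P<sa>\d+): NAT-Traversal: Result using (?P<method>.+?): (?P<verdict>.+)$")

# Main Mode bookkeeping in pluto's own "sent MI2, expecting MR2" terms:
# state -> (message sent on entering the state, message it then waits for).
MAIN_MODE_MSG = {
    "STATE_MAIN_I1": ("MI1", "MR1"), "STATE_MAIN_I2": ("MI2", "MR2"),
    "STATE_MAIN_I3": ("MI3", "MR3"), "STATE_MAIN_I4": ("established", None),
    "STATE_MAIN_R1": ("MR1", "MI2"), "STATE_MAIN_R2": ("MR2", "MI3"),
    "STATE_MAIN_R3": ("MR3", None),
}


def summarize(log_text):
    """Return {sa_number: info} for every IKE SA (#N) seen in a pluto log."""
    sas = defaultdict(lambda: {"last_state": None, "natt": None,
                               "retrans_state": None, "retrans_count": None})
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            sas[m.group("sa")]["last_state"] = m.group("to")
            continue
        m = NATT_RE.search(line)
        if m:
            sas[m.group("sa")]["natt"] = (m.group("method"), m.group("verdict").strip())
            continue
        m = RETRANS_RE.search(line)
        if m:
            info = sas[m.group("sa")]
            info["retrans_state"] = m.group("state")
            info["retrans_count"] = int(m.group("n"))
    return dict(sas)


def stalled_at(info):
    """(state, last message sent, message never received) for one SA."""
    state = info["retrans_state"] or info["last_state"]
    sent, expected = MAIN_MODE_MSG.get(state, (None, None))
    return state, sent, expected


def capture_filter(natt):
    """tcpdump filter that shows the whole exchange for this NAT-T verdict.

    RFC 3947 behaviour (assumption stated in the lead-in): once both peers
    support NAT-T and a NAT has been detected in MI2/MR2, the initiator sends
    the first encrypted Main Mode message (MI3) from and to UDP 4500, so a
    plain 'port 500' filter goes quiet at exactly the point this handshake stalls.
    """
    if natt and "NATed" in natt[1]:
        return "udp port 500 or udp port 4500"
    return "udp port 500"


def diagnose(initiator, responder):
    """Cross-check the two sides' final states and return a list of findings."""
    i_state, i_sent, i_exp = stalled_at(initiator)
    r_state, r_sent, r_exp = stalled_at(responder)
    findings = [
        f"initiator stalled in {i_state}: sent {i_sent}, never received {i_exp}",
        f"responder stalled in {r_state}: sent {r_sent}, never received {r_exp}",
    ]
    if i_sent is not None and i_sent == r_exp:
        findings.append(f"{i_sent} left the initiator but did not reach the responder")
    natt = initiator["natt"] or responder["natt"]
    if natt:
        findings.append(f"NAT-T verdict '{natt[1]}' via {natt[0]}; capture with: {capture_filter(natt)}")
    return findings


if __name__ == "__main__":
    office = summarize(OFFICE_LOG)["6"]
    server = summarize(SERVER_LOG)["4"]
    for finding in diagnose(office, server):
        print(finding)
```

Run as-is it pairs office SA #6 with server SA #4 and prints where each side stopped; point `summarize()` at a real `/var/log/auth.log` excerpt from each peer and pick the SA numbers that share the same timestamps.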