[Openswan Users] NAT-Traversal not working with Openswan 2.6.20
Danny Woodruffe
Danny.Woodruffe at lixxus.co.uk
Wed Mar 4 10:06:18 EST 2009
Hello, I cannot get NAT-Traversal working with Openswan, but the
configuration works well when there is no natting involved.
I'm using XP SP3 and openswan-2.6.20 running on Centos-5.2
1. The AssumeUDPEncapsulationContextOnSendRule value on the XP client is
set to 2.
2. The client internal IP is 192.168.2.111
3. The natted IP is 84.201.183.1
4. The server IP is 84.201.191.137
5. My config is:
version 2
config setup
nat_traversal=yes
virtual_private=%v4:192.168.0.0/16,%v4:!192.168.10.0/24,%v4:10.0.0.0/8
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn west-l2tp-psk
left=84.201.191.137
leftnexthop=84.201.191.129
leftprotoport=17/1701
rightprotoport=17/%any
rightsubnet=vhost:,%priv,%no
right=%any
auto=add
authby=secret
pfs=no
6. Here is the eror message:
Mar 4 10:49:01 s10-mail pluto[11001]: packet from 84.201.183.1:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 4 10:49:01 s10-mail pluto[11001]: packet from 84.201.183.1:500:
ignoring Vendor ID payload [FRAGMENTATION]
Mar 4 10:49:01 s10-mail pluto[11001]: packet from 84.201.183.1:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Mar 4 10:49:01 s10-mail pluto[11001]: packet from 84.201.183.1:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 4 10:49:01 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: responding to Main Mode from unknown peer 84.201.183.1
Mar 4 10:49:01 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 4 10:49:01 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is NATed
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: Main mode peer ID is ID_FQDN: '@lixxus-35e4ff1a'
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[11] 84.201.183.1
#6: switched from "west-l2tp-psk" to "west-l2tp-psk"
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: deleting connection "west-l2tp-psk" instance with peer 84.201.183.1
{isakmp=#0/ipsec=#0}
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: new NAT mapping for #6, was 84.201.183.1:500, now 84.201.183.1:4500
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: peer client type is FQDN
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: Applying workaround for MS-818043 NAT-T bug
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: IDci was FQDN: T\311\277\211, using NAT_OA=192.168.2.111/32 as IDci
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: the peer proposed: 84.201.191.137/32:17/1701 ->
192.168.2.111/32:17/0
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: cannot respond to IPsec SA request because no connection is known
for
84.201.191.137<84.201.191.137>[+S=C]:17/1701...84.201.183.1[@lixxus-35e4
ff1a,+S=C]:17/%any===192.168.2.111/32
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: sending encrypted notification INVALID_ID_INFORMATION to
84.201.183.1:4500
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: peer client type is FQDN
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: Applying workaround for MS-818043 NAT-T bug
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: IDci was FQDN: T\311\277\211, using NAT_OA=192.168.2.111/32 as IDci
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: the peer proposed: 84.201.191.137/32:17/1701 ->
192.168.2.111/32:17/0
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: cannot respond to IPsec SA request because no connection is known
for
84.201.191.137<84.201.191.137>[+S=C]:17/1701...84.201.183.1[@lixxus-35e4
ff1a,+S=C]:17/%any===192.168.2.111/32
Mar 4 10:49:02 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: sending encrypted notification INVALID_ID_INFORMATION to
84.201.183.1:4500
Mar 4 10:49:04 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: peer client type is FQDN
Mar 4 10:49:04 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: Applying workaround for MS-818043 NAT-T bug
Mar 4 10:49:04 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: IDci was FQDN: T\311\277\211, using NAT_OA=192.168.2.111/32 as IDci
Mar 4 10:49:04 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: the peer proposed: 84.201.191.137/32:17/1701 ->
192.168.2.111/32:17/0
Mar 4 10:49:04 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: cannot respond to IPsec SA request because no connection is known
for
84.201.191.137<84.201.191.137>[+S=C]:17/1701...84.201.183.1[@lixxus-35e4
ff1a,+S=C]:17/%any===192.168.2.111/32
Mar 4 10:49:04 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: sending encrypted notification INVALID_ID_INFORMATION to
84.201.183.1:4500
Mar 4 10:49:08 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: peer client type is FQDN
Mar 4 10:49:08 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: Applying workaround for MS-818043 NAT-T bug
Mar 4 10:49:08 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: IDci was FQDN: T\311\277\211, using NAT_OA=192.168.2.111/32 as IDci
Mar 4 10:49:08 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: the peer proposed: 84.201.191.137/32:17/1701 ->
192.168.2.111/32:17/0
Mar 4 10:49:08 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: cannot respond to IPsec SA request because no connection is known
for
84.201.191.137<84.201.191.137>[+S=C]:17/1701...84.201.183.1[@lixxus-35e4
ff1a,+S=C]:17/%any===192.168.2.111/32
Mar 4 10:49:08 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: sending encrypted notification INVALID_ID_INFORMATION to
84.201.183.1:4500
Mar 4 10:49:16 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: peer client type is FQDN
Mar 4 10:49:16 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: Applying workaround for MS-818043 NAT-T bug
Mar 4 10:49:16 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: IDci was FQDN: T\311\277\211, using NAT_OA=192.168.2.111/32 as IDci
Mar 4 10:49:16 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: the peer proposed: 84.201.191.137/32:17/1701 ->
192.168.2.111/32:17/0
Mar 4 10:49:16 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: cannot respond to IPsec SA request because no connection is known
for
84.201.191.137<84.201.191.137>[+S=C]:17/1701...84.201.183.1[@lixxus-35e4
ff1a,+S=C]:17/%any===192.168.2.111/32
Mar 4 10:49:16 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: sending encrypted notification INVALID_ID_INFORMATION to
84.201.183.1:4500
Mar 4 10:49:30 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1
#6: received Delete SA payload: deleting ISAKMP State #6
Mar 4 10:49:30 s10-mail pluto[11001]: "west-l2tp-psk"[12] 84.201.183.1:
deleting connection "west-l2tp-psk" instance with peer 84.201.183.1
{isakmp=#0/ipsec=#0}
Mar 4 10:49:30 s10-mail pluto[11001]: packet from 84.201.183.1:4500:
received and ignored informational message
Any advice would be greatly appreciated.
Thanks
Danny
More information about the Users
mailing list