[Openswan Users] XL2TP and NAT problems with Ubuntu 9.10 and Openswan 6.22

Damon Morda damon at epartment54.com
Mon Nov 9 08:52:40 EST 2009


Well, it looks like I spoke too soon. With 2.6.24rc2, I can successfully connect from a system that is NATd, but not from a system that has a public IP address. I've included my pluto and xl2tpd errors below along with the ipsec.conf I'm using. Any ideas?

==> ipsec.conf <==
version 2.0
config setup
        interfaces=%defaultroute
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:172.17.17.0/32,%v4:!192.168.100.0/24
        #plutodebug=all
        #klipsdebug=all

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        forceencaps=yes

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-osx
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
        leftnexthop=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

==> auth.log <==
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [RFC 3947] method set to=109
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [Dead Peer Detection]
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: responding to Main Mode from unknown peer 12x.xxx.xxx.xx
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: Main mode peer ID is ID_IPV4_ADDR: '12x.xxx.xxx.xx'
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: new NAT mapping for #1, was 12x.xxx.xxx.xx:500, now 12x.xxx.xxx.xx:4500
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: received and ignored informational message
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: the peer proposed: 67.xxx.xxx.xx/32:0/0 -> 12x.xxx.xxx.xx/32:0/0
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: peer proposal was reject in a virtual connection policy because:
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: responding to Quick Mode proposal {msgid:75ecafb6}
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2:     us: 192.168.1.0/24===67.xxx.xxx.xx[+S=C]---67.163.244.1
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2:   them: 12x.xxx.xxx.xx[+S=C]
Nov  9 08:43:35 localhost pluto[4713]: | NAT-OA: 0 tunnel: 0
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x038a7551 <0x80ef64f3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=12x.xxx.xxx.xx:4500 DPD=none}

==> syslog <==
Nov  9 08:43:37 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
Nov  9 08:43:38 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
Nov  9 08:43:42 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
Nov  9 08:43:42 localhost xl2tpd[1501]: Maximum retries exceeded for tunnel 64994.  Closing.
Nov  9 08:43:50 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
Nov  9 08:43:50 localhost xl2tpd[1501]: Connection 18 closed to 12x.xxx.xxx.xx, port 64166 (Timeout)

On Nov 8, 2009, at 5:34 PM, Damon Morda wrote:

> Sorry, turns out I had to install a few packages to compile it.  
> Specifically...
>
> build-essential
> libgmp3-dev
> bison
> libgmp
> flex
> xmlto
>
> Once those were installed, I was able to compile and install openswan 2.6.24rc2 successfully. This version resolved my VPN woes; if you need any logs, config files, etc. to help your development efforts, let me know.
>
> On Nov 8, 2009, at 5:30 PM, Randy Wyatt wrote:
>
>> Did you specify gmp-dir in your config ?
>>
>> gmplib.org
>>
>>
>> -----Original Message-----
>> From: users-bounces at openswan.org on behalf of Damon Morda
>> Sent: Sun 11/8/2009 2:02 PM
>> To: Tuomo Soini
>> Cc: Users at openswan.org
>> Subject: Re: [Openswan Users] XL2TP and NAT problems with Ubuntu 9.10 and Openswan 6.22
>>
>> I've downloaded 2.6.24rc2, but can't get it to build using the "make
>> programs install" method. I receive the following error.
>>
>> In file included from /home/user/openswan-2.6.24rc2/include/certs.h:24,
>>                  from /home/user/openswan-2.6.24rc2/lib/libopenswan/id.c:39:
>> /home/user/openswan-2.6.24rc2/include/secrets.h:20:41: error: gmp.h: No such file or directory
>> In file included from /home/user/openswan-2.6.24rc2/include/certs.h:24,
>>                  from /home/user/openswan-2.6.24rc2/lib/libopenswan/id.c:39:
>> /home/user/openswan-2.6.24rc2/include/secrets.h:43: error: expected specifier-qualifier-list before 'MP_INT'
>> /home/user/openswan-2.6.24rc2/include/secrets.h:54: error: expected specifier-qualifier-list before 'MP_INT'
>> make[3]: *** [id.o] Error 1
>> make[3]: Leaving directory `/home/user/openswan-2.6.24rc2/OBJ.linux.i386/lib/libopenswan'
>> make[2]: *** [programs] Error 1
>> make[2]: Leaving directory `/home/user/openswan-2.6.24rc2/OBJ.linux.i386/lib'
>> make[1]: *** [programs] Error 1
>> make[1]: Leaving directory `/home/user/openswan-2.6.24rc2/OBJ.linux.i386'
>> make: *** [programs] Error 2
>>
>> Ideas?
>>
>> On Nov 8, 2009, at 2:32 PM, Tuomo Soini wrote:
>>
>> > Damon Morda wrote:
>> >> Hello everyone,
>> >
>> >> OS: Ubuntu Linux 9.10 Server
>> >> Kernel: 2.6.31-14
>> >> Openswan: Linux Openswan U2.6.22/K2.6.31-14-generic-pae (netkey)
>> >> xl2tpd version: xl2tpd-1.2.4
>> >
>> > Openswan-2.6.x where x < 24rc2 won't work with natted transport mode.
>> > Upgrading to 2.6.24rc2 will help us to nail possible bugs caused by
>> > fixing this issue. If you can, please test it.
>> >
>> > --
>> > Tuomo Soini <tis at foobar.fi>
>> > Foobar Linux services
>> > +358 40 5240030
>> > Foobar Oy <http://foobar.fi/>
>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>
