[Openswan Users] XL2TP and NAT problems with Ubuntu 9.10 and Openswan 6.22

Paul Wouters paul at xelerance.com
Mon Nov 9 13:49:52 EST 2009


On Mon, 9 Nov 2009, Damon Morda wrote:

> Well, it looks like I spoke too soon. With 2.6.24rc2, I can
> successfully connect from a system that is NATd, but not from a system
> that has a public IP address. I've included my pluto and xl2tp errors
> below along with the ipsec.conf I'm using. Any ideas?

I can confirm that, and I ran into this as well today. It seems to have
been a known issue with a known workaround: https://bugs.xelerance.com/issues/973

I'll see about fixing this bug over the next few days.

Paul

> ==> ipsec.conf <==
> version 2.0
> config setup
>         interfaces=%defaultroute
> 	protostack=netkey
> 	nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:172.17.17.0/32,%v4:!192.168.100.0/24
> 	#plutodebug=all
> 	#klipsdebug=all
>
> conn %default
>         keyingtries=3
>         compress=yes
>         disablearrivalcheck=no
>         authby=secret
>         type=tunnel
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
> 	forceencaps=yes
>
> conn roadwarrior-net
>         leftsubnet=192.168.1.0/24
>         also=roadwarrior
>
> conn roadwarrior-all
>         leftsubnet=0.0.0.0/0
>         also=roadwarrior
>
> conn roadwarrior-l2tp
>         leftprotoport=17/0
>         rightprotoport=17/1701
>         also=roadwarrior
>
> conn roadwarrior-l2tp-osx
>         leftprotoport=17/1701
>         rightprotoport=17/%any
>         also=roadwarrior
>
> conn roadwarrior-l2tp-updatedwin
>         leftprotoport=17/1701
>         rightprotoport=17/1701
>         also=roadwarrior
>
> conn roadwarrior
>         pfs=no
>         left=%defaultroute
> 	leftnexthop=%defaultroute
> 	right=%any
>         rightsubnet=vhost:%no,%priv
> 	auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> ==> auth.log <==
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set
> to=110
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108,
> but already using method 110
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,
> but already using method 110
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but already using method 110
> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500:
> received Vendor ID payload [Dead Peer Detection]
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: responding to Main Mode from unknown peer
> 12x.xxx.xxx.xx
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-
> ike (MacOS X): both are NATed
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: Main mode peer ID is ID_IPV4_ADDR: '12x.xxx.xxx.xx'
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: new NAT mapping for #1, was 12x.xxx.xxx.xx:500, now
> 12x.xxx.xxx.xx:4500
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: ignoring informational payload, type
> IPSEC_INITIAL_CONTACT msgid=00000000
> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: received and ignored informational message
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: the peer proposed: 67.xxx.xxx.xx/32:0/0 ->
> 12x.xxx.xxx.xx/32:0/0
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1: peer proposal was reject in a virtual connection
> policy because:
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #1:   a private network virtual IP was required, but
> the proposed IP did not match our list (virtual_private=)
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #2: responding to Quick Mode proposal {msgid:75ecafb6}
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #2:     us: 192.168.1.0/24===67.xxx.xxx.xx
> [+S=C]---67.163.244.1
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #2:   them: 12x.xxx.xxx.xx[+S=C]
> Nov  9 08:43:35 localhost pluto[4713]: | NAT-OA: 0 tunnel: 0
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #2: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
> installed, expecting QI2
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #2: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1]
> 12x.xxx.xxx.xx #2: STATE_QUICK_R2: IPsec SA established tunnel mode
> {ESP/NAT=>0x038a7551 <0x80ef64f3 xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD=12x.xxx.xxx.xx:4500 DPD=none}
>
> ==> syslog <==
> Nov  9 08:43:37 localhost xl2tpd[1501]: control_finish: Peer requested
> tunnel 18 twice, ignoring second one.
> Nov  9 08:43:38 localhost xl2tpd[1501]: control_finish: Peer requested
> tunnel 18 twice, ignoring second one.
> Nov  9 08:43:42 localhost xl2tpd[1501]: control_finish: Peer requested
> tunnel 18 twice, ignoring second one.
> Nov  9 08:43:42 localhost xl2tpd[1501]: Maximum retries exceeded for
> tunnel 64994.  Closing.
> Nov  9 08:43:50 localhost xl2tpd[1501]: control_finish: Peer requested
> tunnel 18 twice, ignoring second one.
> Nov  9 08:43:50 localhost xl2tpd[1501]: Connection 18 closed to
> 12x.xxx.xxx.xx, port 64166 (Timeout)
>
> On Nov 8, 2009, at 5:34 PM, Damon Morda wrote:
>
>> Sorry, turns out I had to install a few packages to compile it.
>> Specifically...
>>
>> build-essential
>> libgmp3-dev
>> bison
>> libgmp
>> flex
>> xmlto
>>
>> Once those were installed, I was able to compile and install
>> openswan 2.6.24rc2 successfully. This version resolved my VPN woes,
>> if you need any logs, config files, etc to help your development
>> efforts, let me know.
>>
>> On Nov 8, 2009, at 5:30 PM, Randy Wyatt wrote:
>>
>>> Did you specify gmp-dir in your config ?
>>>
>>> gmplib.org
>>>
>>>
>>> -----Original Message-----
>>> From: users-bounces at openswan.org on behalf of Damon Morda
>>> Sent: Sun 11/8/2009 2:02 PM
>>> To: Tuomo Soini
>>> Cc: Users at openswan.org
>>> Subject: Re: [Openswan Users] XL2TP and NAT problems with Ubuntu
>>> 9.10 and Openswan 6.22
>>>
>>> I've downloaded 2.6.24rc2, but can't get it to build using the "make
>>> programs install" method. I receive the following error.
>>>
>>> In file included from /home/user/openswan-2.6.24rc2/include/certs.h:
>>> 24,
>>>                  from /home/user/openswan-2.6.24rc2/lib/libopenswan/
>>> id.c:39:
>>> /home/user/openswan-2.6.24rc2/include/secrets.h:20:41: error: gmp.h:
>>> No such file or directory
>>> In file included from /home/user/openswan-2.6.24rc2/include/certs.h:
>>> 24,
>>>                  from /home/user/openswan-2.6.24rc2/lib/libopenswan/
>>> id.c:39:
>>> /home/user/openswan-2.6.24rc2/include/secrets.h:43: error: expected
>>> specifier-qualifier-list before 'MP_INT'
>>> /home/user/openswan-2.6.24rc2/include/secrets.h:54: error: expected
>>> specifier-qualifier-list before 'MP_INT'
>>> make[3]: *** [id.o] Error 1
>>> make[3]: Leaving directory `/home/user/openswan-2.6.24rc2/
>>> OBJ.linux.i386/lib/libopenswan'
>>> make[2]: *** [programs] Error 1
>>> make[2]: Leaving directory `/home/user/openswan-2.6.24rc2/
>>> OBJ.linux.i386/lib'
>>> make[1]: *** [programs] Error 1
>>> make[1]: Leaving directory `/home/user/openswan-2.6.24rc2/
>>> OBJ.linux.i386'
>>> make: *** [programs] Error 2
>>>
>>> Ideas?
>>>
>>> On Nov 8, 2009, at 2:32 PM, Tuomo Soini wrote:
>>>
>>>> Damon Morda wrote:
>>>>> Hello everyone,
>>>>
>>>>> OS: Ubuntu Linux 9.10 Server
>>>>> Kernel: 2.6.31-14
>>>>> Openswan: Linux Openswan U2.6.22/K2.6.31-14-generic-pae (netkey)
>>>>> xl2tpd version: xl2tpd-1.2.4
>>>>
>>>> Openswan-2.6.x where x < 24rc2 won't work with natted transport
>>>> mode.
>>>> Upgrading to 2.6.24rc2 will help us to nail possible bugs caused by
>>>> fixing this issue. If you can, please test it.
>>>>
>>>> --
>>>> Tuomo Soini <tis at foobar.fi>
>>>> Foobar Linux services
>>>> +358 40 5240030
>>>> Foobar Oy <http://foobar.fi/>
>>>
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>>
>>
>

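The rejection logged above ("a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)") comes down to whether the peer's proposed client address falls inside one of the %v4: ranges and outside every %v4:! exclusion. The following is an added example, not code from the thread or from Openswan itself: it reproduces that check in Python over the quoted virtual_private value and a constructed pluto log line; the function names and the RFC 5737 documentation addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample: the virtual_private= value from the ipsec.conf quoted in
# the thread, joined onto one line.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:172.17.17.0/32,%v4:!192.168.100.0/24")

# pluto logs "the peer proposed: <our client> -> <their client>"; the second
# address is the one that is checked against virtual_private.
PROPOSAL_RE = re.compile(
    r"the peer proposed: [\d.]+/\d+:\d+/\d+ -> ([\d.]+/\d+):\d+/\d+")

def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, excluded) IPv4 networks.
    Entries are %v4:NET (allowed) or %v4:!NET (excluded); %v6: entries are
    skipped because this thread only uses IPv4."""
    allowed, excluded = [], []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        family, _, net = entry.partition(":")
        if family != "%v4" or not net:
            continue
        target = excluded if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!"), strict=False))
    return allowed, excluded

def virtual_ip_permitted(proposed, value=VIRTUAL_PRIVATE):
    """True if the peer's proposed client range (e.g. '192.168.5.7/32') lies
    inside an allowed %v4 range and overlaps no %v4:! exclusion, the test
    behind pluto's 'proposed IP did not match our list' rejection."""
    net = ipaddress.ip_network(proposed, strict=False)
    allowed, excluded = parse_virtual_private(value)
    if any(net.overlaps(ex) for ex in excluded):
        return False
    return any(net.subnet_of(al) for al in allowed)

def check_pluto_line(line, value=VIRTUAL_PRIVATE):
    """Return True/False for a 'the peer proposed' pluto line, None otherwise."""
    m = PROPOSAL_RE.search(line)
    return virtual_ip_permitted(m.group(1), value) if m else None

if __name__ == "__main__":
    # Constructed log line in the shape of the auth.log excerpt, with RFC 5737
    # documentation addresses standing in for the masked public ones.
    sample = ('Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] '
              '198.51.100.7 #1: the peer proposed: 203.0.113.1/32:0/0 -> '
              '198.51.100.7/32:0/0')
    print(check_pluto_line(sample))                   # public peer: False
    print(virtual_ip_permitted("192.168.5.7/32"))     # RFC 1918 client: True
    print(virtual_ip_permitted("192.168.100.9/32"))   # %v4:! exclusion: False
```

A peer with a public address therefore fails this test unless it is listed, which is consistent with the NATed client succeeding and the public-IP client being refused in the log above.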