[Openswan Users] XL2TP and NAT problems with Ubuntu 9.10 and Openswan 6.22

Damon Morda damon at epartment54.com
Mon Nov 9 18:03:49 EST 2009


My workaround was to change:

rightsubnet=vhost:%no,%priv

to

rightsubnet=vhost:%no

Now both NATd and non-NATd devices can successfully connect.

On Nov 9, 2009, at 1:49 PM, Paul Wouters wrote:

> On Mon, 9 Nov 2009, Damon Morda wrote:
>
>> Well, it looks like I spoke too soon. With 2.6.24rc2, I can
>> successfully connect from a system that is NATd, but not from a system
>> that has a public IP address. I've included my pluto and xl2tp errors
>> below along with the ipsec.conf I'm using. Any ideas?
>
> I can confirm that, and I ran into this as well today. It seems to have
> been a known issue with a known workaround: https://bugs.xelerance.com/issues/973
>
> I'll see about fixing this bug over the next few days.
>
> Paul
>
>> ==> ipsec.conf <==
>> version 2.0
>> config setup
>>        interfaces=%defaultroute
>>        protostack=netkey
>>        nat_traversal=yes
>>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:172.17.17.0/32,%v4:!192.168.100.0/24
>>        #plutodebug=all
>>        #klipsdebug=all
>>
>> conn %default
>>        keyingtries=3
>>        compress=yes
>>        disablearrivalcheck=no
>>        authby=secret
>>        type=tunnel
>>        keyexchange=ike
>>        ikelifetime=240m
>>        keylife=60m
>>        forceencaps=yes
>>
>> conn roadwarrior-net
>>        leftsubnet=192.168.1.0/24
>>        also=roadwarrior
>>
>> conn roadwarrior-all
>>        leftsubnet=0.0.0.0/0
>>        also=roadwarrior
>>
>> conn roadwarrior-l2tp
>>        leftprotoport=17/0
>>        rightprotoport=17/1701
>>        also=roadwarrior
>>
>> conn roadwarrior-l2tp-osx
>>        leftprotoport=17/1701
>>        rightprotoport=17/%any
>>        also=roadwarrior
>>
>> conn roadwarrior-l2tp-updatedwin
>>        leftprotoport=17/1701
>>        rightprotoport=17/1701
>>        also=roadwarrior
>>
>> conn roadwarrior
>>        pfs=no
>>        left=%defaultroute
>>        leftnexthop=%defaultroute
>>        right=%any
>>        rightsubnet=vhost:%no,%priv
>>        auto=add
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> ==> auth.log <==
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [RFC 3947] method set to=109
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
>> Nov  9 08:43:34 localhost pluto[4713]: packet from 12x.xxx.xxx.xx:500: received Vendor ID payload [Dead Peer Detection]
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: responding to Main Mode from unknown peer 12x.xxx.xxx.xx
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: Main mode peer ID is ID_IPV4_ADDR: '12x.xxx.xxx.xx'
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: new NAT mapping for #1, was 12x.xxx.xxx.xx:500, now 12x.xxx.xxx.xx:4500
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
>> Nov  9 08:43:34 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: received and ignored informational message
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: the peer proposed: 67.xxx.xxx.xx/32:0/0 -> 12x.xxx.xxx.xx/32:0/0
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1: peer proposal was reject in a virtual connection policy because:
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: responding to Quick Mode proposal {msgid:75ecafb6}
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2:     us: 192.168.1.0/24===67.xxx.xxx.xx[+S=C]---67.163.244.1
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2:   them: 12x.xxx.xxx.xx[+S=C]
>> Nov  9 08:43:35 localhost pluto[4713]: | NAT-OA: 0 tunnel: 0
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> Nov  9 08:43:35 localhost pluto[4713]: "roadwarrior-net"[1] 12x.xxx.xxx.xx #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x038a7551 <0x80ef64f3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=12x.xxx.xxx.xx:4500 DPD=none}
>>
>> ==> syslog <==
>> Nov  9 08:43:37 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
>> Nov  9 08:43:38 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
>> Nov  9 08:43:42 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
>> Nov  9 08:43:42 localhost xl2tpd[1501]: Maximum retries exceeded for tunnel 64994.  Closing.
>> Nov  9 08:43:50 localhost xl2tpd[1501]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
>> Nov  9 08:43:50 localhost xl2tpd[1501]: Connection 18 closed to 12x.xxx.xxx.xx, port 64166 (Timeout)
>>
>> On Nov 8, 2009, at 5:34 PM, Damon Morda wrote:
>>
>>> Sorry, turns out I had to install a few packages to compile it.
>>> Specifically...
>>>
>>> build-essential
>>> libgmp3-dev
>>> bison
>>> libgmp
>>> flex
>>> xmlto
>>>
>>> Once those were installed, I was able to compile and install
>>> openswan 2.6.24rc2 successfully. This version resolved my VPN woes;
>>> if you need any logs, config files, etc. to help your development
>>> efforts, let me know.
>>>
>>> On Nov 8, 2009, at 5:30 PM, Randy Wyatt wrote:
>>>
>>>> Did you specify gmp-dir in your config ?
>>>>
>>>> gmplib.org
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: users-bounces at openswan.org on behalf of Damon Morda
>>>> Sent: Sun 11/8/2009 2:02 PM
>>>> To: Tuomo Soini
>>>> Cc: Users at openswan.org
>>>> Subject: Re: [Openswan Users] XL2TP and NAT problems with Ubuntu
>>>> 9.10 andOpenswan 6.22
>>>>
>>>> I've downloaded 2.6.24rc2, but can't get it to build using the
>>>> "make programs install" method. I receive the following error.
>>>>
>>>> In file included from /home/user/openswan-2.6.24rc2/include/certs.h:24,
>>>>                 from /home/user/openswan-2.6.24rc2/lib/libopenswan/id.c:39:
>>>> /home/user/openswan-2.6.24rc2/include/secrets.h:20:41: error: gmp.h: No such file or directory
>>>> In file included from /home/user/openswan-2.6.24rc2/include/certs.h:24,
>>>>                 from /home/user/openswan-2.6.24rc2/lib/libopenswan/id.c:39:
>>>> /home/user/openswan-2.6.24rc2/include/secrets.h:43: error: expected specifier-qualifier-list before 'MP_INT'
>>>> /home/user/openswan-2.6.24rc2/include/secrets.h:54: error: expected specifier-qualifier-list before 'MP_INT'
>>>> make[3]: *** [id.o] Error 1
>>>> make[3]: Leaving directory `/home/user/openswan-2.6.24rc2/OBJ.linux.i386/lib/libopenswan'
>>>> make[2]: *** [programs] Error 1
>>>> make[2]: Leaving directory `/home/user/openswan-2.6.24rc2/OBJ.linux.i386/lib'
>>>> make[1]: *** [programs] Error 1
>>>> make[1]: Leaving directory `/home/user/openswan-2.6.24rc2/OBJ.linux.i386'
>>>> make: *** [programs] Error 2
>>>>
>>>> Ideas?
>>>>
>>>> On Nov 8, 2009, at 2:32 PM, Tuomo Soini wrote:
>>>>
>>>>> Damon Morda wrote:
>>>>>> Hello everyone,
>>>>>
>>>>>> OS: Ubuntu Linux 9.10 Server
>>>>>> Kernel: 2.6.31-14
>>>>>> Openswan: Linux Openswan U2.6.22/K2.6.31-14-generic-pae (netkey)
>>>>>> xl2tpd version: xl2tpd-1.2.4
>>>>>
>>>>> Openswan-2.6.x where x < 24rc2 won't work with natted transport mode.
>>>>> Upgrading to 2.6.24rc2 will help us to nail possible bugs caused by
>>>>> fixing this issue. If you can, please test it.
>>>>>
>>>>> --
>>>>> Tuomo Soini <tis at foobar.fi>
>>>>> Foobar Linux services
>>>>> +358 40 5240030
>>>>> Foobar Oy <http://foobar.fi/>
>>>>
>>>>
>>>>
>>>
>>

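The vhost:%no versus %priv decision behind the workaround above, as an added example that is not part of this thread or of Openswan's code: a Python model of how a peer's proposed client subnet is checked against a rightsubnet=vhost:... policy and the virtual_private list quoted in the thread, with the constructed address 198.51.100.7 standing in for the masked 12x.xxx.xxx.xx. It follows the documented meaning of %no (the peer uses its own address) and %priv (the peer uses a virtual address from virtual_private) and reproduces the rejection reason seen in the auth.log; it does not model the NAT-detection bug the thread refers to.

```python
import ipaddress

# Constructed for this example: the virtual_private= list from the ipsec.conf
# quoted in the thread, joined onto one line.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:172.17.17.0/32,%v4:!192.168.100.0/24")

def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) network lists.
    Entries are %v4:NET/LEN or %v6:NET/LEN; a '!' after the colon excludes.
    This follows the documented syntax; it is not Openswan's own parser."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        family, _, net = item.partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError("unknown virtual_private entry: " + item)
        target = excluded if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!"), strict=False))
    return allowed, excluded

def vhost_accepts(rightsubnet, peer_addr, proposed, virtual_private):
    """Decide whether a peer's proposed client subnet is permitted by a
    rightsubnet=vhost:... policy. Returns (accepted, reason); the reasons echo
    pluto's log wording. Only the %no and %priv flags are modelled."""
    flags = rightsubnet.split(":", 1)[1].split(",")
    net = ipaddress.ip_network(proposed, strict=False)
    peer = ipaddress.ip_address(peer_addr)
    # %no: the peer may use its own address, as a single-host subnet
    if "%no" in flags and net.prefixlen == net.max_prefixlen and peer in net:
        return True, "host-only proposal equals the peer address (%no)"
    # %priv: the peer may use a virtual address drawn from virtual_private
    if "%priv" in flags:
        allowed, excluded = parse_virtual_private(virtual_private)
        inside = any(a.version == net.version and net.subnet_of(a) for a in allowed)
        banned = any(net.overlaps(x) for x in excluded)
        if inside and not banned:
            return True, "virtual IP is inside virtual_private (%priv)"
        return False, ("a private network virtual IP was required, but the "
                       "proposed IP did not match our list (virtual_private=)")
    return False, "virtual IP is not allowed"

if __name__ == "__main__":
    # 198.51.100.7 is a constructed stand-in for the masked 12x.xxx.xxx.xx
    for policy, proposed in [("vhost:%no,%priv", "198.51.100.7/32"), ("vhost:%priv", "198.51.100.7/32"),
                             ("vhost:%priv", "192.168.100.9/32"), ("vhost:%no", "10.1.2.3/32")]:
        print(policy, proposed, vhost_accepts(policy, "198.51.100.7", proposed, VIRTUAL_PRIVATE))
```

The second case is the situation in the auth.log: a public /32 is outside every %priv network, so a %priv-only match fails, while %no judges the same host-only proposal against the peer address instead.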

