[Openswan Users] L2TP/IPSEC response unencrypted (was openswan-2.6.24rc1 NATed MacOS Kernel crash)

Giovani Moda giovani at mrinformatica.com.br
Mon Oct 26 18:07:35 EDT 2009


> Will do some more tests later on and let you know.

Confirmed, I'm getting unencrypted server-to-client responses on the
external interface (eth0) when using KLIPS with NAT-T. Is this still
#1004? The client is an XP SP2 box, connecting through Linux doing NAT.
Here are the logs:

tcpdump -i ipsec0 -nn

tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
17:53:24.438872 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
17:53:25.439089 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
17:53:27.440072 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
17:53:31.444660 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
17:53:39.445722 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
17:53:49.448388 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
17:53:59.466098 IP 192.168.1.67.4500 > 192.168.1.5.4500: NONESP-encap:
isakmp: phase 2/others ? inf[E]
17:53:59.488671 IP 192.168.1.67.4500 > 192.168.1.5.4500: NONESP-encap:
isakmp: phase 2/others ? inf[E]
17:55:00.899717 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
17:55:01.895436 IP 192.168.2.12.1701 > 192.168.1.67.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...

tcpdump -i eth0 -nn host 192.168.2.12

tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:53:26.439133 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:26.439298 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 ZLB
17:53:27.439358 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:27.440305 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 ZLB
17:53:28.440354 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:29.440361 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:30.440361 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:31.444897 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 ZLB
17:53:31.444915 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(45600)
*RESULT_CODE(1/0 Timeout)
17:53:32.445346 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(45600)
*RESULT_CODE(1/0 Timeout)
17:53:33.445351 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(45600)
*RESULT_CODE(1/0 Timeout)
17:53:34.446343 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(45600)
*RESULT_CODE(1/0 Timeout)
17:53:35.446350 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(45600)
*RESULT_CODE(1/0 Timeout)
17:53:39.445984 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 ZLB
17:53:51.448738 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:52.449342 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:53.449370 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:54.450342 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:55.450360 IP 192.168.1.67.1701 > 192.168.2.12.1701:
l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...

/var/log/secure

Oct 26 17:53:59 inet pluto[25462]: packet from 192.168.1.5:4500:
received and ignored informational message
Oct 26 17:55:00 inet pluto[25462]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 26 17:55:00 inet pluto[25462]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [FRAGMENTATION]
Oct 26 17:55:00 inet pluto[25462]: packet from 192.168.1.5:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 26 17:55:00 inet pluto[25462]: packet from 192.168.1.5:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
responding to Main Mode from unknown peer 192.168.1.5
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
STATE_MAIN_R1: sent MR1, expecting MI2
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
STATE_MAIN_R2: sent MR2, expecting MI3
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: Main mode
peer ID is ID_DER_ASN1_DN: 'C=BR, ST=Sao Paulo, L=Piracicaba, O=Teste
Co, CN=mr.testdomain.com.br'
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: I am
sending my cert
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: new NAT
mapping for #11, was 192.168.1.5:500, now 192.168.1.5:4500
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: peer
client type is FQDN
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: Applying
workaround for MS-818043 NAT-T bug
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: IDci was
FQDN: \300\250\001C, using NAT_OA=192.168.2.12/32 as IDci
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: the peer
proposed: 192.168.1.67/32:17/1701 -> 192.168.2.12/32:17/0
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12:
responding to Quick Mode proposal {msgid:d0e5306a}
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12:     us:
192.168.1.67<192.168.1.67>[+S=C]:17/1701
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12:   them:
192.168.1.5[C=BR, ST=Sao Paulo, L=Piracicaba, O=Teste Co,
CN=mr.testdomain.com.br,+S=C]:17/1701===?
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf5299cee
<0x92b8cd66 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.2.12
NATD=192.168.1.5:4500 DPD=none}
Oct 26 17:55:35 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: received
Delete SA(0xf5299cee) payload: deleting IPSEC State #12
Oct 26 17:55:35 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: received
and ignored informational message
Oct 26 17:55:35 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: received
Delete SA payload: deleting ISAKMP State #11
Oct 26 17:55:35 inet pluto[25462]: "MR-Co"[6] 192.168.1.5: deleting
connection "MR-Co" instance with peer 192.168.1.5 {isakmp=#0/ipsec=#0}

/etc/ipsec.conf

config setup
        klipsdebug=none
        plutodebug=none
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        uniqueids=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.31.0.0/12,%v4:!192.168.0.0/24,%v4:192.168.1.0/24,%v4:192.168.2.0/24
        protostack=klips
        oe=off

conn %default
        compress=yes
        disablearrivalcheck=no

conn MR-Co
        authby=rsasig
        rightcert=mr.pem
        rightid="C=BR, ST=Sao Paulo, L=Piracicaba, O=Teste Co,
CN=mr.testdomain.com.br"
        auto=add
        also=l2tp-ipsec

conn l2tp-ipsec
        pfs=no
        type=transport
        left=192.168.1.67
        leftcert=inet.pem
        leftrsasigkey=%cert
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightprotoport=17/%any
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        rekey=no


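A small check for the symptom described in this mail, added here as an illustration and not part of the original post or of Openswan: it reads pluto's "IPsec SA established" lines to learn which inner (NAT_OA) address belongs to a NAT-T peer and which outer address:port (NATD) its ESP traffic must use, then walks a tcpdump -nn capture of the external interface and flags any L2TP (UDP 1701) packet to or from that inner address that is not wrapped in UDP-encapsulated ESP. The sample capture and log lines are constructed from the post's output (unwrapped and shortened); the tcpdump and pluto line formats are assumed to be the ones shown above.

```python
import re
from collections import Counter

# Constructed sample input modelled on the post's /var/log/secure lines
# (shortened and unwrapped; not the original log).
PLUTO_LOG = """\
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 26 17:55:00 inet pluto[25462]: "MR-Co"[6] 192.168.1.5 #12: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf5299cee <0x92b8cd66 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.2.12 NATD=192.168.1.5:4500 DPD=none}
"""

# Constructed sample capture of the external interface (tcpdump -i eth0 -nn),
# modelled on the post; the last line is a made-up properly encapsulated ESP packet.
ETH0_CAPTURE = """\
17:53:26.439133 IP 192.168.1.67.1701 > 192.168.2.12.1701: l2tp:[TLS](31/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
17:53:26.439298 IP 192.168.1.67.1701 > 192.168.2.12.1701: l2tp:[TLS](31/0)Ns=0,Nr=1 ZLB
17:53:59.466098 IP 192.168.1.67.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:54:10.000000 IP 192.168.1.67.4500 > 192.168.1.5.4500: UDP-encap: ESP(spi=0xf5299cee,seq=0x1), length 132
"""

# One tcpdump -nn line: timestamp, src.port > dst.port: protocol decode.
PKT_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$'
)
# pluto's SA line carries the NAT-T peer's inner address (NATOA) and outer endpoint (NATD).
SA_RE = re.compile(
    r'IPsec SA established .*NATOA=(?P<natoa>[\d.]+) NATD=(?P<natd>[\d.]+):(?P<port>\d+)'
)
MSGTYPE_RE = re.compile(r'\*MSGTYPE\((\w+)\)')


def parse_sa_mappings(pluto_log):
    """Return {inner_addr: (outer_addr, outer_port)} for every established NAT-T SA."""
    mappings = {}
    for line in pluto_log.splitlines():
        m = SA_RE.search(line)
        if m:
            mappings[m['natoa']] = (m['natd'], int(m['port']))
    return mappings


def classify(rest):
    """Coarse class of a packet from tcpdump's decode text."""
    if rest.startswith('l2tp:'):
        return 'l2tp-plaintext'      # L2TP visible on the wire, i.e. not inside ESP
    if rest.startswith('UDP-encap: ESP') or rest.startswith('ESP('):
        return 'esp'                 # what protected traffic should look like
    if 'isakmp' in rest:
        return 'isakmp'              # IKE control traffic, expected in the clear
    return 'other'


def summarize(capture):
    """Count packets per class; a non-zero 'l2tp-plaintext' on the outer interface is suspicious."""
    return Counter(classify(m['rest']) for m in map(PKT_RE.match, capture.splitlines()) if m)


def find_plaintext_leaks(capture, mappings):
    """Flag plaintext L2TP packets whose peer is an inner address that should only appear inside ESP."""
    leaks = []
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m or classify(m['rest']) != 'l2tp-plaintext':
            continue
        for addr in (m['src'], m['dst']):
            if addr in mappings:
                outer, port = mappings[addr]
                mt = MSGTYPE_RE.search(m['rest'])
                leaks.append({
                    'time': m['ts'],
                    'src': f"{m['src']}:{m['sport']}",
                    'dst': f"{m['dst']}:{m['dport']}",
                    'inner_peer': addr,
                    'expected_outer': f'{outer}:{port}',
                    'msgtype': mt.group(1) if mt else ('ZLB' if 'ZLB' in m['rest'] else 'data'),
                })
                break
    return leaks


if __name__ == '__main__':
    mappings = parse_sa_mappings(PLUTO_LOG)
    print('NAT-T peers:', mappings)
    print('eth0 packet classes:', dict(summarize(ETH0_CAPTURE)))
    for leak in find_plaintext_leaks(ETH0_CAPTURE, mappings):
        print(f"LEAK {leak['time']} {leak['src']} -> {leak['dst']} L2TP {leak['msgtype']} "
              f"in the clear; expected UDP-encap ESP to {leak['expected_outer']}")
```

Run against real data by replacing the two constructed strings with the contents of /var/log/secure and the output of tcpdump -i eth0 -nn host <client>; every reported leak is a packet that left the box without going through the IPsec SA that pluto installed for that peer.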