[Openswan Users] NAT connection problem
Holger Rabbach (ICT)
Holger.Rabbach at ict.om.org
Fri Aug 6 08:49:08 EDT 2010
Hi all,
I've spent quite a bit of time trying to get to the root of the problem I have with my Openswan setup, but can't seem to find useful answers anywhere, so maybe someone on this list can point me in the right direction.
My setup:
CentOS 5.5 server with Openswan 2.6.21, with a direct Internet connection, no firewall currently installed, IP address replaced with "my.ip.address" in log and config file examples
Windows 7 client on a NATed network
xl2tpd installed (but the problem seems to appear before I even get to the l2tp stage)
The problem:
When trying to connect from my Windows client (internal network IP 10.0.0.110), I see the following in /var/log/secure and the connection fails:
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: responding to Main Mode from unknown peer 79.205.118.89
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: pluto_do_crypto: helper (-1) is exiting
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: pluto_do_crypto: helper (-1) is exiting
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.110'
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: deleting connection "L2TP-PSK-NAT" instance with peer 79.205.118.89 {isakmp=#0/ipsec=#0}
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: new NAT mapping for #1, was 79.205.118.89:500, now 79.205.118.89:4500
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: the peer proposed: my.ip.address/32:17/1701 -> 10.0.0.110/32:17/0
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: cannot respond to IPsec SA request because no connection is known for my.ip.address<my.ip.address>[+S=C]:17/1701...79.205.118.89[10.0.0.110,+S=C]:17/1701===10.0.0.110/32
[...]
Configuration files:
/etc/ipsec.conf:
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.1.0/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
/etc/ipsec.d/l2tp-psk.conf:
conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=my.ip.address
    leftnexthop=my.next.ip.address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
Any help pointing me in the right direction would be very much appreciated :)
Best regards,
Holger
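Added example for reading pluto output of the kind pasted above. This is not Openswan code and not Holger's code; it is a small parser I wrote against the line formats visible in his excerpt (syslog prefix, then either "packet from <ip>:<port>: ..." or '"<conn>"[<instance>] <ip> #<sa>: ...'). It collects, per peer, the Main Mode state transitions, the NAT-T result and port mapping, the peer ID, the ISAKMP SA parameters, the Phase 2 selectors the peer proposed, and the "no connection is known for" description pluto prints when it cannot match a conn, and it splits that description along pluto's own left...right===client notation. The sample log is the excerpt from the post with the two wrapped lines rejoined; the function names, the summary keys and the outcome labels are my own.

```python
"""Summarise an IKEv1 negotiation from Openswan pluto log lines.

Added example (not Openswan code, not the poster's code). The line formats
are taken from the excerpt in the post; everything else is an assumption.
"""
import re
from collections import defaultdict

# Syslog prefix, e.g.  Aug 6 14:21:45 vpn pluto[5446]: <rest>
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# Once a connection instance is chosen:  "L2TP-PSK-NAT"[1] 79.205.118.89 #1: <msg>
CONN_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
# Before one is chosen:  packet from 79.205.118.89:500: <msg>
PACKET_RE = re.compile(r"^packet from (?P<peer>[\d.]+):(?P<port>\d+): (?P<msg>.*)$")

STATE_RE = re.compile(r"transition from state \S+ to state (?P<new>\S+)")
GROUP_RE = re.compile(r"OAKLEY_GROUP (?P<group>\d+) not supported")
NAT_MAP_RE = re.compile(r"new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)")
PEER_ID_RE = re.compile(r"Main mode peer ID is \S+: '(?P<id>[^']*)'")
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
PROPOSED_RE = re.compile(r"the peer proposed: (?P<local>\S+) -> (?P<remote>\S+)")
NO_CONN_RE = re.compile(r"no connection is known for (?P<sel>\S+)")


def parse_line(line):
    """Split one pluto syslog line into fields; None if it is not pluto output."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m.group("time"), "pid": int(m.group("pid")), "peer": None,
           "conn": None, "sa": None, "msg": m.group("rest")}
    cm = CONN_RE.match(rec["msg"])
    if cm:
        rec.update(conn=cm.group("conn"), inst=int(cm.group("inst")), peer=cm.group("peer"),
                   sa=int(cm.group("sa")), msg=cm.group("msg"))
        return rec
    pm = PACKET_RE.match(rec["msg"])
    if pm:
        rec.update(peer=pm.group("peer"), port=int(pm.group("port")), msg=pm.group("msg"))
    return rec


def new_summary():
    """Empty per-peer record (keys are this example's own naming)."""
    return {"states": [], "unsupported_groups": [], "nat_detected": False, "nat_mapping": None,
            "peer_id": None, "isakmp": None, "proposed": None, "no_connection_for": None}


def summarise(lines):
    """Return {peer_ip: summary} describing how far each peer's negotiation got."""
    peers = defaultdict(new_summary)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["peer"] is None:
            continue
        s, msg = peers[rec["peer"]], rec["msg"]
        m = STATE_RE.search(msg)
        if m:
            s["states"].append(m.group("new"))
        m = GROUP_RE.search(msg)
        if m:
            s["unsupported_groups"].append(int(m.group("group")))
        if "peer is NATed" in msg:
            s["nat_detected"] = True
        m = NAT_MAP_RE.search(msg)
        if m:
            s["nat_mapping"] = (m.group("old"), m.group("new"))
        m = PEER_ID_RE.search(msg)
        if m:
            s["peer_id"] = m.group("id")
        m = ISAKMP_RE.search(msg)
        if m:
            s["isakmp"] = dict(kv.split("=", 1) for kv in m.group("params").split())
        m = PROPOSED_RE.search(msg)
        if m:
            s["proposed"] = (m.group("local"), m.group("remote"))
        m = NO_CONN_RE.search(msg)
        if m:
            s["no_connection_for"] = m.group("sel")
    return dict(peers)


def split_selector(sel):
    """Break pluto's 'left:proto/port...right:proto/port===client' text into parts."""
    left, _, rest = sel.partition("...")
    right, _, client = rest.partition("===")
    lhost, _, lpp = left.rpartition(":")
    rhost, _, rpp = right.rpartition(":")
    return {"left": lhost, "left_protoport": lpp,
            "right": rhost, "right_protoport": rpp, "right_client": client}


def outcome(s):
    """Name the phase at which this peer's negotiation stopped (labels are mine)."""
    if s["isakmp"] is None:
        return "phase1-incomplete"
    if s["no_connection_for"] is not None:
        return "phase1-ok, phase2-no-matching-conn"
    return "phase1-ok"


# Sample input: the excerpt from the post, wrapped lines rejoined.
SAMPLE_LOG = """\
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: responding to Main Mode from unknown peer 79.205.118.89
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Aug 6 14:21:45 vpn pluto[5446]: packet from 79.205.118.89:500: pluto_do_crypto: helper (-1) is exiting
Aug 6 14:21:45 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[1] 79.205.118.89 #1: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.110'
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: new NAT mapping for #1, was 79.205.118.89:500, now 79.205.118.89:4500
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: the peer proposed: my.ip.address/32:17/1701 -> 10.0.0.110/32:17/0
Aug 6 14:21:46 vpn pluto[5446]: "L2TP-PSK-NAT"[2] 79.205.118.89 #1: cannot respond to IPsec SA request because no connection is known for my.ip.address<my.ip.address>[+S=C]:17/1701...79.205.118.89[10.0.0.110,+S=C]:17/1701===10.0.0.110/32
"""

if __name__ == "__main__":
    for peer, s in summarise(SAMPLE_LOG.splitlines()).items():
        print(peer, outcome(s), s["proposed"])
        if s["no_connection_for"]:
            print("  pluto looked for:", split_selector(s["no_connection_for"]))
```

Run it on a longer /var/log/secure and it reports one record per peer IP; for the excerpt it shows Phase 1 completing with PSK, AES-256, SHA-1 and modp2048 and NAT-T detected, then the Phase 2 request failing because no conn matched the selectors, which is where the question in the post starts. The split of the "no connection is known for" text is purely lexical (on the "..." and "===" separators pluto prints) and does not interpret the bracketed flags.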