[Openswan Users] Roadwarrior connection (NAT)

lists+openswan at roth.lu
Thu Feb 11 01:07:10 EST 2010


Hey there,

I am trying to connect my Nokia E71 (roadwarrior behind NAT).
I have tried many things, now I am stuck at STATE_QUICK_R2.


Feb 11 04:35:41 pluto[5172]: Starting Pluto (Openswan Version 2.6.24;
Vendor ID OEU}`hAnwstx) pid:5172
Feb 11 04:35:41 pluto[5172]: Setting NAT-Traversal port-4500 floating to on
Feb 11 04:35:41 pluto[5172]:    port floating activation criteria
nat_t=1/port_float=1
Feb 11 04:35:41 pluto[5172]:    NAT-Traversal support  [enabled]
Feb 11 04:35:41 pluto[5172]: using /dev/urandom as source of random entropy
Feb 11 04:35:41 pluto[5172]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Feb 11 04:35:41 pluto[5172]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Feb 11 04:35:41 pluto[5172]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Feb 11 04:35:41 pluto[5172]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Feb 11 04:35:41 pluto[5172]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Feb 11 04:35:41 pluto[5172]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Feb 11 04:35:41 pluto[5172]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Feb 11 04:35:41 pluto[5172]: starting up 1 cryptographic helpers
Feb 11 04:35:41 pluto[5172]: started helper pid=5173 (fd:7)
Feb 11 04:35:41 pluto[5172]: Using Linux 2.6 IPsec interface code on
2.6.26-2-686 (experimental code)
Feb 11 04:35:41 pluto[5173]: using /dev/urandom as source of random entropy
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): WARNING: enc alg=0
not found in constants.c:oakley_enc_names
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): Activating <NULL>:
Ok (ret=0)
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): WARNING: enc alg=0
not found in constants.c:oakley_enc_names
Feb 11 04:35:42 pluto[5172]: ike_alg_add(): ERROR: Algorithm already exists
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): Activating <NULL>:
FAILED (ret=-17)
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): WARNING: enc alg=0
not found in constants.c:oakley_enc_names
Feb 11 04:35:42 pluto[5172]: ike_alg_add(): ERROR: Algorithm already exists
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): Activating <NULL>:
FAILED (ret=-17)
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): WARNING: enc alg=0
not found in constants.c:oakley_enc_names
Feb 11 04:35:42 pluto[5172]: ike_alg_add(): ERROR: Algorithm already exists
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): Activating <NULL>:
FAILED (ret=-17)
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): WARNING: enc alg=0
not found in constants.c:oakley_enc_names
Feb 11 04:35:42 pluto[5172]: ike_alg_add(): ERROR: Algorithm already exists
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): Activating <NULL>:
FAILED (ret=-17)
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): WARNING: enc alg=0
not found in constants.c:oakley_enc_names
Feb 11 04:35:42 pluto[5172]: ike_alg_add(): ERROR: Algorithm already exists
Feb 11 04:35:42 pluto[5172]: ike_alg_register_enc(): Activating <NULL>:
FAILED (ret=-17)
Feb 11 04:35:42 pluto[5172]: Changed path to directory
'/etc/ipsec.d/cacerts'
Feb 11 04:35:42 pluto[5172]: Changed path to directory
'/etc/ipsec.d/aacerts'
Feb 11 04:35:42 pluto[5172]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Feb 11 04:35:42 pluto[5172]: Changing to directory '/etc/ipsec.d/crls'
Feb 11 04:35:42 pluto[5172]:   Warning: empty directory
Feb 11 04:35:42 pluto[5172]: added connection description "E71-p-new"
Feb 11 04:35:42 pluto[5172]: listening for IKE messages
Feb 11 04:35:42 pluto[5172]: NAT-Traversal: Trying new style NAT-T
Feb 11 04:35:42 pluto[5172]: NAT-Traversal: ESPINUDP(1) setup failed for
new style NAT-T family IPv4 (errno=19)
Feb 11 04:35:42 pluto[5172]: NAT-Traversal: Trying old style NAT-T
Feb 11 04:35:42 pluto[5172]: adding interface vmnet1/vmnet1
192.168.189.1:500
Feb 11 04:35:42 pluto[5172]: adding interface vmnet1/vmnet1
192.168.189.1:4500
Feb 11 04:35:42 pluto[5172]: adding interface tun0/tun0 10.8.0.1:500
Feb 11 04:35:42 pluto[5172]: adding interface tun0/tun0 10.8.0.1:4500
Feb 11 04:35:42 pluto[5172]: adding interface eth0/eth0 192.168.2.9:500
Feb 11 04:35:42 pluto[5172]: adding interface eth0/eth0 192.168.2.9:4500
Feb 11 04:35:42 pluto[5172]: adding interface eth0/eth0 10.28.39.1:500
Feb 11 04:35:42 pluto[5172]: adding interface eth0/eth0 10.28.39.1:4500
Feb 11 04:35:42 pluto[5172]: adding interface eth0/eth0 78.46.43.yyy:500
Feb 11 04:35:42 pluto[5172]: adding interface eth0/eth0 78.46.43.yyy:4500
[...]
Feb 11 04:35:42 pluto[5172]: loading secrets from "/etc/ipsec.secrets"
Feb 11 04:35:42 pluto[5172]: loaded private key for keyid: PPK_RSA:AQN08sfaL
Feb 11 04:35:57 pluto[5172]: packet from 83.217.154.xxx:500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x19fea24e
Feb 11 04:35:57 pluto[5172]: packet from 83.217.154.xxx:500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0xc97ca44e
Feb 11 04:36:09 pluto[5172]: packet from 83.217.154.xxx:500: received
Vendor ID payload [XAUTH]
Feb 11 04:36:09 pluto[5172]: packet from 83.217.154.xxx:500: received
Vendor ID payload [Cisco-Unity]
Feb 11 04:36:09 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1:
responding to Main Mode from unknown peer 83.217.154.xxx
Feb 11 04:36:09 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 11 04:36:09 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1: ignoring
unknown Vendor ID payload [47504505f0b56af8ce73b0f3466cd999]
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1: Main mode
peer ID is ID_KEY_ID: '@#0x69697076706e'
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1: switched
from "E71-p-new" to "E71-p-new"
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1: deleting
connection "E71-p-new" instance with peer 83.217.154.xxx
{isakmp=#0/ipsec=#0}
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1:
modecfg_inR0(STF_OK)
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1:
transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1:
STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Feb 11 04:36:11 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1: ignoring
informational payload, type IPSEC_REPLAY_STATUS msgid=00000000
Feb 11 04:36:11 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1: the peer
proposed: 0.0.0.0/0:0/0 -> 10.28.39.2/32:0/0
Feb 11 04:36:11 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2:
responding to Quick Mode proposal {msgid:ce2d8251}
Feb 11 04:36:11 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2:     us:
0.0.0.0/0===78.46.43.yyy<78.46.43.yyy>[MS+S=C]
Feb 11 04:36:11 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2:   them:
83.217.154.xxx[@#0x69697076706e,+MC+S=C]===10.28.39.2/32
Feb 11 04:36:11 pluto[5172]: | NAT-OA: 0 tunnel: 0
Feb 11 04:36:12 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 11 04:36:12 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 11 04:36:12 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 11 04:36:12 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x66414da3
<0xe64014d9 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}


In any case, no data is going through the line.
Or maybe it's a routing issue?
When I ping the remote address (i.e. 10.28.39.2) from the gateway, I can
see ESP packets going to 83.217.154.xxx. There is no reply, however.
I see nothing at all coming from 83.217.154.xxx (gateway doing NAT with
client behind it).

Here's the config:

conn E71-p-new
        # Authentication method PSK
        authby=secret
        pfs=no
        auto=add
        rekey=no
        keylife=86400s
        # Modeconfig setting
        modecfgpull=yes
        type=tunnel
        # local endpoint
        left=78.46.43.yyy
        leftsubnet=0.0.0.0/0
        leftmodecfgserver=yes
        leftsourceip=10.28.39.1
        #
        right=%any
        rightmodecfgclient=yes
        rightsourceip=10.28.39.2
        rightsubnet=10.28.39.2/32


Debug is off. Tell me what parts you would want me to switch on.

Thanks.

JM
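As an added example (not from the original post and not Openswan's own code), the following Python script reads the pluto log excerpt quoted above, extracts the IKE state transitions per SA and the attributes of the established IPsec SA, and reports the NAT-traversal facts a reviewer would check first: the kernel refused the ESPINUDP setup (errno 19 is ENODEV), and the Quick Mode SA came up with NATD=none, meaning no NAT was detected between the peers, so the gateway emits plain ESP (IP protocol 50) rather than UDP-encapsulated ESP on port 4500. The log lines are copied from the post with the mail client's wrapping undone; the regexes, dictionary keys and finding texts are mine.

```python
"""Triage helper for Openswan/pluto IKEv1 logs (illustrative, not Openswan code).

Extracts state transitions, the established IPsec SA attributes and NAT-T
status from pluto syslog lines and reports NAT-traversal inconsistencies.
"""
import errno
import re

# Log lines copied from the mailing-list post, with the mail client's line
# wrapping undone. Trailing address octets were already masked by the poster.
SAMPLE_LOG = """\
Feb 11 04:35:41 pluto[5172]: Setting NAT-Traversal port-4500 floating to on
Feb 11 04:35:42 pluto[5172]: NAT-Traversal: Trying new style NAT-T
Feb 11 04:35:42 pluto[5172]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Feb 11 04:35:42 pluto[5172]: NAT-Traversal: Trying old style NAT-T
Feb 11 04:36:09 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[1] 83.217.154.xxx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 11 04:36:10 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Feb 11 04:36:12 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 11 04:36:12 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 11 04:36:12 pluto[5172]: "E71-p-new"[2] 83.217.154.xxx #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x66414da3 <0xe64014d9 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# Message shapes exactly as they appear in the post.
TRANSITION_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): '
    r'transition from state (?P<src>\S+) to state (?P<dst>\S+)')
IPSEC_SA_RE = re.compile(
    r'#(?P<sa>\d+): STATE_QUICK_R2: IPsec SA established (?P<mode>\w+) mode '
    r'\{(?P<attrs>[^}]*)\}')
ESPINUDP_FAIL_RE = re.compile(
    r'NAT-Traversal: ESPINUDP\(\d+\) setup failed .*\(errno=(?P<errno>\d+)\)')
NATT_STYLE_RE = re.compile(r'NAT-Traversal: Trying (?P<style>new|old) style NAT-T')


def parse_sa_attrs(attrs: str) -> dict:
    """Turn 'ESP=>0x.. <0x.. xfrm=.. NATOA=none ...' into a flat dict."""
    out = {}
    spi = re.search(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)', attrs)
    if spi:
        out['spi_out'], out['spi_in'] = spi.group(1), spi.group(2)
    # Generic key=value pairs; the ESP=> token is skipped because '>' is excluded.
    for key, value in re.findall(r'\b(\w+)=([^\s>]\S*)', attrs):
        out[key] = value
    return out


def analyse(log_text: str) -> dict:
    """Scan pluto log lines and return structured facts plus human-readable findings."""
    report = {'transitions': [], 'natt_style': None,
              'espinudp_errno': None, 'ipsec_sa': None, 'findings': []}
    for line in log_text.splitlines():
        if m := TRANSITION_RE.search(line):
            report['transitions'].append(
                {k: m.group(k) for k in ('conn', 'peer', 'sa', 'src', 'dst')})
        elif m := IPSEC_SA_RE.search(line):
            sa = parse_sa_attrs(m.group('attrs'))
            sa['sa'], sa['mode'] = m.group('sa'), m.group('mode')
            report['ipsec_sa'] = sa
        elif m := ESPINUDP_FAIL_RE.search(line):
            report['espinudp_errno'] = int(m.group('errno'))
        elif m := NATT_STYLE_RE.search(line):
            report['natt_style'] = m.group('style')  # the last style tried wins

    # Last state reached per SA number (dict comprehension keeps the final entry).
    report['last_state'] = {t['sa']: t['dst'] for t in report['transitions']}

    num = report['espinudp_errno']
    if num is not None:
        name = errno.errorcode.get(num, 'unknown')
        report['espinudp_errname'] = name
        report['findings'].append(
            f'kernel refused ESP-in-UDP encapsulation setup (errno={num} {name}); '
            f'pluto fell back to {report["natt_style"]}-style NAT-T')
    sa = report['ipsec_sa']
    if sa is not None:
        if sa.get('NATD') == 'none':
            report['findings'].append(
                f'IPsec SA #{sa["sa"]} established with NATD=none: no NAT detected '
                'between the peers, so ESP leaves as IP protocol 50 instead of UDP/4500; '
                'most NAT devices cannot map unencapsulated ESP back to the client')
        if sa.get('DPD') == 'none':
            report['findings'].append(
                f'IPsec SA #{sa["sa"]} has DPD=none: a vanished peer is not detected '
                'and the SA lingers until its lifetime expires')
    return report


if __name__ == '__main__':
    rep = analyse(SAMPLE_LOG)
    for sa_num, state in rep['last_state'].items():
        print(f'SA #{sa_num}: last state {state}')
    for finding in rep['findings']:
        print('FINDING:', finding)
```

Running it against the excerpt prints the last state per SA (#1 at STATE_MAIN_R3, #2 at STATE_QUICK_R2) followed by the three findings; the same regexes can be pointed at a live syslog to watch for tunnels that establish without NAT detection or without dead-peer detection.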

