[Openswan Users] NAT-T and Transport mode not working?

Michael.Karlinsky at tieto.com Michael.Karlinsky at tieto.com
Thu Jan 7 02:58:05 EST 2010


Hi, thanks for your response.

Here is the information you requested. BTW, in Wireshark I see incoming (B) ESP packets containing L2TP traffic, but no outgoing ESP packets. Outgoing L2TP traffic is not encrypted. I can provide pcap files if you want.

xl2tpd version:  xl2tpd-1.2.4 (compiled with debug flags)
xl2tpd config (identical on A and B except listen-addr)

[global]
;listen-addr = 192.168.10.1
listen-addr = 172.30.64.190

[lns default]
;ip range = 192.168.1.128-192.168.1.254
ip range = 192.168.198.10-192.168.198.10
local ip = 192.168.10.3
require pap = yes
refuse chap = yes
;refuse pap = yes
;require chap = yes
require authentication = yes
name = OpenswanVPNServer
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

[lac L2TPserver]
lns = 217.150.156.76
;lns = 62.157.197.28
refuse chap = yes
require pap = yes
require authentication = no
refuse authentication = no
; Name should be the same as the username in the PPP authentication!
name = gemuser
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

B side /var/log/messages:

Jan  6 13:52:36 ipsectest pluto[2498]: listening for IKE messages
Jan  6 13:52:36 ipsectest pluto[2498]: NAT-Traversal: Trying new style NAT-T
Jan  6 13:52:36 ipsectest pluto[2498]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jan  6 13:52:36 ipsectest pluto[2498]: NAT-Traversal: Trying old style NAT-T
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface eth2/eth2 192.168.120.100:500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface eth2/eth2 192.168.120.100:4500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface eth1/eth1 172.30.64.190:500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface eth1/eth1 172.30.64.190:4500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface eth0/eth0 192.168.255.249:500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface eth0/eth0 192.168.255.249:4500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface lo/lo 127.0.0.2:500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface lo/lo 127.0.0.2:4500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface lo/lo 127.0.0.1:500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface lo/lo 127.0.0.1:4500
Jan  6 13:52:36 ipsectest pluto[2498]: adding interface lo/lo ::1:500
Jan  6 13:52:36 ipsectest pluto[2498]: loading secrets from "/etc/ipsec.secrets"
Jan  6 13:52:36 ipsectest pluto[2498]:   loaded private key file '/etc/ipsec.d/private/ipsectest.VPNK.rel234.labKompCA01.valid.pem' (963 bytes)
Jan  6 13:52:36 ipsectest pluto[2498]: loaded private key for keyid: PPK_RSA:AwEAAYVu9
Jan  6 13:52:36 ipsectest pluto[2498]: loaded private key for keyid: PPK_RSA:AQNx16IRF
Jan  6 13:52:36 ipsectest ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Jan  6 13:52:36 ipsectest ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jan  6 13:52:36 ipsectest ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Jan  6 13:54:29 ipsectest pluto[2498]: packet from 172.30.64.140:500: received Vendor ID payload [Openswan (this version) 2.6.24rc5 ]
Jan  6 13:54:29 ipsectest pluto[2498]: packet from 172.30.64.140:500: received Vendor ID payload [Dead Peer Detection]
Jan  6 13:54:29 ipsectest pluto[2498]: packet from 172.30.64.140:500: received Vendor ID payload [RFC 3947] method set to=109
Jan  6 13:54:29 ipsectest pluto[2498]: packet from 172.30.64.140:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan  6 13:54:29 ipsectest pluto[2498]: packet from 172.30.64.140:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan  6 13:54:29 ipsectest pluto[2498]: packet from 172.30.64.140:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan  6 13:54:29 ipsectest pluto[2498]: packet from 172.30.64.140:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: responding to Main Mode from unknown peer 172.30.64.140
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, O=gematik LTU, CN=gematik Konnektor Zulassung 01, S=gematik-Konnektor, G=v11.15.3, SN=rel234 C.NK.VPN 000.00, T=KONN.NK'
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[1] 172.30.64.140 #1: switched from "vpnk" to "vpnk"
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: deleting connection "vpnk" instance with peer 172.30.64.140 {isakmp=#0/ipsec=#0}
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: I am sending my cert
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: new NAT mapping for #1, was 172.30.64.140:500, now 172.30.64.140:59935
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: Dead Peer Detection (RFC 3706): enabled
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: the peer proposed: 172.30.64.190/32:17/1701 -> 192.168.0.10/32:17/1701
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2: responding to Quick Mode proposal {msgid:7c8ae34a}
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2:     us: 172.30.64.190<172.30.64.190>[C=DE, O=gematik, CN=ipsectest, SN=rel234 VPNK VPN 000.00,+S=C]:17/1701
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2:   them: 172.30.64.140[C=DE, O=gematik LTU, CN=gematik Konnektor Zulassung 01, S=gematik-Konnektor, G=v11.15.3, SN=rel234 C.NK.VPN 000.00, T=KONN.NK,+S=C]:17/1701===192.168.0.10/32
Jan  6 13:54:29 ipsectest pluto[2498]: | NAT-OA: 32 tunnel: 1
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2: Dead Peer Detection (RFC 3706): enabled
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x4bceea88 <0x7b2d75f3 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.10 NATD=172.30.64.140:59935 DPD=enable}
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: global context descriptor
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is listen-addr, value is 172.30.64.190
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_listenaddr: Setting listen address to 172.30.64.190
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is ip range, value is 192.168.198.10-192.168.198.10
Jan  6 13:54:32 ipsectest xl2tpd[2540]: range start = c0a8c60a, end = c0a8c60a, sense=4294967295d
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is local ip, value is 192.168.10.3
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is require pap, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_require pap: require pap  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is refuse chap, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_refuse chap: refuse chap  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is require authentication, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_require authentication: require authentication  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is name, value is OpenswanVPNServer
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_name: name  flag to 'OpenswanVPNServer'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is ppp debug, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_ppp debug: ppp debug  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is pppoptfile, value is /etc/ppp/options.l2tpd
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_pppoptfile: pppoptfile  flag to '/etc/ppp/options.l2tpd'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is length bit, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_length bit: length bit  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: lac context descriptor L2TPserver
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is lns, value is 217.150.156.76
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_lns: setting LNS to '217.150.156.76'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is refuse chap, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_refuse chap: refuse chap  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is require pap, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_require pap: require pap  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is require authentication, value is no
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_require authentication: require authentication  flag to 'no'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is refuse authentication, value is no
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_refuse authentication: refuse authentication  flag to 'no'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is name, value is gemuser
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_name: name  flag to 'gemuser'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is ppp debug, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_ppp debug: ppp debug  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is pppoptfile, value is /etc/ppp/options.l2tpd.client
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_pppoptfile: pppoptfile  flag to '/etc/ppp/options.l2tpd.client'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: parse_config: field is length bit, value is yes
Jan  6 13:54:32 ipsectest xl2tpd[2540]: set_length bit: length bit  flag to 'yes'
Jan  6 13:54:32 ipsectest xl2tpd[2540]: setsockopt recvref[22]: Protocol not available
Jan  6 13:54:32 ipsectest xl2tpd[2540]: This binary does not support kernel L2TP.
Jan  6 13:54:32 ipsectest xl2tpd[2541]: xl2tpd version xl2tpd-1.2.4 started on ipsectest PID:2541
Jan  6 13:54:32 ipsectest xl2tpd[2541]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan  6 13:54:32 ipsectest xl2tpd[2541]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan  6 13:54:32 ipsectest xl2tpd[2541]: Inherited by Jeff McAdams, (C) 2002
Jan  6 13:54:32 ipsectest xl2tpd[2541]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jan  6 13:54:32 ipsectest xl2tpd[2541]: Listening on IP address 172.30.64.190, port 1701
Jan  6 13:54:52 ipsectest xl2tpd[2541]: ourtid = 47706, entropy_buf = ba5a
Jan  6 13:54:52 ipsectest xl2tpd[2541]: check_control: control, cid = 0, Ns = 0, Nr = 0
Jan  6 13:54:54 ipsectest xl2tpd[2541]: trying to send control packet to 47706
Jan  6 13:54:54 ipsectest xl2tpd[2541]: control_xmit: Scheduling and transmitting packet 0
Jan  6 13:54:54 ipsectest xl2tpd[2541]: ourtid = 20392, entropy_buf = 4fa8
Jan  6 13:54:54 ipsectest xl2tpd[2541]: check_control: control, cid = 0, Ns = 0, Nr = 0
Jan  6 13:54:54 ipsectest xl2tpd[2541]: control_finish: Peer requested tunnel 12439 twice, ignoring second one.
Jan  6 13:54:54 ipsectest xl2tpd[2541]: control_zlb: sending control ZLB on tunnel 12439
Jan  6 13:54:54 ipsectest xl2tpd[2541]: call_close: Actually closing tunnel 20392
Jan  6 13:54:54 ipsectest xl2tpd[2541]: ourtid = 32933, entropy_buf = 80a5
Jan  6 13:54:54 ipsectest xl2tpd[2541]: ourcid = 24548, entropy_buf = 5fe4
Jan  6 13:54:54 ipsectest xl2tpd[2541]: check_control: control, cid = 0, Ns = 0, Nr = 0
Jan  6 13:54:54 ipsectest xl2tpd[2541]: control_finish: Peer requested tunnel 12439 twice, ignoring second one.
Jan  6 13:54:54 ipsectest xl2tpd[2541]: control_zlb: sending control ZLB on tunnel 12439
Jan  6 13:54:54 ipsectest xl2tpd[2541]: call_close: Actually closing tunnel 32933
Jan  6 13:54:55 ipsectest xl2tpd[2541]: trying to send control packet to 47706
Jan  6 13:54:55 ipsectest xl2tpd[2541]: control_xmit: Scheduling and transmitting packet 0
Jan  6 13:54:55 ipsectest xl2tpd[2541]: ourtid = 59888, entropy_buf = e9f0
Jan  6 13:54:55 ipsectest xl2tpd[2541]: ourcid = 38673, entropy_buf = 9711
Jan  6 13:54:55 ipsectest xl2tpd[2541]: check_control: control, cid = 0, Ns = 0, Nr = 0
Jan  6 13:54:55 ipsectest xl2tpd[2541]: control_finish: Peer requested tunnel 12439 twice, ignoring second one.
Jan  6 13:54:55 ipsectest xl2tpd[2541]: control_zlb: sending control ZLB on tunnel 12439
Jan  6 13:54:55 ipsectest xl2tpd[2541]: call_close: Actually closing tunnel 59888
Jan  6 13:54:56 ipsectest xl2tpd[2541]: trying to send control packet to 47706
Jan  6 13:54:56 ipsectest xl2tpd[2541]: control_xmit: Scheduling and transmitting packet 0
Jan  6 13:54:56 ipsectest xl2tpd[2541]: ourtid = 32347, entropy_buf = 7e5b
Jan  6 13:54:56 ipsectest xl2tpd[2541]: ourcid = 6153, entropy_buf = 1809
Jan  6 13:54:56 ipsectest xl2tpd[2541]: check_control: control, cid = 0, Ns = 0, Nr = 0
Jan  6 13:54:56 ipsectest xl2tpd[2541]: control_finish: Peer requested tunnel 12439 twice, ignoring second one.
Jan  6 13:54:56 ipsectest xl2tpd[2541]: control_zlb: sending control ZLB on tunnel 12439
Jan  6 13:54:56 ipsectest xl2tpd[2541]: call_close: Actually closing tunnel 32347
Jan  6 13:54:57 ipsectest xl2tpd[2541]: trying to send control packet to 47706
Jan  6 13:54:57 ipsectest xl2tpd[2541]: control_xmit: Scheduling and transmitting packet 0
Jan  6 13:54:58 ipsectest xl2tpd[2541]: trying to send control packet to 47706
Jan  6 13:54:58 ipsectest xl2tpd[2541]: control_xmit: Scheduling and transmitting packet 0
Jan  6 13:54:59 ipsectest xl2tpd[2541]: trying to send control packet to 47706
Jan  6 13:54:59 ipsectest xl2tpd[2541]: Maximum retries exceeded for tunnel 47706.  Closing.

and IPsec status:

000 "vpnk": 172.30.64.190<172.30.64.190>[C=DE, O=gematik, CN=ipsectest, SN=rel234 VPNK VPN 000.00,+S=C]:17/1701...%virtual[+S=C]:17/1701===?; unrouted; eroute owner: #0
000 "vpnk":     myip=unset; hisip=unset; mycert=ipsectest.VPNK.rel234.labKompCA01.valid.cer;
000 "vpnk":   CAs: 'C=DE, O=gematik, CN=gematik Labortest Komponenten CA01'...'%any'
000 "vpnk":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpnk":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW; prio: 32,32; interface: eth1;
000 "vpnk":   dpd: action:hold; delay:60; timeout:10;
000 "vpnk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpnk":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5); flags=-strict
000 "vpnk":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-5,
000 "vpnk":   ESP algorithms wanted: AES(12)_256-SHA1(2); flags=-strict
000 "vpnk":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "vpnk"[2]: 172.30.64.190<172.30.64.190>[C=DE, O=gematik, CN=ipsectest, SN=rel234 VPNK VPN 000.00,+S=C]:17/1701...172.30.64.140[C=DE, O=gematik LTU, CN=gematik Konnektor Zulassung 01, S=gematik-Konnektor, G=v11.15.3, SN=rel234 C.NK.VPN 000.00, T=KONN.NK,+S=C]:17/1701; erouted; eroute owner: #2
000 "vpnk"[2]:     myip=unset; hisip=unset; mycert=ipsectest.VPNK.rel234.labKompCA01.valid.cer;
000 "vpnk"[2]:   CAs: 'C=DE, O=gematik, CN=gematik Labortest Komponenten CA01'...'%any'
000 "vpnk"[2]:   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpnk"[2]:   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW; prio: 32,32; interface: eth1;
000 "vpnk"[2]:   dpd: action:hold; delay:60; timeout:10;
000 "vpnk"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "vpnk"[2]:   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5); flags=-strict
000 "vpnk"[2]:   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-5,
000 "vpnk"[2]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "vpnk"[2]:   ESP algorithms wanted: AES(12)_256-SHA1(2); flags=-strict
000 "vpnk"[2]:   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "vpnk"[2]:   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #2: "vpnk"[2] 172.30.64.140:59935 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3193s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "vpnk"[2] 172.30.64.140 esp.4bceea88 at 172.30.64.140 esp.7b2d75f3 at 172.30.64.190 ref=0 refhim=4294901761
000 #1: "vpnk"[2] 172.30.64.140:59935 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85993s; newest ISAKMP; lastdpd=17s(seq in:24089 out:0); idle; import:not set

PS: mail hopefully sent to mailing list now.
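The log above records three facts that matter when L2TP is expected to ride inside an IPsec transport-mode SA behind NAT: the selector the peer proposed (172.30.64.190/32:17/1701 -> 192.168.0.10/32:17/1701), the NAT-OA address (192.168.0.10) and the NAT-D address (172.30.64.140:59935), which differ. The following is an added example, not code from the post or from Openswan/xl2tpd, that pulls those values out of the pluto lines quoted above and then checks a set of UDP/1701 flow tuples against the negotiated selector, reporting which flows fall outside it and would therefore not be matched by that SA. The flow tuples are constructed stand-ins for a capture summary, and the selector matching is a deliberately simplified model of a kernel IPsec policy lookup (an assumption, not Openswan's actual netkey behaviour); the xl2tpd failure is detected only from the "Maximum retries exceeded" line that appears in the log.

```python
import re
from ipaddress import ip_address, ip_network

# Sample input: the relevant pluto lines copied from the log in this post.
PLUTO_LOG = """\
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: new NAT mapping for #1, was 172.30.64.140:500, now 172.30.64.140:59935
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #1: the peer proposed: 172.30.64.190/32:17/1701 -> 192.168.0.10/32:17/1701
Jan  6 13:54:29 ipsectest pluto[2498]: "vpnk"[2] 172.30.64.140 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x4bceea88 <0x7b2d75f3 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.10 NATD=172.30.64.140:59935 DPD=enable}
"""

# Sample input: the xl2tpd line from the post that marks the L2TP tunnel failure.
XL2TPD_LOG = """\
Jan  6 13:54:59 ipsectest xl2tpd[2541]: Maximum retries exceeded for tunnel 47706.  Closing.
"""

# Constructed UDP/1701 flows (src, sport, dst, dport) standing in for a capture summary.
FLOWS = [
    ("192.168.0.10", 1701, "172.30.64.190", 1701),   # inside the selector (inbound direction)
    ("172.30.64.190", 1701, "192.168.0.10", 1701),   # inside the selector (outbound direction)
    ("172.30.64.190", 1701, "172.30.64.140", 1701),  # reply addressed to the NAT router, not to NAT-OA
]

PROPOSED_RE = re.compile(r"the peer proposed: (\S+):(\d+)/(\d+) -> (\S+):(\d+)/(\d+)")
SA_RE = re.compile(r"IPsec SA established (\w+) mode \{(.*)\}")
NATMAP_RE = re.compile(r"new NAT mapping for #\d+, was (\S+), now (\S+)")


def parse_pluto(text):
    """Extract selector, SA mode and NAT-T attributes from pluto log lines."""
    info = {}
    for line in text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            info["local"] = (ip_network(m.group(1)), int(m.group(2)), int(m.group(3)))
            info["remote"] = (ip_network(m.group(4)), int(m.group(5)), int(m.group(6)))
        m = SA_RE.search(line)
        if m:
            info["mode"] = m.group(1)
            # The brace block holds key=value tokens (xfrm, NATOA, NATD, DPD);
            # the ESP/NAT=>spi token is skipped as it is not a plain key=value pair.
            for token in m.group(2).split():
                if "=" in token and not token.startswith("ESP"):
                    key, value = token.split("=", 1)
                    info[key] = value
        m = NATMAP_RE.search(line)
        if m:
            info["nat_mapping"] = m.group(2)
    return info


def flow_covered(info, src, sport, dst, dport):
    """Simplified policy check (assumption): a UDP flow is covered if it falls
    inside the negotiated selector in either direction."""
    lnet, _, lport = info["local"]
    rnet, _, rport = info["remote"]
    outbound = ip_address(src) in lnet and ip_address(dst) in rnet and sport == lport and dport == rport
    inbound = ip_address(src) in rnet and ip_address(dst) in lnet and sport == rport and dport == lport
    return outbound or inbound


def audit(pluto_text, xl2tpd_text, flows):
    """Summarise what the SA protects and which observed flows fall outside it."""
    info = parse_pluto(pluto_text)
    natd_host = info.get("NATD", "").split(":")[0]
    return {
        "mode": info.get("mode"),
        "natoa": info.get("NATOA"),
        "natd": info.get("NATD"),
        "natoa_differs_from_natd": info.get("NATOA") != natd_host,
        "uncovered_flows": [f for f in flows if not flow_covered(info, *f)],
        "l2tp_tunnel_failed": any("Maximum retries exceeded" in l for l in xl2tpd_text.splitlines()),
    }


if __name__ == "__main__":
    for key, value in audit(PLUTO_LOG, XL2TPD_LOG, FLOWS).items():
        print(f"{key}: {value}")
```

Run against the lines above, the report shows a transport-mode SA whose NAT-OA (192.168.0.10) differs from the NAT-D host (172.30.64.140), flags the constructed flow addressed to 172.30.64.140:1701 as outside the selector, and records that xl2tpd gave up on its tunnel. Whether that uncovered flow is what the author saw leaving unencrypted is a question for the actual capture; the script only makes the comparison explicit.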

________________________________________
From: users-bounces at openswan.org [users-bounces at openswan.org] On Behalf Of No body ist Perfect [news.listener at gmail.com]
Sent: Tuesday, January 05, 2010 7:35 PM
To: users at lists.openswan.org
Subject: Re: [Openswan Users] NAT-T and Transport mode not working?

Hi !
Post your conf files, the openswan and xl2tpd versions, and the log from xl2tpd too.
thanks

On 05.01.2010 09:51, Michael.Karlinsky at tieto.com wrote:
> Hi All,
> there still seems to be a problem regarding NAT-T and Transport-Mode.
> My setup:
> A: 192.168.0.10 <--> NAT-Router: 172.30.64.140 (DHCP) <--> B: 172.30.64.190
> Both systems running a recent SUSE Linux Kernel:
> A: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-pae (netkey)
> B: Linux Openswan U2.6.24rc5/K2.6.27.39-0.2-default (netkey)
> I use the following configuration for A and B:
> A:
> conn konnektor
> left=192.168.0.10
> leftrsasigkey=%cert
> leftcert=konnektor001.NK.rel234.labKompCA01.valid.cer
> leftid=%fromcert
> leftprotoport=17/1701
> right=172.30.64.190
> rightrsasigkey=%cert
> rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
> rightid=%fromcert
> rightprotoport=17/1701
> auto=start
> authby=rsasig
> pfs=yes
> rekey=yes
> dpddelay=60
> dpdtimeout=10
> dpdaction=hold
> ike=aes256-sha1-modp1536
> ikelifetime=86400s
> phase2alg=aes256-sha1
> keylife=3600s
> #type=transport
> type=tunnel
> B:
> conn vpnk
> left=%any
> leftrsasigkey=%cert
> leftprotoport=17/1701
> leftsubnet=vhost:%priv
> right=172.30.64.190
> rightrsasigkey=%cert
> rightcert=ipsectest.VPNK.rel234.labKompCA01.valid.cer
> rightid=%fromcert
> rightprotoport=17/1701
> auto=add
> authby=rsasig
> pfs=yes
> rekey=yes
> dpddelay=60
> dpdtimeout=10
> dpdaction=hold
> ike=aes256-sha1-modp1536
> ikelifetime=86400s
> phase2alg=aes256-sha1
> keylife=3600s
> #type=transport
> type=tunnel
> Using Tunnel Mode all is fine.
> Jan 5 09:27:51 ipsectest pluto[26734]: "vpnk"[2] 172.30.64.140 #2:
> STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4555e56f
> <0xdc695732 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=172.30.64.140:65193
> DPD=enabled}
> [...]
> Jan 5 09:28:07 ipsectest pppd[26778]: PAP peer authentication succeeded
> for gemuser
> Using transport mode, IPsec is still OK, but no PPP connection is possible.
>
> Hope you can help. If you need more info and logfiles please tell me and
> I will provide them.
> Kind regards,
> Michael Karlinsky
>
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

