[Openswan Users] Openswan server nated not working in 2.6.24 on rhel5

Aliet Santiesteban Sifontes alietsantiesteban at gmail.com
Wed Jan 20 02:47:25 EST 2010


Hi list, I've been testing openswan on rhel 5.4 all this week trying
to successfully do L2TP over IPsec using the current Red Hat-released
openswan RPM, and also the latest openswan version 2.6.24rc5 and xl2tpd
1.2.4. The setup is like this:

Win XP Client(public address)<--->(Public IP address)Office DSL
Router<---Private NATed Network--->Openswan Server

In WinXP I have applied the fixes to the registry.
Openswan and xl2tpd are using the current working configs from the
example setups for version 2.4.15, as in:

http://lists.openswan.org/pipermail/users/2009-December/017946.html

The router is mapping all the ports related to IPsec: UDP 500, UDP 4500, etc.

IPsec seems to be established but it never negotiates L2TP; it hangs at:

Jan 20 02:49:55 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x52009499
<0xea4ffefa xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=200.200.181.173:4500
DPD=none}

Complete log:

Jan 20 02:49:51 myserver pluto[21357]: packet from
200.200.181.173:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]
Jan 20 02:49:51 myserver pluto[21357]: packet from
200.200.181.173:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 20 02:49:51 myserver pluto[21357]: packet from
200.200.181.173:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 20 02:49:51 myserver pluto[21357]: packet from
200.200.181.173:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 20 02:49:51 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: responding to Main Mode from unknown peer 200.200.181.173
Jan 20 02:49:51 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 20 02:49:51 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 20 02:49:52 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am
NATed
Jan 20 02:49:52 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 20 02:49:52 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 20 02:49:53 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: Main mode peer ID is ID_IPV4_ADDR: '200.200.181.173'
Jan 20 02:49:53 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 20 02:49:53 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: new NAT mapping for #8, was 200.200.181.173:500, now
200.200.181.173:4500
Jan 20 02:49:53 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: peer client type is FQDN
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: Applying workaround for MS-818043 NAT-T bug
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: IDci was FQDN: \275\230\134\355, using NAT_OA=0.0.0.0/32 as IDci
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#8: the peer proposed: 189.152.92.237/32:17/1701 -> 0.0.0.0/32:17/0
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9: responding to Quick Mode proposal {msgid:9b66c46d}
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9:     us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9:   them: 200.200.181.173[+S=C]:17/1701===?
Jan 20 02:49:54 myserver pluto[21357]: | NAT-OA: 4 tunnel: 1
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
QI2
Jan 20 02:49:55 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 20 02:49:55 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173
#9: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x52009499
<0xea4ffefa xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=200.200.181.173:4500
DPD=none}

Any ideas? I would appreciate your help...
Best regards, Aliet
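As an added example (not part of the post above), here is a small parser that reduces a pluto log like the one quoted to the negotiation stage reached and the NAT-T facts, so a reader can see that IKE phase 1 and phase 2 both completed and that the remaining problem sits after the IPsec SA, on the L2TP/UDP 1701 path. The sample lines are copied from the log in this post; the tag names and regexes are my own.

```python
import re

# Constructed sample input: four lines copied from the pluto log in the post above.
SAMPLE_LOG = """\
Jan 20 02:49:53 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173 #8: new NAT mapping for #8, was 200.200.181.173:500, now 200.200.181.173:4500
Jan 20 02:49:53 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173 #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 20 02:49:54 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173 #8: the peer proposed: 189.152.92.237/32:17/1701 -> 0.0.0.0/32:17/0
Jan 20 02:49:55 myserver pluto[21357]: "L2TP-PSK"[4] 200.200.181.173 #9: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x52009499 <0xea4ffefa xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=200.200.181.173:4500 DPD=none}
"""

ISAKMP_RE = re.compile(r'#(\d+): STATE_MAIN_R3: .*ISAKMP SA established \{(.*)\}')
IPSEC_RE = re.compile(r'#(\d+): STATE_QUICK_R2: IPsec SA established (\w+) mode \{(.*)\}')
NATMAP_RE = re.compile(r'new NAT mapping for #\d+, was (\S+), now (\S+)')
PROPOSAL_RE = re.compile(r'the peer proposed: (\S+) -> (\S+)')
KV_RE = re.compile(r'(\w+)=>?(\S+)')   # key=value pairs inside the {...} summaries


def parse_pluto(log):
    """Reduce a pluto log to the facts that matter for an L2TP/IPsec NAT-T debug."""
    facts = {"isakmp": None, "ipsec": None, "nat_map": None, "proposal": None}
    for line in log.splitlines():
        if m := ISAKMP_RE.search(line):
            facts["isakmp"] = {"sa": int(m.group(1)), **dict(KV_RE.findall(m.group(2)))}
        elif m := IPSEC_RE.search(line):
            facts["ipsec"] = {"sa": int(m.group(1)), "mode": m.group(2),
                              **dict(KV_RE.findall(m.group(3)))}
        elif m := NATMAP_RE.search(line):
            facts["nat_map"] = (m.group(1), m.group(2))   # (old peer:port, new peer:port)
        elif m := PROPOSAL_RE.search(line):
            facts["proposal"] = (m.group(1), m.group(2))  # (their selector, our selector)
    return facts


def diagnose(facts):
    """Return short tags (my own names) for how far IKE got and what looks odd."""
    if facts["isakmp"] is None:
        return ["phase1_not_established"]
    if facts["ipsec"] is None:
        return ["phase1_ok", "phase2_not_established"]
    tags = ["ipsec_sa_up"]                            # IKE finished; look past the tunnel
    if facts["nat_map"] and facts["nat_map"][1].endswith(":4500"):
        tags.append("nat_t_udp4500")                  # peer switched to UDP-encapsulated ESP
    if facts["proposal"] and facts["proposal"][1].startswith("0.0.0.0/"):
        tags.append("local_selector_is_0.0.0.0")      # our side of the proposal came from NAT_OA
    if facts["ipsec"].get("NATOA") == "none":
        tags.append("natoa_none")                     # no NAT-OA recorded for the peer
    return tags
```

Run it over the full log from the post (or any pluto log) to confirm whether the negotiation really stops after the IPsec SA, which points the search at the UDP 1701 path rather than at IKE.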
