[Openswan Users] Still problems with MacOSX Roadwarriors
alet at librelogiciel.com
Thu Mar 11 17:13:04 EST 2010
Hi there,
Still having problems with MacOSX roadwarriors, and really I don't know
what to do or even where to look to solve this problem.
The VPN gateway is running kernel 2.6.26-2-686, openswan 2.6.23+dfsg-1,
xl2tpd 1.2.5+dfsg-1, iproute 20100224-1 and ipsec-tools 1:0.7.1-1.6, all
from unmodified standard Debian packages.
ipsec.conf is as follows:
--- CUT ---
version 2.0

config setup
    nat_traversal=yes
    nhelpers=0
    plutodebug="control klips"
    uniqueids=yes
    oe=off
    protostack=netkey
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.66.0/24

conn %default
    rekey=no
    ikelifetime=8h
    keylife=1h
    compress=no
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    leftsendcert=always
    rightrsasigkey=%cert
    rightca=%same

conn MYVPN-l2tp
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    also=MYVPN

conn MYVPN-all
    leftsubnet=0.0.0.0/0
    also=MYVPN

conn MYVPN
    left=%defaultroute
    leftid=@gwvpn.example.com
    leftcert=/etc/ipsec.d/certs/gwvpn.example.com.pem
    right=%any
    rightsubnet=vhost:%priv,%no
    rightnexthop=10.10.66.254
    pfs=no
    auto=add
--- CUT ---
Windows & GNU/Linux roadwarriors can connect without any problem, but when a
MacOSX roadwarrior tries to connect, part of the L2TP dialog takes place
in the clear, as if the IPsec tunnel was only partially up.
In the lines below, NAT.NAT.NAT.NAT is the IP address of the NAT box
behind which I've put both a GNU/Linux and a MacOSX client. GW.GW.GW.GW
is the IP address of my VPN gateway.
Here's the output of "ipsec auto --status" on the VPN gateway once I've
connected from GNU/Linux and MacOSX:
--- With a GNU/Linux client, it works ---
000 #2: "MYVPN"[1] NAT.NAT.NAT.NAT:64944 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3322s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "MYVPN"[1] NAT.NAT.NAT.NAT esp.8b7b4061 at NAT.NAT.NAT.NAT esp.1bb3ccb8 at GW.GW.GW.GW tun.0 at NAT.NAT.NAT.NAT tun.0 at GW.GW.GW.GW ref=0 refhim=4294901761
000 #1: "MYVPN-l2tp"[2] NAT.NAT.NAT.NAT:64944 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3590s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
--- With a MacOSX client, it doesn't work ---
000 #2: "MYVPN-l2tp"[2] NAT.NAT.NAT.NAT:53615 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3552s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "MYVPN-l2tp"[2] NAT.NAT.NAT.NAT esp.e7daec4 at NAT.NAT.NAT.NAT esp.cd861f79 at GW.GW.GW.GW ref=0 refhim=4294901761
000 #1: "MYVPN-l2tp"[2] NAT.NAT.NAT.NAT:53615 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3551s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
I've captured traces with tcpdump launched on the VPN gateway itself,
with a GNU/Linux and a MacOSX client both behind the same NAT box, and
here's the result:
--- With a GNU/Linux client, it works ---
08:26:46.057550 IP NAT.NAT.NAT.NAT.56916 > GW.GW.GW.GW.500: isakmp: phase 1 I ident
08:26:46.058550 IP GW.GW.GW.GW.500 > NAT.NAT.NAT.NAT.56916: isakmp: phase 1 R ident
08:26:46.934576 IP NAT.NAT.NAT.NAT.56916 > GW.GW.GW.GW.500: isakmp: phase 1 I ident
08:26:46.939180 IP GW.GW.GW.GW.500 > NAT.NAT.NAT.NAT.56916: isakmp: phase 1 R ident
08:26:47.601297 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: NONESP-encap: isakmp: phase 1 I ident[E]
08:26:47.601298 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: udp
08:26:47.607158 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: NONESP-encap: isakmp: phase 1 R ident[E]
08:26:47.607188 IP GW.GW.GW.GW > NAT.NAT.NAT.NAT: udp
08:26:48.384080 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:26:48.393974 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
08:26:49.067753 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:26:59.531564 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x1), length 196
08:27:00.531526 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x2), length 196
08:27:01.531541 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x3), length 196
08:27:01.536942 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x1), length 212
08:27:01.537553 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x2), length 84
08:27:01.537615 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x4), length 116
08:27:01.537616 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x5), length 148
08:27:01.538128 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x6), length 84
08:27:01.538129 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x7), length 84
08:27:01.538229 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x3), length 84
08:27:01.538592 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x4), length 84
08:27:01.538761 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x8), length 84
08:27:01.538762 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x9), length 84
08:27:01.539196 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x5), length 116
08:27:01.539239 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x6), length 84
08:27:01.539733 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0xa), length 148
08:27:01.541776 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x7), length 84
08:27:01.543627 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0xb), length 116
08:27:01.633217 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x8), length 116
08:27:01.633965 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0xc), length 116
08:27:04.544324 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0xd), length 116
08:27:04.545139 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x9), length 116
08:27:04.545210 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0xa), length 84
08:27:04.545248 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0xb), length 100
08:27:04.545709 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0xe), length 84
08:27:04.545846 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0xf), length 116
08:27:04.545850 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x10), length 84
08:27:04.545918 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x11), length 100
08:27:04.547153 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0xc), length 84
08:27:04.547196 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0xd), length 100
08:27:04.547819 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0x0b0c379d,seq=0x12), length 116
08:27:04.549680 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0xe), length 116
08:27:07.148489 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: isakmp-nat-keep-alive
08:27:07.148491 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: isakmp-nat-keep-alive
08:27:27.148882 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: isakmp-nat-keep-alive
08:27:27.148884 IP NAT.NAT.NAT.NAT.52470 > GW.GW.GW.GW.4500: isakmp-nat-keep-alive
--- With a MacOSX client, it doesn't work ---
08:23:27.704415 IP NAT.NAT.NAT.NAT.57748 > GW.GW.GW.GW.500: isakmp: phase 1 I ident
08:23:27.707038 IP GW.GW.GW.GW.500 > NAT.NAT.NAT.NAT.57748: isakmp: phase 1 R ident
08:23:27.728992 IP NAT.NAT.NAT.NAT.57748 > GW.GW.GW.GW.500: isakmp: phase 1 I ident
08:23:27.731893 IP GW.GW.GW.GW.500 > NAT.NAT.NAT.NAT.57748: isakmp: phase 1 R ident
08:23:27.773051 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: NONESP-encap: isakmp: phase 1 I ident[E]
08:23:27.773052 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: udp
08:23:27.778862 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.61543: NONESP-encap: isakmp: phase 1 R ident[E]
08:23:27.778876 IP GW.GW.GW.GW > NAT.NAT.NAT.NAT: udp
08:23:27.805703 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
08:23:28.807074 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:23:28.811059 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.61543: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
08:23:28.812312 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:23:28.813547 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0xa985859e,seq=0x1), length 116
08:23:29.647753 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0xa985859e,seq=0x2), length 116
08:23:30.820474 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *RANDOM_VECTOR(80506a5f9400fdd7bce4f956f4566be9) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(gwvpn.example.com) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(47464) *RECV_WIN_SIZE(4)
08:23:30.820684 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:30.820829 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
08:23:30.821015 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:31.648233 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0xa985859e,seq=0x3), length 116
08:23:31.648491 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
08:23:31.648746 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:31.820545 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *RANDOM_VECTOR(80506a5f9400fdd7bce4f956f4566be9) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(gwvpn.example.com) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(47464) *RECV_WIN_SIZE(4)
08:23:31.820792 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:32.824587 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *RANDOM_VECTOR(80506a5f9400fdd7bce4f956f4566be9) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(gwvpn.example.com) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(47464) *RECV_WIN_SIZE(4)
08:23:32.824746 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:33.825077 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *RANDOM_VECTOR(80506a5f9400fdd7bce4f956f4566be9) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(gwvpn.example.com) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(47464) *RECV_WIN_SIZE(4)
08:23:33.825207 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:34.825116 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *RANDOM_VECTOR(80506a5f9400fdd7bce4f956f4566be9) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(gwvpn.example.com) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(47464) *RECV_WIN_SIZE(4)
08:23:34.825326 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:35.648898 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0xa985859e,seq=0x4), length 116
08:23:35.649250 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
08:23:35.649393 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:43.650244 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0xa985859e,seq=0x5), length 116
08:23:43.650602 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
08:23:43.650764 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:43.650846 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *RANDOM_VECTOR(d60fc9802b4450d8ab10dc131e6f3242) *ASSND_TUN_ID(47464) *RESULT_CODE(1/0 Timeout)
08:23:43.650991 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:44.652497 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *RANDOM_VECTOR(d60fc9802b4450d8ab10dc131e6f3242) *ASSND_TUN_ID(47464) *RESULT_CODE(1/0 Timeout)
08:23:44.652751 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:45.652572 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *RANDOM_VECTOR(d60fc9802b4450d8ab10dc131e6f3242) *ASSND_TUN_ID(47464) *RESULT_CODE(1/0 Timeout)
08:23:45.652733 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:46.654287 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *RANDOM_VECTOR(d60fc9802b4450d8ab10dc131e6f3242) *ASSND_TUN_ID(47464) *RESULT_CODE(1/0 Timeout)
08:23:46.654468 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:47.656902 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *RANDOM_VECTOR(d60fc9802b4450d8ab10dc131e6f3242) *ASSND_TUN_ID(47464) *RESULT_CODE(1/0 Timeout)
08:23:47.657075 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
As can be seen above, with the GNU/Linux client all the traffic is
encrypted, but this is not the case with the MacOSX client.
Any idea what's wrong with my setup?
Thanks in advance for any help.
Jerome Alet
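The "part of the L2TP dialog takes place in the clear" symptom can be checked mechanically rather than by eye. The following is an added example, not code from the post: a small Python audit over tcpdump lines in the format quoted above that counts packet classes and lists every L2TP control message seen outside an ESP SA, so a gateway operator can spot a leaking transport-mode policy from a capture. The sample trace is constructed here in the shape of the post's lines, with the same placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump lines quoted in the post
# (GW.GW.GW.GW is the gateway, NAT.NAT.NAT.NAT the NAT box in front of the clients).
SAMPLE_TRACE = """\
08:23:28.813547 IP NAT.NAT.NAT.NAT.61543 > GW.GW.GW.GW.4500: UDP-encap: ESP(spi=0xa985859e,seq=0x1), length 116
08:23:30.820474 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
08:23:30.820684 IP NAT.NAT.NAT.NAT > GW.GW.GW.GW: ICMP NAT.NAT.NAT.NAT udp port 49208 unreachable, length 36
08:23:30.820829 IP GW.GW.GW.GW.1701 > NAT.NAT.NAT.NAT.49208: l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
08:27:01.536942 IP GW.GW.GW.GW.4500 > NAT.NAT.NAT.NAT.52470: UDP-encap: ESP(spi=0x0447d919,seq=0x1), length 212
"""

def split_host_port(token):
    """'NAT.NAT.NAT.NAT.61543' -> ('NAT.NAT.NAT.NAT', 61543); a bare IPv4 keeps port None."""
    parts = token.split(".")
    bare_ipv4 = len(parts) == 4 and all(p.isdigit() for p in parts)
    if parts[-1].isdigit() and not bare_ipv4:
        return ".".join(parts[:-1]), int(parts[-1])
    return token, None

def parse_line(line):
    """Return (ts, src, sport, dst, dport, payload), or None for a non-IP line."""
    m = re.match(r"^(\S+) IP (\S+) > (\S+): (.*)$", line)
    if not m:
        return None
    ts, src, dst, payload = m.groups()
    shost, sport = split_host_port(src)
    dhost, dport = split_host_port(dst)
    return ts, shost, sport, dhost, dport, payload

def classify(sport, dport, payload):
    """Label a packet by what tcpdump decoded; L2TP seen outside ESP is the leak."""
    if payload.startswith("UDP-encap: ESP") or payload.startswith("ESP("):
        return "esp"
    if "isakmp" in payload:
        return "isakmp"
    if "ICMP" in payload and "unreachable" in payload:
        return "icmp-unreachable"
    if payload.startswith("l2tp") or 1701 in (sport, dport):
        return "l2tp-cleartext"
    return "other"

def audit_trace(trace):
    """Count packet classes and list every L2TP message sent without ESP protection."""
    counts, leaks = Counter(), []
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sport, dst, dport, payload = rec
        kind = classify(sport, dport, payload)
        counts[kind] += 1
        if kind == "l2tp-cleartext":
            m = re.search(r"MSGTYPE\((\w+)\)", payload)
            leaks.append((ts, src, sport, dst, dport, m.group(1) if m else "ZLB/data"))
    return counts, leaks
```

Run it over a full capture from the gateway: a healthy L2TP/IPsec session shows only "esp" and "isakmp" entries, while any "l2tp-cleartext" entry names the exact flow (here GW:1701 to NAT:49208) whose traffic is escaping the IPsec policy.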