[Openswan Users] Openswan + xl2tpd VPN server behind NAT issue

Иван Кочанов gruzzz88 at mail.ru
Sat Aug 6 03:25:05 EDT 2011


Hi!
I need help with understanding a problem.
I can't connect to my VPN server, which is behind a NAT router. The log says the following:

/var/log/auth.log
Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1 192.168.0.8:500
Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1 192.168.0.8:4500
Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo 127.0.0.1:500
Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo 127.0.0.1:4500
Aug 6 14:21:11 GATE pluto[1565]: loading secrets from "/etc/ipsec.secrets"
Aug 6 14:21:12 GATE perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Aug 6 14:21:14 GATE webmin[1726]: Webmin starting
Aug 6 14:22:47 GATE sshd[1746]: Accepted password for gateroot from 192.168.0.41 port 4589 ssh2
Aug 6 14:22:47 GATE sshd[1746]: pam_unix(sshd:session): session opened for user gateroot by (uid=0)
Aug 6 14:22:53 GATE sudo: gateroot : TTY=pts/0 ; PWD=/home/gateroot ; USER=root ; COMMAND=/bin/bash
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: responding to Main Mode from unknown peer 212.94.111.119
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Main mode peer ID is ID_IPV4_ADDR: '212.94.111.119'
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: new NAT mapping for #1, was 212.94.111.119:500, now 212.94.111.119:4500
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/0
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: responding to Quick Mode proposal {msgid:01000000}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: them: 212.94.111.119[+S=C]:17/1701
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xee920fce <0x0ee59f42 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/1701
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: responding to Quick Mode proposal {msgid:02000000}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: them: 212.94.111.119[+S=C]:17/1701
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: keeping refhim=4294901761 during rekey
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe83ba9ff <0xc5934fd6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xee920fce) payload: deleting IPSEC State #2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received and ignored informational message
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/1701
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: responding to Quick Mode proposal {msgid:03000000}
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: them: 212.94.111.119[+S=C]:17/1701
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: keeping refhim=4294901761 during rekey
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xf6a84cfc <0x80cdf100 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xe83ba9ff) payload: deleting IPSEC State #3
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received and ignored informational message

I don't understand the reason for my issue...

I have the following configuration of my Ubuntu 10.04 LTS Server.

/etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/24,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
    oe=off
    protostack=netkey

include /etc/ipsec.d/l2tp-psk.conf

/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.8
    leftid=***WAN_IP***
    leftnexthop=192.168.0.251
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=30

/etc/ipsec.secrets
 192.168.0.8 %any: "SECRET"
 ***WAN_IP*** %any: "SECRET"

/etc/xl2tpd/xl2tpd.conf
 [global] ; Global parameters:
 port = 1701 ; * Bind to port 1701
 ipsec saref = no
 debug avp = yes
 debug network = yes
 debug packet= yes
 debug state = yes
 debug tunnel = yes

 [lns default] ; Our fallthrough LNS definition
 ip range = 192.168.0.232-192.168.0.240 ; * Allocate from this IP range
 hidden bit = no ; * Use hidden AVP's?
 local ip = 192.168.0.231 ; * Our local IP to use
 length bit = yes ; * Use length bit in payload?
 refuse pap = yes ; * Refuse PAP authentication
 refuse chap = yes ; * Refuse CHAP authentication
 require authentication = yes ; * Require peer to authenticate
 name = UbuntuVPNserver ; * Report this as our hostname
 ppp debug = no ; * Turn on PPP debugging
 pppoptfile = /etc/ppp/options.xl2tpd ; * ppp options file
 flow bit = yes ; * Include sequence numbers

/etc/ppp/options.xl2tpd
 ms-dns 192.168.0.1
 ms-dns 192.168.0.252
 ms-wins 192.168.0.1
 require-mschap-v2
 refuse-mschap
 refuse-pap
 refuse-chap
 logfile /var/log/xl2tpd.log
 logfd 2 
 asyncmap 0
 auth
 crtscts
 lock 
 hide-password
 modem
 mru 1280
 netmask 255.255.255.0
 debug
 mtu 1280
 name l2tpd
 proxyarp
 lcp-echo-interval 30
 lcp-echo-failure 4
 ipcp-accept-local
 ipcp-accept-remote
 noipx

UbuntuVPN(192.168.0.8/24)-------------(192.168.0.251) CiscoRouter (***WAN_IP***)--------------INTERNET

I tested my configuration from the local network - the connection is successful. I also tried a variant without NAT - it also worked.
On my router I made a static IP-to-IP NAT, and in my ACL I permitted all TCP, UDP and ESP traffic to my server.
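As an added example (not part of the original post or of Openswan), a small Python helper that parses pluto lines of the kind quoted above and summarises which IKE phases completed, whether the responder detected itself as NATed, and which child SAs the peer tore down again. The sample log is an abridged copy of the lines in the post, and the `diagnose` heuristic is this example's own reading of such a log, not pluto output.

```python
import re

# Constructed sample: an abridged copy of the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xee920fce <0x0ee59f42 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe83ba9ff <0xc5934fd6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xee920fce) payload: deleting IPSEC State #2
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xf6a84cfc <0x80cdf100 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xe83ba9ff) payload: deleting IPSEC State #3
"""

# One pluto line: conn name, peer address, state number (#N) and the free-text message.
PLUTO = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<st>\d+): (?P<msg>.*)')


def analyze_pluto_log(text):
    """Summarise one IKE conversation: which phases completed and which child SAs survived."""
    s = {"conn": None, "peer": None, "isakmp_established": False,
         "server_nated": False, "ipsec_sas": {}, "deleted_states": set()}
    for line in text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue
        s["conn"], s["peer"], state, msg = m["conn"], m["peer"], int(m["st"]), m["msg"]
        if "ISAKMP SA established" in msg:          # phase 1 (Main Mode) completed
            s["isakmp_established"] = True
        elif "i am NATed" in msg:                   # RFC 3947 NAT-D: this responder sits behind NAT
            s["server_nated"] = True
        elif "IPsec SA established" in msg:         # phase 2 (Quick Mode) completed; keep outbound SPI
            spi = re.search(r"ESP=>(0x[0-9a-f]+)", msg)
            s["ipsec_sas"][state] = spi.group(1) if spi else None
        elif "deleting IPSEC State #" in msg:       # peer sent Delete SA for a child SA
            s["deleted_states"].add(int(msg.rsplit("#", 1)[1]))
    return s


def live_ipsec_states(s):
    """Child SA state numbers that were established and not deleted by the peer."""
    return sorted(set(s["ipsec_sas"]) - s["deleted_states"])


def diagnose(s):
    """Heuristic: name the layer at which the session stalls."""
    if not s["isakmp_established"]:
        return "phase 1 (ISAKMP) never completed"
    if not s["ipsec_sas"]:
        return "phase 2 (Quick Mode) never completed"
    if s["deleted_states"]:
        return "IPsec SAs were established and then deleted by the peer: the failure is above the IPsec layer"
    return "IPsec SA established and still up"
```

On the sample, both IKE phases complete and the peer deletes each child SA within seconds, which points at the L2TP exchange on UDP 1701 inside the tunnel rather than at IKE or the pre-shared key.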