[Openswan Users] Openswan + xl2tpd VPN server behind NAT issue
Иван Кочанов
gruzzz88 at mail.ru
Sat Aug 6 03:25:05 EDT 2011
Hi!
I need help with understanding of problem.
I can't connect to my VPN server which is behind nat router. Log says the following:
/var/log/auth.log
Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1 192.168.0.8:500
Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1 192.168.0.8:4500
Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo 127.0.0.1:500
Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo 127.0.0.1:4500
Aug 6 14:21:11 GATE pluto[1565]: loading secrets from "/etc/ipsec.secrets"
Aug 6 14:21:12 GATE perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Aug 6 14:21:14 GATE webmin[1726]: Webmin starting
Aug 6 14:22:47 GATE sshd[1746]: Accepted password for gateroot from 192.168.0.41 port 4589 ssh2
Aug 6 14:22:47 GATE sshd[1746]: pam_unix(sshd:session): session opened for user gateroot by (uid=0)
Aug 6 14:22:53 GATE sudo: gateroot : TTY=pts/0 ; PWD=/home/gateroot ; USER=root ; COMMAND=/bin/bash
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: responding to Main Mode from unknown peer 212.94.111.119
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Main mode peer ID is ID_IPV4_ADDR: '212.94.111.119'
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: new NAT mapping for #1, was 212.94.111.119:500, now 212.94.111.119:4500
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/0
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: responding to Quick Mode proposal {msgid:01000000}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: them: 212.94.111.119[+S=C]:17/1701
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xee920fce <0x0ee59f42 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/1701
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: responding to Quick Mode proposal {msgid:02000000}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: them: 212.94.111.119[+S=C]:17/1701
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: keeping refhim=4294901761 during rekey
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe83ba9ff <0xc5934fd6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xee920fce) payload: deleting IPSEC State #2
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received and ignored informational message
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/1701
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: responding to Quick Mode proposal {msgid:03000000}
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: us: 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: them: 212.94.111.119[+S=C]:17/1701
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: keeping refhim=4294901761 during rekey
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xf6a84cfc <0x80cdf100 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500 DPD=none}
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xe83ba9ff) payload: deleting IPSEC State #3
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received and ignored informational message
I don't understand the reason of my issue...
I have the following configuration of my Ubuntu 10.04 LTS Server.
/etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/24,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
oe=off
protostack=netkey
include /etc/ipsec.d/l2tp-psk.conf
/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
rightsubnet=vhost:%no,%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.0.8
leftid=***WAN_IP***
leftnexthop=192.168.0.251
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=30
dpdtimeout=30
/etc/ipsec.secrets
192.168.0.8 %any: "SECRET"
***WAN_IP*** %any: "SECRET"
/etc/xl2tpd/xl2tpd.conf
[global] ; Global parameters:
port = 1701 ; * Bind to port 1701
ipsec saref = no
debug avp = yes
debug network = yes
debug packet= yes
debug state = yes
debug tunnel = yes
[lns default] ; Our fallthrough LNS definition
ip range = 192.168.0.232-192.168.0.240 ; * Allocate from this IP range
hidden bit = no ; * Use hidden AVP's?
local ip = 192.168.0.231 ; * Our local IP to use
length bit = yes ; * Use length bit in payload?
refuse pap = yes ; * Refuse PAP authentication
refuse chap = yes ; * Refuse CHAP authentication
require authentication = yes ; * Require peer to authenticate
name = UbuntuVPNserver ; * Report this as our hostname
ppp debug = no ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.xl2tpd ; * ppp options file
flow bit = yes ; * Include sequence numbers
/etc/ppp/options.xl2tpd
ms-dns 192.168.0.1
ms-dns 192.168.0.252
ms-wins 192.168.0.1
require-mschap-v2
refuse-mschap
refuse-pap
refuse-chap
logfile /var/log/xl2tpd.log
logfd 2
asyncmap 0
auth
crtscts
lock
hide-password
modem
mru 1280
netmask 255.255.255.0
debug
mtu 1280
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
noipx
UbuntuVPN(192.168.0.8/24)-------------(192.168.0.251) CiscoRouter (***WAN_IP***)--------------INTERNET
I tested my configuration from local network - connection is succesful. I also tried a variant without NAT - it also worked.
On my router I made static IP-to-IP NAT, in my acl permitted all TCP, UDP, ESP traffic to my server.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110806/088322b4/attachment-0001.html
More information about the Users
mailing list