[Openswan Users] Openswan + xl2tpd VPN server behind NAT issue

Curu Wong prinbra at gmail.com
Mon Aug 8 23:12:21 EDT 2011


Search the list; you may find the answer by yourself.

2011/8/6 Иван Кочанов <gruzzz88 at mail.ru>

> Hi!
> I need help with understanding my problem.
> I can't connect to my VPN server, which is behind a NAT router. The log says the
> following:
>
> /var/log/auth.log
> Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1
> 192.168.0.8:500
> Aug 6 14:21:11 GATE pluto[1565]: adding interface eth1/eth1
> 192.168.0.8:4500
> Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo 127.0.0.1:500
> Aug 6 14:21:11 GATE pluto[1565]: adding interface lo/lo 127.0.0.1:4500
> Aug 6 14:21:11 GATE pluto[1565]: loading secrets from "/etc/ipsec.secrets"
> Aug 6 14:21:12 GATE perl: pam_unix(webmin:auth): authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost= user=root
> Aug 6 14:21:14 GATE webmin[1726]: Webmin starting
> Aug 6 14:22:47 GATE sshd[1746]: Accepted password for gateroot from
> 192.168.0.41 port 4589 ssh2
> Aug 6 14:22:47 GATE sshd[1746]: pam_unix(sshd:session): session opened for
> user gateroot by (uid=0)
> Aug 6 14:22:53 GATE sudo: gateroot : TTY=pts/0 ; PWD=/home/gateroot ;
> USER=root ; COMMAND=/bin/bash
> Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
> Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: received
> Vendor ID payload [RFC 3947] method set to=109
> Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
> using method 109
> Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring
> Vendor ID payload [FRAGMENTATION]
> Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring
> Vendor ID payload [MS-Negotiation Discovery Capable]
> Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring
> Vendor ID payload [Vid-Initial-Contact]
> Aug 6 14:23:03 GATE pluto[1565]: packet from 212.94.111.119:500: ignoring
> Vendor ID payload [IKE CGA version 1]
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> responding to Main Mode from unknown peer 212.94.111.119
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Main
> mode peer ID is ID_IPV4_ADDR: '212.94.111.119'
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: new
> NAT mapping for #1, was 212.94.111.119:500, now 212.94.111.119:4500
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_256 prf=oakley_sha group=modp2048}
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: Dead
> Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the
> peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/0
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2:
> responding to Quick Mode proposal {msgid:01000000}
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: us:
> 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: them:
> 212.94.111.119[+S=C]:17/1701
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: Dead
> Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xee920fce
> <0x0ee59f42 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500DPD=none}
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the
> peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/1701
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3:
> responding to Quick Mode proposal {msgid:02000000}
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: us:
> 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: them:
> 212.94.111.119[+S=C]:17/1701
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3:
> keeping refhim=4294901761 during rekey
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: Dead
> Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe83ba9ff
> <0xc5934fd6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500DPD=none}
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> received Delete SA(0xee920fce) payload: deleting IPSEC State #2
> Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> received and ignored informational message
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: the
> peer proposed: 212.94.111.118/32:17/1701 -> 212.94.111.119/32:17/1701
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4:
> responding to Quick Mode proposal {msgid:03000000}
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: us:
> 192.168.0.8<192.168.0.8>[212.94.111.118,+S=C]:17/1701---192.168.0.251
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: them:
> 212.94.111.119[+S=C]:17/1701
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4:
> keeping refhim=4294901761 during rekey
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: Dead
> Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xf6a84cfc
> <0x80cdf100 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500DPD=none}
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> received Delete SA(0xe83ba9ff) payload: deleting IPSEC State #3
> Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1:
> received and ignored informational message
>
> I don't understand the reason for my issue...
>
> I have the following configuration of my Ubuntu 10.04 LTS Server.
>
> /etc/ipsec.conf
> version 2.0 # conforms to second version of ipsec.conf specification
> config setup
> dumpdir=/var/run/pluto/
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/24,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
> oe=off
> protostack=netkey
> include /etc/ipsec.d/l2tp-psk.conf
>
> /etc/ipsec.d/l2tp-psk.conf
> conn L2TP-PSK-NAT
> rightsubnet=vhost:%no,%priv
> also=L2TP-PSK-noNAT
> conn L2TP-PSK-noNAT
> authby=secret
> pfs=no
> auto=add
> keyingtries=3
> rekey=no
> ikelifetime=8h
> keylife=1h
> type=transport
> left=192.168.0.8
> leftid=***WAN_IP***
> leftnexthop=192.168.0.251
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any
> dpddelay=30
> dpdtimeout=30
>
> /etc/ipsec.secrets
> 192.168.0.8 %any: "SECRET"
> ***WAN_IP*** %any: "SECRET"
>
> /etc/xl2tpd/xl2tpd.conf
> [global] ; Global parameters:
> port = 1701 ; * Bind to port 1701
> ipsec saref = no
> debug avp = yes
> debug network = yes
> debug packet= yes
> debug state = yes
> debug tunnel = yes
>
> [lns default] ; Our fallthrough LNS definition
> ip range = 192.168.0.232-192.168.0.240 ; * Allocate from this IP range
> hidden bit = no ; * Use hidden AVP's?
> local ip = 192.168.0.231 ; * Our local IP to use
> length bit = yes ; * Use length bit in payload?
> refuse pap = yes ; * Refuse PAP authentication
> refuse chap = yes ; * Refuse CHAP authentication
> require authentication = yes ; * Require peer to authenticate
> name = UbuntuVPNserver ; * Report this as our hostname
> ppp debug = no ; * Turn on PPP debugging
> pppoptfile = /etc/ppp/options.xl2tpd ; * ppp options file
> flow bit = yes ; * Include sequence numbers
>
> /etc/ppp/options.xl2tpd
> ms-dns 192.168.0.1
> ms-dns 192.168.0.252
> ms-wins 192.168.0.1
> require-mschap-v2
> refuse-mschap
> refuse-pap
> refuse-chap
> logfile /var/log/xl2tpd.log
> logfd 2
> asyncmap 0
> auth
> crtscts
> lock
> hide-password
> modem
> mru 1280
> netmask 255.255.255.0
> debug
> mtu 1280
> name l2tpd
> proxyarp
> lcp-echo-interval 30
> lcp-echo-failure 4
> ipcp-accept-local
> ipcp-accept-remote
> noipx
>
> UbuntuVPN(192.168.0.8/24)-------------(192.168.0.251)
> CiscoRouter (***WAN_IP***)--------------INTERNET
>
> I tested my configuration from the local network - the connection is successful. I
> also tried a variant without NAT - it also worked.
> On my router I set up a static IP-to-IP NAT, and in my ACL I permitted all TCP, UDP
> and ESP traffic to my server.
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
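The SA lifecycle in the quoted log can be read mechanically. As an added example (not from the post or from Openswan itself), this script parses pluto lines of the format shown above, records the NAT-T verdict and the establish/delete time of each IPsec state, and flags the pattern visible here, where each ESP SA is deleted by the peer within seconds of being installed; the sample log is a constructed excerpt of the lines quoted above, and the 10-second churn threshold is an assumption.

```python
import re

# Constructed excerpt of the pluto lines quoted in the post (SPIs and state numbers as shown there).
SAMPLE_LOG = """\
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xee920fce <0x0ee59f42 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe83ba9ff <0xc5934fd6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500DPD=none}
Aug 6 14:23:03 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xee920fce) payload: deleting IPSEC State #2
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xf6a84cfc <0x80cdf100 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=212.94.111.119:4500DPD=none}
Aug 6 14:23:06 GATE pluto[1565]: "L2TP-PSK-NAT"[1] 212.94.111.119 #1: received Delete SA(0xe83ba9ff) payload: deleting IPSEC State #3
"""

LINE_RE = re.compile(r'^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"[^"]+"\[\d+\] [\d.]+ #(?P<state>\d+): (?P<msg>.*)$')
DELETE_RE = re.compile(r"Delete SA\((0x[0-9a-f]+)\) payload: deleting IPSEC State #(\d+)")

def analyse_pluto_log(text):
    """Collect the NAT-T verdict plus establish/delete times (seconds of day) of each IPsec state."""
    report = {"nat": None, "established": {}, "deleted": {}}
    for line in text.splitlines():
        mt = LINE_RE.match(line)
        if not mt:
            continue
        t = sum(int(x) * k for x, k in zip(mt["time"].split(":"), (3600, 60, 1)))
        state, msg = int(mt["state"]), mt["msg"]
        if "NAT-Traversal: Result" in msg:
            report["nat"] = msg.split(": ")[-1]          # e.g. "i am NATed"
        elif "IPsec SA established" in msg:
            spi = re.search(r"ESP=>(0x[0-9a-f]+)", msg).group(1)
            report["established"][state] = (t, spi)
        elif (d := DELETE_RE.search(msg)):
            spi, victim = d.groups()
            report["deleted"][int(victim)] = (t, spi)   # keyed by the state being deleted
    return report

def churn_summary(report):
    """Return (n_established, n_deleted, longest_lifetime_secs, verdict)."""
    est, dele = report["established"], report["deleted"]
    lifetimes = [dele[s][0] - est[s][0] for s in dele if s in est]
    longest = max(lifetimes) if lifetimes else None
    if est and longest is not None and longest <= 10:   # assumed churn threshold
        verdict = "IKE and ESP succeed but every SA dies within seconds: look above IPsec (L2TP/UDP 1701 reaching xl2tpd)"
    elif est:
        verdict = "IPsec SAs stay up"
    else:
        verdict = "no IPsec SA established: look at IKE phase 1/2"
    return len(est), len(dele), longest, verdict

if __name__ == "__main__":
    print(churn_summary(analyse_pluto_log(SAMPLE_LOG)))
```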

