[Openswan Users] l2tp ipsec vpn does not connect. Cannot find what's wrong.
JP CR
jprollerskate at hotmail.com
Mon Jan 3 00:11:13 EST 2011
Hello,
I am trying to get this configuration to work on a server behind a NAT; the server is also behind a router that only accepts ICMP, UDP, and TCP connections. For this last reason I am using forceencaps=yes, and of course nat_traversal=yes ... I am getting the messages below after it appears to negotiate the ipsec connection correctly. Please note that I have tested the below config with a server in my home LAN (no NAT/firewalls in between, of course) and it works perfectly.
Openswan version 2.6.23
L2TP version: 1.2.5
Kernel: 2.6.32-24
Here is my ipsec config:
ubuntu@ip-10-112-49-52:~$ cat /etc/ipsec.conf
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=10.112.49.52
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes

auth.log
NOTE: Some IPs have been replaced for security reasons:
189.199.62.74 is a fake public IP representing the remote server
181.199.62.74 is a fake public IP representing the public IP of my home router.
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #53: responding to Main Mode from unknown peer 181.199.62.74
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #53: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #53: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #52: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #52: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0cae746c <0xc70e0aa0 xfrm=3DES_0-HMAC_MD5 NATOA=192.170.1.3 NATD=181.199.62.74:4500 DPD=none}
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: received Delete SA(0x0cae746c) payload: deleting IPSEC State #52
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: received Delete SA(0x3026ac20) payload: deleting IPSEC State #50
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: received Delete SA(0x99f52203) payload: deleting IPSEC State #48
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: received Delete SA(0x39497c19) payload: deleting IPSEC State #46
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: received Delete SA(0x944681bc) payload: deleting IPSEC State #44
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: received Delete SA(0xbf5f0234) payload: deleting IPSEC State #42
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@10.112.49.52 was too long: 168 > 36
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: | raw_eroute result=0
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x3362d7ee
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x62e101ae
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x13335b0d
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xbbdba4d8
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x9f9b1385
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xaff01be8
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x6b605417
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x53f3de1c
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x5dc88fda
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xbf0d6282
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x99dc2e71
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xcf73a1fe
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x5e0e2b61
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x3a6290eb
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x479a71ba
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x2bf119ba
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x5602aea4
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: ignoring Delete SA payload: not encrypted
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:500: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xe451d0cf
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xb3409413
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x12af66a1
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: received Delete SA payload: deleting ISAKMP State #51
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: received Delete SA payload: deleting ISAKMP State #49
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #47: received Delete SA payload: deleting ISAKMP State #47
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #45: received Delete SA payload: deleting ISAKMP State #45
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #43: received Delete SA payload: deleting ISAKMP State #43
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #41: received Delete SA payload: deleting ISAKMP State #41
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: packet from 181.199.62.74:4500: received and ignored informational message
Thanks
Gunther
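
Added example, not part of the original post: a small Python parser for pluto auth.log lines in the format shown above. It pairs each "IPsec SA established" line with a later "received Delete SA(0x...)" from the peer, so it is easy to see which SAs the remote side tore down and how soon. The function names, the year default and the last sample line are assumptions made for this illustration.

```python
import re
from datetime import datetime

# First three lines are taken from the log in this post; the last one (#54) is constructed.
SAMPLE_LOG = """\
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #52: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0cae746c <0xc70e0aa0 xfrm=3DES_0-HMAC_MD5 NATOA=192.170.1.3 NATD=181.199.62.74:4500 DPD=none}
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #51: received Delete SA(0x0cae746c) payload: deleting IPSEC State #52
Jan 3 04:54:50 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #49: received Delete SA(0x3026ac20) payload: deleting IPSEC State #50
Jan 3 04:55:10 ip-10-112-49-52 pluto[3797]: "L2TP-PSK-NAT"[2] 181.199.62.74 #54: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x11111111 <0x22222222 xfrm=3DES_0-HMAC_MD5 NATOA=192.170.1.3 NATD=181.199.62.74:4500 DPD=none}
"""

PREFIX = r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
# Quick Mode responder finished: "=>" is the SPI we send to, "<" the SPI we receive on.
EST = re.compile(PREFIX + r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): '
                 r'STATE_QUICK_R2: IPsec SA established .*?=>(?P<out>0x[0-9a-f]+) '
                 r'<(?P<inn>0x[0-9a-f]+)')
# Peer-initiated delete of an IPsec SA; the SPI in parentheses is our outbound SPI.
DEL = re.compile(PREFIX + r'.*received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: '
                 r'deleting IPSEC State #(?P<state>\d+)')

def parse_ts(ts, year=2011):
    # Syslog timestamps carry no year; 2011 (the post's date) is assumed here.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(log_text):
    """Return (SA records, SPIs deleted without a matching 'established' line)."""
    established, orphans = {}, []
    for line in log_text.splitlines():
        m = EST.match(line)
        if m:
            established[m['out']] = {'state': int(m['state']), 'conn': m['conn'],
                                     'peer': m['peer'], 'spi_out': m['out'],
                                     'spi_in': m['inn'], 'up': parse_ts(m['ts']),
                                     'deleted_after_s': None}
            continue
        m = DEL.match(line)
        if m:
            rec = established.get(m['spi'])
            if rec is None:
                orphans.append(m['spi'])   # SA was set up before this excerpt starts
            else:
                rec['deleted_after_s'] = (parse_ts(m['ts']) - rec['up']).total_seconds()
    return list(established.values()), orphans

if __name__ == "__main__":
    records, orphans = correlate(SAMPLE_LOG)
    for r in records:
        print(r['state'], r['spi_out'], r['deleted_after_s'])
    print("deleted without matching setup line:", orphans)
```

An SA with `deleted_after_s` of `None` was still up at the end of the excerpt; a value near zero means the peer deleted it almost as soon as Quick Mode completed.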