[Openswan Users] ipsec/l2tp server behind NAT

Curu Wong prinbra at gmail.com
Fri Jul 29 14:54:19 EDT 2011


IPsec tunnel is up, but it never makes its way to l2tp!

xx.xx.xxx.109(public IP of gateway)

yyy.yy.248.161 (a Windows 7 client connected via ADSL)

yyy.yy.248.161-------->Internet--------->xx.xx.xxx.109(192.168.6.1)----------->192.168.6.18


=======================================================================
Jul 30 02:41:22 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received Delete SA(0xfb0f531d) payload: deleting IPSEC State #662
Jul 30 02:41:22 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received and ignored informational message
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the
peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
responding to Quick Mode proposal {msgid:03000000}
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:     us:
192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:   them:
yyy.yy.248.161[+S=C]:17/1701
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: keeping
refhim=4294901761 during rekey
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x06e893de
<0x94e87dbe xfrm=AES_128-HMAC_
SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received Delete SA(0xacc6f55f) payload: deleting IPSEC State #663
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received and ignored informational message
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the
peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
responding to Quick Mode proposal {msgid:04000000}
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:     us:
192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:   them:
yyy.yy.248.161[+S=C]:17/1701
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: keeping
refhim=4294901761 during rekey
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x62e4dbed
<0x60c4b2c4 xfrm=AES_128-HMAC_
SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received Delete SA(0x06e893de) payload: deleting IPSEC State #664
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received and ignored informational message
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the
peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
responding to Quick Mode proposal {msgid:05000000}
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:     us:
192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:   them:
yyy.yy.248.161[+S=C]:17/1701
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: keeping
refhim=4294901761 during rekey
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe030f135
<0x330430c4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=yyy.yy.248.161:4500
DPD=none}
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received Delete SA(0x62e4dbed) payload: deleting IPSEC State #665
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
received and ignored informational message
======================================================================================


Can anyone please help me out? I have been trapped here for several days,
and still I can't make the ipsec/l2tp VPN server behind NAT work.

Tried Ubuntu 10.04 LTS with its own openswan, still fails. Tried CentOS,
still fails. All fail.

Used DNAT and one-to-one NAT on the gw, still fails.

I will go mad without solving this. It seems other people with the identical
config have it working smoothly, but I always fail. Why? What did I miss?

Here's my ipsec.conf
==================================================================
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

conn l2tp-psk
        left=192.168.6.18
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        pfs=no
        rekey=no
        type=transport
        authby=secret
        auto=add
======================================

/etc/xl2tpd/xl2tpd.conf
======================================
[global]
listen-addr = 192.168.6.18
debug tunnel= yes
[lns default]
ip range = 192.168.6.100-192.168.6.200
local ip = 192.168.6.99
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/ppp-options.xl2tpd
length bit = yes
========================================


Thanks to anyone here for your kind help!


2011/7/28 Curu Wong <prinbra at gmail.com>

> Maybe this has nothing to do with xl2tpd.
>
> I know that l2tp/ipsec will use transport mode. However, I managed to run
> the server in tunnel mode and let a Linux client (using openswan + xl2tpd)
> connect to the server, and it works.
>
> Then, when I change from tunnel mode to transport, the connection fails (the
> ipsec tunnel is still up, but it never gets to l2tp).
>
> Again, I ran tcpdump on the mast0 interface and found that in transport mode,
> the destination address of packets from the client has been changed to the
> internal address of the server. Thus I think that even if this packet can get
> to l2tpd, it will never go back to the client, because the client never knows
> the server's internal address.
>
> on clientA.
> ping GW(S.111.111.111)
> ========================================================================
> 22:53:28.841232 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
> 53249, seq 1, length 64
> 22:53:29.838744 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
> 53249, seq 2, length 64
> 22:53:30.840031 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
> 53249, seq 3, length 64
> 22:53:31.843266 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
> 53249, seq 4, length 64
> ========================================================================
>
> By the way, I added this line to my previous config to make it work in
> tunnel mode
> =============================
> leftsubnet=S.111.111.111/32 #public IP of the gw
> =============================
>
> and added the public IP as an alias interface
>
> ip addr add S.111.111.111/32 dev eth0 label eth0:0
>
> I don't know why in transport mode the dst IP changed to the l2tp/ipsec GW's
> internal IP; the tcpdump when using tunnel mode shows the public
> IP (S.111.111.111) and that works fine.
>
> 2011/7/28 Paul Wouters <paul at xelerance.com>
>
>> On Thu, 28 Jul 2011, Curu Wong wrote:
>>
>>> Now I am testing ipsec/l2tp with the server itself behind NAT. Here's the
>>> new network topology:
>>>
>>> clientA(192.168.9.106)----->clientGWA(A.111.111.111)-------->Server
>>> GW(S.111.111.111)------>l2tp/ipsec GW(192.168.11.19)
>>>
>>
>>
>>> but nothing happens to xl2tpd. The log just stops at this line:
>>> ======================================================
>>> Jul 28 14:38:13 tvpn xl2tpd[1660]: Listening on IP address 0.0.0.0, port
>>> 1701
>>>
>>
>> Specify the real IP address in listen-addr, do not let it default to ANY.
>>
>> Paul
>>
>
>
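The pluto log quoted above shows the symptom mechanically: the client proposes the gateway's public address, pluto installs the SA on its internal address, and the NAT-OA payloads are discarded. The Python below is an added example, not code from this thread or from Openswan, that correlates those lines from a constructed sample modelled on the quoted log and cross-checks xl2tpd's listen-addr the way Paul suggested; triage(), its finding labels and the sample are all assumptions of this example.

```python
import re

# Constructed sample modelled on the pluto log quoted in this thread; addresses
# are kept exactly as the poster redacted them, so they are not real IPs.
SAMPLE_LOG = """\
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: responding to Quick Mode proposal {msgid:03000000}
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:     us: 192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:   them: yyy.yy.248.161[+S=C]:17/1701
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x06e893de <0x94e87dbe xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}
"""

PROPOSED = re.compile(r"the peer proposed: (\S+?)/\d+:\d+/\d+ -> (\S+?)/\d+:\d+/\d+")
US = re.compile(r"\bus: (\S+?)<")
ESTABLISHED = re.compile(r"IPsec SA established (\w+) mode \{.*\bNATOA=(\S+)")
NATOA_IGNORED = "NAT-OA. ignored because peer is not NATed"


def triage(log_text, listen_addr=None):
    """Correlate one Quick Mode exchange; listen_addr is xl2tpd's listen-addr.
    Returns (parsed_state, findings)."""
    st = {"proposed_local": None, "us": None, "mode": None, "natoa": None, "natoa_ignored": False}
    for line in log_text.splitlines():
        if m := PROPOSED.search(line):
            st["proposed_local"] = m.group(1)  # address the client believes the server has
        elif m := US.search(line):
            st["us"] = m.group(1)              # address pluto actually installs the SA on
        elif m := ESTABLISHED.search(line):
            st["mode"], st["natoa"] = m.group(1), m.group(2)
        elif NATOA_IGNORED in line:
            st["natoa_ignored"] = True         # client sent NAT-OA, pluto discarded it
    findings = []
    if st["proposed_local"] and st["us"] and st["proposed_local"] != st["us"]:
        findings.append(f"responder-behind-nat: peer addresses {st['proposed_local']} "
                        f"but the local SA endpoint is {st['us']}")
        if st["mode"] == "transport":
            # Transport mode keeps the outer IP header, so after decapsulation the
            # L2TP datagram is addressed to an internal IP the client never negotiated.
            findings.append("transport-mode-under-nat: decapsulated L2TP is delivered to "
                            f"{st['us']}, an address unknown to the client")
    if st["natoa_ignored"] and st["natoa"] == "none":
        findings.append("natoa-ignored: NAT-OA payloads were received but not applied, "
                        "so no original-address fix-up is in place for transport mode")
    if listen_addr and st["us"] and listen_addr != st["us"]:
        findings.append(f"xl2tpd-listen-mismatch: listen-addr {listen_addr} != SA endpoint {st['us']}")
    return st, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, listen_addr="192.168.6.18")[1]:
        print(finding)
```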