[Openswan Users] More than one user behind NAT device

Linden Varley Linden.Varley at lisasoft.com
Mon Oct 24 23:28:20 EDT 2011


I have two users behind a NAT router trying to connect to an OpenSwan server. After they have both connected, the original user can no longer establish an ipsec connection. I need to reset the ADSL Router (NAT device) in order for the user to connect again.

i.e.
User1 connects then disconnects
User2 connects then disconnects
User1 can no longer connect.
User2 can still connect.



xl2tpd.conf

[global]
ipsec saref = yes

[lns default]
ip range = <vpnrange>
local ip = <vpnip>
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes



ipsec.conf

config setup
        nat_traversal=yes
        oe=off
        interfaces="%defaultroute"
        protostack=mast
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=<externalIP>
        right=%any
        rightprotoport=17/%any
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        overlapip=yes
        sareftrack=yes



I'm running Debian 6.0.3 with a SAref patched 2.6.32 kernel.

ipsec verify shows

Kernel: IPsec SAref kernel support      [OK]
Kernel: IPsec SAref Bind kernel support [OK]



/var/log/auth.log shows ipsec getting stuck at the following:

pluto[1718]: packet from <Nat External IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[1718]: packet from <Nat External IP>:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[1718]: packet from <Nat External IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[1718]: packet from <Nat External IP>:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[1718]: "L2TP-PSK-NAT"[5] <Nat External IP> #6: responding to Main Mode from unknown peer 220.233.77.199
pluto[1718]: "L2TP-PSK-NAT"[5] <Nat External IP> #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[1718]: "L2TP-PSK-NAT"[5] <Nat External IP> #6: STATE_MAIN_R1: sent MR1, expecting MI2

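A small log triage helper for the symptom above, added here as an example and not part of the original post or of Openswan: it parses pluto lines of the form shown in the message, tracks each ISAKMP SA's last Main Mode state, and reports SAs that stopped at STATE_MAIN_R1 (MR1 sent, MI2 never received) next to SAs from the same peer address that did establish. The sample log lines and the 203.0.113.10 peer address are constructed placeholders.

```python
import re

# Constructed sample pluto lines modelled on the post; 203.0.113.10 stands in for the NAT device.
SAMPLE_LOG = """\
pluto[1718]: "L2TP-PSK-NAT"[5] 203.0.113.10 #6: responding to Main Mode from unknown peer 203.0.113.10
pluto[1718]: "L2TP-PSK-NAT"[5] 203.0.113.10 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[1718]: "L2TP-PSK-NAT"[5] 203.0.113.10 #6: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[1718]: "L2TP-PSK-NAT"[4] 203.0.113.10 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[1718]: "L2TP-PSK-NAT"[4] 203.0.113.10 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[1718]: "L2TP-PSK-NAT"[4] 203.0.113.10 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[1718]: "L2TP-PSK-NAT"[4] 203.0.113.10 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# One pluto line carrying an SA number: "<conn>"[<instance>] <peer> #<sa>: <message>
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")


def track_isakmp_sas(log_text):
    """Map SA number -> {conn, peer, state, established}, built from the transition lines."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # vendor-ID and other "packet from" lines carry no SA number
        rec = sas.setdefault(int(m["sa"]), {"conn": m["conn"], "peer": m["peer"],
                                            "state": None, "established": False})
        t = TRANSITION_RE.search(m["msg"])
        if t:
            rec["state"] = t.group(2)
        if "ISAKMP SA established" in m["msg"]:
            rec["established"] = True
    return sas


def find_stalled(log_text, stall_state="STATE_MAIN_R1"):
    """SAs whose last state is stall_state (sent MR1, never got MI2) and never established."""
    return [dict(sa=sa, **rec) for sa, rec in track_isakmp_sas(log_text).items()
            if rec["state"] == stall_state and not rec["established"]]


def stalls_by_peer(log_text):
    """Per peer address: stalled vs. established SAs; stalls beside successes from one
    address point at the shared NAT device rather than at a single client."""
    stalled = {r["sa"] for r in find_stalled(log_text)}
    counts = {}
    for sa, rec in track_isakmp_sas(log_text).items():
        c = counts.setdefault(rec["peer"], {"stalled": 0, "established": 0})
        if sa in stalled:
            c["stalled"] += 1
        elif rec["established"]:
            c["established"] += 1
    return counts
```

Feed it the relevant slice of /var/log/auth.log; an SA listed by find_stalled while another from the same address established is the pattern the post describes.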