[Openswan Users] L2TP/IPSec not working without NAT
Muenz, Michael
m.muenz at spam-fetish.org
Tue Apr 24 03:02:51 EDT 2012
Hey List,
I'm running a fresh 2.6.38 openswan installation with xl2tpd 1.3.1
without any problems (Site-2-Site and RW).
Users can log in from everywhere with UMTS, DSL etc., but only as long as
they are NATed (road warriors, of course).
Here's one log from a user (UMTS) without NAT:
Apr 23 14:11:18 ipsec-gw pluto[26464]: packet from X.X.X.X:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 23 14:11:18 ipsec-gw pluto[26464]: packet from X.X.X.X:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 23 14:11:18 ipsec-gw pluto[26464]: packet from X.X.X.X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 23 14:11:18 ipsec-gw pluto[26464]: packet from X.X.X.X:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 23 14:11:18 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: responding to Main Mode from unknown peer X.X.X.X
Apr 23 14:11:18 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 23 14:11:18 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=XY, L=XY, O=XY,CN=user.XY.com'
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: switched from "l2tp-X.509" to "l2tp-X.509"
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: deleting connection "l2tp-X.509" instance with peer X.X.X.X {isakmp=#0/ipsec=#0}
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: I am sending my cert
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: the peer proposed: Y.Y.Y.Y/32:17/1701 -> X.X.X.X/32:17/0
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: cannot respond to IPsec SA request because no connection is known for Y.Y.Y.Y<Y.Y.Y.Y>[C=DE, ST=XY, L=XY, O=XY, CN=ipsec-gw.XY.com]:17/1701...X.X.X.X[C=DE, ST=XY, L=XY, O=XY, CN=user.XY.com]:17/%any
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.X:500
Apr 23 14:11:20 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: the peer proposed: Y.Y.Y.Y/32:17/1701 -> X.X.X.X/32:17/0
Apr 23 14:11:20 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: cannot respond to IPsec SA request because no connection is known for Y.Y.Y.Y<Y.Y.Y.Y>[C=DE, ST=XY, L=XY, O=XY, CN=ipsec-gw.XY.com]:17/1701...X.X.X.X[C=DE, ST=XY, L=XY, O=XY, CN=user.XY.com]:17/%any
This is my config:
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=internal-networks
    uniqueids=yes
    plutowait=no
    protostack=klips

conn l2tp-X.509
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=Y.Y.Y.Y
    leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/ipsec-gw.XY.com.cer
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
When the client logs in via another service provider where it gets
NATed, the connection works fine.
I did some testing switching vhost priv and no without success.
Any ideas?
Thanks
Michael
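An added triage helper, not part of the post above: it parses pluto log lines in the format shown (the sample is constructed from the post's own redacted lines), groups them by ISAKMP SA number and flags SAs where Main Mode completed but the Quick Mode proposal was rejected with INVALID_ID_INFORMATION, which is the pattern in the log above. Regex field names and the summary dict layout are my own.

```python
import re

# Constructed sample in Openswan pluto's syslog format; addresses redacted as in the post.
SAMPLE_LOG = """\
Apr 23 14:11:18 ipsec-gw pluto[26464]: packet from X.X.X.X:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1311] X.X.X.X #3125: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: the peer proposed: Y.Y.Y.Y/32:17/1701 -> X.X.X.X/32:17/0
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: cannot respond to IPsec SA request because no connection is known for Y.Y.Y.Y<Y.Y.Y.Y>[CN=ipsec-gw.XY.com]:17/1701...X.X.X.X[CN=user.XY.com]:17/%any
Apr 23 14:11:19 ipsec-gw pluto[26464]: "l2tp-X.509"[1312] X.X.X.X #3125: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.X:500
"""

# syslog prefix, then the optional '"conn"[instance] peer #sa: ' prefix pluto adds once an SA exists
LINE_RE = re.compile(
    r'^\w{3} +\d+ [\d:]{8} \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$')
NAT_RE = re.compile(r'NAT-Traversal: Result using \S+: (.+)$')
SA_RE = re.compile(r'ISAKMP SA established \{([^}]*)\}')
PROPOSED_RE = re.compile(r'the peer proposed: (\S+):(\d+)/(\d+) -> (\S+):(\d+)/(\d+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (\w+) to')

def summarize_pluto_log(text):
    """Group pluto messages by ISAKMP SA number (#NNNN) and pull out the facts
    that matter when an L2TP/IPsec road-warrior negotiation fails."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['sa'] is None:          # "packet from ..." lines carry no SA yet
            continue
        sa = sas.setdefault(m['sa'], {'conn': m['conn'], 'peer': m['peer'], 'nat': None,
                                      'phase1': None, 'proposals': [], 'notifications': []})
        msg = m['msg']
        if n := NAT_RE.search(msg):           # e.g. "no NAT detected"
            sa['nat'] = n[1]
        elif e := SA_RE.search(msg):          # "auth=... cipher=... prf=... group=..." -> dict
            sa['phase1'] = dict(kv.split('=', 1) for kv in e[1].split())
        elif p := PROPOSED_RE.search(msg):    # src/mask:proto/port -> dst/mask:proto/port
            src, sproto, sport, dst, dproto, dport = p.groups()
            sa['proposals'].append((src, int(sproto), int(sport), dst, int(dproto), int(dport)))
        elif t := NOTIFY_RE.search(msg):
            sa['notifications'].append(t[1])
    return sas

def phase2_failures(sas):
    """SA numbers where Phase 1 completed, the peer proposed selectors, and the
    gateway answered with INVALID_ID_INFORMATION (no conn matched the proposal)."""
    return sorted(num for num, sa in sas.items()
                  if sa['phase1'] and sa['proposals']
                  and 'INVALID_ID_INFORMATION' in sa['notifications'])
```

Run over a real /var/log/auth.log the summary shows per SA whether NAT was detected and which selector pair was refused, so the NATed and non-NATed attempts from the same user can be compared side by side.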