[Openswan Users] Asynchronous network error w/ Android 2.3 and NAT on both sides

Corrado Primier ilbardo at gmail.com
Tue Feb 21 14:53:32 EST 2012


Hi all,
as the subject says, I'm trying to get a VPN that is NATted on both
sides working with Android clients.
I hope somebody can help me because I'm really going mad; I tried
hundreds of configurations and literally *finished* the Google search
results on the matter, so I don't really know where to look anymore
:-)

The distro of choice is CentOS 6.2, kernel version
2.6.32-220.4.1.el6.x86_64, and I manually built an RPM of the latest
OpenSwan (2.6.37). I disabled SELinux to avoid problems.
My reference configuration comes from here:
http://confoundedtech.blogspot.com/2011/08/android-nexus-one-ipsec-psk-vpn-with.html
(and in fact the latest comment is mine)

Whenever I try to open a connection from the Android device on a
NATted network I get loads of asynchronous network errors (details and
logs later), while using the same device from a 3g provider that does
not NAT works great.

The server is configured as follows.


/etc/ipsec.conf:
----------------------
config setup
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	interfaces=%defaultroute
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!192.168.42.0/24,%v6:fd00::/8,%v6:fe80::/10
	oe=off
	protostack=netkey
	plutostderrlog=/var/log/pluto.log

conn l2tp
	authby=secret
	auto=add
	pfs=no
	type=transport
	rekey=no
	compress=yes
	left=192.168.42.2
	leftnexthop=192.168.42.1
	leftprotoport=17/1701
	right=%any
	rightnexthop=%defaultroute
	rightprotoport=17/%any
	rightsubnet=vhost:%priv,%no
	forceencaps=yes
	dpddelay=40
	dpdtimeout=130
	dpdaction=clear
----------------------


/etc/ipsec.secrets:
----------------------
: PSK "***REDACTED***"
----------------------


/etc/xl2tpd/xl2tpd.conf:
----------------------
[global]
listen-addr = 192.168.42.2
port = 1701
ipsec saref = no
auth file = /etc/ppp/chap-secrets
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes

[lns default]
ip range = 192.168.42.101-192.168.42.200
local ip = 192.168.42.3   ; Notice I'm on the same network - necessary since manual routes on Android are a PITA
require chap = yes
refuse pap = yes
require authentication = yes
name = ***REDACTED***
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
----------------------


/etc/ppp/chap-secrets
----------------------
vpn * "***REDACTED***" *
----------------------


/etc/ppp/options.xl2tpd:
----------------------
ipcp-accept-local
ipcp-accept-remote
noccp
auth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
ms-dns  192.168.42.1
----------------------


Basically, what happens in pluto.log is this (where CLIENTIP and
SERVERIP are the two public addresses, and CLIENTIP is dynamic):
----------------------
Plutorun started on Tue Feb 14 11:52:44 CET 2012
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.37; Vendor ID
OEu\134d\134jy\134\134ap) pid:23677
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=23678 (fd:4)
Using Linux 2.6 IPsec interface code on 2.6.32-220.4.1.el6.x86_64
(experimental code)
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Could not change to directory '/etc/ipsec.d/cacerts': /var/run/pluto
Could not change to directory '/etc/ipsec.d/aacerts': /var/run/pluto
Could not change to directory '/etc/ipsec.d/ocspcerts': /var/run/pluto
Could not change to directory '/etc/ipsec.d/crls'
added connection description "l2tp"
listening for IKE messages
adding interface eth0/eth0 192.168.42.2:500
adding interface eth0/eth0 192.168.42.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
loading secrets from "/etc/ipsec.secrets"
packet from CLIENTIP:500: received Vendor ID payload [RFC 3947] method
set to=109
packet from CLIENTIP:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from CLIENTIP:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
109
packet from CLIENTIP:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
packet from CLIENTIP:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
"l2tp"[1] CLIENTIP #1: responding to Main Mode from unknown peer CLIENTIP
"l2tp"[1] CLIENTIP #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
"l2tp"[1] CLIENTIP #1: STATE_MAIN_R1: sent MR1, expecting MI2
"l2tp"[1] CLIENTIP #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): both are NATed
"l2tp"[1] CLIENTIP #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
"l2tp"[1] CLIENTIP #1: STATE_MAIN_R2: sent MR2, expecting MI3
"l2tp"[1] CLIENTIP #1: Main mode peer ID is ID_IPV4_ADDR: 'CLIENTIP'
"l2tp"[1] CLIENTIP #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
"l2tp"[1] CLIENTIP #1: new NAT mapping for #1, was CLIENTIP:500, now
CLIENTIP:4500
"l2tp"[1] CLIENTIP #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
"l2tp"[1] CLIENTIP #1: Dead Peer Detection (RFC 3706): not enabled
because peer did not advertise it
"l2tp"[1] CLIENTIP #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT msgid=00000000
"l2tp"[1] CLIENTIP #1: received and ignored informational message
"l2tp"[1] CLIENTIP #1: the peer proposed: SERVERIP/32:17/1701 ->
CLIENTIP/32:17/0
"l2tp"[1] CLIENTIP #2: responding to Quick Mode proposal {msgid:ff4ff5b4}
"l2tp"[1] CLIENTIP #2:     us:
192.168.42.2<192.168.42.2>[+S=C]:17/1701---192.168.42.1
"l2tp"[1] CLIENTIP #2:   them: 192.168.42.1---CLIENTIP[+S=C]:17/0
"l2tp"[1] CLIENTIP #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
"l2tp"[1] CLIENTIP #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
installed, expecting QI2
"l2tp"[1] CLIENTIP #2: Dead Peer Detection (RFC 3706): not enabled
because peer did not advertise it
"l2tp"[1] CLIENTIP #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
"l2tp"[1] CLIENTIP #2: STATE_QUICK_R2: IPsec SA established transport
mode {ESP/NAT=>0x0d091c69 <0xcc54391c xfrm=3DES_0-HMAC_SHA1 NATOA=none
NATD=CLIENTIP:4500 DPD=none}
ERROR: asynchronous network error report on eth0 (sport=4500) for
message to CLIENTIP port 4500, complainant CLIENTIP: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth0 (sport=4500) for
message to CLIENTIP port 4500, complainant CLIENTIP: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth0 (sport=4500) for
message to CLIENTIP port 4500, complainant CLIENTIP: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth0 (sport=4500) for
message to CLIENTIP port 4500, complainant CLIENTIP: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth0 (sport=4500) for
message to CLIENTIP port 4500, complainant CLIENTIP: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth0 (sport=4500) for
message to CLIENTIP port 4500, complainant CLIENTIP: Connection
refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
forgetting secrets
loading secrets from "/etc/ipsec.secrets"
----------------------


And the connection dies. Hundreds of error lines add up as time goes
by, as if it's never properly closed. As I said, this does not happen
when right is not NATted, so I'm excluding a role for the firewall, and
forwarding should be OK on the server side, but I can post the
configuration if anybody is interested. Obviously, I often have no
control over client-side firewalls.
A curious thing that I noticed running tcpdump is that, when a
connection fails like this, the server keeps sending regular
NAT keepalive packets even hours after the connection was closed. I
think it's related to the error quantity I wrote about before.

Does anybody have any ideas/pointers/whatever?


Thanks,
Corrado
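
A small triage script for the pattern in the log above, added here as an example; it is not part of the original post and not Openswan code. It parses pluto.log lines for NAT-Traversal results, NAT port mappings, ISAKMP/IPsec SA establishment and "asynchronous network error" reports, then correlates them per peer so you can see at a glance that the ICMP errors arrive after the IPsec SA was installed and what they are: ICMP type 3 code 3 is "port unreachable" (RFC 792), so the address complaining (the client host, or the NAT in front of it) is telling the server that nothing is listening on UDP/4500 there any more. The sample log is constructed, modelled on the excerpt quoted above with the documentation address 198.51.100.23 standing in for CLIENTIP; the regular expressions assume the message format of the 2.6.37 build shown in the post.

```python
"""Correlate pluto.log SA events with ICMP 'asynchronous network error' reports.
Added example for triaging NAT-T failures; not Openswan's own code."""
import re
from collections import defaultdict

# Constructed sample modelled on the post's excerpt (198.51.100.23 stands in for CLIENTIP).
SAMPLE_LOG = """\
"l2tp"[1] 198.51.100.23 #1: responding to Main Mode from unknown peer 198.51.100.23
"l2tp"[1] 198.51.100.23 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
"l2tp"[1] 198.51.100.23 #1: new NAT mapping for #1, was 198.51.100.23:500, now 198.51.100.23:4500
"l2tp"[1] 198.51.100.23 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"l2tp"[1] 198.51.100.23 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0d091c69 <0xcc54391c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=198.51.100.23:4500 DPD=none}
ERROR: asynchronous network error report on eth0 (sport=4500) for message to 198.51.100.23 port 4500, complainant 198.51.100.23: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth0 (sport=4500) for message to 198.51.100.23 port 4500, complainant 198.51.100.23: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
ERROR: asynchronous network error report on eth0 (sport=4500) for message to 198.51.100.23 port 4500, complainant 198.51.100.23: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# Line shapes taken from the quoted pluto.log (Openswan 2.6.37); other builds may differ.
PEER_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
NAT_RESULT_RE = re.compile(r'^NAT-Traversal: Result using (?P<method>.+?): (?P<result>.+)$')
NAT_MAP_RE = re.compile(r'^new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)$')
ASYNC_ERR_RE = re.compile(
    r'^ERROR: asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) '
    r'for message to (?P<dst>\S+) port (?P<dport>\d+), complainant (?P<src>\S+): '
    r'(?P<text>.+?) \[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)')

# ICMP Destination Unreachable codes (RFC 792 / RFC 1122), for labelling only.
ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                3: "port unreachable", 4: "fragmentation needed", 13: "admin prohibited"}


def parse_pluto_log(text):
    """Return one dict per interesting line (SA milestones and ICMP error reports)."""
    events = []
    for line in text.splitlines():
        m = ASYNC_ERR_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(kind="async_error", type=int(d["type"]), code=int(d["code"]),
                     errno=int(d["errno"]), sport=int(d["sport"]), dport=int(d["dport"]))
            events.append(d)
            continue
        m = PEER_RE.match(line)
        if not m:
            continue
        base = {"conn": m.group("conn"), "peer": m.group("peer"), "sa": int(m.group("sa"))}
        msg = m.group("msg")
        if (n := NAT_RESULT_RE.match(msg)):
            events.append({**base, "kind": "nat_result", **n.groupdict()})
        elif (n := NAT_MAP_RE.match(msg)):
            events.append({**base, "kind": "nat_mapping", **n.groupdict()})
        elif "ISAKMP SA established" in msg:
            events.append({**base, "kind": "isakmp_established"})
        elif "IPsec SA established" in msg:
            events.append({**base, "kind": "ipsec_established"})
    return events


def summarize(events):
    """Per peer address: NAT-T outcome, port mapping, SA milestones, ICMP errors seen."""
    peers = defaultdict(lambda: {"nat": None, "mapping": None, "isakmp": False,
                                 "ipsec": False, "errors": [], "errors_after_ipsec": 0})
    for ev in events:
        if ev["kind"] == "async_error":
            p = peers[ev["dst"]]  # error is about a message we sent to this peer
            p["errors"].append((ev["type"], ev["code"], ev["src"]))
            if p["ipsec"]:
                p["errors_after_ipsec"] += 1
            continue
        p = peers[ev["peer"]]
        if ev["kind"] == "nat_result":
            p["nat"] = ev["result"]
        elif ev["kind"] == "nat_mapping":
            p["mapping"] = (ev["old"], ev["new"])
        elif ev["kind"] == "isakmp_established":
            p["isakmp"] = True
        elif ev["kind"] == "ipsec_established":
            p["ipsec"] = True
    return dict(peers)


def diagnose(summary):
    """Turn the per-peer summary into plain findings a responder can act on."""
    findings = []
    for peer, p in summary.items():
        unreach = [(t, c) for t, c, _ in p["errors"] if t == 3]
        if not unreach:
            continue
        codes = sorted({c for _, c in unreach})
        label = ", ".join(ICMP_UNREACH.get(c, f"code {c}") for c in codes)
        phase = "after the IPsec SA was installed" if p["ipsec"] else "before any IPsec SA"
        findings.append(f"{peer}: {len(unreach)} ICMP unreachable ({label}) {phase}; "
                        f"NAT-T result: {p['nat'] or 'unknown'}; port mapping: {p['mapping']}")
        if 3 in codes and p["ipsec"]:
            findings.append(f"{peer}: port unreachable for UDP/4500 after SA setup: the host or "
                            "NAT at that address reports no listener on 4500; capture UDP/4500 "
                            "on both sides before changing the IKE configuration")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(parse_pluto_log(SAMPLE_LOG))):
        print(finding)
```

Run it against a real pluto.log by reading the file into `parse_pluto_log`; the per-peer dictionary is also handy for spotting how many peers hit the error and whether any did so before the IPsec SA came up, which would point at a different problem than the one in this post.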

