[Openswan Users] Nat-traversal isn't detected.

Grzegorz Sterniczuk grzegorz.sterniczuk at scanx.pl
Tue Mar 27 15:21:05 EDT 2012


Hello,

I have one router behind NAT (this isn't my network, and the NAT is done by
some Linux box; I don't have access to it) that worked until today.
Nothing has been changed (on my routers). Now the non-NATed side is not
detecting NAT-traversal.

Both sides run CentOS 6 with Openswan 2.6.32.

Until this morning:
Mar 27 10:28:44 router pluto[13151]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Mar 27 10:28:44 router pluto[13151]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [Dead Peer Detection]
Mar 27 10:28:44 router pluto[13151]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 
Mar 27 10:28:44 router pluto[13151]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Mar 27 10:28:44 router pluto[13151]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 27 10:28:44 router pluto[13151]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 27 10:28:44 router pluto[13151]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: responding to Main Mode
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: received Vendor ID payload [Dead Peer Detection]
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: received Vendor ID payload [RFC 3947] method set to=109 
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: enabling possible NAT-traversal with method 4
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.11'
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: new NAT mapping for #1345, was 77.252.XXX.XXX:500, now 77.252.XXX.XXX:4500
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: Dead Peer Detection (RFC 3706): enabled
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: received Vendor ID payload [CAN-IKEv2]
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.11'
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1343: Dead Peer Detection (RFC 3706): enabled
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1346: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1343 msgid:6d3f1e8b proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: the peer proposed: 172.AAA.AAA.0/24:0/0 -> 172.XXX.XXX.0/24:0/0
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347: responding to Quick Mode proposal {msgid:94d4c712}
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347:     us: 172.AAA.AAA.0/24===213.AAA.AAA.130<213.AAA.AAA.130>[+S=C]---213.AAA.AAA.129
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347:   them: 77.252.XXX.XXX<77.252.XXX.XXX>[192.168.0.11,+S=C]===172.XXX.XXX.0/24
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1346: Dead Peer Detection (RFC 3706): enabled
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1346: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1346: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xf709e1ce <0x0444d5ea xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.252.XXX.XXX:4500 DPD=enabled}
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347: Dead Peer Detection (RFC 3706): enabled
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1347: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x46d6ba45 <0xfc7bad27 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.252.XXX.XXX:4500 DPD=enabled}

Now:
Mar 27 21:00:46 router pluto[9961]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Mar 27 21:00:46 router pluto[9961]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [Dead Peer Detection]
Mar 27 21:00:46 router pluto[9961]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 
Mar 27 21:00:46 router pluto[9961]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Mar 27 21:00:46 router pluto[9961]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 27 21:00:46 router pluto[9961]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 27 21:00:46 router pluto[9961]: packet from 77.252.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 27 21:00:46 router pluto[9961]: "nat-network" #265: responding to Main Mode
Mar 27 21:00:46 router pluto[9961]: "nat-network" #265: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 27 21:00:46 router pluto[9961]: "nat-network" #265: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 27 21:00:46 router pluto[9961]: "nat-network" #265: ERROR: asynchronous network error report on eth1 (sport=500) for message to 77.252.XXX.XXX port 500, complainant 77.252.XXX.XXX: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 27 21:00:46 router pluto[9961]: "nat-network" #264: ERROR: asynchronous network error report on eth1 (sport=500) for message to 77.252.XXX.XXX port 500, complainant 77.252.XXX.XXX: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Can anybody help to debug/repair this?

-- 
Grzegorz Sterniczuk
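An added example, not part of the original post and not Openswan code: a small Python triage script that parses pluto log lines like those quoted above, groups them by ISAKMP SA number, and reports whether NAT-T was detected with the port float to UDP 4500, or whether the exchange stalled after the peer answered with ICMP port unreachable. The sample lines are constructed from the post's output (same address masking); the regexes and verdict strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the pluto output quoted in the post
# (addresses masked the same way the poster masked them).
SAMPLE_LOG = """\
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: new NAT mapping for #1345, was 77.252.XXX.XXX:500, now 77.252.XXX.XXX:4500
Mar 27 10:28:44 router pluto[13151]: "nat-network" #1345: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 27 21:00:46 router pluto[9961]: "nat-network" #265: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 27 21:00:46 router pluto[9961]: "nat-network" #265: ERROR: asynchronous network error report on eth1 (sport=500) for message to 77.252.XXX.XXX port 500, complainant 77.252.XXX.XXX: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
NATMAP_RE = re.compile(r'new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)')
ICMP_RE = re.compile(r'origin ICMP type (?P<type>\d+) code (?P<code>\d+)')
STATE_RE = re.compile(r'(STATE_\w+):')

def triage(log_text):
    # One record per ISAKMP SA number (the "#NNN" in each pluto line).
    sas = defaultdict(lambda: {"nat_detected": False, "floated_to_4500": False,
                               "isakmp_established": False, "icmp_unreachable": False, "last_state": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:          # "packet from ..." lines carry no SA number; skip them
            continue
        rec = sas[int(m.group("sa"))]
        msg = m.group("msg")
        if "peer is NATed" in msg:                     # RFC 3947 NAT-D result
            rec["nat_detected"] = True
        nm = NATMAP_RE.search(msg)
        if nm and nm.group("new").endswith(":4500"):   # port float to UDP 4500 happened
            rec["floated_to_4500"] = True
        if "ISAKMP SA established" in msg:
            rec["isakmp_established"] = True
        im = ICMP_RE.search(msg)
        if im and (im.group("type"), im.group("code")) == ("3", "3"):  # ICMP port unreachable
            rec["icmp_unreachable"] = True
        sm = STATE_RE.match(msg)                       # "STATE_MAIN_R1: sent MR1, ..." lines
        if sm:
            rec["last_state"] = sm.group(1)
    return dict(sas)

def diagnose(rec):
    if rec["isakmp_established"] and rec["floated_to_4500"]:
        return "ok: NAT-T negotiated and ports floated to UDP 4500"
    if rec["icmp_unreachable"] and not rec["nat_detected"]:
        return ("fail: peer answered UDP 500 with ICMP port unreachable before NAT-D "
                "was evaluated; exchange stalled at %s" % rec["last_state"])
    return "incomplete: no error seen and no ISAKMP SA established"
```

Run it over a real `/var/log/secure` extract to see which SA numbers reached the port float and which stalled at MR1.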