[Openswan Users] How to configure nat_traversal in /etc/ipsec.conf

tony.blue.mailinglist at gmx.de tony.blue.mailinglist at gmx.de
Sun Jan 6 15:28:46 EST 2013


Hello,

I am trying to connect my iPhone through a VPN (IPsec/L2TP) tunnel


1) from the mobile Internet and
2) from within my WLAN.

The network structure looks like this:

LAN (192.168.0.X)
|
iPhone (192.168.4.3)  --- Wlan --- Router/Firewall (192.168.4.254) --- 
Internet (dynamic IP) --- iPhone (dynamic IP)
       | | | |
       +----- VPN2 (ipsec/l2tp) 
--------------+                                +--- VPN1 (ipsec/l2tp) 
-----------------------------+

With nat_traversal=yes, VPN1 works but VPN2 does not.

With nat_traversal=no, VPN1 does not work but VPN2 does.

How can I configure Openswan so that both VPN1 and VPN2 work?

----> /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
         # Global NAT-T switch: it applies to both conns below, including the
         # WLAN peer that sits on the same subnet (192.168.4.3 -> 192.168.4.254),
         # which is where the two VPNs disagree (see the auth.log excerpt).
         nat_traversal=yes
         nhelpers=0
         oe=off
         protostack=netkey

# Add connections here

conn L2TP-PSK # VPN1
         # Road-warrior L2TP/IPsec on the Internet side (dynamic IP on ppp0
         # per the ipsec.secrets excerpt); reported to work with
         # nat_traversal=yes and to fail with nat_traversal=no.
         authby=secret
         pfs=no
         rekey=no
         keyingtries=3
         # Bind to the address of the default route (the public side).
         left=%defaultroute
         # L2TP on UDP/1701; the client's source port varies (the log shows
         # the WLAN peer proposing port 0 and later 52511), hence %any below.
         leftprotoport=17/1701
         # Any peer from any address is accepted; the PSK (authby=secret) is
         # the only IPsec-level authentication for these connections.
         right=%any
         rightprotoport=17/%any
         rightsubnetwithin=0.0.0.0/0
         auto=add

conn L2TP-PSK-WLAN # VPN2
         # Same-subnet peer (iPhone 192.168.4.3 on the WLAN, no NAT in between).
         # Reported to work only with nat_traversal=no. With nat_traversal=yes
         # the auth.log shows pluto detecting "no NAT", the peer nevertheless
         # floating to port 4500 and proposing ENCAPSULATION_MODE_UDP_TRANSPORT_RFC,
         # which pluto rejects with BAD_PROPOSAL_SYNTAX because NAT-T was not
         # detected - so no IPsec SA is ever established for this conn.
         # NOTE(review): Openswan's per-conn option forceencaps=yes exists for
         # this situation (a peer that insists on RFC-3948 UDP encapsulation
         # although no NAT was detected); it requires nat_traversal=yes in
         # config setup, which would keep VPN1 working. Untested here -
         # confirm against ipsec.conf(5) for the installed version.
         authby=secret
         pfs=no
         rekey=no
         keyingtries=3
         # Bind to the WLAN-side address of the router/firewall.
         left=192.168.4.254
         leftprotoport=17/1701
         right=%any
         rightprotoport=17/%any
         rightsubnetwithin=0.0.0.0/0
         auto=add

---> /etc/ipsec.secret
include /var/lib/openswan/ipsec.secrets.inc
(ppp0) XX.XX.XX.XX  %any: PSK "secret1"
(wlan) 192.168.4.254  %any: PSK "secret2"


---> /var/log/auth.log with nat_traversal=yes, while trying to connect VPN2:

Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
responding to Main Mode from unknown peer 192.168.4.3
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
STATE_MAIN_R1: sent MR1, expecting MI2
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT 
detected
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
STATE_MAIN_R2: sent MR2, expecting MI3
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
Main mode peer ID is ID_IPV4_ADDR: '192.168.4.3'
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
new NAT mapping for #12, was 192.168.4.3:500, now 192.168.4.3:4500
Jan  6 20:42:55 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan  6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
the peer proposed: 192.168.4.254/32:17/1701 -> 192.168.4.3/32:17/0
Jan  6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #13: 
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal 
is detected
Jan  6 20:42:56 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #13: 
sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.4.3:4500
Jan  6 20:42:59 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
the peer proposed: 192.168.4.254/32:17/1701 -> 192.168.4.3/32:17/52511
...
Jan  6 20:43:23 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #22: 
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal 
is detected
Jan  6 20:43:23 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #22: 
sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.4.3:4500
Jan  6 20:43:26 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3 #12: 
received Delete SA payload: deleting ISAKMP State #12
Jan  6 20:43:26 micky pluto[7159]: "L2TP-PSK-WLAN"[2] 192.168.4.3: 
deleting connection "L2TP-PSK-WLAN" instance with peer 192.168.4.3 
{isakmp=#0/ipsec=#0}
Jan  6 20:43:26 micky pluto[7159]: packet from 192.168.4.3:4500: 
received and ignored informational message


-----> /etc/ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # plutodebug / klipsdebug = "all", "none" or a combination from below:
         # "raw crypt parsing emitting control klips pfkey natt x509 private"
         # eg: plutodebug="control parsing"
         #
         # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
         #
         # NAT-TRAVERSAL support, see README.NAT-Traversal
         # Global: applies to every conn, including the same-subnet WLAN peer
         # (see the auth.log excerpt for the resulting BAD_PROPOSAL_SYNTAX).
         nat_traversal=yes
         # Commented out (the posted file shows this line mail-wrapped in two).
         # If it is ever enabled, note that 192.168.0.0/16 also covers this
         # host's own LAN (192.168.0.X) and the WLAN (192.168.4.x).
         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
         #
         # enable this if you see "failed to find any available worker"
         nhelpers=0
         oe=off
         protostack=netkey

# Add connections here

conn L2TP-PSK
         # VPN1: L2TP/IPsec road-warrior on the Internet-facing default route;
         # reported to work with nat_traversal=yes and to fail with =no.
         authby=secret
         pfs=no
         rekey=no
         keyingtries=3
         left=%defaultroute
         leftprotoport=17/1701
         # Any peer from any address; the PSK (authby=secret) is the only
         # IPsec-level authentication for these connections.
         right=%any
         rightprotoport=17/%any
         rightsubnetwithin=0.0.0.0/0
         auto=add
         # The lines below look like leftovers from a template (inferred), now
         # sitting inside this conn; harmless while they stay commented out.
         # sample VPN connections, see /etc/ipsec.d/examples/


         #Disable Opportunistic Encryption
         # include /etc/ipsec.d/examples/no_oe.conf

conn L2TP-PSK-WLAN
         # VPN2: same-subnet iPhone (192.168.4.3) to the WLAN address below.
         # Reported to work only with nat_traversal=no; with =yes the auth.log
         # shows the peer proposing ENCAPSULATION_MODE_UDP_TRANSPORT_RFC while
         # pluto found "no NAT detected", ending in BAD_PROPOSAL_SYNTAX.
         # NOTE(review): Openswan's per-conn forceencaps=yes option targets
         # this case and requires nat_traversal=yes in config setup; untested
         # here - confirm against ipsec.conf(5) for the installed version.
         authby=secret
         pfs=no
         rekey=no
         keyingtries=3
         left=192.168.4.254
#       leftnexthop=%defaultroute
         leftprotoport=17/1701
         right=%any
         rightprotoport=17/%any
         rightsubnetwithin=0.0.0.0/0
         auto=add
         # Leftover template comments (inferred); harmless while commented out.
         # sample VPN connections, see /etc/ipsec.d/examples/


         #Disable Opportunistic Encryption
         # include /etc/ipsec.d/examples/no_oe.conf


