[Openswan Users] iOS devices not always being detected and NATted. (Neville)

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Jan 22 13:07:20 EST 2013


Have you tried setting "forceencaps=yes" in the nat conn?

Nick

On 22/01/2013 10:28, Neville wrote:
> Still failing, but it will eventually connect.  Can anyone shed any light on
> this?
>
> Trace Below.
>
> Failed Connection.
>
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring
> unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [MS NT5 ISAKMPOAKLEY 00000009]
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: received Vendor
> ID payload [RFC 3947] method set to=115
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: received Vendor
> ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
> method 115
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [FRAGMENTATION]
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [MS-Negotiation Discovery Capable]
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [Vid-Initial-Contact]
> Jan 22 10:22:07 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [IKE CGA version 1]
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> responding to Main Mode from unknown peer 192.168.1.127
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is
> NATed
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> Main mode peer ID is ID_IPV4_ADDR: '192.168.1.127'
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #112:
> switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #112:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #112:
> new NAT mapping for #112, was 46.X.X.X:500, now 46.X.X.X:4500
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 46.X.X.X #112:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_256 prf=oakley_sha group=modp2048}
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 46.X.X.X #112: Dead
> Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 46.X.X.X #112: the
> peer proposed: 91.204.208.146/32:17/1701 -> 192.168.1.127/32:17/0
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 46.X.X.X #112:
> NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 46.X.X.X #113: new NAT
> mapping for #113, was 46.X.X.X:4500, now 192.168.1.127:4500
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #112:
> new NAT mapping for #112, was 46.X.X.X:4500, now 192.168.1.127:4500
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #113:
> responding to Quick Mode proposal {msgid:01000000}
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #113:
> us: 91.204.208.146:17/1701---91.204.208.146
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #113:
> them: 192.168.1.127:17/1701===192.168.1.127/32
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #113:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #113:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan 22 10:22:08 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #113:
> discarding duplicate packet; already STATE_QUICK_R1
> Jan 22 10:22:19 ssl7 last message repeated 3 times
> Jan 22 10:22:24 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #111:
> max number of retransmissions (2) reached STATE_MAIN_R2
> Jan 22 10:22:24 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127:
> deleting connection "L2TP-PSK-NAT" instance with peer 192.168.1.127
> {isakmp=#0/ipsec=#0}
>
> Successful Connection after trying 3 times.
>
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring
> unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [MS NT5 ISAKMPOAKLEY 00000009]
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: received Vendor
> ID payload [RFC 3947] method set to=115
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: received Vendor
> ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
> method 115
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [FRAGMENTATION]
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [MS-Negotiation Discovery Capable]
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [Vid-Initial-Contact]
> Jan 22 10:23:17 ssl7 pluto[28557]: packet from 46.X.X.X:500: ignoring Vendor
> ID payload [IKE CGA version 1]
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> responding to Main Mode from unknown peer 46.X.X.X
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is
> NATed
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115: Main
> mode peer ID is ID_IPV4_ADDR: '192.168.1.127'
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[43] 46.X.X.X #115:
> switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #115:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #115: new NAT
> mapping for #115, was 46.X.X.X:500, now 46.X.X.X:4500
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #115:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_256 prf=oakley_sha group=modp2048}
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #115: Dead
> Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #115: the
> peer proposed: 91.204.208.146/32:17/1701 -> 192.168.1.127/32:17/0
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #115:
> NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116:
> responding to Quick Mode proposal {msgid:01000000}
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116:     us:
> 91.204.208.146:17/1701---91.204.208.146
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116:   them:
> 46.X.X.X[192.168.1.127]:17/1701===192.168.1.127/32
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116: Dead
> Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa0128c7c
> <0x1484e9a3 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.127 NATD=46.X.X.X:4500
> DPD=none}
>
> Thx
> Nev

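Added example, not part of the original thread: a small Python triage script for pluto log lines in the format quoted above. It flags the visible difference between the two traces: in the failed attempt a "new NAT mapping" moves the state from the public NAT address to a private one, while the successful attempt only shows the normal 500 to 4500 port float. The sample lines are excerpts of the quoted traces with the mail wrapping re-joined; the function and pattern names are illustrative.

```python
import ipaddress
import re

# Constructed sample: lines from the two quoted traces, with mail wrapping re-joined.
SAMPLE = """\
Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #112: new NAT mapping for #112, was 46.X.X.X:500, now 46.X.X.X:4500
Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 46.X.X.X #113: new NAT mapping for #113, was 46.X.X.X:4500, now 192.168.1.127:4500
Jan 22 10:22:07 ssl7 pluto[28557]: "L2TP-PSK-NAT"[42] 192.168.1.127 #112: new NAT mapping for #112, was 46.X.X.X:4500, now 192.168.1.127:4500
Jan 22 10:22:24 ssl7 pluto[28557]: "L2TP-PSK-NAT"[41] 192.168.1.127 #111: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #115: new NAT mapping for #115, was 46.X.X.X:500, now 46.X.X.X:4500
Jan 22 10:23:17 ssl7 pluto[28557]: "L2TP-PSK-NAT"[44] 46.X.X.X #116: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa0128c7c <0x1484e9a3 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.127 NATD=46.X.X.X:4500 DPD=none}
"""

# IPv4 hosts only: the host part stops at the first colon.
MAPPING = re.compile(r"new NAT mapping for #(\d+), was ([^\s:]+):\d+, now ([^\s:]+):\d+")
TIMEOUT = re.compile(r"#(\d+): max number of retransmissions \(\d+\) reached (\w+)")
ESTABLISHED = re.compile(r"#(\d+): STATE_QUICK_R2: IPsec SA established")

def is_private(host):
    """True when host parses as an address in a private range (e.g. RFC 1918)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # masked addresses such as 46.X.X.X count as public
        return False

def analyse(log):
    """Collect the pluto events that separate the failed attempt from the good one."""
    out = {"private_remap": [], "timeouts": [], "established": []}
    for line in log.splitlines():
        if m := MAPPING.search(line):
            state, old, new = int(m.group(1)), m.group(2), m.group(3)
            # A port float 500 -> 4500 on the same address is normal NAT-T.
            # A jump from the public address to a private one is not.
            if is_private(new) and not is_private(old):
                out["private_remap"].append((state, old, new))
        elif m := TIMEOUT.search(line):
            out["timeouts"].append((int(m.group(1)), m.group(2)))
        elif m := ESTABLISHED.search(line):
            out["established"].append(int(m.group(1)))
    return out

if __name__ == "__main__":
    for kind, events in analyse(SAMPLE).items():
        print(kind, events)
```
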

