[Openswan Users] NAT-Traversal issue

Ozai ozai.tien at gmail.com
Fri Nov 8 05:53:31 UTC 2013


Hi Dan,

Because I do not use certificates to do authentication, I ignore it.

Best Regards,
Ozai
  ----- Original Message ----- 
  From: Dan Cave 
  To: Bart Smink ; Ozai 
  Cc: users at lists.openswan.org 
  Sent: Friday, November 08, 2013 6:35 PM
  Subject: Re: [Openswan Users] NAT-Traversal issue


  Um... not sure if anyone picked up on these messages that show issues with certs.


  Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
  Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
  Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
  Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
  Nov  8 09:00:13 authpriv warn pluto[8242]: added connection description "test"
  Nov  8 09:00:13 daemon err ipsec__plutorun: 002 added connection description "test"
  Nov  8 09:00:14 authpriv warn pluto[8242]: listening for IKE messages


  I'd start by trying to fix that? #maybeRelevant?


  Sent from Samsung Mobile


  -------- Original message --------
  From: Bart Smink 
  Date:08/11/2013 10:23 (GMT+00:00) 
  To: Ozai 
  Cc: users at lists.openswan.org 
  Subject: Re: [Openswan Users] NAT-Traversal issue 


  Hi Ozai,


  It could be that the router that is in front of the client that is trying to connect is altering the packets with IPsec-passthrough functions. Sometimes this breaks the connection and it is better to turn these features off. You could try to connect directly and see if that works. On the openswan 2.6.38 computer, what kernel version do you run? And which linux distribution? And the NAT is done by which device?


  Greetings,


  Bart




  2013/11/8 Ozai <ozai.tien at gmail.com>

    Dear Sirs,

    The messages are from the server. It seems that the client did not transform the IP address, so the server cannot check anything. It seems the NAT traversal could not work. What kernel feature do I need to enable? Or anything else I need to check?
    Can someone point me in the right direction? Please help, thanks.

    Best Regards,
    Ozai

    Nov  8 09:00:09 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
    Nov  8 09:00:09 daemon err ipsec_setup: Using NETKEY(XFRM) stack
    Nov  8 09:00:11 authpriv err ipsec__plutorun: Starting Pluto subsystem...
    Nov  8 09:00:11 user warn syslog: adjusting ipsec.d to /var/ipsec.d
    Nov  8 09:00:11 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
    Nov  8 09:00:11 authpriv warn pluto[8242]: WARNING: 1DES is enabled
    Nov  8 09:00:11 authpriv warn pluto[8242]: LEAK_DETECTIVE support [disabled]
    Nov  8 09:00:11 authpriv warn pluto[8242]: OCF support for IKE [disabled]
    Nov  8 09:00:11 authpriv warn pluto[8242]: NSS support [disabled]
    Nov  8 09:00:11 authpriv warn pluto[8242]: HAVE_STATSD notification support not compiled in
    Nov  8 09:00:11 authpriv warn pluto[8242]: Setting NAT-Traversal port-4500 floating to off
    Nov  8 09:00:11 authpriv warn pluto[8242]:    port floating activation criteria nat_t=0/port_float=1
    Nov  8 09:00:11 authpriv warn pluto[8242]:    NAT-Traversal support  [disabled]
    Nov  8 09:00:11 authpriv warn pluto[8242]: using /dev/urandom as source of random entropy
    Nov  8 09:00:11 daemon err ipsec_setup: ...Openswan IPsec started
    Nov  8 09:00:11 authpriv warn pluto[8242]: starting up 1 cryptographic helpers
    Nov  8 09:00:11 authpriv warn pluto[8242]: started helper pid=8244 (fd:6)
    Nov  8 09:00:11 authpriv warn pluto[8244]: using /dev/urandom as source of random entropy
    Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
    Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
    Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
    Nov  8 09:00:13 authpriv warn pluto[8242]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
    Nov  8 09:00:13 authpriv warn pluto[8242]: added connection description "test"
    Nov  8 09:00:13 daemon err ipsec__plutorun: 002 added connection description "test"
    Nov  8 09:00:14 authpriv warn pluto[8242]: listening for IKE messages
    Nov  8 09:00:14 authpriv warn pluto[8242]: adding interface eth3.1/eth3.1 192.17.200.110:500
    Nov  8 09:00:14 authpriv warn pluto[8242]: adding interface br0/br0 192.168.12.254:500
    Nov  8 09:00:14 authpriv warn pluto[8242]: adding interface lo/lo 127.0.0.1:500
    Nov  8 09:00:14 authpriv warn pluto[8242]: adding interface lo/lo ::1:500
    Nov  8 09:00:14 authpriv warn pluto[8242]: loading secrets from "/var/ipsec.secrets"
    Nov  8 09:00:15 authpriv warn pluto[8242]: "test": deleting connection
    Nov  8 09:00:15 authpriv warn pluto[8242]: added connection description "test"
    Nov  8 09:00:15 authpriv warn pluto[8242]: "test" #1: initiating Main Mode
    Nov  8 09:00:15 authpriv warn pluto[8242]: "test" #1: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:00:20 authpriv warn pluto[8242]: packet from 192.17.200:1: received Vendor ID payload [Dead Peer Detection]
    Nov  8 09:00:20 authpriv warn pluto[8242]: "test" #2: responding to Main Mode
    Nov  8 09:00:20 authpriv warn pluto[8242]: "test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Nov  8 09:00:20 authpriv warn pluto[8242]: "test" #2: STATE_MAIN_R1: sent MR1, expecting MI2
    Nov  8 09:00:21 authpriv warn pluto[8242]: "test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Nov  8 09:00:21 authpriv warn pluto[8242]: "test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
    Nov  8 09:00:21 authpriv warn pluto[8242]: "test" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
    Nov  8 09:00:21 authpriv warn pluto[8242]: "test" #2: no suitable connection for peer '192.168.11.2'
    Nov  8 09:00:21 authpriv warn pluto[8242]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:00:25 authpriv warn pluto[8242]: "test" #1: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:00:31 authpriv warn pluto[8242]: "test" #2: no suitable connection for peer '192.168.11.2'
    Nov  8 09:00:31 authpriv warn pluto[8242]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:00:45 authpriv warn pluto[8242]: "test" #1: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:00:51 authpriv warn pluto[8242]: "test" #2: no suitable connection for peer '192.168.11.2'
    Nov  8 09:00:51 authpriv warn pluto[8242]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:01:25 authpriv warn pluto[8242]: "test" #1: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:01:31 authpriv warn pluto[8242]: packet from 192.17.200.79:1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
    Nov  8 09:01:31 authpriv warn pluto[8242]: packet from 192.17.200.79:1: received Vendor ID payload [Dead Peer Detection]
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: responding to Main Mode
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: STATE_MAIN_R1: sent MR1, expecting MI2
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: STATE_MAIN_R2: sent MR2, expecting MI3
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: no suitable connection for peer '192.168.11.2'
    Nov  8 09:01:31 authpriv warn pluto[8242]: "test" #3: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:01:41 authpriv warn pluto[8242]: "test" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
    Nov  8 09:01:41 authpriv warn pluto[8242]: "test" #3: no suitable connection for peer '192.168.11.2'
    Nov  8 09:01:41 authpriv warn pluto[8242]: "test" #3: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:02:01 authpriv warn pluto[8242]: "test" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
    Nov  8 09:02:01 authpriv warn pluto[8242]: "test" #3: no suitable connection for peer '192.168.11.2'
    Nov  8 09:02:01 authpriv warn pluto[8242]: "test" #3: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:02:05 authpriv warn pluto[8242]: "test" #1: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:02:41 authpriv warn pluto[8242]: packet from 192.17.200.79:1: received Vendor ID payload [Dead Peer Detection]
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: responding to Main Mode
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: STATE_MAIN_R1: sent MR1, expecting MI2
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #3: max number of retransmissions (2) reached STATE_MAIN_R2
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: STATE_MAIN_R2: sent MR2, expecting MI3
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: no suitable connection for peer '192.168.11.2'
    Nov  8 09:02:41 authpriv warn pluto[8242]: "test" #4: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:02:45 authpriv warn pluto[8242]: "test" #1: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:02:51 authpriv warn pluto[8242]: "test" #4: no suitable connection for peer '192.168.11.2'
    Nov  8 09:02:51 authpriv warn pluto[8242]: "test" #4: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:03:11 authpriv warn pluto[8242]: "test" #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
    Nov  8 09:03:11 authpriv warn pluto[8242]: "test" #4: no suitable connection for peer '192.168.11.2'
    Nov  8 09:03:11 authpriv warn pluto[8242]: "test" #4: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
    Nov  8 09:03:25 authpriv warn pluto[8242]: "test" #1: max number of retransmissions (5) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
    Nov  8 09:03:25 authpriv warn pluto[8242]: "test" #5: initiating Main Mode to replace #1
    Nov  8 09:03:25 authpriv warn pluto[8242]: "test" #5: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:03:51 authpriv warn pluto[8242]: packet from 192.17.200.79:1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
    Nov  8 09:03:51 authpriv warn pluto[8242]: packet from 192.17.200.79:1: received Vendor ID payload [Dead Peer Detection]
    Nov  8 09:03:51 authpriv warn pluto[8242]: "test" #6: responding to Main Mode
    Nov  8 09:03:51 authpriv warn pluto[8242]: "test" #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Nov  8 09:03:51 authpriv warn pluto[8242]: "test" #6: STATE_MAIN_R1: sent MR1, expecting MI2
    Nov  8 09:03:51 authpriv warn pluto[8242]: "test" #4: max number of retransmissions (2) reached STATE_MAIN_R2
    Nov  8 09:03:55 authpriv warn pluto[8242]: "test" #5: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
    Nov  8 09:04:01 authpriv warn pluto[8242]: "test" #6: STATE_MAIN_R2: sent MR2, expecting MI3
    Nov  8 09:04:01 authpriv warn pluto[8242]: "test" #6: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
    Nov  8 09:04:01 authpriv warn pluto[8242]: "test" #6: no suitable connection for peer '192.168.11.2'
    Nov  8 09:04:01 authpriv warn pluto[8242]: "test" #6: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
      ----- Original Message ----- 
      From: Ozai 
      To: users at lists.openswan.org 
      Sent: Tuesday, November 05, 2013 6:17 PM
      Subject: NAT-Traversal issue


      Hi Sirs,

      I set up an openswan VPN client behind the NAT. The test environment is as below.
      It did not work. The traffic did not seem to pass to the server.
      I got a message like "NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4".
      It seems to be a NAT Traversal issue. What kernel feature do I need to enable? Or anything else I need to check?
      Can someone point me in the right direction? Please help, thanks.


         2.6.38 client--------------------NAT------------------ 2.6.38 Server
      192.168.15.x          192.168.11.x             192.17.200.x               192.168.12.x



      Nov  5 10:01:11 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
      Nov  5 10:01:11 daemon err ipsec_setup: Using NETKEY(XFRM) stack
      Nov  5 10:01:13 authpriv err ipsec__plutorun: Starting Pluto subsystem...
      Nov  5 10:01:13 user warn syslog: adjusting ipsec.d to /var/ipsec.d
      Nov  5 10:01:13 authpriv warn pluto[11706]: WARNING: 1DES is enabled
      Nov  5 10:01:13 authpriv warn pluto[11706]: LEAK_DETECTIVE support [disabled]
      Nov  5 10:01:13 authpriv warn pluto[11706]: OCF support for IKE [disabled]
      Nov  5 10:01:13 authpriv warn pluto[11706]: NSS support [disabled]
      Nov  5 10:01:13 authpriv warn pluto[11706]: HAVE_STATSD notification support not compiled in
      Nov  5 10:01:13 authpriv warn pluto[11706]: Setting NAT-Traversal port-4500 floating to on
      Nov  5 10:01:13 authpriv warn pluto[11706]:    port floating activation criteria nat_t=1/port_float=1
      Nov  5 10:01:13 authpriv warn pluto[11706]:    NAT-Traversal support  [enabled]
      Nov  5 10:01:13 authpriv warn pluto[11706]: using /dev/urandom as source of random entropy
      Nov  5 10:01:13 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
      Nov  5 10:01:13 authpriv warn pluto[11706]: starting up 1 cryptographic helpers
      Nov  5 10:01:13 authpriv warn pluto[11711]: using /dev/urandom as source of random entropy
      Nov  5 10:01:13 authpriv warn pluto[11706]: started helper pid=11711 (fd:6)
      Nov  5 10:01:13 daemon err ipsec_setup: ...Openswan IPsec started
      Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
      Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
      Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
      Nov  5 10:01:15 authpriv warn pluto[11706]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
      Nov  5 10:01:15 authpriv warn pluto[11706]: added connection description "test"
      Nov  5 10:01:15 daemon err ipsec__plutorun: 002 added connection description "test"
      Nov  5 10:01:15 authpriv warn pluto[11706]: listening for IKE messages
      Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
      Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface eth0.1/eth0.1 192.168.11.2:500
      Nov  5 10:01:15 daemon err ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
      Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal: ESPINUDP(2) not supported by kernel for family IPv4
      Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal port floating turned off
      Nov  5 10:01:15 daemon err ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(2) not supported by kernel for family IPv4
      Nov  5 10:01:15 authpriv warn pluto[11706]: NAT-Traversal is turned OFF due to lack of KERNEL support: 0/0
      Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface eth0.1/eth0.1 192.168.11.2:4500
      Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface br0/br0 192.168.15.254:500
      Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface lo/lo 127.0.0.1:500
      Nov  5 10:01:15 authpriv warn pluto[11706]: adding interface lo/lo ::1:500
      Nov  5 10:01:15 authpriv warn pluto[11706]: loading secrets from "/var/ipsec.secrets"
      Nov  5 10:01:17 authpriv warn pluto[11706]: "test": deleting connection
      Nov  5 10:01:17 authpriv warn pluto[11706]: added connection description "test"
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: initiating Main Mode
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: received Vendor ID payload [Dead Peer Detection]
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
      Nov  5 10:01:18 authpriv warn pluto[11706]: "test" #1: received and ignored informational message


      config setup
                      nat_traversal=yes
                      keep_alive=60
                      oe=off
                      protostack=netkey
                      interfaces=%defaultroute

      conn test
                      left=192.168.11.2
                      leftsubnet=192.168.15.0/24
                      rightsubnet=192.168.12.0/24
                      connaddrfamily=ipv4
                      right=192.17.200.110
                      ike=3des-md5;modp1024!
                      ikelifetime=480m
                      type=tunnel
                      salifetime=60m
                      phase2alg=3des-hmac_md5!
                      pfs=no
                      phase2=esp
                      keyexchange=ike
                      authby=secret
                      auto=add

      Best Regards,
      Ozai

    _______________________________________________
    Users at lists.openswan.org
    https://lists.openswan.org/mailman/listinfo/users
    Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
    Building and Integrating Virtual Private Networks with Openswan:
    http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155





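Added example (not part of this thread and not Openswan code): a small Python triage script that runs over the pluto log lines quoted above and names the problems they show. The two log excerpts inside it are constructed from the lines in the thread (the Nov 5 client log and the Nov 8 responder log), trimmed to what the checks need. The `kernel_supports_espinudp` function repeats the probe pluto does at startup, a `UDP_ENCAP` setsockopt on a UDP socket, which is what produced the "ESPINUDP(n) not supported by kernel" lines. The kernel option names in the advice strings and the `right=%any` / `rightid=` suggestion for the responder are my reading of the kernel's UDP code and of Openswan's NETKEY requirements, not something the thread states.

```python
"""Triage pluto (Openswan IKEv1) logs for the NAT-Traversal failures in this thread.
Added example, not Openswan code; the log excerpts are constructed from lines quoted above."""
import re
import socket

# Values from <linux/udp.h>; pluto probes them with setsockopt() at startup, which
# is what produces the "ESPINUDP(n) not supported by kernel" lines in the thread.
UDP_ENCAP = 100
UDP_ENCAP_ESPINUDP_NON_IKE = 1  # ESPINUDP(1): draft-ietf-ipsec-nat-t-ike-00/01 framing
UDP_ENCAP_ESPINUDP = 2          # ESPINUDP(2): RFC 3948 framing

CLIENT_LOG = """\
pluto[11706]:    NAT-Traversal support  [enabled]
pluto[11706]: NAT-Traversal: ESPINUDP(2) not supported by kernel for family IPv4
pluto[11706]: NAT-Traversal is turned OFF due to lack of KERNEL support: 0/0
pluto[11706]: "test" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
"""
SERVER_LOG = """\
pluto[8242]:    NAT-Traversal support  [disabled]
pluto[8242]: "test" #1: ERROR: asynchronous network error report on eth3.1 (sport=500) for message to 192.17.200.79 port 500, complainant 192.17.200.79: Connection refused [errno 146, origin ICMP type 3 code 3 (not
pluto[8242]: packet from 192.17.200.79:1: received Vendor ID payload [Dead Peer Detection]
pluto[8242]: "test" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.11.2'
pluto[8242]: "test" #2: no suitable connection for peer '192.168.11.2'
pluto[8242]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.17.200.79:1
"""

RE_NATT = re.compile(r"NAT-Traversal support\s+\[(enabled|disabled)\]")
RE_NO_KERNEL = re.compile(r"turned OFF due to lack of KERNEL support")
RE_PEER_ID = re.compile(r"peer ID is ID_IPV4_ADDR: '([\d.]+)'")
RE_PACKET_FROM = re.compile(r"packet from ([\d.]+):(\d+):")
RE_NO_CONN = re.compile(r"no suitable connection for peer '([\d.]+)'")
RE_UNREACH = re.compile(r"message to ([\d.]+) port (\d+),.*ICMP type 3 code 3")
RE_REJECTED = re.compile(r"ignoring informational payload, type INVALID_ID_INFORMATION")


def triage(log):
    """Extract the NAT-relevant facts from one host's pluto log into a dict."""
    f = {"natt": None, "kernel_espinudp": True, "peer_id": None, "peer_src": None,
         "unmatched_id": None, "unreachable": None, "id_rejected": False}
    for line in log.splitlines():
        if m := RE_NATT.search(line):
            f["natt"] = m.group(1) == "enabled"
        if RE_NO_KERNEL.search(line):
            f["kernel_espinudp"] = False
        if m := RE_PEER_ID.search(line):
            f["peer_id"] = m.group(1)
        if m := RE_PACKET_FROM.search(line):
            f["peer_src"] = (m.group(1), int(m.group(2)))
        if m := RE_NO_CONN.search(line):
            f["unmatched_id"] = m.group(1)
        if m := RE_UNREACH.search(line):
            f["unreachable"] = (m.group(1), int(m.group(2)))
        if RE_REJECTED.search(line):
            f["id_rejected"] = True
    return f


def explain(f):
    """Turn the facts into the checks to act on, one string per finding."""
    out = []
    if f["natt"] is False:
        out.append("nat_traversal is off on this host; set nat_traversal=yes in 'config setup' on both ends")
    if not f["kernel_espinudp"]:
        # Option names are my reading of the kernel's UDP code and Openswan's NETKEY needs, not the thread's.
        out.append("kernel rejects UDP_ENCAP: rebuild with CONFIG_XFRM (and CONFIG_XFRM_USER, CONFIG_NET_KEY, "
                   "CONFIG_INET_ESP, CONFIG_INET_XFRM_MODE_TUNNEL for NETKEY)")
    if f["peer_id"] and f["peer_src"] and f["peer_id"] != f["peer_src"][0]:
        addr, port = f["peer_src"]
        out.append(f"peer is behind NAT: it identifies as {f['peer_id']} but its packets arrive from {addr}:{port}")
        if port not in (500, 4500):
            out.append(f"NAT also rewrote the IKE source port to {port}; only NAT-T on both ends survives that")
    if f["unmatched_id"]:
        out.append(f"no conn matches ID {f['unmatched_id']}: on this responder use right=%any with "
                   f"rightid={f['unmatched_id']} and a '%any' PSK line in ipsec.secrets")
    if f["unreachable"]:
        addr, port = f["unreachable"]
        out.append(f"ICMP port-unreachable from {addr}:{port}: that is the NAT box, not the client; "
                   "keep auto=add here and let the client initiate")
    if f["id_rejected"]:
        out.append("far end answered INVALID_ID_INFORMATION: no conn there matches the ID we send; fix the responder")
    return out


def kernel_supports_espinudp(encap_type=UDP_ENCAP_ESPINUDP):
    """The probe pluto runs at startup: a UDP_ENCAP setsockopt on a UDP socket.
    False on kernels built without CONFIG_XFRM and on non-Linux hosts."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.setsockopt(socket.IPPROTO_UDP, UDP_ENCAP, encap_type)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        print(f"== {name}")
        for finding in explain(triage(log)):
            print(" -", finding)
    print("this host supports ESPINUDP(2):", kernel_supports_espinudp())
```

Run it with `python3 triage.py`. The responder log is the telling one: the peer identifies itself as 192.168.11.2 while its packets arrive from 192.17.200.79:1, which is exactly what a NAT does, and the responder itself has NAT-T disabled, so even a matching conn would not get ESP through the NAT. Keep Main Mode and fix the ID lookup with `rightid=` rather than switching to Aggressive Mode: Aggressive Mode sends the identity in the clear and exposes the PSK-derived hash to offline guessing. Separately, the `WARNING: 1DES is enabled` line and the `3des-md5;modp1024` proposal in the posted config are legacy-weak choices worth replacing once the tunnel comes up.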

