[Openswan Users] Problem setting up ipsec/l2tp vpn through NAT

Stephan v steefsmeel at hotmail.com
Sun Mar 15 09:58:58 EDT 2015


Hi,

for the last couple of days I've been struggling to create a roadwarrior setup that will allow access to my home network with my laptops and phone. Since I'm pretty new to VPN/IPSEC I've had to fix and learn quite a few issues, but now I'm really stuck.

So far logging into the network works for Mac OS X from both within and outside of the network. Windows doesn't work from outside of the network.
I basically see it establishing the IPSEC tunnel and then immediately receiving a delete message. Here's a part of the logs:

===========================================================================================================

Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:22:47 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[7] 192.168.0.1 #12: received and ignored informational message
Mar 15 07:22:47 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[7] 192.168.0.1 #12: received Delete SA payload: deleting ISAKMP State #12
Mar 15 07:22:47 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[7] 192.168.0.1: deleting connection "L2TP-PSK-noNAT" instance with peer 192.168.0.1 {isakmp=#0/ipsec=#0}
Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:22:47 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:22:47 alarmpi pluto[7511]: packet from 192.168.0.1:4500: received and ignored informational message
Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: received Vendor ID payload [RFC 3947] method set to=115
Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 15 07:23:12 alarmpi pluto[7511]: packet from 192.168.0.1:500: ignoring Vendor ID payload [IKE CGA version 1]
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: responding to Main Mode from unknown peer 192.168.0.1
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.121'
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: switched from "L2TP-PSK-noNAT" to "L2TP-PSK-noNAT"
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: deleting connection "L2TP-PSK-noNAT" instance with peer 192.168.0.1 {isakmp=#0/ipsec=#0}
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: new NAT mapping for #17, was 192.168.0.1:500, now 192.168.0.1:4500
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: the peer proposed: 92.109.12.70/32:17/1701 -> 192.168.0.121/32:17/0
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: responding to Quick Mode proposal {msgid:01000000}
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18:     us: 192.168.0.103<192.168.0.103>:17/1701
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18:   them: 192.168.0.1[192.168.0.121]:17/0
Mar 15 07:23:12 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 15 07:23:12 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x34f4f065 <0x7bf174a3 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.121 NATD=192.168.0.1:4500 DPD=none}
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: the peer proposed: 92.109.12.70/32:17/1701 -> 192.168.0.121/32:17/0
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: responding to Quick Mode proposal {msgid:02000000}
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19:     us: 192.168.0.103<192.168.0.103>:17/1701
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19:   them: 192.168.0.1[192.168.0.121]:17/0
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: keeping refhim=4294901761 during rekey
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 15 07:23:13 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x30f1ec4a <0x25651ad1 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.121 NATD=192.168.0.1:4500 DPD=none}
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA(0x34f4f065) payload: deleting IPSEC State #18
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received and ignored informational message
Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA(0x30f1ec4a) payload: deleting IPSEC State #19
Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received and ignored informational message
Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA payload: deleting ISAKMP State #17
Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1: deleting connection "L2TP-PSK-noNAT" instance with peer 192.168.0.1 {isakmp=#0/ipsec=#0}
Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:23:15 alarmpi pluto[7511]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Mar 15 07:23:16 alarmpi pluto[7511]: packet from 192.168.0.1:4500: received and ignored informational message

==========================================================================================================

The establishing and deleting goes on for a few times and then the Windows client gives up. Since this doesn't happen when I'm on the local network I'm guessing it's NAT, but I can't tell from the logs.

BTW Openswan is running on an Arch Linux Raspberry Pi.

Some versions:
===================================================================
ipsec --version : Linux Openswan U2.6.42/K3.18.8-4-ARCH (netkey)
uname -a: Linux alarmpi 3.18.8-4-ARCH #1 PREEMPT Thu Mar 5 18:05:39 MST 2015 armv6l GNU/Linux
xl2tpd version:  xl2tpd-1.3.6
===================================================================
My ipsec config:
================================================================================================================
conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.

    pfs=no
    # pfs=no: do not require Perfect Forward Secrecy for the IPsec SA

    auto=add
    # load the conn when the ipsec daemon starts, but do not initiate it; the roadwarrior client initiates.

    keyingtries=3
    #Only negotiate a conn. 3 times.

    ikelifetime=8h
    keylife=1h

    type=transport
    #because we use l2tp as tunnel protocol

    left=192.168.0.103
    #left=%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0

    dpddelay=10
    # Dead Peer Detection (RFC 3706) keepalives delay
    dpdtimeout=20
    #  length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
    dpdaction=clear
    # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.

=============================================================================================================

Any hints or clues would be greatly appreciated!
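As an added diagnostic aid (not part of the original post), a small Python script that parses pluto log lines like the ones above and reports the NAT-Traversal result and how long each ISAKMP/IPsec SA lived before the peer's Delete SA payload arrived. The embedded excerpt is constructed from the post's own log lines, and the 30-second "churn" threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed excerpt in the pluto log format from the post (a subset of its lines).
SAMPLE_LOG = """\
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[8] 192.168.0.1 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Mar 15 07:23:12 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #18: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x34f4f065 <0x7bf174a3 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.121 NATD=192.168.0.1:4500 DPD=none}
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x30f1ec4a <0x25651ad1 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.121 NATD=192.168.0.1:4500 DPD=none}
Mar 15 07:23:13 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA(0x34f4f065) payload: deleting IPSEC State #18
Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA(0x30f1ec4a) payload: deleting IPSEC State #19
Mar 15 07:23:15 alarmpi pluto[7511]: "L2TP-PSK-noNAT"[9] 192.168.0.1 #17: received Delete SA payload: deleting ISAKMP State #17
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$")
EST_RE = re.compile(r"#(\d+): .*\b(ISAKMP|IPsec) SA established")   # state number + SA kind
DEL_RE = re.compile(r"deleting (?:ISAKMP|IPSEC) State #(\d+)")     # state the peer deleted
NAT_RE = re.compile(r"NAT-Traversal: Result using [^:]+: (.+)$")

def analyze(log_text, churn_seconds=30):
    """NAT-T result plus per-SA lifetime; 'churn' lists SAs the peer deleted within churn_seconds."""
    nat, established, deleted = None, {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)
        if (n := NAT_RE.search(msg)):
            nat = n.group(1)
        elif (e := EST_RE.search(msg)):
            established[int(e.group(1))] = (e.group(2), when)   # state -> (kind, time established)
        elif (d := DEL_RE.search(msg)):
            deleted[int(d.group(1))] = when                     # time the peer's Delete SA arrived
    sas, churn = {}, []
    for state, (kind, t0) in sorted(established.items()):
        life = int((deleted[state] - t0).total_seconds()) if state in deleted else None
        sas[state] = (kind, life)
        if life is not None and life < churn_seconds:
            churn.append(state)
    return {"nat": nat, "sas": sas, "churn": churn}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"NAT-T: {report['nat']}; SA lifetimes: {report['sas']}; torn down early: {report['churn']}")
```

On the full log it shows the pattern in the post: "both are NATed" and every SA deleted by the peer within seconds of a clean IKE establishment, which points past IKE to the L2TP layer or to the Windows client's NAT-T behaviour. For a Windows client that is itself behind NAT, the documented AssumeUDPEncapsulationContextOnSendRule registry value (Microsoft KB 926179) is the first thing to check.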
