[Openswan Users] Cannot connect to openswan vpn with public ip on windows

Patrick Naubert patrickn at xelerance.com
Sat Jan 23 08:42:07 EST 2016


Rescued from the spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: Adrian Sender <aasender at gmail.com>
Subject: Cannot connect to openswan vpn with public ip on windows
Date: January 20, 2016 at 1:08:43 AM EST
To: users at lists.openswan.org


Hi Guys,

I am wondering if anyone can help me out with an openswan issue. I am not sure if this is a known problem; I know Mac has an issue with public IP and openswan, but I am having a similar issue on Windows 7 using an internet-facing public IP address.

The same configuration, just changing the Windows 7 machine to use NAT, works perfectly.

root at r-4051-VM:/etc# cat ipsec.conf 
# Manual:     ipsec.conf.5
version2.0

config setup
nat_traversal=no
#nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
protostack=auto


root at r-4051-VM:/etc/ipsec.d# cat l2tp.conf 
conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=xxx.xxx.252.199
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add


How to reproduce the bug:

1. Install Windows 7.
2. Configure the network with an internet-facing public IP address.
3. Enable VPN on the source NAT address in CS.
4. Set up the VPN client with user/pass and preshared key using the Windows VPN wizard.
5. The internet-facing VPN client on Windows 7 fails to connect.
6. Put the same Windows 7 machine behind NAT, and the VPN works.

Logs for the public IP address; note that the connection fails.

root at r-4045-VM:~# cat /var/log/auth.log

Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: responding to Main Mode from unknown peer 130.244.221.180
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: Main mode peer ID is ID_IPV4_ADDR: '130.244.221.180'
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: the peer proposed: 111.112.231.214/32:17/1701 -> 130.244.221.180/32:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: responding to Quick Mode proposal {msgid:01000000}
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: us: 111.112.231.214<111.112.231.214>[+S=C]:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: them: 130.244.221.180[+S=C]:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: keeping refhim=4294901761 during rekey
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1677a1c0 <0x241ef249 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 20 00:01:54 r-4045-VM sshd[8198]: Accepted publickey for root from 169.254.0.1 port 38084 ssh2
Jan 20 00:01:54 r-4045-VM sshd[8198]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 20 00:01:54 r-4045-VM sshd[8198]: pam_unix(sshd:session): session closed for user root
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: received Delete SA(0x1677a1c0) payload: deleting IPSEC State #68
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: received and ignored informational message
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: received Delete SA payload: deleting ISAKMP State #67
Jan 20 00:02:11 r-4045-VM pluto[4569]: packet from 130.244.221.180:500: received and ignored informational message



Here is the same machine, but I changed the networking so I am on NAT; no other configuration settings were changed. In this case I am able to connect to the CloudStack Remote Access VPN.


root at r-4045-VM:~# cat /var/log/auth.log

Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 139.233.222.112:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 139.233.222.112:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 139.233.222.112:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 139.233.222.112:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 139.233.222.112:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 139.233.222.112:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 139.233.222.112:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: responding to Main Mode from unknown peer 139.233.222.112
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.82'
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: switched from "L2TP-PSK" to "L2TP-PSK"
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: deleting connection "L2TP-PSK" instance with peer 139.233.222.112 {isakmp=#0/ipsec=#0}
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: new NAT mapping for #65, was 139.233.222.112:500, now 139.233.222.112:4500
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: the peer proposed: 111.112.231.214/32:17/1701 -> 192.168.1.82/32:17/0
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: responding to Quick Mode proposal {msgid:01000000}
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: us: 111.112.231.214<111.112.231.214>[+S=C]:17/1701
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: them: 139.233.222.112[192.168.1.82,+S=C]:17/1701
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe3a6868c <0xbfcf6dcb xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.82 NATD=139.233.222.112:4500 DPD=none}
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: received Delete SA(0xe3a6868c) payload: deleting IPSEC State #66
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: received and ignored informational message
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: received Delete SA payload: deleting ISAKMP State #65
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112: deleting connection "L2TP-PSK" instance with peer 139.233.222.112 {isakmp=#0/ipsec=#0}
Jan 19 23:34:28 r-4045-VM pluto[4569]: packet from 139.233.222.112:4500: received and ignored informational message
Jan 19 23:35:01 r-4045-VM CRON[7995]: pam_unix(cron:session): session closed for user root

Regards,
Adrian Sender
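A triage helper for the two captures above, added here as an example and not part of Adrian's post or of Openswan itself: it reduces pluto's auth.log lines to the observables that differ between the failing (public IP) and working (NATed) attempts, and measures how long each IPsec SA lived before the peer sent Delete SA. The sample lines are constructed from the shapes in the thread, with the mail client's link residue removed.

```python
import re
from datetime import datetime

# Constructed sample: one line of each kind from the two captures in the thread
# (public-IP client first, NATed client second), mail-client link residue removed.
SAMPLE = """\
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: Main mode peer ID is ID_IPV4_ADDR: '130.244.221.180'
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: the peer proposed: 111.112.231.214/32:17/1701 -> 130.244.221.180/32:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #68: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1677a1c0 <0x241ef249 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 130.244.221.180 #67: received Delete SA(0x1677a1c0) payload: deleting IPSEC State #68
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 139.233.222.112 #65: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.82'
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: the peer proposed: 111.112.231.214/32:17/1701 -> 192.168.1.82/32:17/0
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #66: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe3a6868c <0xbfcf6dcb xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.82 NATD=139.233.222.112:4500 DPD=none}
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 139.233.222.112 #65: received Delete SA(0xe3a6868c) payload: deleting IPSEC State #66
"""

LINE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                  r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: (?P<msg>.*)$')
FIELDS = [  # (message pattern, field names recorded for the peer)
    (re.compile(r'NAT-Traversal: Result using RFC 3947 \(NAT-Traversal\): (.+)'), ('nat_verdict',)),
    (re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'"), ('peer_id',)),
    (re.compile(r'the peer proposed: (\S+) -> (\S+)'), ('ts_local', 'ts_remote')),
    (re.compile(r'IPsec SA established .*NATOA=(\S+) NATD=(\S+)'), ('natoa', 'natd')),
]

def summarize(log_text):
    """Return {peer_ip: {field: value}}; 'sa_lifetime_s' is filled in when both
    'IPsec SA established' and the peer's 'deleting IPSEC State' were seen."""
    peers, established = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m: continue  # sshd, CRON and bare "packet from" lines are noise here
        peer, msg = m['peer'], m['msg']
        rec = peers.setdefault(peer, {})
        when = datetime.strptime(m['ts'], '%b %d %H:%M:%S')  # year-less syslog stamp
        for pat, names in FIELDS:
            if (hit := pat.search(msg)):
                rec.update(zip(names, hit.groups()))
        if 'IPsec SA established' in msg:
            established[peer] = when
        elif 'deleting IPSEC State' in msg and peer in established:
            rec['sa_lifetime_s'] = int((when - established[peer]).total_seconds())
    return peers

def differing_fields(summary, peer_a, peer_b):
    """Fields whose values differ between two peers' records (e.g. failing vs working)."""
    a, b = summary[peer_a], summary[peer_b]
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))
```

Run against the full auth.log the same way; only the NAT-T verdict, the peer's Main Mode ID, the proposed selector, the NAT-OA/NATD fields and the SA lifetime differ between the two captures, which narrows where to look.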


