Thread: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104
ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104
2007-03-28 22:50:00
Hi there,

I have a Fedora Core 6 box and have installed "Linux Openswan U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box has two network interfaces, eth0 for internal connection and eth1 for external connection (which has a public IP address).

Using a MS Windows 2000 client with L2TP/IPsec combination, I can connect to the Linux box and obtain an internal IP address in the following two cases:

1) Case 1: the client has a public IP address
2) Case 2: the client is behind a NAT and this NAT allows outgoing UDP packets to keep their source port 4500 (this was observed in the server log).

However, if I put the client behind _another_ NAT, which maps the source port of outgoing UDP packets from 4500 to 1325, I got the following error in the server log: "ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]"

The server log shows that an IPsec SA is indeed established. Dumped traffic indicates that, after the IPsec SA was established, the client sent the server several UDP-wrapped ESP packets (source port 1325, destination port 4500) but the server never responded.

The relevant server log is included below.

---------- /var/log/secure starts ----------
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 #12: responding to Quick Mode {msgid:3d5b839c}
Mar 28 21:01:28 Newton pluto[13304]: | install_inbound_ipsec_sa() checking if we can route
Mar 28 21:01:28 Newton pluto[13304]: | route owner of "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 unrouted: NULL; eroute owner: NULL
Mar 28 21:01:28 Newton pluto[13304]: | could_route called for roadwarrior-l2tp-updatedwin (kind=CK_INSTANCE)
Mar 28 21:01:28 Newton pluto[13304]: | add inbound eroute 76.104.101.6/32:1701 --17-> 134.126.34.124/32:1701 => tun.10000@134.126.34.124 (raw_eroute)
Mar 28 21:01:28 Newton pluto[13304]: | finished processing quick inI1
Mar 28 21:01:28 Newton pluto[13304]: | complete state transition with STF_OK
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 28 21:01:28 Newton pluto[13304]: | sending reply packet to 76.104.101.6:1325 (from port=4500)
Mar 28 21:01:28 Newton pluto[13304]: | sending 172 bytes for STATE_QUICK_R0 through eth1:4500 to 76.104.101.6:1325:
Mar 28 21:01:28 Newton pluto[13304]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #12
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 28 21:01:28 Newton pluto[13304]: | modecfg pull: noquirk policy:push not-client
Mar 28 21:01:28 Newton pluto[13304]: | phase 1 is done, looking for phase 1 to unpend
Mar 28 21:01:28 Newton pluto[13304]: | next event EVENT_RETRANSMIT in 10 seconds for #12
Mar 28 21:01:28 Newton pluto[13304]: |  
Mar 28 21:01:28 Newton pluto[13304]: | *received 52 bytes from 76.104.101.6:1325 on eth1 (port=4500)
Mar 28 21:01:28 Newton pluto[13304]: |  processing packet with exchange type=ISAKMP_XCHG_QUICK (32)
Mar 28 21:01:28 Newton pluto[13304]: | ICOOKIE:  6f f5 7f b0  d2 76 ab 8b
Mar 28 21:01:28 Newton pluto[13304]: | RCOOKIE:  d7 b3 ce 77  ec b9 26 58
Mar 28 21:01:28 Newton pluto[13304]: | peer:  4c 68 65 06
Mar 28 21:01:28 Newton pluto[13304]: | state hash entry 18
Mar 28 21:01:28 Newton pluto[13304]: | peer and cookies match on #12, provided msgid 9c835b3d vs 9c835b3d
Mar 28 21:01:28 Newton pluto[13304]: | state object #12 found, in STATE_QUICK_R1
Mar 28 21:01:28 Newton pluto[13304]: | processing connection roadwarrior-l2tp-updatedwin[6] 76.104.101.6
Mar 28 21:01:28 Newton pluto[13304]: | install_ipsec_sa() for #12: outbound only
Mar 28 21:01:28 Newton pluto[13304]: | route owner of "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 unrouted: NULL; eroute owner: NULL
Mar 28 21:01:28 Newton pluto[13304]: | could_route called for roadwarrior-l2tp-updatedwin (kind=CK_INSTANCE)
Mar 28 21:01:28 Newton pluto[13304]: | sr for #12: unrouted
Mar 28 21:01:28 Newton pluto[13304]: | route owner of "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 unrouted: NULL; eroute owner: NULL
Mar 28 21:01:28 Newton pluto[13304]: | route_and_eroute with c: roadwarrior-l2tp-updatedwin (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 12
Mar 28 21:01:28 Newton pluto[13304]: | eroute_connection add eroute 134.126.34.124/32:1701 --17-> 76.104.101.6/32:1701 => esp.358dd4bf@76.104.101.6 (raw_eroute)
Mar 28 21:01:28 Newton pluto[13304]: | command executing up-host
Mar 28 21:01:28 Newton pluto[13304]: |   trusted_ca called with a=C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA b=C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA
Mar 28 21:01:28 Newton pluto[13304]: | executing up-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-host' PLUTO_CONNECTION='roadwarrior-l2tp-updatedwin' PLUTO_NEXT_HOP='76.104.101.6' PLUTO_INTERFACE='eth1' PLUTO_ME='134.126.34.124' PLUTO_MY_ID='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Server 02' PLUTO_MY_CLIENT='134.126.34.124/32' PLUTO_MY_CLIENT_NET='134.126.34.124' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='76.104.101.6' PLUTO_PEER_ID='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Client 001' PLUTO_PEER_CLIENT='76.104.101.6/32' PLUTO_PEER_CLIENT_NET='76.104.101.6' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Mar 28 21:01:28 Newton pluto[13304]: | route_and_eroute: firewall_notified: true
Mar 28 21:01:28 Newton pluto[13304]: | command executing prepare-host
Mar 28 21:01:28 Newton pluto[13304]: |   trusted_ca called with a=C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA b=C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA
Mar 28 21:01:28 Newton pluto[13304]: | executing prepare-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host' PLUTO_CONNECTION='roadwarrior-l2tp-updatedwin' PLUTO_NEXT_HOP='76.104.101.6' PLUTO_INTERFACE='eth1' PLUTO_ME='134.126.34.124' PLUTO_MY_ID='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Server 02' PLUTO_MY_CLIENT='134.126.34.124/32' PLUTO_MY_CLIENT_NET='134.126.34.124' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='76.104.101.6' PLUTO_PEER_ID='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Client 001' PLUTO_PEER_CLIENT='76.104.101.6/32' PLUTO_PEER_CLIENT_NET='76.104.101.6' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Mar 28 21:01:28 Newton pluto[13304]: | command executing route-host
Mar 28 21:01:28 Newton pluto[13304]: |   trusted_ca called with a=C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA b=C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA
Mar 28 21:01:28 Newton pluto[13304]: | executing route-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='roadwarrior-l2tp-updatedwin' PLUTO_NEXT_HOP='76.104.101.6' PLUTO_INTERFACE='eth1' PLUTO_ME='134.126.34.124' PLUTO_MY_ID='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Server 02' PLUTO_MY_CLIENT='134.126.34.124/32' PLUTO_MY_CLIENT_NET='134.126.34.124' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='76.104.101.6' PLUTO_PEER_ID='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=IPsec VPN Client 001' PLUTO_PEER_CLIENT='76.104.101.6/32' PLUTO_PEER_CLIENT_NET='76.104.101.6' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Mar 28 21:01:28 Newton pluto[13304]: | route_and_eroute: instance "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6, setting eroute_owner {spd=0x8e17ad4,sr=0x8e17ad4} to #12 (was #0) (newest_ipsec_sa=#0)
Mar 28 21:01:28 Newton pluto[13304]: | inI2: instance roadwarrior-l2tp-updatedwin[6], setting newest_ipsec_sa to #12 (was #0) (spd.eroute=#12)
Mar 28 21:01:28 Newton pluto[13304]: | complete state transition with STF_OK
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 28 21:01:28 Newton pluto[13304]: | inserting event EVENT_SA_EXPIRE, timeout in 3600 seconds for #12
Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6] 76.104.101.6 #12: STATE_QUICK_R2: IPsec SA established {ESP=>0x358dd4bf <0x90c3e1a6 xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1325 DPD=none}
Mar 28 21:01:28 Newton pluto[13304]: | modecfg pull: noquirk policy:push not-client
Mar 28 21:01:28 Newton pluto[13304]: | phase 1 is done, looking for phase 1 to unpend
Mar 28 21:01:28 Newton pluto[13304]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds

Mar 28 21:01:33 Newton pluto[13304]: | rejected packet:
Mar 28 21:01:33 Newton pluto[13304]: |   35 8d d4 bf  00 00 00 03  46 92 2b 8a  a3 45 61 ae
Mar 28 21:01:33 Newton pluto[13304]: |   bf 99 f9 2b  a6 8c a7 eb  02 01 a4 fc  78 0f e7 54
Mar 28 21:01:33 Newton pluto[13304]: |   9a 1f 0a 58  9f 7a cb f2  53 2b 31 cd  74 a3 dd f4
Mar 28 21:01:33 Newton pluto[13304]: |   66 1d 1f a3  ba 6a bf ca  c5 09 e3 45  5e a0 e1 f4
Mar 28 21:01:33 Newton pluto[13304]: |   9c d0 e8 d6  09 0a d3 cc  94 04 fb 9a  74 ef 26 d8
Mar 28 21:01:33 Newton pluto[13304]: |   ad 8d 0e 27  08 e9 ff 99  08 44 dd 6d  f4 5b 23 8f
Mar 28 21:01:33 Newton pluto[13304]: |   b7 28 4b ad  71 46 8e c0  11 37 e5 99  3c b9 9e 35
Mar 28 21:01:33 Newton pluto[13304]: |   a7 b5 67 f1  b1 51 85 c6  83 5f bf 37  1c d9 18 c1
Mar 28 21:01:33 Newton pluto[13304]: |   9f e6 59 21  83 8a 19 14  63 71 ed e3  cb 0c 59 96
Mar 28 21:01:33 Newton pluto[13304]: |   a9 9d b3 7e
Mar 28 21:01:33 Newton pluto[13304]: | control:
Mar 28 21:01:33 Newton pluto[13304]: |   18 00 00 00  00 00 00 00  08 00 00 00  01 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   86 7e 22 7c  86 7e 22 7c  2c 00 00 00  00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   0b 00 00 00  71 00 00 00  02 03 01 00  00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   00 00 00 00  02 00 00 00  86 7e 22 7c  00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | name:
Mar 28 21:01:33 Newton pluto[13304]: |   02 00 05 2d  4c 68 65 06  00 00 00 00  00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 28 21:01:33 Newton pluto[13304]: | rejected packet:
Mar 28 21:01:33 Newton pluto[13304]: |   35 8d d4 bf  00 00 00 04  9f e6 59 21  83 8a 19 14
Mar 28 21:01:33 Newton pluto[13304]: |   cf a8 a5 00  1f 6f 60 06  76 71 3f 55  bf 69 71 5d
Mar 28 21:01:33 Newton pluto[13304]: |   8e 6d 04 ff  16 d4 b0 09  40 3e 9d a0  71 d4 fd 3e
Mar 28 21:01:33 Newton pluto[13304]: |   c0 3b 35 08
Mar 28 21:01:33 Newton pluto[13304]: | control:
Mar 28 21:01:33 Newton pluto[13304]: |   18 00 00 00  00 00 00 00  08 00 00 00  01 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   86 7e 22 7c  86 7e 22 7c  2c 00 00 00  00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   0b 00 00 00  71 00 00 00  02 03 01 00  00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   00 00 00 00  02 00 00 00  86 7e 22 7c  00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: |   00 00 00 00
Mar 28 21:01:33 Newton pluto[13304]: | name:
Mar 28 21:01:33 Newton pluto[13304]: |   02 00 05 2d  4c 68 65 06  00 00 00 00  00 00 00 00
---------- /var/log/secure ends ----------

What caused the problem? The type of the second NAT? How to bypass it?

Thanks,

Steve

_______________________________________________
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
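A small checker for the symptom reported above, added here as an example and not part of the original thread or of Openswan itself. It parses the two pluto lines that matter for this kind of problem (the "IPsec SA established" line, which records the NAT-D peer address and port learned during IKE, and the "asynchronous network error report" line), decodes the ICMP type/code, and correlates the two so an operator can see at a glance whether the reply was sent to the NAT-mapped port and where the ICMP error came from. The sample log is the two lines from the post, re-joined; `local_ip` (taken from PLUTO_ME in the log) and all function names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two relevant pluto lines from the post above,
# re-joined onto single lines (the archive hard-wrapped them).
SAMPLE_LOG = (
    'Mar 28 21:01:28 Newton pluto[13304]: "roadwarrior-l2tp-updatedwin"[6] '
    '76.104.101.6 #12: STATE_QUICK_R2: IPsec SA established {ESP=>0x358dd4bf '
    '<0x90c3e1a6 xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1325 DPD=none}\n'
    'Mar 28 21:01:33 Newton pluto[13304]: ERROR: asynchronous network error '
    'report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, '
    'complainant 134.126.34.124: No route to host [errno 113, origin ICMP '
    'type 3 code 1 (not authenticated)]\n'
)

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1812.
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

# "IPsec SA established" line: state number plus the NAT-D peer address:port
# that pluto learned from the NAT-Detection payloads.
SA_RE = re.compile(
    r'#(?P<state>\d+): STATE_QUICK_R2: IPsec SA established \{.*?'
    r'NATD=(?P<natd_ip>[\d.]+):(?P<natd_port>\d+)'
)

# Asynchronous error report: interface and source port we sent from, the
# destination, the host that sent the ICMP error, and errno/ICMP details.
ERR_RE = re.compile(
    r'ERROR: asynchronous network error report on (?P<iface>\S+) '
    r'\(sport=(?P<sport>\d+)\) for message to (?P<dst>[\d.]+) port '
    r'(?P<dport>\d+), complainant (?P<complainant>[\d.]+): '
    r'(?P<strerror>[^\[]+?) \[errno (?P<errno>\d+), origin ICMP '
    r'type (?P<type>\d+) code (?P<code>\d+)'
)


def describe_icmp(icmp_type: int, code: int) -> str:
    """Human-readable name for an ICMP type/code pair (type 3 decoded fully)."""
    if icmp_type == 3:
        return ICMP_UNREACH_CODES.get(code, f"unreachable, code {code}")
    return f"ICMP type {icmp_type} code {code}"


def analyze(log: str, local_ip: str) -> Dict[str, object]:
    """Correlate the SA-established line with the error report.

    local_ip is the VPN server's own public address (an assumption of this
    example; the post's log shows it as PLUTO_ME).  Returns the parsed fields
    plus plain-language findings an operator can act on.
    """
    sa: Optional[Dict[str, object]] = None
    err: Optional[Dict[str, object]] = None
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            sa = {"state": int(m["state"]), "natd_ip": m["natd_ip"],
                  "natd_port": int(m["natd_port"])}
            continue
        m = ERR_RE.search(line)
        if m:
            icmp_type, code = int(m["type"]), int(m["code"])
            err = {"iface": m["iface"], "sport": int(m["sport"]),
                   "dst": m["dst"], "dport": int(m["dport"]),
                   "complainant": m["complainant"],
                   "strerror": m["strerror"].strip(), "errno": int(m["errno"]),
                   "icmp_type": icmp_type, "icmp_code": code,
                   "icmp_text": describe_icmp(icmp_type, code)}

    findings: List[str] = []
    if sa and err and (err["dst"], err["dport"]) == (sa["natd_ip"], sa["natd_port"]):
        findings.append("reply was addressed to the NAT-D peer address:port "
                        "learned during IKE, so the learned NAT mapping was used")
    if err and err["sport"] == 4500 and err["dport"] != 4500:
        findings.append("peer is reached on a port other than 4500, i.e. a NAT "
                        "rewrote its UDP source port")
    if err and err["complainant"] == local_ip:
        findings.append("ICMP error was sent from the server's own address, "
                        "not by a remote router")
    return {"sa": sa, "error": err, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, local_ip="134.126.34.124")
    print(result["error"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it against the real /var/log/secure by reading the file into `analyze()` in place of `SAMPLE_LOG`; the findings list is meant to be extended with whatever site-specific checks apply (for instance, whether the error's destination port matches the port the client's ESP-in-UDP packets actually arrive from in a packet capture).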

Re: ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76
2007-03-29 13:03:21
On Wed, 28 Mar 2007, Xunhua Wang wrote:

>
> I have a Fedora Core 6 box and have installed "Linux Openswan U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box has two network interfaces, eth0 for internal connection and eth1 for external connection (which has a public IP address).
>
> Using a MS Windows 2000 client with L2TP/IPsec combination, I can connect to the Linux box and obtain an internal IP address in the following two cases:
>
> 1) Case 1: the client has a public IP address
> 2) Case 2: the client is behind a NAT and this NAT allows outgoing UDP packets to keep their source port 4500 (this was observed in the server log).
>
> However, if I put the client behind _another_ NAT, which maps the source port of outgoing UDP packets from 4500 to 1325, I got the following error in the server log: "ERROR: asynchronous network error report on eth1 (sport=4500) for message to 76.104.101.6 port 1325, complainant 134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]"

Are you sure this is just the result of being behind two NATs, and not the result of having "two clients behind the same NAT device"? (e.g. the NAT mapping survived in your tests?)

I just checked and noticed that openswan-2/testing/pluto/nat-double-01 is planned but was never finished. So we do need to add a test case for this.

Paul