
List:       strongswan-users
Subject:    [strongSwan] strongswan behind NAT problem - L2TP/IPSEC - "cannot
From:       "Andrew Lemin" <andrew.lemin () monitorsoft ! com>
Date:       2007-07-12 9:31:34
Message-ID: 003f01c7c467$702fb9c0$22c8a8c0 () monitor ! york

Hello List.

I am having real trouble running strongswan behind NAT for an L2TP/IPSec implementation.

I have been working on this for nearly a month now without success :o(
I am fairly new to 'swan' implementations and I really need some help. Please!

I have looked through all the guides and lists I can find but still with no luck.
Thank you in advance.

I am getting the error:

"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: cannot respond to IPsec SA request because no connection is known for <SERVER-PUBLIC-IP>/32===192.168.214.2:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1, E=email@address.changed.com]:17/1701...<CLIENT-PUBLIC-IP>:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email@address.changed.com]:17/%any

"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to <CLIENT-PUBLIC-IP>:4500


Network Setup;

RoadWarrior Client (clients can potentially have local nets in 10.0.0.0/8, \
172.16.0.0/12, 192.168.0.0/16. Been testing with client in 192.168.200.0/24)
    |
<CLIENT-NAT-GW-IP>
Client NAT Device
<CLIENT-PUBLIC-IP>
    |
INTERNET
    |
<SERVER-PUBLIC-IP>
Server Side NAT Device (Netgear FVX538)
<192.168.214.1>
    |
<192.168.214.2>
IPSec Server
<192.168.200.15>
    |
LAN I WANT TO ALLOW ACCESS TO (192.168.200.0/24)


Ipsec.conf;

version 2
conn block
	auto=ignore

conn private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

config setup
	plutodebug=control
	nat_traversal=yes

conn rt2.monitor.york__GT__andrew.lemin_0
	auto=start
	authby=rsasig
	left=%defaultroute
	leftprotoport=17/1701
	leftrsasigkey=%cert
	leftcert=rt2.monitor.york_1.pem
	leftid=
	right=%any
	rightsubnetwithin=192.168.200.0/24
	rightrsasigkey=%cert
	rightid="/C=GB/ST=yorkshire/L=york/O=MCSLtd/OU=Support/CN=andrew.lemin_1/emailAddress=email@address.changed.com"
	rightprotoport=17/%any
	keylife=8h
	ikelifetime=1h
	pfs=no
	keyingtries=1
	ike=3des-md5-modp1024
	esp=3des-md5


Log;

> *received 312 bytes from <CLIENT-PUBLIC-IP>:500 on eth2
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from <CLIENT-PUBLIC-IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> preparse_isakmp_policy: peer requests RSASIG authentication
> instantiated "rt2.monitor.york__GT__andrew.lemin_0" for <SERVER-PUBLIC-IP>
> creating state object #1 at 0x810a3e8
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: responding to Main Mode from unknown peer <CLIENT-PUBLIC-IP>
> inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> next event EVENT_RETRANSMIT in 10 seconds for #1
> *received 360 bytes from <CLIENT-PUBLIC-IP>:500 on eth2
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object #1 found, in STATE_MAIN_R1
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
> inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> next event EVENT_RETRANSMIT in 10 seconds for #1
> *received 1404 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object #1 found, in STATE_MAIN_R2
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: Peer ID is ID_DER_ASN1_DN: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email@address.changed.com'
> subject: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email@address.changed.com'
> issuer: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email@address.changed.com'
> authkey: f5:e2:bb:d5:51:73:19:ad:2d:2b:65:96:ea:ea:1c:1a:ab:bd:d7:89
> not before : Jan 01 00:00:00 UTC 2000
> current time: Jul 12 08:56:01 UTC 2007
> not after : Jul 06 00:00:00 UTC 2010
> certificate is valid
> issuer cacert found
> certificate signature is valid
> crl found
> crl signature is valid
> serial number: 03
> crl is valid
> certificate is good
> subject: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email@address.changed.com'
> issuer: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email@address.changed.com'
> authkey: f5:e2:bb:d5:51:73:19:ad:2d:2b:65:96:ea:ea:1c:1a:ab:bd:d7:89
> not before : Jan 01 00:00:00 UTC 2000
> current time: Jul 12 08:56:01 UTC 2007
> not after : Jul 06 00:00:00 UTC 2017
> certificate is valid
> issuer cacert found
> certificate signature is valid
> reached self-signed root ca
> an RSA Sig check passed with *AwEAAdSg1 [preloaded key]
> peer CA: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email@address.changed.com'
> requested CA: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email@address.changed.com'
> offered CA: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email@address.changed.com'
> our certificate policy is ALWAYS_SEND
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: we have a cert and are sending it
> signing hash with RSA Key *AwEAAeEXt
> NAT-T: new mapping <CLIENT-PUBLIC-IP>:500/4500)
> inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sent MR3, ISAKMP SA established
> next event EVENT_NAT_T_KEEPALIVE in 20 seconds
> *received 316 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object not found
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object #1 found, in STATE_MAIN_R3
> our client is <SERVER-PUBLIC-IP>
> our client protocol/port is 17/1701
> no valid attribute cert found
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: cannot respond to IPsec SA request because no connection is known for <SERVER-PUBLIC-IP>/32===192.168.214.2:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1, E=email@address.changed.com]:17/1701...<CLIENT-PUBLIC-IP>:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email@address.changed.com]:17/%any
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to <CLIENT-PUBLIC-IP>:4500
> state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
> next event EVENT_NAT_T_KEEPALIVE in 20 seconds
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=192.168.214.1 DST=192.168.214.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1320 DPT=137 LEN=58
> *received 316 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object not found
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object #1 found, in STATE_MAIN_R3
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6c066afc (perhaps this is a duplicated packet)
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to <CLIENT-PUBLIC-IP>:4500
> next event EVENT_NAT_T_KEEPALIVE in 19 seconds
> *received 316 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object not found
> ICOOKIE: 66 b2 74 90 7d 02 46 3b
> RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
> peer: 58 60 c1 41
> state hash entry 5
> state object #1 found, in STATE_MAIN_R3
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6c066afc (perhaps this is a duplicated packet)
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to <CLIENT-PUBLIC-IP>:4500


Ipsec status;

# ipsec status
000 "rt2.monitor.york__GT__andrew.lemin_0": 192.168.214.2[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1, E=support@monitorso.0/24}; unrouted; eroute owner: #0
000 "rt2.monitor.york__GT__andrew.lemin_0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
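The Quick Mode rejection quoted in this post can be triaged mechanically from the log itself. The following Python script is an added example, not code from the original post or from the strongSwan project: it parses the "cannot respond to IPsec SA request because no connection is known for ..." line into its two selector halves, picks up the phase-1 context (NAT-T result, ISAKMP SA established, the notification sent), and compares the proposal with the conn pluto had to match. The addresses 203.0.113.10 and 198.51.100.7 are constructed stand-ins for <SERVER-PUBLIC-IP> and <CLIENT-PUBLIC-IP>, the DNs are shortened copies of the posted ones, and the conn name rw and the sample log excerpt are constructed for the example.

```python
"""Triage a pluto (strongSwan 2.x, IKEv1) Quick Mode rejection from its log.

Added example, not code from the original post or from the strongSwan
project. It joins the evidence the post already contains: the phase-1 lines,
the "no connection is known for ..." selector dump, and the conn definition.
The public IPs are constructed stand-ins for <SERVER-PUBLIC-IP> and
<CLIENT-PUBLIC-IP>; the DNs are shortened copies of the ones in the post.
"""
import ipaddress
import re

SERVER_PUBLIC = "203.0.113.10"   # constructed stand-in for <SERVER-PUBLIC-IP>
CLIENT_PUBLIC = "198.51.100.7"   # constructed stand-in for <CLIENT-PUBLIC-IP>

# Constructed log excerpt modelled on the post, one pluto message per line.
SAMPLE_LOG = f'''\
"rw"[1] {CLIENT_PUBLIC} #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
"rw"[1] {CLIENT_PUBLIC}:4500 #1: sent MR3, ISAKMP SA established
"rw"[1] {CLIENT_PUBLIC}:4500 #1: cannot respond to IPsec SA request because no connection is known for {SERVER_PUBLIC}/32===192.168.214.2:4500[C=GB, O=MCSLtd, CN=rt2.monitor.york_1]:17/1701...{CLIENT_PUBLIC}:4500[C=GB, O=MCSLtd, CN=andrew.lemin_1]:17/%any
"rw"[1] {CLIENT_PUBLIC}:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to {CLIENT_PUBLIC}:4500
'''

# Constructed conn mirroring the relevant keys of the posted ipsec.conf.
SAMPLE_CONF = """\
conn rw
\tleft=%defaultroute
\tleftprotoport=17/1701
\tright=%any
\trightsubnetwithin=192.168.200.0/24
\trightprotoport=17/%any
"""

# <left client>===<left host>:<port>[<left ID>]:<proto/port>...<right host>:<port>[<right ID>]:<proto/port>===<right client>
_SELECTOR_RE = re.compile(
    r"no connection is known for (?:(?P<lclient>[\d./]+)===)?"
    r"(?P<lhost>[\d.]+):(?P<lport>\d+)\[(?P<lid>[^\]]*)\]:(?P<lpp>[\w/%]+)\.\.\."
    r"(?P<rhost>[\d.]+):(?P<rport>\d+)\[(?P<rid>[^\]]*)\]:(?P<rpp>[\w/%]+)(?:===(?P<rclient>[\d./]+))?"
)


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {"conn NAME": {key: value}, "config setup": {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # an unindented line starts a section
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def parse_quick_mode_failure(log):
    """Extract the selectors pluto failed to match, plus phase-1 context; None if absent."""
    m = _SELECTOR_RE.search(log)
    if not m:
        return None
    info = m.groupdict()                           # unmatched optional groups come back as None
    nat = re.search(r"NAT-Traversal: Result using [^:]+: ([^\n]+)", log)
    notify = re.search(r"sending encrypted notification (\w+)", log)
    info["nat_result"] = nat.group(1) if nat else None
    info["notify"] = notify.group(1) if notify else None
    info["isakmp_established"] = "ISAKMP SA established" in log
    return info


def diagnose(conn, f):
    """Report where the peer's Quick Mode proposal does not fit the configured conn."""
    findings = []
    if f["isakmp_established"] and f["notify"] == "INVALID_ID_INFORMATION":
        findings.append("phase 1 completed (ISAKMP SA established, certificates accepted); "
                        "the rejection is a Quick Mode selector mismatch, not an authentication failure")
    # Left side: what the peer wants us to protect versus what the conn offers (leftsubnet or our host).
    lhost = ipaddress.ip_address(f["lhost"])
    proposed_local = ipaddress.ip_network(f["lclient"] or f"{lhost}/32", strict=False)
    offered_local = ipaddress.ip_network(conn.get("leftsubnet", f"{lhost}/32"), strict=False)
    if not proposed_local.subnet_of(offered_local):
        findings.append(f"local selector: peer asked for {proposed_local}, but this gateway is "
                        f"{lhost} and the conn offers only {offered_local} (NAT-T: {f['nat_result']})")
    # Right side: the peer's own selector versus rightsubnet / rightsubnetwithin / its host address.
    rhost = ipaddress.ip_address(f["rhost"])
    proposed_right = ipaddress.ip_network(f["rclient"] or f"{rhost}/32", strict=False)
    right_cfg = conn.get("rightsubnet") or conn.get("rightsubnetwithin")
    offered_right = ipaddress.ip_network(right_cfg or f"{rhost}/32", strict=False)
    if not proposed_right.subnet_of(offered_right):
        findings.append(f"remote selector: peer proposed {proposed_right}, outside the configured "
                        f"right side {offered_right}")
    for side, key in (("left", "lpp"), ("right", "rpp")):   # literal compare; pluto prints port 0 as %any
        want = conn.get(f"{side}protoport", "0/0")
        if want != f[key]:
            findings.append(f"{side}protoport: conn has {want}, peer proposed {f[key]}")
    return findings


if __name__ == "__main__":
    failure = parse_quick_mode_failure(SAMPLE_LOG)
    for line in diagnose(parse_ipsec_conf(SAMPLE_CONF)["conn rw"], failure):
        print("-", line)
```

Run against the constructed sample it reports three things, all of which are visible in the posted log and config: phase 1 completed, so the certificate chain and CRL checks are not where it fails; the client proposes the gateway's NAT public address (/32) as the local selector while the host itself is 192.168.214.2 and the conn has no leftsubnet covering that address; and the client's own public address falls outside rightsubnetwithin=192.168.200.0/24. The protoports 17/1701 and 17/%any agree with the conn, so they are not reported.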


