[Users] Roadwarrior to Gateway with x509 and NAT-T impossible?

From: Henning Riis Rasmussen (hrr_at_indbakke.dk)
Date: Mon Aug 12 2002 - 15:47:46 CEST


Hi all

I have now tried for a very long time, using several walkthroughs, readme
files etc., to make a roadwarrior connect to a FreeS/WAN gateway over a NAT
device.

And it still doesn't work.

My setup is this:

Win2000 SP3 with SSH Sentinel 1.3.2 build 2
    |
Cisco 677 doing NAT
    |
Internet
    |
FreeS/WAN 1.97 with x509 0.9.10 and NAT-T 0.2 on kernel 2.4.18
    |
LAN

I have checked that all IP packets (including fragments) reach the other end
in both directions.

Someone responded earlier on the list, saying he/she had a working setup
with a roadwarrior connection through a NAT device... could you please post
more details on what you did, what your configuration looks like, etc.

My last attempt has been based on a document from SSH:

http://www.ssh.com/products/sentinel/SSH-Sentinel-1.3-FreeSWAN.pdf

This is what my /etc/ipsec.conf looks like (/etc/ipsec.secrets is now empty
except for a few comment lines followed by blank lines):

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# Basic configuration settings used at startup.
#
config setup
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        # Support NAT-T connections.
        nat_traversal=yes

# Default connection settings inherited by all other connections,
# unless explicitly overridden by those connections.
#
conn %default
        keyingtries=0
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        authby=rsasig
        right=%any
        rightrsasigkey=%cert
        left=62.79.81.246
        leftnexthop=62.79.81.245
        leftsubnet=192.168.100.0/24
        leftcert=gateway_cert.pem
        auto=add

# Road warrior connection description.
# Assuming the use of SSH Sentinel 1.3.X.
#
conn roadwarrior

And this is what I get in my log on the FreeS/WAN gateway:

Aug 12 14:18:03 firewall ipsec__plutorun: Starting Pluto subsystem...
Aug 12 14:18:03 firewall Pluto[3343]: Starting Pluto (FreeS/WAN Version 1.97)
Aug 12 14:18:03 firewall Pluto[3343]: including X.509 patch (Version 0.9.10)
Aug 12 14:18:03 firewall Pluto[3343]: including NAT-Traversal patch (Version 0.2)
Aug 12 14:18:03 firewall Pluto[3343]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 12 14:18:03 firewall Pluto[3343]: loaded cacert file 'mail.tltdocuments.dk.pem' (1529 bytes)
Aug 12 14:18:03 firewall Pluto[3343]: Changing to directory '/etc/ipsec.d/crls'
Aug 12 14:18:03 firewall Pluto[3343]: Warning: empty directory
Aug 12 14:18:03 firewall Pluto[3343]: loaded my default X.509 cert file '/etc/x509cert.der' (1138 bytes)
Aug 12 14:18:03 firewall Pluto[3343]: loaded host cert file '/etc/ipsec.d/gateway_cert.pem' (4885 bytes)
Aug 12 14:18:03 firewall Pluto[3343]: added connection description "roadwarrior"
Aug 12 14:18:03 firewall Pluto[3343]: listening for IKE messages
Aug 12 14:18:03 firewall Pluto[3343]: adding interface ipsec0/eth2 62.79.81.246
Aug 12 14:18:03 firewall Pluto[3343]: loading secrets from "/etc/ipsec.secrets"
Aug 12 14:18:16 firewall Pluto[3343]: packet from 213.237.75.4:500: ignoring Vendor ID payload [SSH Communications Security IPSEC Express version 4.1.0]
Aug 12 14:18:16 firewall Pluto[3343]: packet from 213.237.75.4:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Aug 12 14:18:16 firewall Pluto[3343]: packet from 213.237.75.4:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Aug 12 14:18:16 firewall Pluto[3343]: packet from 213.237.75.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 12 14:18:16 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: responding to Main Mode from unknown peer 213.237.75.4
Aug 12 14:18:16 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: peer is NATed
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:18 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 12 14:18:18 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:18 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:18 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:18 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:20 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 12 14:18:20 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:20 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:20 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:20 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:24 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 12 14:18:24 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:24 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:24 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:24 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 12 14:18:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:46 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Aug 12 14:18:46 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:18:46 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:46 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer CRL not found
Aug 12 14:18:46 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen, E=hrr_at_risedata.dk'
Aug 12 14:19:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Aug 12 14:19:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4: deleting connection "roadwarrior" instance with peer 213.237.75.4

Regards
Henning

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
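The Pluto log above tells a fairly precise story once the lines are grouped by ISAKMP SA: the responder detects via the draft-ietf-ipsec-nat-t-ike-00 vendor ID that the peer is NATed, receives the peer's certificate DN, notes that no CRL is loaded for the issuer, and then reports "no suitable connection for peer" for every retransmitted Main Mode message until it gives up in STATE_MAIN_R2 and deletes the connection instance. The script below is an added example, not code from the original post or from the FreeS/WAN project: it re-joins log lines that the mail archive wrapped at about 80 columns, groups Pluto messages by (peer, SA number), and reduces each SA to a few counters that point at where the handshake stalled. The sample log is a condensed copy of the lines posted above, embedded in wrapped form so the unwrapping step is exercised; the regexes are written against the message formats visible in that log, and the finding strings are this script's own wording.

```python
import re

# Constructed sample: a subset of the Pluto lines from the post, kept in the
# wrapped form in which the mailing-list archive shows them.
SAMPLE_LOG = """\
Aug 12 14:18:03 firewall Pluto[3343]: including NAT-Traversal patch
(Version 0.2)
Aug 12 14:18:16 firewall Pluto[3343]: packet from 213.237.75.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 12 14:18:16 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: peer is NATed
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID
is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen,
E=hrr_at_risedata.dk'
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Issuer
CRL not found
Aug 12 14:18:17 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no
suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen,
E=hrr_at_risedata.dk'
Aug 12 14:18:18 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: Peer ID
is ID_DER_ASN1_DN: 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen,
E=hrr_at_risedata.dk'
Aug 12 14:18:18 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: no
suitable connection for peer 'C=DK, O=Rise Data, CN=Henning Riis Rasmussen,
E=hrr_at_risedata.dk'
Aug 12 14:19:26 firewall Pluto[3343]: "roadwarrior" 213.237.75.4 #1: max
number of retransmissions (2) reached STATE_MAIN_R2
"""

# A real syslog line starts with "Mon DD HH:MM:SS "; anything else is a
# continuation produced by line wrapping.
SYSLOG_START = re.compile(r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ')

# Pluto messages tied to a state object look like: "conn" peer #n: message
STATE_RE = re.compile(
    r'Pluto\[\d+\]: "(?P<conn>[^"]+)" (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\w+): '(?P<id>[^']*)'")
NAT_RE = re.compile(r"NAT-Traversal: Result using (?P<draft>\S+): (?P<result>.*)")
NO_CONN_RE = re.compile(r"no suitable connection for peer '(?P<id>[^']*)'")
RETRANS_RE = re.compile(r"max number of retransmissions \((?P<n>\d+)\) reached (?P<state>\w+)")


def unwrap(text):
    """Re-join log lines that a mail client or archive wrapped at ~80 columns."""
    out = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += ' ' + line.strip()
    return '\n'.join(out)


def parse_pluto_log(text):
    """Group Pluto messages by (peer, ISAKMP SA number) and summarise each SA."""
    sas = {}
    for line in unwrap(text).splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # startup chatter and per-packet vendor-ID lines
        key = (m['peer'], int(m['sa']))
        s = sas.setdefault(key, {
            'conn': m['conn'], 'peer_ids': set(), 'nat': None,
            'no_conn': 0, 'crl_missing': 0, 'final_state': None,
        })
        msg = m['msg']
        if (pm := PEER_ID_RE.search(msg)):
            s['peer_ids'].add((pm['kind'], pm['id']))
        elif (nm := NAT_RE.search(msg)):
            s['nat'] = (nm['draft'], nm['result'])
        elif NO_CONN_RE.search(msg):
            s['no_conn'] += 1
        elif msg == 'Issuer CRL not found':
            s['crl_missing'] += 1
        elif (rm := RETRANS_RE.search(msg)):
            s['final_state'] = rm['state']
    return sas


def diagnose(sa):
    """Turn one SA summary into short findings (wording is this script's own)."""
    findings = []
    if sa['nat'] and 'NATed' in sa['nat'][1]:
        findings.append('NAT-T negotiated (%s): peer is behind NAT' % sa['nat'][0])
    if sa['no_conn'] and sa['final_state'] == 'STATE_MAIN_R2':
        findings.append('stalled in Main Mode R2: peer ID %s was never matched to a conn '
                        '(%d attempts)' % (sorted(sa['peer_ids'])[0][1], sa['no_conn']))
    if sa['crl_missing']:
        findings.append('no CRL loaded for the issuer: revocation was not checked')
    return findings


if __name__ == '__main__':
    for (peer, sa_no), sa in parse_pluto_log(SAMPLE_LOG).items():
        print('%s #%d (%s):' % (peer, sa_no, sa['conn']))
        for f in diagnose(sa):
            print('  -', f)
```

Run it against a full /var/log/secure or wherever Pluto logs on the gateway; the counters separate a peer that never reaches the ID exchange (a transport or fragmentation problem) from one that, as here, delivers its certificate DN and is then refused by connection matching.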



This archive was generated by hypermail 2.1.4 : Mon Aug 12 2002 - 18:19:34 CEST