[Users] nat_traversal=yes between 2 freeswan => master is DEAF to IKE nego

From: Dominique Blas (ml_at_blas.net)
Date: Mon Sep 16 2002 - 01:34:25 CEST


Hi, a strange phenomenon indeed. Isn't it?
Exactly as if there were a filter on UDP dest port 500.

It's the first time I use this NAT-T.

The configuration
================
The kernel is 2.4.19 on the client and 2.4.18 on the server.
But the behaviour is the same with a 2.4.18 on the client side.

Both kernels were patched (ESPinUDP from NAT-Traversal v. 0.2 for the 2.4.18 and ESPinUDP from NAT-Traversal 0.3 for the 2.4.19)
and both freeswan are 1.97 + x509 0.9.2 + NAT-Traversal 0.2 + pluto-patch-020708 (*) (the bug-fix patch recommended when freeswan is the initiator; see http://marc.theaimsgroup.com/?l=linux-ipsec&m=102810540528286&w=2 )

The architecture
===============
Both sides are NATed (a true and full NAT: IP protocol 50 (ESP) passes through it without any inconvenience).

That is to say that the VPN is correctly established between roadwarrior and head
through this double NAT WITHOUT NAT-T!

But the router in front of the roadwarrior is to be replaced by another router in its definitive location.
And that router will not perform a full NAT (only protocols with ports (i.e. TCP and UDP) will be correctly forwarded, so
ESP will not).

Hence my attempts to make NAT-T work.

Right ?

The phenomenon
================

Everything works fine whether the client has the keyword nat_traversal=yes or not.
But as soon as the HEAD has this keyword activated, this one (the HEAD) seems to be ** DEAF **.
Logs (syslog or debug) are normal (see below) BUT DON'T MENTION any call from anywhere.

Whereas a tcpdump trace shows UDP 500 packets (I tried with packets originating from
a source port other than 500, nothing different) correctly arriving on the head.

I REPEAT: the only difference is nat_traversal=yes on the head.

WHY this behaviour and WHY ME?
I'm using leftsubnetwithin and not %virtual, does it matter?
I'm really far from observing problems during the IPsec SA nego since there is no IKE SA nego!

LOGS
======

Here is the head syslog
--------------

Sep 16 00:11:19 vpnhead ipsec__plutorun: Starting Pluto subsystem...
Sep 16 00:11:19 vpnhead ipsec__plutorun: Starting Pluto subsystem...
Sep 16 00:11:19 vpnhead Pluto[7809]: Starting Pluto (FreeS/WAN Version 1.97)
Sep 16 00:11:19 vpnhead Pluto[7809]: including X.509 patch (Version 0.9.12)
Sep 16 00:11:19 vpnhead Pluto[7809]: including NAT-Traversal patch (Version 0.2)
Sep 16 00:11:19 vpnhead Pluto[7809]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 16 00:11:19 vpnhead Pluto[7809]: loaded cacert file 'rootCert.pem' (2589 bytes)
Sep 16 00:11:19 vpnhead Pluto[7809]: loaded cacert file 'babCert.pem' (2179 bytes)
Sep 16 00:11:19 vpnhead Pluto[7809]: Changing to directory '/etc/ipsec.d/crls'
Sep 16 00:11:19 vpnhead Pluto[7809]: loaded crl file 'crl.pem' (682 bytes)
Sep 16 00:11:19 vpnhead Pluto[7809]: could not open my default X.509 cert file '/etc/x509cert.der'
Sep 16 00:11:19 vpnhead Pluto[7809]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Sep 16 00:11:19 vpnhead Pluto[7809]: loaded host cert file '/etc/ipsec.d/newcerts/lyobabidCert.pem' (1740 bytes)
Sep 16 00:11:19 vpnhead Pluto[7809]: added connection description "ar"
Sep 16 00:11:19 vpnhead Pluto[7809]: listening for IKE messages
Sep 16 00:11:19 vpnhead Pluto[7809]: adding interface ipsec0/eth0 192.168.11.241
Sep 16 00:11:19 vpnhead Pluto[7809]: loading secrets from "/etc/ipsec.secrets"
Sep 16 00:11:19 vpnhead Pluto[7809]: loaded private key file '/etc/ipsec.d/private/lyobabidKey.pem' (1675 bytes)
Sep 16 00:13:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:13:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:13:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:13:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:13:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:13:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:15:05 vpnhead modprobe: modprobe: Can't locate module nls_cp437
Sep 16 00:15:05 vpnhead modprobe: modprobe: Can't locate module nls_cp437
Sep 16 00:15:05 vpnhead modprobe: modprobe: Can't locate module nls_iso8859-1
Sep 16 00:15:05 vpnhead modprobe: modprobe: Can't locate module nls_iso8859-1
Sep 16 00:15:05 vpnhead last message repeated 2 times
Sep 16 00:15:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:15:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:15:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:15:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:15:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:15:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:15:05 vpnhead last message repeated 2 times
Sep 16 00:17:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:17:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:17:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:17:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:17:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:17:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:19:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:19:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:19:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:19:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:19:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:19:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:21:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:21:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:21:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:21:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:21:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:21:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:23:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:23:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:23:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:23:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:23:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:23:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:25:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:25:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:25:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:25:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:25:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:25:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:27:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:27:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:27:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:27:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:27:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:27:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:29:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:29:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:29:19 vpnhead kernel: klips_debug: off = 0
Sep 16 00:29:19 vpnhead kernel: klips_debug:rj_walktree: for: rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:29:19 vpnhead kernel: klips_debug:rj_walktree: processing leaves, rn=c15cfbf8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
Sep 16 00:29:19 vpnhead kernel: klips_debug:rj_walktree: while: base=00000000 rn=c15cfbc8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
Sep 16 00:31:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a60 key = 00000000->00000000 @mask = 00000000
Sep 16 00:31:19 vpnhead kernel: klips_debug:@ flags = 6 @key = cfc18a6c key = ffffffff->ffffffff @mask = 00000000
Sep 16 00:31:19 vpnhead kernel: klips_debug: off = 0

and the head debug showing ... nothing!
--------------------------

Sep 16 00:11:19 vpnhead Pluto[7809]: |
Sep 16 00:11:19 vpnhead Pluto[7809]: | *received whack message
Sep 16 00:11:19 vpnhead Pluto[7809]: | found lo with address 127.0.0.1
Sep 16 00:11:19 vpnhead Pluto[7809]: | found eth0 with address 192.168.11.241
Sep 16 00:11:19 vpnhead Pluto[7809]: | found ipsec0 with address 192.168.11.241
Sep 16 00:11:19 vpnhead Pluto[7809]: | found tr0 with address 192.168.10.245
Sep 16 00:11:19 vpnhead Pluto[7809]: | IP interface tr0 192.168.10.245 has no matching ipsec* interface -- ignored
Sep 16 00:11:19 vpnhead Pluto[7809]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Sep 16 00:11:19 vpnhead Pluto[7809]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Sep 16 00:11:19 vpnhead Pluto[7809]: | IP interface lo ::1 has no matching ipsec* interface -- ignored
Sep 16 00:11:19 vpnhead Pluto[7809]: | file content is not binary ASN.1
Sep 16 00:11:19 vpnhead Pluto[7809]: | -----BEGIN RSA PRIVATE KEY-----
Sep 16 00:11:19 vpnhead Pluto[7809]: | -----END RSA PRIVATE KEY-----
Sep 16 00:11:19 vpnhead Pluto[7809]: | file coded in PEM format
Sep 16 00:11:19 vpnhead Pluto[7809]: | L0 - RSAPrivateKey:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - version:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - modulus:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - publicExponent:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - privateExponent:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - prime1:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - prime2:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - exponent1:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - exponent2:
Sep 16 00:11:19 vpnhead Pluto[7809]: | L1 - coefficient:
Sep 16 00:11:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:11:28 vpnhead kernel: ipsec0: no IPv6 routers present
Sep 16 00:13:19 vpnhead Pluto[7809]: |
Sep 16 00:13:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:13:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 3480 seconds
Sep 16 00:13:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:13:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:15:19 vpnhead Pluto[7809]: |
Sep 16 00:15:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:15:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 3360 seconds
Sep 16 00:15:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:15:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:17:19 vpnhead Pluto[7809]: |
Sep 16 00:17:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:17:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 3240 seconds
Sep 16 00:17:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:17:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:19:19 vpnhead Pluto[7809]: |
Sep 16 00:19:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:19:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 3120 seconds
Sep 16 00:19:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:19:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:21:19 vpnhead Pluto[7809]: |
Sep 16 00:21:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:21:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 3000 seconds
Sep 16 00:21:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:21:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:23:19 vpnhead Pluto[7809]: |
Sep 16 00:23:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:23:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 2880 seconds
Sep 16 00:23:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:23:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:25:19 vpnhead Pluto[7809]: |
Sep 16 00:25:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:25:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 2760 seconds
Sep 16 00:25:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:25:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:27:19 vpnhead Pluto[7809]: |
Sep 16 00:27:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:27:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 2640 seconds
Sep 16 00:27:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:27:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:29:19 vpnhead Pluto[7809]: |
Sep 16 00:29:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:29:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 2520 seconds
Sep 16 00:29:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:29:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds
Sep 16 00:31:19 vpnhead Pluto[7809]: |
Sep 16 00:31:19 vpnhead Pluto[7809]: | *time to handle event
Sep 16 00:31:19 vpnhead Pluto[7809]: | event after this is EVENT_REINIT_SECRET in 2400 seconds
Sep 16 00:31:19 vpnhead Pluto[7809]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Sep 16 00:31:19 vpnhead Pluto[7809]: | next event EVENT_SHUNT_SCAN in 120 seconds

Despite the tcpdump trace showing the attempts from the client
---------------------------------------

00:11:28.502955 c.c.c.c.500 > 192.168.11.241.500: isakmp: phase 1 I ident:
        (p: #0 protoid=isakmp transform=4
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))))
    (vid: len=16) (DF)
00:11:38.494563 c.c.c.c.500 > 192.168.11.241.500: isakmp: phase 1 I ident:
        (p: #0 protoid=isakmp transform=4
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))))
    (vid: len=16) (DF)
00:11:58.487822 c.c.c.c.500 > 192.168.11.241.500: isakmp: phase 1 I ident:
        (p: #0 protoid=isakmp transform=4
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))))
    (vid: len=16) (DF)
00:12:38.475252 c.c.c.c.500 > 192.168.11.241.500: isakmp: phase 1 I ident:
        (p: #0 protoid=isakmp transform=4
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))))
    (vid: len=16) (DF)
00:13:18.459431 c.c.c.c.500 > 192.168.11.241.500: isakmp: phase 1 I ident:
        (p: #0 protoid=isakmp transform=4
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=0005))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))))
    (vid: len=16) (DF)

corresponding to
-----------

104 "BAR" #1: STATE_MAIN_I1: initiate
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "BAR" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "BAR" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message

Normal behaviour
================

As soon as I comment out the line nat_traversal=yes on the head side
and reload freeswan, I can see, in debug:

Sep 16 01:21:10 vpnhead Pluto[8219]: | *received 176 bytes from c.c.c.c:500 on eth0
Sep 16 01:21:10 vpnhead Pluto[8219]: | 4a 16 2d 9e f6 0f c9 17 00 00 00 00 00 00 00 00
Sep 16 01:21:10 vpnhead Pluto[8219]: | 01 10 02 00 00 00 00 00 00 00 00 b0 00 00 00 94
[...]
Sep 16 01:21:10 vpnhead Pluto[8219]: | **parse ISAKMP Message:
Sep 16 01:21:10 vpnhead Pluto[8219]: | initiator cookie:
Sep 16 01:21:10 vpnhead Pluto[8219]: | 4a 16 2d 9e f6 0f c9 17
Sep 16 01:21:10 vpnhead Pluto[8219]: | responder cookie:
Sep 16 01:21:10 vpnhead Pluto[8219]: | 00 00 00 00 00 00 00 00
Sep 16 01:21:10 vpnhead Pluto[8219]: | next payload type: ISAKMP_NEXT_SA
Sep 16 01:21:10 vpnhead Pluto[8219]: | ISAKMP version: ISAKMP Version 1.0

and in syslog:

Sep 16 01:21:07 vpnhead ipsec__plutorun: Starting Pluto subsystem...
Sep 16 01:21:08 vpnhead Pluto[8219]: Starting Pluto (FreeS/WAN Version 1.97)
Sep 16 01:21:08 vpnhead Pluto[8219]: including X.509 patch (Version 0.9.12)
Sep 16 01:21:08 vpnhead Pluto[8219]: including NAT-Traversal patch (Version 0.2) [disabled]
Sep 16 01:21:08 vpnhead Pluto[8219]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 16 01:21:08 vpnhead Pluto[8219]: loaded cacert file 'rootCert.pem' (2589 bytes)
Sep 16 01:21:08 vpnhead Pluto[8219]: loaded cacert file 'babCert.pem' (2179 bytes)
Sep 16 01:21:08 vpnhead Pluto[8219]: Changing to directory '/etc/ipsec.d/crls'
Sep 16 01:21:08 vpnhead Pluto[8219]: loaded crl file 'crl.pem' (682 bytes)
Sep 16 01:21:08 vpnhead Pluto[8219]: could not open my default X.509 cert file '/etc/x509cert.der'
Sep 16 01:21:08 vpnhead Pluto[8219]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Sep 16 01:21:08 vpnhead Pluto[8219]: loaded host cert file '/etc/ipsec.d/newcerts/lyobabidCert.pem' (1740 bytes)
Sep 16 01:21:08 vpnhead Pluto[8219]: added connection description "ar"
Sep 16 01:21:08 vpnhead Pluto[8219]: listening for IKE messages
Sep 16 01:21:08 vpnhead Pluto[8219]: adding interface ipsec0/eth0 192.168.11.241
Sep 16 01:21:08 vpnhead Pluto[8219]: loading secrets from "/etc/ipsec.secrets"
Sep 16 01:21:08 vpnhead Pluto[8219]: loaded private key file '/etc/ipsec.d/private/lyobabidKey.pem' (1675 bytes)
Sep 16 01:21:22 vpnhead Pluto[8219]: "ar" c.c.c.c #3: responding to Main Mode from unknown peer c.c.c.c
Sep 16 01:21:22 vpnhead Pluto[8219]: "ar" c.c.c.c #3: Peer ID is ID_FQDN: '@vpn.toto.com'
Sep 16 01:21:22 vpnhead Pluto[8219]: "ar" c.c.c.c #3: Next CRL update was expected on Jul 01 17:55:01 UTC 2002
Sep 16 01:21:22 vpnhead Pluto[8219]: "ar" c.c.c.c #3: Issuer CRL not found
Sep 16 01:21:22 vpnhead Pluto[8219]: "ar" c.c.c.c #3: Issuer CRL not found
Sep 16 01:21:23 vpnhead Pluto[8219]: "ar" c.c.c.c #3: sent MR3, ISAKMP SA established
Sep 16 01:21:23 vpnhead Pluto[8219]: "ar" c.c.c.c #4: responding to Quick Mode
Sep 16 01:21:23 vpnhead Pluto[8219]: "ar" c.c.c.c. #4: IPsec SA established

The ipsec.conf files
==================
The configuration on both sides is classical.

Client configuration
------------

# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file

# More elaborate and more varied sample configurations can be found
# in doc/examples.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        uniqueids=yes
        plutoload=%search
        plutostart=%search
        syslog=local0.info
        nocrsend=yes
        nat_traversal=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=1
        authby=rsasig
        pfs=yes
        compress=yes

conn BAR
        leftid=@vpn.toto.com
        leftcert=newcerts/barbabidCert.pem
        left=%defaultroute
        leftsubnet=192.168.25.0/24
        leftnexthop=
        rightcert=newcerts/lyobabidCert.pem
        right=h.h.h.h
        rightsubnet=192.168.10.0/23
        auto=add
        keyingtries=0

head configuration
-------------
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file

# More elaborate and more varied sample configurations can be found
# in doc/examples.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        #uniqueids=yes
        plutoload=%search
        plutostart=%search
        syslog=local0.info
        nocrsend=yes
        nat_traversal=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=1
        left=%any
        #leftnexthop=
        leftrsasigkey=%cert
        right=192.168.11.241
        rightsubnet=192.168.10.0/23
        rightnexthop=192.168.11.249
        rightrsasigkey=%cert
        rightcert=newcerts/lyobabidCert.pem
        auto=add
        authby=rsasig
        pfs=yes
        compress=yes

conn ar
        leftsubnetwithin=192.168.0.0/16
        leftid=@vpn.toto.com
        auto=add

Thanks for any advice!

db

(*) In fact a version of this patch adapted for x509 0.9.2, since the original patch was for x509 0.9.0.
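Added example, not part of the post or of FreeS/WAN: a decoder for the ISAKMP header bytes Pluto printed under "Normal behaviour" above (the very message the NAT-T-enabled head never logged), which checks that the header length matches the datagram and walks the payload chain, and, going beyond the post, shows how a NAT-T listener tells an IKE message from UDP-encapsulated ESP on UDP/4500 by the all-zero Non-ESP Marker of RFC 3948. Only the first 32 bytes of the 176-byte message appear in the log, so the rest is zero-filled here (constructed filler), and the ESP-in-UDP sample is constructed as well.

```python
import struct

# Fixed ISAKMP header, RFC 2408 section 3.1 (28 bytes, network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header, RFC 2408 section 3.2 (4 bytes).
PAYLOAD_HDR = struct.Struct("!BBH")

NEXT_PAYLOAD = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D",
                13: "VID", 20: "NAT-D", 21: "NAT-OA"}   # 20/21 are RFC 3947 values
EXCHANGE = {1: "Base", 2: "Identity Protection (Main Mode)", 4: "Aggressive",
            5: "Informational", 32: "Quick Mode"}

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948 section 2.2


def classify_udp_datagram(payload: bytes, dst_port: int):
    """Decide what a datagram on an IKE/NAT-T port is before parsing it.

    Returns ("ike", isakmp_message) or ("esp", esp_packet). On UDP/4500 an IKE
    message is prefixed with a 4-byte all-zero Non-ESP Marker; UDP-encapsulated
    ESP starts with its SPI, which is never zero, so the two cannot be confused.
    """
    if dst_port == IKE_PORT:
        return "ike", payload
    if dst_port == NATT_PORT:
        if len(payload) < 4:
            raise ValueError("runt datagram on UDP/4500")
        if payload[:4] == NON_ESP_MARKER:
            return "ike", payload[4:]
        return "esp", payload
    raise ValueError(f"UDP/{dst_port} is neither IKE nor NAT-T")


def parse_isakmp(msg: bytes) -> dict:
    """Parse the ISAKMP header and walk the payload chain, validating lengths."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, np, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError(f"header length {length} != datagram length {len(msg)}")
    payloads, off = [], ISAKMP_HDR.size
    while np != 0:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("payload chain runs past end of message")
        next_np, _reserved, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((NEXT_PAYLOAD.get(np, f"unknown({np})"), plen))
        off, np = off + plen, next_np
    if off != len(msg):
        raise ValueError(f"{len(msg) - off} trailing bytes after last payload")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),   # all zero in the first Main Mode message
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & 0x01),
        "message_id": msgid,
        "length": length,
        "payloads": payloads,
    }


def decode_on_port(payload: bytes, dst_port: int) -> dict:
    """What a NAT-T capable listener should make of a datagram on UDP/500 or 4500."""
    kind, body = classify_udp_datagram(payload, dst_port)
    if kind == "esp":
        return {"kind": "esp", "spi": body[:4].hex()}
    return {"kind": "ike", **parse_isakmp(body)}


# The 32 bytes Pluto printed for "received 176 bytes from c.c.c.c:500":
# cookies, next payload SA, version 1.0, exchange 2, flags 0, msgid 0, length 0xb0,
# then the SA payload's generic header (next NONE, length 0x94 = 148 = 176 - 28).
LOG_BYTES = bytes.fromhex(
    "4a162d9ef60fc917" "0000000000000000"
    "01100200" "00000000" "000000b0"
    "00000094")
MAIN_MODE_MSG1 = LOG_BYTES + b"\x00" * (176 - len(LOG_BYTES))   # constructed filler
ESP_IN_UDP = bytes.fromhex("12345678") + b"\x00" * 12             # constructed sample

if __name__ == "__main__":
    print(decode_on_port(MAIN_MODE_MSG1, IKE_PORT))
    print(decode_on_port(NON_ESP_MARKER + MAIN_MODE_MSG1, NATT_PORT))
    print(decode_on_port(ESP_IN_UDP, NATT_PORT))
```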

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Mon Sep 16 2002 - 05:20:06 CEST