Hi,
I am setting up a road warrior VPN connection with Super FreeS/WAN and the
native Windows XP VPN client. Everything works well without NAT, but when I
put both the FreeS/WAN box and the XP client behind NAT boxes, it fails to connect.
This is my network scheme:
(Local network: 192.168.100.0/24)-----[192.168.100.1**Linux Freeswan
box**192.168.20.254]------(192.168.20.1*Cisco router + Static
NAT)------Internet
Internet--------(203.1.1.1*DSL Broadband device + Dynamic
NAT*192.168.200.1)-----------(192.168.200.25*Windows XP VPN Client)
- I am using static NAT for the FreeS/WAN box from
192.168.20.254<----->200.200.200.200 (example)
- The DSL line has a dynamic Internet address, at this time 203.1.1.1; it
changes frequently.
Here is my ipsec.conf:
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# defaults for subsequent connection descriptions
conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

# accept origin W2K or XP client
conn W2KXP
	type=tunnel
	authby=secret
	pfs=no
	#
	left=%defaultroute
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/1701
	rightsubnetwithin=0.0.0.0/0
	#
	auto=add
	keyingtries=0
THEN I TRY TO CONNECT FROM THE WINDOWS XP VPN CLIENT TO 200.200.200.200 and it
is unsuccessful (I have added some patches to Windows XP).
Here are some printouts and logs:
ipsec auto --status
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "W2KXP": 192.168.20.254:17/1701---192.168.20.1...%any:17/1701
000 "W2KXP": CAs: '%any'...'%any'
000 "W2KXP": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "W2KXP": policy: PSK+ENCRYPT+COMPRESS+TUNNEL; interface: eth0; unrouted
000 "W2KXP": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "W2KXP": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2,
5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "W2KXP": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5,
5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "W2KXP": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "W2KXP": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
/var/log/secure
Sep 20 20:33:07 blackbox pluto[21024]: packet from 203.1.1.1:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 20 20:33:07 blackbox pluto[21024]: packet from 203.1.1.1:500: ignoring
Vendor ID payload [FRAGMENTATION]
Sep 20 20:33:07 blackbox pluto[21024]: packet from 203.1.1.1:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 20 20:33:07 blackbox pluto[21024]: packet from 203.1.1.1:500: ignoring
Vendor ID payload [26244d38eddb61b3...]
Sep 20 20:33:07 blackbox pluto[21024]: "W2KXP"[1] 203.1.1.1 #1: responding
to Main Mode from unknown peer 203.1.1.1
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[1] 203.1.1.1 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[1] 203.1.1.1 #1: Main mode
peer ID is ID_FQDN: '@ctl.test.com'
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1 #1: deleting
connection "W2KXP" instance with peer 203.1.1.1
Sep 20 20:33:08 blackbox pluto[21024]: | NAT-T: new mapping
203.1.1.1:500/4500)
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1:4500 #1: sent
MR3, ISAKMP SA established
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1:4500 #1: packet
rejected: should have been encrypted
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1:4500 #1: sending
encrypted notification INVALID_FLAGS to 203.1.1.1:4500
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1:4500 #1: cannot
respond to IPsec SA request because no connection is known for
200.200.200.200/32===192.168.20.254:4500:17/1701...203.1.1.1:4500[@ctl.saigo
nctt.com]:17/1701===3238890626
Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1:4500 #1: sending
encrypted notification INVALID_ID_INFORMATION to 203.1.1.1:4500
Sep 20 20:33:09 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1:4500 #1: Quick
Mode I1 message is unacceptable because it uses a previously used Message ID
0x12cfffe3 (perhaps this is a duplicated packet)
I don't know why, and I am confused about:
cannot respond to IPsec SA request because no connection is known for
200.200.200.200/32===192.168.20.254:4500:17/1701...203.1.1.1:4500[@ctl.saigo
nctt.com]:17/1701===3238890626
WHY is 200.200.200.200/32 in front of 192.168.20.254:4500:17/1701 ???
I HAVE TO ADD NAT-TRAVERSAL TO BOTH FREESWAN AND WINDOWS XP (Patch 818043)
Please help me, I have spent a week searching the Internet but found nothing.
Thank you in advance
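The "no connection is known for" line is pluto's print-out of the connection it tried to build from the peer's Quick Mode proposal, in the form left-client===left-host...right-host[id]===right-client. The 200.200.200.200/32 in front of 192.168.20.254 is therefore the responder identity the XP client sent (the public address it dialled), not something pluto found in ipsec.conf, and no conn has a left end matching it because left= resolved to the private address 192.168.20.254. As an added example (not FreeS/WAN code and not from the poster), the Python below parses an ipsec.conf in the poster's layout with %default inheritance, parses the two relevant pluto log lines, and reports the mismatch between the requested local end and the conn's left=. The sample config and log lines are constructed from the post (left= is written as the address %defaultroute resolved to in ipsec auto --status, and the wrapped log lines are rejoined); parse_ipsec_conf, resolve_conn, parse_log and diagnose are names chosen here.

```python
"""Explain pluto's "no connection is known for ..." by comparing the
Quick Mode request against the conn in ipsec.conf (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the poster's conn, with left= written as the address
# that %defaultroute resolved to in `ipsec auto --status`.
SAMPLE_CONF = """\
config setup
\tinterfaces=%defaultroute
\tnat_traversal=yes
conn %default
\tkeyingtries=1
\tauthby=rsasig
conn W2KXP
\ttype=tunnel
\tauthby=secret
\tleft=192.168.20.254
\tleftprotoport=17/1701
\tright=%any
\trightprotoport=17/1701
\tauto=add
"""

# Constructed sample: the two pluto lines that matter, rejoined onto one
# line each (syslog writes them unwrapped; the mail client wrapped them).
SAMPLE_LOG = [
    'Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[1] 203.1.1.1 #1: '
    'NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed',
    'Sep 20 20:33:08 blackbox pluto[21024]: "W2KXP"[2] 203.1.1.1:4500 #1: cannot '
    'respond to IPsec SA request because no connection is known for '
    '200.200.200.200/32===192.168.20.254:4500:17/1701...203.1.1.1:4500'
    '[@ctl.saigonctt.com]:17/1701===3238890626',
]

# left-client===left-host[:port]:proto/port...right-host[:port][id]:proto/port===right-client
SA_REQUEST = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] .*?no connection is known for '
    r"(?P<lclient>\S+?)===(?P<lhost>[\d.]+)(?::(?P<lport>\d+))?:(?P<lpp>\d+/\d+)"
    r"\.\.\.(?P<rhost>[\d.]+)(?::(?P<rport>\d+))?\[(?P<rid>[^\]]*)\]:(?P<rpp>\d+/\d+)"
    r"===(?P<rclient>\S+)"
)
NAT_RESULT = re.compile(r"NAT-Traversal: Result using \S+: (?P<result>.+)$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}. Section headers ('config setup',
    'conn NAME') are unindented; parameter lines must be indented."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # a section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name}".strip(), {})
            continue
        key, sep, value = line.strip().partition("=")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Apply 'conn %default' values underneath the named conn's own."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get(f"conn {name}", {}))
    return merged


def parse_log(lines: List[str]) -> Dict[str, object]:
    """Pick out the NAT-T result and the rejected SA request, if present."""
    found: Dict[str, object] = {"nat_result": None, "sa_request": None}
    for line in lines:
        m = NAT_RESULT.search(line)
        if m:
            found["nat_result"] = m.group("result")
        m = SA_REQUEST.search(line)
        if m:
            found["sa_request"] = m.groupdict()
    return found


def diagnose(conn: Dict[str, str], sa: Dict[str, str]) -> str:
    """Compare the local end the peer asked for with the conn's left side."""
    asked = sa["lclient"].split("/")[0]
    left = conn.get("left", "")
    subnet = conn.get("leftsubnet")
    if subnet and subnet.split("/")[0] == asked:
        return f"leftsubnet {subnet} covers the requested end {sa['lclient']}"
    if asked == left:
        return "left end matches the request; compare the protoports next"
    return (f"peer {sa['rhost']} ({sa['rid']}) asked for our end as {sa['lclient']}, "
            f"but conn {sa['conn']} has left={left} and no leftsubnet covering it; "
            f"the peer named an address other than the one pluto listens on, "
            f"which is what a NAT in front of left produces")


if __name__ == "__main__":
    conn = resolve_conn(parse_ipsec_conf(SAMPLE_CONF), "W2KXP")
    found = parse_log(SAMPLE_LOG)
    print("NAT-T:", found["nat_result"])
    print(diagnose(conn, found["sa_request"]))
```

Run it against the real /var/log/secure after joining each wrapped pluto message back onto a single line; the diagnosis only distinguishes the three cases the post's status output makes visible (left matches, leftsubnet covers the request, or neither).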