Discussion:
OpenSwan Connections from Public IP address
Mark Wilson
2011-08-07 09:22:40 UTC
I've recently set up OpenSwan on a KVM VPS running Ubuntu Server 11.04.
I'm using OpenSwan with PSK so that I can create a VPN with the built-in
software on iOS devices.

I have got this to work with NAT-T on an internal network; however, if I
am using a public IP (non-NAT'd), e.g. a Vodafone 3G connection, the IPsec
connection is rejected.
Tailing the /var/log/auth.log file while connecting shows:

Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: received
Vendor ID payload [RFC 3947] method set to=109
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: ignoring
unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: ignoring
unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: ignoring
unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: ignoring
unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: ignoring
unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 110
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 110
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 110
Aug 7 04:18:56 vps1 pluto[951]: packet from 27.252.7.28:500: received
Vendor ID payload [Dead Peer Detection]
Aug 7 04:18:56 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
responding to Main Mode from unknown peer 27.252.7.28
Aug 7 04:18:56 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 04:18:56 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 04:18:57 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
detected
Aug 7 04:18:57 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 7 04:18:57 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
STATE_MAIN_R2: sent MR2, expecting MI3
Aug 7 04:19:00 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
discarding duplicate packet; already STATE_MAIN_R2
Aug 7 04:19:08 vps1 pluto[951]: last message repeated 2 times
Aug 7 04:19:08 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug 7 04:19:08 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
Main mode peer ID is ID_IPV4_ADDR: '27.252.7.28'
Aug 7 04:19:08 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 7 04:19:08 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: new
NAT mapping for #39, was 27.252.7.28:500, now 27.252.7.28:4500
Aug 7 04:19:08 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug 7 04:19:09 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/0
Aug 7 04:19:09 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #40:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:09 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #40:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:12 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:12 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #41:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:12 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #41:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:14 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:14 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #42:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:14 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #42:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:18 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:18 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #43:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:18 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #43:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:24 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:24 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #44:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:24 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #44:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:27 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:27 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #45:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:27 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #45:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:30 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:30 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #46:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:30 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #46:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:33 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:33 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #47:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:33 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #47:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:38 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: the
peer proposed: 216.180.131.23/32:17/1701 -> 27.252.7.28/32:17/55315
Aug 7 04:19:38 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #48:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
is detected
Aug 7 04:19:38 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #48:
sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:39 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39:
received Delete SA payload: deleting ISAKMP State #39
Aug 7 04:19:39 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28:
deleting connection "L2TP-PSK-NAT" instance with peer 27.252.7.28
{isakmp=#0/ipsec=#0}
Aug 7 04:19:39 vps1 pluto[951]: packet from 27.252.7.28:4500: received
and ignored informational message

Has anyone come across this before, or successfully set up OpenSwan with a
public (non-NAT'd) IP?

Cheers
Mark

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
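A small log-triage script, added here and not part of Mark's post or of Openswan itself, that reads pluto lines like the ones quoted above and reports the mismatch they show: Phase 1 completed with "no NAT detected", yet every Quick Mode proposal from the client asked for UDP-encapsulated transport mode and was answered with BAD_PROPOSAL_SYNTAX. The embedded sample is an abridged copy of the posted log; the forceencaps hint in the verdict refers to Openswan's ipsec.conf connection option forceencaps=yes, which makes pluto accept RFC 3948 encapsulation even when its NAT detection saw no NAT.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the auth.log lines quoted in the post.
SAMPLE_LOG = """\
Aug 7 04:18:57 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Aug 7 04:19:08 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug 7 04:19:09 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #40: ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal is detected
Aug 7 04:19:09 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #40: sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:12 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #41: ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal is detected
Aug 7 04:19:12 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #41: sending encrypted notification BAD_PROPOSAL_SYNTAX to 27.252.7.28:4500
Aug 7 04:19:39 vps1 pluto[951]: "L2TP-PSK-NAT"[11] 27.252.7.28 #39: received Delete SA payload: deleting ISAKMP State #39
"""

# One pluto line: connection name, instance, peer address, optional state number, message.
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #(?P<state>\d+))?: (?P<msg>.*)$')

def diagnose(log_text):
    """Summarise, per peer, what pluto decided about NAT and how it answered Quick Mode."""
    peers = defaultdict(lambda: {"conn": None, "nat_detected": None, "isakmp_established": False,
                                 "udp_transport_rejected": 0, "bad_proposal_sent": 0})
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # vendor-ID chatter and syslog "repeated" markers carry no per-peer state
        p, msg = peers[m["peer"]], m["msg"]
        p["conn"] = m["conn"]
        if msg.startswith("NAT-Traversal: Result"):
            p["nat_detected"] = "no NAT detected" not in msg
        elif "ISAKMP SA established" in msg:
            p["isakmp_established"] = True
        elif "ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used" in msg:
            p["udp_transport_rejected"] += 1
        elif "BAD_PROPOSAL_SYNTAX" in msg:
            p["bad_proposal_sent"] += 1
    return dict(peers)

def explain(summary):
    """One verdict line per peer: was the failure the NAT-T/encapsulation mismatch?"""
    verdicts = []
    for peer, s in summary.items():
        if s["isakmp_established"] and s["nat_detected"] is False and s["udp_transport_rejected"]:
            verdicts.append(f"{peer}: Phase 1 succeeded with no NAT detected, but the client asked "
                            f"for UDP-encapsulated transport {s['udp_transport_rejected']} times and "
                            f"was refused; forceencaps=yes on conn {s['conn']} makes pluto accept it.")
        else:
            verdicts.append(f"{peer}: no NAT-T encapsulation mismatch found")
    return verdicts
```

Run `print("\n".join(explain(diagnose(open("/var/log/auth.log").read()))))` against a live log to get one verdict per peer.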
