Hi Reza,

the problem is the following:

cannot respond to IPsec SA request because no connection is known for
217.128.239.224/32===192.168.1.116:4500
  [C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique,
   CN=vpn.olympecti.fr, e=cont...@olympecti.fr]
:17/%any
...
82.229.55.165:4500
  [C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique,
   CN=Reza ISSANY, e=issa...@olympecti.fr]
:17/%any

Because you have NAT in between

NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
               both are NATed

217.128.239.224 gets translated to 192.168.1.166 due to a Destination
NAT rule.

Therefore you must define

left=%defaultroute             (will take on the address 192.168.1.166)
leftsubnet=217.128.239.224/32

Best regards

Andreas

Reza ISSANY wrote:
> Hello, 
> 
> Please forgive me for my bad English. 
> 
> I have trouble getting my IPsec + xl2tpd NATed VPN working. My architecture is: 
> 
> VPN box: 192.168.1.116/24 
> Left gateway: 192.168.1.1/24 
> Left public address: 217.128.239.224 
> 
> I'm testing from: 
> 
> Right public address: 82.229.55.165 
> Right gateway: 192.168.7.7/24 
> Right Win XP: 192.168.7.1/24 
> 
> Both are NATed. When I try to initiate the connection from XP (I'm using a 
> certificate imported into XP), I get these logs: 
> 
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: 
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: 
> ignoring Vendor ID payload [FRAGMENTATION] 
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: 
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: 
> ignoring Vendor ID payload [Vid-Initial-Contact] 
> May 1 16:58:06 integration pluto[24092]: "rw"[1] 82.229.55.165 #1: responding 
> to Main Mode from unknown peer 82.229.55.165 
> May 1 16:58:06 integration pluto[24092]: "rw"[1] 82.229.55.165 #1: 
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed 
> May 1 16:58:06 integration pluto[24092]: "rw"[1] 82.229.55.165 #1: Peer ID is 
> ID_DER_ASN1_DN: 'C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, 
> CN=Reza ISSANY, e=issa...@olympecti.fr' 
> May 1 16:58:06 integration pluto[24092]: "rw"[2] 82.229.55.165 #1: deleting 
> connection "rw" instance with peer 82.229.55.165 {isakmp=#0/ipsec=#0} 
> May 1 16:58:06 integration pluto[24092]: "rw"[2] 82.229.55.165 #1: we have a 
> cert and are sending it upon request 
> May 1 16:58:06 integration pluto[24092]: | NAT-T: new mapping 
> 82.229.55.165:500/4500) 
> May 1 16:58:06 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: sent 
> MR3, ISAKMP SA established 
> May 1 16:58:07 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: 
> cannot respond to IPsec SA request because no connection is known for 
> 217.128.239.224/32===192.168.1.116:4500[C=FR, ST=France, O=Olympe CTI, 
> OU=Ingenierie informatique, CN=vpn.olympecti.fr, 
> e=cont...@olympecti.fr]:17/%any...82.229.55.165:4500[C=FR, ST=France, 
> O=Olympe CTI, OU=Ingenierie informatique, CN=Reza ISSANY, 
> e=issa...@olympecti.fr]:17/%any 
> May 1 16:58:07 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: 
> sending encrypted notification INVALID_ID_INFORMATION to 82.229.55.165:4500 
> May 1 16:58:08 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick 
> Mode I1 message is unacceptable because it uses a previously used Message ID 
> 0x5a047898 (perhaps this is a duplicated packet) 
> May 1 16:58:08 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: 
> sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500 
> May 1 16:58:10 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick 
> Mode I1 message is unacceptable because it uses a previously used Message ID 
> 0x5a047898 (perhaps this is a duplicated packet) 
> May 1 16:58:10 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: 
> sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500 
> May 1 16:58:14 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick 
> Mode I1 message is unacceptable because it uses a previously used Message ID 
> 0x5a047898 (perhaps this is a duplicated packet) 
> May 1 16:58:14 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: 
> sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500 
> May 1 16:58:22 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick 
> Mode I1 message is unacceptable because it uses a previously used Message ID 
> 0x5a047898 (perhaps this is a duplicated packet) 
> May 1 16:58:22 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: 
> sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500 
> 
>>> ipsec.conf : 
> 
> config setup 
> plutodebug=none 
> # crlcheckinterval=600 
> # strictcrlpolicy=yes 
> # cachecrls=yes 
> nat_traversal=yes 
> # charonstart=no 
> # plutostart=no 
> 
> # Add connections here. 
> 
> conn %default 
> ikelifetime=60m 
> keylife=20m 
> rekeymargin=3m 
> keyingtries=1 
> 
> conn rw 
> authby=rsasig 
> leftrsasigkey=%cert 
> leftcert=vpn.olympecti.fr.pem 
> #left=217.128.239.224 
> left=%defaultroute 
> #left=192.168.1.116 
> #leftnexthop=192.168.1.1 
> #leftnexthop=%defaultroute 
> leftsubnet=192.168.1.0/24 
> leftprotoport=17/%any 
> right=%any 
> rightrsasigkey=%cert 
> rightprotoport=17/%any 
> rightca=%same 
> keyingtries=3 
> pfs=no 
> type=transport 
> auto=add 
> 
> conn block 
> auto=ignore 
> 
> conn clear 
> auto=ignore 
> 
> conn private 
> auto=ignore 
> 
> conn private-or-clear 
> auto=ignore 
> 
> conn clear-or-private 
> auto=ignore 
> 
> conn packetdefault 
> auto=ignore 
> 
>>> xl2tpd.conf : 
> 
> [global] 
> listen-addr = 192.168.1.116 
> debug tunnel = yes 
> 
> [lns default] 
> ip range = 192.168.1.99-192.168.1.101 
> local ip = 192.168.1.99 
> require chap = yes 
> refuse pap = yes 
> require authentication = yes 
> name = LinuxVPNserver 
> ppp debug = yes 
> pppoptfile = /etc/ppp/options.xl2tpd 
> length bit = yes 
> 
> Thanks in advance for your help. 
> 
> 
> --- 
> Reza ISSANY 
> Systems Engineer 
> ZA Les Playes - Jean Monnet Sud 
> Avenue de Lisbonne 
> 83500 La Seyne sur Mer 
> E-mail: cont...@olympecti.fr 

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
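To see why pluto rejects the Quick Mode request with the quoted ipsec.conf but would accept it after Andreas's two-line change, here is an added Python script (not from the thread and not strongSwan's own code) that parses the selector pluto printed in the "no connection is known for" line and applies a simplified model of the responder's connection lookup. The exact-match rule for the client subnets and the assumption that %defaultroute resolves to 192.168.1.116 are the script's own, not the daemon's documented logic.

```python
import ipaddress
import re

# Constructed from the pluto log line quoted in the thread; the DN payloads
# in [...] are shortened here and are stripped before parsing anyway.
PLUTO_MSG = ("217.128.239.224/32===192.168.1.116:4500[CN=vpn.olympecti.fr]"
             ":17/%any...82.229.55.165:4500[CN=Reza ISSANY]:17/%any")

def parse_end(text):
    """'[client===]host:natport:proto/port' -> (client_net, host, proto, port)."""
    client, sep, rest = text.partition("===")
    if not sep:                                  # no client given: host itself
        client, rest = None, text
    host, _, rest = rest.partition(":")          # e.g. 192.168.1.116:4500:17/%any
    _natport, _, protoport = rest.partition(":")
    proto, _, port = protoport.partition("/")
    net = ipaddress.ip_network(client or host + "/32")
    return net, host, int(proto), port

def parse_sa_request(msg):
    """Split pluto's 'ours...theirs' selector into its two ends."""
    msg = re.sub(r"\[[^\]]*\]", "", msg)         # drop the [ID] payloads first
    ours, theirs = msg.split("...")
    return parse_end(ours), parse_end(theirs)

def conn_matches(conn, request):
    """Simplified responder rule (assumption): the requested client on each
    side must equal the conn's (sub)net for that side, right may be %any,
    and the proto/port pairs must agree."""
    (our_net, _, proto, port), (peer_net, peer_host, pproto, pport) = request
    left_net = ipaddress.ip_network(conn.get("leftsubnet") or conn["left"] + "/32")
    right_net = ipaddress.ip_network(conn.get("rightsubnet") or peer_host + "/32")
    peer_ok = conn["right"] in ("%any", peer_host)
    return (our_net == left_net and peer_net == right_net and peer_ok
            and f"{proto}/{port}" == conn["leftprotoport"]
            and f"{pproto}/{pport}" == conn["rightprotoport"])

# Reza's conn rw; %defaultroute is assumed to resolve to the box's LAN address.
ORIGINAL_CONN = {"left": "192.168.1.116", "leftsubnet": "192.168.1.0/24",
                 "leftprotoport": "17/%any", "right": "%any",
                 "rightprotoport": "17/%any"}
# Andreas's fix: the client is the public address that DNAT maps onto the box.
FIXED_CONN = dict(ORIGINAL_CONN, leftsubnet="217.128.239.224/32")

def diagnose(conn, msg=PLUTO_MSG):
    """True if this conn would be found for the quoted IPsec SA request."""
    return conn_matches(conn, parse_sa_request(msg))
```

Running diagnose() on both dictionaries shows the 192.168.1.0/24 leftsubnet never equals the 217.128.239.224/32 client the XP side proposes, which is exactly the lookup failure behind the INVALID_ID_INFORMATION notification.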