[Users] Nat-t, winxp, certs and PSK

From: Philipp Snizek <psnizek(at)seaan.net>
Date: Fri Feb 27 2004 - 02:42:46 EST


Hi

Notebook is WinXP, fully patched. When using PSK, NAT-T works perfectly. When using certs, the SA isn't established. If there is no NAT, the cert works perfectly and the SA is established. The same cert on a Linux road warrior works for both, NAT and no NAT.

Log on gateway when there is NAT in between:

Feb 26 18:46:15 jerk pluto[9349]: packet from 213.200.254.138:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 26 18:46:15 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138 #2867: responding to Main Mode from unknown peer 213.200.254.138
Feb 26 18:47:19 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138 #2867: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Feb 26 18:47:25 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138 #2867: max number of retransmissions (2) reached STATE_MAIN_R2
Feb 26 18:47:25 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138: deleting connection "psnizek3" instance with peer 213.200.254.138
Feb 26 18:48:00 jerk pluto[9349]: packet from 213.200.254.138:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 26 18:48:00 jerk pluto[9349]: "psnizek3"[58] 213.200.254.138 #2868: responding to Main Mode from unknown peer 213.200.254.138
Feb 26 18:48:00 jerk pluto[9349]: packet from 213.200.254.138:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 26 18:48:00 jerk pluto[9349]: "psnizek3"[58] 213.200.254.138 #2869: responding to Main Mode from unknown peer 213.200.254.138
Feb 26 18:48:48 jerk pluto[9349]: packet from 213.200.246.227:500: Informational Exchange is for an unknown (expired?) SA
Feb 26 18:49:03 jerk pluto[9349]: "psnizek3"[58] 213.200.254.138 #2868: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Feb 26 18:49:10 jerk pluto[9349]: "psnizek3"[58] 213.200.254.138 #2868: max number of retransmissions (2) reached STATE_MAIN_R2
Feb 26 18:49:10 jerk pluto[9349]: "psnizek3"[58] 213.200.254.138 #2869: max number of retransmissions (2) reached STATE_MAIN_R1

Log on gateway when there is no NAT in between:

Feb 27 08:22:15 jerk pluto[9349]: packet from 213.200.246.234:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: responding to Main Mode from unknown peer 213.200.246.234
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, ST=Aargau, O=seaan.net ag, CN=grisedale.seaan.net'
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: Issuer CRL not found
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: Issuer CRL not found
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: sent MR3, ISAKMP SA established
Feb 27 08:22:15 jerk pluto[9349]: "psnizek0"[3] 213.200.246.234 #3333: responding to Quick Mode
Feb 27 08:22:16 jerk pluto[9349]: "psnizek0"[3] 213.200.246.234 #3333: IPsec SA established

Notebook config:

conn seaan

	left=%any
	right=213.200.246.230
	rightsubnet=192.168.20.0/255.255.255.0
	rightca="C=CH,ST=Aargau,L=Reinach,O=seaan.net ag,CN=mx.seaan.net"
	network=auto
	authmode=sha1
	auto=start
	pfs=yes

Gateway config:

conn psnizek0

        authby=rsasig
        auth=esp
        type=tunnel
        keyexchange=ike
        pfs=yes
        leftsubnet=192.168.20.0/24
        left=213.200.246.230
        leftcert=mx.seaan.net.cert.pem
        leftid="C=CH, ST=Aargau, O=seaan.net ag, CN=mx.seaan.net"
        leftnexthop=213.200.246.225
        right=%any
        rightcert=grisedale.seaan.net.cert
        rightid="C=CH, ST=Aargau, O=seaan.net ag, CN=grisedale.seaan.net"
        rightnexthop=
        auto=add

conn psnizek3
        authby=rsasig
        auth=esp
        type=tunnel
        keyexchange=ike
        pfs=yes
        leftsubnet=192.168.20.0/24
        left=213.200.246.230
        leftcert=mx.seaan.net.cert.pem
        leftid="C=CH, ST=Aargau, O=seaan.net ag, CN=mx.seaan.net"
        leftnexthop=213.200.246.225
        right=%any
        rightsubnetwithin=192.168.0.0/16
        rightcert=grisedale.seaan.net.cert
        rightid="C=CH, ST=Aargau, O=seaan.net ag, CN=grisedale.seaan.net"
        rightnexthop=
        auto=add

Is there something I forgot to configure on the XP box regarding NAT-T? Thank you very much.

Regards
Philipp
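The two gateway logs above differ in one observable way: behind NAT the responder never logs a "Main mode peer ID" line and each ISAKMP SA dies with "max number of retransmissions ... reached STATE_MAIN_R2" (the responder has sent MR2 and is still waiting for the initiator's first encrypted message, which with certificate authentication carries the identity and certificate), while without NAT the peer ID is logged and both the ISAKMP and the IPsec SA come up. The following is an added example, not code from the post or from FreeS/WAN, that turns that observation into a small checker over pluto log lines: it groups lines by ISAKMP state number and reports, per SA, whether it established, stalled in a Main Mode state, and whether a peer ID was ever received. The sample log is constructed from the lines quoted in the post, re-joined into one record per line; the line format assumed is exactly the one shown above, and the outcome labels are this example's own.

```python
import re

# Constructed sample: the pluto lines quoted in the post, one record per line.
# Lines without a "conn"[instance] peer #state: tag (vendor-ID notices,
# "deleting connection") carry no SA state and are skipped by the parser.
SAMPLE_LOG = """\
Feb 26 18:46:15 jerk pluto[9349]: packet from 213.200.254.138:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 26 18:46:15 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138 #2867: responding to Main Mode from unknown peer 213.200.254.138
Feb 26 18:47:19 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138 #2867: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Feb 26 18:47:25 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138 #2867: max number of retransmissions (2) reached STATE_MAIN_R2
Feb 26 18:47:25 jerk pluto[9349]: "psnizek3"[57] 213.200.254.138: deleting connection "psnizek3" instance with peer 213.200.254.138
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: responding to Main Mode from unknown peer 213.200.246.234
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, ST=Aargau, O=seaan.net ag, CN=grisedale.seaan.net'
Feb 27 08:22:15 jerk pluto[9349]: "psnizek3"[71] 213.200.246.234 #3332: sent MR3, ISAKMP SA established
Feb 27 08:22:15 jerk pluto[9349]: "psnizek0"[3] 213.200.246.234 #3333: responding to Quick Mode
Feb 27 08:22:16 jerk pluto[9349]: "psnizek0"[3] 213.200.246.234 #3333: IPsec SA established
"""

# Matches the per-SA pluto line shape seen in the post:
#   <syslog ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$'
)

# Retransmission-exhaustion message; the captured state tells where IKE got stuck.
STALL_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")


def parse_pluto_log(text):
    """Group pluto messages by ISAKMP state number.

    Returns {state_no: {"conn": str, "peer": str, "events": [msg, ...]}}.
    """
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no SA tag on this line, nothing to attribute it to
        rec = sas.setdefault(int(m["state"]),
                             {"conn": m["conn"], "peer": m["peer"], "events": []})
        rec["events"].append(m["msg"])
    return sas


def classify_sa(events):
    """Label one SA from its message sequence (labels are this example's own)."""
    if any("IPsec SA established" in ev for ev in events):
        return "ipsec_established"
    if any("ISAKMP SA established" in ev for ev in events):
        return "isakmp_established"
    for ev in events:
        m = STALL_RE.search(ev)
        if m:
            return "stalled_at_" + m.group(1)
    return "incomplete"


def peer_id_seen(events):
    """True if the responder ever decrypted the initiator's ID payload."""
    return any(ev.startswith("Main mode peer ID is") for ev in events)


def summarize(text):
    """Per-SA summary: connection, peer, outcome label, and whether an ID arrived."""
    return {
        state: {
            "conn": rec["conn"],
            "peer": rec["peer"],
            "outcome": classify_sa(rec["events"]),
            "peer_id_seen": peer_id_seen(rec["events"]),
        }
        for state, rec in sorted(parse_pluto_log(text).items())
    }


if __name__ == "__main__":
    for state, info in summarize(SAMPLE_LOG).items():
        flag = "" if info["peer_id_seen"] else "  (no peer ID ever received)"
        print(f"#{state} {info['conn']} {info['peer']}: {info['outcome']}{flag}")
```

Run against a live /var/log/secure (or wherever pluto logs) the same way, by passing the file contents to summarize(); an SA that ends in stalled_at_STATE_MAIN_R2 with peer_id_seen false is the pattern from the NAT case above, an SA that reaches isakmp_established with a peer ID logged is the pattern from the no-NAT case. The check only classifies what pluto logged; it does not decide why the initiator's message never arrived.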



FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Fri Feb 27 02:49:22 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:06 EDT

