Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: lists.freeswan.org > users > 04 > 043574.html (Request Expert lists.freeswan.org Support)

[Users] Still problems with NAT-T

From: Jon Earle <je_fsw(at)kronos.honk.org>
Date: Wed Apr 14 2004 - 13:31:03 EDT


Hello!

Still having trouble getting a Win2k client on the VPN. Sorry for the longish post!

The setup is as follows:

Linux Firewall / VPN Gateway

|

Internet

|

Linksys BEFSX41 NAT / router

|

Win2k Pro

Notes:

  1. Linux machine running kernel 2.4.25, strongSwan 2.0.2 (with Modular ALGO support disabled - the kernel was not built with module support).
  2. Linksys firmware is 1.46(.5 I think) from last Oct. Newer than what's on the website.)
  3. Win2k Pro is running all of the latest updates, including the 818043 update. Also, Marcus' ipsec.exe tool (v2.2.0). The Windows config (two tunnels created - the first to the private network, the second to a remote network accessible only from the corporate site) included in [1], below.
  4. The Win2k box can connect without issue if the Linksys is taken out of the picture. See [2] below.
Do you need help?X

Barf is at http://kronos.honk.org/~earlej/files/barf.txt Oakley is at http://kronos.honk.org/~earlej/files/oakley.txt

Watching logs and such while the connection attempt is made, show:

root@jumpgate:~> tail -f /var/log/auth.log ...

Apr 14 12:27:11 jumpgate pluto[4344]: packet from 68.xxx.xxx.86:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002] Apr 14 12:27:11 jumpgate pluto[4344]: packet from 68.xxx.xxx.86:500: ignoring Vendor ID payload [FRAGMENTATION] Apr 14 12:27:11 jumpgate pluto[4344]: packet from 68.xxx.xxx.86:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] Apr 14 12:27:11 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: responding to Main Mode from unknown peer 68.xxx.xxx.86 Apr 14 12:27:11 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed

Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: next payload type of ISAKMP Hash Payload has an unknown value: 247 Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: malformed payload in packet
Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: sending encrypted notification PAYLOAD_MALFORMED to 68.xxx.xxx.86:500 Apr 14 12:28:21 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: max number of retransmissions (2) reached STATE_MAIN_R2 Apr 14 12:28:21 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86: deleting connection "rw_net-fl" instance with peer 68.xxx.xxx.86 {isakmp=#0/ipsec=#0}

root@jumpgate:~> tcpdump -ni eth1 host 68.xxx.xxx.86 tcpdump: listening on eth1 

12:27:11.314132 68.xxx.xxx.86.500 > 207.xxx.xxx.38.500: isakmp: phase 1 I
ident: [|sa]
12:27:11.314818 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R
ident: [|sa] (DF)
12:27:11.541996 68.xxx.xxx.86.500 > 207.xxx.xxx.38.500: isakmp: phase 1 I
ident: [|ke]
12:27:11.558759 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R
ident: [|ke] (DF)
12:27:21.553138 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R
ident: [|ke] (DF)
12:27:41.553139 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R
ident: [|ke] (DF)
12:28:15.191124 68.xxx.xxx.86.4500 > 207.xxx.xxx.38.4500:  udp 88
12:28:15.191637 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase
2/others R inf[E]: [|hash] (DF)

The pressure from above is on to get this working... might have to resort to PSK or removal of the FreeS/WAN box (replacement w/ Linksys router) if I can't make it work!

Any help you might offer would be appreciated!

Do you need more help?X

Cheers!
Jon

[1]

conn rw 

	right=207.xxx.xxx.38
	rightsubnet=192.168.0.0/24
	rightca="C=CA, S=Ontario, L=Ottawa, O=The Coolest Corporation,
OU=IT Department, CN=Coolest CA, E=sysadmin@mydomain.com"
	left=%any
	network=auto
	auto=start
	pfs=yes

conn fl
	right=207.xxx.xxx.38
	rightsubnet=69.xxx.xxx.0/24
	rightca="C=CA, S=Ontario, L=Ottawa, O=The Coolest Corporation,
OU=IT Department, CN=Coolest CA, E=sysadmin@mydomain.com"
	left=%any
	network=auto
	auto=start
	pfs=yes

[2]

root@jumpgate:~> tail -f /var/log/auth.log Apr 14 13:11:06 jumpgate pluto[4751]: packet from 68.xxx.xxx.5:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002] Apr 14 13:11:06 jumpgate pluto[4751]: packet from 68.xxx.xxx.5:500: ignoring Vendor ID payload [FRAGMENTATION] Apr 14 13:11:06 jumpgate pluto[4751]: packet from 68.xxx.xxx.5:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] Apr 14 13:11:06 jumpgate pluto[4751]: "rw_net-fl"[2] 68.xxx.xxx.5 #2: responding to Main Mode from unknown peer 68.xxx.xxx.5 Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[2] 68.xxx.xxx.5 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[2] 68.xxx.xxx.5 #2: Peer ID is ID_DER_ASN1_DN: ...
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[3] 68.xxx.xxx.5 #2: deleting connection "rw_net-fl" instance with peer 68.xxx.xxx.5 {isakmp=#0/ipsec=#0}
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[3] 68.xxx.xxx.5 #2: sent MR3, ISAKMP SA established
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_host"[1] 68.xxx.xxx.5 #3: responding to Quick Mode
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_host"[1] 68.xxx.xxx.5 #3: IPsec SA established {ESP=>0x484af362 <0x20ea5dc8} 

-- 
Jon Earle
Software Developer / Network Manager
Specializing in Open Source Software Solutions
http://kronos.honk.org/~earlej/
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
Received on Wed Apr 14 13:45:03 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:32 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library