From: Juan Ibarra <juan(at)teltian.net>
Date: Wed Apr 14 2004 - 14:05:41 EDT


Regarding 4., you get the same result if you disable NAT on the router, right? Same problem I have here for the same configuration on both sides, except that my router is a Linksys BEFW11S4. :-(

Sorry I couldn't help you.

J-

-----Original Message-----
From: users-owner@mj2.freeswan.org
[mailto:users-owner@mj2.freeswan.org]On Behalf Of Jon Earle
Sent: Wednesday, April 14, 2004 11:31 AM
To: users@mj2.freeswan.org; users@lists.strongswan.org
Subject: [SPAM] [Users] Still problems with NAT-T

Hello!

Still having trouble getting a Win2k client on the VPN. Sorry for the longish post!

The setup is as follows:

Linux Firewall / VPN Gateway
    |
Internet
    |
Linksys BEFSX41 NAT / router
    |
Win2k Pro

Notes:

  1. Linux machine running kernel 2.4.25, strongSwan 2.0.2 (with Modular ALGO support disabled - the kernel was not built with module support).
  2. Linksys firmware is 1.46 (.5, I think) from last Oct. (Newer than what's on the website.)
  3. Win2k Pro is running all of the latest updates, including the 818043 update. Also, Marcus' ipsec.exe tool (v2.2.0). The Windows config (two tunnels created - the first to the private network, the second to a remote network accessible only from the corporate site) included in [1], below.
  4. The Win2k box can connect without issue if the Linksys is taken out of the picture. See [2] below.

Barf is at http://kronos.honk.org/~earlej/files/barf.txt
Oakley is at http://kronos.honk.org/~earlej/files/oakley.txt

Watching logs and such while the connection attempt is made shows:

root@jumpgate:~> tail -f /var/log/auth.log
...
Apr 14 12:27:11 jumpgate pluto[4344]: packet from 68.xxx.xxx.86:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Apr 14 12:27:11 jumpgate pluto[4344]: packet from 68.xxx.xxx.86:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 14 12:27:11 jumpgate pluto[4344]: packet from 68.xxx.xxx.86:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 14 12:27:11 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: responding to Main Mode from unknown peer 68.xxx.xxx.86
Apr 14 12:27:11 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: next payload type of ISAKMP Hash Payload has an unknown value: 247
Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: malformed payload in packet
Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: sending encrypted notification PAYLOAD_MALFORMED to 68.xxx.xxx.86:500
Apr 14 12:28:21 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 14 12:28:21 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86: deleting connection "rw_net-fl" instance with peer 68.xxx.xxx.86 {isakmp=#0/ipsec=#0}

root@jumpgate:~> tcpdump -ni eth1 host 68.xxx.xxx.86
tcpdump: listening on eth1

12:27:11.314132 68.xxx.xxx.86.500 > 207.xxx.xxx.38.500: isakmp: phase 1 I ident: [|sa]
12:27:11.314818 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R ident: [|sa] (DF)
12:27:11.541996 68.xxx.xxx.86.500 > 207.xxx.xxx.38.500: isakmp: phase 1 I ident: [|ke]
12:27:11.558759 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R ident: [|ke] (DF)
12:27:21.553138 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R ident: [|ke] (DF)
12:27:41.553139 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R ident: [|ke] (DF)
12:28:15.191124 68.xxx.xxx.86.4500 > 207.xxx.xxx.38.4500:  udp 88
12:28:15.191637 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 2/others R inf[E]: [|hash] (DF)

The pressure from above is on to get this working... might have to resort to PSK or removal of the FreeS/WAN box (replacement w/ Linksys router) if I can't make it work!

Any help you might offer would be appreciated!

Cheers!
Jon

[1]

conn rw
	right=207.xxx.xxx.38
	rightsubnet=192.168.0.0/24
	rightca="C=CA, S=Ontario, L=Ottawa, O=The Coolest Corporation, OU=IT Department, CN=Coolest CA, E=sysadmin@mydomain.com"
	left=%any
	network=auto
	auto=start
	pfs=yes

conn fl
	right=207.xxx.xxx.38
	rightsubnet=69.xxx.xxx.0/24
	rightca="C=CA, S=Ontario, L=Ottawa, O=The Coolest Corporation, OU=IT Department, CN=Coolest CA, E=sysadmin@mydomain.com"
	left=%any
	network=auto
	auto=start
	pfs=yes

[2]

root@jumpgate:~> tail -f /var/log/auth.log
Apr 14 13:11:06 jumpgate pluto[4751]: packet from 68.xxx.xxx.5:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Apr 14 13:11:06 jumpgate pluto[4751]: packet from 68.xxx.xxx.5:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 14 13:11:06 jumpgate pluto[4751]: packet from 68.xxx.xxx.5:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 14 13:11:06 jumpgate pluto[4751]: "rw_net-fl"[2] 68.xxx.xxx.5 #2: responding to Main Mode from unknown peer 68.xxx.xxx.5
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[2] 68.xxx.xxx.5 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[2] 68.xxx.xxx.5 #2: Peer ID is ID_DER_ASN1_DN: ...
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[3] 68.xxx.xxx.5 #2: deleting connection "rw_net-fl" instance with peer 68.xxx.xxx.5 {isakmp=#0/ipsec=#0}
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[3] 68.xxx.xxx.5 #2: sent MR3, ISAKMP SA established
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_host"[1] 68.xxx.xxx.5 #3: responding to Quick Mode
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_host"[1] 68.xxx.xxx.5 #3: IPsec SA established {ESP=>0x484af362 <0x20ea5dc8}

--
Jon Earle
Software Developer / Network Manager
Specializing in Open Source Software Solutions
http://kronos.honk.org/~earlej/
_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
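The two log excerpts and the tcpdump trace above are the kind of evidence an operator compares by hand when a NAT-T client fails: the NATed client ([1] case) gets a "peer is NATed" verdict, then dies on "malformed payload", while the un-NATed run ([2]) goes straight through to "IPsec SA established". The trace also shows the client moving to UDP 4500 after NAT detection while the gateway keeps answering from port 500. The script below is an added example, not code from the post, from FreeS/WAN or from strongSwan: it parses pluto auth.log lines into a per-peer summary and scans a tcpdump trace for that port-float mismatch. The sample lines are constructed from the post's own (masked, "xxx") addresses with the e-mail line-wrapping undone, and the gateway address passed to the checker is assumed from the trace.

```python
"""Triage helper for pluto (FreeS/WAN / strongSwan 2.x) auth.log lines and a
tcpdump trace of an IKE exchange. Added example; not part of the original post."""
import re
from collections import defaultdict

# Constructed sample: the post's own log lines, unwrapped, addresses left masked.
AUTH_LOG = """\
Apr 14 12:27:11 jumpgate pluto[4344]: packet from 68.xxx.xxx.86:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 14 12:27:11 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: responding to Main Mode from unknown peer 68.xxx.xxx.86
Apr 14 12:27:11 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: next payload type of ISAKMP Hash Payload has an unknown value: 247
Apr 14 12:28:15 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: malformed payload in packet
Apr 14 12:28:21 jumpgate pluto[4344]: "rw_net-fl"[2] 68.xxx.xxx.86 #2: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 14 13:11:06 jumpgate pluto[4751]: packet from 68.xxx.xxx.5:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[2] 68.xxx.xxx.5 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_net-fl"[3] 68.xxx.xxx.5 #2: sent MR3, ISAKMP SA established
Apr 14 13:11:07 jumpgate pluto[4751]: "rw_host"[1] 68.xxx.xxx.5 #3: IPsec SA established {ESP=>0x484af362 <0x20ea5dc8}
"""

# Constructed sample: the post's tcpdump lines with the "ident:" wraps rejoined.
TCPDUMP = """\
12:27:11.314132 68.xxx.xxx.86.500 > 207.xxx.xxx.38.500: isakmp: phase 1 I ident: [|sa]
12:27:11.314818 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R ident: [|sa] (DF)
12:27:41.553139 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 1 R ident: [|ke] (DF)
12:28:15.191124 68.xxx.xxx.86.4500 > 207.xxx.xxx.38.4500:  udp 88
12:28:15.191637 207.xxx.xxx.38.500 > 68.xxx.xxx.86.500: isakmp: phase 2/others R inf[E]: [|hash] (DF)
"""

# "packet from <peer>:<port>: <msg>" lines (pre-connection, e.g. Vendor ID handling)
PACKET_RE = re.compile(r'pluto\[\d+\]: packet from (?P<peer>[\w.]+):\d+: (?P<msg>.*)$')
# '"<conn>"[n] <peer> #<sa>: <msg>' lines (per-connection state machine messages)
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\w.]+)(?: #\d+)?: (?P<msg>.*)$')
NAT_RE = re.compile(r'NAT-Traversal: Result using \S+: (?P<result>.*)$')
# "<ts> <src>.<sport> > <dst>.<dport>: ..." (tcpdump -n output)
FLOW_RE = re.compile(r'^\S+ (?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+):')


def summarize_pluto(log):
    """Collapse pluto lines into one record per peer: NAT-T verdict and milestones."""
    peers = defaultdict(lambda: {"nat": None, "nat_t_vid": False, "isakmp_sa": False,
                                 "ipsec_sa": False, "bad_payload": False,
                                 "malformed": False, "retrans_exhausted": False})
    for line in log.splitlines():
        m = PACKET_RE.search(line)
        if m:
            if "nat-t" in m.group("msg").lower():      # peer advertised a NAT-T draft
                peers[m.group("peer")]["nat_t_vid"] = True
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        p, msg = peers[m.group("peer")], m.group("msg")
        nat = NAT_RE.search(msg)
        if nat:
            p["nat"] = nat.group("result")
        elif "has an unknown value" in msg:
            p["bad_payload"] = True
        elif "malformed payload" in msg:
            p["malformed"] = True
        elif "ISAKMP SA established" in msg:
            p["isakmp_sa"] = True
        elif "IPsec SA established" in msg:
            p["ipsec_sa"] = True
        elif "max number of retransmissions" in msg:
            p["retrans_exhausted"] = True
    return dict(peers)


def check_port_float(trace, gateway):
    """Return (peer, timestamp) pairs where a peer had already moved IKE to UDP 4500
    (NAT-T port float) but the gateway then answered from UDP 500; after the float
    both ends are expected to stay on 4500."""
    floated, mismatched = set(), []
    for line in trace.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m.group("src", "sport", "dst", "dport")
        if dst == gateway and dport == "4500":
            floated.add(src)
        elif src == gateway and sport == "500" and dst in floated:
            mismatched.append((dst, line.split()[0]))
    return mismatched


if __name__ == "__main__":
    for peer, rec in summarize_pluto(AUTH_LOG).items():
        print(peer, rec)
    # 207.xxx.xxx.38 is the gateway address as it appears in the trace (assumed).
    for peer, ts in check_port_float(TCPDUMP, "207.xxx.xxx.38"):
        print(f"{ts}: reply to {peer} sent from UDP 500 after it floated to 4500")
```

Run against a live box with `tail -n 200 /var/log/auth.log` and a `tcpdump -ni eth1 udp and port 500 or port 4500` capture in place of the constructed strings; the per-peer record makes the NATed/not-NATed runs directly comparable, and the port-float check turns the eye-ball comparison of the two tcpdump endpoints into a single finding.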
Received on Wed Apr 14 14:08:52 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:32 EDT
