[strongSwan] strongswan and roadwarrior connections
Reza ISSANY
2009-04-22 12:15:48 UTC
Hi,

Sorry for my bad English.

I'm trying to configure an L2TP connection for XP and Vista clients,
but I can't get this connection to work.

The IPsec SA is established, but nothing is logged by xl2tpd.
I have imported the cert file on the Windows XP laptop using mmc.

This test is done on the LAN (no NAT):

Apr 22 14:10:04 integration pluto[22101]: "rw"[1] 192.168.1.110 #1: responding to Main Mode from unknown peer 192.168.1.110
Apr 22 14:10:04 integration pluto[22101]: "rw"[1] 192.168.1.110 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Apr 22 14:10:04 integration pluto[22101]: "rw"[1] 192.168.1.110 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Some-State, L=reza, O=Internet Widgits Pty Ltd, OU=reza, CN=reza'
Apr 22 14:10:04 integration pluto[22101]: "rw"[2] 192.168.1.110 #1: deleting connection "rw" instance with peer 192.168.1.110 {isakmp=#0/ipsec=#0}
Apr 22 14:10:04 integration pluto[22101]: "rw"[2] 192.168.1.110 #1: we have a cert and are sending it upon request
Apr 22 14:10:04 integration pluto[22101]: "rw"[2] 192.168.1.110 #1: sent MR3, ISAKMP SA established
Apr 22 14:10:04 integration pluto[22101]: "rw"[2] 192.168.1.110 #2: responding to Quick Mode
Apr 22 14:10:04 integration pluto[22101]: "rw"[2] 192.168.1.110 #2: IPsec SA established {ESP=>0x16cc3604 <0x6fdbde27}

000 #4: "rw"[4] 192.168.1.110 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1105s; newest IPSEC; eroute owner
000 #4: "rw"[4] 192.168.1.110 esp.9c79a349@192.168.1.110 (0 bytes) esp.3afee3cf@192.168.1.116 (321 bytes, 3s ago); transport
000 #3: "rw"[4] 192.168.1.110 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3504s; newest ISAKMP

When this connection works locally, I'll test it with a remote client that is behind NAT.

Any idea please? Thanks for your help.

config setup
    #plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    # charonstart=no
    # plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn rw
    # strongswan
    authby=rsasig
    leftrsasigkey=%cert
    leftcert=integration.pem
    left=192.168.1.116
    leftnexthop=192.168.1.1
    leftprotoport=17/1701
    #client
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnetwithin=192.168.0.0/16
    keyingtries=3
    pfs=no
    auto=add

conn block
    auto=ignore

conn clear
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn packetdefault
    auto=ignore


azer
Reza ISSANY
2009-04-22 13:28:02 UTC
Hello,

Now I can connect when my client is on the same LAN.

If I try to connect from a laptop that is behind NAT, I get this log:
Apr 22 15:17:33 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #2: NAT-Traversal: Transport mode disabled due to security concerns
Apr 22 15:17:33 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.1.77:4500
Apr 22 15:17:35 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb190816e (perhaps this is a duplicated packet)
Apr 22 15:17:35 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.77:4500
Apr 22 15:17:37 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb190816e (perhaps this is a duplicated packet)
Apr 22 15:17:37 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.77:4500
Apr 22 15:17:41 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb190816e (perhaps this is a duplicated packet)
Apr 22 15:17:41 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.77:4500
Apr 22 15:17:48 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #1: received Delete SA payload: deleting ISAKMP State #1
Apr 22 15:17:48 integration pluto[28738]: "rw"[2] 192.168.1.77:4500: deleting connection "rw" instance with peer 192.168.1.77 {isakmp=#0/ipsec=#0}

After a few searches on the net, I recompiled strongSwan with --enable-nat-transport, but nothing changed.

conn rw
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=vpn.olympecti.fr.pem
    left=192.168.1.116
    leftnexthop=192.168.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    keyingtries=3
    pfs=no

Please help :s

_______________________________________________
Users mailing list
***@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
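Added example, not from the thread or from the strongSwan project: a small Python triage script for pluto log lines of the exact shape quoted above. It splits each line into connection, instance, peer, port and state, counts the notifications that matter here (the NAT-T transport-mode refusal, BAD_PROPOSAL_SYNTAX, INVALID_MESSAGE_ID, "IPsec SA established"), and gives a one-line verdict per peer; the regex and the signature table are my own construction, and the sample log is three lines taken from the second message.

```python
import re
from collections import defaultdict

# Shape of the pluto lines quoted in this thread; ":port" and " #state" are optional, e.g.
#   Apr 22 15:17:33 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #2: NAT-Traversal: ...
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+)(?::(?P<port>\d+))?'
    r'(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)

# Message fragments worth flagging; each one appears in the logs quoted above.
SIGNATURES = {
    "nat_transport_refused": "Transport mode disabled due to security concerns",
    "bad_proposal": "notification BAD_PROPOSAL_SYNTAX",
    "invalid_msgid": "notification INVALID_MESSAGE_ID",
    "ipsec_sa_up": "IPsec SA established",
}

# Sample input: three lines of the NAT-ed client's log from the second message.
SAMPLE_NAT_LOG = [
    'Apr 22 15:17:33 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #2: '
    'NAT-Traversal: Transport mode disabled due to security concerns',
    'Apr 22 15:17:33 integration pluto[28738]: "rw"[2] 192.168.1.77:4500 #2: '
    'sending encrypted notification BAD_PROPOSAL_SYNTAX to 192.168.1.77:4500',
    'Apr 22 15:17:48 integration pluto[28738]: "rw"[2] 192.168.1.77:4500: '
    'deleting connection "rw" instance with peer 192.168.1.77 {isakmp=#0/ipsec=#0}',
]

def parse_line(line):
    """Return the named fields of one pluto line, or None if the line is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Per peer: last UDP port seen (4500 means NAT-T floated) and signature hit counts."""
    report = {}
    for rec in filter(None, map(parse_line, lines)):
        entry = report.setdefault(rec["peer"], {"port": None, "hits": defaultdict(int)})
        entry["port"] = rec["port"] or entry["port"]
        for name, needle in SIGNATURES.items():
            if needle in rec["msg"]:
                entry["hits"][name] += 1
    return report

def verdict(entry):
    """One-line reading of a peer's entry."""
    if entry["hits"]["nat_transport_refused"]:
        return "quick mode refused: NAT-T with transport mode is disabled in this pluto build"
    return "IPsec SA established" if entry["hits"]["ipsec_sa_up"] else "no IPsec SA seen"
```

Feed it the full syslog extract (e.g. `triage(open("/var/log/auth.log"))`) to see at a glance which peers floated to port 4500 and which of them were refused before any IPsec SA came up.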
