OK, at the end is the ipsec barf output (from home fw) for a few pings. So voluminous I snipped out much irrelevant stuff, but if anyone needs a section let me know. I included the homefw config, which is virtually identical to office except for the IPs. Interesting message from homefw = something about no NAT detected. That is technically correct, since both fw's are masquerading. Maybe I need to figure out how to wrap the ipsec from win2k with UDP?
Any advice would be useful. TIA Rick.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tibbs, Richard
Sent: Tuesday, July 27, 2004 7:47 AM
To: Erich Titl
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Road-warrior trouble: was Please Help: How to turn on Nat Traversal in Bering?

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Monday, July 26, 2004 4:00 PM
To: Tibbs, Richard; [EMAIL PROTECTED]
Subject: RE: [leaf-user] Road-warrior trouble: was Please Help: How to turn on Nat Traversal in Bering?

Rick

At 19:56 26.07.2004, you wrote:
><After long delay getting back to this...>
>Thanks, Erich!
>Yes, nat_traversal=yes removes the [disabled] portion of the auth.log
>record. This is on both firewalls below.

Mhhh, so nat-traversal is compiled in

>But, I am having other problems with the home win2k machine. What I am
>doing is using Bering 1.2 at both "home" and "work" firewalls. Home is
>Bering 1.2 on two floppies, internal network 192.168.1.0/24, ext. static
>IP 216.12.x.y . Work firewall is Bering CD, internal 192.168.10.0/24
>external IP 137.45.w.z.
>
>The setup is
>
>W2k --------- homefw --- internet --- university.net -- W2k --------- ethsw --- workfw --- int.subnet
>^             ^                                         ^                       ^
>192.168.1.3   216.12.x.y                                137.45.p.q              137.45.w.z
>                                                                                           192.168.10.0/24
>Can't ping 192.168.10.13                                Can ping 192.168.10.13
>
>The symptom is that with identical road-warrior style configs on both
>W2K machines, the results are different. Also, the university has no firewall
>(checked with acad. Computing).
>We have university laptops that we take home with the cisco ipsec client
>and I can attach these to the internal home network and connect up fine...
>So the university router ACLs appear to allow ipsec traffic in and out.

OK, but NAT occurs on both homefw _and_ workfw?
Rick: Yes, masquerading on outbound traffic (SNAT)

>This is with outbound-filter (same on both win2k security settings)
>source = my ipaddress/32 dest= 192.168.10.0/24
>out-tunnel = 137.45.192.69 --- work fw external IP
>
>inbound-filter
>source= 192.168.10.0/24
>dest=my IP address/32
>in-tunnel = 192.168.1.3 (ip address on home win2k machine)

Are these the Cisco settings, so the Cisco VPN client builds a tunnel to 137.45.192.69?

Rick: Nope, the cisco client connects to, I suspect, a cisco router running a vpn server.

>I get no event errors in the Event Viewer, no shorewall log errors, but
>100% packet loss over all 12 pings.

Pings from where to where?

Rick: Pings from the win2k machine to a machine (192.168.10.13) on the office network.

>The only salient differences seem to be that
>1) in the inbound tunnel address is private address on home w2k, and
>2) going through two firewalls instead of one.

Mhhh... at home your source address is in the 192.168.1.0/24 subnet, at work it is in the 137.45.x.y subnet

Rick: Yes.

What about ipsec barf? Not that I am very good at deciphering it, but it holds a lot of information.

Rick: I will give that a try & get back to you later.

--- now homefw here, below:

<lots of crud snipped out>

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        #authby=rsasig
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns
        authby=secret
        left=216.12.22.89
        leftsubnet=192.168.1.0/24
        leftnexthop=%direct
        leftfirewall=yes
        pfs=yes
        auto=add

conn road-warrior
        right=%any

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
        #left=%defaultroute
        #right=%opportunistic
        # uncomment to enable incoming; change to auto=route for outgoing
        #auto=add

# sample VPN connection
conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.0.1
        leftsubnet=172.16.0.0/24
        leftnexthop=10.22.33.44
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.12.12.1
        rightsubnet=192.168.0.0/24
        rightnexthop=10.101.102.103
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        #auto=add

<Lots of stuff snipped out>

Jul 25 20:36:11 firewall ipsec__plutorun: Starting Pluto subsystem...
Jul 25 20:36:11 firewall pluto[4592]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.6.2)
Jul 25 20:36:11 firewall pluto[4592]: including X.509 patch with traffic selectors (Version 0.9.28)
Jul 25 20:36:11 firewall pluto[4592]: including NAT-Traversal patch (Version 0.5a)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 25 20:36:11 firewall pluto[4592]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)

<lots of stuff snipped out>

Jul 25 20:36:11 firewall pluto[4592]: Could not change to directory '/etc/ipsec.d/cacerts'
Jul 25 20:36:11 firewall pluto[4592]: Could not change to directory '/etc/ipsec.d/crls'
Jul 25 20:36:11 firewall pluto[4592]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jul 25 20:36:11 firewall pluto[4592]: | from whack: got --esp=3des
Jul 25 20:36:11 firewall pluto[4592]: | from whack: got --ike=3des
Jul 25 20:36:11 firewall pluto[4592]: added connection description "sample"
Jul 25 20:36:12 firewall pluto[4592]: | from whack: got --esp=3des
Jul 25 20:36:12 firewall pluto[4592]: | from whack: got --ike=3des
Jul 25 20:36:12 firewall pluto[4592]: added connection description "road-warrior"
Jul 25 20:36:12 firewall pluto[4592]: listening for IKE messages
Jul 25 20:36:12 firewall pluto[4592]: adding interface ipsec0/eth0 216.12.22.89
Jul 25 20:36:12 firewall pluto[4592]: adding interface ipsec0/eth0 216.12.22.89:4500
Jul 25 20:36:12 firewall pluto[4592]: loading secrets from "/etc/ipsec.secrets"
Jul 26 21:14:07 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #394: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:14:08 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #394: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:14:48 firewall pluto[4592]: packet from 137.45.192.69:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 26 21:14:48 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 26 21:14:48 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: responding to Main Mode from unknown peer 137.45.192.69
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: Main mode peer ID is ID_IPV4_ADDR: '137.45.192.69'
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: sent MR3, ISAKMP SA established
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:14:58 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:14:58 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:15:18 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:15:18 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:15:58 firewall pluto[4592]: packet from 137.45.192.69:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 26 21:15:58 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 26 21:15:58 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 21:15:58 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: responding to Main Mode from unknown peer 137.45.192.69
Jul 26 21:15:59 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 26 21:15:59 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: Main mode peer ID is ID_IPV4_ADDR: '137.45.192.69'
Jul 26 21:15:59 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: sent MR3, ISAKMP SA established
Jul 26 21:15:59 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:16:09 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:16:09 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:16:29 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:16:29 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #396: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:17:09 firewall pluto[4592]: packet from 137.45.192.69:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 26 21:17:09 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 26 21:17:09 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 21:17:09 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: responding to Main Mode from unknown peer 137.45.192.69
Jul 26 21:17:09 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 26 21:17:10 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: Main mode peer ID is ID_IPV4_ADDR: '137.45.192.69'
Jul 26 21:17:10 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: sent MR3, ISAKMP SA established
Jul 26 21:17:10 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:17:20 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:17:20 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:17:40 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:17:40 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #397: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:18:19 firewall pluto[4592]: packet from 137.45.192.69:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 26 21:18:19 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 26 21:18:19 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 21:18:19 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: responding to Main Mode from unknown peer 137.45.192.69
Jul 26 21:18:19 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 26 21:18:19 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: Main mode peer ID is ID_IPV4_ADDR: '137.45.192.69'
Jul 26 21:18:19 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: sent MR3, ISAKMP SA established
Jul 26 21:18:20 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:18:30 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:18:30 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:18:50 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 26 21:18:50 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #398: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:19:30 firewall pluto[4592]: packet from 137.45.192.69:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 26 21:19:30 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 26 21:19:30 firewall pluto[4592]: packet from 137.45.192.69:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 26 21:19:30 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #399: responding to Main Mode from unknown peer 137.45.192.69
Jul 26 21:19:30 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #399: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 26 21:19:30 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #399: Main mode peer ID is ID_IPV4_ADDR: '137.45.192.69'
Jul 26 21:19:30 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #399: sent MR3, ISAKMP SA establ

cheers
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id040&op=click
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
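The thread turns on spotting two things in a long pluto barf: the "no NAT detected" result and the endless "retransmitting ... already STATE_MAIN_R3" / "Informational Exchange message ... must be encrypted" pairs after every "ISAKMP SA established". The triage script below is an illustration added here, not part of the thread or of FreeS/WAN: it groups pluto's state lines by ISAKMP SA number, records whether NAT-T saw a NAT and whether Phase 1 was ever followed by an IPsec SA, and says what the pattern suggests. The sample lines are constructed after the quoted log, peer_behind_nat is operator knowledge passed in, and "IPsec SA established" as pluto's Quick Mode completion message is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the thread (not the real log).
SAMPLE_LOG = """\
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: responding to Main Mode from unknown peer 137.45.192.69
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: sent MR3, ISAKMP SA established
Jul 26 21:14:48 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 26 21:14:58 firewall pluto[4592]: "road-warrior"[1] 137.45.192.69 #395: retransmitting in response to duplicate packet; already STATE_MAIN_R3
"""

# State-bearing pluto lines carry: "conn"[n] peer #sa: message
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')

def summarise(log_text):
    """Build {sa_number: summary} from the state-bearing pluto lines."""
    sas = defaultdict(lambda: {"peer": None, "nat_detected": None, "isakmp_sa": False,
                               "ipsec_sa": False, "retransmits": 0, "unencrypted_info": 0})
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        s = sas[int(m.group("sa"))]
        s["peer"] = m.group("peer")
        msg = m.group("msg")
        if msg.startswith("NAT-Traversal: Result"):
            s["nat_detected"] = not msg.endswith("no NAT detected")
        elif "ISAKMP SA established" in msg:           # Main Mode (Phase 1) complete
            s["isakmp_sa"] = True
        elif "IPsec SA established" in msg:            # Quick Mode (Phase 2) complete; assumed wording
            s["ipsec_sa"] = True
        elif msg.startswith("retransmitting in response to duplicate packet"):
            s["retransmits"] += 1
        elif msg.startswith("Informational Exchange message for an established ISAKMP SA"):
            s["unencrypted_info"] += 1
    return dict(sas)

def findings(summary, peer_behind_nat):
    """Turn the per-SA summary into plain-language diagnostics."""
    out = []
    for sa, s in sorted(summary.items()):
        if peer_behind_nat and s["nat_detected"] is False:
            out.append(f"SA #{sa} {s['peer']}: NAT-T drafts accepted but 'no NAT detected' for a peer "
                       "behind NAT, so ESP is not UDP-encapsulated and is unlikely to survive masquerading")
        if s["isakmp_sa"] and not s["ipsec_sa"] and s["retransmits"]:
            out.append(f"SA #{sa} {s['peer']}: Phase 1 done but no IPsec SA followed; "
                       f"{s['retransmits']} duplicate-packet retransmit(s) and {s['unencrypted_info']} "
                       "unencrypted Informational message(s) suggest the peer never accepted our MR3")
    return out
```

Run it over the real barf with `findings(summarise(open("/var/log/auth.log").read()), peer_behind_nat=True)` to get one line per ISAKMP SA instead of reading the raw repeats.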
