I have a Leaf box with Bering-uClibc 2.2

I want to set up VPN tunnels for road warriors (Win2k,
Linux, ...). My configuration is as follows:

Client -- Router (NAT) -- Internet -- Leaf (VPNs)

I tested this configuration with a client without NAT.
Everything works (authentication with a CA and X.509
certificates).

So I use the NAT-T function for clients behind NAT
(encapsulation of IPsec packets in UDP 4500).
The connection begins with quite good debugging
messages. However, the following message appears in
auth.log:

Oct 22 19:34:30 citi-firewall pluto[30114]:
"test-fw"[5] 82.224.121.151:4500 #14: cannot respond
to IPsec SA request because no connection is known for
134.214.0.0/16===134.214.79.170:4500[C=FR,
ST=Some-State, L=Villeurbanne, O=Laboratoire CITI,
CN=citi-firewall]...82.224.121.151:4500[C=FR,
ST=Some-State, L=Villeurbanne, O=Laboratoire CITI,
CN=FabT, [EMAIL PROTECTED]/32

I read that this error is often caused by a wrong
configuration of the subnets.
Then I tried setting the subnet of my client statically
in the ipsec.conf file of the server:
leftsubnet=192.168.0.2/32
And ... everything works with this modification.

However, I can't maintain such a static subnet, since
all the road warrior clients have different
configurations and different addresses.

Here are my config files:
__________________________________

Here is my ipsec.conf file:
# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all
        interfaces="ipsec0=eth0"
        nat_traversal=yes

conn %default
        keyingtries=0
        authby=rsasig
        pfs=yes


# sample VPN connection
conn test-fw
        # Left security gateway, subnet behind it, next hop toward right.
        left=134.214.79.170
        leftsubnet=134.214.0.0/16
        leftnexthop=134.214.76.1
        leftrsasigkey=%cert
        leftcert=citi-firewallCert.pem
        leftid=%any
        #leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=%any
        rightsubnet=192.168.0.2/32
        rightnexthop=
        rightid="C=FR,ST=Some-State,L=Villeurbanne,O=Laboratoire CITI,CN=*,E=*"
        rightrsasigkey=%cert
        rightcert=%any
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=start

__________________________

Here is the ipsec.conf for the WinXP client:

conn CITI
        left=134.214.79.170
        leftsubnet=134.214.0.0/16
        rightca="c=FR,ST=Some-State,L=Villeurbanne,O=Laboratoire CITI,CN=Fabrice Theoleyre,[EMAIL PROTECTED]"
        right=%any
        auto=start
        pfs=yes


and the complete error message from auth.log:

Oct 22 20:17:55 citi-firewall pluto[16349]: packet
from 82.224.121.151:500: ignoring Vendor ID payload
[MS NT5 ISAKMPOAKLEY 00000004]
Oct 22 20:17:55 citi-firewall pluto[16349]: packet
from 82.224.121.151:500: ignoring Vendor ID payload
[FRAGMENTATION]
Oct 22 20:17:55 citi-firewall pluto[16349]: packet
from 82.224.121.151:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
Oct 22 20:17:55 citi-firewall pluto[16349]: packet
from 82.224.121.151:500: ignoring Vendor ID payload
[26244d38eddb61b3172a36e3d0cfb819]
Oct 22 20:17:55 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151 #1: responding to Main
Mode from unknown peer 82.224.121.151
Oct 22 20:17:55 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151 #1: transition from state
(null) to state STATE_MAIN_R1
Oct 22 20:17:55 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151 #1: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 22 20:17:56 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 22 20:17:56 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151 #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=FR, ST=Some-State, L=Villeurbanne,
O=Laboratoire CITI, CN=FabT, [EMAIL PROTECTED]'
Oct 22 20:17:56 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151 #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 22 20:17:56 citi-firewall pluto[16349]: | NAT-T:
new mapping 82.224.121.151:500/4500)
Oct 22 20:17:56 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: sent MR3, ISAKMP
SA established
Oct 22 20:17:56 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: cannot respond to
IPsec SA request because no connection is known for
134.214.0.0/16===134.214.79.170:4500[C=FR,
ST=Some-State, L=Villeurbanne, O=Laboratoire CITI,
CN=citi-firewall]...82.224.121.151:4500[C=FR,
ST=Some-State, L=Villeurbanne, O=Laboratoire CITI,
CN=FabT, [EMAIL PROTECTED]/32
Oct 22 20:17:56 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: sending encrypted
notification INVALID_ID_INFORMATION to
82.224.121.151:4500
Oct 22 20:17:57 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: Quick Mode I1
message is unacceptable because it uses a previously
used Message ID 0xc07af72b (perhaps this is a
duplicated packet)
Oct 22 20:17:57 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: sending encrypted
notification INVALID_MESSAGE_ID to 82.224.121.151:4500
Oct 22 20:17:59 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: Quick Mode I1
message is unacceptable because it uses a previously
used Message ID 0xc07af72b (perhaps this is a
duplicated packet)
Oct 22 20:17:59 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: sending encrypted
notification INVALID_MESSAGE_ID to 82.224.121.151:4500
Oct 22 20:18:03 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: Quick Mode I1
message is unacceptable because it uses a previously
used Message ID 0xc07af72b (perhaps this is a
duplicated packet)
Oct 22 20:18:11 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: Quick Mode I1
message is unacceptable because it uses a previously
used Message ID 0xc07af72b (perhaps this is a
duplicated packet)
Oct 22 20:18:11 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: sending encrypted
notification INVALID_MESSAGE_ID to 82.224.121.151:4500
Oct 22 20:18:13 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500 #1: received Delete
SA payload: deleting ISAKMP State #1
Oct 22 20:18:13 citi-firewall pluto[16349]:
"test-fw"[1] 82.224.121.151:4500: deleting connection
"test-fw" instance with peer 82.224.121.151
Oct 22 20:18:13 citi-firewall pluto[16349]: packet
from 82.224.121.151:4500: received and ignored
informational message
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
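Added example (not from the original post, nor the LEAF or FreeS/WAN projects' own files): the way the NAT-T patch for FreeS/WAN, and Openswan after it, handle road warriors behind NAT without a per-client rightsubnet. Instead of a fixed private address, the config setup section lists the private ranges a NATed client may claim in virtual_private=, and the road-warrior conn sets rightsubnet=vhost:%priv,%no, so pluto instantiates the conn with whatever inner address the client proposes in Quick Mode, as long as it lies inside those ranges. The gateway addresses, certificate file name and rightid pattern are copied from the post above; the virtual_private ranges (the three RFC 1918 blocks), the conn name roadwarrior-natt and auto=add are assumptions, and the poster's leftid and rightcert lines are left out.

```conf
# ipsec.conf fragment (added example, not the poster's file):
# FreeS/WAN + NAT-T patch (or Openswan) gateway accepting X.509 road
# warriors that sit behind NAT, without a fixed rightsubnet per client.
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        # Private ranges a NATed client may present as its inner address.
        # Assumption: all RFC 1918 space; narrow this to what your
        # road warriors actually use.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        # Turn debugging back on only while troubleshooting.
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        authby=rsasig
        pfs=yes

# Road-warrior template; one instance is created per connecting client.
conn roadwarrior-natt
        left=134.214.79.170
        leftsubnet=134.214.0.0/16
        leftnexthop=134.214.76.1
        leftrsasigkey=%cert
        leftcert=citi-firewallCert.pem
        right=%any
        # Accept the client's NATed private address (any host inside
        # virtual_private), or a client that proposes no inner subnet
        # at all (%no), i.e. just its own public address.
        rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert
        # Any certificate issued by the lab CA matches this DN pattern
        # (pattern taken from the post).
        rightid="C=FR,ST=Some-State,L=Villeurbanne,O=Laboratoire CITI,CN=*,E=*"
        # Load the conn so pluto can respond to it; a conn with
        # right=%any cannot be initiated from this side.
        auto=add
```

Reload with ipsec auto --replace roadwarrior-natt (or ipsec setup restart); the Quick Mode proposal carrying the client's 192.168.x.x address should then match the instantiated conn instead of producing "no connection is known for". One caveat: vhost:%priv lets any client holding a certificate from the lab CA claim any address inside virtual_private, so access to the 134.214.0.0/16 network behind the gateway should still be restricted by firewall rules on ipsec0 rather than by the subnet in the conn.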