[strongSwan] Windows 7 client problem
web.tyoma at gmail.com
Wed Jul 11 16:53:41 CEST 2012
I've tried the latest release. Now the tunnel is established successfully, but it
doesn't see packets from client. Client is behind the NAT and port 4500 is
used for ESP transmission.
Tcpdump:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:22:41.127358 IP 93.xx.xx.230.500 > 192.168.1.110.500: isakmp: phase 1 I
ident
18:22:41.141948 IP 192.168.1.110.500 > 93.xx.xx.230.500: isakmp: phase 1 R
ident
18:22:41.197018 IP 93.xx.xx.230.500 > 192.168.1.110.500: isakmp: phase 1 I
ident
18:22:41.216222 IP 192.168.1.110.500 > 93.xx.xx.230.500: isakmp: phase 1 R
ident
18:22:41.238740 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: NONESP-encap:
isakmp: phase 1 I ident[E]
18:22:41.249776 IP 192.168.1.110.4500 > 93.xx.xx.230.4500: NONESP-encap:
isakmp: phase 1 R ident[E]
18:22:41.255562 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: NONESP-encap:
isakmp: phase 2/others I oakley-quick[E]
18:22:41.262995 IP 192.168.1.110.4500 > 93.xx.xx.230.4500: NONESP-encap:
isakmp: phase 2/others R oakley-quick[E]
18:22:41.266846 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: NONESP-encap:
isakmp: phase 2/others I oakley-quick[E]
18:22:41.269434 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap:
ESP(spi=0xc3a80153,seq=0x1), length 164
18:22:42.275561 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap:
ESP(spi=0xc3a80153,seq=0x2), length 164
18:22:44.288046 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap:
ESP(spi=0xc3a80153,seq=0x3), length 164
18:22:48.299741 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap:
ESP(spi=0xc3a80153,seq=0x4), length 164
18:22:56.300409 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap:
ESP(spi=0xc3a80153,seq=0x5), length 164
18:22:59.138430 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: NONESP-encap:
isakmp: phase 2/others I inf[E]
18:22:59.138445 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: NONESP-encap:
isakmp: phase 2/others I inf[E]
From 18:22:41.269434 to 18:22:56.300409 there is nothing in the log, even
with loglevel = 4.
Log:
05[IKE] IKE_SA c1[3] established between 192.168.1.110[C=RU, ST=Moscow,
O=Company, CN=User test1]...93.xx.xx.230[C=RU, ST=Moscow, O=Company, CN=User
test1]
05[IKE] sending end entity cert "C=RU, ST=Moscow, O=Company, CN=User test1"
05[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
05[NET] sending packet: from 192.168.1.110[4500] to 93.xx.xx.230[4500]
04[NET] received packet: from 93.xx.xx.230[4500] to 192.168.1.110[4500]
04[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
04[IKE] received 3600s lifetime, configured 0s
04[IKE] received 250000000 lifebytes, configured 0
04[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
04[NET] sending packet: from 192.168.1.110[4500] to 93.xx.xx.230[4500]
15[NET] received packet: from 93.xx.xx.230[4500] to 192.168.1.110[4500]
15[ENC] parsed QUICK_MODE request 1 [ HASH ]
15[IKE] CHILD_SA c3{3} established with SPIs c314f6a0_i 3b0a3bcc_o and TS
89.yy.yy.50/32[udp/l2f] === 93.xx.xx.230/32[udp/l2f]
--- At this moment there are udp-esp packets to 4500 in tcpdump, but nothing
in log.
--- At this moment I've pressed "Cancel" on client;
14[NET] received packet: from 93.xx.xx.230[4500] to 192.168.1.110[4500]
14[ENC] parsed INFORMATIONAL_V1 request 3608576823 [ HASH D ]
14[IKE] received DELETE for ESP CHILD_SA with SPI 3b0a3bcc
14[IKE] closing CHILD_SA c3{3} with SPIs c314f6a0_i (224 bytes) 3b0a3bcc_o
(0 bytes) and TS 89.yy.yy.50/32[udp/l2f] === 93.xx.xx.230/32[udp/l2f]
14[NET] received packet: from 93.xx.xx.230[4500] to 192.168.1.110[4500]
14[ENC] parsed INFORMATIONAL_V1 request 1319403265 [ HASH D ]
14[IKE] received DELETE for IKE_SA c1[3]
14[IKE] deleting IKE_SA c1[3] between 192.168.1.110[C=RU, ST=Moscow,
O=Company, CN=User test1]...93.xx.xx.230[C=RU, ST=Moscow, O=Company, CN=User
test1]
Connections scheme:
[Client, 192.168.1.38] - [NAT Router, 93.xx.xx.230] -- : internet : -- [NAT
router, 89.yy.yy.50; 4500, 500, 1701 are forwarded to 192.168.1.110] -
[ipsec server, 192.168.1.110]
Ipsec.conf:
conn %default
    leftauth=pubkey
    rightauth=pubkey
    rekey=no
    leftcert=/usr/local/etc/ipsec.d/certs/gateway.pem
    rightca=%same

conn common
    type=transport
    keyexchange=ikev1
    auto=add
    rightprotoport=17/%any
    leftprotoport=17/1701
    right=%any

conn c3
    leftsubnet=89.xx.xx.50/32
    left=192.168.1.110
    leftfirewall=yes
    also=common
Best regards,
Artem Popov.
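An added example, not part of the thread or of strongSwan itself: a small Python script that correlates the ESP SPIs seen on the wire (tcpdump) with the SPIs charon reports for its CHILD_SAs. On Linux the kernel decapsulates and decrypts ESP, so the daemon logs nothing per packet; when UDP-encapsulated ESP is visibly arriving but the log is silent, the cheap first check is whether the SPI on those packets belongs to an SA the daemon actually installed. The sample input is the tcpdump and log lines quoted above (tcpdump's wrapped lines re-joined onto one line each) plus one constructed packet, labelled as such, that exercises the matched branch. On the quoted data the script reports that wire SPI 0xc3a80153 is not among the SPIs logged for c3{3} (c314f6a0_i / 3b0a3bcc_o).

```python
import re

# Sample input constructed from the tcpdump and charon log lines quoted in the
# thread above (wrapped lines re-joined). The LAST tcpdump line is constructed,
# not from the thread: it carries the inbound SPI the log reports, so the
# "matched" branch is exercised as well.
TCPDUMP = """\
18:22:41.269434 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap: ESP(spi=0xc3a80153,seq=0x1), length 164
18:22:42.275561 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap: ESP(spi=0xc3a80153,seq=0x2), length 164
18:22:44.288046 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap: ESP(spi=0xc3a80153,seq=0x3), length 164
18:22:48.299741 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap: ESP(spi=0xc3a80153,seq=0x4), length 164
18:22:56.300409 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap: ESP(spi=0xc3a80153,seq=0x5), length 164
18:22:57.000000 IP 93.xx.xx.230.4500 > 192.168.1.110.4500: UDP-encap: ESP(spi=0xc314f6a0,seq=0x1), length 164
"""

CHARON_LOG = """\
15[IKE] CHILD_SA c3{3} established with SPIs c314f6a0_i 3b0a3bcc_o and TS 89.yy.yy.50/32[udp/l2f] === 93.xx.xx.230/32[udp/l2f]
14[IKE] closing CHILD_SA c3{3} with SPIs c314f6a0_i (224 bytes) 3b0a3bcc_o (0 bytes) and TS 89.yy.yy.50/32[udp/l2f] === 93.xx.xx.230/32[udp/l2f]
"""

# tcpdump ESP line, with or without the "UDP-encap:" prefix used for NAT-T.
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<encap>UDP-encap: )?ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)
# charon "CHILD_SA <name> established with SPIs <in>_i <out>_o" line.
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)


def parse_esp(text):
    """Return one dict per ESP packet found in tcpdump output."""
    packets = []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if not m:
            continue
        packets.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "udp_encap": m.group("encap") is not None,
            "spi": int(m.group("spi"), 16), "seq": int(m.group("seq"), 16),
        })
    return packets


def parse_child_sas(text):
    """Map CHILD_SA name -> (inbound SPI, outbound SPI) from charon's log."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_SA_RE.search(line)
        if m:
            sas[m.group("name")] = (int(m.group("spi_in"), 16), int(m.group("spi_out"), 16))
    return sas


def correlate(packets, sas):
    """Group wire packets by SPI and name the logged CHILD_SA (if any) owning each SPI."""
    by_spi = {}
    for p in packets:
        e = by_spi.setdefault(p["spi"], {"count": 0, "seqs": [], "udp_encap": p["udp_encap"],
                                         "sa": None, "direction": None})
        e["count"] += 1
        e["seqs"].append(p["seq"])
    for spi, e in by_spi.items():
        for name, (spi_in, spi_out) in sas.items():
            if spi == spi_in:
                e["sa"], e["direction"] = name, "inbound"   # packets the daemon expects to receive
            elif spi == spi_out:
                e["sa"], e["direction"] = name, "outbound"  # packets the daemon's host sends
        # Consecutive sequence numbers mean the sender kept retransmitting on one SA.
        first = e["seqs"][0]
        e["seq_gaps"] = e["seqs"] != list(range(first, first + len(e["seqs"])))
    return by_spi


def report(by_spi):
    """Human-readable one-liner per SPI."""
    lines = []
    for spi, e in sorted(by_spi.items()):
        owner = f"{e['sa']} ({e['direction']})" if e["sa"] else "NO logged CHILD_SA"
        encap = "UDP-encap" if e["udp_encap"] else "plain"
        gaps = " (gaps)" if e["seq_gaps"] else ""
        lines.append(f"SPI 0x{spi:08x}: {e['count']} {encap} packet(s), "
                     f"seq {e['seqs'][0]}..{e['seqs'][-1]}{gaps} -> {owner}")
    return lines


if __name__ == "__main__":
    for line in report(correlate(parse_esp(TCPDUMP), parse_child_sas(CHARON_LOG))):
        print(line)
```

Feed it real `tcpdump -n` output and the charon log with at least `ike 1` / `knl 1` logging; an inbound SPI with no owning CHILD_SA means the kernel has no matching SA to decrypt into, and the place to look next is the SAD (`ip xfrm state`) rather than the IKE log.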
From: John Mara [mailto:jaymara22 at hotmail.com]
Sent: Wednesday, July 11, 2012 3:59 AM
To: web.tyoma at gmail.com; users at lists.strongswan.org
Subject: RE: [strongSwan] Windows 7 client problem
Hi
Paste your options.xl2tpd conf here and also let me know whether you are
using chap or chap v2
_____
From: web.tyoma at gmail.com
To: Users at lists.strongswan.org
Date: Wed, 11 Jul 2012 00:21:15 +0400
Subject: [strongSwan] Windows 7 client problem
Hi,
I'm trying to set up a Linux ipsec\l2tp server.
When the Win7 client connects to the server I get an error in the log:
vpn pluto[]: "doublenat"[4] IP:54189 #6: NAT-Traversal: received 2 NAT-OA.
using first, ignoring others
vpn pluto[]: "doublenat"[4] IP:54189 #6: responding to Quick Mode
vpn pluto[]: "doublenat"[4] IP:54189 #5: ignoring informational payload,
type INVALID_HASH_INFORMATION
vpn pluto[]: "doublenat"[4] IP:54189 #5: received Delete SA payload:
deleting ISAKMP State #5
Same error appears with PSK and RSA auth.
Win7 client shows "error 789" immediately after Connect button pressed.
Server is behind the NAT, ports 4500, 500 and 1701 are forwarded. I've tried
clients with public IP and behind NAT with same result.
Is it bug #108, or did I misconfigure something? Is there a working example
where client and server are both NATed?
My ipsec.conf: http://paste.org.ru/?p6y9js
Best regards,
Artem Popov.