[strongSwan] Strongswan + L2TP => Main Mode message is part of an unknown exchange

Jthemovie jthemovie at gmail.com
Thu Sep 20 00:56:23 CEST 2012


Hi all,

I'm trying to set up the following basic configuration:

|--------------LAN--------------|----------------WAN----------------|
VPN SERVER ---------- HOME ROUTER/NAT -|-------(internet)------- iPhone on UMTS (3G) conn
192.168.1.253        192.168.1.1                           88.b.c.d
                                                           %any

So here is the setup of strongSwan:

/etc/ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification

config setup
  nat_traversal=yes
  charonstart=yes
  plutostart=yes
  plutostderrlog=/var/log/pluto.log
  charondebug=4
  plutodebug="control controlmore"

conn l2tp-psk-nat
  authby=psk
  pfs=no
  type=transport
  left=192.168.1.253
  leftprotoport=17/1701
  rightprotoport=17/%any
  auto=add

But when I connect with my iPhone using the native client, I get the
following errors on the server side:

| *received 476 bytes from 213.143.45.130:22656 on eth0
packet from 213.143.45.130:22656: received Vendor ID payload [RFC 3947]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[4df37928e9fc4fd1b3262170d515c662]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
packet from 213.143.45.130:22656: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
packet from 213.143.45.130:22656: received Vendor ID payload [Dead Peer
Detection]
| preparse_isakmp_policy: peer requests PSK authentication
| instantiated "l2tp-psk-nat" for 213.143.45.130
| creating state object #2 at 0xb7cc7290
| ICOOKIE:  34 02 3e 36  19 88 b7 f0
| RCOOKIE:  d5 e3 46 c3  b8 4b 24 9d
| peer:  d5 8f 2d 82
| state hash entry 8
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
"l2tp-psk-nat"[2] 213.143.45.130:22656 #2: responding to Main Mode from
unknown peer 213.143.45.130:22656
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *received 228 bytes from 213.143.45.130:22656 on eth0
| ICOOKIE:  34 02 3e 36  19 88 b7 f0
| RCOOKIE:  d5 e3 46 c3  b8 4b 24 9d
| peer:  d5 8f 2d 82
| state hash entry 8
| state object #2 found, in STATE_MAIN_R1
"l2tp-psk-nat"[2] 213.143.45.130:22656 #2: NAT-Traversal: Result using RFC
3947: both are NATed
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *received 108 bytes from 213.143.45.136:24190 on eth0
| ICOOKIE:  34 02 3e 36  19 88 b7 f0
| RCOOKIE:  d5 e3 46 c3  b8 4b 24 9d
| peer:  d5 8f 2d 88
| state hash entry 14
| state object not found
| ICOOKIE:  34 02 3e 36  19 88 b7 f0
| RCOOKIE:  00 00 00 00  00 00 00 00
| peer:  d5 8f 2d 88
| state hash entry 15
| state object not found
packet from 213.143.45.136:24190: Main Mode message is part of an unknown
exchange
| next event EVENT_RETRANSMIT in 9 seconds for #2
|
| *time to handle event
| event after this is EVENT_NAT_T_KEEPALIVE in 10 seconds
| handling event EVENT_RETRANSMIT for 213.143.45.130 "l2tp-psk-nat" #2
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #2
| next event EVENT_NAT_T_KEEPALIVE in 10 seconds

and then, after a while, the iPhone ends up disconnecting :(

If I put my phone on the same local network as the VPN server, everything
goes fine and I get authenticated, but with NAT-T it doesn't work :(
I "NATed" the UDP ports 1701, 4500 and 500 as well.

Any help would be much appreciated :)

Thanks in advance

A lost user :)
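As an added illustration (not part of the original post, and not strongSwan's own code): a small Python script that parses pluto's debug lines of the kind quoted above and reports when packets carrying the same initiator cookie (ICOOKIE) arrive from different source endpoints. That is what the excerpt shows: the first two Main Mode packets come from 213.143.45.130:22656, the third from 213.143.45.136:24190, and pluto finds no state for it and rejects it as part of an unknown exchange. The sample log is a constructed, trimmed copy of the post's lines with the archive's wrapped lines rejoined; the regular expressions match only the message formats visible in the post.

```python
"""Spot mid-exchange source-endpoint changes in pluto (strongSwan 4.x) debug logs."""
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the debug lines from the post above,
# with the archive's wrapped lines rejoined onto single lines.
SAMPLE_LOG = """\
| *received 476 bytes from 213.143.45.130:22656 on eth0
| ICOOKIE:  34 02 3e 36  19 88 b7 f0
| RCOOKIE:  d5 e3 46 c3  b8 4b 24 9d
"l2tp-psk-nat"[2] 213.143.45.130:22656 #2: responding to Main Mode from unknown peer 213.143.45.130:22656
| *received 228 bytes from 213.143.45.130:22656 on eth0
| ICOOKIE:  34 02 3e 36  19 88 b7 f0
| RCOOKIE:  d5 e3 46 c3  b8 4b 24 9d
"l2tp-psk-nat"[2] 213.143.45.130:22656 #2: NAT-Traversal: Result using RFC 3947: both are NATed
| *received 108 bytes from 213.143.45.136:24190 on eth0
| ICOOKIE:  34 02 3e 36  19 88 b7 f0
| RCOOKIE:  d5 e3 46 c3  b8 4b 24 9d
| state object not found
packet from 213.143.45.136:24190: Main Mode message is part of an unknown exchange
"""

# Patterns for the three message formats seen in the post (assumed stable for this log style).
RECV_RE = re.compile(r"\*received (\d+) bytes from (\S+) on (\S+)")
ICOOKIE_RE = re.compile(r"ICOOKIE:\s+([0-9a-f ]+)$")
UNKNOWN_RE = re.compile(r"packet from (\S+): Main Mode message is part of an unknown exchange")


def parse_packets(log_text):
    """Return one dict per '*received' line: size, source endpoint, interface and
    the initiator cookie (ICOOKIE) that pluto printed for that packet."""
    packets = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = RECV_RE.search(line)
        if m:
            packets.append({"size": int(m.group(1)), "src": m.group(2),
                            "iface": m.group(3), "icookie": None})
            continue
        m = ICOOKIE_RE.search(line)
        if m and packets and packets[-1]["icookie"] is None:
            # normalise "34 02 3e ..." to a compact hex string; pluto may print
            # the cookie more than once per packet, so only the first is kept
            packets[-1]["icookie"] = "".join(m.group(1).split())
    return packets


def find_endpoint_changes(packets):
    """Map each ICOOKIE to the distinct source endpoints it was seen from, in order
    of first appearance; only cookies seen from more than one endpoint are kept."""
    seen = OrderedDict()
    for p in packets:
        if p["icookie"] is None:
            continue
        endpoints = seen.setdefault(p["icookie"], [])
        if p["src"] not in endpoints:
            endpoints.append(p["src"])
    return {c: e for c, e in seen.items() if len(e) > 1}


def unknown_exchange_sources(log_text):
    """Source endpoints pluto rejected with 'part of an unknown exchange'."""
    return UNKNOWN_RE.findall(log_text)


def report(log_text):
    """Human-readable findings; each entry is one line."""
    packets = parse_packets(log_text)
    findings = []
    for cookie, endpoints in find_endpoint_changes(packets).items():
        findings.append("ICOOKIE %s seen from %d endpoints: %s"
                        % (cookie, len(endpoints), " -> ".join(endpoints)))
    for src in unknown_exchange_sources(log_text):
        findings.append("pluto rejected a Main Mode message from %s (no matching state)" % src)
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a full /var/log/pluto.log instead of SAMPLE_LOG to check whether every stalled Main Mode exchange shows the same pattern: pluto keys its state lookup on the cookies plus the peer address, so a packet that keeps the ICOOKIE but arrives from a new address and port will not match state #2 and is logged exactly as in the post.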