
VPN (racoon) problem if client is behind NAT router



Hello folks,

I've been trying to set up racoon in order to enable a VPN service for the following scenario: client behind NAT router (D-Link 624 Router) and server not behind NAT router. Client is WinXP default IPSec/L2TP client. Server is running racoon/l2tpd. Everything works fine if the client is not behind the NAT router. But l2tpd does not answer if the client is behind the NAT router.

Here is the output presented by tcpdump on the server side when the client is behind the NAT router:

--> tcpdump is started at server side...
# tcpdump -i eth0 host dlink_router_IP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

--> client is behind NAT dlink router pinging server_IP.
13:23:31.291663 IP dlink_router_IP > server_IP: icmp 40: echo request seq 52993
13:23:31.293445 IP server_IP > dlink_router_IP: icmp 40: echo reply seq 52993
13:23:32.285920 IP dlink_router_IP > server_IP: icmp 40: echo request seq 53249
13:23:32.285938 IP server_IP > dlink_router_IP: icmp 40: echo reply seq 53249
13:23:33.285931 IP dlink_router_IP > server_IP: icmp 40: echo request seq 53505
13:23:33.285956 IP server_IP > dlink_router_IP: icmp 40: echo reply seq 53505
13:23:34.285783 IP dlink_router_IP > server_IP: icmp 40: echo request seq 53761
13:23:34.285798 IP server_IP > dlink_router_IP: icmp 40: echo reply seq 53761

--> client initiates IKE phase 1.
13:49:13.144062 IP dlink_router_IP.isakmp > server_IP.isakmp: isakmp: phase 1 I ident
13:49:13.152734 IP server_IP.isakmp > dlink_router_IP.isakmp: isakmp: phase 1 R ident
13:49:13.245675 IP dlink_router_IP.isakmp > server_IP.isakmp: isakmp: phase 1 I ident
13:49:13.269127 IP server_IP.isakmp > dlink_router_IP.isakmp: isakmp: phase 1 R ident
13:49:13.468262 IP dlink_router_IP.isakmp > server_IP.isakmp: isakmp: phase 1 I ident[E]
13:49:13.468334 IP dlink_router_IP > server_IP: udp
13:49:13.518407 IP server_IP.isakmp > dlink_router_IP.isakmp: isakmp: phase 1 R ident[E]

--> server initiates IKE phase 2.
13:49:13.521139 IP server_IP.isakmp > dlink_router_IP.isakmp: isakmp: phase 2/others R inf[E]
13:49:13.542921 IP dlink_router_IP.isakmp > server_IP.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:49:13.589755 IP server_IP.isakmp > dlink_router_IP.isakmp: isakmp: phase 2/others R oakley-quick[E]
13:49:13.592939 IP dlink_router_IP.isakmp > server_IP.isakmp: isakmp: phase 2/others I oakley-quick[E]

--> client sends messages using ESP transport but receives no answer from l2tpd.
13:49:13.593924 IP dlink_router_IP > server_IP: ESP(spi=0x09f97a93,seq=0x1)
13:49:14.584549 IP dlink_router_IP > server_IP: ESP(spi=0x09f97a93,seq=0x2)
13:49:16.583697 IP dlink_router_IP > server_IP: ESP(spi=0x09f97a93,seq=0x3)
13:49:20.585038 IP dlink_router_IP > server_IP: ESP(spi=0x09f97a93,seq=0x4)
13:49:28.585377 IP dlink_router_IP > server_IP: ESP(spi=0x09f97a93,seq=0x5)
13:49:38.585972 IP dlink_router_IP > server_IP: ESP(spi=0x09f97a93,seq=0x6)

--> client gives up and terminates IKE phase 2.
13:49:48.854691 IP dlink_router_IP.isakmp > server_IP.isakmp: isakmp: phase 2/others I inf[E]
13:49:48.866354 IP dlink_router_IP.isakmp > server_IP.isakmp: isakmp: phase 2/others I inf[E]

And here is the output presented by racoon in /var/log/messages on the server side in the same scenario:

--> IKE phase 1 is started.
Jul 30 13:49:13 obaluae racoon: INFO: respond new phase 1 negotiation: server_IP[500]<=>dlink_router_IP[500]
Jul 30 13:49:13 obaluae racoon: INFO: begin Identity Protection mode.
Jul 30 13:49:13 obaluae racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Jul 30 13:49:13 obaluae racoon: INFO: ISAKMP-SA established server_IP[500]-dlink_router_IP[500] spi:d2e4585e9751a21e:698c5fdffa170895

--> IKE phase 2 is started. Policies are generated automatically (racoon option: generate_policy on).
Jul 30 13:49:13 obaluae racoon: INFO: respond new phase 2 negotiation: server_IP[0]<=>dlink_router_IP[0]
Jul 30 13:49:13 obaluae racoon: INFO: no policy found, try to generate the policy : client_IP/32[1701] server_IP/32[1701] proto=udp dir=in
Jul 30 13:49:13 obaluae racoon: INFO: IPsec-SA established: ESP/Transport dlink_router_IP->server_IP spi=167344787(0x9f97a93)
Jul 30 13:49:13 obaluae racoon: INFO: IPsec-SA established: ESP/Transport server_IP->dlink_router_IP spi=437994050(0x1a1b4242)
Jul 30 13:49:13 obaluae racoon: ERROR: such policy does not already exist: client_IP/32[1701] server_IP/32[1701] proto=udp dir=in
Jul 30 13:49:13 obaluae racoon: ERROR: such policy does not already exist: server_IP/32[1701] client_IP/32[1701] proto=udp dir=out

--> client gives up and terminates IKE phase 2.
Jul 30 13:49:48 obaluae racoon: INFO: purged IPsec-SA proto_id=ESP spi=437994050.
Jul 30 13:49:48 obaluae racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=d2e4585e9751a21e:698c5fdffa170895.
Jul 30 13:49:49 obaluae racoon: INFO: ISAKMP-SA deleted server_IP[500]-dlink_router_IP[500] spi:d2e4585e9751a21e:698c5fdffa170895

Does anyone know why the packets transported by ESP are not forwarded to l2tpd?

Thanks in advance,

Anderson Oliveira.

IT Support Team
Computer Science Department
Catholic University - Rio de Janeiro - RJ - Brazil
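As an added diagnostic (not part of the original post and not racoon's own code), the following script reads racoon log lines of the kind shown above and flags the symptom in them: the inbound transport-mode IPsec-SA is keyed on the NAT router's outer address, while the automatically generated inbound policy names the client's private address, so the two never match. The addresses and hostname in the sample log are constructed placeholders.

```python
import re

# Constructed sample modelled on the racoon log in the post above
# (placeholder addresses; not the original log).
SAMPLE_LOG = """\
Jul 30 13:49:13 host racoon: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:0000
Jul 30 13:49:13 host racoon: INFO: no policy found, try to generate the policy : 192.168.0.10/32[1701] 203.0.113.1/32[1701] proto=udp dir=in
Jul 30 13:49:13 host racoon: INFO: IPsec-SA established: ESP/Transport 198.51.100.7->203.0.113.1 spi=167344787(0x9f97a93)
Jul 30 13:49:13 host racoon: INFO: IPsec-SA established: ESP/Transport 203.0.113.1->198.51.100.7 spi=437994050(0x1a1b4242)
Jul 30 13:49:13 host racoon: ERROR: such policy does not already exist: 192.168.0.10/32[1701] 203.0.113.1/32[1701] proto=udp dir=in
"""

# "IPsec-SA established: ESP/<mode> <src>-><dst> spi=..."
SA_RE = re.compile(r"IPsec-SA established: ESP/(\w+) ([\d.]+)->([\d.]+) spi=")
# "try to generate the policy : <src>/32[port] <dst>/32[port] proto=udp dir=in"
POLICY_RE = re.compile(
    r"generate the policy : ([\d.]+)/\d+\[\d+\] ([\d.]+)/\d+\[\d+\] proto=\w+ dir=(in|out)"
)


def find_nat_mismatch(log):
    """Return (sa_src, policy_src) pairs where an inbound transport-mode SA
    and an inbound generated policy share the local destination but disagree
    on the peer address. That is exactly the behind-NAT case: the SA sees the
    router's public address, the policy carries the client's inner address,
    so decrypted ESP payloads match no SPD entry and never reach l2tpd."""
    policies = []  # (src, dst) of inbound policies racoon generated
    sas = []       # (src, dst) of transport-mode ESP SAs
    for line in log.splitlines():
        m = POLICY_RE.search(line)
        if m and m.group(3) == "in":
            policies.append((m.group(1), m.group(2)))
        m = SA_RE.search(line)
        if m and m.group(1) == "Transport":
            sas.append((m.group(2), m.group(3)))
    mismatches = []
    for sa_src, sa_dst in sas:
        for pol_src, pol_dst in policies:
            # same local endpoint, different remote endpoint -> NAT mismatch
            if sa_dst == pol_dst and sa_src != pol_src:
                mismatches.append((sa_src, pol_src))
    return mismatches


if __name__ == "__main__":
    for router_ip, client_ip in find_nat_mismatch(SAMPLE_LOG):
        print(f"SA peer {router_ip} != policy peer {client_ip}: NAT in path")
```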


