(racoon 771) AW: Problems with NAT-T using WinXP SP1 IPSec/L2TP client...please?
- To: racoon@orange.kame.net
- Subject: (racoon 771) AW: Problems with NAT-T using WinXP SP1 IPSec/L2TP client...please?
- From: Lockenvitz Jan EXT <Jan.Lockenvitz.extern@icn.siemens.de>
- Date: Wed, 22 Sep 2004 09:45:31 +0200
- Reply-to: racoon@kame.net
- Sender: owner-racoon@kame.net
Hi,
I'm sorry I can't help you with this reply.
I only want to mention I have the same problem.
When I test it with certificates it's not working. But until
now I did not test it without NAT.
The only way it's working with NAT is when I used PSK, but
this does not suit my needs!
With RSA it looks like this:
- ISAKMP (phase 1) starts and is going fine up to the Key Exchange
- now the racoon server sends a Certificate request, but this is not
answered by the windows machine
- on the windows machine I installed the CA-Certificate and the one
of the windows PC (with SP2) itself
Is the constellation windows --> racoon working anywhere? Then please
provide some example configs.
Thanx in advance,
Jan
> -----Original Message-----
> From: owner-racoon@kame.net [mailto:owner-racoon@kame.net] On
> Behalf Of Matt Dittbenner
> Sent: Tuesday, 21 September 2004 23:27
> To: racoon@orange.kame.net
> Subject: (racoon 766) Problems with NAT-T using WinXP SP1
> IPSec/L2TP client...please?
>
>
> Hello,
>
> I've been struggling with the configuration files for a while now and
> think I am SO close. I have no problems connecting when there is no NAT
> happening, but I can't seem to get the NAT to work (I had SP2 and
> uninstalled that in order to just install the 818043 update to see if
> that would work better....it didn't). Hopefully, someone can help me
> out...I've been trying to fix this for a week and I just want to get
> this working.
>
> I would REALLY appreciate the aid.... :D
>
> Matt
>
>
> This is my network (example):
>
> 192.168.1.47     192.168.1.1 & 192.168.2.1         192.168.2.2
> +--------+              ############               +--------+
> | WinXP  | -----------> # Firewall # ------------> | Racoon |
> | Client |              #    &     #               |  VPN   |
> +--------+              #   NAT    #               +--------+
>                         ############
>
>
> Here is my ipsec.conf:
> =========================================
> #!/usr/sbin/setkey -f
>
> flush;
> spdflush;
>
> spdadd 192.168.2.2 0.0.0.0 any
> -P out ipsec esp/transport//require;
>
> spdadd 0.0.0.0 192.168.2.2 any
> -P in ipsec esp/transport//require;
> =========================================
>
> Here is my racoon.conf
> =========================================
> # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
>
> # "path" must be placed before it should be used.
> # You can overwrite which you defined, but it should not use due to confusing.
> path include "/etc/racoon";
> #include "remote.conf";
>
> # search this file for pre_shared_key with various ID key.
> path pre_shared_key "/etc/racoon/psk.txt";
>
> # racoon will look for certificate file in the directory,
> # if the certificate/certificate request payload is received.
> path certificate "/etc/cert";
>
> # "log" specifies logging level. It is followed by either "notify", "debug"
> # or "debug2".
> #log debug;
>
> # "padding" defines some parameter of padding. You should not touch these.
> padding {
> maximum_length 20; # maximum padding length.
> randomize off; # enable randomize length.
> strict_check off; # enable strict check.
> exclusive_tail off; # extract last one octet.
> }
>
> # if no listen directive is specified, racoon will listen to all
> # available interface addresses.
> listen {
> #isakmp ::1 [7000];
> #isakmp 202.249.11.124 [500];
> #admin [7002]; # administrative's port by kmpstat.
> #strict_address; # required all addresses must be bound.
> isakmp 192.168.2.2 [500];
> isakmp_natt 192.168.2.2 [4500];
> }
>
> # Specification of default various timer.
> timer {
> # These value can be changed per remote node.
> counter 5; # maximum trying count to send.
> interval 20 sec; # maximum interval to resend.
> persend 1; # the number of packets per a send.
>
> # timer for waiting to complete each phase.
> phase1 30 sec;
> phase2 15 sec;
> }
>
> remote anonymous {
> exchange_mode main;
> generate_policy on;
> passive on;
> nat_traversal force;
>
> my_identifier asn1dn;
> peers_identifier asn1dn;
> certificate_type x509 "vpngateway.cert" "vpngateway.key";
> verify_cert on;
>
> #nonce_size 16;
> #initial_contact on;
> #proposal_check obey; # obey, strict or claim
>
> proposal {
> encryption_algorithm 3des;
> hash_algorithm md5;
> authentication_method rsasig;
> dh_group modp1024;
> }
> }
>
> sainfo anonymous {
> #lifetime time 28800 sec;
> #pfs_group modp1024; #for some reason, this breaks the windows client for me
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> }
> =========================================
>
> and here is the syslog output when i try to connect over NAT:
> =========================================
> Sep 21 15:57:39 vpn racoon: INFO: respond new phase 1 negotiation: 192.168.2.2[500]<=>192.168.2.1[500]
> Sep 21 15:57:39 vpn racoon: INFO: begin Identity Protection mode.
> Sep 21 15:57:39 vpn racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
> Sep 21 15:57:39 vpn racoon: INFO: ISAKMP-SA established 192.168.2.2[500]-192.168.2.1[500] spi:0dcfd58cfad7bea6:206fdf658213a2d4
> Sep 21 15:57:39 vpn racoon: INFO: respond new phase 2 negotiation: 192.168.2.2[0]<=>192.168.2.1[0]
> Sep 21 15:57:39 vpn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.1->192.168.2.2 spi=195383624(0xba55148)
> Sep 21 15:57:39 vpn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.2->192.168.2.1 spi=585058092(0x22df472c)
> Sep 21 15:57:58 vpn racoon: INFO: purged IPsec-SA proto_id=ESP spi=585058092.
> Sep 21 15:57:58 vpn racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=0dcfd58cfad7bea6:206fdf658213a2d4.
> Sep 21 15:57:59 vpn racoon: INFO: ISAKMP-SA deleted 192.168.2.2[500]-192.168.2.1[500] spi:0dcfd58cfad7bea6:206fdf658213a2d4
> =========================================
>
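The syslog excerpt Matt quoted carries two facts that are easy to miss when the lines are read one at a time: the phase-1 SA was negotiated on UDP 500 at both ends (an exchange that floated to the NAT-T port would show 4500), and both the ISAKMP-SA and the ESP SA were purged 19 seconds after being established. The script below is an added example written for this thread, not racoon code or anything from the KAME project: it parses the quoted log lines (re-joined into one line each and embedded as sample input), pairs each "established" message with its "purged" message by SPI, reports SA lifetimes, and notes whether any phase-1 SA ever used port 4500. The regular expressions match only the message formats visible in the thread, and the 60-second "short SA" threshold is an assumption chosen here for triage.

```python
"""Summarise a racoon syslog excerpt: pair SA set-up with tear-down by SPI
and check whether phase 1 ever ran on the NAT-T port (UDP 4500).

Added example for the racoon thread above; not racoon/KAME code.
Sample input: the log lines posted in the thread, re-joined one per line.
"""
import re
from datetime import datetime

RACOON_LOG = """\
Sep 21 15:57:39 vpn racoon: INFO: respond new phase 1 negotiation: 192.168.2.2[500]<=>192.168.2.1[500]
Sep 21 15:57:39 vpn racoon: INFO: begin Identity Protection mode.
Sep 21 15:57:39 vpn racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Sep 21 15:57:39 vpn racoon: INFO: ISAKMP-SA established 192.168.2.2[500]-192.168.2.1[500] spi:0dcfd58cfad7bea6:206fdf658213a2d4
Sep 21 15:57:39 vpn racoon: INFO: respond new phase 2 negotiation: 192.168.2.2[0]<=>192.168.2.1[0]
Sep 21 15:57:39 vpn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.1->192.168.2.2 spi=195383624(0xba55148)
Sep 21 15:57:39 vpn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.2->192.168.2.1 spi=585058092(0x22df472c)
Sep 21 15:57:58 vpn racoon: INFO: purged IPsec-SA proto_id=ESP spi=585058092.
Sep 21 15:57:58 vpn racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=0dcfd58cfad7bea6:206fdf658213a2d4.
Sep 21 15:57:59 vpn racoon: INFO: ISAKMP-SA deleted 192.168.2.2[500]-192.168.2.1[500] spi:0dcfd58cfad7bea6:206fdf658213a2d4
"""

# Syslog prefix: "Mon DD HH:MM:SS host racoon: LEVEL: message"
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ racoon: (\w+): (.*)$")
# Phase-1 SA: "ISAKMP-SA established A[port]-B[port] spi:cookie_i:cookie_r"
PHASE1_RE = re.compile(r"ISAKMP-SA established ([\d.]+)\[(\d+)\]-([\d.]+)\[(\d+)\] spi:(\S+)")
# Phase-2 SA: "IPsec-SA established: ESP/Transport A->B spi=decimal(hex)"
PHASE2_RE = re.compile(r"IPsec-SA established: (\S+) ([\d.]+)->([\d.]+) spi=(\d+)\(")
# Tear-down: "purged ISAKMP-SA ... spi=..." / "purged IPsec-SA ... spi=..."
PURGE_RE = re.compile(r"purged (ISAKMP|IPsec)-SA proto_id=\w+ spi=([0-9a-f:]+)\.")

# Assumption for triage: an SA torn down this soon after set-up is worth a look.
SHORT_SA_SECONDS = 60


def _ts(text):
    # Syslog timestamps carry no year; only differences are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_racoon_log(text):
    """Return {'isakmp': {spi: rec}, 'ipsec': {spi: rec}}; each rec holds the
    establish/purge timestamps and, for phase 1, the UDP ports seen."""
    sas = {"isakmp": {}, "ipsec": {}}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = _ts(m.group(1)), m.group(3)
        p1 = PHASE1_RE.search(msg)
        p2 = PHASE2_RE.search(msg)
        pg = PURGE_RE.search(msg)
        if p1:
            sas["isakmp"][p1.group(5)] = {
                "established": ts, "purged": None,
                "ports": (int(p1.group(2)), int(p1.group(4))),
            }
        elif p2:
            sas["ipsec"][p2.group(4)] = {
                "established": ts, "purged": None,
                "flow": f"{p2.group(2)}->{p2.group(3)}",
            }
        elif pg:
            kind = "isakmp" if pg.group(1) == "ISAKMP" else "ipsec"
            rec = sas[kind].get(pg.group(2))
            if rec is not None:  # ignore purges for SAs we never saw set up
                rec["purged"] = ts
    return sas


def sa_lifetimes(sas):
    """Seconds each SA lived, or None when no purge line was logged for it."""
    out = {}
    for kind in ("isakmp", "ipsec"):
        for spi, rec in sas[kind].items():
            if rec["purged"] is None:
                out[spi] = None
            else:
                out[spi] = (rec["purged"] - rec["established"]).total_seconds()
    return out


def natt_port_seen(sas):
    """True if any phase-1 SA was established on UDP 4500 at either end."""
    return any(4500 in rec["ports"] for rec in sas["isakmp"].values())


def findings(text):
    """Human-readable triage notes for the excerpt."""
    sas = parse_racoon_log(text)
    notes = []
    if not natt_port_seen(sas):
        notes.append("no phase-1 SA on UDP 4500: the exchange never floated to the NAT-T port")
    for spi, secs in sa_lifetimes(sas).items():
        if secs is not None and secs < SHORT_SA_SECONDS:
            notes.append(f"SA {spi} purged {secs:.0f}s after establishment")
    return notes


if __name__ == "__main__":
    for note in findings(RACOON_LOG):
        print(note)
```

Run it as-is to triage the quoted excerpt, or feed it `grep racoon /var/log/syslog` output for a live gateway; the lifetime pairing only works for SAs whose "established" line is in the same excerpt as the "purged" line.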