(racoon 776) Re: AW: Problems with NAT-T using WinXP SP1 IPSec/L2TP c lient...please?

[Matt Dittbenner <mbditt@plauditdesign.com>]

Jan,

Also, I haven't been able to get NAT working at all, ever. Could you 
send all your configuration files, so I can check for some differences 
or even just try using your exact set-up or something? I can't get it to 
work in any fashion over NAT and its really irking me!

If anyone has any tips, ideas, or checks I should do in order to find 
why this isn't working, I'd really appreciate the help. I'll summarize 
my previous message (probably below in its entirety). I can't get VPN 
over NAT to work. I am using X.509 certificates for IPSec authentication 
and everything works without NAT in the way. I have a firewall & NAT box 
in between the 2 machines, client is Windows XP and server is Linux 2.6. 
See original message for details.

Thanks,
Matt

Lockenvitz Jan EXT wrote:

> Hi,
>
> I'm sorry i can't help you with this reply.
>
> I only want to mention i have the same problem.
>
> When I test it with certificates it's not working. But until 
> now I did not test it without NAT.
> The only way it's working with NAT is when i used PSK, but 
> this does not suit my needs!
>
> With RSA it looks like this:
>
> - ISAKMP (pjase 1) start and is going fine up to the Key Exchange
> - now the racoon server sends Certificat request, but this is not 
>  answered by the windows machine
> - on the windows machine I installed the CA-Certificate an the one 
>  of the windows PC (with SP2) itself
>
> Is the constellation windows --> racoon working anywhere? Then please
> provide some example configs.
>
> Thanx in advance,
> Jan 
>
>
>  
>
> > -----Ursprüngliche Nachricht-----
> > Von: owner-racoon@kame.net [mailto:owner-racoon@kame.net] Im 
> > Auftrag von Matt Dittbenner
> > Gesendet: Dienstag, 21. September 2004 23:27
> > An: racoon@orange.kame.net
> > Betreff: (racoon 766) Problems with NAT-T using WinXP SP1 
> > IPSec/L2TP client...please?
> >
> >
> > Hello,
> >
> > I've been struggling with the configuration files for a while now and 
> > think I am SO close. I have no problems connecting when there 
> > is no NAT 
> > happening, but I can't seem to get the NAT to work (I had SP2 and 
> > uninstalled that in order to just install the 818043 update to see if 
> > that would work better....it didn't). Hopefully, someone can help me 
> > out...I've been trying to fix this for a week and I just want to get 
> > this working.
> >
> > I would REALLY appreciate the aid.... :D
> >
> > Matt
> >
> >
> > This is my network (example):
> >
> > 192.168.1.47   192.168.1.1 & 192.168.2.1        192.168.2.2
> > +--------+           ############              +--------+
> > | WinXP  | --------> # Firewall # -----------> | Racoon |
> > | Client |           #    &     #              |  VPN   |
> > +--------+           #   NAT    #              +--------+
> >                      ############
> >
> >
> > Here is my ipsec.conf:
> > =========================================
> > #!/usr/sbin/setkey -f
> >
> > flush;
> > spdflush;
> >
> > spdadd 192.168.2.2 0.0.0.0 any
> >    -P out ipsec esp/transport//require;
> >
> > spdadd 0.0.0.0 192.168.2.2 any
> >    -P in ipsec esp/transport//require;
> > =========================================
> >
> > Here is my racoon.conf
> > =========================================
> > # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
> >
> > # "path" must be placed before it should be used.
> > # You can overwrite which you defined, but it should not use due to 
> > confusing.
> > path include "/etc/racoon";
> > #include "remote.conf";
> >
> > # search this file for pre_shared_key with various ID key.
> > path pre_shared_key "/etc/racoon/psk.txt";
> >
> > # racoon will look for certificate file in the directory,
> > # if the certificate/certificate request payload is received.
> > path certificate "/etc/cert";
> >
> > # "log" specifies logging level.  It is followed by either 
> > "notify", "debug"
> > # or "debug2".
> > #log debug;
> >
> > # "padding" defines some parameter of padding.  You should 
> > not touch these.
> > padding {
> >        maximum_length 20;      # maximum padding length.
> >        randomize off;          # enable randomize length.
> >        strict_check off;       # enable strict check.
> >        exclusive_tail off;     # extract last one octet.
> > }
> >
> > # if no listen directive is specified, racoon will listen to all
> > # available interface addresses.
> > listen {
> >        #isakmp ::1 [7000];
> >        #isakmp 202.249.11.124 [500];
> >        #admin [7002];          # administrative's port by kmpstat.
> >        #strict_address;        # required all addresses must 
> > be bound.
> >        isakmp 192.168.2.2 [500];
> >        isakmp_natt 192.168.2.2 [4500];
> > }
> >
> > # Specification of default various timer.
> > timer {
> >        # These value can be changed per remote node.
> >        counter 5;              # maximum trying count to send.
> >        interval 20 sec;        # maximum interval to resend.
> >        persend 1;              # the number of packets per a send.
> >
> >        # timer for waiting to complete each phase.
> >        phase1 30 sec;
> >        phase2 15 sec;
> > }
> >
> > remote anonymous {
> >        exchange_mode main;
> >        generate_policy on;
> >        passive on;
> >        nat_traversal force;
> >
> >        my_identifier asn1dn;
> >        peers_identifier asn1dn;
> >        certificate_type x509 "vpngateway.cert" "vpngateway.key";
> >        verify_cert on;
> >
> >        #nonce_size 16;
> >        #initial_contact on;
> >        #proposal_check obey;   # obey, strict or claim
> >
> >        proposal {
> >                encryption_algorithm 3des;
> >                hash_algorithm md5;
> >                authentication_method rsasig;
> >                dh_group modp1024;
> >        }
> > }
> >
> > sainfo anonymous {
> >        #lifetime time 28800 sec;
> >        #pfs_group modp1024; #for some reason, this breaks 
> > the windows 
> > client for me
> >        encryption_algorithm 3des;
> >        authentication_algorithm hmac_md5;
> >        compression_algorithm deflate;
> > }
> > =========================================
> >
> > and here is the syslog output when i try to connect over NAT:
> > =========================================
> > Sep 21 15:57:39 vpn racoon: INFO: respond new phase 1 negotiation: 
> > 192.168.2.2[500]<=>192.168.2.1[500]
> > Sep 21 15:57:39 vpn racoon: INFO: begin Identity Protection mode.
> > Sep 21 15:57:39 vpn racoon: INFO: received Vendor ID: MS NT5 
> > ISAKMPOAKLEY
> > Sep 21 15:57:39 vpn racoon: INFO: ISAKMP-SA established 
> > 192.168.2.2[500]-192.168.2.1[500] 
> > spi:0dcfd58cfad7bea6:206fdf658213a2d4
> > Sep 21 15:57:39 vpn racoon: INFO: respond new phase 2 negotiation: 
> > 192.168.2.2[0]<=>192.168.2.1[0]
> > Sep 21 15:57:39 vpn racoon: INFO: IPsec-SA established: ESP/Transport 
> > 192.168.2.1->192.168.2.2 spi=195383624(0xba55148)
> > Sep 21 15:57:39 vpn racoon: INFO: IPsec-SA established: ESP/Transport 
> > 192.168.2.2->192.168.2.1 spi=585058092(0x22df472c)
> > Sep 21 15:57:58 vpn racoon: INFO: purged IPsec-SA proto_id=ESP 
> > spi=585058092.
> > Sep 21 15:57:58 vpn racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP 
> > spi=0dcfd58cfad7bea6:206fdf658213a2d4.
> > Sep 21 15:57:59 vpn racoon: INFO: ISAKMP-SA deleted 
> > 192.168.2.2[500]-192.168.2.1[500] 
> > spi:0dcfd58cfad7bea6:206fdf658213a2d4
> > =========================================
> >
> >    
>
>