#59 NAT_T Problem

closed
nobody
None
5
2009-01-16
2007-01-28
Anonymous
No

When NAT_T is configured, racoon fails on the following:

Jan 26 18:34:21 fedora racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
Jan 26 18:34:21 fedora racoon: INFO: @(#)This product linked OpenSSL 0.9.8b 04 May 2006 (http://www.openssl.org/)
Jan 26 18:34:22 fedora racoon: INFO: 70.137.xxx.xxx[4500] used as isakmp port (fd=7)
Jan 26 18:34:22 fedora racoon: INFO: 70.137.xxx.xxx[4500] used for NAT-T
Jan 26 18:34:22 fedora racoon: INFO: 70.137.xxx.xxx[500] used as isakmp port (fd=8)
Jan 26 18:34:22 fedora racoon: INFO: 70.137.xxx.xxx[500] used for NAT-T
Jan 26 18:34:27 fedora racoon: INFO: IPsec-SA request for 208.57.xxx.xxx queued due to no phase1 found.
Jan 26 18:34:27 fedora racoon: INFO: initiate new phase 1 negotiation: 70.137.xxx.xxx[500]<=>208.57.xxx.xxx[500]
Jan 26 18:34:27 fedora racoon: INFO: begin Aggressive mode.
Jan 26 18:34:28 fedora racoon: INFO: received Vendor ID: RFC 3947
Jan 26 18:34:28 fedora racoon: INFO: received Vendor ID: DPD
Jan 26 18:34:28 fedora racoon: INFO: Selected NAT-T version: RFC 3947
Jan 26 18:34:28 fedora racoon: INFO: Hashing 70.137.xxx.xxx[500] with algo #2
Jan 26 18:34:28 fedora racoon: INFO: NAT-D payload #-1 verified
Jan 26 18:34:28 fedora racoon: INFO: Hashing 208.57.xxx.xxx[500] with algo #2
Jan 26 18:34:28 fedora racoon: INFO: NAT-D payload #0 doesn't match
Jan 26 18:34:28 fedora racoon: INFO: NAT detected: PEER
Jan 26 18:34:28 fedora racoon: INFO: KA list add: 70.137.xxx.xxx[4500]->208.57.xxx.xxx[4500]
Jan 26 18:34:28 fedora racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 26 18:34:28 fedora racoon: INFO: Adding remote and local NAT-D payloads.
Jan 26 18:34:28 fedora racoon: INFO: Hashing 208.57.xxx.xxx[4500] with algo #2
Jan 26 18:34:28 fedora racoon: INFO: Hashing 70.137.xxx.xxx[4500] with algo #2
Jan 26 18:34:28 fedora racoon: INFO: ISAKMP-SA established 70.137.xxx.xxx[4500]-208.57.xxx.xxx[4500] spi:956239d11dcc9fc2:dfcb5e3240fb0b68
Jan 26 18:34:28 fedora racoon: INFO: initiate new phase 2 negotiation: 70.137.xxx.xxx[4500]<=>208.57.xxx.xxx[4500]
Jan 26 18:34:28 fedora racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jan 26 18:34:28 fedora racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jan 26 18:34:28 fedora racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jan 26 18:34:28 fedora racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jan 26 18:34:28 fedora racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jan 26 18:34:28 fedora racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jan 26 18:34:28 fedora racoon: ERROR: libipsec failed send update_nat (No algorithm specified)
Jan 26 18:34:28 fedora racoon: ERROR: pfkey update failed.
Jan 26 18:34:28 fedora racoon: ERROR: failed to process packet.
Jan 26 18:34:28 fedora racoon: ERROR: phase2 negotiation failed.

Configuration is per NAT_T specs:

timer
{
    natt_keepalive 20sec;
}

listen
{
    isakmp 192.168.0.100[500];
    isakmp_natt 192.168.0.100[4500];
}

remote 70.137.xxx.xxx {
    exchange_mode aggressive, main;
    my_identifier address;
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
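
The "Hashing ... with algo #2", "NAT-D payload #0 doesn't match" and "NAT detected: PEER" lines in the log above are the RFC 3947 NAT discovery check. The following is an added example, not part of the original report and not racoon's own code, that reproduces that check. The cookies come from the spi: field in the log, SHA-1 follows the posted hash_algorithm sha1 setting, and the three addresses are constructed because the report masks the real ones.

```python
import hashlib
import ipaddress
import struct

def natd_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def build_natd(cky_i, cky_r, dst, sources):
    """Sender: first payload covers the packet's destination, the rest its possible sources."""
    return [natd_hash(cky_i, cky_r, *dst)] + [natd_hash(cky_i, cky_r, *s) for s in sources]

def detect_nat(cky_i, cky_r, payloads, my_addr, seen_peer):
    """Receiver: compare received payloads with hashes of the addresses it actually sees."""
    behind_nat = set()
    if payloads[0] != natd_hash(cky_i, cky_r, *my_addr):
        behind_nat.add("ME")      # peer addressed something other than my real address
    if natd_hash(cky_i, cky_r, *seen_peer) not in payloads[1:]:
        behind_nat.add("PEER")    # packet source differs from every address the peer claimed
    return behind_nat

# Cookies (initiator:responder) from the spi: field of the "ISAKMP-SA established" log line.
CKY_I = bytes.fromhex("956239d11dcc9fc2")
CKY_R = bytes.fromhex("dfcb5e3240fb0b68")

# Constructed addresses (the report masks the real ones).
LOCAL = ("198.51.100.10", 500)       # this host, publicly reachable
PEER_PRIVATE = ("10.0.0.5", 500)     # peer's own interface address
PEER_PUBLIC = ("203.0.113.20", 500)  # peer as seen after its NAT device

def demo():
    # Peer builds its NAT-D payloads from the addresses it knows about.
    from_peer = build_natd(CKY_I, CKY_R, dst=LOCAL, sources=[PEER_PRIVATE])
    natted = detect_nat(CKY_I, CKY_R, from_peer, LOCAL, PEER_PUBLIC)
    direct = detect_nat(CKY_I, CKY_R, from_peer, LOCAL, PEER_PRIVATE)
    return natted, direct

if __name__ == "__main__":
    print(demo())  # ({'PEER'}, set())
```

The first result corresponds to the logged case: the hash of the local address verifies, the hash of the peer's observed address matches none of its payloads, so only the peer is marked as behind NAT.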

Discussion

  • Logged In: NO

    I can be reached at azguy987@yahoo.com

     
  • Timo Teras
    2009-01-16

    • status: open --> closed
     
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.