This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC VPN working fine but...

Lots of stuff in the /var/log/auth log:

repeatedly:

May 16 15:41:33 (none) pluto[28375]: packet from re.mo.te.IP:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
May 16 15:41:33 (none) pluto[28375]: packet from re.mo.te.IP:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
May 16 15:41:33 (none) pluto[28375]: packet from re.mo.te.IP:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 16 15:41:33 (none) pluto[28375]: packet from re.mo.te.IP:4500: initial Main Mode message received on lo.ca.l.IP:4500 but no connection has been authorized

every few seconds - the log is getting big now [:)]

THe VPN is working fine (two tunnels) but just these errors repeating and always the same 3 payload descriptions:
[draft-ietf-ipsec-nat-t-ike-03],
[draft-ietf-ipsec-nat-t-ike-02] and
[draft-ietf-ipsec-nat-t-ike-00]

Thanks

This thread was automatically locked due to age.

Parents

0 Andreas Steffen over 22 years ago

The peer wants to establish NAT-traversal using UDP port 4500. This
means that you must activate NAT-T on ASL 4.x

Regards

Andreas
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 22 years ago in reply to Andreas Steffen

or disable IPSEC passthrough on the access router [;)]

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 norwich over 22 years ago in reply to oliver.desch

Hi,

The VPN is working fine - both ends have T-NAT enabled. Just that the logs are full of these messages....

IPSEC passthrough? Do you mean disable it on one of the Astaro boxes. If so, how do I do that?

Cheers.
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to norwich

No, on the router.
Cancel
Vote Up 0 Vote Down

Cancel
0 norwich over 22 years ago in reply to Simon Shaw

Hi,

Well, I haven't got a router [:)]

One end is an ASL on a T1 - the other is an ASL on an SDSL microwave link. T-NAT is enabled as the SDSL end goes via an ISP proxy NAT.

Without using T-NAT and 'pretending' to have a dynamic IP address on the SDSL end, I get errors due to mismatiching IP addresses (that of the ISP's proxy/NAT).

With TNAT turned on, it works fine - with no log errors coming in. After a while the log errors start but the VPN still works fine.

Would IPSEC passthough on one of the intermediary routers generate these errors but still allow the VPN to work?

Cheers,
peace.
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to norwich

I'd guess it would be the SDSL end thats causing problems.
Does the SDSL box perform NAT-T ?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 22 years ago in reply to norwich

I'd guess it would be the SDSL end thats causing problems.
Does the SDSL box perform NAT-T ?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 norwich over 22 years ago in reply to Simon Shaw

Yes the Astaro box on the SDSL end (the one collecting the entries in the auth log) has NAT-T enabled to get through the ISPs NAT - so it can establish the connection with the US Astaro box (T1).

In fact, both boxes have NAT-T enabled in their respective connection configurations (I'm assuming both ends need it enabled to get through the intermediary NAT).
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to norwich

Weird your ISP NAT's you !
At a loss, try contacting support.
Cancel
Vote Up 0 Vote Down

Cancel
0 pablito over 22 years ago in reply to norwich

Are you sure the ISP NAT is happening somewhere beyond the local access router?  ISPs typically setup NAT on the router they install as most users don't have firewalls.
Can you ask the ISP to turn off NAT and make it a simple router?  They will then give you a real IP and firewalling and NAT is then up to you.
I had microwave which was great.  I only had to ask that the downlink device they installed be set as a normal router as I would do the firewalling.
Cancel
Vote Up 0 Vote Down

Cancel
0 norwich over 22 years ago in reply to pablito

I've already tried that but they say they cannot do that at the mo. (our 'public' ip address is actually a 192.168 number and they NAT it to our published IP address).
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to norwich

That's totally lame of your ISP.
I'd switch ISP.
Cancel
Vote Up 0 Vote Down

Cancel
0 norwich over 22 years ago in reply to Simon Shaw

At the price we're paying for a 2M link, management would rather have us change firewall to accomodate the connection [:(]

Amyway, paying more for a connection when the current one is working fine - just that it fills up the logs with these messages - isn't really on. I was just trying to work out what was causing them.
Cancel
Vote Up 0 Vote Down

Cancel