This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NAT-T and IKE rekeying

I have VPN net-to-net tunel with one peer nated (two Astaro boxes 5.102). I use RSA keys with FQDN as ID. The VPN is established without any problems, but if the IKE SA expires (7200sec) the VPN is broken. Following messages are recorded every 40 sec in IPSec VPN log:
packet from 193.165.232.148:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 193.165.232.148:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from 193.165.232.148:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 193.165.232.148:4500: initial Main Mode message received on 10.0.0.101:4500 but no connection has been authorized with policy=RSASIG
Similar problem was discussed on Open/Swan forum and resolved by a patch (http://lists.virus.org/users-openswan-0410/msg00281.html)
Any sugestions?
Thanks
Karel

This thread was automatically locked due to age.

Parents

0 Mischel over 20 years ago

I have the same problem with RSA keys if the IKE SA expires... One of the remote site have no public ip address. I use Nat-T option.

local network---ASL(public IP)- - -INET - - - router(public IP)---ASL(Private IP)---Local network.

If use PSK authentication of remote Station, then VPN tunel works fine.

Mischel
Cancel
Vote Up 0 Vote Down

Cancel
0 Xeno over 20 years ago in reply to Mischel

Could you please try with X509? If that's a bug, maybe it does not appear with X509?

Xeno
Cancel
Vote Up 0 Vote Down

Cancel
0 Mischel over 20 years ago in reply to Xeno

X509 = not work-problem, if the IKE SA expires
RSA = not work- problem, if the IKE SA expires
PSK = work only one VPN, more VPN not work- problem, if the IKE SA expires
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Mischel over 20 years ago in reply to Xeno

X509 = not work-problem, if the IKE SA expires
RSA = not work- problem, if the IKE SA expires
PSK = work only one VPN, more VPN not work- problem, if the IKE SA expires
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 bagira over 20 years ago in reply to Mischel

How many tunnels do you use on that machine? Are there more than one dynamic endpoints? If so, you cannot use different keys (RSA/PSK) for those connections. Please post more details about the configuration!
/bagira
Cancel
Vote Up 0 Vote Down

Cancel
0 Kavi over 20 years ago in reply to bagira

I tested it with only one active VPN, with X509 cert and then with RSA keys - the same problem. The VPN is etablished without any problem but is broken when IKE Main Mode rekeying is initiated. During this 2 hour period  VPN works fine and also the Quick Mode is initiated and SA is established without error.
My configuration:
Local network (central) --- ASL box -- (Public IP) --- Internet ---  (Public IP) --- ADSL modem --- (private IP) --- ASL box --- Local network (branch)

Now I solved the problem:
On the central ASL box I set the remote peer address of the branch office as dynamic (even if it is static).
Now I have three VPNs from central point to 3 branch offices, two of them  are behind ADSL modem  (NAT) and it works fine for  48 hours. But I thing this is not a correct solution, it can be a bug in ASL.
Karel
Cancel
Vote Up 0 Vote Down

Cancel
0 Mischel over 20 years ago in reply to bagira

My configuration :

Computer_1: ASL 4.025, public IP on external interface
Computer_2: ASL 5.102, private IP on external interface

I tested Authentication of remote station with X509, PSK, RSA key.
I tested 1,2 and 3 VPNs between ASL on Computer_1 and Computer_2.
I setted only one dynamic endpoint for ASL on Computer_2.

[Computer_1](Public_IP_1)- -INET- -Masquerading_Router(Public_IP_2)- -[Computer_2](10.10.10.8)

Fragment of Log on Computer_2

packet from Public_IP_1:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from Public_IP_1:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from Public_IP_1:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from Public_IP_1:4500: initial Main Mode message received on 10.10.10.8:4500 but no connection has been authorized with policy=RSASIG

Fragment of Log on Computer_1

packet from Public_IP_2:12295: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from Public_IP_2:12295: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from Public_IP_2:12295: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
"VPN_1"[3] Public_IP_2:12295 #72: responding to Main Mode from unknown peer Public_IP_2:12295
"VPN_1"[3] Public_IP_2:12295 #72: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
"VPN_1"[3] Public_IP_2:12295 #72: Main mode peer ID is ID_FQDN: '@bob.jut.com'
"VPN_1"[3] Public_IP_2:12295 #72: sent MR3, ISAKMP SA established
"VPN_1"[1] Public_IP_2:12295 #73: responding to Quick Mode
"VPN_1"[1] Public_IP_2:12295 #73: IPsec SA established
"VPN_1"[1] Public_IP_2:12295 #71: max number of retransmissions (20) reached STATE_MAIN_I1.  No acceptable response to our first IKE message

I have the same problem with X509 and the RSA keys . The VPN was etablished but was broken after IKE rekeying  initiated.

With PSK Authentication VPN was not broken after rekeying  initiated.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mischel over 20 years ago in reply to bagira

Additional Information:

Computer_1 - ASL 4.025, full log :
http://www.geocities.com/linuxastaro/vpn-asl-1.txt

Computer_2: ASL 5.102, full log :
http://www.geocities.com/linuxastaro/vpn-asl-2.txt

The IKE SA expires and the VPN is broken on 04:02:25.
Cancel
Vote Up 0 Vote Down

Cancel
0 mdallagi over 20 years ago in reply to Kavi

Hi,

I have the same problem with one central box nated and two end point boxes nated.
Do you know if Astaro has solved this problem?

------------------------------------
ASL 5.200 on each boxes.
Cancel
Vote Up 0 Vote Down

Cancel