This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[ASL 6.001] NATed roadwarriors don't work

I'm currently testing Astaro ASL to make a VPN Gateway.
I've got a problem with roadwarriors.
They work when not nated (POTS access), but they don't when nated (GPRS Access) in both L2TP and plain IPSEC.

The error is :
2005:07:22-10:11:35 (none) pluto[28176]: "D_Test_UXVPN_IPSEC_0"[8] 194.51.100.246 #11: cannot respond to IPsec SA request because no connection is known for 3.0.0.0/8===84.101.x.x[C=FR, ST=xxx, L=Vxxxx, O=Exxxxx, OU=Inxxxxxx, CN=uxvpn, E=root@localhost]...194.51.x.x[C=FR, ST=xxx, L=Vxxxx, O=Exxxxx, OU=Ixxxxxxx, CN=groxxxxx, E=groxxxxx@mydomain.fr]===10.15.x.x/32

Is it a known issue ? Is there a solution?

Other thing.
I've got the same problem (and error) when in plain ipsec with NCP client for example, when i don't use "local ip" but 'manual ip'.

Info :
All of this work with openswan, kernel 2.6 and ipsec native on a Mandriva distrib. But I'd like to make Astaro working because i'm interested by some features attributing an address pool depending on the distinguish name of the x509 cert.

Thanks.

This thread was automatically locked due to age.

Parents

0 NimmdirKeks over 20 years ago

Hi,

what do you use as your VPN ID?
If you use IP, and it dosent match with the actual IP it wont work of course. The message in clear says, you have a nice IP, but sorry I cant find any SPI, matching your IP address.
Try using either e-mail or c-name for the roadwarriors, IPs in generally wont work.

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 Systems_Networks over 20 years ago in reply to NimmdirKeks

Where do you precise this ?
In CA Management, i have :
"X.509 DN from CERT/CSR body" for VPN ID
Cancel
Vote Up 0 Vote Down

Cancel
0 maygyver over 20 years ago in reply to Systems_Networks

You have to use email as VPN identifier and have to specify a virtual IP for the certificate.

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Cancel
0 Systems_Networks over 20 years ago in reply to maygyver

Why do i need Email with NAT as it's working with no nated client ? And how can i change VPNID for the certificate ?
About Virtual IP. Do you mean i need to put a virtual ip for each client certificate ? it's an huge job.
Moreover Astaro is not my CA, so i'd have to import all certificates first. I can't do that.
Cancel
Vote Up 0 Vote Down

Cancel
0 NimmdirKeks over 20 years ago in reply to Systems_Networks

Hi,

are you some department of General Electric? 3.0.0.0/8 is reserved for them.
How does your endpoints look like, in the VPN configuration? I guess the remote endpoint on the astaro is wrong.

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 Systems_Networks over 20 years ago in reply to NimmdirKeks

3.0.0.0/8 is for our private use. I doesn't cause any problem on our openswan/mandriva 2005 LE server.

Remote are roadwarriors.
Cancel
Vote Up 0 Vote Down

Cancel
0 NimmdirKeks over 20 years ago in reply to Systems_Networks

Hi,

please consider that 3.0.0.0 is public routable, so if you have a leak somewhere it will get routed to the inet. There is purpose for the 3 private subnet blocks assigned in RFC.

So I guess your remote endpoint for the connection is set to any.

Chris
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 NimmdirKeks over 20 years ago in reply to Systems_Networks

Hi,

please consider that 3.0.0.0 is public routable, so if you have a leak somewhere it will get routed to the inet. There is purpose for the 3 private subnet blocks assigned in RFC.

So I guess your remote endpoint for the connection is set to any.

Chris
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Systems_Networks over 20 years ago in reply to NimmdirKeks

I have got 'ANY' for remote endpoint but I can't make any other choice. It's fixed by the application.

3.0.0.0 is used as private network for years where i am and i can't change.
Can somebody explain why it's work with non-nated roadwarriors ? With POTS for example.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Systems_Networks over 20 years ago in reply to Systems_Networks

I really need HELP because i'd like to use ASTARO but it has to do all what i need.

So, from the begining :
I want to connect to Astaro VPN with Windows 2000/XP roadwarriors using the native L2TP client.
I use a RoadWarrior CA (i use x509 certs for authentication) connection type with L2TP on. In L2TP configuration, i use an IPSEC-Pool.
Nat-transversal is activated.

All works very well with non-nated client but the client say the server didn't answered with the same but nated client.

I think this is routing problem according to the logs but i'm not able to find what it is.

The interestings logs (I think) :
* IPSEC VPN LOG
2005:08:25-10:44:38 (none) pluto[17997]: unknown cmsg: level 0, type 8, len 24
2005:08:25-10:44:38 (none) pluto[17997]: ERROR: asynchronous network error report on ppp0 for message to 213.223.190.x port 12717, complainant 84.101.106.x: No route to host [errno 113, origin ICMP type 11 code 1 (not authenticated)]
2005:08:25-10:44:42 (none) pluto[17997]: unknown cmsg: level 0, type 8, len 24
2005:08:25-10:44:42 (none) pluto[17997]: ERROR: asynchronous network error report on ppp0 for message to 213.223.190.x port 12717, complainant 84.101.106.x: No route to host [errno 113, origin ICMP type 11 code 1 (not authenticated)]

* VPN Status
----- Nated ---------
000 #20: "S_Test_UXVPN_1"[7] 213.223.93.x:20075 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1893s; newest ISAKMP; nodpd
000 #19: "S_Test_UXVPN_1"[7] 213.223.93.x:20075 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1767s; nodpd
000 #18: "S_Test_UXVPN_1"[7] 213.223.93.x:20075 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1675s; nodpd
000 #24: "S_Test_UXVPN_1"[13] 213.223.190.x:12717 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2238s; newest ISAKMP; nodpd
000 #30: "S_Test_UXVPN_1"[15] 213.223.190.x:15435 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 5413s; newest ISAKMP; nodpd
000 #29: "S_Test_UXVPN_1"[15] 213.223.190.x:15434 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 5048s; nodpd
----------------
--- Non Nated --
000 #32: "S_Test_UXVPN_1"[19] 62.147.102.x:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1317s; newest IPSEC; eroute owner
000 #32: "S_Test_UXVPN_1"[19] 62.147.102.x used 21s ago;esp.25e6db04@62.147.102.xesp.6c88382c@84.101.106.x

* VPN routes
----- non nated -----
78         84.101.106.x/32  -> 62.147.102.x/32:1701 => esp0x25e6db04@62.147.102.x:17
-----------------------
---------- nated -------
0          84.101.106.x/32  -> 213.223.93.x/32:1701 => %trap:17
0          84.101.106.x/32  -> 213.223.190.x/32:1701 => %trap:17
0          84.101.106.x/32  -> 213.223.190.x/32:1701 => %trap:17
------------------------
Cancel
Vote Up 0 Vote Down

Cancel