hoepp
Joined: 17 Mar 2009 Posts: 7 Location: Germany
Posted: Tue May 05, 2009 3:16 pm Post subject: L2TP Problem with Windows XP and Windows Mobile
Hi,
I have a problem setting up an L2TP VPN with zeroshell. My configuration is as follows:
Internet <---> DSL router <---> zeroshell
0.0.0.0        192.168.XXX.1   192.168.XXX.XXX
The Internet address of the router is a dynDNS address.
Here's the IPSEC log:
_________________________________________________________
11:58:46 INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
11:58:46 INFO: @(#)This product linked OpenSSL 0.9.8i 15 Sep 2008 (http://www.openssl.org/)
11:58:46 INFO: 192.168.XXX.XXX[4500] used as isakmp port (fd=6)
11:58:46 INFO: 192.168.XXX.XXX[4500] used for NAT-T
11:58:46 INFO: 192.168.XXX.XXX[500] used as isakmp port (fd=7)
11:58:46 INFO: 192.168.XXX.XXX[500] used for NAT-T
14:51:25 INFO: respond new phase 1 negotiation: 192.168.XXX.XXX[500]<=>80.80.YYY.YYY[23837]
14:51:25 INFO: begin Identity Protection mode.
14:51:25 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
14:51:25 INFO: received Vendor ID: FRAGMENTATION
14:51:25 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
14:51:25 INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
14:51:26 INFO: Hashing 192.168.XXX.XXX[500] with algo #1
14:51:26 INFO: NAT-D payload #0 doesn't match
14:51:26 INFO: Hashing 80.80.YYY.YYY[23837] with algo #1
14:51:26 INFO: NAT-D payload #1 doesn't match
14:51:26 INFO: NAT detected: ME PEER
14:51:26 INFO: Hashing 80.80.YYY.YYY[23837] with algo #1
14:51:26 INFO: Hashing 192.168.XXX.XXX[500] with algo #1
14:51:26 INFO: Adding remote and local NAT-D payloads.
14:51:27 INFO: NAT-T: ports changed to: 80.80.YYY.YYY[16553]<->192.168.XXX.XXX[4500]
14:51:27 INFO: KA list add: 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553]
14:51:27 INFO: ISAKMP-SA established 192.168.XXX.XXX[4500]-80.80.YYY.YYY[16553] spi:11623ca26e1d5e55:8897fcae4f15e576
14:51:27 INFO: respond new phase 2 negotiation: 192.168.XXX.XXX[4500]<=>80.80.YYY.YYY[16553]
14:51:27 INFO: no policy found, try to generate the policy : 80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in
14:51:27 INFO: Adjusting my encmode UDP-Transport->Transport
14:51:27 INFO: Adjusting peer's encmode UDP-Transport(61444)->Transport(2)
14:51:27 WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
14:51:27 INFO: IPsec-SA established: ESP/Transport 80.80.YYY.YYY[16553]->192.168.XXX.XXX[4500] spi=102415966(0x61abe5e)
14:51:27 INFO: IPsec-SA established: ESP/Transport 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553] spi=10807808(0xa4ea00)
14:51:27 ERROR: such policy does not already exist: "80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in"
14:51:27 ERROR: such policy does not already exist: "ZZZ.ZZZ.ZZZ.ZZZ/32[1701] 80.80.YYY.YYY/32[16553] proto=udp dir=out"
14:52:06 INFO: purging ISAKMP-SA spi=11623ca26e1d5e55:8897fcae4f15e576.
14:52:06 INFO: purged ISAKMP-SA spi=11623ca26e1d5e55:8897fcae4f15e576.
14:52:06 ERROR: unknown Informational exchange received.
14:52:07 INFO: ISAKMP-SA deleted 192.168.XXX.XXX[4500]-80.80.YYY.YYY[16553] spi:11623ca26e1d5e55:8897fcae4f15e576
14:52:07 INFO: KA remove: 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553]
15:39:27 INFO: IPsec-SA expired: ESP/Transport 80.80.YYY.YYY[0]->192.168.XXX.XXX[0] spi=102415966(0x61abe5e)
15:39:27 INFO: IPsec-SA expired: ESP/Transport 192.168.XXX.XXX[0]->80.80.YYY.YYY[0] spi=10807808(0xa4ea00)
15:51:27 INFO: IPsec-SA expired: ESP/Transport 80.80.YYY.YYY[0]->192.168.XXX.XXX[0] spi=102415966(0x61abe5e)
15:51:27 INFO: IPsec-SA expired: ESP/Transport 192.168.XXX.XXX[0]->80.80.YYY.YYY[0] spi=10807808(0xa4ea00)
_________________________________________________________
The strange thing here is that the ports of the IPsec-SA are different: while establishing the IPsec-SA the ports are 16553 and 4500, but on expiration the ports are 0.
I found a ticket on the IPsec-Tools bug tracker,
https://trac.ipsec-tools.net/ticket/2, which seems to state that there is a problem running racoon on Linux.
My question: am I doing something wrong, or is racoon indeed to blame in this setup?
Sincerely hoepp
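As an added example (not code from this thread or from Zeroshell), here is a small Python triage script for the racoon log above. It reads the diagnostic lines the responder printed and reports which side NAT-D identified as NATed, the NAT-T port float to UDP/4500, whether the ISAKMP and IPsec SAs came up, and the generated-policy errors; it also compares the address racoon wrote into the generated policy with the addresses the kernel SAs actually use. The embedded log lines are the ones quoted in the post; the wording of the findings is the editor's interpretation, not the poster's.

```python
"""Triage helper for a racoon (ipsec-tools) responder log.

Added example for this thread, not code from the original post or from
Zeroshell. It extracts the signals that matter for an L2TP/IPsec responder
behind NAT: NAT-D detection, the NAT-T port float, SA establishment, the
generated-policy errors, and the address racoon put into the generated
policy versus the addresses the SAs terminate on.
"""
import re

# Constructed sample: the diagnostic lines quoted from the post above.
SAMPLE_LOG = """\
14:51:25 INFO: respond new phase 1 negotiation: 192.168.XXX.XXX[500]<=>80.80.YYY.YYY[23837]
14:51:25 INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
14:51:26 INFO: NAT-D payload #0 doesn't match
14:51:26 INFO: NAT-D payload #1 doesn't match
14:51:26 INFO: NAT detected: ME PEER
14:51:27 INFO: NAT-T: ports changed to: 80.80.YYY.YYY[16553]<->192.168.XXX.XXX[4500]
14:51:27 INFO: ISAKMP-SA established 192.168.XXX.XXX[4500]-80.80.YYY.YYY[16553] spi:11623ca26e1d5e55:8897fcae4f15e576
14:51:27 INFO: no policy found, try to generate the policy : 80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in
14:51:27 WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
14:51:27 INFO: IPsec-SA established: ESP/Transport 80.80.YYY.YYY[16553]->192.168.XXX.XXX[4500] spi=102415966(0x61abe5e)
14:51:27 INFO: IPsec-SA established: ESP/Transport 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553] spi=10807808(0xa4ea00)
14:51:27 ERROR: such policy does not already exist: "80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in"
14:51:27 ERROR: such policy does not already exist: "ZZZ.ZZZ.ZZZ.ZZZ/32[1701] 80.80.YYY.YYY/32[16553] proto=udp dir=out"
"""

RE_NAT = re.compile(r"NAT detected: (.+)$")
RE_PORTS = re.compile(r"NAT-T: ports changed to: (\S+)\[(\d+)\]<->(\S+)\[(\d+)\]")
RE_IPSEC = re.compile(r"IPsec-SA established: ESP/(\w+) (\S+)\[(\d+)\]->(\S+)\[(\d+)\]")
RE_POLICY_ERR = re.compile(r'such policy does not already exist: "([^"]+)"')
RE_AUTH = re.compile(r"authtype mismatched: my:(\S+) peer:(\S+)")
RE_ADDR = re.compile(r"(\S+)/\d+\[\d+\]")  # "addr/prefix[port]" tokens inside a policy spec


def parse(text):
    """Pull the diagnostic signals out of the log; returns a plain dict."""
    r = {
        "local_behind_nat": False,   # "ME" in NAT detected: our own NAT-D hash failed
        "peer_behind_nat": False,    # "PEER": the client's NAT-D hash failed
        "natt_ports": None,          # (peer_addr, peer_port, my_addr, my_port) after the float
        "isakmp_established": False,
        "ipsec_sa_count": 0,
        "sa_addrs": set(),           # endpoints the kernel SAs were installed for
        "policy_errors": [],         # specs racoon could not find in the SPD
        "policy_addrs": set(),       # addresses named in those specs
        "authtype_mismatch": None,
    }
    for line in text.splitlines():
        if (m := RE_NAT.search(line)):
            sides = m.group(1).split()
            r["local_behind_nat"] = "ME" in sides
            r["peer_behind_nat"] = "PEER" in sides
        elif (m := RE_PORTS.search(line)):
            r["natt_ports"] = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        elif "ISAKMP-SA established" in line:
            r["isakmp_established"] = True
        elif (m := RE_IPSEC.search(line)):
            r["ipsec_sa_count"] += 1
            r["sa_addrs"].update((m.group(2), m.group(4)))
        elif (m := RE_POLICY_ERR.search(line)):
            spec = m.group(1)
            r["policy_errors"].append(spec)
            r["policy_addrs"].update(RE_ADDR.findall(spec))
        elif (m := RE_AUTH.search(line)):
            r["authtype_mismatch"] = (m.group(1), m.group(2))
    return r


def diagnose(text):
    """Turn the parsed signals into findings a practitioner can act on."""
    r = parse(text)
    findings = []
    if r["local_behind_nat"] and r["peer_behind_nat"]:
        findings.append("both sides are behind NAT (NAT detected: ME PEER)")
    elif r["local_behind_nat"]:
        findings.append("the responder is behind NAT (NAT detected: ME)")
    elif r["peer_behind_nat"]:
        findings.append("only the client is behind NAT (NAT detected: PEER)")
    if r["natt_ports"]:
        peer, pport, me, mport = r["natt_ports"]
        findings.append(f"NAT-T floated IKE to {me}:{mport} <-> {peer}:{pport}; "
                        f"UDP/{mport} must reach the responder through the NAT router")
    if r["isakmp_established"] and r["ipsec_sa_count"] and r["policy_errors"]:
        findings.append("phase 1 and phase 2 completed, but the kernel SPD has no policy for "
                        "the udp/1701 flow, so L2TP packets will not be matched to the SAs")
    foreign = r["policy_addrs"] - r["sa_addrs"]
    if foreign:
        findings.append("generated policy names " + ", ".join(sorted(foreign)) +
                        " although the SAs terminate on " + ", ".join(sorted(r["sa_addrs"])) +
                        ": the client addressed the responder by its public (NAT) address "
                        "while racoon is bound to the private one")
    if r["authtype_mismatch"]:
        mine, theirs = r["authtype_mismatch"]
        findings.append(f"phase 2 auth proposal differs (ours {mine}, peer {theirs}); "
                        "the SA still came up, so this is not the blocking error")
    r["findings"] = findings
    return r


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG)["findings"]:
        print("-", f)
```

Run it against a live log with `python3 triage.py < /var/log/racoon.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; the address comparison is the part worth keeping an eye on, since a policy generated for the public address can never match packets the kernel sees arriving on the private one.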
vpn_rollercoaster
Joined: 30 Aug 2008 Posts: 80
Posted: Wed May 06, 2009 3:00 pm Post subject: L2TP and NAT
14:51:27 INFO: IPsec-SA established: ESP/Transport 80.80.YYY.YYY[16553]->192.168.XXX.XXX[4500] spi=102415966(0x61abe5e)
14:51:27 INFO: IPsec-SA established: ESP/Transport 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553] spi=10807808(0xa4ea00)
14:51:27 ERROR: such policy does not already exist: "80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in"
14:51:27 ERROR: such policy does not already exist: "ZZZ.ZZZ.ZZZ.ZZZ/32[1701] 80.80.YYY.YYY/32[16553] proto=udp dir=out"
You can't run L2TP with NAT on your router.
It looks like you have Computer1 with a private ip address behind a nat'd router trying to make a L2TP session with a zeroshell box.
You will need to put your Computer1 in a DMZ so that it gets the public IP address needed to make the L2TP session work.
If it's the other way around then you need to give your zeroshell box a public IP address on the wan interface or put it in a DMZ. Either way L2TP is designed to work best with 2 public IP addresses. One on the calling station and one on the RAS.
If you want to test this without changing your configs, just dial up (analog phone line/56k modem) to the Internet and connect to your zeroshell box.
hoepp
Joined: 17 Mar 2009 Posts: 7 Location: Germany
Posted: Thu May 07, 2009 1:31 pm
Thank you for this information.
The setup was zeroshell (192.168) behind a NAT router with dynDNS ZZZ, and the road warrior was a Windows Mobile phone (80.80).
I was under the impression that this should work anyway, because at least MS talks about it:
http://support.microsoft.com/kb/926179/en-us
BTW: I forgot: I've modified my racoon.conf template file by adding the following section:
listen {
        isakmp 192.168.XXX.XXX [500];        # IKE on the LAN address racoon is bound to
        isakmp_natt 192.168.XXX.XXX [4500];  # NAT-T (UDP-encapsulated IKE/ESP) on the same address
}
without this I do not even get the "ISAKMP-SA established" message but receive time-out messages only.
Best regards
Hoepp
vpn_rollercoaster
Joined: 30 Aug 2008 Posts: 80
Posted: Thu May 07, 2009 4:38 pm Post subject: NAT-traversal
NAT-t is not supported on zeroshell or at least not last time I checked. There's a checkbox there with the option but you'll get a warning if you try it saying that it's not supported.
If IP address space is limited for your VPN application, you can give the zeroshell router the public IP address to accomplish your L2TP sessions without further configuration, and place your NAT router behind zeroshell.
vpn_rollercoaster
Joined: 30 Aug 2008 Posts: 80
Posted: Fri May 08, 2009 2:24 pm Post subject: manufacturer NAT router compatibility
The easiest way to resolve this is to connect zeroshell directly to the ISP uplink giving it a global IP address.
What kernel and build of zeroshell are you using?
What is the manufacturer and model number of the NAT router that zeroshell is behind?
What ports are being forwarded to zeroshell(1723,500,4500)?
What IP traffic is being allowed thru the firewall to zeroshell (ICMP,GRE)?
What features on the NAT router are enabled such as PPTP,L2TP,IPSec Pass-thru?
Have you attempted to connect from the LAN to verify that you can even establish a connection locally?
hoepp
Joined: 17 Mar 2009 Posts: 7 Location: Germany
Posted: Fri May 08, 2009 7:20 pm
Thank you for offering your help.
I will try to answer the questions:
What kernel and build of zeroshell are you using?
I'm using standard CD-ROM version of ZS 1.0 beta 11
What is the manufacturer and model number of the NAT router that zeroshell is behind?
It's a Samsung SMT-G 3210 Phone WLAN with fw 3.01. AFAIK it's using a linux 2.4 kernel
What ports are being forwarded to zeroshell(1723,500,4500)?
I'm forwarding UDP traffic on the following ports: 500, 4500 and 1701 (I'm using L2TP, not PPTP).
What IP traffic is being allowed thru the firewall to zeroshell (ICMP,GRE)?
I don't understand this question, sorry.
What features on the NAT router are enabled such as PPTP,L2TP,IPSec Pass-thru?
I doubt that the stupid Samsung is offering anything like that.
Have you attempted to connect from the LAN to verify that you can even establish a connection locally?
I've tried this on both ends of ZS:
It fails if I connect to 192.168.XXX.XXX (the side that's connected to the outside).
I get a successful connection if I connect to the 10.XXX.XXX.XXX side of my ZS.
Thank you for reading all this
hoepp
vpn_rollercoaster
Joined: 30 Aug 2008 Posts: 80
Posted: Sat May 09, 2009 6:50 pm
I sent this to your private messages.
Gideon
Joined: 09 Sep 2009 Posts: 1
Posted: Wed Sep 09, 2009 2:24 pm
Hi.
I have a similar problem.
I am trying to connect to the zeroshell L2TP VPN from a client behind a NAT.
When I enable the NAT-T option in zeroshell, I'm receiving:
ERROR: such policy does not already exist: "93.175.xxx.xxx/32[64370] 91.205.xxx.xxx/32[1701] proto=udp dir=in"
ERROR: such policy does not already exist: "91.205.xxx.xxx/32[1701] 93.175.xxx.xxx/32[64370] proto=udp dir=out"
But when I first connect from the NAT machine, and then from the machine behind NAT, everything works until I reboot the server or restart the L2TP daemon.
I'm using Release 1.0.beta12; the client is WinXP SP3, fully updated.
edit:
I'm receiving the same error even when the connection is OK. But if I don't connect from the NAT machine beforehand, the connection from the machine behind NAT stops at these lines.