L2TP/IPsec VPN connection with client behind NAT

poorlittlelinuxuser · 09-14-2012, 06:52 AM

Hi, everyone. I have a problem with my L2TP/IPsec VPN setup.

Map:

My server <---> Internet <---> Router (NAT) <---> My client
(public IP) (Public IP) 192.168.0.XXX

I used openswan xl2tpd to setup the vpn server on debian.

The server received the request properly, but xl2tpd daemon never received any thing.

So I digged out /var/log/auth.log, found the following:

Code:

pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: responding to Main Mode from unknown peer MY.CLIENT.IP.ADDRESS
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.102'
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: deleting connection "L2TP-PSK-NAT" instance with peer MY.CLIENT.IP.ADDRESS {isakmp=#0/ipsec=#0}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: new NAT mapping for #8, was MY.CLIENT.IP.ADDRESS:500, now MY.CLIENT.IP.ADDRESS:4500
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: the peer proposed: VPN.SERVER.IP.ADDRESS/32:17/1701 -> 192.168.0.102/32:17/0
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #9: responding to Quick Mode proposal {msgid:01000000}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #9:     us: VPN.SERVER.IP.ADDRESS<VPN.SERVER.IP.ADDRESS>[+S=C]:17/1701
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #9:   them: MY.CLIENT.IP.ADDRESS[192.168.0.102,+S=C]:17/1701===192.168.0.102/32

Then it just retry several time and give up, because server IP cant connect to the 192.168.0.102 :S

I am a newbie to linux, Please help

Ser Olmy · 09-15-2012, 04:28 PM

This is not so much a Linux problem as an IPsec issue. From the log:

Code:

pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed

OK, so both your PC and the VPN server are behind NAT. That means the server you're trying to establish a connection with has a private IP address, and the public IP belongs to a NATing router that's forwarding the relevant ports and protocols. That should work, as long as both parties adhere to RFC 3947.

Then this happens:

Code:

pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: new NAT mapping for #8, was MY.CLIENT.IP.ADDRESS:500, now MY.CLIENT.IP.ADDRESS:4500
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: the peer proposed: VPN.SERVER.IP.ADDRESS/32:17/1701 -> 192.168.0.102/32:17/0
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others

I haven't seen this particular log format before, but lines 1 and 3 look a bit odd. As for line 1, does "MY.CLIENT.IP.ADDRESS" refer to a private or public IP adress? It should be your public IP.

Line 3 looke odd for the same reason, but I'm not sure if the entry says "we'll be using the punlic server IP rathern than 192.168.0.102" or if the addresses refer to connection endpoints. Perhaps someone with more detailed knowledge of the log format can clarify.

poorlittlelinuxuser · 09-16-2012, 09:41 PM

Thanks Ser Olmy

The MY.CLIENT.IP.ADDRESS and VPN.SERVER.IP.ADDRESS are both public IP.

It seems the server (public IP) was trying to connect to the client's private IP, which does not make any sense to me.

I will try to put my client in DMZ to see if it works.