Topics - mbertens@xs4all.nl

Pages: [1]
1
Installation and Upgrades / L2TP/IPSEC PSK NAT problem
« on: January 19, 2014, 10:12:33 pm »
Hi, I've configured an L2TP/IPSEC PSK for my Android devices. When I connect with my Nexus 10 all is fine; I can connect to the network from my Nexus, no problems here.

Then I connect my Galaxy II with a second username/password and I get the message:

an 19 20:50:53 system pluto[24539]: "configname"[3] 83.163.45.249 #6: cannot install eroute -- it is in use for "configname"[2] 83.163.45.249 #4

where 83.163.45.249 is my outside public IP address behind NAT.

The Zentyal server is on 192.168.178.21 (its outside address).

When I connect the phone in the 192.168.178.xx network it works; then it sees another address and the phone is connected and working fine.

Zentyal version 3.2

Network overview

Internet <-> DSL-Modem     <-> local net     <-> Zentyal gateway
             83.163.45.249     192.168.178.0     192.168.178.21

The modem has a WLAN which I often use to test.

Zentyal config:
        Public IP address: 192.168.178.21
        Remote Address: any address   
        PSK Shared Secret: ******************
        Tunnel IP: 192.168.1.220
        pri name server : local
        sec name server : 8.8.8.8
        wins server: none
Range:
        start 192.168.1.221
        end: 192.168.1.239
user settings
        account#1
        password: **********
        ipaddress 192.168.1.221

        account#2
        password: *************
        ipaddress 192.168.1.222

I've tested with and without the user IP addresses.

I searched with Google for similar problems but none of them gave a solution.

I also added the changes in http://trac.zentyal.org/ticket/7788; this partly solved the problem, only the NAT one.

Syslog when starting client Nexus (in the local WLAN in front of the IPSEC server):

Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: responding to Main Mode from unknown peer 83.163.45.249
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.178.20'
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: new NAT mapping for #3, was 83.163.45.249:63389, now 83.163.45.249:63390
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 20 20:27:21 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: received and ignored informational message
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #3: the peer proposed: 83.163.45.249/32:17/1701 -> 192.168.178.20/32:17/0
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4: responding to Quick Mode proposal {msgid:56f0d3e8}
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4:     us: 192.168.178.21<192.168.178.21>[+S=C]:17/1701
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4:   them: 83.163.45.249[192.168.178.20,+S=C]:17/0
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4: keeping refhim=4294901761 during rekey
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0d786ccd <0x80022045 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=83.163.45.249:63390 DPD=none}

Connecting client Galaxy (in the local WLAN in front of the IPSEC server):

Jan 20 20:30:04 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: responding to Main Mode from unknown peer 83.163.45.249
Jan 20 20:30:04 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 20 20:30:04 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.178.26'
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #5: switched from "pe2mbs.nl" to "pe2mbs.nl"
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #5: new NAT mapping for #5, was 83.163.45.249:63392, now 83.163.45.249:63393
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #5: received and ignored informational message
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #5: the peer proposed: 83.163.45.249/32:17/1701 -> 192.168.178.26/32:17/0
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #6: responding to Quick Mode proposal {msgid:27a77d86}
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #6:     us: 192.168.178.21<192.168.178.21>[+S=C]:17/1701
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #6:   them: 83.163.45.249[192.168.178.26,+S=C]:17/0
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #6: cannot install eroute -- it is in use for "pe2mbs.nl"[2] 83.163.45.249 #4
Jan 20 20:30:08 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #6: discarding duplicate packet; already STATE_QUICK_R0
Jan 20 20:31:01  pluto[3896]: last message repeated 8 times


When I change the calling IP address in the client Galaxy (in the local WLAN in front of the IPSEC server):

Jan 20 20:33:26 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: responding to Main Mode from unknown peer 192.168.178.26
Jan 20 20:33:26 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 20 20:33:26 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: Main mode peer ID is ID_IPV4_ADDR: '192.168.178.26'
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: deleting connection "pe2mbs.nl" instance with peer 83.163.45.249 {isakmp=#5/ipsec=#0}
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl" #6: deleting state (STATE_QUICK_R0)
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl" #5: deleting state (STATE_MAIN_R3)
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 20 20:33:27 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: received and ignored informational message
Jan 20 20:33:28 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #7: the peer proposed: 192.168.178.21/32:17/1701 -> 192.168.178.26/32:17/0
Jan 20 20:33:28 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8: responding to Quick Mode proposal {msgid:de73d3c1}
Jan 20 20:33:28 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8:     us: 192.168.178.21<192.168.178.21>[+S=C]:17/1701
Jan 20 20:33:28 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8:   them: 192.168.178.26[+S=C]:17/0
Jan 20 20:33:28 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 20 20:33:28 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 20 20:33:29 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 20 20:33:29 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0a178747 <0x841c743c xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}




I hope that someone can help me with this problem.

Regards
mbertens
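
An added example, not part of the original post: a small Python parser that pairs each `cannot install eroute` failure in the pluto log with the Quick Mode `them:` selectors of the two states involved, so the colliding clients can be compared. The function name and regular expressions are this example's own; the sample lines are copied from the logs quoted above.

```python
import re

# Excerpt of the pluto syslog lines quoted in the post above.
SAMPLE_LOG = '''\
Jan 20 20:27:22 bob pluto[3896]: "pe2mbs.nl"[2] 83.163.45.249 #4:   them: 83.163.45.249[192.168.178.20,+S=C]:17/0
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #6:   them: 83.163.45.249[192.168.178.26,+S=C]:17/0
Jan 20 20:30:05 bob pluto[3896]: "pe2mbs.nl"[3] 83.163.45.249 #6: cannot install eroute -- it is in use for "pe2mbs.nl"[2] 83.163.45.249 #4
Jan 20 20:33:28 bob pluto[3896]: "pe2mbs.nl"[4] 192.168.178.26 #8:   them: 192.168.178.26[+S=C]:17/0
'''

# Common prefix: "conn"[instance] peer-address #state: message
PREFIX = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): +(?P<msg>.*)')
# Quick Mode "them:" line: outer address, optional [inner-id,flags], then proto/port.
THEM = re.compile(r'them: (?P<addr>[\d.]+)(?:\[(?P<opts>[^\]]*)\])?:(?P<sel>\d+/\d+)')
EROUTE = re.compile(r'cannot install eroute -- it is in use for "[^"]+"\[(?P<inst>\d+)\] \S+ #(?P<state>\d+)')

def find_eroute_conflicts(log_text):
    """Return one dict per eroute failure, pairing the failing and holding states."""
    them = {}       # state number -> (outer address, inner ID or None, proto/port)
    conflicts = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        state, msg = int(m['state']), m['msg']
        t = THEM.match(msg)
        if t:
            first = (t['opts'] or '').split(',')[0]
            inner = first if re.fullmatch(r'[\d.]+', first) else None
            them[state] = (t['addr'], inner, t['sel'])
            continue
        e = EROUTE.match(msg)
        if e:
            holder = int(e['state'])
            conflicts.append({
                'failed_state': state, 'holder_state': holder,
                'failed': them.get(state), 'holder': them.get(holder),
                # True when both clients present the same outer address and selector
                'same_outer_selector': state in them and holder in them
                    and them[state][::2] == them[holder][::2],
            })
    return conflicts
```

On this excerpt it reports state #6 failing against state #4, both with outer address 83.163.45.249 and selector 17/0 and differing only in the inner ID (192.168.178.26 versus 192.168.178.20).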
