OpenBSD + IPNAT + VPN - HELP!....

Furmanek, Greg plug-discuss@lists.PLUG.phoenix.az.us
Mon, 30 Jul 2001 10:46:05 -0400


Can anyone help with this one?

I have looked online for some info, but
it seems that everything I have tried did not
work.

Why is "esp" not forwarded?

Any suggestions would be appreciated.

Greg


> -----Original Message-----
> From: Greg [mailto:codewolf@earthlink.net]
> Sent: Saturday, July 28, 2001 4:55 PM
> To: misc@openbsd.org
> Subject: Fw: OpenBSD + IPNAT + VPN - HELP!....
> 
> 
> Hi everyone....
> 
> I am trying to set up a VPN connection from Windows (Nortel Client) through
> OpenBSD (NAT/IPF) to Nortel.
> 
> It seems that I get the ISAKMP to negotiate just fine but
> when it comes to the tunnel it is a different story:
> 
> This is my setup:
> 
> | WIN  Client |-----------|Open  BSD |-----------| Nortel |
> 
> 
> xl0 - external
> xl1 - internal
> x.x.x.x - Nortel
> y.y.y.y  - ip on xl0
> z.z.z.z - ip on host with the client
> k.k.k.k - ip on xl1 - gateway
> ipf.rules
> =========
> # for esp protocol - I have not specified the protocol since I allow all from this specific host
> pass in quick on xl0 from x.x.x.x/32 to y.y.y.y/32
> pass out quick on xl0 from y.y.y.y/32 to x.x.x.x/32
> pass in quick on xl1 from any to x.x.x.x/32
> pass out quick on xl1 from x.x.x.x/32 to any
> 
> #--------------------- UDP ISAKMP KEY NEGOTIATION ----------------------
> pass in quick on xl1 proto udp from z.z.z.z port = 500 to x.x.x.x/32 port = 500 keep state
> 
> ipnat.rules
> ===========
> bimap xl0 y.y.y.y/32 -> x.x.x.x/32
> 
> External Interface TCPDUMP
> 07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> 07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> 07:43:27.705309 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> 07:43:27.738159 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> 07:43:28.193897 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> 07:43:28.229533 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> 07:43:28.452708 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> 07:43:28.453900 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> 07:43:28.583195 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> 07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> 07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> 
> 
> INTERNAL INTERFACE TCPDUMP
> 07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 316
> 07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> 07:43:27.550272 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> 07:43:27.705446 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> 07:43:27.738025 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> 07:43:28.194061 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange AGGRESSIVE
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> 07:43:28.229392 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> 07:43:28.452855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> 07:43:28.453769 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> 07:43:28.583338 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> 07:43:28.648283 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> 07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
> encrypted
> cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> 
> 07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
> 07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
> 07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:30.390774 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 3 len 116
> 07:43:30.391030 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:30.391077 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 4 len 124
> 07:43:30.391097 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 5 len 116
> 07:43:30.391283 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 07:43:30.391457 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> 
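
A way to compare the two captures mechanically, as an added example that is not part of the original post: it counts ISAKMP and ESP packets per interface and lists ESP flows seen on the internal interface but never on the external one, with the ICMP errors returned for them. The sample lines are constructed from the trace format quoted above, the function names are hypothetical, and matching on destination and SPI assumes NAT rewrites only the source address.

```python
import re
from collections import Counter

# Constructed sample: lines in the tcpdump text format quoted in the post,
# with wrapped lines rejoined and the post's placeholder addresses kept.
INTERNAL = """\
07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
"""
EXTERNAL = """\
07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
"""

ESP = re.compile(r"^\S+ esp (\S+) > (\S+) spi (0x[0-9A-Fa-f]+) seq (\d+)")
ISAKMP = re.compile(r"^\S+ (\S+)\.500 > (\S+)\.500: isakmp")
UNREACH = re.compile(r"^\S+ (\S+) > (\S+): icmp: host (\S+) unreachable")

def summarize(capture):
    """Count ISAKMP and ESP packets and collect ICMP host-unreachable errors."""
    out = {"isakmp": 0, "esp": Counter(), "unreachable": Counter()}
    for line in capture.splitlines():
        if ISAKMP.match(line):
            out["isakmp"] += 1
        elif m := ESP.match(line):
            out["esp"][(m[1], m[2], m[3])] += 1      # (src, dst, spi)
        elif m := UNREACH.match(line):
            out["unreachable"][(m[1], m[3])] += 1    # (reporter, unreachable host)
    return out

def dropped_esp(inside, outside):
    """ESP flows seen on the inside interface with no matching ESP outside."""
    i, o = summarize(inside), summarize(outside)
    findings = []
    for (src, dst, spi), sent in i["esp"].items():
        # Assumption: NAT rewrites the source only, so match on dst and SPI.
        forwarded = sum(c for (_, d, s), c in o["esp"].items()
                        if d == dst and s == spi)
        errors = {rep: c for (rep, host), c in i["unreachable"].items()
                  if host == dst}
        if forwarded == 0:
            findings.append({"spi": spi, "src": src, "dst": dst,
                             "sent": sent, "icmp_from": errors})
    return findings
```

Run against full captures from both interfaces, `dropped_esp` returns one entry per SPI that never left the gateway, naming the address that sent the host-unreachable replies.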

