IPSec behind NAT

Moderator: Securepoint

Locked
ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

IPSec behind NAT

Post by ajl119 »

Is it possible to get L2TP/IPSec to work with Securepoint when the outgoing interface is behind a router and hence on a NATed private IP?

I have got PPTP to work but this is not really secure enough.
Our test Securepoint system is behind a Netgear FVX538; I have enabled PPTP, L2TP and IPSec passthrough on the Netgear router to stop it messing with the traffic.

And I have forwarded UDP port 500 for Internet Key Exchange (IKE) traffic, UDP port 1701 for L2TP traffic and UDP 4500 to the Securepoint unit.
NB: outgoing access is unrestricted.

Thank you in advance :D

philipp
Posts: 119
Registered: Wed 07.02.2007, 15:44

Post by philipp »

You have to use certificates.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Well I think I have certificates working now:
I get:
1) packet from 88.96.193.65:500: ignoring Vendor ID payload [FRAGMENTATION]
2) packet from 88.96.193.65:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
3) packet from 88.96.193.65:500: ignoring Vendor ID payload [Vid-Initial-Contact]
4) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: responding to Main Mode from unknown peer 88.96.193.65
5) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: discarding duplicate packet; already STATE_MAIN_R2
6) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: Peer ID is ID_DER_ASN1_DN: 'C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=andrew.lemin, E=support@monitorsoft.com'
7) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: we have a cert and are sending it
8) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: sent MR3, ISAKMP SA established
9) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: cannot respond to IPsec SA request because no connection is known for 88.96.228.109/32===192.168.214.2[C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=fw2.monitor.york, E=support@monitorsoft.com]:17/1701...88.96.193.65[C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=andrew.lemin, E=support@monitorsoft.com]:17/%any==={192.168.200.34/32}
10) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.96.193.65:500
11) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xef0fc73e (perhaps this is a duplicated packet)
12) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.96.193.65:500
13) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xef0fc73e (perhaps this is a duplicated packet)
14) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.96.193.65:500
15) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xef0fc73e (perhaps this is a duplicated packet)
16) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.96.193.65:500
17) "rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xef0fc73e (perhaps this is a duplicated packet)
...

Is this failing because of: "cannot respond to IPsec SA request because no connection is known for 88.96.228.109/32===192.168.214.2"?

Thank you in advance.
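One way to triage a log like the one above, as an added example that is not part of the original post and not Securepoint's or Openswan's code: a small Python pass over pluto-style IKE log lines (the FreeS/WAN/Openswan family that produces the "sent MR3, ISAKMP SA established" wording) that separates the Phase 1 outcome (ISAKMP SA established, certificate peer ID accepted) from the Phase 2 refusal, and pulls the proposal pluto reported as unknown apart into its left/right addresses, IDs and protocol/port selectors. SAMPLE_LOG is the posted log with the duplicate-packet lines dropped; NATT_LOG is a constructed variant showing the same refusal after NAT-T has moved the exchange to UDP 4500, as the later post in this thread shows, with peer addresses from the RFC 5737 documentation range. The regexes, field names and the wording of the findings are this example's own, not pluto's.

```python
# Added example for this thread (not Securepoint's or Openswan's code): a triage
# pass over pluto (FreeS/WAN/Openswan-style) IKE log lines. SAMPLE_LOG is the
# log posted above; NATT_LOG is constructed to show the same refusal once NAT-T
# has moved the exchange to UDP 4500 (RFC 5737 documentation addresses).
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = """\
packet from 88.96.193.65:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
"rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: responding to Main Mode from unknown peer 88.96.193.65
"rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: Peer ID is ID_DER_ASN1_DN: 'C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=andrew.lemin, E=support@monitorsoft.com'
"rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: sent MR3, ISAKMP SA established
"rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: cannot respond to IPsec SA request because no connection is known for 88.96.228.109/32===192.168.214.2[C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=fw2.monitor.york, E=support@monitorsoft.com]:17/1701...88.96.193.65[C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=andrew.lemin, E=support@monitorsoft.com]:17/%any==={192.168.200.34/32}
"rt2.monitor.york__GT__andrew.lemin_0"[1] 88.96.193.65 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.96.193.65:500
"""
NATT_LOG = """\
"rt2.monitor.york__GT__andrew.lemin_0"[1] 203.0.113.20:4500 #3: sent MR3, ISAKMP SA established
"rt2.monitor.york__GT__andrew.lemin_0"[1] 203.0.113.20:4500 #3: cannot respond to IPsec SA request because no connection is known for 203.0.113.10/32===192.168.214.2:4500[CN=fw2.monitor.york]:17/1701...203.0.113.20:4500[CN=andrew.lemin]:17/%any==={192.168.200.34/32}
"""

VID_RE = re.compile(r"packet from (?P<peer>[\d.]+):\d+: (?P<action>ignoring|received) "
                    r"Vendor ID payload \[(?P<vid>[^\]]+)\]")
STATE_RE = re.compile(r'^"[^"]+"\[\d+\] (?P<peer>[\d.]*)(?::(?P<port>\d+))? #\d+: (?P<msg>.*)$')
# pluto prints the unmatched proposal as LSUB===LHOST[ID]:PROTO/PORT...RHOST[ID]:PROTO/PORT==={RSUB}
SELECTOR_RE = re.compile(
    r"no connection is known for (?:(?P<lsub>[\d./]+)===)?"
    r"(?P<lhost>[\d.]*)(?::(?P<lport>\d+))?\[(?P<lid>[^\]]*)\]:(?P<lpp>\d+/[\w%]+)\.\.\."
    r"(?P<rhost>[\d.]*)(?::(?P<rport>\d+))?\[(?P<rid>[^\]]*)\]:(?P<rpp>\d+/[\w%]+)"
    r"(?:==={(?P<rsub>[^}]+)})?")

@dataclass
class Triage:
    peer_id: Optional[str] = None
    phase1_established: bool = False
    natt_ignored: bool = False   # peer offered NAT-T, this responder ignored it
    natt_active: bool = False    # exchange runs on UDP 4500 (NAT-T negotiated)
    notifications: list = field(default_factory=list)
    refused_selector: Optional[dict] = None
    findings: list = field(default_factory=list)

def parse_selector(msg: str) -> Optional[dict]:
    """Split pluto's 'no connection is known for ...' proposal into its parts."""
    m = SELECTOR_RE.search(msg)
    if not m:
        return None
    return {"left_subnet": m["lsub"], "left_host": m["lhost"], "left_id": m["lid"],
            "left_protoport": m["lpp"], "right_host": m["rhost"], "right_id": m["rid"],
            "right_protoport": m["rpp"], "right_subnet": m["rsub"],
            "udp4500": "4500" in (m["lport"], m["rport"])}

def explain(t: Triage) -> list:
    # Turn the collected facts into the findings an operator acts on.
    out = []
    if t.phase1_established:
        out.append(f"Phase 1 OK: ISAKMP SA established with peer ID {t.peer_id}")
    if t.natt_ignored and not t.natt_active:
        out.append("Peer offered NAT-T but this side ignored the vendor ID: set "
                   "nat_traversal=yes in 'config setup' and restart IPsec")
    if t.natt_active:
        out.append("NAT-T negotiated: IKE and ESP run over UDP 4500")
    s = t.refused_selector
    if s:
        out.append(f"Phase 2 refused ({', '.join(t.notifications) or 'no notification'}): "
                   f"no conn matches {s['left_subnet']}==={s['left_host']}:{s['left_protoport']}"
                   f"...{s['right_host']}:{s['right_protoport']}==={{{s['right_subnet']}}}")
        lsub = s["left_subnet"]
        if lsub and lsub.endswith("/32") and lsub[:-3] != s["left_host"]:
            out.append(f"Responder is behind NAT: peer addressed it as {lsub[:-3]}, own address is {s['left_host']}")
        if s["right_subnet"] and ipaddress.ip_network(s["right_subnet"]).is_private:
            out.append(f"Peer inner address {s['right_subnet']} is private (peer behind NAT): the conn "
                       "must accept a virtual private address, e.g. Openswan rightsubnet=vhost:%priv,%no")
    return out

def triage(log: str) -> Triage:
    # Run each line through the IKE log patterns and collect findings.
    t = Triage()
    for line in log.splitlines():
        vid = VID_RE.search(line)
        if vid:
            if "nat-t" in vid["vid"].lower() and vid["action"] == "ignoring":
                t.natt_ignored = True
            continue
        st = STATE_RE.match(line)
        if not st:
            continue
        msg = st["msg"]
        t.natt_active = t.natt_active or st["port"] == "4500"
        if "ISAKMP SA established" in msg:
            t.phase1_established = True
        elif msg.startswith("Peer ID is "):
            t.peer_id = msg.split(": ", 1)[1].strip("'")
        elif "no connection is known for" in msg:
            t.refused_selector = parse_selector(msg)
            t.natt_active = t.natt_active or bool(t.refused_selector and t.refused_selector["udp4500"])
        elif "sending encrypted notification" in msg:
            t.notifications.append(msg.split("notification ", 1)[1].split(" to ")[0])
    t.findings = explain(t)
    return t
```

Calling `triage(SAMPLE_LOG).findings` on the posted log reports Phase 1 complete, the ignored NAT-T vendor ID, the Phase 2 refusal with INVALID_ID_INFORMATION, and that the gateway's own address (192.168.214.2) differs from the address the client used for it (88.96.228.109), which is the signature of a responder sitting behind a NAT router. On NATT_LOG the vendor-ID finding disappears because the exchange is already on UDP 4500; the selector mismatch remains, so enabling NAT-T alone does not make a conn match.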

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Whilst trying to investigate this I found in ipsec.conf:

config setup
nat_traversal=no

How do i change this to:

config setup
nat_traversal=yes

philipp
Posts: 119
Registered: Wed 07.02.2007, 15:44

Post by philipp »

Right-click the firewall on the left side in the manager and choose nat-traversal.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

This was ticked!

Ticking or un-ticking 'nat-traversal' does not change nat_traversal in ipsec.conf

Still shows:

config setup
nat_traversal=no

Please help

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

I have run:
change ipsec_nat_traversal 1
and:
show ipsec_nat_traversal

This now shows as on, and ipsec.conf shows 'yes'

However I am still having the error:

"rt2.monitor.york__GT__andrew.lemin_0"[1] :4500 #2: cannot respond to IPsec SA request because no connection is known for /32===:4500[C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=fw2.monitor.york, E=support@monitorsoft.com]:17/1701...88.96.193.65:4500[C=GB, ST=N.Yorkshire, L=York, O=Monitor Computer Systems Ltd., OU=Support, CN=andrew.lemin, E=support@monitorsoft.com]:17/%any
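For reference, the two halves of an ipsec.conf that would accept the request pluto keeps logging as unknown, as an added example and not the Securepoint appliance's generated file: the `config setup` switch this thread ended up changing by hand, with the weak setting left beside it, and a `conn` whose selectors mirror the logged proposal (UDP 1701 on the gateway's private address, any UDP port on the peer, a peer inner address drawn from a virtual private range). The syntax is Openswan/FreeS/WAN style, which the pluto log lines and the `config setup` fragment in this thread point to; the conn name, the certificate file name and the gateway LAN range 192.168.214.0/24 are placeholders, and whether the appliance's own configuration exposes these settings is not established by the thread.

```ini
# Added example, not the Securepoint appliance's generated ipsec.conf.
# Openswan/FreeS/WAN-style syntax. Placeholders: conn name, leftcert file
# name, and the gateway LAN 192.168.214.0/24 excluded from virtual_private.

config setup
    # The setting this thread found on the box. With "no", pluto ignores the
    # peer's NAT-T vendor IDs and never moves to UDP 4500, so a peer behind a
    # NAT (or this gateway behind its own NAT router) cannot complete Phase 2.
    #nat_traversal=no
    nat_traversal=yes
    # Inner addresses a road warrior may claim via rightsubnet=vhost:%priv.
    # The gateway's own LAN is excluded so a client cannot claim one of its
    # addresses and receive traffic meant for the LAN.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.214.0/24

# L2TP/IPsec road warriors authenticated by certificate. The selectors match
# the request pluto logged as unknown: UDP 1701 on the gateway's private
# address, any UDP port on the peer, peer inner address from virtual_private.
conn l2tp-cert
    type=transport
    authby=rsasig
    # Windows L2TP clients do not offer PFS, and the gateway should not
    # initiate rekeys towards a road warrior that may have gone away.
    pfs=no
    rekey=no
    # The gateway's own (private) address; the client addresses it by the
    # NAT router's public address, which NAT-T reconciles.
    left=192.168.214.2
    leftcert=fw2.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    # The peer's certificate must chain to the same CA as the gateway's.
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/%any
    # Accept a peer that is itself behind NAT (private inner address,
    # e.g. 192.168.200.34 in the log) as well as one that is not.
    rightsubnet=vhost:%priv,%no
    auto=add
```

Two practical notes on the NAT router in front of such a gateway. First, `config setup` is only read when the IPsec service starts, so changing `nat_traversal` requires a restart, not just a reload of the conn. Second, once IPsec is up, L2TP (UDP 1701) travels inside ESP, or inside UDP 4500 after NAT-T is negotiated, so the router only needs to forward UDP 500 and UDP 4500 (plus ESP passthrough for peers that do not support NAT-T); forwarding UDP 1701 directly to the gateway is not needed for the tunnel and exposes the bare L2TP service to anyone who skips IPsec.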

philipp
Posts: 119
Registered: Wed 07.02.2007, 15:44

Post by philipp »

can you send the configuration export to support@securepoint.de?

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

I have sent through the configuration file, a sample log output, and a basic description of our network layout for you.

Thank you very much for your help.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Could you confirm that you have received my email, if that is ok?
Thanks.

philipp
Posts: 119
Registered: Wed 07.02.2007, 15:44

Post by philipp »

I received it, I'll try to answer today...

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Thank you. I appreciate your time and help.
If you need anything at all please do not hesitate to email me.

Cheers.
