<div dir="ltr">Hi, <div><br></div><div>I have a VPN set up between libreswan (pluto+netkey) and racoon (racoon+netkey); the racoon is behind a NAT device. The negotiation somehow failed, saying "<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(0,0,0);color:rgb(41,249,20);font-family:'andale mono';font-size:18px">NAT-D payload #0 doesn't match</span>".</div>
<div><br></div><div>On the libreswan side, I have ipsec.conf</div><div><div>config setup</div><div> protostack=netkey</div><div> plutodebug=all</div><div> listen=10.2.128.240</div><div> dumpdir=/var/run/pluto</div><div>conn conn_vvr-0-ipsectunnel-0</div><div> authby=secret</div><div> left=10.2.128.240</div><div> right=10.2.128.241</div><div> ike=3des-sha1;modp1024</div><div> phase2alg=3des-sha1;modp1024</div><div> ikelifetime=28800s</div><div> salifetime=3600s</div><div> dpddelay=15</div><div> dpdtimeout=25</div><div> dpdaction=hold</div></div><div><div> leftsubnet=10.100.0.0/24</div><div> rightsubnet=10.100.1.0/24</div><div> type=tunnel</div><div> auto=start</div></div><div><br></div><div>On racoon, we have racoon.conf</div><div><div># Phase 1 (Main Mode) Configuration</div><div>remote 10.2.128.240 {</div><div> exchange_mode main;</div><div> proposal_check obey;</div><div> lifetime time 28800 seconds;</div><div> nat_traversal on;</div><div> #script "phase1-up.sh" phase1_up;</div><div> #script "phase1-down.sh" phase1_down;</div><div> dpd_delay 15; dpd_retry 5; dpd_maxfail 5;</div><div> proposal {</div><div> encryption_algorithm 3des;</div><div> hash_algorithm sha1;</div><div> dh_group modp1024;</div><div> authentication_method pre_shared_key;</div><div> }</div><div>}</div><div><br></div><div># Phase 2 (Quick Mode) Configuration/Proposal (for IPsec SA).</div><div>sainfo anonymous {</div><div> encryption_algorithm 3des;</div><div> authentication_algorithm hmac_sha1;</div><div> pfs_group modp1024;</div><div> lifetime time 3600 seconds;</div><div> compression_algorithm deflate;</div><div>}</div><div><br></div><div>listen {</div><div> isakmp 10.0.0.1[500];</div><div> isakmp_natt 10.0.0.1[4500];</div><div> strict_address;</div><div>}</div></div><div><br></div><div>Algorithms all match, but the third negotiation packet has a problem.</div><div><br></div><div>Log message on 
racoon:</div><div><div><br></div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.2.128.240[500] </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: begin Identity Protection mode. </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: DPD </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: FRAGMENTATION </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: RFC 3947 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Selected NAT-T version: RFC 3947 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2 </div><div><b>Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-D payload #0 doesn't match </b> </div><div>Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Hashing 10.2.128.240[500] with algo #2 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-D payload #1 verified </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT detected: ME </div><div>Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Hashing 10.2.128.240[500] with algo #2 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2 </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: Adding remote and local NAT-D payloads. 
</div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-T: ports changed to: 10.2.128.240[4500]<->10.0.0.1[4500] </div><div>Mar 30 19:47:02 testhost-601-1 racoon: INFO: KA list add: 10.0.0.1[4500]->10.2.128.240[4500] </div><div><b>Mar 30 19:47:52 testhost-601-1 racoon: ERROR: phase1 negotiation failed due to time up. 80b77211a2f1ddba:141872152ca7772f</b></div><div>Mar 30 19:47:52 testhost-601-1 racoon: INFO: KA remove: 10.0.0.1[4500]->10.2.128.240[4500] </div><div>Mar 30 19:47:58 testhost-601-1 racoon: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.2.128.240[500]</div></div><div>...</div><div><br></div><div>The log on the libreswan side is attached. </div><div><br></div><div>Can somebody help check if anything is wrong? Is this scenario even supported?</div><div><br></div><div><br></div><div>Thanks,</div><div>Xinwei</div><div><br></div></div>
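How racoon arrives at "NAT-D payload #0 doesn't match" followed by "NAT detected: ME", as an added Python example (not code from this thread or from either project): it computes the RFC 3947 NAT-D hashes both peers exchange in the third main-mode packet, using the ISAKMP cookies from the racoon error line and assuming that 10.2.128.241 (libreswan's right=) is the outside address of the NAT in front of racoon.

```python
import hashlib
import ipaddress
import struct

# ISAKMP cookies copied from the racoon "phase1 negotiation failed" line above
CKY_I = bytes.fromhex("80b77211a2f1ddba")
CKY_R = bytes.fromhex("141872152ca7772f")


def nat_d_hash(ip: str, port: int, cky_i: bytes = CKY_I, cky_r: bytes = CKY_R) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    HASH is the phase 1 hash algorithm; racoon's "algo #2" is SHA-1."""
    addr = ipaddress.ip_address(ip).packed          # 4 bytes (IPv4) or 16 (IPv6)
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def initiator_nat_d(local: tuple, peer: tuple) -> list:
    """Payload #0 hashes the destination as the sender sees it; #1 hashes the sender's own address."""
    return [nat_d_hash(*peer), nat_d_hash(*local)]


def responder_check(payloads: list, me: tuple, pkt_src: tuple) -> dict:
    """What racoon does on receipt: compare #0 with its own address, the rest with the packet source."""
    me_matches = payloads[0] == nat_d_hash(*me)
    peer_matches = any(p == nat_d_hash(*pkt_src) for p in payloads[1:])
    return {
        "payload0_matches": me_matches,
        "payload1_matches": peer_matches,
        "nat_detected_me": not me_matches,      # my address was rewritten on the way in
        "nat_detected_peer": not peer_matches,  # peer's source address was rewritten
        "float_to_4500": not (me_matches and peer_matches),
    }


def reproduce_log() -> dict:
    """The exchange from the racoon log: libreswan at 10.2.128.240 reaches racoon through
    a NAT whose outside address is assumed to be 10.2.128.241 (libreswan's right=)."""
    libreswan = ("10.2.128.240", 500)
    nat_outside = ("10.2.128.241", 500)   # assumption: what libreswan sees as the peer
    racoon = ("10.0.0.1", 500)            # racoon's own listen address behind the NAT
    payloads = initiator_nat_d(local=libreswan, peer=nat_outside)
    # the NAT rewrites only the destination on the way in; the source stays 10.2.128.240
    return responder_check(payloads, me=racoon, pkt_src=libreswan)


if __name__ == "__main__":
    for key, value in reproduce_log().items():
        print(f"{key}: {value}")
```

A #0 mismatch on the responder is the expected result of its own address being rewritten by the NAT, not a configuration error; from that point both peers move to UDP 4500, which is why the log shows "ports changed to" 4500 before the later time-out.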