[Openswan Users] Openswan and L2TP Problem !

Stanislav Nedelchev stanislav.nedelchev at gmail.com
Thu Jun 2 23:52:16 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is my problem:
it worked from my home for a while and now it's not working,
but my colleague has never been able to connect.
We are using WinXP SP2 as the VPN client.
Where could the problem be?

Thanks in Advance.

root at fw:~# tcpdump -n -f -i eth0 host 84.252.57.99
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:18.894628 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
1 I ident
18:02:18.896515 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
1 R ident
18:02:19.128649 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
1 I ident
18:02:19.225235 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
1 R ident
18:02:19.323317 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
1 I ident[E]
18:02:19.325528 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
1 R ident[E]
18:02:19.364660 IP 84.252.57.99 > 213.91.208.250: udp
18:02:19.420126 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I oakley-quick[E]
18:02:19.425628 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R oakley-quick[E]
18:02:19.467523 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I oakley-quick[E]
18:02:19.474631 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x1)
18:02:19.478614 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:02:20.478615 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:02:20.481420 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x2)
18:02:20.485501 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 ZLB
18:02:21.478825 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:02:22.516747 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x3)
18:02:26.561328 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x4)
18:02:34.475383 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x5)
18:02:44.482796 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x6)
18:02:54.504596 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I inf[E]
18:02:54.506424 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R inf[E]
18:02:54.510630 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I inf[E]
18:02:54.613795 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R inf[E]


root at fw:~# tcpdump -n -f -i ipsec0 host 84.252.57.99
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
18:03:44.588528 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:45.592545 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:47.587679 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:47.592293 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 ZLB
18:03:47.592512 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x1)
18:03:47.598581 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:03:47.598797 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x2)
18:03:48.598769 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:03:48.599007 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x3)
18:03:49.608666 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:49.608877 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x4)
18:03:50.608773 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:50.608982 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x5)
18:03:51.590446 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:51.595079 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 ZLB
18:03:51.595288 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x6)
18:03:51.618544 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:51.618747 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x7)
18:03:52.618589 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:52.618796 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x8)
18:03:53.618756 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:53.618967 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x9)



Here are the configuration files.

root at fw:~# cat /etc/l2tpd/l2tpd.conf
 [global]
 port = 1701
 access control = no
 rand source = dev
 [lns default]
 exclusive = no
 ip range = 192.168.0.200-192.168.0.250
 local ip = 192.168.0.3
 require chap = yes
 refuse pap = yes
 ppp debug = yes
 pppoptfile = /etc/ppp/options.l2tpd
 length bit = yes



root at fw:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        # def interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
         plutoload=%search
         plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16


# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        # def disablearrivalcheck=no
        # def authby=rsasig
        # def leftrsasigkey=%dns
        # rightrsasigkey=%dns


conn RoadWar
        left= 213.91.208.250
        leftnexthop= 213.91.208.249
        authby=secret
        auto=add
        keyingtries=1
        pfs=no
        right=%any
        leftprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701



root at fw:~# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
#ms-dns  192.168.0.10
#ms-wins 192.168.0.10
#noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
#nodefaultroute
debug
lock
proxyarp
connect-delay 5000
#silent
logfd 2
logfile /var/log/l2tpd.log
root at fw:~#

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCn2NvI1Upp0RIqpERAgiRAJ9QrlMn/KhM62y742+QBBesubWPwwCgmrg/
5BQ2UA5K1CubpYcy9Oz3NuQ=
=In/S
-----END PGP SIGNATURE-----

