[Openswan Users] Fedora - L2TPD - XP-SP2 Openswan/IPSec problem

Panics Robert pampi at 6b0ne.hu
Thu Nov 1 12:03:04 EDT 2007


Hello.

I've got a problem with my Fedora 6 (2.6.22.9-61.fc6) distribution and
openswan-2.4.5-2.1.

I need to create an L2TPD connection from an XP machine. Both the VPN server
and the client have external (public) IP addresses.

I tried to follow this howto, http://www.natecarlson.com/linux/ipsec-l2tp.php,
but when I copied host.example.com.key to /etc/ipsec.d/private and
restarted the service, I got an error in secure.log:

Nov  1 12:43:09 devel pluto[28420]:   loaded private key file
'/etc/ipsec.d/private/host.example.com.key' (741 bytes)
Nov  1 12:43:09 devel pluto[28420]:   error in PKCS#1 private key
Nov  1 12:43:09 devel pluto[28420]: "/etc/ipsec.secrets" line 1: error
loading RSA private key file

Then I went back to the howto and (if I am right) recognized that the
"nate at example:~/sslca$ mv newreq.pem host.example.com.key" command should be
"nate at example:~/sslca$ mv newkey.pem host.example.com.key", and also that I
should change the pkcs12 conversion to use the new key from newkey.pem. I
imported the resulting host.example.com.p12 file to my XP computer.

Now the service starts up, but when I try to connect, the Windows client
gives me Error 786, which is specified as a certificate error.
So I checked the Windows XP MMC console, and I see the file is in the right
place under Local Computer certificates, and it says that there is also a
private key for that certificate.

So I checked the log on the server side and got this:

Nov  1 16:41:39 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  1 16:41:39 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
STATE_MAIN_R1: sent MR1, expecting MI2
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
STATE_MAIN_R2: sent MR2, expecting MI3
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
next payload type of ISAKMP Hash Payload has an unknown value: 104
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
malformed payload in packet
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
sending notification PAYLOAD_MALFORMED to 213.16.83.1:500
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
next payload type of ISAKMP Hash Payload has an unknown value: 56
Nov  1 16:41:40 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
malformed payload in packet
Nov  1 16:42:50 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1 #5:
max number of retransmissions (2) reached STATE_MAIN_R2
Nov  1 16:42:50 devel pluto[31155]: "roadwarrior-l2tp"[2] 213.16.83.1:
deleting connection "roadwarrior-l2tp" instance with peer 213.16.83.1
{isakmp=#0/ipsec=#0}

Here is what my ipsec.conf looks like:

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=192.168.100.1/24
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/host.example.com.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

conn roadwarrior-l2tp
    type=transport
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/host.example.com.pem
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightprotoport=17/1701
    pfs=no
    auto=add

conn roadwarrior-l2tp-oldwin
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/host.example.com.pem
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    pfs=no
    auto=add

/etc/ipsec.secrets
: RSA host.example.com.key "123456"

I searched Google for that error but did not find much. Does anyone have any idea?
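
A pre-flight check for the first error in the post ("error in PKCS#1 private key"), which is what pluto reports when the file in /etc/ipsec.d/private is not the PKCS#1 key it expects, for instance when the howto's `mv newreq.pem` step puts the CSR in place of newkey.pem. This is added example code, not from the thread or from Openswan; it uses only the Python standard library, inspects the PEM label and the start of the RSAPrivateKey structure, and the sample PEM strings and 16-bit modulus are constructed, not real keys.

```python
import base64
import re
import sys

# One PEM block; group 1 is the label (RSA PRIVATE KEY, CERTIFICATE REQUEST, ...).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, headers, der_bytes) for each PEM block found in text."""
    out = []
    for m in PEM_RE.finditer(text):
        label, lines, headers = m.group(1), m.group(2).strip().splitlines(), {}
        while lines and ":" in lines[0]:          # RFC 1421 headers (Proc-Type, DEK-Info)
            k, v = lines.pop(0).split(":", 1)
            headers[k.strip()] = v.strip()
        out.append((label, headers, base64.b64decode("".join(l.strip() for l in lines))))
    return out

def der_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Bit length of n in an unencrypted PKCS#1 RSAPrivateKey, or None if it is not one."""
    try:
        tag, pos, _ = der_tlv(der, 0)             # RSAPrivateKey ::= SEQUENCE {
        if tag != 0x30:
            return None
        tag, vs, ve = der_tlv(der, pos)           #   version INTEGER,
        if tag != 0x02:
            return None
        tag, vs, ve = der_tlv(der, ve)            #   modulus INTEGER n, ...
        return int.from_bytes(der[vs:ve], "big").bit_length() if tag == 0x02 else None
    except IndexError:                            # truncated file
        return None

def check_key_file(text):
    """Classify what was dropped into /etc/ipsec.d/private before pluto loads it."""
    blocks = pem_blocks(text)
    if not blocks:
        return "no-pem"
    label, headers, der = blocks[0]
    if label == "CERTIFICATE REQUEST":
        return "csr"                              # newreq.pem copied instead of newkey.pem
    if label == "PRIVATE KEY":
        return "pkcs8"                            # PKCS#8 container, not the PKCS#1 form
    if label != "RSA PRIVATE KEY":
        return "unexpected:" + label
    if "DEK-Info" in headers:
        return "pkcs1-encrypted"                  # needs the passphrase from ipsec.secrets
    bits = rsa_modulus_bits(der)
    return "pkcs1-%d" % bits if bits else "pkcs1-malformed"

# Constructed samples (not real keys): a minimal RSAPrivateKey prefix with a 16-bit n, and a CSR label.
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % (
    base64.b64encode(bytes.fromhex("300d020100020300c3a50203010001")).decode())
SAMPLE_CSR_PEM = "-----BEGIN CERTIFICATE REQUEST-----\nMAA=\n-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    print(check_key_file(open(sys.argv[1]).read()))    # usage: check_key.py host.example.com.key
```

Run it against the file named in ipsec.secrets: anything other than a `pkcs1-...` verdict explains the pluto message without restarting the service.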
