<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.emailstyle17
        {font-family:Arial;
        color:windowtext;}
span.EmailStyle19
        {font-family:Arial;
        color:navy;}
@page Section1
        {size:595.3pt 841.9pt;
        margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-GB link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>I know that this was requested MANY times
on MANY forums/mailing lists, but I still have to find a solution for this
problem.</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>I want to set up IPCop so
it permits a connection to the GREEN network only through a VPN connection to
the laptop (which is a standalone machine, not connected to a network).</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>My configuration is:</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>WinXPSP2 Laptop --> Access point --> IPCop Box (blue)
--> IPCop box green</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>192.168.1.110
192.168.1.100
192.168.0.199</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>The laptop gets its
address from the blue interface's DHCP</span></font><font color=navy face=Arial><span
style='font-family:Arial;color:navy'>.</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>I have set up the certificates
with IPCop and the laptop VPN connection according to: <a
href="http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html">http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html</a></span></font><font
color=navy face=Arial><span style='font-family:Arial;color:navy'>.</span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Windows XP tries to
connect, but times out after a while: “error 792: The
L2TP connection attempt failed because security negotiation timed out”.</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>On the IPCop box:</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><i><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-style:italic'>Mar 18 </span></font></i><i><span style='font-style:italic'>14:43:03</span></i><i><span style='font-style:italic'>
ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: cannot respond to
IPsec SA request because no connection is known for 192.168.1.100[C=</span></i><i><span
style='font-style:italic'>UK</span></i><i><span style='font-style:italic'>,
O=Initiative, CN=initiative.localdomain]:17/1701...192.168.1.110[C=</span></i><i><span
style='font-style:italic'>UK</span></i><i><span style='font-style:italic'>,
O=Initiative, CN=Piero Laptop]:17/1701</span></i></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Output from ipsec auto
--status:</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>[...]</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>000 "Laptop": 192.168.0.0/24===192.168.1.100[C=</span></font>UK,
O=Initiative, CN=initiative.localdomain]...%virtual[C=UK, O=Initiative,
CN=Piero Laptop]</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>[...]</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>This is different from
everything I have seen looking around: it looks like the Windows client is
trying to negotiate:</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>192.168.1.100 <-> 192.168.1.110</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>instead of:</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>192.168.0.0/24===192.168.1.100 <-> 192.168.1.110</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>so the connection does
not match anything in ipsec.conf.</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>This is my
/etc/ipsec.conf (automatically generated by IPCop)</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>config setup</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> interfaces=ipsec0=eth2</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> klipsdebug=none</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> plutodebug=none</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> plutoload=%search</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> plutostart=%search</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> uniqueids=yes</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> nat_traversal=yes</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/255.255.255.0,%v4:!192.168.1.0/255.255.255.0</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>conn %default</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> keyingtries=0</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> disablearrivalcheck=no</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>conn Laptop</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> left=192.168.1.100</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> leftsubnet=192.168.0.0/24</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> leftcert=/var/ipcop/certs/hostcert.pem</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> right=%any</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> rightsubnet=vhost:%no,%priv</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> rightcert=/var/ipcop/certs/Laptopcert.pem</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> authby=rsasig</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> auto=add</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>That should mean that the
blue interface (left=192.168.1.100) should allow from any IP address
(right=%any) a connection to the green subnet (leftsubnet=192.168.0.0/24)
through the VPN.</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>On the IPCop box message
log:</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: packet from
192.168.1.110:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: packet from
192.168.1.110:500: ignoring Vendor ID payload [FRAGMENTATION]</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: packet from
192.168.1.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: packet from
192.168.1.110:500: ignoring Vendor ID payload
[26244d38eddb61b3172a36e3d0cfb819]</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: responding to Main Mode from unknown peer 192.168.1.110</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: transition from state (null) to state STATE_MAIN_R1</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
no NAT detected</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:02 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:03 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, O=Initiative,
CN=Piero Laptop'</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:03 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:03 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: sent MR3, ISAKMP SA established</p>
<p class=MsoPlainText><b><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-weight:bold'>Mar 18 </span></font></b><b><span style='font-weight:bold'>14:43:03</span></b><b><span style='font-weight:bold'>
ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: cannot respond to
IPsec SA request because no connection is known for 192.168.1.100[C=</span></b><b><span
style='font-weight:bold'>UK</span></b><b><span style='font-weight:bold'>,
O=Initiative, CN=initiative.localdomain]:17/1701...192.168.1.110[C=</span></b><b><span
style='font-weight:bold'>UK</span></b><b><span style='font-weight:bold'>,
O=Initiative, CN=Piero Laptop]:17/1701</span></b></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:03 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: sending encrypted notification INVALID_ID_INFORMATION to
192.168.1.110:500</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:03 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: Quick Mode I1 message is unacceptable because it uses a
previously used Message ID 0xbfa9483d (perhaps this is a duplicated packet)</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:03 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.1.110:500</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:05 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: Quick Mode I1 message is unacceptable because it uses a
previously used Message ID 0xbfa9483d (perhaps this is a duplicated packet)</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:05 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.1.110:500</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:09 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: Quick Mode I1 message is unacceptable because it uses a
previously used Message ID 0xbfa9483d (perhaps this is a duplicated packet)</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'>Mar 18 </span></font>14:43:09 ipcop pluto[695]: "Laptop"[1]
192.168.1.110 #1: sending encrypted notification INVALID_MESSAGE_ID to
192.168.1.110:500</p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>Another strange thing: it
seems that the VPN server sends some messages back to the Windows machine (<u>which
receives them; I see them with Ethereal</u>), but the Windows machine ignores
them and keeps retrying the same message (and getting back an error, as
the message is a duplicate).</span></font></p>
<p class=MsoPlainText><font size=2 face="Courier New"><span style='font-size:
10.0pt'> </span></font></p>
<p class=MsoPlainText><font size=2 color=blue face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:blue'>I hope that someone is
able to help me</span></font><font color=navy face=Arial><span
style='font-family:Arial;color:navy'>.</span></font></p>
<p class=MsoPlainText><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>
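<p class=MsoPlainText>Added example (not from the original post, IPCop or FreeS/WAN): a small Python checker that parses the bold "cannot respond to IPsec SA request" pluto line and the generated ipsec.conf conn, and reports which selectors the conn lacks for what the Windows client actually proposes (host-to-host, protocol 17 port 1701, i.e. UDP L2TP, rather than the 192.168.0.0/24 tunnel). It assumes the IPsec stack recognises the leftprotoport/rightprotoport keywords (Openswan and x509-patched FreeS/WAN do); the sample conn and log line are constructed from the post.</p>

```python
import re
# Constructed sample input: the conn from the post (trimmed) and the failing pluto line.
IPSEC_CONF = """\
conn Laptop
 left=192.168.1.100
 leftsubnet=192.168.0.0/24
 right=%any
 rightsubnet=vhost:%no,%priv
 authby=rsasig
"""
LOG_LINE = ('Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: '
            'cannot respond to IPsec SA request because no connection is known for '
            '192.168.1.100[C=UK, O=Initiative, CN=initiative.localdomain]:17/1701'
            '...192.168.1.110[C=UK, O=Initiative, CN=Piero Laptop]:17/1701')

def _end(p):
    """One endpoint as pluto prints it: optional "subnet===", host, [ID], optional ":proto/port"."""
    return (r'(?:(?P<%snet>[\d.]+/\d+)===)?(?P<%shost>[\d.]+)\[[^\]]*\]'
            r'(?::(?P<%spp>\d+/\d+))?') % (p, p, p)

REQ_RE = re.compile(r'no connection is known for ' + _end('l') + r'\.\.\.' + _end('r'))

def parse_request(line):
    """Traffic selectors the peer proposed, or None if this is not a 'cannot respond' line."""
    m = REQ_RE.search(line)
    return m.groupdict() if m else None

def parse_conns(text):
    """Minimal ipsec.conf reader: {conn name: {key: value}}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('conn '):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and '=' in line:
            k, v = line.split('=', 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def diagnose(log_line, conf_text):
    """Per conn, list why the proposed selectors can never match it."""
    req = parse_request(log_line)
    findings = {}
    for name, c in (parse_conns(conf_text).items() if req else []):
        problems = []
        # A bare host on the left means the peer wants transport mode, not a tunnel to a subnet.
        if req['lnet'] is None and 'leftsubnet' in c:
            problems.append('peer proposed no left subnet; conn has leftsubnet=%s' % c['leftsubnet'])
        # The peer pinned the SA to proto/port (17/1701 is UDP L2TP); the conn must say the same.
        for side, key in (('l', 'leftprotoport'), ('r', 'rightprotoport')):
            if req[side + 'pp'] and c.get(key) != req[side + 'pp']:
                problems.append('peer proposed %s=%s; conn has %s' % (key, req[side + 'pp'], c.get(key, 'nothing')))
        findings[name] = problems
    return findings
```

<p class=MsoPlainText>Running <tt>diagnose(LOG_LINE, IPSEC_CONF)</tt> lists three mismatches for conn Laptop: the unwanted leftsubnet and the missing leftprotoport/rightprotoport.</p>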
</div>
</body>
</html>