<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2722" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>I'm having trouble
getting Openswan to communicate with a Windows XP SP2 client (not NATed). I can
get it to connect using just an IPSec connection (ipsec.exe over a standard
tunnel connection), however it can not connect using Windows' L2TP/IPSec
connection (over a transport connection).</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>My default
settings in ipsec.conf are:</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>conn
%default</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
keyingtries=3</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
compress=yes</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
disablearrivalcheck=no</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
authby=rsasig</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
leftrsasigkey=%cert</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
rightrsasigkey=%cert</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>I have tested
using the Windows ipsec.exe command to connect to a tunnel connection set up as
follows:</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>conn
standard</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
type=tunnel</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
left=<external IP></FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
leftcert=<PEM file></FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
leftsubnet=<internal IP Subnet></FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
right=%any</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
rightsubnet=vhost:%no,%priv</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
pfs=yes</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
auto=add</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>I have tested
using the Windows L2TP/IPSec VPN Client to connect to a transport connection set
up as follows:</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>conn
l2tp</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
type=transport</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
left=<external IP></FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
leftcert=<PEM file></FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
leftprotoport=17/1701</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
right=%any</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
rightprotoport=17/1701</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
pfs=no</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
auto=add</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>Basically, I am
logging and allowing all the traffic that comes through using the following
IPtables scripts:</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>#Mark encrypted
packets</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>/sbin/iptables -t
mangle -A PREROUTING -i $IFEXTERN -p 50 -j MARK --set-mark 1</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>#Log and accept
encrypted packets to host</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>/sbin/iptables -A
INPUT -i $IFEXTERN -m mark --mark 1 -j LOG --log-prefix "Marked Traffic: "
--log-level notice --log-tcp-options --log-ip-options</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>/sbin/iptables -A
INPUT -i $IFEXTERN -m mark --mark 1 -j ACCEPT</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>#Log and accept
encrypted packets to internal network</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>/sbin/iptables -A
FORWARD -i $IFEXTERN -o $IFINTERN -m mark --mark 1 -j LOG --log-prefix "Marked
Internal Traffic: " --log-level notice --log-tcp-options
--log-ip-options</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>/sbin/iptables -A
FORWARD -i $IFEXTERN -o $IFINTERN -m mark --mark 1 -j ACCEPT</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>When using the
IPSec only connection (conn standard via ipsec.exe), the ESP packets show up as
marked as well as the actual packets contained in these ESP packets, i.e.
the encrypted packets show up as well as the decrypted packets. This is good, it
means the packets have been successfully decrypted and that the packets are
being delivered.</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>My problem is
that when using the L2TP/IPSec connection (conn l2tp via L2TP/IPSec VPN
Connection), the ESP packets show up as marked but I see no reference to the
packets contained in these ESP packets, i.e. the decrypted packets are not
showing up. This is bad because to me, this means that the packets are not being
successfully decrypted and that nothing is being delivered.</FONT></SPAN></DIV>
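<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>As an added example (not part of Mark's post), here is a Python check that automates the comparison he is doing by eye: it parses the kernel LOG lines produced by the "Marked Traffic:" rule above, and for each client source counts the marked ESP packets against the marked decrypted packets that re-enter the firewall after decapsulation. A source with ESP but no decrypted packets is the L2TP symptom; a source whose decrypted packets carry udp/1701 shows the L2TP payload did come out of the SA. The log lines and addresses are constructed samples in the shape of the kernel's iptables LOG output.</FONT></SPAN></DIV>

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the kernel LOG output that the
# "Marked Traffic:" rule in the post produces (documentation-range addresses).
SAMPLE_LOG = """\
Sep 15 10:01:03 gw kernel: Marked Traffic: IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.1 LEN=152 PROTO=ESP SPI=0x5e6f7a8b
Sep 15 10:01:03 gw kernel: Marked Traffic: IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.1 LEN=168 PROTO=ESP SPI=0x5e6f7a8b
Sep 15 10:01:04 gw kernel: Marked Traffic: IN=eth0 OUT= SRC=203.0.113.30 DST=198.51.100.1 LEN=140 PROTO=ESP SPI=0x9c0d1e2f
Sep 15 10:01:04 gw kernel: Marked Traffic: IN=eth0 OUT= SRC=203.0.113.30 DST=198.51.100.1 LEN=112 PROTO=UDP SPT=1701 DPT=1701 LEN=92
Sep 15 10:01:05 gw kernel: Marked Traffic: IN=eth0 OUT= SRC=203.0.113.40 DST=198.51.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(r"Marked (?:Internal )?Traffic: (?P<fields>.*)$")

def parse_fields(line):
    """Return the KEY=VALUE fields of one marked-traffic log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the outer LEN, not the UDP LEN
    return fields

def decapsulation_report(log_text):
    """Per client source: (ESP packets seen, decrypted packets seen, verdict).
    ESP with zero decrypted packets is the L2TP symptom described in the post."""
    counts = defaultdict(lambda: {"esp": 0, "dec": 0, "l2tp": 0})
    for line in log_text.splitlines():
        f = parse_fields(line)
        if not f or "SRC" not in f:
            continue
        src = f["SRC"]
        if f.get("PROTO") == "ESP":
            counts[src]["esp"] += 1        # outer, still-encrypted packet
        else:
            counts[src]["dec"] += 1        # re-injected decrypted packet
            if f.get("DPT") == "1701":     # the L2TP control/data channel
                counts[src]["l2tp"] += 1
    report = {}
    for src, c in counts.items():
        if c["esp"] and not c["dec"]:
            verdict = "ESP received, nothing decapsulated"
        else:
            verdict = "L2TP decapsulated" if c["l2tp"] else "decrypted, but no udp/1701"
        report[src] = (c["esp"], c["dec"], verdict)
    return report
```

Run it against /var/log/messages (or wherever the kernel LOG target lands) instead of SAMPLE_LOG to get the per-client verdict for a real session.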
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>My L2TP daemon
running on the same machine is sitting idle and not receiving any packets
requesting the initiation of an L2TP session so I can not see how there is any
problem with the L2TP server, this definitely seems to be a problem with getting
the L2TP packets out of the IPSec connection.</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>Because the ESP
packets are being received and I also see "STATE_QUICK_R2: IPSec SA established"
message in the /var/log/secure log, I am assuming that the tunnel has been set
up successfully, just nothing is being delivered through the
tunnel!</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>Is there any
reason that the packets would then not be being decrypted
properly?</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>If I haven't
mentioned it before, I am running on RHEL 4 with native 26sec on kernel
2.6.9-11.EL and tested this on both openswan 2.3.1 (AT RPM from rpmfind.net) and
openswan 2.4.0 (built manually via RPM using SPEC file from
openswan.2.3.0-1.rhel.src.rpm on <A
href="http://www.openswan.org">http://www.openswan.org</A>)</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>Not sure if this
is related, but when I disconnect the IPSec only connection (conn standard via
ipsec.exe), Openswan successfully removes the route from /sbin/route and also
the connection details from setkey -D and setkey -DP.</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>/var/log/secure
shows the following when this occurs:</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
received Delete SA(...) payload: deleting IPSEC State #2</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
deleting connection "standard" instance with peer <client IP address>
{isakamp=#0/ipsec=#0}</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
received and ignored informational message</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
received Delete SA payload: deleting ISAKMP State #1</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>When I disconnect
the L2TP/IPSec connection (conn l2tp via L2TP/IPSec Client), the route still
exists in /sbin/route as do the connection details in setkey -D and setkey
-DP.</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>/var/log/secure
shows the following when this occurs:</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
packet from <client IP address>:500: Informational Exchange is for an
unknown (expired?) SA</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
received Delete SA payload: deleting ISAKMP State #3</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
packet from <client IP address>:500: received and ignored informational
message</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>
packet from <client IP address>:500: Informational Exchange is for an
unknown (expired?) SA</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>Any ideas would be greatly
appreciated!?!?!</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>If there is any more information that you
need me to send, let me know...</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana size=2>Thanks in advance,</FONT></SPAN></DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=730183008-15092005><FONT face=Verdana
size=2>Mark</FONT></SPAN></DIV></BODY></HTML>