<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi I´ve got a few problems connecting a nated XP using l2tp. The
connection is up and I can ping computers on the corporate lan but when
I for example try to ssh to our database server I get time out, also
samba shares doesn´t work. I get this error message: <b>ERROR:
asynchronous network error report on eth0 (sport=4500)<br>
</b>When browsing through the mailinglist I saw a recomendation to use
leftnexthop, I´ve tried it but it doesn´t work.<br>
<br>
I had no problems when I had another gw with RedHat 9 2.4.20-30.9 and
Openswan-2.1.4 I´ve tried the same ipsec.conf configuration that I had
on that computer with no success.<br>
<br>
In /var/log/secure<br>
Nov 21 22:12:43 dns pluto[9762]: Starting Pluto (Openswan Version 2.4.4
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OEz}FFFfgr_e)<br>
Nov 21 22:12:43 dns pluto[9762]: Setting NAT-Traversal port-4500
floating to on<br>
Nov 21 22:12:43 dns pluto[9762]: port floating activation criteria
nat_t=1/port_fload=1<br>
Nov 21 22:12:43 dns pluto[9762]: including NAT-Traversal patch
(Version 0.6c)<br>
Nov 21 22:12:43 dns pluto[9762]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)<br>
Nov 21 22:12:43 dns pluto[9762]: starting up 1 cryptographic helpers<br>
Nov 21 22:12:43 dns pluto[9762]: started helper pid=9763 (fd:6)<br>
Nov 21 22:12:43 dns pluto[9762]: Using KLIPS IPsec interface code on
2.6.12<br>
Nov 21 22:12:43 dns pluto[9762]: Changing to directory
'/etc/ipsec.d/cacerts'<br>
Nov 21 22:12:43 dns pluto[9762]: loaded CA cert file 'cacert.pem'
(1273 bytes)<br>
Nov 21 22:12:43 dns pluto[9762]: Changing to directory
'/etc/ipsec.d/aacerts'<br>
Nov 21 22:12:43 dns pluto[9762]: Changing to directory
'/etc/ipsec.d/ocspcerts'<br>
Nov 21 22:12:43 dns pluto[9762]: Changing to directory
'/etc/ipsec.d/crls'<br>
Nov 21 22:12:43 dns pluto[9762]: loaded crl file 'crl.pem' (516 bytes)<br>
Nov 21 22:12:44 dns pluto[9762]: loaded host cert file
'/etc/ipsec.d/certs/openswan.gw.pem' (3674 bytes)<br>
Nov 21 22:12:44 dns pluto[9762]: added connection description
"roadwarrior-l2tp-x509"<br>
Nov 21 22:12:44 dns pluto[9762]: loaded host cert file
'/etc/ipsec.d/certs/openswan.gw.pem' (3674 bytes)<br>
Nov 21 22:12:45 dns pluto[9762]: listening for IKE messages<br>
Nov 21 22:12:45 dns pluto[9762]: adding interface ipsec0/eth0
195.67.60.45:500<br>
Nov 21 22:12:45 dns pluto[9762]: adding interface ipsec0/eth0
195.67.60.45:4500<br>
Nov 21 22:12:45 dns pluto[9762]: loading secrets from
"/etc/ipsec.secrets"<br>
Nov 21 22:12:45 dns pluto[9762]: loaded private key file
'/etc/ipsec.d/private/openswan.gw.key' (1671 bytes)<br>
Nov 21 22:12:52 dns pluto[9762]: packet from 81.234.233.202:500:
ignoring Vendor ID payload [FRAGMENTATION]<br>
Nov 21 22:12:52 dns pluto[9762]: packet from 81.234.233.202:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106<br>
Nov 21 22:12:52 dns pluto[9762]: packet from 81.234.233.202:500:
ignoring Vendor ID payload [Vid-Initial-Contact]<br>
Nov 21 22:12:52 dns pluto[9762]: "roadwarrior-l2tp-x509"[1]
81.234.233.202 #3: responding to Main Mode from unknown peer
81.234.233.202<br>
Nov 21 22:12:52 dns pluto[9762]: "roadwarrior-l2tp-x509"[1]
81.234.233.202 #3: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>
Nov 21 22:12:52 dns pluto[9762]: "roadwarrior-l2tp-x509"[1]
81.234.233.202 #3: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1]
81.234.233.202 #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1]
81.234.233.202 #3: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1]
81.234.233.202 #3: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1]
81.234.233.202 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE,
ST=Stockholm, O=Test AB, CN=Test Jupps, E=test@test-se'<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #3: deleting connection "roadwarrior-l2tp-x509" instance
with peer 81.234.233.202 {isakmp=#0/ipsec=#0}<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #3: I am sending my cert<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #3: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3<br>
Nov 21 22:12:53 dns pluto[9762]: | NAT-T: new mapping
81.234.233.202:500/4500)<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #4: responding to Quick Mode {msgid:de278ffa}<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #4: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA
installed, expecting QI2<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #4: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2<br>
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2]
81.234.233.202 #4: STATE_QUICK_R2: IPsec SA established
{ESP=>0xabdce443 <0xd2a3d59c xfrm=3DES_0-HMAC_MD5
NATD=81.234.233.202:4500 DPD=none}<br>
Nov 21 22:13:37 dns pluto[9762]: ERROR: asynchronous network error
report on eth0 (sport=4500) for message to 81.234.233.202 port 4500,
complainant 195.67.60.45: No route to host [errno 113, origin ICMP type
11 code 1 (not authenticated)]<br>
<br>
/var/log/messages<br>
Nov 21 15:27:03 dns l2tpd[2073]: setsockopt recvref: Protocol not
available<br>
Nov 21 15:27:03 dns l2tpd[2073]: This binary does not support kernel
L2TP.<br>
Nov 21 15:27:03 dns l2tpd[2074]: l2tpd version xl2tpd-1.1.05 started on
dns.cyberstore.se PID:2074<br>
Nov 21 15:27:03 dns l2tpd[2074]: Written by Mark Spencer, Copyright (C)
1998, Adtran, Inc.<br>
Nov 21 15:27:03 dns l2tpd[2074]: Forked by Scott Balmos and David
Stipp, (C) 2001<br>
Nov 21 15:27:03 dns l2tpd[2074]: Inherited by Jeff McAdams, (C) 2002<br>
Nov 21 15:27:03 dns l2tpd[2074]: Listening on IP address 0.0.0.0, port
1701<br>
Nov 21 22:12:55 dns l2tpd[2074]: Connection established to
81.234.233.202, 1701. Local: 56619, Remote: 4 (ref=0/0). LNS session
is 'default'<br>
Nov 21 22:12:55 dns pppd[10142]: pppd 2.4.2 started by root, uid 0<br>
Nov 21 22:12:55 dns l2tpd[2074]: Call established with 81.234.233.202,
Local: 58598, Remote: 1, Serial: 0<br>
Nov 21 22:12:55 dns pppd[10142]: Using interface ppp0<br>
Nov 21 22:12:55 dns pppd[10142]: Connect: ppp0 <--> /dev/pts/1<br>
Nov 21 22:12:55 dns pppd[10142]: Unsupported protocol 'Compression
Control Protocol' (0x80fd) received<br>
Nov 21 22:12:55 dns pppd[10142]: found interface eth1 for proxy arp<br>
Nov 21 22:12:55 dns pppd[10142]: local IP address 192.168.31.34<br>
Nov 21 22:12:55 dns pppd[10142]: remote IP address 192.168.31.36<br>
Nov 21 22:13:18 dns kernel: eth1: Promiscuous mode enabled.<br>
Nov 21 22:13:18 dns kernel: device eth1 entered promiscuous mode<br>
Nov 21 22:13:22 dns kernel: device eth1 left promiscuous mode<br>
Nov 21 22:16:11 dns pppd[10142]: LCP terminated by peer (X
2M-W^@<M-Mt^@^@^@^@)<br>
Nov 21 22:16:11 dns l2tpd[2074]: control_finish: Connection closed to
81.234.233.202, serial 0 ()<br>
Nov 21 22:16:11 dns pppd[10142]: Terminating on signal 15.<br>
Nov 21 22:16:11 dns pppd[10142]: Modem hangup<br>
Nov 21 22:16:11 dns pppd[10142]: Connection terminated.<br>
Nov 21 22:16:11 dns pppd[10142]: Connect time 3.3 minutes.<br>
Nov 21 22:16:11 dns pppd[10142]: Sent 6109 bytes, received 4032 bytes.<br>
Nov 21 22:16:11 dns pppd[10142]: Connect time 3.3 minutes.<br>
Nov 21 22:16:11 dns pppd[10142]: Sent 6109 bytes, received 4032 bytes.<br>
Nov 21 22:16:11 dns pppd[10142]: Exit.<br>
Nov 21 22:16:11 dns l2tpd[2074]: control_finish: Connection closed to
81.234.233.202, port 1701 (), Local: 56619, Remote: 4<br>
<br>
<br>
First I tried with the roadwarrior configs that has a # infront of them
and yesterday I tried the one which is active in this config but its
the same result<br>
my ipsec.conf:<br>
version 2.0<br>
<br>
config setup<br>
interfaces=%defaultroute<br>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.31.0/24<br>
nat_traversal=yes<br>
overridemtu=1300<br>
<br>
conn %default<br>
keyingtries=1<br>
compress=yes<br>
disablearrivalcheck=no<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
<br>
#conn roadwarrior-net<br>
# leftsubnet=192.168.31.0/24<br>
# also=roadwarrior<br>
<br>
#conn roadwarrior<br>
# left=%defaultroute<br>
# leftnexthop=195.67.60.1<br>
# leftcert=openswan.gw.pem<br>
# right=%any<br>
# rightsubnet=vhost:%no,%priv<br>
# auto=add<br>
# pfs=yes<br>
<br>
#conn roadwarrior-l2tp<br>
# #type=transport<br>
# left=%defaultroute<br>
# leftnexthop=195.67.60.1<br>
# leftcert=openswan.gw.pem<br>
# leftprotoport=17/1701<br>
# right=%any<br>
# rightprotoport=17/1701<br>
# pfs=no<br>
# auto=add<br>
<br>
#conn roadwarrior-l2tp-oldwin<br>
# left=%defaultroute<br>
# leftcert=openswan.gw.pem<br>
# leftprotoport=17/0<br>
# right=%any<br>
# rightprotoport=17/1701<br>
# rightsubnet=vhost:%no,%priv<br>
# pfs=no<br>
# auto=add<br>
<br>
conn roadwarrior-l2tp-x509<br>
left=195.67.60.45<br>
leftnexthop=195.67.60.1<br>
leftprotoport=17/1701<br>
leftrsasigkey=%cert<br>
leftcert=openswan.gw.pem<br>
rightprotoport=17/%any<br>
rightsubnet=vhost:%priv,%no<br>
right=%any<br>
rightrsasigkey=%cert<br>
auto=add<br>
authby=rsasig<br>
pfs=no<br>
# type=transport<br>
# rightca=%same<br>
<br>
/var/log/messages on our database server to which I tried to ssh<br>
Nov 21 22:15:13 systemq sshd[27965]: fatal: Timeout before
authentication for ::ffff:192.168.31.34<br>
<br>
192.168.31.34 is the local ip of the Openswan GW... shouldn´t the ip I
get from PPP(192.168.31.36) be listed as the From adress??<br>
<br>
Hopefully you can help me with this problem..<br>
<br>
Regards<br>
Ola Albertsson<br>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
<!--
.style11 {
font-family:serif;
font-size: 12px}
.style13 {
font-family:serif;
font-size: 16px;
font-weight: bold;
}
-->
</style>
<table border="0" cellpadding="0" cellspacing="0" width="312">
<tbody>
<tr>
<td align="left" valign="top" width="253">
<div class="style13" align="left">Ola Albertsson </div>
</td>
<td width="59">
<div align="center"><img
src="cid:part1.08020207.01010200@qwert.se" alt="" height="57"
width="50"></div>
</td>
</tr>
<tr>
<td colspan="2"><span class="style13">Qwert Cyberstore AB</span> <br>
<img src="cid:part2.06000701.03000401@qwert.se" alt="" height="1"
width="310"></td>
</tr>
<tr>
<td colspan="2"><span class="style11">Romansvägen 6, 13tr. Box
4090, 131 04 Nacka </span></td>
</tr>
<tr>
<td colspan="2"><span class="style11"><strong>Telefon</strong>
08-556 74 470 <strong>Fax</strong> 08-601 96 89 <strong>Mobil</strong>
0736-172 285</span></td>
</tr>
<tr>
<td colspan="2"><span class="style11"><strong>E-post</strong>
<a class="moz-txt-link-abbreviated" href="mailto:ola@qwert.se">ola@qwert.se</a> <strong>Internet</strong> <a class="moz-txt-link-abbreviated" href="http://www.qwert.se">www.qwert.se</a> </span></td>
</tr>
</tbody>
</table>
<p> </p>
</div>
</body>
</html>