Dear ALL, - help needed very much<br><br>Problem description: <br> <p>There are 3 remote LAN is present. <br> </p><p>This LANs connected between using VPN, also each VPN gateway running <br> l2tpd for win XP "roadwarriors".
<br> . <br> Configuration of OS and software for VPN are identical. <br> </p><p>But on one of VPN gateways (configs and logs listed below) after IPSec <br> tunnel is on (Windows XP <b style="color: black; background-color: rgb(255, 255, 102);">
L2TP</b> client) ppp connection NOT given up <br> (connection <b style="color: black; background-color: rgb(255, 255, 102);">l2tp</b>-cert-org). <br> Certificate exchange passed ïë, eroute shows that tunnel is up, but <br>
after 20-30 seconds connection go down. <br> </p><p>I spend 2 months for resolving this - but f*'n nothing. <br> </p><p>Thanks to All for future advices. <br> </p><p>System & settings : <br> </p><p>ïS: <b style="color: black; background-color: rgb(160, 255, 255);">
Slackware</b> GNU/Linux 10.2 <br> </p><p>root@host:~#uname -a <br> Linux <a href="http://host.domain.com">host.domain.com</a> 2.4.32-ow1-ipsec #2 SMP Thu Jun 1 17:00:58 CEST <br> 2006 i686 unknown unknown GNU/Linux <br> </p>
<p>Version of Openswan: openswan-2.4.5 <br> Add. patches: <br> openswan-2.4.5.kernel-2.4-klips.patch.gz <br> openswan-2.4.5.kernel-2.4-natt.patch.gz <br> </p><p>root@host:~# lsmod <br> Module Size Used by Not tainted
<br> ppp_async 7168 0 (unused) <br> ppp_generic 23208 0 [ppp_async] <br> slhc 4800 0 [ppp_generic] <br> ipsec 333984 2 <br> ipt_LOG 3544 1 (autoclean)
<br> ipt_recent 8772 3 (autoclean) <br> ipt_state 536 5 (autoclean) <br> ipt_multiport 664 17 (autoclean) <br> iptable_mangle 2168 0 (autoclean) (unused) <br> iptable_nat 19294 1 (autoclean)
<br> ip_conntrack 22464 0 (autoclean) [ipt_state iptable_nat] <br> iptable_filter 1740 1 (autoclean) <br> ip_tables 13056 9 [ipt_LOG ipt_recent ipt_state <br> ipt_multiport iptable_mangle iptable_nat iptable_filter]
<br> </p><p>----------------------------------------------- <br> Openswan IPSec Config <br> ----------------------------------------------- <br> </p><p>root@host:~# cat /etc/ipsec.conf <br> # /etc/ipsec.conf - Openswan IPsec configuration file
<br> # RCSID $Id: <a href="http://ipsec.conf.in">ipsec.conf.in</a>,v <a href="http://1.15.2.2">1.15.2.2</a> 2005/11/14 20:10:27 paul Exp $ <br> version 2.0 # conforms to second version of ipsec.conf <br> specification
<br> </p><p># basic configuration <br> config setup <br> forwardcontrol=yes <br> interfaces="ipsec0=eth0" <br> nat_traversal=yes <br> </p><p>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/24,%4:172.16.0.0/12">
10.0.0.0/8,%v4:192.168.0.0/24,%4:172.16.0.0/12</a> <br> #Disable Opportunistic Encryption <br> include /etc/ipsec.d/examples/no_oe.conf <br> # Connections for "roadwarriors" <br> include /etc/ipsec.d/connections/
<b style="color: black; background-color: rgb(255, 255, 102);">l2tp</b>-cert-org.conf <br> </p><p>conn host1-host <br> auto=start <br> left=123.456.788 <br> left<a target="_parent" href="http://groups.google.com.ua/groups/unlock?msg=4b6d10d49bae1a73&hl=uk&_done=/group/comp.os.linux.networking/browse_thread/thread/2ade0da0216204b1/4b6d10d49bae1a73%3Flnk%3Dst%26q%3Dl2tp%2Bslackware%26rnum%3D2%26hl%3Duk">
...</a>@<a href="http://host1.domain1.com">host1.domain1.com</a> <br> leftnexthop=123.456.789 <br> leftrsasigkey=0sA.... <br> leftsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a> <br> right=
789.654.322 <br> right<a target="_parent" href="http://groups.google.com.ua/groups/unlock?msg=4b6d10d49bae1a73&hl=uk&_done=/group/comp.os.linux.networking/browse_thread/thread/2ade0da0216204b1/4b6d10d49bae1a73%3Flnk%3Dst%26q%3Dl2tp%2Bslackware%26rnum%3D2%26hl%3Duk">
...</a>@<a href="http://host.domain.com">host.domain.com</a> <br> rightnexthop=789.654.321 <br> rightrsasigkey=0sA..... <br> rightsubnet=<a href="http://192.168.1.0/24">192.168.1.0/24</a> <br> type=tunnel
<br> </p><p>conn host-host2 <br> auto=start <br> left=789.654.322 <br> left<a target="_parent" href="http://groups.google.com.ua/groups/unlock?msg=4b6d10d49bae1a73&hl=uk&_done=/group/comp.os.linux.networking/browse_thread/thread/2ade0da0216204b1/4b6d10d49bae1a73%3Flnk%3Dst%26q%3Dl2tp%2Bslackware%26rnum%3D2%26hl%3Duk">
...</a>@<a href="http://host.domain.com">host.domain.com</a> <br> leftnexthop=789.654.321 <br> leftrsasigkey=0slf...... <br> leftsubnet=<a href="http://192.168.1.0/24">192.168.1.0/24</a> <br> right=
159.357.752 <br> right<a target="_parent" href="http://groups.google.com.ua/groups/unlock?msg=4b6d10d49bae1a73&hl=uk&_done=/group/comp.os.linux.networking/browse_thread/thread/2ade0da0216204b1/4b6d10d49bae1a73%3Flnk%3Dst%26q%3Dl2tp%2Bslackware%26rnum%3D2%26hl%3Duk">
...</a>@<a href="http://host2.domain.com">host2.domain.com</a> <br> rightnexthop=159.357.751 <br> rightrsasigkey=0sA.... <br> type=tunnel <br> </p><p>-----------------------------------------------------
<br> <b style="color: black; background-color: rgb(255, 255, 102);">l2tp</b>-cert-org.conf ("roadwarriors" ) connection config <br> ------------------------------------------------------ <br> </p><p>root@host:~# cat /etc/ipsec.d/connections/
<b style="color: black; background-color: rgb(255, 255, 102);">l2tp</b>-cert-org.conf <br> conn <b style="color: black; background-color: rgb(255, 255, 102);">l2tp</b>-cert-org <br> # <br> # Configuration for one user with the non-updated Windows
<br> 2000/XP. <br> # <br> # <br> # Use a certificate. Disable Perfect Forward Secrecy. <br> # <br> authby=rsasig <br> pfs=no <br> auto=add <br> # we cannot rekey for %any, let client rekey
<br> rekey=no <br> # Do not enable the line below. It is implicitely used, and <br> # specifying it will currently break when using nat-t. <br> # type=transport. See <a target="_blank" rel="nofollow" href="http://bugs.xelerance.com/view.php?id=466">
http://bugs.xelerance.com/view.php?id=466</a> <br> type=tunnel <br> # <br> left=789.654.322<br> # or you can use: left=YourIPAddress <br> leftrsasigkey=%cert <br> leftcert=/etc/ipsec.d/certs/mordor.siliciosolar.es.pem
<br> # Work-around for original (non-updated) Windows 2000/XP <br> clients, <br> # to support all clients, use leftprotoport=17/%any <br> leftprotoport=17/0 <br> # <br> # The remote user.
<br> # <br> right=%any <br> rightca=%same <br> rightrsasigkey=%cert <br> rightprotoport=17/1701 <br> rightsubnet=vhost:%priv,%no <br> </p><p>----------------------------------------------------
<br> l2tpd config <br> --------------------------------------------------- <br> </p><p>root@host:~# cat /etc/l2tpd/l2tpd.conf <br> [global] <br> ;listen-addr = <br> </p><p>[lns default] <br> ip range = 192.168.1.140-192.168.1.150
<br> local ip = <a href="http://192.168.10.202">192.168.10.202</a> <br> require chap = yes <br> refuse pap = yes <br> require authentication = yes <br> name = VPNserver <br> ppp debug = yes <br> pppoptfile = /etc/ppp/options.l2tpd
<br> length bit = yes <br> </p><p>-------------------------------------------------------- <br> </p><p>root@host:~# cat /etc/ppp/options.l2tpd <br> ipcp-accept-local <br> ipcp-accept-remote <br> ms-dns <a href="http://192.168.1.3">
192.168.1.3</a> <br> ms-wins <a href="http://192.168.1.3">192.168.1.3</a> <br> noccp <br> auth <br> crtscts <br> idle 1800 <br> mtu 1410 <br> mru 1410 <br> nodefaultroute <br> debug <br> lock <br> proxyarp <br> connect-delay 5000
<br> </p><p>---------------------------------------------------------- <br> iptables rules <br> --------------------------------------------------------- <br> </p><p>################################################### <br>
# <br> # IPSec VPN section starting here <br> # <br> # Allow IPSec connections <br> iptables -A INPUT -p udp -m udp -s 0/0 --sport 500 --dport 500 -j <br> ACCEPT <br> iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 500 --dport 500 -j
<br> ACCEPT <br> iptables -A INPUT -p udp -m udp -s 0/0 --sport 4500 --dport 4500 -j <br> ACCEPT <br> iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 4500 --dport 4500 -j <br> ACCEPT <br> iptables -A INPUT -p 50 -s 0/0 -j ACCEPT
<br> iptables -A OUTPUT -p 50 -d 0/0 -j ACCEPT <br> iptables -A INPUT -p 51 -s 0/0 -j ACCEPT <br> iptables -A OUTPUT -p 51 -d 0/0 -j ACCEPT <br> iptables -A INPUT -s 0/0 -i $OPEN_SWAN_VIRT -j ACCEPT <br> iptables -A OUTPUT -d 0/0 -o $OPEN_SWAN_VIRT -j ACCEPT
<br> # <br> # Ports for l2tpd <br> iptables -A INPUT -p udp -m udp -s 0/0 --dport 1701 -i $OPEN_SWAN_VIRT <br> -j ACCEPT <br> iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 1701 -o $OPEN_SWAN_VIRT <br> -j ACCEPT <br> iptables -t nat -A PREROUTING -p udp -m udp -i $OPEN_SWAN_VIRT --sport
<br> 1701 --dport 1701 -j DNAT --to-destination $LAN_IP <br> # <br> # Packet forwarding for "road warriors" network <br> iptables -A FORWARD -p all -s $RW1 -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW1 -j ACCEPT
<br> iptables -A FORWARD -p all -s $RW2 -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW2 -j ACCEPT <br> iptables -A FORWARD -p all -s $RW3 -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW3 -j ACCEPT
<br> iptables -A FORWARD -p all -s $RW4 -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW4 -j ACCEPT <br> iptables -A FORWARD -p all -s $RW5 -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW5 -j ACCEPT
<br> iptables -A FORWARD -p all -s $RW6 -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW6 -j ACCEPT <br> iptables -A FORWARD -p all -s $RW7 -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $RW7 -j ACCEPT
<br> # <br> # Packet forwarding for COMPANY2 subnet <br> iptables -A FORWARD -p all -s $COMPANY2_SUBNET1 -d $LAN_SUBNET -j <br> ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $COMPANY2_SUBNET1 -j <br> ACCEPT <br>
</p><p># Packet forwarding for COMPANY1 subnet <br> iptables -A FORWARD -p all -s $COMPANY1_SUBNET -d $LAN_SUBNET -j ACCEPT <br> iptables -A FORWARD -p all -s $LAN_SUBNET -d $COMPANY1_SUBNET -j ACCEPT <br> </p><p># <br> #
<br> # Rules for COMPANY2 internal network <br> iptables -t nat -A POSTROUTING -s $EXT_IP -d $COMPANY2_SUBNET1 -j SNAT <br> --to-source $LAN_IP <br> # <br> # Rules for COMPANY1 internal network <br> iptables -t nat -A POSTROUTING -s $EXT_IP -d $COMPANY1_SUBNET -j SNAT
<br> --to-source $LAN_IP <br> </p><p># Make nat a for "road warriors" network (ppp interface) <br> iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW1 -j SNAT <br> --to-source $PPP_IP <br> iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW1 -j SNAT --to-source
<br> $LAN_IP <br> iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW2 -j SNAT <br> --to-source $PPP_IP <br> iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW2 -j SNAT --to-source <br> $LAN_IP <br> iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW3 -j SNAT
<br> --to-source $PPP_IP <br> iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW3 -j SNAT --to-source <br> $LAN_IP <br> iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW4 -j SNAT <br> --to-source $PPP_IP <br> iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW4 -j SNAT --to-source
<br> $LAN_IP <br> iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW5 -j SNAT <br> --to-source $PPP_IP <br> iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW5 -j SNAT --to-source <br> $LAN_IP <br> iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW6 -j SNAT
<br> --to-source $PPP_IP <br> iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW6 -j SNAT --to-source <br> $LAN_IP <br> iptables -t nat -A POSTROUTING -s $LAN_SUBNET -d $RW7 -j SNAT <br> --to-source $PPP_IP <br> iptables -t nat -A POSTROUTING -s $PPP_IP -d $RW7 -j SNAT --to-source
<br> $LAN_IP <br> # <br> # IPSec VPN section ends <br> # <br> ############################################################################## <br> </p>---------------------------------------------------------- <br> piece of /var/log/secure
<br> ---------------------------------------------------------<br><p>----------------------------------------------------------<br>piece of /var/log/secure<br>---------------------------------------------------------</p>Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17]
951.753.852 #112: responding to Main Mode from unknown peer 951.753.852<br>Feb
19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112: STATE_MAIN_R1: sent MR1, expecting MI2<br>Feb
19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112: STATE_MAIN_R2: sent MR2, expecting MI3<br>Feb
19 20:32:46 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
Main mode peer ID is ID_DER_ASN1_DN: 'C=ES, ST=Ciudad Real,
L=Puertollano, O=Silicio Solar S.A.U., OU=IT Department,
CN=<a href="http://host.domain.com">host.domain.com</a>, E=<a href="mailto:admin@domain.com">admin@domain.com</a>'<br>Feb 19 20:32:46 host
pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112: end certificate
with identical subject and issuer not accepted<br>Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112: X.509 certificate rejected<br>Feb
19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
deleting connection "l2tp-cert-org" instance with peer 951.753.852
{isakmp=#0/ipsec=#0}<br>Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112: I am sending my cert<br>Feb
19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Feb 19
20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}<br>Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113: responding to Quick Mode {msgid:6bf34503}<br>Feb
19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Feb 19
20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Feb
19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Feb 19
20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
STATE_QUICK_R2: IPsec SA established {ESP=>0x1f8aa8cd <0x26a293c4
xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}<br>Feb 19 20:33:21 host
pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112: received Delete
SA(0x1f8aa8cd) payload: deleting IPSEC State #113<br>Feb 19 20:33:21 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112: received and ignored informational message<br>Feb 19 20:33:21 host pluto[12966]: "l2tp-cert-org"[18]
951.753.852 #112: received Delete SA payload: deleting ISAKMP State #112<br>Feb
19 20:33:21 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852:
deleting connection "l2tp-cert-org" instance with peer 951.753.852
{isakmp=#0/ipsec=#0}<br>