<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<blockquote cite="mid:481C979B.3090509@dds.nl" type="cite">
<blockquote type="cite">
<pre wrap="">I have found somewhere that I need to be sure that both ends use the
same algo...
</pre>
</blockquote>
<pre wrap=""><!---->Well, yes, but that is not the cause of the problem here. Openswan
proposes reasonable algorithms by default so it should work securely with
lots of peers.</pre>
<blockquote type="cite">
<pre wrap="">key, this is not the issue any more - I needed to reboot... Now all
tests are OK.
</pre>
</blockquote>
<pre wrap=""><!---->I guess it was a NAT issue because I did not see a NAT-T negotiation
result message.</pre>
</blockquote>
<big><tt><small>Yes, it was definitely NAT-T issue... I have solved it
by adding forceencaps=yes. My client is behind NAT and have zone
192.168.14.0/24 and this zone is used on the server. So I guess the
server could not allow connecting directly because the client is
actually behind NAT (that's what the error message says). And the
client did not know that it should use NAT-T...<br>
<br>
But, again, now I have another issue... :)<br>
<br>
IPSec client connects successfully but L2TPd does not work... :( It
says:<br>
<br>
</small></tt><font color="#3333ff"><small><font face="Terminus"><small>May
5 10:22:32 andrix xl2tpd[3166]: Connecting to host vpn.domain, port 1701<br>
May 5 10:22:37 andrix xl2tpd[3166]: Maximum retries exceeded for
tunnel 33521. Closing.<br>
May 5 10:22:37 andrix xl2tpd[3166]: Connection 0 closed to
68.68.44.42, port 1701 (Timeout)<br>
May 5 10:22:42 andrix xl2tpd[3166]: Unable to deliver closing message
for tunnel 33521. Destroying anyway.<br>
May 5 10:22:42 andrix xl2tpd[3166]: Will redial in 15 seconds<br>
</small></font></small></font><tt><small><br>
When IPSec connects it adds the following route:<br>
<br>
</small></tt><font color="#3333ff"><small><font face="Terminus"><small>68.68.44.42
dev eth0 scope link</small></font></small></font><tt><small><br>
<br>
Weird... While L2TP claims that it tries to connect I don't see L2TP
packets anywhere...<br>
I have also tried running:<br>
<font color="#3333ff"><br>
</font></small></tt><font color="#3333ff"><small><font face="Terminus"><small>$
hping2 --udp --baseport 1701 --destport 1701 68.68.44.42<br>
HPING </small></font></small></font></big><big><font color="#3333ff"><small><font
face="Terminus"><small>68.68.44.42</small></font></small></font></big><big><font
color="#3333ff"><small><font face="Terminus"><small> (eth0 </small></font></small></font></big><big><font
color="#3333ff"><small><font face="Terminus"><small>68.68.44.42</small></font></small></font></big><big><font
color="#3333ff"><small><font face="Terminus"><small>): udp mode set,
28 headers + 0 data bytes<br>
ICMP Host Unreachable from ip=192.168.14.2 name=dev.hostname<br>
ICMP Host Unreachable from ip=192.168.14.2 name=</small></font></small></font></big><big><font
color="#3333ff"><small><font face="Terminus"><small>dev.hostname</small></font></small></font></big><br>
<big><font color="#3333ff"><small><font face="Terminus"><small>ICMP
Host Unreachable from ip=192.168.14.2 name=</small></font></small></font></big><big><font
color="#3333ff"><small><font face="Terminus"><small>dev.hostname</small></font></small></font></big><big><tt><small><br>
<br>
And I also do not see any packets...<br>
<br>
Pluto sometimes says in its logs:<br>
<br>
</small></tt><font color="#3333ff"><small><font face="Terminus"><small>May
5 10:22:33 andrix pluto[2427]: ERROR: asynchronous network error report
on eth0 (sport=4500) for message to 68.68.44.42 port 4500, complainant
192.168.14.2: No route to host [errno 113, origin ICMP type 3 code 1
(not authenticated)]</small></font></small></font><tt><small><font
color="#3333ff"><br>
</font><br>
After I disconnect IPSec the same route still remains (I guess it
should disappear). So I delete it manually.<br>
<br>
Also after I disconnect I'm able to see hping2 packets but I still do
not see L2TP (tried running without IPSec). Does xl2tpd somehow checks
for presence of IPSec? When no IPSec connection is available it writes
to logs: </small></tt><font color="#3333ff"><small><font
face="Terminus"><small>udp_xmit failed with err=-1:No such process</small></font></small></font><tt><small>.<br>
<br>
I'm using NETKEY on client side...<br>
<br>
What can be wrong? Where should I look?<br>
<br>
Thanks,<br>
Andriy<br>
</small></tt></big>
</body>
</html>