<div>I am trying to set up an L2TP/IPsec server to connect remote Windows users to the office</div>
<div>&nbsp;</div>
<div>All testing is done internally</div>
<div>&nbsp;</div>
<div>Guides I read and used</div>
<div><a href="http://sqls.net/wiki/HOWTO:_Gentoo_Linux_L2TP/IPSEC_VPN_w/_Active_Directory/Radius/X.509_serving_Windows_XP/Vista_Clients">HOWTO: Gentoo Linux L2TP/IPSEC VPN w/ Active Directory/Radius/X.509 serving Windows XP/Vista Clients</a></div>

<div><a href="http://www.jacco2.dds.nl/networking/freeswan-l2tp.html">Using a Linux L2TP/IPsec VPN server</a></div>
<div>&nbsp;</div>
<div>---------</div>
<div>|My setup|</div>
<div>---------</div>
<div>&nbsp;</div>
<div>IPs</div>
<div>VPN server WAN: 212.67.179.18/29</div>
<div>VPN server LAN: 172.16.0.186/24</div>
<div>Test client: 172.16.0.85</div>
<div>&nbsp;</div>
<div>--------------------</div>
<div>|Configuration files |</div>
<div>--------------------</div>
<div>&nbsp;</div>
<div>/etc/ipsec/ipsec.conf</div>
<div>----------------------</div>
<pre>
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        plutodebug=none
        plutostderrlog=/var/log/pluto.log
        #nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0
        interfaces=%defaultroute
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.147.0/24
</pre>
<div>&nbsp;</div>
<pre>
conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/ipsec.d/proactixvpn.conf
</pre>
<div>&nbsp;</div>
<div>/etc/ipsec/ipsec.d/proactixvpn.conf</div>
<div>-----------------------------------</div>
<pre>
conn proactixvpn
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no
        authby=secret
        pfs=no
        type=tunnel
        left=172.16.0.186
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
</pre>
<div>&nbsp;</div>
<div>/etc/ipsec/ipsec.secrets</div>
<div>--------------------</div>
<pre>
# client        server  secret            IP addresses
vpnuser *       "vpnuser" *
*       vpnuser  "vpnuser" *
</pre>
<div>/etc/xl2tpd/xl2tpd.conf</div>
<div>---------------------</div>
<pre>
[global]
port = 1701
[lns default]
ip range=172.16.0.128-191
local ip=172.16.0.186
require chap=yes
refuse pap=yes
require authentication=yes
name=ProactixVPN
ppp debug=yes
pppoptfile=/etc/ppp/options.xl2tpd
length bit=yes
</pre>
<div>/etc/ppp/options.xl2tpd</div>
<div>-----------------------</div>
<div>
<pre>
ipcp-accept-local
ipcp-accept-remote
ms-dns 172.16.0.2
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
</pre>
<div>&nbsp;</div>
<div>When I try to connect from within Windows Vista it gives a timeout.</div>
<div>&nbsp;</div>
<div>The contents of /var/log/pluto.log from '/etc/init.d/ipsec start' to the timeout in Windows Vista:</div>
<div>&nbsp;</div>
<pre>
Plutorun started on Fri May 9 11:45:17 CEST 2008
Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)
Setting NAT-Traversal port-4500 floating to off
   port floating activation criteria nat_t=0/port_fload=1
  including NAT-Traversal patch (Version 0.6c) [disabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Using NETKEY IPsec interface code on 2.6.24-gentoo-r4
Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec/ipsec.d/crls'
  Warning: empty directory
loading secrets from "/etc/ipsec/ipsec.secrets"
added connection description "proactixvpn"
listening for IKE messages
adding interface eth1/eth1 212.67.179.18:500
adding interface eth0/eth0 172.16.0.186:500
adding interface lo/lo 127.0.0.1:500
forgetting secrets
loading secrets from "/etc/ipsec/ipsec.secrets"
packet from 172.16.0.85:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
packet from 172.16.0.85:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 172.16.0.85:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 172.16.0.85:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from 172.16.0.85:500: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from 172.16.0.85:500: ignoring Vendor ID payload [IKE CGA version 1]
"proactixvpn"[1] 172.16.0.85 #1: responding to Main Mode from unknown peer 172.16.0.85
"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 20 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 19 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"proactixvpn"[1] 172.16.0.85 #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.0.85'
"proactixvpn"[1] 172.16.0.85 #1: I did not send a certificate because I do not have one.
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
"proactixvpn"[1] 172.16.0.85 #2: responding to Quick Mode {msgid:01000000}
"proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R2: IPsec SA established {ESP=&gt;0x66755a59 &lt;0x89f4056b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA(0x66755a59) payload: deleting IPSEC State #2
"proactixvpn"[1] 172.16.0.85 #1: received and ignored informational message
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA payload: deleting ISAKMP State #1
"proactixvpn"[1] 172.16.0.85: deleting connection "proactixvpn" instance with peer 172.16.0.85 {isakmp=#0/ipsec=#0}
packet from 172.16.0.85:500: received and ignored informational message
</pre>
<div>Thanks a lot in advance for any help<br></div></div>
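<div>An added example, not the poster's code and not part of Openswan or xl2tpd: it reads pluto.log lines of the kind quoted above and reports which layer a client-side timeout points at, keying on the ISAKMP and IPsec "SA established" lines, the "Delete SA" lines and the "port floating is off" warning. The sample lines are copied from the log in the post with the link markup removed; the event names and the finding texts are assumptions of this example.</div>

```python
import re

# Sample input constructed from the pluto.log quoted in the post above (the
# HTML links stripped); only the lines the parser keys on, in the original order.
SAMPLE_LOG = """\
packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
"proactixvpn"[1] 172.16.0.85 #1: responding to Main Mode from unknown peer 172.16.0.85
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
"proactixvpn"[1] 172.16.0.85 #2: responding to Quick Mode {msgid:01000000}
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x66755a59 <0x89f4056b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA(0x66755a59) payload: deleting IPSEC State #2
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA payload: deleting ISAKMP State #1
""".splitlines()

# One pattern per responder-side event in the Openswan 2.4 log format; the
# groups keep the SA number (#1 ISAKMP, #2 IPsec) and the negotiated parameters.
EVENTS = {
    "natt_off":  re.compile(r"received Vendor ID payload \[([^\]]+)\] meth=\d+, but port floating is off"),
    "isakmp_up": re.compile(r"#(\d+): STATE_MAIN_R3: .*ISAKMP SA established \{([^}]*)\}"),
    "ipsec_up":  re.compile(r"#(\d+): STATE_QUICK_R2: IPsec SA established \{([^}]*)\}"),
    "delete":    re.compile(r"received Delete SA(?:\([^)]*\))? payload: deleting (ISAKMP|IPSEC) State #(\d+)"),
}

def parse_pluto(lines):
    """Return [(event_name, regex_groups), ...] in log order; unmatched lines are skipped."""
    found = []
    for line in lines:
        for name, rx in EVENTS.items():
            m = rx.search(line)
            if m:
                found.append((name, m.groups()))
                break
    return found

def diagnose(events):
    """Map the event sequence to the layer a client-side 'timed out' points at."""
    names = [e for e, _ in events]
    deleted = [g[0] for e, g in events if e == "delete"]
    findings = []
    if {"isakmp_up", "ipsec_up"} <= set(names) and {"IPSEC", "ISAKMP"} <= set(deleted):
        findings.append("both IKE phases completed and the peer then deleted both SAs: "
                        "IPsec is fine, so look above it at L2TP/PPP (xl2tpd and pppd logs)")
    natt = [g[0] for e, g in events if e == "natt_off"]
    if natt:
        findings.append("peer offered NAT-T (%s) while nat_traversal is off; "
                        "a client behind NAT cannot bring the tunnel up" % ", ".join(natt))
    return findings
```

Calling diagnose(parse_pluto(SAMPLE_LOG)) on the post's log yields two findings: the IPsec layer succeeded before the client tore it down, and NAT-T was offered while disabled on the server.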