<div>I am trying to set up an L2TP/IPsec server to connect remote Windows users to the office.</div>
<div> </div>
<div>All testing is done internally</div>
<div> </div>
<div>Guides I read and used:</div>
<div><a href="http://sqls.net/wiki/HOWTO:_Gentoo_Linux_L2TP/IPSEC_VPN_w/_Active_Directory/Radius/X.509_serving_Windows_XP/Vista_Clients">HOWTO: Gentoo Linux L2TP/IPSEC VPN w/ Active Directory/Radius/X.509 serving Windows XP/Vista Clients</a></div>
<div><a href="http://www.jacco2.dds.nl/networking/freeswan-l2tp.html">Using a Linux L2TP/IPsec VPN server</a></div>
<div> </div>
<div>
<div>----------</div></div>
<div>|My setup|</div>
<div>----------</div>
<div> </div>
<div>IPs</div>
<div>VPN server wan: 212.67.179.18/29</div>
<div>VPN server lan: 172.16.0.186/24</div>
<div>Test Client: 172.16.0.85</div>
<div> </div>
<div>
<div>---------------------</div></div>
<div>|Configuration files|</div>
<div>---------------------</div>
<div> </div>
<div>/etc/ipsec/ipsec.conf</div>
<div>----------------------</div>
<div>version 2.0 # conforms to second version of ipsec.conf specification<br>config setup<br> plutodebug=none<br> plutostderrlog=/var/log/pluto.log</div>
<div> #nat_traversal=yes<br> # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br> nhelpers=0<br> interfaces=%defaultroute<br>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.147.0/24</div>
<div> </div>
<div>conn %default<br> keyingtries=3<br> compress=no<br> disablearrivalcheck=no<br> keyexchange=ike<br> ikelifetime=240m<br> keylife=60m</div>
<div><br>include /etc/ipsec/ipsec.d/examples/no_oe.conf<br>include /etc/ipsec/ipsec.d/proactixvpn.conf</div>
<div> </div>
<div>/etc/ipsec/ipsec.d/proactixvpn.conf</div>
<div>-----------------------------------</div>
<div>conn proactixvpn<br> leftprotoport=17/1701<br> rightprotoport=17/%any<br> rekey=no<br> authby=secret<br> pfs=no<br> type=tunnel<br> left=172.16.0.186<br>
right=%any<br> rightsubnet=vhost:%no,%priv<br> auto=add</div>
<div> </div>
<div>/etc/ipsec/ipsec.secrets</div>
<div>------------------------</div>
<div># client server secret IP addresses<br>vpnuser * "vpnuser" *<br>* vpnuser "vpnuser" *</div>
<div> </div>
<div>/etc/xl2tpd/xl2tpd.conf</div>
<div>-----------------------</div>
<div>[global]<br>port = 1701<br>[lns default]<br>ip range=172.16.0.128-191<br>local ip=172.16.0.186<br>require chap=yes<br>refuse pap=yes<br>require authentication=yes<br>name=ProactixVPN<br>
ppp debug=yes<br>pppoptfile=/etc/ppp/options.xl2tpd<br>length bit=yes</div>
<div> </div>
<div>/etc/ppp/options.xl2tpd</div>
<div>-----------------------</div>
<div>
<div>ipcp-accept-local<br>ipcp-accept-remote<br>ms-dns 172.16.0.2<br>noccp<br>auth<br>crtscts<br>idle 1800<br>mtu 1400<br>mru 1400<br>+mschap-v2<br>nodefaultroute<br>debug<br>lock<br>proxyarp<br>
connect-delay 5000<br>silent</div>
<div> </div>
<div>When I try to connect from Windows Vista, it gives a time-out.</div>
<div> </div>
<div>The contents of /var/log/pluto.log from '/etc/init.d/ipsec start' to the time-out in Windows Vista:</div>
<div> </div>
<div>Plutorun started on Fri May 9 11:45:17 CEST 2008<br>Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)<br>Setting NAT-Traversal port-4500 floating to off<br> port floating activation criteria nat_t=0/port_fload=1<br>
including NAT-Traversal patch (Version 0.6c) [disabled]<br>ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<br>no helpers will be started, all cryptographic operations will be done inline<br>Using NETKEY IPsec interface code on 2.6.24-gentoo-r4<br>
Changing to directory '/etc/ipsec/ipsec.d/cacerts'<br>Changing to directory '/etc/ipsec/ipsec.d/aacerts'<br>Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'<br>Changing to directory '/etc/ipsec/ipsec.d/crls'<br>
Warning: empty directory<br>loading secrets from "/etc/ipsec/ipsec.secrets"<br>added connection description "proactixvpn"<br>listening for IKE messages<br>adding interface eth1/eth1 212.67.179.18:500<br>
adding interface eth0/eth0 172.16.0.186:500<br>adding interface lo/lo 127.0.0.1:500<br>forgetting secrets<br>loading secrets from "/etc/ipsec/ipsec.secrets"<br>
packet from 172.16.0.85:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]<br>packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off<br>
packet from 172.16.0.85:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off<br>packet from 172.16.0.85:500: ignoring Vendor ID payload [FRAGMENTATION]<br>
packet from 172.16.0.85:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]<br>packet from 172.16.0.85:500: ignoring Vendor ID payload [Vid-Initial-Contact]<br>
packet from 172.16.0.85:500: ignoring Vendor ID payload [IKE CGA version 1]<br>"proactixvpn"[1] 172.16.0.85 #1: responding to Main Mode from unknown peer 172.16.0.85<br>
"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 20 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION<br>"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 19 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION<br>
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
"proactixvpn"[1] 172.16.0.85 #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.0.85'<br>"proactixvpn"[1] 172.16.0.85 #1: I did not send a certificate because I do not have one.<br>
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}<br>
"proactixvpn"[1] 172.16.0.85 #2: responding to Quick Mode {msgid:01000000}<br>"proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>"proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x66755a59 <0x89f4056b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}<br>"proactixvpn"[1] 172.16.0.85 #1: received Delete SA(0x66755a59) payload: deleting IPSEC State #2<br>
"proactixvpn"[1] 172.16.0.85 #1: received and ignored informational message<br>"proactixvpn"[1] 172.16.0.85 #1: received Delete SA payload: deleting ISAKMP State #1<br>
"proactixvpn"[1] 172.16.0.85: deleting connection "proactixvpn" instance with peer 172.16.0.85 {isakmp=#0/ipsec=#0}<br>packet from 172.16.0.85:500: received and ignored informational message<br>
</div>
<div>Thanks a lot in advance for any help<br></div></div>
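<div>Added example (not code from the post or from the Openswan/xl2tpd projects): a small triage script that replays the pluto.log lines quoted above and says how far the handshake got. The regexes are written against the Openswan 2.4 message wording visible in that log; the stage labels, the <code>Triage</code> class and the notes it emits are my own naming. It separates three outcomes a practitioner wants to tell apart: Main Mode never completes, Quick Mode never completes, or (as in the log above) both IPsec SAs come up and the client itself then sends Delete SA payloads, which points at the layer above IPsec rather than at IKE. It also flags the two things in that log worth acting on before the server faces real road-warriors: the client offered NAT-T (RFC 3947 and the draft-02 vendor ID) while pluto had NAT-T off, and the Vista client proposed DH groups 19 and 20 (ECP groups this Openswan build does not implement) before falling back to modp2048.</div>

```python
"""Triage an Openswan 2.4 pluto.log from an L2TP/IPsec road-warrior server.

Added example, not code from the post: it replays the log quoted above and
reports how far IKE got, so an IPsec failure can be separated from one in
xl2tpd/pppd.  Patterns follow the Openswan 2.4 wording seen in that log.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the decisive lines of the pluto.log quoted in the post.
SAMPLE_LOG = """\
Setting NAT-Traversal port-4500 floating to off
packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
packet from 172.16.0.85:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
"proactixvpn"[1] 172.16.0.85 #1: responding to Main Mode from unknown peer 172.16.0.85
"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 20 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 19 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x66755a59 <0x89f4056b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA(0x66755a59) payload: deleting IPSEC State #2
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA payload: deleting ISAKMP State #1
"""

PEER = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)')
PHASE1_OK = re.compile(r"#(?P<st>\d+): STATE_MAIN_R3: sent MR3, ISAKMP SA established \{(?P<params>[^}]*)\}")
PHASE2_OK = re.compile(r"#(?P<st>\d+): STATE_QUICK_R2: IPsec SA established \{(?P<params>[^}]*)\}")
DELETE = re.compile(r"received Delete SA(?:\(0x[0-9a-f]+\))? payload: deleting (?P<kind>IPSEC|ISAKMP) State #(?P<st>\d+)")
NATT_OFF = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\] meth=\d+, but port floating is off")
DH_UNSUP = re.compile(r"Diffie-Hellman group (?P<grp>\d+) is not a supported modp group")


@dataclass
class Triage:
    peers: set = field(default_factory=set)
    phase1: dict = field(default_factory=dict)        # ISAKMP state# -> params
    phase2: dict = field(default_factory=dict)        # IPsec state#  -> params
    deletes: list = field(default_factory=list)       # (kind, state#) the peer deleted
    natt_offered: list = field(default_factory=list)  # NAT-T VIDs seen while NAT-T was off
    unsupported_dh: list = field(default_factory=list)


def _params(s: str) -> dict:
    """'auth=X cipher=Y' -> {'auth': 'X', ...}; tokens without '=' are dropped."""
    return dict(kv.split("=", 1) for kv in s.split() if "=" in kv)


def parse_pluto_log(text: str) -> Triage:
    t = Triage()
    for line in text.splitlines():
        if m := PEER.match(line):
            t.peers.add(m["peer"])
        if m := PHASE1_OK.search(line):
            t.phase1[int(m["st"])] = _params(m["params"])
        elif m := PHASE2_OK.search(line):
            t.phase2[int(m["st"])] = _params(m["params"])
        elif m := DELETE.search(line):
            t.deletes.append((m["kind"], int(m["st"])))
        elif m := NATT_OFF.search(line):
            t.natt_offered.append(m["vid"])
        elif m := DH_UNSUP.search(line):
            t.unsupported_dh.append(int(m["grp"]))
    return t


def triage(text: str) -> dict:
    t = parse_pluto_log(text)
    if not t.phase1:
        stage = "ike-phase1-failed"
    elif not t.phase2:
        stage = "ike-phase2-failed"
    elif any(kind == "IPSEC" for kind, _ in t.deletes):
        # Both phases completed and the peer itself tore the tunnel down:
        # IPsec is not the blocker, so read the xl2tpd/pppd side next.
        stage = "tunnel-up-then-peer-deleted"
    else:
        stage = "tunnel-up"
    p1 = next(iter(t.phase1.values()), {})
    p2 = next(iter(t.phase2.values()), {})
    notes = []
    if t.natt_offered:
        notes.append("peer offered NAT-T (%s) but pluto has NAT-T off; clients behind "
                     "NAT cannot connect until nat_traversal=yes" % ", ".join(t.natt_offered))
    if p1.get("auth") == "OAKLEY_PRESHARED_KEY":
        notes.append("phase 1 used a PSK; with right=%any every road-warrior shares it")
    if "3des" in p1.get("cipher", ""):
        notes.append("phase 1 cipher is 3DES; prefer AES via ike= in the conn")
    if t.unsupported_dh and p1.get("group"):
        notes.append("peer proposed DH groups %s, which this pluto lacks; it fell back "
                     "to %s" % (t.unsupported_dh, p1["group"]))
    return {"stage": stage, "peers": sorted(t.peers),
            "phase1_group": p1.get("group"), "phase2_xfrm": p2.get("xfrm"),
            "natt_offered": t.natt_offered, "unsupported_dh": t.unsupported_dh,
            "notes": notes}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("stage:", r["stage"], "peers:", r["peers"])
    print("\n".join(" - " + n for n in r["notes"]))
```

<div>Run it against a real file with <code>triage(open("/var/log/pluto.log").read())</code>. The "tunnel-up-then-peer-deleted" stage is the one the quoted log produces: pluto installed both ESP SAs (ESP 0x66755a59 in, 0x89f4056b out, AES-128/HMAC-SHA1) and then received Delete SA payloads from 172.16.0.85, so the IKE side did its job and the time-out is happening after the tunnel is up. The PSK note is a reminder that <code>* vpnuser "vpnuser" *</code> in ipsec.secrets is one group secret for every peer matched by <code>right=%any</code>.</div>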