I am using openswan-2.6.14-1.el5_2.1 and xl2tpd-1.1.12-1 on CentOS EL5 (RHEL5). The result with l2tpd-0.69-0.4.20051030.el5 is also the same.
I cannot establish an L2TP VPN connection from Windows XP or Vista. On the Windows side, it only says "Connecting".

All the logs and config portions are attached below.

Has anybody an idea?

Regards,
Oguz Yilmaz


On the Linux side, the standard error log is below:

Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: received Vendor ID payload [RFC 3947] method set to=109
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: responding to Main Mode from unknown peer 85.99.218.171
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.2'
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: switched from "my.l2tp" to "my.l2tp"
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: deleting connection "my.l2tp" instance with peer 85.99.218.171 {isakmp=#0/ipsec=#0}
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: new NAT mapping for #1, was 85.99.218.171:500, now 85.99.218.171:4500
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: the peer proposed: 81.213.213.34/32:17/1701 -> 192.168.2.2/32:17/1701
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev@openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev@openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev@openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev@openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: responding to Quick Mode proposal {msgid:01000000}
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: us: 81.213.213.34<81.213.213.34>[+S=C]:17/1701---81.213.213.33
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: them: 85.99.218.171[192.168.2.2,+S=C]:17/1701===192.168.2.2/32
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1cb2eec3 <0xce03546a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.2 NATD=85.99.218.171:4500 DPD=none}

After waiting some time, the Windows side stops trying and Linux is logging:

Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: received Delete SA(0x1cb2eec3) payload: deleting IPSEC State #2
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: request to replace with shunt a prospective erouted policy with netkey kernel --- experimental
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: received and ignored informational message
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171: deleting connection "my.l2tp" instance with peer 85.99.218.171 {isakmp=#0/ipsec=#0}
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp": request to delete a unrouted policy with netkey kernel --- experimental
Dec 24 21:29:36 2008 pluto[26350]: packet from 85.99.218.171:4500: received and ignored informational message

While Windows is waiting, I can see in the tcpdump logs:

20:53:03.189571 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:03.189798 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:04.191453 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:04.194545 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap: ESP(spi=0x9781aebc,seq=0x3), length 148
20:53:04.194939 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:05.193286 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:06.195141 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:07.197001 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:08.198966 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794) *RESULT_CODE(1/0 Timeout)
20:53:08.203889 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap: ESP(spi=0x9781aebc,seq=0x4), length 148
20:53:08.204161 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:09.199735 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794) *RESULT_CODE(1/0 Timeout)
20:53:10.200590 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794) *RESULT_CODE(1/0 Timeout)
20:53:11.201452 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794) *RESULT_CODE(1/0 Timeout)
20:53:12.202314 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794) *RESULT_CODE(1/0 Timeout)
20:53:16.206136 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap: ESP(spi=0x9781aebc,seq=0x5), length 148
20:53:18.207467 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:19.208339 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:20.209196 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:21.210059 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:22.210910 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:23.211872 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161) *RESULT_CODE(1/0 Timeout)
20:53:24.212643 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161) *RESULT_CODE(1/0 Timeout)
20:53:25.213503 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161) *RESULT_CODE(1/0 Timeout)
20:53:26.214358 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161) *RESULT_CODE(1/0 Timeout)
20:53:26.220209 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap: ESP(spi=0x9781aebc,seq=0x6), length 148
20:53:26.220482 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:27.216225 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161) *RESULT_CODE(1/0 Timeout)

########################################################

ipsec.conf is:

version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
    uniqueids=yes
    protostack=netkey

conn %default
    auto=add

conn my.l2tp
    authby=secret
    auth=esp
    left=81.213.213.34
    leftnexthop=81.213.213.33
    right=%any
    rightsubnet=vhost:%no,%priv
    rekey=no
    pfs=no
    rightid=%any
    leftprotoport=17/1701
    auto=add
    rightprotoport=17/1701
    keyingtries=3

#include /etc/ipsec.d/*.conf

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore


#########################################################

xl2tpd.conf is:

[global]
listen-addr = 81.213.213.34

[lns default]
ip range = 192.168.0.240-192.168.0.254
local ip = 192.168.0.3
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


###########################################################