<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
I have made some progress but it is strange to me. May be some of you
experts will have input on this. I can connect using windows l2tp/ipsec
client but only while tcpdump is running on wan interface. I have tried
reducing mtu on ipsec0, wan and ppp but it has no affect. This is a
test setup all private ip, no NAT. If I test it in real world on
public ip, then I suppose I would need a nat patch I would need some
input on that too. Any help would be greatly appreciated.<br><br>connects fine While tcpdump running:<br><br>Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000006]<br>Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet
from 192.168.20.100:500: received Vendor ID payload [RFC 3947]
meth=109, but port floating is off<br>Jan 1 00:15:10 OpenWrt
authpriv.warn pluto[848]: packet from 192.168.20.100:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
floating is off<br>Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]<br>Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation
Discovery Capable]<br>Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]:
packet from 192.168.20.100:500: ignoring Vendor ID payload
[Vid-Initial-Contact]<br>Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]<br>Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: responding to Main Mode from unknown peer
192.168.20.100<br>Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: OAKLEY_GROUP 20 not
supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>Jan 1 00:15:10
OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100
#3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R1: sent MR1,
expecting MI2<br>Jan 1 00:15:11 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received
during asynchronous work (DNS or crypto) in STATE_MAIN_R1<br>Jan 1
00:15:13 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>Jan 1 00:15:15 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Jan 1
00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: STATE_MAIN_R2: sent MR2, expecting MI3<br>Jan 1
00:15:16 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R2<br>Jan 1 00:15:18 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3:
discarding packet received during asynchronous work (DNS or crypto) in
STATE_MAIN_R2<br>Jan 1 00:15:20 OpenWrt authpriv.warn pluto[879]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 4832039 usec<br>Jan
1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'<br>Jan
1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3<br>Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}<br>Jan 1
00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: the peer proposed: 192.168.20.1/32:17/0 ->
192.168.20.100/32:17/1701<br>Jan 1 00:15:20 OpenWrt authpriv.warn
pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: responding to
Quick Mode proposal {msgid:01000000}<br>Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: us: 192.168.20.1[+S=C]:17/0<br>Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: them: 192.168.20.100[+S=C]:17/1701<br>Jan
1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #4: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<br>Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2<br>Jan 1 00:15:22 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Jan 1
00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #4: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x5f46ef61 <0x4a92c57f xfrm=AES_128-HMAC_SHA1
NATOA=<invalid> NATD=<invalid>:500 DPD=none}<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 20 twice, ignoring second one.<br>Jan
1 00:15:22 OpenWrt daemon.notice xl2tpd[877]: Connection established to
192.168.20.100, 1701. Local: 63325, Remote: 20 (ref=0/0). LNS session
is 'default'<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]:
result_code_avp: result code not appropriate for
Incoming-Call-Request. Ignoring.<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: start_pppd: I'm running:<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/usr/sbin/pppd"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "passive"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "-detach"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "192.168.1.1:192.168.1.10"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "refuse-pap"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "auth"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "require-chap"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "name"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "LinuxVPNserver"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "debug"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "file"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/etc/ppp/options.l2tpd"<br>Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/dev/pts/2"<br>Jan 1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with 192.168.20.100, Local: 65211, Remote: 1, Serial: 0<br><br><br><br>Will not connect without tcpdump running:<br><br>Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000006]<br>Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet
from 192.168.20.100:500: received Vendor ID payload [RFC 3947]
meth=109, but port floating is off<br>Jan 1 00:08:27 OpenWrt
authpriv.warn pluto[848]: packet from 192.168.20.100:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
floating is off<br>Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]<br>Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation
Discovery Capable]<br>Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]:
packet from 192.168.20.100:500: ignoring Vendor ID payload
[Vid-Initial-Contact]<br>Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]<br>Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: responding to Main Mode from unknown peer
192.168.20.100<br>Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-net"[1] 192.168.20.100 #1: OAKLEY_GROUP 20 not supported.
Attribute OAKLEY_GROUP_DESCRIPTION<br>Jan 1 00:08:27 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1:
OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2<br>Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>Jan
1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'<br>Jan
1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3<br>Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R3: sent MR3, ISAKMP
SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp2048}<br>Jan 1 00:08:28 OpenWrt authpriv.warn
pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: the peer proposed:
192.168.20.1/32:0/0 -> 192.168.20.100/32:0/0<br>Jan 1 00:08:28
OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100
#2: responding to Quick Mode proposal {msgid:01000000}<br>Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: us: 192.168.20.1[+S=C]:17/0<br>Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: them: 192.168.20.100[+S=C]:17/1701<br>Jan
1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<br>Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #2: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2<br>Jan 1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.<br>Jan 1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.<br>Jan 1 00:08:35 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.<br>Jan 1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries exceeded for tunnel 44841. Closing.<br>Jan 1 00:08:35 OpenWrt daemon.info xl2tpd[877]: Connection 19 closed to 192.168.20.100, port 1701 (Timeout)<br>Jan
1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP
SA(0xb82c5a58) not found (maybe expired)<br>Jan 1 00:08:35 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1:
received and ignored informational message<br>Jan 1 00:08:35 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1:
received Delete SA payload: deleting ISAKMP State #1<br>Jan 1 00:08:35
OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100:
deleting connection "roadwarrior-net" instance with peer 192.168.20.100
{isakmp=#0/ipsec=#0}<br>Jan 1 00:08:35 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received and ignored informational message</body>
</html>