Hello,<br><br>According to <a href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/87671.mspx?mfr=true">http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/87671.mspx?mfr=true</a>, the registry setting disables IPSec altogether and your l2tp connections will not be secured. Of course you can use encryption at pptp level, but this is considered very weak compared to ipsec.<br>
<br>Catalin<br><br><div class="gmail_quote">On Fri, Mar 20, 2009 at 9:27 AM, Janantha Marasinghe <span dir="ltr"><<a href="mailto:janantha@techcert.lk">janantha@techcert.lk</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
Thanks Saso.<br>
<br>
Works perfectly now!! <br>
<br>
Saso Tavcar wrote:
<blockquote type="cite">Hi!
<br>
<br>
I had the same problem also with latest development packages for xl2tpd
and openswan.
<br>
PPP session does not start with L2TP+IPsec+PSK client configuration!?
<br>
<br>
Try with disabled IPsec on Windows XP client.
<br>
<br>
Run this registry settings and reboot your Windows XP client:
<br>
<br>
Windows Registry Editor Version 5.00
<br>
<br>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
<br>
"prohibitipsec"=dword:00000001
<br>
<br>
<br>
Regards,
<br>
saso
<br><div><div></div><div class="h5">
<br>
<br>
On Mar 20, 2009, at 3:50 AM, Janantha Marasinghe wrote:
<br>
<br>
<blockquote type="cite">Hello,
<br>
<br>
Yes, all my clients are Windows XP (SP3). I do use xl2tpd for the
tunnel. The configuration of xl2tpd is
<br>
<br>
[global]
<br>
[lns default]
<br>
ip range = 10.8.109.100-10.8.109.110
<br>
local ip = 10.8.109.65
<br>
require chap = yes
<br>
refuse pap = yes
<br>
require authentication = yes
<br>
name = LinuxVPNServer
<br>
ppp debug = yes
<br>
pppoptfile = /etc/ppp/options.xl2tpd
<br>
length bit = yes
<br>
<br>
If this doesn't work I'll upgrade the current openswan as well (I see
an update for it for my FC9). Other
<br>
<br>
Catalin Sanda wrote:
<br>
<blockquote type="cite"><br>
Hello,
<br>
<br>
From what I can gather, you are trying to use a Windows 2000+ client to
<br>
connect to your Linux box. IPsec seems to work, so now you have to set up the
<br>
L2TP tunnel (I personally use xl2tp).
<br>
<br>
Unfortunately the setup you are trying to achieve didn't work for me because
<br>
of a bug in openswan (see the response to one of my earlier posts), so I had
<br>
to switch to strongswan, which worked.
<br>
<br>
Hope this helps,
<br>
Catalin
<br>
<br>
<br>
On Thu, Mar 19, 2009 at 12:52 PM, Janantha Marasinghe
<br>
<a href="mailto:janantha@techcert.lk" target="_blank"><janantha@techcert.lk></a> wrote:
<br>
<br>
<br>
<blockquote type="cite"> Hi Catalin,
<br>
<br>
Thanks for your suggestions. I amended as you stated and now it does go to
<br>
state 2. But after that it gets stuck on the following line written to
<br>
/var/log/secure
<br>
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x38511bd7 <0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9 NATD=roadwarrior-routerip:4500 DPD=none}
<br>
<br>
My Windows clients give the 678 error message. Do I have to change my ADSL
<br>
router firewall configuration? The rest of the transitions are below.
<br>
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from roadwarrior-routerip:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from roadwarrior-routerip:500: ignoring Vendor ID payload [FRAGMENTATION]
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from roadwarrior-routerip:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from roadwarrior-routerip:500: ignoring Vendor ID payload [Vid-Initial-Contact]
<br>
Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: responding to Main Mode from unknown peer roadwarrior-routerip
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
</div></div><blockquote type="cite"><div><div></div><div class="h5">
<blockquote type="cite">
<blockquote type="cite">Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
<br>
Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: STATE_MAIN_R1: sent MR1, expecting MI2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: STATE_MAIN_R2: sent MR2, expecting MI3
<br>
Mar 19 16:16:01 mooshika pluto[32013]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 228522 usec
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: Main mode peer ID is ID_FQDN: '@techcert-37a9ea'
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: new NAT mapping for #5, was roadwarrior-routerip:500, now roadwarrior-routerip:4500
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: peer client type is FQDN
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: Applying workaround for MS-818043 NAT-T bug
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: IDci was FQDN: \300\370\010k, using NAT_OA=172.16.0.9/32 as IDci
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: the peer proposed: vpn.server.ip/32:17/1701 -> 172.16.0.9/32:17/1701
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev@openswan.org
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev@openswan.org
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev@openswan.org
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev@openswan.org
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: responding to Quick Mode proposal {msgid:c1ca4ad8}
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: us: vpn.server.ip<vpn.server.ip>[+S=C]:17/1701
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: them: roadwarrior-routerip[@techcert-37a9ea,+S=C]:17/1701===172.16.0.9/32
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x38511bd7 <0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9 NATD=roadwarrior-routerip:4500 DPD=none}
<br>
<br>
<br>
<br>
Catalin Sanda wrote:
<br>
<br>
It might help if you have something like:
<br>
<br>
config setup
<br>
#......
<br>
nat_traversal=yes
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
<br>
<br>
conn L2TP-PSK
<br>
#.......
<br>
rightsubnet=vhost:%no,%priv
<br>
<br>
<br>
<br>
On Thu, Mar 19, 2009 at 10:09 AM, Janantha Marasinghe
<a href="mailto:janantha@techcert.lk" target="_blank"><janantha@techcert.lk></a> wrote:
<br>
<br>
<br>
<br>
Thanks Andrew,
<br>
<br>
I have included nat_traversal=yes in the ipsec.conf and restarted the
<br>
services but still the same!
<br>
<br>
<br>
<br>
andrew colin wrote:
<br>
<br>
I think you do not have nat traversal enabled that is why.
<br>
<br>
On Thu, Mar 19, 2009 at 5:54 AM, Janantha Marasinghe
<a href="mailto:janantha@techcert.lk" target="_blank"><janantha@techcert.lk></a> wrote:
<br>
<br>
<br>
Dear All,
<br>
<br>
Currently I'm trying to connect to my openswan server. My network setup
<br>
is given below. When I try to connect using a fully up to date SP3
<br>
Windows XP system, I see the following error in the VPN server's
<br>
secure log
<br>
<br>
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: cannot respond to IPsec SA request because no connection is known for vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computername-37a9ea,+S=C]:17/1701===172.16.0.9/32
<br>
<br>
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: sending encrypted notification INVALID_ID_INFORMATION to roadwarrior-routerip:4500
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: peer client type is FQDN
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: Applying workaround for MS-818043 NAT-T bug
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: IDci was FQDN: \300\370\010k, using NAT_OA=172.16.0.9/32 as IDci
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: the peer proposed: vpn.server.ip/32:17/1701 -> 172.16.0.9/32:17/1701
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: cannot respond to IPsec SA request because no connection is known for vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computer-37a9ea,+S=C]:17/1701===172.16.0.9/32
<br>
<br>
<br>
<br>
private network 172.16.0.0/255.255.255.240 --> ADSL Router (NAT enabled)
<br>
---------Internet--------------OpenswanVPN(Public IP Address)
<br>
<br>
My IPsec.conf is
<br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file
<br>
#
<br>
# Manual: ipsec.conf.5
<br>
#
<br>
# Please place your own config files in /etc/ipsec.d/ ending in .conf
<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification
<br>
<br>
# basic configuration
<br>
config setup
<br>
# Debug-logging controls: "none" for (almost) none, "all" for lots.
<br>
# klipsdebug=none
<br>
# plutodebug="control parsing"
<br>
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
<br>
protostack=netkey
<br>
<br>
conn L2TP-PSK
<br>
#
<br>
authby=secret
<br>
pfs=no
<br>
rekey=no
<br>
keyingtries=3
<br>
#
<br>
# ----------------------------------------------------------
<br>
# The VPN server.
<br>
#
<br>
# Allow incoming connections on the external network interface.
<br>
# If you want to use a different interface or if there is no
<br>
# defaultroute, you can use: left=your.ip.addr.ess
<br>
#
<br>
left=public.ip.address.of.vpn.server
<br>
#
<br>
leftprotoport=17/1701
<br>
# If you insist on supporting non-updated Windows clients,
<br>
# you can use: leftprotoport=17/%any
<br>
#
<br>
# ----------------------------------------------------------
<br>
# The remote user(s).
<br>
#
<br>
# Allow incoming connections only from this IP address.
<br>
right=%any
<br>
# If you want to allow multiple connections from any IP address,
<br>
# you can use: right=%any
<br>
#
<br>
rightprotoport=17/1701
<br>
#
<br>
# ----------------------------------------------------------
<br>
# Change 'ignore' to 'add' to enable this configuration.
<br>
#
<br>
auto=add
<br>
<br>
include /etc/ipsec.d/no_oe.conf
<br>
<br>
Do I have to put additional information in the ipsec.conf to include
<br>
172.16.0.0/255.255.255.240?
<br>
<br>
--
<br>
<br>
_______________________________________________
<br>
Users@openswan.org
<br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a>
<br>
Building and Integrating Virtual Private Networks with Openswan:
<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
<br>
<br>
<br>
--
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--
<br>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
-- <br>
<br></div></div>
<br><div class="im">
<br>
</div></blockquote>
<br>
<br>
</blockquote>
<br>
<div>-- <br>
</div>
</div>
<br></blockquote></div><br>
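The thread's troubleshooting turns on reading pluto's state transitions: first Quick Mode was rejected with INVALID_ID_INFORMATION because the NATed client's private /32 matched no conn (fixed with virtual_private= and rightsubnet=vhost:%no,%priv), then the IPsec SA came up but PPP still failed with Windows error 678, pointing at the L2TP layer. The script below is an added example, not code from the thread or from Openswan; it parses constructed log lines modelled on the quoted ones (placeholders kept) and reports which stage each connection instance reached. SAMPLE_LOG, LINE_RE and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in the thread (placeholders
# kept, nothing copied verbatim): instance [4] is the failing run, [2] the later one.
SAMPLE_LOG = """\
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: cannot respond to IPsec SA request because no connection is known for vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computer-37a9ea,+S=C]:17/1701===172.16.0.9/32
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: sending encrypted notification INVALID_ID_INFORMATION to roadwarrior-routerip:4500
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x38511bd7 <0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9 NATD=roadwarrior-routerip:4500 DPD=none}
"""

# pluto[pid]: "conn"[instance] peer #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \S+ #\d+: (?P<msg>.*)')

def parse_pluto(text):
    """Group pluto messages by connection instance, keyed like ('L2TP-PSK', 4)."""
    inst = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            inst[(m["conn"], int(m["inst"]))].append(m["msg"])
    return inst

def diagnose(msgs):
    """Say how far one instance got, in the order the thread worked through them."""
    joined = "\n".join(msgs)
    natted = " (peer is NATed, so nat_traversal=yes is required)" if "peer is NATed" in joined else ""
    if "no connection is known for" in joined or "INVALID_ID_INFORMATION" in joined:
        # Quick Mode carried the client's private /32 (NAT_OA) and no conn matched it;
        # the thread fixed this with virtual_private= and rightsubnet=vhost:%no,%priv.
        return "quick-mode-rejected: allow the NATed client via virtual_private/rightsubnet" + natted
    sa = re.search(r"IPsec SA established .*?xfrm=(\S+)", joined)
    if sa:
        # IKE is complete, so a Windows error 678 now points at L2TP/PPP, not IPsec.
        # The ESP transform is recorded because 3DES/MD5 is legacy strength today.
        return f"ipsec-established: xfrm={sa.group(1)}; check xl2tpd/pppd next" + natted
    if "ISAKMP SA established" in joined:
        return "phase1-only: ISAKMP SA up but no IPsec SA" + natted
    return "incomplete: no SA established" + natted

def report(text):
    """One verdict per connection instance, keyed 'conn[instance]'."""
    return {f"{c}[{i}]": diagnose(m) for (c, i), m in sorted(parse_pluto(text).items())}

if __name__ == "__main__":
    for key, verdict in report(SAMPLE_LOG).items():
        print(key, "->", verdict)
```

Point it at /var/log/secure (or wherever pluto logs on the host) by reading the file into report(); a "quick-mode-rejected" verdict on a fresh instance is the symptom the thread started from.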