hi,
I know that this is 99% a misconfiguration problem, and I have tried to manage it myself. I didn't want to ask because I realize that it is some plain solution, but I am not able to resolve it.
Whenever I try to connect from Windows XP, I get error 678.
It is a roadwarrior that has to connect to an openswan server behind a firewall.
I have openswan 2.6.22, xl2tpd-1.2.4, CentOS 5, kernel 2.6.18

Thanks again for any help!

Here are my logs and configuration files:

--------------------/var/log/secure
Aug 1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: responding to Main Mode from unknown peer 89.243.161.215
Aug 1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 1 21:23:09 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug 1 21:23:09 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 1 21:23:09 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: Main mode peer ID is ID_FQDN: '@gerard'
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: new NAT mapping for #204, was 89.243.161.215:500, now 89.243.161.215:4500
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: peer client type is FQDN
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: Applying workaround for MS-818043 NAT-T bug
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: IDci was FQDN: Q\250\313\005, using NAT_OA=192.168.0.2/32 as IDci
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: the peer proposed: 81.168.203.5/32:17/1701 -> 192.168.0.2/32:17/0
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #192: received Delete SA payload: deleting ISAKMP State #192
Aug 1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:4500: received and ignored informational message
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: responding to Quick Mode proposal {msgid:a1fec9cb}
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: us: 192.168.1.126<192.168.1.126>[+S=C]:17/1701---192.168.1.99
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: them: 89.243.161.215[@gerard,+S=C]:17/0===192.168.0.2/32
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: keeping refhim=4294901761 during rekey
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe2349f07 <0x2e830221 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.2 NATD=89.243.161.215:4500 DPD=none}
Aug 1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: responding to Main Mode from unknown peer 89.243.161.215
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: received Delete SA(0xe2349f07) payload: deleting IPSEC State #205
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #202: received Delete SA(0xdeb96beb) payload: deleting IPSEC State #203
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #202: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #200: received Delete SA(0x675df714) payload: deleting IPSEC State #201
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #200: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #198: received Delete SA(0x5f2a52d7) payload: deleting IPSEC State #199
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #198: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #196: received Delete SA(0x43995075) payload: deleting IPSEC State #197
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #196: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #194: received Delete SA(0xaf4afd63) payload: deleting IPSEC State #195
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #194: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x9f1d4f45
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x0cfdfe3d
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x908e64f7
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xea804dbc
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xbb82ccdc
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x06be4a52
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xae70b9d7
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xeb8d2a0e
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x3d8c118c
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xa9ad6d8c
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x6467e715
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x7f941a82
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x03e01815
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x7a429c6b
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x9d5a6331
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: Main mode peer ID is ID_FQDN: '@gerard'
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: new NAT mapping for #206, was 89.243.161.215:500, now 89.243.161.215:4500
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: byte 2 of ISAKMP Hash Payload must be zero, but is not
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: malformed payload in packet
Aug 1 21:23:11 portal pluto[8145]: | payload malformed after IV
Aug 1 21:23:11 portal pluto[8145]: | 96 98 74 d4 ec cd e0 cb
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: sending notification PAYLOAD_MALFORMED to 89.243.161.215:4500
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: received Delete SA payload: deleting ISAKMP State #204
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #202: received Delete SA payload: deleting ISAKMP State #202
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #200: received Delete SA payload: deleting ISAKMP State #200
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #198: received Delete SA payload: deleting ISAKMP State #198
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #196: received Delete SA payload: deleting ISAKMP State #196
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: received and ignored informational message
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #194: received Delete SA payload: deleting ISAKMP State #194
Aug 1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500: received and ignored informational message

--------------/etc/ipsec.conf
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn roadwarrior
    keyingtries=3
    rekey=no
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=590m
    keylife=50m
    pfs=no
    left=192.168.1.126
    leftnexthop=192.168.1.99
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
    rightsubnet=vhost:%no,%priv
    auto=add


-------------------/etc/ipsec.secrets
192.168.1.126 %any : PSK "reallyreallylongpassword"

------------------- /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.99
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent

-------------------/etc/ppp/chap-secrets
user1 * "password" 192.168.1.128/25
* user1 "password" 192.168.1.128/25

-------------------/etc/xl2tpd/xl2tpd.conf
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.126
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

----------------/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
#vpn
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

-------------------/etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

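A small triage helper, added here as an example and not part of the original post, that groups the pluto lines above by state number so the sequence is easier to read: phase 1 (#204) and phase 2 (#205) come up, the peer then deletes #205 and #204, and the next phase 1 (#206) is answered with PAYLOAD_MALFORMED. It assumes the per-state line layout shown in the post (`"conn"[n] peer #state: message`) and that a "deleting ... State #N" message names the state being torn down; the sample input is a constructed, abridged excerpt of the log above.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpt of the /var/log/secure lines in the post (not the full log).
SAMPLE_LOG = """\
Aug 1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: responding to Main Mode from unknown peer 89.243.161.215
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe2349f07 <0x2e830221 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.2 NATD=89.243.161.215:4500 DPD=none}
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: received Delete SA(0xe2349f07) payload: deleting IPSEC State #205
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: byte 2 of ISAKMP Hash Payload must be zero, but is not
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: malformed payload in packet
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: sending notification PAYLOAD_MALFORMED to 89.243.161.215:4500
Aug 1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: received Delete SA payload: deleting ISAKMP State #204
"""

# One per-state pluto line: timestamp, host, "conn"[instance], peer, #state, message.
# "packet from ..." lines carry no state number and are skipped by parse_pluto().
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
DELETE_RE = re.compile(r"deleting (ISAKMP|IPSEC) State #(\d+)")

def parse_pluto(text):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["conn"], m["peer"], int(m["sa"]), m["msg"]

def summarize(text):
    """Per state number: peer, lifecycle events in log order, first malformed-payload error."""
    sas = defaultdict(lambda: {"peer": None, "events": [], "error": None})
    for _ts, _conn, peer, sa, msg in parse_pluto(text):
        rec = sas[sa]
        rec["peer"] = peer
        if "ISAKMP SA established" in msg:
            rec["events"].append("phase1_up")
        elif "IPsec SA established" in msg:
            rec["events"].append("phase2_up")
        elif "malformed payload" in msg or "PAYLOAD_MALFORMED" in msg:
            rec["error"] = rec["error"] or msg
        d = DELETE_RE.search(msg)
        if d:  # the Delete SA arrives on the ISAKMP SA but names the state being torn down
            sas[int(d.group(2))]["events"].append("deleted_by_peer")
    return dict(sas)

def short_lived_phase2(summary):
    """IPsec SAs that came up and were then deleted by the peer."""
    return sorted(sa for sa, r in summary.items()
                  if "phase2_up" in r["events"] and "deleted_by_peer" in r["events"])

def malformed_phase1(summary):
    """ISAKMP SAs on which pluto rejected a packet as malformed."""
    return sorted(sa for sa, r in summary.items() if r["error"])
```

Run it over the full /var/log/secure excerpt instead of SAMPLE_LOG to see every earlier pair (#192/#193 through #202/#203) follow the same up-then-deleted pattern.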