<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EstiloDeEmail17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=PT-BR link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US>Hello,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>After upgrade OpenSwan on Ubuntu, VPN
behind NAT stop to work...with valid ip it's ok!<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>root@slitaz:~# uname -a<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Linux slitaz 2.6.27-14-server #1 SMP Tue
Jun 30 20:53:11 UTC 2009 i686 GNU/Linux<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Original version (using apt-get):<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-rw-r--r-- 1 root root 62874 2008-06-27
09:04 xl2tpd_1.2.0+dfsg-1ubuntu1_i386.deb<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-rw-r--r-- 1 root root 1674322 2008-10-08
12:05 openswan_1%3a2.4.12+dfsg-1.3_i386.deb<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-rw-r--r-- 1 root root 97706 2009-06-09
15:04 ipsec-tools_1%3a0.7-2.1ubuntu1.8.10.1_i386.deb<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>New version:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>root@slitaz:/usr/src# ls -ltr<o:p></o:p></span></p>
<p class=MsoNormal>-rw-r--r-- 1 root src 541039 2009-03-08 20:27
xl2tpd-1.2.4.tar.gz<o:p></o:p></p>
<p class=MsoNormal><span lang=EN-US>-rw-r--r-- 1 root src 8152865 2009-06-22
23:55 openswan-2.6.22.tar.gz<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>root@slitaz:~# ipsec --version<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Linux Openswan U2.6.22/K2.6.27-14-server
(netkey)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>See `ipsec --copyright' for copyright
information.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Strange noted bahaviors:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>- Got stuck in terminal, but after CTRL+C
it's ok<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>root@slitaz:/etc# /etc/init.d/ipsec restart<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ipsec_setup: Stopping Openswan IPsec...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ipsec_setup: Starting Openswan IPsec
U2.6.22/K2.6.27-14-server...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>- Weird NAT/OAKLEY messages on
/var/log/messages<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz ipsec__plutorun:
Starting Pluto subsystem...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
Starting Pluto (Openswan Version 2.6.22; Vendor ID OElj@]rTMBuM) pid:17457<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
Setting NAT-Traversal port-4500 floating to on<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
port floating activation criteria nat_t=1/port_float=1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
including NAT-Traversal patch (Version 0.6c)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]: using
/dev/urandom as source of random entropy<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
starting up 1 cryptographic helpers<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17458]: using
/dev/urandom as source of random entropy<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
started helper pid=17458 (fd:7)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]: Using
Linux 2.6 IPsec interface code on 2.6.27-14-server (experimental code)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
Changed path to directory '/etc/ipsec.d/cacerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
loaded CA cert file 'demoCA' (0 bytes)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]: file
coded in unknown format, discarded<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
discarded CA cert file 'crl.pem', bad size 0 bytes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
Changed path to directory '/etc/ipsec.d/aacerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
Changed path to directory '/etc/ipsec.d/ocspcerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
Changing to directory '/etc/ipsec.d/crls'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
Warning: empty directory<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]: added
connection description "L2TP-PSK"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:40:40 slitaz pluto[17457]:
listening for IKE messages<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: NAT-Traversal: Trying new style NAT-T<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz
pluto[17457]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T
family IPv4 (errno=19)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>Aug 3 18:40:40 slitaz pluto[17457]:
NAT-Traversal: Trying old style NAT-T<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>- And last the errors on XL2TPD (occurs
with the same errors with old and new packages)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>root@slitaz:/etc# xl2tpd -D<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: setsockopt recvref[22]:
Protocol not available<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: L2TP kernel support not
detected.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: xl2tpd version xl2tpd-1.2.4
started on slitaz. PID:17539<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: Written by Mark Spencer,
Copyright (C) 1998, Adtran, Inc.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: Forked by Scott Balmos and
David Stipp, (C) 2001<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: Inherited by Jeff McAdams,
(C) 2002<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: Forked again by Xelerance
(www.xelerance.com) (C) 2006<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: Listening on IP address
0.0.0.0, port 1701<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>xl2tpd[17539]:
control_finish: Peer requested tunnel 12 twice, ignoring second one.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>xl2tpd[17539]:
control_finish: Peer requested tunnel 12 twice, ignoring second one.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:red'>xl2tpd[17539]:
control_finish: Peer requested tunnel 12 twice, ignoring second one.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[17539]: Maximum retries exceeded for
tunnel 41505. Closing.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Below my working config used on my debian
and ubuntu boxes:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc/ppp# cat options.xl2tpd<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>require-mschap-v2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ms-dns 192.168.2.254<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ms-dns 200.20.0.18<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ms-wins 192.168.2.254<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>asyncmap 0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>auth<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>#noauth<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>crtscts<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>lock<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>hide-password<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>modem<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debug<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>name l2tpd<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>proxyarp<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>lcp-echo-interval 30<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>lcp-echo-failure 4<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc/xl2tpd# cat xl2tpd.conf<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>[global]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ipsec saref = yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>[lns default]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ip range = 155.132.0.10-155.132.0.20<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>local ip = 155.132.0.203<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>refuse chap = yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>refuse pap = yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>require authentication = yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ppp debug = yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>pppoptfile = /etc/ppp/options.xl2tpd<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>length bit = yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc# cat ipsec.conf<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># /etc/ipsec.conf - Openswan IPsec
configuration file<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>version 2.0 # conforms to second
version of ipsec.conf specification<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>config setup<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> nat_traversal=yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> nhelpers=0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> </span>protostack=netkey<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>include /etc/ipsec.d/examples/no_oe.conf<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span lang=EN-US>conn L2TP-PSK<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> authby=secret<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> pfs=no<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> auto=add<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> keyingtries=3<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> rekey=no<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> type=transport<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> left=%defaultroute<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> leftprotoport=17/1701<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> right=%any<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> rightsubnet=vhost:%no,%priv<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> rightprotoport=17/1701<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc# cat ipsec.secrets<o:p></o:p></span></p>
<p class=MsoNormal>: RSA /etc/ipsec.d/private/debianKey.pem<o:p></o:p></p>
<p class=MsoNormal><span lang=EN-US>: PSK "PASSWORD"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc/ppp# cat chap-secrets<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Secrets for authentication using CHAP<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># client server
secret IP addresses<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>user l2tpd password
"155.132.0.10"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>l2tpd user password
"155.132.0.10"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:14.0pt'>Ofcourse Debian
keeps running OK behind NAT....<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc/ppp# ipsec --version<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Linux Openswan U2.4.12/K2.6.26-2-686
(netkey)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>See `ipsec --copyright' for copyright
information.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-rw-r--r-- 1 root root 60866 2008-03-31
18:47 xl2tpd_1.2.0+dfsg-1_i386.deb<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-rw-r--r-- 1 root root 1730858 2009-03-30
20:47 openswan_1%3a2.4.12+dfsg-1.3+lenny1_i386.deb<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-rw-r--r-- 1 root root 99098 2009-05-20
12:48 ipsec-tools_1%3a0.7.1-1.3+lenny2_i386.deb<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/var/log# tail -f
/var/log/daemon.log<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:25:32 debian ipsec_setup:
...Openswan IPsec stopped<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:25:32 debian ipsec_setup:
Stopping Openswan IPsec...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:25:33 debian ipsec_setup: NETKEY
on eth1 201.24.73.ZZZ/255.255.255.248 broadcast 201.24.73.BBB<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:25:33 debian ipsec_setup:
...Openswan IPsec started<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:25:33 debian ipsec_setup:
Starting Openswan IPsec 2.4.12...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc/ppp# xl2tpd -D<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Enabling IPsec SAref
processing for L2TP transport mode SAs<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: IPsec SAref does not work
with L2TP kernel mode yet, enabling forceuserspace=yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: setsockopt recvref: Protocol
not available<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: L2TP kernel support not
detected.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: xl2tpd version xl2tpd-1.2.0
started on debian PID:3361<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Written by Mark Spencer,
Copyright (C) 1998, Adtran, Inc.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Forked by Scott Balmos and
David Stipp, (C) 2001<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Inherited by Jeff McAdams,
(C) 2002<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Forked again by Xelerance
(www.xelerance.com) (C) 2006<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Listening on IP address
201.24.73.ZZZ, port 1701<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: control_finish: Peer
requested tunnel 5 twice, ignoring second one.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Connection established to
201.24.73.XXX, 1701. Local: 55369, Remote: 5 (ref=0/0). LNS session is
'default'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: check_control: Received out
of order control packet on tunnel 5 (got 4, expected 3)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: handle_packet: bad control
packet!<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: start_pppd: I'm running:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "/usr/sbin/pppd"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "passive"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "-detach"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]:
"155.132.0.203:155.132.0.10"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "refuse-pap"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "refuse-chap"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "auth"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "debug"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "file"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]:
"/etc/ppp/options.xl2tpd"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: "/dev/pts/1"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>xl2tpd[3361]: Call established with
201.24.73.XXX, Local: 9389, Remote: 1, Serial: 0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>debian:/etc# tail -f /var/log/auth.log<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:53 debian pluto[3015]: packet
from 201.24.73.XXX:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:53 debian pluto[3015]: packet
from 201.24.73.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:53 debian pluto[3015]: packet
from 201.24.73.XXX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:53 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: responding to Main Mode from unknown
peer 201.24.73.XXX<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:53 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: transition from state STATE_MAIN_R0
to state STATE_MAIN_R1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:53 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: STATE_MAIN_R1: sent MR1, expecting
MI2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: transition from state STATE_MAIN_R1
to state STATE_MAIN_R2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: STATE_MAIN_R2: sent MR2, expecting
MI3<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: Main mode peer ID is ID_FQDN:
'@winxp'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[1] 201.24.73.XXX #1: switched from "L2TP-PSK" to
"L2TP-PSK"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #1: deleting connection
"L2TP-PSK" instance with peer 201.24.73.XXX {isakmp=#0/ipsec=#0}<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2]
201.24.73.XXX #1: I did not send a certificate because I do not have one.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #1: transition from state STATE_MAIN_R2
to state STATE_MAIN_R3<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp2048}<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #2: responding to Quick Mode {msgid:c25f786b}<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #2: transition from state STATE_QUICK_R0
to state STATE_QUICK_R1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #2: STATE_QUICK_R1: sent QR1, inbound
IPsec SA installed, expecting QI2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #2: transition from state STATE_QUICK_R1
to state STATE_QUICK_R2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Aug 3 18:57:54 debian pluto[3015]:
"L2TP-PSK"[2] 201.24.73.XXX #2: STATE_QUICK_R2: IPsec SA established
{ESP=>0x1f1bb521 <0xd43e3428 xfrm=3DES_0-HMAC_MD5 NATD=201.24.73.XXX:4500
DPD=none}<o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>