Hi, I'm trying to set up an L2TP/IPsec server using openswan/xl2tpd. Here is my network topology:

REM.OTE.NET.0/24===vpn server (REM.OTE.NET.178)=== internet === (HO.ME.NET.254) NAT DEVICE (192.168.1.0/24) === client (192.168.1.63)

When I'm trying to connect from my client (Mac OS 10.5) the connection fails and I get "cannot respond to IPsec SA request because no connection is known for..." messages on the server side. I've tried several setups on the server, based on several howtos and other messages found on the web, but the result is always the same.

If someone could help, I'm surely missing something but I can't figure out what...

thx

Brian

/etc/ipsec.conf is as follows:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:!REM.OTE.NET.0/24
    oe=off
    nhelpers=1
    interfaces=%defaultroute

conn roadwarrior-l2tp
    type=transport
    authby=secret
    left=REM.OTE.NET.178
    leftsubnet=REM.OTE.NET.0/24
    leftprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    rightsubnetwithin=192.168.1.0/24
    right=%any
    rightprotoport=17/0
    pfs=no
    auto=add


[root@vpn ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 REM.OTE.NET.178
000 interface eth0/eth0 REM.OTE.NET.178
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 1 subnet: REM.OTE.NET.0/24
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior-l2tp": REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...%virtual[+S=C]:17/0===?; unrouted; eroute owner: #0
000 "roadwarrior-l2tp": myip=unset; hisip=unset;
000 "roadwarrior-l2tp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-l2tp": policy: PSK+ENCRYPT+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "roadwarrior-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000


/var/log/secure:

Apr 10 19:55:17 vpn ipsec__plutorun: Starting Pluto subsystem...
Apr 10 19:55:17 vpn pluto[30646]: nss directory plutomain: /etc/ipsec.d
Apr 10 19:55:17 vpn pluto[30646]: NSS Initialized
Apr 10 19:55:17 vpn pluto[30646]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Apr 10 19:55:17 vpn pluto[30646]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Apr 10 19:55:17 vpn pluto[30646]: Starting Pluto (Openswan Version 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:30646
Apr 10 19:55:17 vpn pluto[30646]: Setting NAT-Traversal port-4500 floating to on
Apr 10 19:55:17 vpn pluto[30646]: port floating activation criteria nat_t=1/port_float=1
Apr 10 19:55:17 vpn pluto[30646]: including NAT-Traversal patch (Version 0.6c)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: starting up 1 cryptographic helpers
Apr 10 19:55:17 vpn pluto[30646]: main fd(10) helper fd(11)
Apr 10 19:55:17 vpn pluto[30646]: started helper (thread) pid=1102211392 (fd:10)
Apr 10 19:55:17 vpn pluto[30646]: Using Linux 2.6 IPsec interface code on 2.6.18-164.15.1.el5xen (experimental code)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: Changed path to directory '/etc/ipsec.d/cacerts'
Apr 10 19:55:17 vpn pluto[30646]: loaded CA cert file 'cakey.pem' (963 bytes)
Apr 10 19:55:17 vpn pluto[30646]: no passphrase available
Apr 10 19:55:17 vpn pluto[30646]: Could not change to directory '/etc/ipsec.d/aacerts': /
Apr 10 19:55:17 vpn pluto[30646]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Apr 10 19:55:17 vpn pluto[30646]: Changing to directory '/etc/ipsec.d/crls'
Apr 10 19:55:17 vpn pluto[30646]: loaded crl file 'crl.pem' (499 bytes)
Apr 10 19:55:17 vpn pluto[30646]: crl issuer cacert not found for (file:///etc/ipsec.d/crls/crl.pem)
Apr 10 19:55:17 vpn pluto[30646]: added connection description "roadwarrior-l2tp"
Apr 10 19:55:17 vpn pluto[30646]: listening for IKE messages
Apr 10 19:55:17 vpn pluto[30646]: adding interface eth0/eth0 REM.OTE.NET.178:500
Apr 10 19:55:17 vpn pluto[30646]: adding interface eth0/eth0 REM.OTE.NET.178:4500
Apr 10 19:55:17 vpn pluto[30646]: adding interface lo/lo 127.0.0.1:500
Apr 10 19:55:17 vpn pluto[30646]: adding interface lo/lo 127.0.0.1:4500
Apr 10 19:55:17 vpn pluto[30646]: adding interface lo/lo ::1:500
Apr 10 19:55:17 vpn pluto[30646]: loading secrets from "/etc/ipsec.secrets"
Apr 10 19:55:17 vpn pluto[30646]: loading secrets from "/etc/ipsec.d/hostname.secrets"
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [RFC 3947] method set to=109
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [Dead Peer Detection]
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: responding to Main Mode from unknown peer HO.ME.NET.254
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Apr 10 19:56:18 vpn pluto[30646]: pluto_do_crypto: helper (0) is exiting
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 10 19:56:18 vpn pluto[30646]: pluto_do_crypto: helper (0) is exiting
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.63'
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: switched from "roadwarrior-l2tp" to "roadwarrior-l2tp"
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: deleting connection "roadwarrior-l2tp" instance with peer HO.ME.NET.254 {isakmp=#0/ipsec=#0}
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: new NAT mapping for #1, was HO.ME.NET.254:500, now HO.ME.NET.254:4500
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: received and ignored informational message
Apr 10 19:56:19 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: the peer proposed: REM.OTE.NET.178/32:17/1701 -> 192.168.1.63/32:17/0
Apr 10 19:56:19 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...HO.ME.NET.254[192.168.1.63,+S=C]:17/49470===192.168.1.63/32
Apr 10 19:56:19 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: sending encrypted notification INVALID_ID_INFORMATION to HO.ME.NET.254:4500
Apr 10 19:56:29 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: the peer proposed: REM.OTE.NET.178/32:17/1701 -> 192.168.1.63/32:17/0
Apr 10 19:56:29 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...HO.ME.NET.254[192.168.1.63,+S=C]:17/49470===192.168.1.63/32
Apr 10 19:56:29 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: sending encrypted notification INVALID_ID_INFORMATION to HO.ME.NET.254:4500
Apr 10 19:56:39 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: the peer proposed: REM.OTE.NET.178/32:17/1701 -> 192.168.1.63/32:17/0
Apr 10 19:56:39 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...HO.ME.NET.254[192.168.1.63,+S=C]:17/49470===192.168.1.63/32
Apr 10 19:56:39 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: sending encrypted notification INVALID_ID_INFORMATION to HO.ME.NET.254:4500
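The status output above says it plainly: "virtual_private (%priv): allowed 0 subnets" followed by the warning that 'rightsubnet=%priv' will not work, and the Quick Mode proposal that then fails asks for the NATed client's private address 192.168.1.63/32 as its inner selector. A virtual_private= line that contains only an exclusion gives %priv nothing to match, so Pluto has no connection for that selector and answers INVALID_ID_INFORMATION. The script below is an added illustration, not code from the post or from Openswan: it parses a virtual_private= value into allowed and excluded ranges, extracts the proposed inner selector from a "the peer proposed" log line, and reports whether %priv could cover it. The matching logic is a simplified model of Openswan's check (an assumption, not its source), and the addresses are constructed stand-ins for the post's masked REM.OTE.NET and HO.ME.NET values.

```python
"""Model the virtual_private / %priv decision for a NATed road warrior.

Added example; not Openswan code. Addresses are constructed stand-ins:
203.0.113.0/24 plays REM.OTE.NET.0/24, 198.51.100.254 plays HO.ME.NET.254.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SERVER_LAN = "203.0.113.0/24"   # stand-in for the post's REM.OTE.NET.0/24

# The posted value: an exclusion only, so no subnet is ever *allowed*.
POSTED = f"%v4:!{SERVER_LAN}"
# A value that also lists the RFC 1918 ranges a NATed client may sit behind.
CORRECTED = (f"%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
             f"%v4:!{SERVER_LAN}")

# Constructed log line in the shape of the post's "the peer proposed" message.
LOG_LINE = ('Apr 10 19:56:19 vpn pluto[30646]: "roadwarrior-l2tp"[2] 198.51.100.254 #1: '
            'the peer proposed: 203.0.113.178/32:17/1701 -> 192.168.1.63/32:17/0')


@dataclass
class VirtualPrivate:
    allowed: list = field(default_factory=list)
    disallowed: list = field(default_factory=list)


def parse_virtual_private(value: str) -> VirtualPrivate:
    """Split a virtual_private= value into allowed and '!'-excluded ranges.
    Only %v4: entries are handled in this simplified model."""
    vp = VirtualPrivate()
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if not entry.startswith("%v4:"):
            raise ValueError(f"unsupported virtual_private entry: {entry}")
        cidr = entry[len("%v4:"):]
        if cidr.startswith("!"):
            vp.disallowed.append(ipaddress.ip_network(cidr[1:], strict=False))
        else:
            vp.allowed.append(ipaddress.ip_network(cidr, strict=False))
    return vp


PROPOSAL_RE = re.compile(
    r"the peer proposed: (\S+):(\d+)/(\d+) -> (\S+):(\d+)/(\d+)")


def parse_proposal(log_line: str):
    """Extract local/remote selectors and proto/port pairs from a Pluto
    'the peer proposed' line; None if the line is something else."""
    m = PROPOSAL_RE.search(log_line)
    if not m:
        return None
    local, lproto, lport, remote, rproto, rport = m.groups()
    return {
        "local": str(ipaddress.ip_network(local)),
        "local_protoport": (int(lproto), int(lport)),
        "remote": str(ipaddress.ip_network(remote)),
        "remote_protoport": (int(rproto), int(rport)),
    }


def priv_accepts(vp: VirtualPrivate, client_cidr: str):
    """(accepted, reason): the client's selector must fall inside some allowed
    range and inside no excluded one. An empty allowed list matches nothing,
    which is exactly the 'allowed 0 subnets' condition in the post's status."""
    client = ipaddress.ip_network(client_cidr)
    if not vp.allowed:
        return False, "virtual_private lists no allowed subnets; %priv matches nothing"
    if any(client.subnet_of(d) for d in vp.disallowed):
        return False, "client selector lies inside an excluded range"
    if not any(client.subnet_of(a) for a in vp.allowed):
        return False, "client selector lies outside every allowed range"
    return True, "client selector lies inside an allowed range"


def evaluate(config_value: str, log_line: str):
    """Decide whether %priv could cover the inner address a peer proposed."""
    proposal = parse_proposal(log_line)
    if proposal is None:
        raise ValueError("log line carries no Quick Mode proposal")
    return priv_accepts(parse_virtual_private(config_value), proposal["remote"])


if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("corrected", CORRECTED)):
        print(f"{label:9s} virtual_private={value}")
        print(f"          -> {evaluate(value, LOG_LINE)}")
```

Running it shows the posted value rejected with the "no allowed subnets" reason and the corrected value accepted for 192.168.1.63/32, while the server's own LAN stays excluded in both. It only covers the %priv side of the failure; whether leftsubnet= belongs in a transport-mode L2TP conn is a separate question the status line "REM.OTE.NET.0/24===REM.OTE.NET.178" hints at.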