IPSec tunnels up, but never make it way to l2tp! <br><br>xx.xx.xxx.109(public IP of gateway)<br><br>yyy.yy.248.161(an windows 7 client connected via ADSL)<br><br>yyy.yy.248.161-------->Internet--------->xx.xx.xxx.109(192.168.6.1)-----------> 192.168.6.18<br>
<br><br>=======================================================================<br>Jul 30 02:41:22 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received Delete SA(0xfb0f531d) payload: deleting IPSEC State #662<br>
Jul 30 02:41:22 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received and ignored informational message<br>Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701<br>
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed<br>Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: responding to Quick Mode proposal {msgid:03000000}<br>
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: us: 192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18<br>Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: them: yyy.yy.248.161[+S=C]:17/1701<br>
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: keeping refhim=4294901761 during rekey<br>Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x06e893de <0x94e87dbe xfrm=AES_128-HMAC_<br>SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}<br>
Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received Delete SA(0xacc6f55f) payload: deleting IPSEC State #663<br>Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received and ignored informational message<br>
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701<br>Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed<br>
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: responding to Quick Mode proposal {msgid:04000000}<br>Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: us: 192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18<br>
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: them: yyy.yy.248.161[+S=C]:17/1701<br>Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: keeping refhim=4294901761 during rekey<br>
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x62e4dbed <0x60c4b2c4 xfrm=AES_128-HMAC_<br>
SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}<br>Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received Delete SA(0x06e893de) payload: deleting IPSEC State #664<br>Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received and ignored informational message<br>
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701<br>Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed<br>
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: responding to Quick Mode proposal {msgid:05000000}<br>Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: us: 192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18<br>
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: them: yyy.yy.248.161[+S=C]:17/1701<br>Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: keeping refhim=4294901761 during rekey<br>
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe030f135 <0x330430c4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}<br>
Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received Delete SA(0x62e4dbed) payload: deleting IPSEC State #665<br>Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: received and ignored informational message<br>
======================================================================================<br><br><br>Can anyone please help me out ? I have been trapped here for several days. still I can't make the ipsec/l2tp vpn server behind NAT work.<br>
<br>Tried Ubuntu 10.04 lts with its own openswan , still fai. tried CentOS, still fail. all fail. <br><br>use DNAT and one-to-one nat on the gw, still fail.<br><br>I will go mad without solving this. Seems other people with the identical config will work smoothly, But I always fail. why? What did I miss ?<br>
<br>here's my ipsec.conf<br>==================================================================<br>config setup<br> nat_traversal=yes<br> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</a><br>
oe=off<br> protostack=netkey<br><br>conn l2tp-psk<br> left=192.168.6.18<br> leftprotoport=17/1701<br> right=%any<br> rightprotoport=17/%any<br> rightsubnet=vhost:%priv,%no<br>
pfs=no<br> rekey=no<br> type=transport<br> authby=secret<br> auto=add<br>======================================<br><br>/etc/xl2tpd/xl2tpd.conf<br>======================================<br>
[global]<br>listen-addr = 192.168.6.18<br>debug tunnel= yes<br>[lns default]<br>ip range = 192.168.6.100-192.168.6.200<br>local ip = 192.168.6.99<br>assign ip = yes<br>require chap = yes<br>refuse pap = yes<br>require authentication = yes<br>
pppoptfile = /etc/ppp/ppp-options.xl2tpd<br>length bit = yes<br>========================================<br><br><br>Thanks anyone here for your kind help! <br><br><br><div class="gmail_quote">2011/7/28 Curu Wong <span dir="ltr"><<a href="mailto:prinbra@gmail.com">prinbra@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Maybe this has nothing to do with xl2tpd.<br><br>I know that l2tp/ipsec will use transport mode. However, I managed to run the server in tunnel mode. and let an Linux client( use openswan+ xl2tpd) connect to the server, it works.<br>
<br>Then, when I change from tunnel mode to transport, connection failed(ipsec tunnel still up, but never goes to l2tp).<br><br>Again, I tcpdump on mast0 interface. and find that when in transport mode, the destination address packets from client has been changed to the internal address of the server. thus I think. even this packet can goes to l2tpd, it will never goes back to the client, because client never know the server's internal address<br>
<br>on clientA.<br>ping GW(S.111.111.111)<br>========================================================================<br>22:53:28.841232 IP 192.168.9.106 > <a href="http://192.168.11.19" target="_blank">192.168.11.19</a>: ICMP echo request, id 53249, seq 1, length 64<br>
22:53:29.838744 IP 192.168.9.106 > <a href="http://192.168.11.19" target="_blank">192.168.11.19</a>: ICMP echo request, id 53249, seq 2, length 64<br>22:53:30.840031 IP 192.168.9.106 > <a href="http://192.168.11.19" target="_blank">192.168.11.19</a>: ICMP echo request, id 53249, seq 3, length 64<br>
22:53:31.843266 IP 192.168.9.106 > <a href="http://192.168.11.19" target="_blank">192.168.11.19</a>: ICMP echo request, id 53249, seq 4, length 64<br>========================================================================<br>
<br>by the way, I add this line to my previous config to make it work in tunnel mode<br>
=============================<br>leftsubnet=S.111.111.111/32 #public IP of the gw<br>=============================<br><br>and add the public IP as an alias interface <br><br>ip addr add S.111.111.111/32 dev eth0 label eth0:0<br>
<br>I don't know why in transport mode, the dst IP changed to l2tp/ipsec GW's internal IP, the tcpdump when using tunnel mode shows the public IP(S.111.111.111) and that works fine.<div><div></div><div class="h5">
<br><br><br><br><br><div class="gmail_quote">
2011/7/28 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
On Thu, 28 Jul 2011, Curu Wong wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Now I am testing ipsec/l2tp with the server itself behind NAT. here's the new network topology:<br>
<br>
clientA(192.168.9.106)-----><u></u>clientGWA(A.111.111.111)------<u></u>-->Server GW(S.111.111.111)------>l2tp/<u></u>ipsec GW(192.168.11.19)<br>
</blockquote>
<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br><div>
but, there's nothing happen to xl2tpd. the log just stops at this line:<br>
==============================<u></u>========================<br>
Jul 28 14:38:13 tvpn xl2tpd[1660]: Listening on IP address 0.0.0.0, port 1701<br>
</div></blockquote>
<br>
Specify the real IP address in listen-addr, do not let it default to ANY.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>
</div></div></blockquote></div><br>