<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>you need to:</div><div>- add rightsubnet=vhost:%priv,%no</div><div>- add virtual-private= that includes your 172 range</div><div>- configure the real IP address in xl2tpd.conf for listen-addr </div><div><br></div><div><br><br>sent from a tiny device </div><div><br>On 2013-09-02, at 23:18, "Ozai" <<a href="mailto:ozai.tien@gmail.com">ozai.tien@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<div><font color="#0000ff" size="2" face="Verdana">Dear Sirs,</font></div>
<div><font color="#0000ff" size="2" face="Verdana"></font> </div>
<div><font color="#0000ff" size="2" face="Verdana">I set up the L2TP test environment
as below, but it did not seem to work. It seems the IPsec negotiation
failed. What do I need to do to check this?</font><font color="#0000ff" size="2" face="Verdana"> Can someone point me in the right
direction? Thanks.</font></div>
<div><font color="#0000ff" size="2" face="Verdana"></font> </div>
<div><font color="#0000ff" size="2" face="Verdana">Best Regards,</font></div>
<div><font color="#0000ff" size="2" face="Verdana">Ozai</font></div>
<div><font color="#0000ff" size="2" face="Verdana"></font> </div>
<div><font color="#0000ff" size="2" face="Verdana">Windows XP -----------(LAN
side:192.168.71.X)-----GW-------(WAN side:172.17.21.X)-----------L2TP/IPSec
Server</font></div>
<div><font color="#0000ff" size="2" face="Verdana">L2TP/IPSec
client
Xl2tpd/openswan 2.6.38</font></div>
<div><font color="#0000ff" size="2" face="Verdana"></font> </div>
<div><font color="#0000ff" size="2" face="Verdana">####################>>log</font></div>
<div><font color="#0000ff" size="2" face="Verdana">Sep 3 03:56:09 daemon err
ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...<br>Sep 3 03:56:09
daemon err ipsec_setup: Using NETKEY(XFRM) stack<br>Sep 3 03:56:11
authpriv err ipsec__plutorun: Starting Pluto subsystem...<br>Sep 3
03:56:11 user warn syslog: adjusting ipsec.d to /var/ipsec.d<br>Sep 3
03:56:11 authpriv warn pluto[5955]: WARNING: 1DES is enabled<br>Sep 3
03:56:11 authpriv warn pluto[5955]: LEAK_DETECTIVE support
[disabled]<br>Sep 3 03:56:11 authpriv warn pluto[5955]: OCF support for
IKE [disabled]<br>Sep 3 03:56:11 authpriv warn pluto[5955]: NSS support
[disabled]<br>Sep 3 03:56:11 authpriv warn pluto[5955]: HAVE_STATSD
notification support not compiled in<br>Sep 3 03:56:11 authpriv warn
pluto[5955]: Setting NAT-Traversal port-4500 floating to off<br>Sep 3
03:56:11 authpriv warn pluto[5955]: port floating activation
criteria nat_t=0/port_float=1<br>Sep 3 03:56:11 authpriv warn
pluto[5955]: NAT-Traversal support
[disabled]<br>Sep 3 03:56:11 authpriv warn pluto[5955]: using /dev/urandom
as source of random entropy<br>Sep 3 03:56:11 authpriv warn pluto[5955]:
starting up 1 cryptographic helpers<br>Sep 3 03:56:11 authpriv warn
pluto[5958]: using /dev/urandom as source of random entropy<br>Sep 3
03:56:11 authpriv warn pluto[5955]: started helper pid=5958 (fd:6)<br>Sep
3 03:56:11 daemon err ipsec__plutorun: adjusting ipsec.d to
/var/ipsec.d<br>Sep 3 03:56:11 daemon err ipsec_setup: ...Openswan IPsec
started<br>Sep 3 03:56:13 authpriv warn pluto[5955]: Could not change to
directory '/var/ipsec.d/cacerts': No such file or directory<br>Sep 3
03:56:13 authpriv warn pluto[5955]: Could not change to directory
'/var/ipsec.d/aacerts': No such file or directory<br>Sep 3 03:56:13
authpriv warn pluto[5955]: Could not change to directory
'/var/ipsec.d/ocspcerts': No such file or directory<br>Sep 3 03:56:13
authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/crls': 2
No such file or directory<br>Sep 3 03:56:13 authpriv warn pluto[5955]:
added connection description "test"<br>Sep 3 03:56:13 daemon err
ipsec__plutorun: 002 added connection description "test"<br>Sep 3 03:56:14
authpriv warn pluto[5955]: listening for IKE messages<br>Sep 3 03:56:14
authpriv warn pluto[5955]: adding interface eth0.1/eth0.1
172.17.21.75:500<br>Sep 3 03:56:14 authpriv warn pluto[5955]: adding
interface br0/br0 192.168.1.254:500<br>Sep 3 03:56:14 authpriv warn
pluto[5955]: adding interface lo/lo 127.0.0.1:500<br>Sep 3 03:56:14
authpriv warn pluto[5955]: adding interface lo/lo ::1:500<br>Sep 3
03:56:14 authpriv warn pluto[5955]: loading secrets from
"/var/ipsec.secrets"<br>Sep 3 03:56:15 daemon info xl2tpd[6358]: Enabling
IPsec SAref processing for L2TP transport mode SAs<br>Sep 3 03:56:15
daemon warn xl2tpd[6358]: IPsec SAref does not work with L2TP kernel mode yet,
enabling forceuserspace=yes<br>Sep 3 03:56:15 daemon crit xl2tpd[6358]:
setsockopt recvref[30]: Protocol not available<br>Sep 3 03:56:15 daemon
info xl2tpd[6358]: This binary does not support kernel L2TP.<br>Sep 3
03:56:15 daemon info xl2tpd[6359]: xl2tpd version xl2tpd-1.3.1 started on
home.gateway PID:6359<br>Sep 3 03:56:15 daemon info xl2tpd[6359]: Written
by Mark Spencer, Copyright (C) 1998, Adtran, Inc.<br>Sep 3 03:56:15 daemon
info xl2tpd[6359]: Forked by Scott Balmos and David Stipp, (C) 2001<br>Sep
3 03:56:15 daemon info xl2tpd[6359]: Inherited by Jeff McAdams, (C)
2002<br>Sep 3 03:56:15 daemon info xl2tpd[6359]: Forked again by Xelerance
(<a href="http://www.xelerance.com">www.xelerance.com</a>) (C) 2006<br>Sep
3 03:56:15 daemon info xl2tpd[6359]: Listening on IP address 0.0.0.0, port
1701<br>Sep 3 03:56:26 authpriv warn pluto[5955]: packet from
172.17.21.74:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]<br>Sep 3 03:56:26 authpriv warn pluto[5955]: packet from
172.17.21.74:500: ignoring Vendor ID payload [FRAGMENTATION]<br>Sep 3
03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating
is off<br>Sep 3 03:56:26 authpriv warn pluto[5955]: packet from
172.17.21.74:500: ignoring Vendor ID payload [Vid-Initial-Contact]<br>Sep
3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: responding to
Main Mode from unknown peer 172.17.21.74<br>Sep 3 03:56:26 authpriv warn
pluto[5955]: "test"[1] 172.17.21.74 #1: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1<br>Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1]
172.17.21.74 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Sep 3 03:56:26
authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2<br>Sep 3 03:56:26 authpriv warn
pluto[5955]: "test"[1] 172.17.21.74 #1: STATE_MAIN_R2: sent MR2, expecting
MI3<br>Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74
#1: Main mode peer ID is ID_IPV4_ADDR: '192.168.71.1'<br>Sep 3 03:56:26
authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: switched from "test" to
"test"<br>Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74
#1: deleting connection "test" instance with peer 172.17.21.74
{isakmp=#0/ipsec=#0}<br>Sep 3 03:56:26 authpriv warn pluto[5955]:
"test"[2] 172.17.21.74 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3<br>Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2]
172.17.21.74 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}<br>Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2]
172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 ->
192.168.71.1/32:17/0<br>Sep 3 03:56:26 authpriv warn pluto[5955]:
"test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no
connection is known for
172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32<br>Sep
3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending
encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500<br>Sep 3
03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer
proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0<br>Sep 3
03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to
IPsec SA request because no connection is known for
172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32<br>Sep
3 03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending
encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500<br>Sep 3
03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer
proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0<br>Sep 3
03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to
IPsec SA request because no connection is known for
172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32<br>Sep
3 03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending
encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500<br>Sep 3
03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer
proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0<br>Sep 3
03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to
IPsec SA request because no connection is known for
172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32<br>Sep
3 03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending
encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500</font></div>
<div> </div>
<div><font color="#0000ff" size="2" face="Verdana">####################>>ipsec.conf<br>config
setup<br>
nat_traversal=no<br>
oe=off<br>
protostack=netkey<br>
interfaces=%defaultroute</font></div>
<div> </div>
<div><font color="#0000ff" size="2" face="Verdana">conn
test<br>
left=172.17.21.75<br>
leftprotoport=17/1701<br>
connaddrfamily=ipv4<br>
right=%any<br>
rightprotoport=17/%any<br>
pfs=no<br>
salifetime=60m<br>
ikelifetime=480m<br>
type=transport<br>
phase2=esp<br>
keyexchange=ike<br>
authby=secret<br>
auto=add</font></div>
<div> </div>
<div><font color="#0000ff" size="2" face="Verdana">####################>>ipsec.secrets<br>172.17.21.75 %any :
PSK
"123"<br>
<br>####################>>xl2tpd.conf<br>[global]<br>auth
file=/var/xl2tpd/l2tp-secrets<br>ipsec saref = yes<br>port = 1701</font></div>
<div> </div>
<div><font color="#0000ff" size="2" face="Verdana">[lns default]<br>ip range =
192.168.1.10-192.168.1.13<br>local ip = 192.168.1.254<br>require authentication
= yes<br>name = L2TPServer<br>pppoptfile = /var/xl2tpd/options.xl2tpd<br>length
bit = yes<br>challenge =
no<br>#
</font></div>
</div></blockquote></body></html>
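The reply's three changes applied to Ozai's posted config, as an added example (not from either poster): rightsubnet=vhost:%priv,%no so pluto accepts the client's private address (192.168.71.1/32 in the log) as the remote endpoint, a virtual-private list covering the RFC 1918 ranges while excluding the server's own LAN (192.168.1.0/24, br0 in the log), and listen-addr pinned to the server's real WAN address. It goes one step beyond the reply: nat_traversal=yes is an assumption added because the log shows NAT-T disabled while the XP client behind the GW offered the NAT-T vendor ID.

```conf
# /etc/ipsec.conf (Openswan 2.6.x) -- added example; values taken from the thread
config setup
    nat_traversal=yes          # assumption: client sits behind a NAT GW, log showed "port floating is off"
    # private ranges a roaming client may claim as its inner address;
    # the server's own LAN must be excluded with the '!' entry
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn test
    left=172.17.21.75
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no   # accept a private-address client behind NAT, or no subnet at all
    type=transport
    pfs=no
    salifetime=60m
    ikelifetime=480m
    keyexchange=ike
    authby=secret
    auto=add

# /etc/xl2tpd/xl2tpd.conf -- [global] section from the thread with the real IP pinned
[global]
listen-addr = 172.17.21.75     # real WAN address instead of the default 0.0.0.0
auth file = /var/xl2tpd/l2tp-secrets
ipsec saref = yes
port = 1701
```

After `ipsec restart`, the log line to look for is "STATE_QUICK_R2: IPsec SA established" instead of the repeated INVALID_ID_INFORMATION notifications.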