[Openswan Users] Openswan/L2TP Windows Roadwarrier setup
Eric Anderson
eric at afaik.us
Sat Jul 31 19:34:14 CEST 2004
Hi, I am trying to set up a VPN on a Linux box for a corporate network. I
need for Windows users to be able to connect to the Linux VPN so they
can access the internal network. I have mostly followed the instructions
from the following site but I seem to be running into a problem. I am
pretty sketchy on the settings so I am guessing that is where I have
things wrong, but the docs and man pages seem so cryptic to me I can't
quite understand what I need to change.
Here is the doc I am following:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
I am still in the phase of trying to get the IPSec part correct. I have
changed the IP addresses a bit on the config file to attempt to protect
the corp. Here is a quick definition of what each IP address is:
65.83.X.Y - External IP address of VPN server (i.e. how it gets to the
Internet)
65.83.M.N - IP address of the gateway that the ISP provides for the VPN
box to get to the Internet.
65.83.A.B - Broadcast address of network external to VPN server
192.9.200.X - Network addresses for internal network.
192.9.200.245 - Internal network address for VPN box
65.6.P.Q - IP Address of remote client trying to connect
eth1:2 - Ethernet device that 65.83.X.Y is on
I downloaded the RPMS from atrpms that the document suggested.
Everything seemed to install fine. My ipsec.conf file is:
************ start /etc/ipsec.conf ***************
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # klipsdebug=all
    # plutodebug=dns
    interfaces="ipsec0=eth1:2"
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/L2TP*.conf
************ end /etc/ipsec.conf **********
The no_oe.conf file it includes is as follows:
************ start /etc/ipsec.d/examples/no_oe.conf ************
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
*********** end /etc/ipsec.d/examples/no_oe.conf *************
And the L2TP*.conf files are a bunch of example files that the l2tpd rpm
included. I enabled two of them and they are as follows.
************ start /etc/ipsec.d/L2TP-PSK.conf *************
conn L2TP-PSK
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    #
    authby=secret
    pfs=no
    #
    left=65.83.X.Y
    leftnexthop=65.83.M.N
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightprotoport=17/1701
    #
    # Change 'ignore' to 'add' to enable the configuration for this user.
    #
    auto=add
    keyingtries=3
************** end /etc/ipsec.d/L2TP-PSK.conf **********
************start /etc/ipsec.d/L2TP-PSK-orgWIN2KXP ******
conn L2TP-PSK-orgWIN2KXP
    #
    # Configuration for one user with the non-updated Windows 2000/XP.
    #
    #
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    #
    authby=secret
    pfs=no
    #
    left=65.83.132.196
    leftnexthop=65.83.132.193
    #
    # Required for original (non-updated) Windows 2000/XP clients.
    leftprotoport=17/0
    #
    # The remote user.
    #
    right=%any
    rightprotoport=17/1701
    #
    # Change 'ignore' to 'add' to enable the configuration for this user.
    #
    auto=add
    keyingtries=3
************ end /etc/ipsec.d/L2TP-PSK-origWIN2KXP.conf *********
Finally, here is my secrets file, which is simply as follows:
************ start /etc/ipsec.secrets ***********
65.83.X.Y: PSK "what"
************ end /etc/ipsec.secrets ***********
Also, even though I don't think I am even getting past IPsec, I will go
ahead and post my l2tpd and PPP settings just to make sure all info is
given. Below are my l2tpd.conf settings:
*********** start /etc/l2tpd/lt2pd.conf ******************
[global]
; listen-addr = 192.9.200.245
[lns default]
ip range = 192.9.200.230-192.168.1.240
local ip = 192.9.200.245
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
*********** end /etc/l2tpd/lt2pd.conf *************
*********** start /etc/ppp/options.l2tpd ***********
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.9.200.250
ms-wins 192.9.200.251
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
*********** end /etc/ppp/options.l2tpd *************
************* start /etc/ppp/chap-secrets **********
matt * "pass" 192.9.200.240
* matt "pass" 192.9.200.240
************* end /etc/ppp/chap-secrets ************
Now from a remote location I have a Windows XP box with
matt:pass as the username/password. I have "what" as the PSK.
I start ipsec and I get the following output:
ipsec_setup: Starting Openswan IPsec cvs2002Mar11_19:19:03...
ipsec_setup: Using
/lib/modules/2.4.22-1.2197.nptl_51.rhfc1.at/updates/net/ipsec/ipsec.o
and I get the following in my /var/log/messages:
Jul 31 18:05:00 nogo ipsec_setup: Starting Openswan IPsec
cvs2002Mar11_19:19:03...
Jul 31 18:05:01 nogo ipsec_setup: Using
/lib/modules/2.4.22-1.2197.nptl_51.rhfc1.at/updates/net/ipsec/ipsec.o
Jul 31 18:05:01 nogo kernel: klips_info:ipsec_init: KLIPS startup,
Openswan IPsec version: openswan-2.1.4-15.rhfc1.at
Jul 31 18:05:01 nogo ipsec_setup: KLIPS debug `none'
Jul 31 18:05:01 nogo kernel:
Jul 31 18:05:01 nogo ipsec_setup: KLIPS ipsec0 on eth1:2
65.83.X.Y/255.255.255.224 broadcast 65.83.A.B
Jul 31 18:05:01 nogo ipsec_setup: ...Openswan IPsec started
and I get the following in /var/log/secure:
Jul 31 18:05:01 nogo pluto[7168]: Starting Pluto (Openswan Version
cvs2002Mar11_19:19:03 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Jul 31 18:05:01 nogo pluto[7168]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Jul 31 18:05:01 nogo pluto[7168]: Using KLIPS IPsec interface code
Jul 31 18:05:01 nogo pluto[7168]: added connection description "L2TP-PSK"
Jul 31 18:05:01 nogo pluto[7168]: added connection description
"L2TP-PSK-orgWIN2KXP"
Jul 31 18:05:01 nogo pluto[7168]: listening for IKE messages
Jul 31 18:05:01 nogo pluto[7168]: adding interface ipsec0/eth1:2 65.83.X.Y
Jul 31 18:05:01 nogo pluto[7168]: loading secrets from "/etc/ipsec.secrets"
then I start up l2tpd with the following messages in /var/log/messages:
Jul 31 18:13:51 nogo l2tpd[7285]: This binary does not support kernel L2TP.
Jul 31 18:13:51 nogo l2tpd[7286]: l2tpd version 0.69 started on
mymachine.mydomain.com PID:7286
Jul 31 18:13:51 nogo l2tpd[7286]: Written by Mark Spencer, Copyright (C)
1998, Adtran, Inc.
Jul 31 18:13:51 nogo l2tpd[7286]: Forked by Scott Balmos and David
Stipp, (C) 2001
Jul 31 18:13:51 nogo l2tpd[7286]: Inhereted by Jeff McAdams, (C) 2002
Jul 31 18:13:51 nogo l2tpd[7286]: Linux version
2.4.22-1.2197.nptl_51.rhfc1.at on a i686, listening on IP address
0.0.0.0, port 1701
Jul 31 18:13:51 nogo l2tpd: This binary does not support kernel L2TP.
Jul 31 18:13:51 nogo l2tpd: l2tpd startup succeeded
Now when we try to connect to the VPN server from the remote desktop
machine I get the following error message and this is where I am stuck:
Jul 29 17:18:48 nogo pluto[15983]: "L2TP-PSK-orgWIN2KXP"[2] 65.6.P.Q #2:
cannot respond to IPsec SA request because no connection is known for
65.83.X.Y[S=C]:17/0...65.6.P.Q[192.168.0.111,S=C]:17/1701===192.168.0.111/32
Note that in the above error message the actual IP address of the client
machine seems to be known. The remote client is sitting behind NAT, so
its actual address is 192.168.0.111, but the address of the Internet
connection for the remote client is 65.6.P.Q.
I have tried searching all over Google and various other sources but
cannot really pin down what the problem is. I am guessing it is a config
problem, but I don't know what to change to get things working. Any
pointers or help would be greatly appreciated.
Eric
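The "cannot respond to IPsec SA request because no connection is known for ..." line quoted above carries, in compact form, the selectors pluto could not match against any loaded conn. The following Python script is an added example, not part of Eric's post and not Openswan code: it parses that line and the NAT-Traversal banner from the startup log, then compares the proposed selectors with the leftprotoport, rightprotoport and rightsubnet of the conn pluto named. The conn values are taken from the posted L2TP-PSK-orgWIN2KXP file, the log lines are the ones quoted in the post with the masked placeholders (65.83.X.Y, 65.6.P.Q) kept as they are, and the Proposal/Conn classes and the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two pluto lines quoted in the post, with the
# poster's masked placeholders (65.83.X.Y, 65.6.P.Q) kept as they are.
SAMPLE_LOG = [
    'Jul 31 18:05:01 nogo pluto[7168]: including NAT-Traversal patch '
    '(Version 0.6c) [disabled]',
    'Jul 29 17:18:48 nogo pluto[15983]: "L2TP-PSK-orgWIN2KXP"[2] 65.6.P.Q #2: '
    'cannot respond to IPsec SA request because no connection is known for '
    '65.83.X.Y[S=C]:17/0...65.6.P.Q[192.168.0.111,S=C]:17/1701'
    '===192.168.0.111/32',
]

# Layout of the selector pluto prints: [lsubnet===]lhost[id]:proto/port
# ...rhost[id]:proto/port[===rsubnet]. A subnet part is only present when
# the proposed client differs from the endpoint address itself.
SELECTOR_RE = re.compile(
    r'no connection is known for '
    r'(?:(?P<lsub>[\d.]+/\d+)===)?'
    r'(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lport>\d+)'
    r'\.\.\.'
    r'(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rport>\d+)'
    r'(?:===(?P<rsub>[\d.]+/\d+))?'
)
NAT_T_RE = re.compile(r'including NAT-Traversal patch .*\[(?P<state>\w+)\]')


@dataclass
class Proposal:
    left_host: str
    left_protoport: str
    left_subnet: Optional[str]
    right_host: str
    right_info: str            # text inside the [...] after the peer address
    right_protoport: str
    right_subnet: Optional[str]


@dataclass
class Conn:
    """The parts of an ipsec.conf conn that matter for this comparison."""
    name: str
    leftprotoport: str
    rightprotoport: str
    rightsubnet: Optional[str] = None   # unset: the peer must be its own client


def parse_proposal(line: str) -> Optional[Proposal]:
    """Extract the selectors from a 'no connection is known for' line."""
    m = SELECTOR_RE.search(line)
    if m is None:
        return None
    return Proposal(
        left_host=m['lhost'],
        left_protoport=f"{m['lproto']}/{m['lport']}",
        left_subnet=m['lsub'],
        right_host=m['rhost'],
        right_info=m['rid'],
        right_protoport=f"{m['rproto']}/{m['rport']}",
        right_subnet=m['rsub'],
    )


def nat_traversal_state(lines: List[str]) -> Optional[bool]:
    """True/False from pluto's startup banner, None if the banner is absent."""
    for line in lines:
        m = NAT_T_RE.search(line)
        if m:
            return m['state'] == 'enabled'
    return None


def diagnose(p: Proposal, conn: Conn, nat_t: Optional[bool]) -> List[str]:
    """Explain why the proposal does not fit the conn, one finding per entry."""
    findings = []
    if p.left_protoport != conn.leftprotoport:
        findings.append(f"left protoport {p.left_protoport} does not match "
                        f"leftprotoport={conn.leftprotoport}")
    if p.right_protoport != conn.rightprotoport:
        findings.append(f"right protoport {p.right_protoport} does not match "
                        f"rightprotoport={conn.rightprotoport}")
    if p.right_subnet is not None and p.right_subnet != f"{p.right_host}/32":
        net = ipaddress.ip_network(p.right_subnet)
        why = ("the client sits behind NAT" if net.is_private
               else "a host behind the peer")
        findings.append(f"peer {p.right_host} proposes client {p.right_subnet} "
                        f"rather than itself: {why}")
        if conn.rightsubnet is None:
            findings.append(f"conn {conn.name} has no rightsubnet, so it only "
                            f"matches a peer whose client is its own address "
                            f"(rightsubnet=vhost:%priv is the Openswan setting "
                            f"for NATed roadwarriors)")
    if nat_t is False:
        findings.append("pluto reports NAT-Traversal [disabled]; without it "
                        "a NATed peer cannot be handled")
    return findings


# The conn pluto named in the error, with the values from the posted file.
POSTED_CONN = Conn(name="L2TP-PSK-orgWIN2KXP",
                   leftprotoport="17/0", rightprotoport="17/1701")


def diagnose_log(lines: List[str], conn: Conn = POSTED_CONN) -> List[str]:
    """Run the whole check over a pluto log excerpt."""
    nat_t = nat_traversal_state(lines)
    out = []
    for line in lines:
        p = parse_proposal(line)
        if p is not None:
            out.extend(diagnose(p, conn, nat_t))
    return out


if __name__ == "__main__":
    for finding in diagnose_log(SAMPLE_LOG):
        print("-", finding)
```

Run stand-alone against the posted lines it reports three findings: the peer proposes a private client address (192.168.0.111/32) that is not its own address, the named conn has no rightsubnet that could admit such a client, and this pluto build announces NAT-Traversal as disabled. The protoports themselves (17/0 on the left, 17/1701 on the right) do match, which is why pluto picked that conn for the log prefix and still refused the SA.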