[Openswan Users] Openswan/L2TP Windows Roadwarrior setup

Eric Anderson eric at afaik.us
Sat Jul 31 19:34:14 CEST 2004


Hi, I am trying to set up a VPN on a Linux box for a corporate network. I 
need Windows users to be able to connect to the Linux VPN so they 
can access the internal network. I have mostly followed the instructions 
from the following site but I seem to be running into a problem. I am 
pretty sketchy on the settings so I am guessing that is where I have 
things wrong, but the docs and man pages seem so cryptic to me that I can't 
quite understand what I need to change.

Here is the doc I am following:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

I am still in the phase of trying to get the IPSec part correct. I have 
changed the IP addresses a bit on the config file to attempt to protect 
the corp. Here is a quick definition of what each IP address is:

65.83.X.Y - External IP address of VPN server (i.e. how it gets to the 
Internet)

65.83.M.N - IP address of the gateway that the ISP provides for the VPN 
box to get to the Internet.

65.83.A.B - Broadcast address of network external to VPN server

192.9.200.X - Network addresses for internal network.

192.9.200.245 - Internal network address for VPN box

65.6.P.Q - IP Address of remote client trying to connect

eth1:2 - Ethernet device that 65.83.X.Y is on

I downloaded the RPMs from atrpms that the document suggested. 
Everything seemed to install fine. My ipsec.conf file is:

************ start /etc/ipsec.conf ***************

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # klipsdebug=all
         # plutodebug=dns
         interfaces="ipsec0=eth1:2"

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/L2TP*.conf

************ end /etc/ipsec.conf **********

The no_oe.conf file it includes is as follows:

************ start /etc/ipsec.d/examples/no_oe.conf ************

conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

*********** end /etc/ipsec.d/examples/no_oe.conf *************

And the L2TP*.conf files are a bunch of example files that the l2tpd rpm 
included. I enabled two of them, and they are as follows.

************ start /etc/ipsec.d/L2TP-PSK.conf *************

conn L2TP-PSK
         #
         # Configuration for one user with any type of IPsec/L2TP client
         # including the updated Windows 2000/XP (MS KB Q818043), but
         # excluding the non-updated Windows 2000/XP.
         #
         #
         # Use a Preshared Key. Disable Perfect Forward Secrecy.
         #
         authby=secret
         pfs=no
         #
         left=65.83.X.Y
         leftnexthop=65.83.M.N
         leftprotoport=17/1701
         #
         # The remote user.
         #
         right=%any
         rightprotoport=17/1701
         #
         # Change 'ignore' to 'add' to enable the configuration for this user.
         #
         auto=add
         keyingtries=3

************** end /etc/ipsec.d/L2TP-PSK.conf **********

************ start /etc/ipsec.d/L2TP-PSK-orgWIN2KXP.conf ******

conn L2TP-PSK-orgWIN2KXP
         #
         # Configuration for one user with the non-updated Windows 2000/XP.
         #
         #
         # Use a Preshared Key. Disable Perfect Forward Secrecy.
         #
         authby=secret
         pfs=no
         #
         left=65.83.132.196
         leftnexthop=65.83.132.193
         #
         # Required for original (non-updated) Windows 2000/XP clients.
         leftprotoport=17/0
         #
         # The remote user.
         #
         right=%any
         rightprotoport=17/1701
         #
         # Change 'ignore' to 'add' to enable the configuration for this user.
         #
         auto=add
         keyingtries=3

************ end /etc/ipsec.d/L2TP-PSK-orgWIN2KXP.conf *********

Finally, here is my secrets file, which is simply as follows:

************ start /etc/ipsec.secrets ***********
65.83.X.Y: PSK "what"
************ end /etc/ipsec.secrets ***********

Also, even though I don't think I am even getting past IPsec, I will go 
ahead and post my l2tpd and PPP settings just to make sure all info is 
given. Below are my l2tpd.conf settings:


*********** start /etc/l2tpd/l2tpd.conf ******************

[global]
; listen-addr = 192.9.200.245

[lns default]
ip range = 192.9.200.230-192.168.1.240
local ip = 192.9.200.245
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
*********** end /etc/l2tpd/l2tpd.conf *************

*********** start /etc/ppp/options.l2tpd ***********
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.9.200.250
ms-wins 192.9.200.251
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
*********** end /etc/ppp/options.l2tpd *************

************* start /etc/ppp/chap-secrets **********
matt            *       "pass"                  192.9.200.240
*               matt    "pass"                  192.9.200.240
************* end /etc/ppp/chap-secrets ************

Now, from a remote location, I have a Windows XP box with matt:pass as the 
username/password. I have "what" as the PSK.

I start ipsec and I get the following output:
ipsec_setup: Starting Openswan IPsec cvs2002Mar11_19:19:03...
ipsec_setup: Using 
/lib/modules/2.4.22-1.2197.nptl_51.rhfc1.at/updates/net/ipsec/ipsec.o


and I get the following in my /var/log/messages:
Jul 31 18:05:00 nogo ipsec_setup: Starting Openswan IPsec 
cvs2002Mar11_19:19:03...
Jul 31 18:05:01 nogo ipsec_setup: Using 
/lib/modules/2.4.22-1.2197.nptl_51.rhfc1.at/updates/net/ipsec/ipsec.o
Jul 31 18:05:01 nogo kernel: klips_info:ipsec_init: KLIPS startup, 
Openswan IPsec version: openswan-2.1.4-15.rhfc1.at
Jul 31 18:05:01 nogo ipsec_setup: KLIPS debug `none'
Jul 31 18:05:01 nogo kernel:
Jul 31 18:05:01 nogo ipsec_setup: KLIPS ipsec0 on eth1:2 
65.83.X.Y/255.255.255.224 broadcast 65.83.A.B
Jul 31 18:05:01 nogo ipsec_setup: ...Openswan IPsec started

and I get the following in /var/log/secure
Jul 31 18:05:01 nogo pluto[7168]: Starting Pluto (Openswan Version 
cvs2002Mar11_19:19:03 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Jul 31 18:05:01 nogo pluto[7168]:   including NAT-Traversal patch 
(Version 0.6c) [disabled]
Jul 31 18:05:01 nogo pluto[7168]: Using KLIPS IPsec interface code
Jul 31 18:05:01 nogo pluto[7168]: added connection description "L2TP-PSK"
Jul 31 18:05:01 nogo pluto[7168]: added connection description 
"L2TP-PSK-orgWIN2KXP"
Jul 31 18:05:01 nogo pluto[7168]: listening for IKE messages
Jul 31 18:05:01 nogo pluto[7168]: adding interface ipsec0/eth1:2 65.83.X.Y
Jul 31 18:05:01 nogo pluto[7168]: loading secrets from "/etc/ipsec.secrets"

then I start up l2tpd with the following messages in /var/log/messages
Jul 31 18:13:51 nogo l2tpd[7285]: This binary does not support kernel L2TP.
Jul 31 18:13:51 nogo l2tpd[7286]: l2tpd version 0.69 started on 
mymachine.mydomain.com PID:7286
Jul 31 18:13:51 nogo l2tpd[7286]: Written by Mark Spencer, Copyright (C) 
1998, Adtran, Inc.
Jul 31 18:13:51 nogo l2tpd[7286]: Forked by Scott Balmos and David 
Stipp, (C) 2001
Jul 31 18:13:51 nogo l2tpd[7286]: Inhereted by Jeff McAdams, (C) 2002
Jul 31 18:13:51 nogo l2tpd[7286]: Linux version 
2.4.22-1.2197.nptl_51.rhfc1.at on a i686, listening on IP address 
0.0.0.0, port 1701
Jul 31 18:13:51 nogo l2tpd: This binary does not support kernel L2TP.
Jul 31 18:13:51 nogo l2tpd: l2tpd startup succeeded

Now when we try to connect to the VPN server from the remote desktop 
machine I get the following error message, and this is where I am stuck:

Jul 29 17:18:48 nogo pluto[15983]: "L2TP-PSK-orgWIN2KXP"[2] 65.6.P.Q #2: 
cannot respond to IPsec SA request because no connection is known for 
65.83.X.Y[S=C]:17/0...65.6.P.Q[192.168.0.111,S=C]:17/1701===192.168.0.111/32

Note that in the above error message the actual IP address of the client 
machine seems to be known. The remote client is sitting behind NAT, so 
its actual address is 192.168.0.111, but the address of the Internet 
connection for the remote client is 65.6.P.Q.

I have tried searching all over Google and various other sources but 
cannot really pin down what the problem is. I am guessing it is a config 
problem but I don't know what to change to get things working. Any 
pointers or help would be greatly appreciated.

Eric
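As an added diagnostic example, not code from the post or from Openswan: this Python script parses the pluto "no connection is known for" line quoted above, compares the selectors the client proposed with the two enabled conns, and checks the startup banner for the NAT-Traversal status. The addresses 198.51.100.1 and 203.0.113.9 are constructed stand-ins for 65.83.X.Y and 65.6.P.Q, and the conn dictionary is hand-extracted rather than parsed from ipsec.conf.

```python
import re
from ipaddress import ip_network

# Constructed samples modelled on the log lines in the post: 198.51.100.1 stands in
# for the gateway 65.83.X.Y and 203.0.113.9 for the NAT'd client's public 65.6.P.Q.
STARTUP_LINE = ('Jul 31 18:05:01 nogo pluto[7168]:   including NAT-Traversal patch '
                '(Version 0.6c) [disabled]')
SA_LINE = ('Jul 29 17:18:48 nogo pluto[15983]: "L2TP-PSK-orgWIN2KXP"[2] 203.0.113.9 #2: '
           'cannot respond to IPsec SA request because no connection is known for '
           '198.51.100.1[S=C]:17/0...203.0.113.9[192.168.0.111,S=C]:17/1701===192.168.0.111/32')

# The two enabled conns from the post, reduced to their protoport selectors (hand-extracted).
CONNS = {
    'L2TP-PSK': {'leftprotoport': '17/1701', 'rightprotoport': '17/1701'},
    'L2TP-PSK-orgWIN2KXP': {'leftprotoport': '17/0', 'rightprotoport': '17/1701'},
}

SA_RE = re.compile(
    r'no connection is known for (?P<left>[\d.]+)(?:\[[^\]]*\])?:(?P<lpp>\d+/\d+)'
    r'\.\.\.(?P<peer>[\d.]+)(?:\[[^\]]*\])?:(?P<rpp>\d+/\d+)(?:===(?P<rsubnet>[\d./]+))?')

def parse_sa_request(line):
    """Extract the selectors the client proposed from pluto's 'no connection is known' line."""
    m = SA_RE.search(line)
    if not m:
        raise ValueError('not a "no connection is known" message')
    req = m.groupdict()
    # Without a trailing '===subnet', the right-hand client is the peer host itself.
    req['rsubnet'] = req['rsubnet'] or req['peer'] + '/32'
    return req

def nat_traversal_enabled(startup_line):
    """False when pluto's startup banner reports the NAT-Traversal patch as [disabled]."""
    return 'NAT-Traversal' in startup_line and '[disabled]' not in startup_line

def diagnose(sa_line, conns):
    """Per conn, list the selector mismatches that explain why pluto found no connection."""
    req = parse_sa_request(sa_line)
    findings = {}
    for name, c in conns.items():
        why = []
        # Compared literally: the conn has to state the protoports the client proposes.
        for side, key in (('left', 'lpp'), ('right', 'rpp')):
            if c[side + 'protoport'] != req[key]:
                why.append(f"{side}protoport {c[side + 'protoport']} != proposed {req[key]}")
        # A conn with no rightsubnet only matches a client whose inner address is the peer's.
        if ip_network(req['rsubnet']) != ip_network(req['peer'] + '/32'):
            why.append(f"client behind NAT: proposes {req['rsubnet']}, not peer {req['peer']}")
        findings[name] = why
    return findings
```

On the quoted line it reports the orgWIN2KXP conn as matching on ports but failing on the right-hand client, because the peer proposed its private address 192.168.0.111/32 while the startup banner shows NAT-Traversal disabled.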


