[Openswan Users] Windows2k/XP L2TP/IPSec client
Trevor Benson
tbenson at a-1networks.com
Fri Mar 5 22:11:04 CET 2004
First off, if there is a simpler way to assign a DHCP LAN address to a
Windows XP RoadWarrior AND/OR allow domain authentication for Windows
clients PLEASE let me know ;). I could easily be barking up the wrong
tree for my solutions....
I have read Nate Carlson's Win2k/XP with freeswan, Jacco de Leeuw's
FreeSWAN with Windows2k/XP L2TP/IPSec, and Martin Koeppe's passing L2TP
through to your gateway to the Windows Server. I realized my test
environment to the firewall (dynamic addressing) wouldn't work with Pre
Shared Keys. So then I had certificates working with the ipsec.exe
(stripping L2TP out). Of course then one client needs to be able to
sign onto the domain easily, so I attempted taking the certificates and
using the native client from Windows XP passing L2TP to the Windows
server. Followed the instructions, and changed the clients, using the
same certificates.
I then ended up getting a strange error for the tunnel. I have tried
tracking down the error but list archives suggest that my ipsec.conf has
a rightsubnet=0.0.0.0/0 and to remove it. I do not have this setting.
IPSec fails to connect now, and doesn't even get the chance to pass off
to the Windows L2TP server and Oakley Log. I have removed the
certificates, and recreated the p12 file, and reattempted connecting.
Same error. I assume I am missing something, but am at a loss.
The Windows Client fails with Error 792: The L2TP connection attempt
failed because security negotiation timed out.
64.142.54.112 = ipsec.a-1networks.com & The Root CA that created the
certificates
209.148.105.71 = Roadwarrior02 Windows XP client.
Below is the copy of the log during connection:
15:20:18 pluto[21647] packet from 209.148.105.71:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
15:20:18 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: responding to Main Mode from unknown peer 209.148.105.71
15:20:18 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: transition from state (null) to state STATE_MAIN_R1
15:20:18 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
15:20:19 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=A1Networks, CN=TrevorBenson'
15:20:19 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
15:20:19 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: sent MR3, ISAKMP SA established
15:20:20 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: cannot respond to IPsec SA request because no connection is known for 64.142.54.112[C=US, O=A1Networks, CN=ipsec.a-1networks.com]:17/0...209.148.105.71[C=US, O=A1Networks, CN=TrevorBenson]:17/1701
15:20:20 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: sending encrypted notification INVALID_ID_INFORMATION to 209.148.105.71:500
15:20:21 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe74ac634 (perhaps this is a duplicated packet)
Here are the ipsec.conf entries:
conn Roadwarrior02
    left=64.142.54.112
    leftnexthop=%defaultroute
    leftsubnet=192.168.169.0/255.255.255.0
    leftcert=/var/ipcop/certs/hostcert.pem
    right=0.0.0.0
    rightcert=/var/ipcop/certs/Roadwarrior02cert.pem
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=rsasig
    auto=add
Any suggestions are greatly appreciated.
Trevor Benson
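The "cannot respond to IPsec SA request because no connection is known for ..." line is the part of the log worth reading closely: pluto prints the selector the peer proposed in Quick Mode (gateway side 17/0, client side 17/1701, i.e. UDP with L2TP's port 1701) and then reports that no conn matches it. The following is an added triage script, not code from the post or from Openswan; it parses that log line and the posted conn, then lists the reasons the proposal cannot select the conn. The matching rules it applies (protocol must be equal on each side, port 0 means any port, a declared leftsubnet must contain the proposed gateway-side address, and a conn with no protoport counts as 0/0) are a labelled simplification of pluto's lookup, and the sample log and conf are constructed from the text of the post.

```python
import ipaddress
import re

# Constructed sample: the pluto lines quoted in the post, re-joined onto single
# lines (the mailing-list archive wrapped them).
SAMPLE_LOG = """\
15:20:19 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: sent MR3, ISAKMP SA established
15:20:20 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: cannot respond to IPsec SA request because no connection is known for 64.142.54.112[C=US, O=A1Networks, CN=ipsec.a-1networks.com]:17/0...209.148.105.71[C=US, O=A1Networks, CN=TrevorBenson]:17/1701
15:20:20 pluto[21647] "Roadwarrior01"[4] 209.148.105.71 #4: sending encrypted notification INVALID_ID_INFORMATION to 209.148.105.71:500
"""

# Constructed: the conn from the post as an ipsec.conf fragment.
SAMPLE_CONF = """\
conn Roadwarrior02
    left=64.142.54.112
    leftnexthop=%defaultroute
    leftsubnet=192.168.169.0/255.255.255.0
    leftcert=/var/ipcop/certs/hostcert.pem
    right=0.0.0.0
    rightcert=/var/ipcop/certs/Roadwarrior02cert.pem
    pfs=no
    authby=rsasig
    auto=add
"""

# One endpoint as pluto prints it: addr[ID]:proto/port
END_RE = re.compile(r"(?P<addr>\d+\.\d+\.\d+\.\d+)\[(?P<id>[^\]]*)\]:(?P<proto>\d+)/(?P<port>\d+)")
NOCONN_RE = re.compile(r"no connection is known for (?P<left>.+?)\.\.\.(?P<right>.+)$")


def _endpoint(m):
    return {"addr": m.group("addr"), "id": m.group("id"),
            "proto": int(m.group("proto")), "port": int(m.group("port"))}


def parse_requested_selectors(log_text):
    """Return [(left, right), ...] for every 'no connection is known for' line.

    left is the gateway side of the proposal, right the roadwarrior side."""
    found = []
    for line in log_text.splitlines():
        m = NOCONN_RE.search(line)
        if not m:
            continue
        l, r = END_RE.match(m.group("left")), END_RE.match(m.group("right"))
        if l and r:
            found.append((_endpoint(l), _endpoint(r)))
    return found


def parse_conn(conf_text, name):
    """Collect the key=value parameters of one conn section."""
    params, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def conn_protoport(params, side):
    """(proto, port) declared by <side>protoport; absent means 0/0, i.e. any."""
    value = params.get(side + "protoport")
    if value is None:
        return (0, 0)
    proto, _, port = value.partition("/")
    return (int(proto), 0 if port in ("", "%any") else int(port))


def explain_mismatch(params, left, right):
    """List the reasons a proposed selector cannot select this conn.

    Simplified (assumed) version of the lookup pluto performs for a Quick Mode
    proposal: the protocol must be equal on each side, port 0 stands for any
    port, and the proposed gateway-side address must fall inside leftsubnet
    when one is declared. A conn with leftsubnet and no protoport describes a
    proto-0 subnet tunnel, so a UDP-scoped host-to-host proposal (L2TP) never
    selects it.
    """
    findings = []
    for side, end in (("left", left), ("right", right)):
        cproto, cport = conn_protoport(params, side)
        if cproto != end["proto"]:
            findings.append("%s: conn protocol %d, peer proposed %d/%d"
                            % (side, cproto, end["proto"], end["port"]))
        elif cport and end["port"] and cport != end["port"]:
            findings.append("%s: conn port %d, peer proposed port %d"
                            % (side, cport, end["port"]))
    subnet = params.get("leftsubnet")
    if subnet:
        net = ipaddress.ip_network(subnet, strict=False)
        if ipaddress.ip_address(left["addr"]) not in net:
            findings.append("left: proposed host %s is outside leftsubnet %s"
                            % (left["addr"], subnet))
    return findings


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "Roadwarrior02")
    for left, right in parse_requested_selectors(SAMPLE_LOG):
        print("peer proposed %s:%d/%d <-> %s:%d/%d" % (
            left["addr"], left["proto"], left["port"],
            right["addr"], right["proto"], right["port"]))
        for finding in explain_mismatch(conn, left, right):
            print("  -", finding)
```

Run against the posted log and conn it reports three reasons: both sides of the proposal are UDP (17) while the conn declares no protocol, and the proposed gateway address 64.142.54.112 is not inside leftsubnet 192.168.169.0/24. Reading the selector out of this log line and comparing it with the conn's protoport and subnet parameters is the first thing to do whenever pluto answers a Windows client with INVALID_ID_INFORMATION.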