[Openswan Users] no connection is known for...

Juha Pietikäinen juha.pietikainen at connet.net
Sun May 23 12:01:48 CEST 2004


Hi,

I would suggest that you set up the Openswan server's L2TP part and try with it.
Plain IPsec should work if you get IPsec SA established in your secure log.

I'm not familiar with ICMP 348. UDP 348 seems to be Cabletron Management
Protocol and I've never heard about it. Maybe you have some kind of special
application running on Windows XP client that tries to send these packets
via IPsec tunnel to the Openswan server.

I haven't tried connection without L2TPD installed on the Openswan server.

If you are still having troubles, it would be a good idea to test your
L2TP/IPsec connection first from the same LAN as your Openswan server if
this is possible. This will help you to ensure that you have a working server
configuration. Things become more complicated with the Internet.


Regards

Juha Pietikäinen


----- Original Message ----- 
From: "Mark Frost" <mfrost at westnet.com>
To: "Juha Pietikäinen" <juha.pietikainen at connet.net>
Cc: <users at lists.openswan.org>
Sent: Sunday, May 23, 2004 7:20 AM
Subject: Re: [Openswan Users] no connection is known for...


> Hmmm.  I just ran a tcpdump on the OpenSwan gateway and after I start
> the XP side, I see lots of
>
> 00:09:47.142305 IP X.X.X.X > Y.Y.Y.Y: icmp 348: X.X.X.X udp port 500 unreachable
> 00:09:48.554227 IP Y.Y.Y.Y.500 > X.X.X.X.500: isakmp: phase 1 I ident
>
> again,
> where
> X.X.X.X = public/external address of OpenSwan gateway
> Y.Y.Y.Y = public/external address of local Linksys router (WinXP client end)
>
> So if I'm reading this right, the OpenSwan gateway is not able to send
> UDP packets to port 500 on my Linksys router.  It's not clear to me how
> I can tell why -- is it my ISP, or is it my Linksys box somehow?
>
> I am not currently trying to make L2TP work.  The instructions I've been
> going through on Jacco de Leeuw's web site talk about getting the
> OpenSwan part working first, then once that's going, messing with L2TP.
> <http://www.jacco2.dds.nl/contact/index.html>
>
> Thanks
>
> Mark
>
> Juha Pietikäinen wrote:
>
> >Hi,
> >
> >according to your secure log an IPsec connection is now established. I guess
> >that you might have some kind of problem with upper layer protocols (UDP or
> >L2TP).
> >
> >Have you tried to capture network traffic with Ethereal or tcpdump from your
> >Linux server?
> >
> >Is there any L2TP traffic between your remote Windows XP host and your Linux
> >server?
> >
> >It seems that my own ADSL-router doesn't directly support ESP
> >transport mode, which is needed by Windows XP's L2TP/IPsec client (my
> >previous messages handle this issue).  I am waiting for new firmware and I
> >hope that it will fix the problem with my router.
> >
> >It may be that you might also have problems with your ADSL-router. I have
> >incorrect checksum errors with incoming UDP packets which contain L2TP
> >packets inside. Packets are rejected due to checksum errors generated in
> >ADSL-router.
> >
> >I have managed to get L2TP/IPsec connection working only in LAN-environment.
> >
> >
> >Juha Pietikäinen
> >
> >
> >


