[Openswan Users] VPN connection problems Dialup to ADSL

Rowland Mosbergen rowlandm at paragontechnology.com.au
Sun Oct 3 14:18:13 CEST 2004


Hi there,

I have successfully setup a VPN Server with Openswan IPsec 
U2.1.3/K2.4.26-1-686 on an ADSL connection, using a roadwarrior 
configuration.

I can successfully connect to the VPN server and beyond using either 
Windows 2000 or Windows XP using Marcus Mueller's VPN Client only if the 
internet connection is ADSL.

Our main issue is trying to get the GPRS to work with ADSL for a 
client.  But if I try using GPRS or even traditional dial-up connections 
(with the appropriate configuration changes) it does not connect.

If we get the VPN server to go on dial-up, after we make the appropriate 
changes the dial-up and the GPRS can connect but the ADSL cannot.

This is using nat traversal which works successfully on both the GPRS to 
Dialup and ADSL to ADSL connections.

We have tried to change the MTU settings on the VPN server and on the 
clients to drop the MTU down to 576, 1400 and other ranges, but with no 
success.

My question is:

Has this problem (dial-up/GPRS roadwarrior connecting to ADSL VPN 
openswan) been found before? I would assume so.

What was the underlying problem?

What are the options or procedures to resolve the issue?

Would using another VPN client solve our issue?

In summary:

Roadwarrior to VPN
ADSL to ADSL = Success
GPRS to ADSL = Failure
Dialup to ADSL = Failure
Dialup to Dialup = Success
GPRS to Dialup = Success
ADSL to Dialup = Failure

The GPRS is really slow as well, which doesn't help matters.  But it 
connects up reliably when the VPN server is on dialup.


Any help would be much appreciated.

Some supporting information:


Debian auth.log
Oct  3 06:53:11 compassGW pluto[758]: packet from XX.XX.XX.XX:850: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct  3 06:53:11 compassGW pluto[758]: packet from XX.XX.XX.XX:850: ignoring Vendor ID payload [FRAGMENTATION]
Oct  3 06:53:11 compassGW pluto[758]: packet from XX.XX.XX.XX:850: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct  3 06:53:11 compassGW pluto[758]: packet from XX.XX.XX.XX:850: ignoring Vendor ID payload [26244d38eddb61b3...]
Oct  3 06:53:11 compassGW pluto[758]: "roadwarrior"[14] XX.XX.XX.XX:850 #17: responding to Main Mode from unknown peer XX.XX.XX.XX:850
Oct  3 06:53:11 compassGW pluto[758]: "roadwarrior"[14] XX.XX.XX.XX:850 #17: transition from state (null) to state STATE_MAIN_R1
Oct  3 06:53:12 compassGW pluto[758]: "roadwarrior"[14] XX.XX.XX.XX:850 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct  3 06:53:12 compassGW pluto[758]: "roadwarrior"[14] XX.XX.XX.XX:850 #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct  3 06:54:16 compassGW pluto[758]: "roadwarrior"[14] XX.XX.XX.XX:850 #17: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Oct  3 06:54:22 compassGW pluto[758]: "roadwarrior"[14] XX.XX.XX.XX:850 #17: max number of retransmissions (2) reached STATE_MAIN_R2
Oct  3 06:54:22 compassGW pluto[758]: "roadwarrior"[14] XX.XX.XX.XX:850: deleting connection "roadwarrior" instance with peer XX.XX.XX.XX {isakmp=#0/ipsec=#0}



Oakley log error: received an unencrypted packet when crypto active.



This is for the GPRS link in terms of pinging the VPN server and google 
trying to find best MTU

Ping www.google.com.au OK
Ping 61.9.212.209 OK
Ping -l 1473 -f www.google.com.au Packet needs to be fragmented but DF set
Ping -l 1472 -f www.google.com.au Request timed out
Ping -l 1472 -f XX.XX.XX.XX Request timed out
Ping -l 576 -f XX.XX.XX.XX Request timed out
Ping -l 176 -f XX.XX.XX.XX Request timed out
Ping -l 76 -f XX.XX.XX.XX Request timed out
Ping -l 65 -f XX.XX.XX.XX Request timed out
Ping -l 64 -f XX.XX.XX.XX OK






Roadwarrior ipsec.conf
-----------------------------

conn roadwarrior
    left=%any
    leftnexthop=%defaultroute
    right=XX.XX.XX.XX
    rightca="C=AU,YYYYYYYYY"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    leftnexthop=%defaultroute
    right=XX.XX.XX.XX
    rightsubnet=192.168.0.0/255.255.255.0
    rightca="C=AU,YYYYYYYYY"
    network=auto
    auto=start
    pfs=yes


VPN server ipsec.conf (have hardcoded the rightsubnetwithin to be 
10.0.0.0/8 as this is OK for both the GPRS and ADSL subnets we are 
testing on)
-----------------------------

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        #interfaces = %defaultroute
        interfaces = "ipsec0=ppp0"
        klipsdebug=all
        nat_traversal=yes
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        #Internal local subnet
        leftsubnet=192.168.0.0/255.255.255.0
        rightsubnetwithin=10.0.0.0/8
        also=roadwarrior

conn roadwarrior
        right=%any
        left=XX.XX.XX.XX
        leftcert=cert.pem
        auto=add
        pfs=yes


#Following disables opportunistic encryption
conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

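Added example (not code from the original post, and not part of Openswan): a small scanner over pluto auth.log lines of the kind shown above that tracks each ISAKMP state object (#N) through its Main Mode state transitions and reports where a negotiation gave up. Run over the post's log pattern it shows that SA #17 dies in STATE_MAIN_R2, that is, after the responder has sent its key-exchange message and while it waits for the initiator's first encrypted message, which for certificate authentication is also the largest message of the exchange. The mapping from pluto responder state to "message expected next" is this example's assumption, taken from IKEv1 Main Mode (RFC 2409) and pluto's MI1/MR1/MI2/MR2/MI3/MR3 naming, not something the post states. The sample log lines, hostname, peer addresses and state-object numbers are constructed placeholders.

```python
import re

# pluto's per-state-object log prefix:  "conn"[instance] peer:port #N: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[^ :]+):(?P<port>\d+) '
    r'#(?P<so>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (?P<old>\S+) to state (?P<new>\S+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((?P<n>\d+)\) reached (?P<state>\S+)')

# Assumed mapping (IKEv1 Main Mode, responder side, pluto naming):
#   STATE_MAIN_R1: sent MR1 (SA accepted),  waiting for MI2 (KE + nonce)
#   STATE_MAIN_R2: sent MR2 (KE + nonce),   waiting for MI3 (encrypted ID/cert/sig)
#   STATE_MAIN_R3: sent MR3, Main Mode done, waiting for Quick Mode
NEXT_EXPECTED = {
    "STATE_MAIN_R1": "MI2 (initiator key exchange and nonce)",
    "STATE_MAIN_R2": "MI3 (first encrypted message: initiator ID, certificate and signature)",
    "STATE_MAIN_R3": "Quick Mode message 1 from the initiator",
}

# Constructed sample: SA #17 stalls like the post's log, SA #18 completes.
SAMPLE_LOG = """\
Oct  3 06:53:11 gw pluto[758]: packet from 192.0.2.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct  3 06:53:11 gw pluto[758]: "roadwarrior"[14] 192.0.2.10:500 #17: responding to Main Mode from unknown peer 192.0.2.10:500
Oct  3 06:53:11 gw pluto[758]: "roadwarrior"[14] 192.0.2.10:500 #17: transition from state (null) to state STATE_MAIN_R1
Oct  3 06:53:12 gw pluto[758]: "roadwarrior"[14] 192.0.2.10:500 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct  3 06:53:12 gw pluto[758]: "roadwarrior"[14] 192.0.2.10:500 #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct  3 06:54:22 gw pluto[758]: "roadwarrior"[14] 192.0.2.10:500 #17: max number of retransmissions (2) reached STATE_MAIN_R2
Oct  3 06:54:22 gw pluto[758]: "roadwarrior"[14] 192.0.2.10:500: deleting connection "roadwarrior" instance with peer 192.0.2.10 {isakmp=#0/ipsec=#0}
Oct  3 07:10:01 gw pluto[758]: "roadwarrior"[15] 198.51.100.7:4500 #18: responding to Main Mode from unknown peer 198.51.100.7:4500
Oct  3 07:10:01 gw pluto[758]: "roadwarrior"[15] 198.51.100.7:4500 #18: transition from state (null) to state STATE_MAIN_R1
Oct  3 07:10:02 gw pluto[758]: "roadwarrior"[15] 198.51.100.7:4500 #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct  3 07:10:03 gw pluto[758]: "roadwarrior"[15] 198.51.100.7:4500 #18: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct  3 07:10:03 gw pluto[758]: "roadwarrior"[15] 198.51.100.7:4500 #18: ISAKMP SA established
"""


def analyze(lines):
    """Fold log lines into {state_object_number: info}.

    info records the connection, peer, the sequence of states visited, whether
    NAT-T detected a NATed peer, whether the ISAKMP SA was established, and, if
    pluto gave up retransmitting, the state it was stuck in.
    """
    sas = {}
    for line in lines:
        m = STATE_RE.search(line)
        if not m:
            continue  # packet-level or connection-level lines carry no "#N"
        so = int(m.group("so"))
        info = sas.setdefault(so, {
            "conn": m.group("conn"), "peer": m.group("peer"), "port": int(m.group("port")),
            "states": [], "nated": False, "established": False,
            "stalled_at": None, "retransmits": 0,
        })
        msg = m.group("msg")
        t = TRANSITION_RE.search(msg)
        if t:
            info["states"].append(t.group("new"))
        if "peer is NATed" in msg:
            info["nated"] = True
        if "ISAKMP SA established" in msg:
            info["established"] = True
        r = RETRANS_RE.search(msg)
        if r:
            info["stalled_at"] = r.group("state")
            info["retransmits"] = int(r.group("n"))
    return sas


def diagnose(sas):
    """One line per stalled SA, naming the message the responder never received."""
    out = []
    for so, info in sorted(sas.items()):
        if info["stalled_at"] is None:
            continue
        expected = NEXT_EXPECTED.get(info["stalled_at"], "an unknown next message")
        nat = " (peer behind NAT)" if info["nated"] else ""
        out.append(
            f'#{so} {info["conn"]} {info["peer"]}:{info["port"]}{nat}: gave up in '
            f'{info["stalled_at"]} after {info["retransmits"]} retransmits; '
            f'never received {expected}'
        )
    return out


if __name__ == "__main__":
    for report in diagnose(analyze(SAMPLE_LOG.splitlines())):
        print(report)
```

Pointed at a real auth.log (for example `diagnose(analyze(open("/var/log/auth.log")))`), a run of SAs that all die in the same state is the thing to look for: a stall in STATE_MAIN_R2 on one access technology and not another singles out the initiator's first encrypted message as the one not surviving the path, which narrows the next test to whether large UDP datagrams on the IKE port, and their IP fragments, actually get through that link.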



