[Openswan Users] Tunnel works but Win2k VPN doesn't

Adnan H Yusuf ayusuf at greaterthanone.com
Wed Oct 13 20:40:39 CEST 2004


Hello:

This is my setup:


<Client>  ->   <NAT GW>   ->   |Internet|   ->   <VPN GW>
<a.b.c.d>      <x.x.x.x>                         <y.y.y.y>


The idea is to use L2TP to get a local IP address from VPN GW on the client.

- The client is a Win2k box with High Enc Pack.
- NAT GW is a Cisco 2514 router.
- VPN GW is a FC2 Linux box with
   - kernel 2.6.5-1.358
   - OpenS/WAN 2.2.0-2
   - l2tpd 0.69-9jdl

I can set up the IPSEC tunnel from the client to VPN GW, and everything
works fine:


----------
Oct 13 19:28:32 vpngw pluto[9987]: packet from x.x.x.x:500: ignoring Vendor
ID payload [FRAGMENTATION]
Oct 13 19:28:32 vpngw pluto[9987]: packet from x.x.x.x:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[1] x.x.x.x #1:
responding to Main Mode from unknown peer x.x.x.x
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[1] x.x.x.x #1:
transition from state (null) to state STATE_MAIN_R1
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[1] x.x.x.x #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[1] x.x.x.x #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[1] x.x.x.x #1: Peer ID
is ID_DER_ASN1_DN: '<snip>'
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[1] x.x.x.x #1: no crl
from issuer "<snip>" found (strict=no)
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x #1:
deleting connection "roadwarrior-l2tp" instance with peer x.x.x.x
{isakmp=#0/ipsec=#0}
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x #1: I am
sending my cert
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 13 19:28:32 vpngw pluto[9987]: | NAT-T: new mapping x.x.x.x:500/4500)
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x:4500 #1:
sent MR3, ISAKMP SA established
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior"[1] x.x.x.x:4500 #2:
responding to Quick Mode
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior"[1] x.x.x.x:4500 #2:
transition from state (null) to state STATE_QUICK_R1
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior"[1] x.x.x.x:4500 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior"[1] x.x.x.x:4500 #2: IPsec
SA established {ESP=>0x8d02f269 <0x7c480d4d NATOA=0.0.0.0}

-----------


I've tried using ping and ssh over the tunnel: they work fine.

But when I try to use the VPN dialer on Win2k to connect to the l2tpd server
on VPN GW, this is what I get:


---------
Oct 13 19:33:38 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x:4500 #1:
received Delete SA(0x8d02f269) payload: deleting IPSEC State #2
Oct 13 19:33:38 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x:4500 #1:
deleting connection "roadwarrior" instance with peer x.x.x.x
{isakmp=#0/ipsec=#0}
Oct 13 19:33:38 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x:4500 #1:
received and ignored informational message
Oct 13 19:34:25 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x:4500 #1:
received Delete SA payload: deleting ISAKMP State #1
Oct 13 19:34:25 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x:4500:
deleting connection "roadwarrior-l2tp" instance with peer x.x.x.x
{isakmp=#0/ipsec=#0}
Oct 13 19:34:25 vpngw pluto[9987]: packet from x.x.x.x:4500: received and
ignored informational message
Oct 13 19:34:25 vpngw pluto[9987]: packet from x.x.x.x:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Oct 13 19:34:25 vpngw pluto[9987]: packet from x.x.x.x:500: ignoring Vendor
ID payload [FRAGMENTATION]
Oct 13 19:34:25 vpngw pluto[9987]: packet from x.x.x.x:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 13 19:34:25 vpngw pluto[9987]: "roadwarrior-l2tp"[3] x.x.x.x #3:
responding to Main Mode from unknown peer x.x.x.x
Oct 13 19:34:25 vpngw pluto[9987]: "roadwarrior-l2tp"[3] x.x.x.x #3:
transition from state (null) to state STATE_MAIN_R1
Oct 13 19:34:25 vpngw pluto[9987]: "roadwarrior-l2tp"[3] x.x.x.x #3:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 13 19:34:25 vpngw pluto[9987]: "roadwarrior-l2tp"[3] x.x.x.x #3:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[3] x.x.x.x #3: Peer ID
is ID_DER_ASN1_DN: '<snip>'
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[3] x.x.x.x #3: no crl
from issuer "<snip>" found (strict=no)
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x #3:
deleting connection "roadwarrior-l2tp" instance with peer x.x.x.x
{isakmp=#0/ipsec=#0}
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x #3: I am
sending my cert
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x #3:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 13 19:34:26 vpngw pluto[9987]: | NAT-T: new mapping x.x.x.x:500/4500)
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #3:
sent MR3, ISAKMP SA established
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #4: we
require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #4:
sending encrypted notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #3:
received Delete SA payload: deleting ISAKMP State #3
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500:
deleting connection "roadwarrior-l2tp" instance with peer x.x.x.x
{isakmp=#0/ipsec=#0}
Oct 13 19:34:26 vpngw pluto[9987]: packet from x.x.x.x:4500: received and
ignored informational message
----------

The IPSEC connection is clearly 'deleted', but Windows seems oblivious to
it. I have to wait for the tunnel to time out (?) before a new connection is
initiated.

I'm using simple config files found on HOWTOs, and I'll be glad to attach
them for review.

Any ideas on where I went wrong will be greatly appreciated. Thank you!



Regards,
Adnan.
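The two log excerpts above tell the whole story once the lines are read per state number: in the first run pluto completed Phase 1 on "roadwarrior-l2tp" (#1) but answered Quick Mode on the plain "roadwarrior" conn (#2), which is why ping and ssh worked; in the VPN dialer run pluto kept "roadwarrior-l2tp" for Quick Mode (#4), rejected the client's proposal because it carried no DH group ("we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION") and sent NO_PROPOSAL_CHOSEN, after which the client tore down the ISAKMP SA. The script below is an added example, not part of the post or of Openswan: it parses pluto syslog lines of this shape, tracks Phase 1 / Phase 2 outcomes and the conn used for Quick Mode, and reports the PFS mismatch. The sample input is a constructed, re-joined subset of the lines quoted above (the mail client wrapped them). The remark about the `pfs=` option in the verdict refers to the Openswan ipsec.conf connection setting that decides whether a DH group is required in Quick Mode; which value is right for this setup is not something the post states.

```python
import re

# Constructed sample input: a condensed subset of the pluto messages quoted
# in the post, re-joined onto single lines (the mail client wrapped them).
GOOD_RUN = """\
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior-l2tp"[2] x.x.x.x:4500 #1: sent MR3, ISAKMP SA established
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior"[1] x.x.x.x:4500 #2: responding to Quick Mode
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior"[1] x.x.x.x:4500 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 13 19:28:32 vpngw pluto[9987]: "roadwarrior"[1] x.x.x.x:4500 #2: IPsec SA established {ESP=>0x8d02f269 <0x7c480d4d NATOA=0.0.0.0}
"""

BAD_RUN = """\
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #3: sent MR3, ISAKMP SA established
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #4: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #4: sending encrypted notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500 #3: received Delete SA payload: deleting ISAKMP State #3
Oct 13 19:34:26 vpngw pluto[9987]: "roadwarrior-l2tp"[4] x.x.x.x:4500: deleting connection "roadwarrior-l2tp" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
"""

# One pluto syslog line: timestamp, host, pluto[pid], then optionally the
# connection name, instance number, peer and state (SA) number, then message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\w.]+(?::\d+)?):? '
    r'(?:#(?P<sa>\d+): )?)?'
    r'(?P<msg>.*)$'
)


def parse_pluto(text):
    """Parse pluto log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(text):
    """Track one negotiation: which state numbers reached Phase 1 / Phase 2,
    which conn pluto used for Quick Mode, and why Phase 2 failed, if it did."""
    result = {"isakmp_sa": None, "ipsec_sa": None, "phase2_conn": None,
              "failure": None, "notify": None}
    for ev in parse_pluto(text):
        msg = ev["msg"]
        if "ISAKMP SA established" in msg:
            result["isakmp_sa"] = int(ev["sa"])
        elif "responding to Quick Mode" in msg:
            result["phase2_conn"] = ev["conn"]
        elif "IPsec SA established" in msg:
            result["ipsec_sa"] = int(ev["sa"])
            result["phase2_conn"] = ev["conn"]
        elif msg.startswith("we require PFS") and "no GROUP_DESCRIPTION" in msg:
            # Responder wants a DH exchange in Quick Mode; initiator sent none.
            result["failure"] = "pfs_mismatch"
        elif msg.startswith("sending encrypted notification"):
            # "sending encrypted notification <NAME> to <peer>"
            result["notify"] = msg.split()[3]
    return result


def diagnose(summary):
    """Turn the summary into a one-line verdict."""
    if summary["ipsec_sa"] is not None:
        return "ok: IPsec SA #%d on conn %s" % (summary["ipsec_sa"], summary["phase2_conn"])
    if summary["failure"] == "pfs_mismatch":
        return ("phase2 failed: peer's Quick Mode proposal carries no DH group, "
                "but the conn requires PFS (answered with %s); "
                "align the pfs= setting on both ends" % summary["notify"])
    if summary["isakmp_sa"] is not None:
        return "phase1 ok, phase2 never completed"
    return "phase1 never completed"


if __name__ == "__main__":
    for name, run in (("first run", GOOD_RUN), ("VPN dialer run", BAD_RUN)):
        print(name + ":", diagnose(summarize(run)))
```

Feed it the relevant `/var/log/secure` lines (re-joined if syslog or the mailer wrapped them) and the verdict line separates a Phase 1 problem (certificates, NAT-T) from a Phase 2 proposal mismatch, which is where this post's dialer run fails.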


