[Openswan Users] l2tpd problem

Stephan Scholz sscholz at astaro.com
Thu Sep 9 16:59:17 CEST 2004


Hi Francesco,

Have you installed the NAT-Traversal patch for the Windows 2000 client?
See: http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#NAT-T

Stephan

> Hello, I've a VPN with the following configuration:
> 
> gprs -> natgw -> vpngw -> lan
> 10.x -> 194.x -> 213.z -> 192.168.x
> 
> when the L2TP/IPsec client connects I've:
> 
> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
> ignoring Vendor ID payload [FRAGMENTATION]
> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
> ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
> Sep  9 15:36:17 vpngw pluto[5516]: "roadwarrior"[3] 194.185.97.57:14532 
> #3: responding to Main Mode from unknown peer 194.185.97.57:14532
> Sep  9 15:36:19 vpngw pluto[5516]: "roadwarrior"[3] 194.185.97.57:14532 
> #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer 
> is NATed
> Sep  9 15:36:21 vpngw pluto[5516]: "roadwarrior"[3] 194.185.97.57:14532 
> #3: Peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Italia, L=test, O=test, 
> OU=test1, CN=pda, E=pda at test.lan'
> Sep  9 15:36:21 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14532 
> #3: deleting connection "roadwarrior" instance with peer 194.185.97.57 
> {isakmp=#0/ipsec=#0}
> Sep  9 15:36:22 vpngw pluto[5516]: | NAT-T: new mapping 
> 194.185.97.57:14532/14578)
> Sep  9 15:36:22 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14578 
> #3: sent MR3, ISAKMP SA established
> Sep  9 15:36:23 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14578 
> #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Sep  9 15:36:24 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14578 
> #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Sep  9 15:36:25 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14578 
> #4: responding to Quick Mode
> Sep  9 15:36:25 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14578 
> #4: discarding duplicate packet; already STATE_QUICK_R1
> Sep  9 15:36:26 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14578 
> #4: IPsec SA established {ESP=>0x008ad7e0 <0x953509f9 NATOA=10.216.149.19}
> 
> afterwards the l2tpd daemon says:
> 
> Sep  9 15:31:58 vpngw l2tpd[3289]: ourtid = 33436, entropy_buf = 829c
> Sep  9 15:31:58 vpngw l2tpd[3289]: ourcid = 12570, entropy_buf = 311a
> Sep  9 15:31:58 vpngw l2tpd[3289]: check_control: control, cid = 0, Ns = 
> 0, Nr = 0
> Sep  9 15:31:58 vpngw l2tpd[3289]: handle_avps: handling avp's for 
> tunnel 33436, call 12570
> Sep  9 15:31:58 vpngw l2tpd[3289]: message_type_avp: message type 1 
> (Start-Control-Connection-Request)
> Sep  9 15:31:58 vpngw l2tpd[3289]: protocol_version_avp: peer is using 
> version 1, revision 0.
> Sep  9 15:31:58 vpngw l2tpd[3289]: framing_caps_avp: supported peer 
> frames: sync
> Sep  9 15:31:58 vpngw l2tpd[3289]: bearer_caps_avp: supported peer bearers:
> Sep  9 15:31:58 vpngw l2tpd[3289]: firmware_rev_avp: peer reports 
> firmware version 1026 (0x0402)
> Sep  9 15:31:58 vpngw l2tpd[3289]: hostname_avp: peer reports hostname 
> 'Pocket_PC_1'
> Sep  9 15:31:58 vpngw l2tpd[3289]: vendor_avp: peer reports vendor 
> 'Microsoft\200^H'
> Sep  9 15:31:58 vpngw l2tpd[3289]: assigned_tunnel_avp: using peer's 
> tunnel 44
> Sep  9 15:31:58 vpngw l2tpd[3289]: receive_window_size_avp: peer wants 
> RWS of 8.  Will use flow control.
> Sep  9 15:32:03 vpngw l2tpd[3289]: control_xmit: Maximum retries 
> exceeded for tunnel 33436.  Closing.
> Sep  9 15:32:03 vpngw l2tpd[3289]: call_close : Connection 44 closed to 
> 194.185.97.57, port 1701 (Timeout)
> Sep  9 15:32:08 vpngw l2tpd[3289]: control_xmit: Unable to deliver 
> closing message for tunnel 33436. Destroying anyway.
> Sep  9 15:35:42 vpngw l2tpd[3289]: death_handler: Fatal signal 15 received
> 
> Any hint?
> 
> ipsec.conf:
> 
> version 2.0
> 
> config setup
>        #interfaces="ipsec0=eth0"
>        interfaces=%defaultroute
>        nat_traversal=yes
>        klipsdebug=none
>        dumpdir=/tmp
>        overridemtu=1410
>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12
>        hidetos=yes
>        uniqueids=yes
> 
> conn %default
>        compress=yes
>        disablearrivalcheck=no
>        authby=rsasig
>        leftrsasigkey=%cert
>        rightrsasigkey=%cert
>        left=%defaultroute
>        leftcert=vpngw-cert.pem
>        pfs=no
> 
> conn roadwarrior
>        leftprotoport=17/1701
>        right=%any
>        rightprotoport=17/%any
>        rightsubnet=vhost:%no,%priv
>        auto=add
>        esp="3des-md5,3des-sha1"
>        keyingtries=3
> 
> 
> 


-- 
Stephan Scholz <sscholz at astaro.com> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
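As an added example (not part of the thread or of Openswan/l2tpd), a small log-triage helper that correlates the pluto and l2tpd lines quoted above: it confirms that the IPsec SA came up with the peer detected as NATed, that the SCCRQ then arrived inside it, and that l2tpd's replies timed out, which is the pattern the reply above points at. The sample lines are constructed from the message shapes in the post, and the regex and dictionary field names are my own, not pluto/l2tpd terminology.

```python
import re

# Constructed sample, modelled on the pluto and l2tpd lines quoted in the post
# (same message shapes, peer address and ids; l2tpd lines placed after the SA).
SAMPLE_LOG = """\
Sep  9 15:36:19 vpngw pluto[5516]: "roadwarrior"[3] 194.185.97.57:14532 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep  9 15:36:26 vpngw pluto[5516]: "roadwarrior"[4] 194.185.97.57:14578 #4: IPsec SA established {ESP=>0x008ad7e0 <0x953509f9 NATOA=10.216.149.19}
Sep  9 15:36:27 vpngw l2tpd[3289]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Sep  9 15:36:32 vpngw l2tpd[3289]: control_xmit: Maximum retries exceeded for tunnel 33436.  Closing.
Sep  9 15:36:32 vpngw l2tpd[3289]: call_close : Connection 44 closed to 194.185.97.57, port 1701 (Timeout)
"""

PLUTO = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>[\d.]+):\d+ #\d+: (?P<msg>.*)')
NATOA = re.compile(r"NATOA=(?P<natoa>[\d.]+)")
SCCRQ = re.compile(r"l2tpd\[\d+\]: message_type_avp: message type 1 \(")
TIMEOUT = re.compile(r"l2tpd\[\d+\]: call_close : Connection \d+ closed to (?P<peer>[\d.]+), port 1701 \(Timeout\)")

def diagnose(s):
    if not s["ipsec_sa"]:
        return "no IPsec SA established: the failure is in IKE, not in L2TP"
    if not s["sccrq"]:
        return "IPsec SA up but no L2TP SCCRQ arrived inside it"
    if s["l2tp_timeout"]:
        return ("IPsec SA up and SCCRQ received, but l2tpd's replies to the peer were "
                "never acknowledged (control_xmit timeout): the reply path to the NATed "
                "client is suspect; check NAT-T support on the client, as the reply suggests")
    return "L2TP control connection negotiated normally"

def triage(log_text):
    """Correlate pluto (IKE/IPsec) and l2tpd lines for the road-warrior session."""
    s = {"peer": None, "nated": False, "natoa": None, "ipsec_sa": False,
         "sccrq": False, "l2tp_timeout": False}
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if m:                                   # IKE side: peer address, NAT detection, ESP up
            s["peer"], msg = m.group("peer"), m.group("msg")
            s["nated"] |= "peer is NATed" in msg
            if msg.startswith("IPsec SA established"):
                s["ipsec_sa"] = True
                n = NATOA.search(msg)           # client's original (pre-NAT) address
                s["natoa"] = n.group("natoa") if n else None
        elif SCCRQ.search(line):                # L2TP side: SCCRQ did arrive through the tunnel
            s["sccrq"] = True
        else:
            t = TIMEOUT.search(line)
            if t and t.group("peer") == s["peer"]:  # ...but our control replies were never acked
                s["l2tp_timeout"] = True
    s["finding"] = diagnose(s)
    return s
```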
