[strongSwan] Re: [Openswan Users] l2tpd problem

Francesco Defilippo francesco.defilippo at sys-net.it
Thu Sep 9 20:03:08 CEST 2004


Hello again, I forgot to say that with Windows 2003/XP everything works as is :(

Francesco Defilippo wrote:

> Hi, could it be a fragmentation problem? With tcpdump I see:
>
> 18:34:40.202492 213.92.x.x.4500 > 194.185.97.57.25084: [no cksum] udp 
> 140 (DF) (ttl 64, id 290, len 168)
> 18:34:41.202504 213.92.x.x.4500 > 194.185.97.57.25084: [no cksum] udp 
> 140 (DF) (ttl 64, id 291, len 168)
> 18:34:42.202528 213.92.x.x.4500 > 194.185.97.57.25084: [no cksum] udp 
> 140 (DF) (ttl 64, id 292, len 168)
> 18:34:43.123759 194.185.97.57.25084 > 213.92.x.x.4500: [udp sum ok] 
> udp 1 (ttl 112, id 53, len 29)
>
>
> Francesco Defilippo wrote:
>
>> Hi, I'm trying from a Pocket PC 2003.
>>
>> Stephan Scholz wrote:
>>
>>> Hi Francesco,
>>>
>>> have you installed the NAT-Traversal patch for the Windows 2000 client?
>>> See: http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#NAT-T
>>>
>>> Stephan
>>>
>>>> Hello, I have a VPN with the following configuration:
>>>>
>>>> gprs -> natgw -> vpngw -> lan
>>>> 10.x -> 194.x -> 213.z -> 192.168.x
>>>>
>>>> When the L2TP/IPsec client connects I have:
>>>>
>>>> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
>>>> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>>>> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
>>>> ignoring Vendor ID payload [FRAGMENTATION]
>>>> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
>>>> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>>> Sep  9 15:36:17 vpngw pluto[5516]: packet from 194.185.97.57:14532: 
>>>> ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
>>>> Sep  9 15:36:17 vpngw pluto[5516]: "roadwarrior"[3] 
>>>> 194.185.97.57:14532 #3: responding to Main Mode from unknown peer 
>>>> 194.185.97.57:14532
>>>> Sep  9 15:36:19 vpngw pluto[5516]: "roadwarrior"[3] 
>>>> 194.185.97.57:14532 #3: NAT-Traversal: Result using 
>>>> draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>>>> Sep  9 15:36:21 vpngw pluto[5516]: "roadwarrior"[3] 
>>>> 194.185.97.57:14532 #3: Peer ID is ID_DER_ASN1_DN: 'C=IT, 
>>>> ST=Italia, L=test, O=test, OU=test1, CN=pda, E=pda at test.lan'
>>>> Sep  9 15:36:21 vpngw pluto[5516]: "roadwarrior"[4] 
>>>> 194.185.97.57:14532 #3: deleting connection "roadwarrior" instance 
>>>> with peer 194.185.97.57 {isakmp=#0/ipsec=#0}
>>>> Sep  9 15:36:22 vpngw pluto[5516]: | NAT-T: new mapping 
>>>> 194.185.97.57:14532/14578)
>>>> Sep  9 15:36:22 vpngw pluto[5516]: "roadwarrior"[4] 
>>>> 194.185.97.57:14578 #3: sent MR3, ISAKMP SA established
>>>> Sep  9 15:36:23 vpngw pluto[5516]: "roadwarrior"[4] 
>>>> 194.185.97.57:14578 #3: retransmitting in response to duplicate 
>>>> packet; already STATE_MAIN_R3
>>>> Sep  9 15:36:24 vpngw pluto[5516]: "roadwarrior"[4] 
>>>> 194.185.97.57:14578 #3: retransmitting in response to duplicate 
>>>> packet; already STATE_MAIN_R3
>>>> Sep  9 15:36:25 vpngw pluto[5516]: "roadwarrior"[4] 
>>>> 194.185.97.57:14578 #4: responding to Quick Mode
>>>> Sep  9 15:36:25 vpngw pluto[5516]: "roadwarrior"[4] 
>>>> 194.185.97.57:14578 #4: discarding duplicate packet; already 
>>>> STATE_QUICK_R1
>>>> Sep  9 15:36:26 vpngw pluto[5516]: "roadwarrior"[4] 
>>>> 194.185.97.57:14578 #4: IPsec SA established {ESP=>0x008ad7e0 
>>>> <0x953509f9 NATOA=10.216.149.19}
>>>>
>>>> After that, the l2tpd daemon says:
>>>>
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: ourtid = 33436, entropy_buf = 829c
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: ourcid = 12570, entropy_buf = 311a
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: check_control: control, cid = 0, 
>>>> Ns = 0, Nr = 0
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: handle_avps: handling avp's for 
>>>> tunnel 33436, call 12570
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: message_type_avp: message type 1 
>>>> (Start-Control-Connection-Request)
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: protocol_version_avp: peer is 
>>>> using version 1, revision 0.
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: framing_caps_avp: supported peer 
>>>> frames: sync
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: bearer_caps_avp: supported peer 
>>>> bearers:
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: firmware_rev_avp: peer reports 
>>>> firmware version 1026 (0x0402)
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: hostname_avp: peer reports 
>>>> hostname 'Pocket_PC_1'
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: vendor_avp: peer reports vendor 
>>>> 'Microsoft\200^H'
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: assigned_tunnel_avp: using 
>>>> peer's tunnel 44
>>>> Sep  9 15:31:58 vpngw l2tpd[3289]: receive_window_size_avp: peer 
>>>> wants RWS of 8.  Will use flow control.
>>>> Sep  9 15:32:03 vpngw l2tpd[3289]: control_xmit: Maximum retries 
>>>> exceeded for tunnel 33436.  Closing.
>>>> Sep  9 15:32:03 vpngw l2tpd[3289]: call_close : Connection 44 
>>>> closed to 194.185.97.57, port 1701 (Timeout)
>>>> Sep  9 15:32:08 vpngw l2tpd[3289]: control_xmit: Unable to deliver 
>>>> closing message for tunnel 33436. Destroying anyway.
>>>> Sep  9 15:35:42 vpngw l2tpd[3289]: death_handler: Fatal signal 15 
>>>> received
>>>>
>>>> Any hints?
>>>>
>>>> ipsec.conf:
>>>>
>>>> version 2.0
>>>>
>>>> config setup
>>>>        #interfaces="ipsec0=eth0"
>>>>        interfaces=%defaultroute
>>>>        nat_traversal=yes
>>>>        klipsdebug=none
>>>>        dumpdir=/tmp
>>>>        overridemtu=1410
>>>>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12
>>>>        hidetos=yes
>>>>        uniqueids=yes
>>>>
>>>> conn %default
>>>>        compress=yes
>>>>        disablearrivalcheck=no
>>>>        authby=rsasig
>>>>        leftrsasigkey=%cert
>>>>        rightrsasigkey=%cert
>>>>        left=%defaultroute
>>>>        leftcert=vpngw-cert.pem
>>>>        pfs=no
>>>>
>>>> conn roadwarrior
>>>>        leftprotoport=17/1701
>>>>        right=%any
>>>>        rightprotoport=17/%any
>>>>        rightsubnet=vhost:%no,%priv
>>>>        auto=add
>>>>        esp="3des-md5,3des-sha1"
>>>>        keyingtries=3
>>>>
>>>>
>>>>
>>>>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: 
>>>> +390382476497
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>>>
>>>
>>>
>>>
>>
>>
>>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: 
>> +390382476497
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> http://lists.strongswan.org/mailman/listinfo/users



    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497


