[Openswan Users] Breaking L2TP connection

Matthias Haas mh at pompase.net
Tue Aug 16 17:37:46 CEST 2005


Hello,
I am trying to establish a reliable l2tp connection. The problem I have
is that the connection breaks sometimes while doing the rekeying.
The system I am currently using is
openswan 2.2.1
kernel 2.4.31
l2tpd 0.69

I am doing cert based authentication. The client is natted. IKE Lifetime
and IPSec Lifetime are set to 1h. This is what is written in the logfiles:

pluto[30180]: packet from 213.179.141.14:4500: received and ignored
informational message
Aug 16 16:05:20 do242 pluto[30180]: packet from 213.179.141.14:4500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 16 16:05:20 do242 pluto[30180]: packet from 213.179.141.14:4500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug 16 16:05:20 do242 pluto[30180]: packet from 213.179.141.14:4500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 16 16:05:20 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[6] 213.179.141.14:4500 #20:
responding to Main Mode from unknown peer 213.179.141.14:4500
Aug 16 16:05:20 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[6] 213.179.141.14:4500 #20:
transition from state (null) to state STATE_MAIN_R1
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[6] 213.179.141.14:4500 #20:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[6] 213.179.141.14:4500 #20:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[6] 213.179.141.14:4500 #20:
Peer ID is ID_DER_ASN1_DN: 'C=DE, CN=l2tpclient'
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[6] 213.179.141.14:4500 #20:
no crl from issuer "C=DE, CN=CA" found (strict=no)
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
deleting connection "l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0" instance
with peer 213.179.141.14 {isakmp=#0/ipsec=#0}
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
I am sending my cert
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
sent MR3, ISAKMP SA established
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #21:
responding to Quick Mode
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #21:
transition from state (null) to state STATE_QUICK_R1
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #21:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 16 16:05:22 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #21:
IPsec SA established {ESP=>0x3fcd11c8 <0xdae6d12a NATOA=192.168.0.136}
Aug 16 16:05:23 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #15:
next payload type of ISAKMP Hash Payload has an unknown value: 170
Aug 16 16:05:23 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #15:
malformed payload in packet
Aug 16 16:05:23 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #15:
sending encrypted notification PAYLOAD_MALFORMED to 213.179.141.14:4500
Aug 16 16:18:32 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
received Delete SA(0x3fcd11c8) payload: deleting IPSEC State #21
Aug 16 16:18:32 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
received and ignored informational message
Aug 16 16:18:36 do242 pluto[30180]: ERROR: pfkey write() of SADB_X_DELFLOW
message 33 for flow int.0 at 0.0.0.0 failed. Errno 14: Bad address
Aug 16 16:18:36 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #22:
responding to Quick Mode
Aug 16 16:18:36 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #22:
transition from state (null) to state STATE_QUICK_R1
Aug 16 16:18:36 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #22:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 16 16:18:36 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #22:
IPsec SA established {ESP=>0xa1bdff1e <0xdae6d12b NATOA=192.168.0.136}

This is what bothers me most:
Aug 16 16:19:14 do242 pluto[30180]: ERROR: pfkey write() of SADB_X_DELFLOW
message 37 for flow int.0 at 0.0.0.0 failed. Errno 14: Bad address


Aug 16 16:19:37 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
received Delete SA(0xa1bdff1e) payload: deleting IPSEC State #22
Aug 16 16:19:37 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
received and ignored informational message
Aug 16 16:19:39 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #23:
responding to Quick Mode
Aug 16 16:19:39 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #23:
transition from state (null) to state STATE_QUICK_R1
Aug 16 16:19:39 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #23:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 16 16:19:39 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #23:
IPsec SA established {ESP=>0x958f5903 <0xdae6d12c NATOA=192.168.0.136}
Aug 16 16:20:38 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
received Delete SA(0x958f5903) payload: deleting IPSEC State #23
Aug 16 16:20:38 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
received and ignored informational message
Aug 16 16:20:38 do242 pluto[30180]:
"l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #20:
received Delete SA payload: deleting ISAKMP State #20

Is there something wrongly configured?

Kind regards
Matthias
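
Added example, not part of the original post: a small parser that pairs each "IPsec SA established" record with the peer's matching "Delete SA" by SPI and reports how long the SA lived, which for the log above is 790, 61 and 59 seconds against a configured lifetime of 1h. The function names and the shortened connection name "l2tp" in the sample are assumptions made for this example.

```python
import re
from datetime import datetime

# Excerpt of the pluto log from the post, wrapped as in the mail; the
# connection name is shortened to "l2tp" here for width.
SAMPLE = """\
Aug 16 16:05:22 do242 pluto[30180]: "l2tp"[4] 213.179.141.14:4500 #21:
IPsec SA established {ESP=>0x3fcd11c8 <0xdae6d12a NATOA=192.168.0.136}
Aug 16 16:18:32 do242 pluto[30180]: "l2tp"[4] 213.179.141.14:4500 #20:
received Delete SA(0x3fcd11c8) payload: deleting IPSEC State #21
Aug 16 16:18:36 do242 pluto[30180]: "l2tp"[4] 213.179.141.14:4500 #22:
IPsec SA established {ESP=>0xa1bdff1e <0xdae6d12b NATOA=192.168.0.136}
Aug 16 16:19:37 do242 pluto[30180]: "l2tp"[4] 213.179.141.14:4500 #20:
received Delete SA(0xa1bdff1e) payload: deleting IPSEC State #22
Aug 16 16:19:39 do242 pluto[30180]: "l2tp"[4] 213.179.141.14:4500 #23:
IPsec SA established {ESP=>0x958f5903 <0xdae6d12c NATOA=192.168.0.136}
Aug 16 16:20:38 do242 pluto[30180]: "l2tp"[4] 213.179.141.14:4500 #20:
received Delete SA(0x958f5903) payload: deleting IPSEC State #23
"""

STAMP = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
ESTABLISHED = re.compile(r"#(\d+): IPsec SA established \{ESP=>(0x[0-9a-f]+)")
DELETED = re.compile(r"received Delete SA\((0x[0-9a-f]+)\)")

def unwrap(text):
    """Join mail-wrapped continuation lines back onto their syslog record."""
    records = []
    for line in text.splitlines():
        # Drop terminal cursor-key residue, raw or in caret notation (^[[A).
        line = re.sub(r"\x1b\[[A-Z]|\^\[\[[A-Z]", "", line).strip()
        if STAMP.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def sa_lifetimes(text, year=2005):
    """Return [(state, spi, seconds_alive)] for SAs the peer deleted."""
    born, out = {}, []
    for rec in unwrap(text):
        stamp = STAMP.match(rec).group(1)  # syslog omits the year
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if (e := ESTABLISHED.search(rec)):
            born[e.group(2)] = (int(e.group(1)), ts)
        elif (d := DELETED.search(rec)) and d.group(1) in born:
            state, t0 = born.pop(d.group(1))
            out.append((state, d.group(1), int((ts - t0).total_seconds())))
    return out

def premature(text, configured=3600):  # deleted before half the lifetime
    return [r for r in sa_lifetimes(text) if r[2] < configured // 2]
```

The SPI in "Delete SA(...)" is the outbound (ESP=>) value of the SA being torn down, so that is the key used for pairing.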


