[Openswan Users] L2TP/IPsec problem

Nico Schmoigl nico at schmoigl-online.de
Sat Aug 27 00:50:29 CEST 2005


Hi Jacco,

sorry for late response.

>>     
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16        
>> nat_traversal=yes
>>

> The internal subnet needs to be excluded here.

changed it now to:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

no change, though

>>     plutodebug=all
>>     overridemtu=1500
>
> You could try a lower MTU here, say 1400 or so.

tried it with 1500, 1000, 500
no change at all

>> Running a freeswan 2.04 with x509-1.7.0 patch.
>
>
> Any particular reason you want to stick with FreeS/WAN? Essentially it's
> dead now. Most people have upgraded to either Openswan or Strongwan.

Sorry, typo! I certainly use openswan :-| Otherwise it would not make any 
sense to write to the mailing list. I just saw that there is a newer 
version than I have. I will try to update to 2.3.1 right away.
[after some time and some small header fixes]
Got it working now, though as expected: no change

>> conn L2TP-conn-old
>> leftprotoport=17/0
>
>
> You could install the NAT-T update on the Windows 2000 client. Not that
> you need the NAT-T support but sometimes Microsoft secretly fixes other
> things as well.
>
> I for one haven't used non-updated clients for quite a while now.
>
I downloaded the MS patch and tried it out. This changed things at least 
a bit. Now I am hanging at

"L2TP-conn-new"[1] 217.247.167.50 #1: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2

(please note, that I had to define a new connection namely:

conn L2TP-conn-new
  authby=rsasig
  keyingtries=1
  type=transport
  left=%defaultroute
  leftcert=mykey.pem
  leftprotoport=17/1701
  leftrsasigkey=%cert
  right=%any
  rightprotoport=17/1701
  #rightca=%same
  rightrsasigkey=%cert
  pfs=no
  auto=add

). I again played around a bit with overridemtu, but without success. 
But wait, there seems to be at least some minor change: I can now see IP 
fragments going through my ethernet connection at the VPN server's 
device. They come from my Windows client. However, my knowledge is too 
limited to see if that could be an ISAKMP packet. Here's the dump:


Please note that it is only 484 bytes long (with header 518 bytes). The 
log of the Windows client says that it tried to send a 1956 
byte packet. Naturally, pluto does not get to know anything about the 
contents of this packet. Therefore the log does not show anything. And 
another strange thing: I only receive this single IP fragment - not two 
or three (3x484 is the first number which would be larger than 1956). 
Could this be related to the fact that the later packets do not have a 
UDP header and therefore get discarded by the sniffing program?


73
  Nico
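The fragmentation question raised above (one visible fragment out of a 1956-byte ISAKMP datagram), modelled as an added example that is not part of the original mail: it splits a UDP/500 datagram into IPv4 fragments for a given MTU and shows that only the first fragment carries the UDP header, so a capture filter on the UDP port matches just that one. Treating the 1956 bytes from the Windows log as the size of the whole UDP datagram is an assumption.

```python
# Added example, not from the thread: IPv4 fragmentation of an oversized
# ISAKMP (UDP/500) datagram and what a port-based capture filter sees.
# Assumption: the 1956 bytes reported by the Windows client are the full
# UDP datagram (UDP header + ISAKMP payload).

IP_HDR = 20   # IPv4 header without options
UDP_HDR = 8


def fragment(udp_len, mtu):
    """Split a udp_len-byte datagram into IPv4 fragments that fit the MTU.

    Every fragment except the last carries a payload that is a multiple of
    8 bytes (the fragment offset is expressed in 8-byte units). Only the
    fragment at offset 0 contains the UDP header, so only it exposes ports.
    """
    if mtu < IP_HDR + 8:
        raise ValueError("MTU too small to carry a fragment")
    max_payload = (mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < udp_len:
        plen = min(max_payload, udp_len - offset)
        frags.append({
            "offset": offset,              # byte offset inside the datagram
            "payload": plen,               # bytes of datagram in this fragment
            "total_len": IP_HDR + plen,    # IP total length on the wire
            "mf": offset + plen < udp_len, # More Fragments flag
            "port_visible": offset == 0,   # UDP header present?
        })
        offset += plen
    return frags


def port_filter_hits(frags):
    """Fragments a naive 'udp port 500' capture filter would match."""
    return sum(1 for f in frags if f["port_visible"])


def reassembled_len(frags):
    """Datagram length recovered once all fragments are reassembled."""
    last = max(frags, key=lambda f: f["offset"])
    return last["offset"] + last["payload"]


if __name__ == "__main__":
    for mtu in (1500, 1000, 500):
        fr = fragment(1956, mtu)
        print(f"MTU {mtu}: {len(fr)} fragments, "
              f"{port_filter_hits(fr)} visible to a port filter")
        for f in fr:
            print("  ", f)
```

Capturing with a filter that matches the peer's IP address (or `ip[6:2] & 0x1fff != 0` for non-first fragments) instead of the UDP port shows whether the remaining fragments arrive at all.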
