[Openswan Users] L2TP/IPsec problem
Nico Schmoigl
nico at schmoigl-online.de
Sat Aug 27 00:50:29 CEST 2005
Hi Jacco,
Sorry for the late response.
>>
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>> nat_traversal=yes
>>
> The internal subnet needs to be excluded here.
changed it now to:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
no change, though
>> plutodebug=all
>> overridemtu=1500
>
> You could try a lower MTU here, say 1400 or so.
tried it with 1500, 1000, 500
no change at all
>> Running a freeswan 2.04 with x509-1.7.0 patch.
>
>
> Any particular reason you want to stick with FreeS/WAN? Essentially it's
> dead now. Most people have upgraded to either Openswan or strongSwan.
Sorry, typo! I certainly use Openswan :-| Otherwise it would not have made
any sense to write to the mailing list. I just saw that there is a newer
version than I have. I will try to update to 2.3.1 right away.
[after some time and some small header fixes]
Got it working now, though, as expected: no change.
>> conn L2TP-conn-old
>> leftprotoport=17/0
>
>
> You could install the NAT-T update on the Windows 2000 client. Not that
> you need the NAT-T support but sometimes Microsoft secretly fixes other
> things as well.
>
> I for one haven't used non-updated clients for quite a while now.
>
I downloaded the MS patch and tried it out. This changed things at least
a bit. Now I am hanging at:
"L2TP-conn-new"[1] 217.247.167.50 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
(Please note that I had to define a new connection, namely:
conn L2TP-conn-new
authby=rsasig
keyingtries=1
type=transport
left=%defaultroute
leftcert=mykey.pem
leftprotoport=17/1701
leftrsasigkey=%cert
right=%any
rightprotoport=17/1701
#rightca=%same
rightrsasigkey=%cert
pfs=no
auto=add
). I again played around a bit with overridemtu, but without success.
But wait, there seems to be at least some minor change: I can now see IP
fragments going through my Ethernet connection at the VPN server's
device. They come from my Windows client. However, my knowledge is too
limited to see whether that could be an ISAKMP packet. Here's the dump:
0010 01 f8 57 03 00 b9 74 11 f1 60 d9 f7 a7 61 52 d4 ..W...t. .`...aR.
0020 27 ab 04 f4 2b 3f 2a 58 43 49 88 20 6e 48 30 cd '...+?*X CI. nH0.
0030 3a f9 13 fe 1f 00 d2 64 1c b8 a0 a3 1d 2d f4 91 :......d .....-..
0040 c3 cb 6f 5f 96 69 cf 09 77 cc 6f 9e a5 22 64 51 ..o_.i.. w.o.."dQ
0050 ca ae cf 9d b8 10 ba 2d c1 62 04 fc 6b 44 3e ef .......- .b..kD>.
0060 a8 d1 50 4f ce 42 2e 30 77 40 74 fe 80 5c 6a 07 ..PO.B.0 w@t..\j.
0070 1c 37 fc 18 72 10 34 c4 12 a2 ce a7 23 70 96 ba .7..r.4. ....#p..
0080 57 0e 9f 82 81 4d 5c cb 0a 66 88 b2 c5 5c ac 33 W....M\. .f...\.3
0090 48 37 5d 19 28 52 ac f8 8c ed 2a 32 b7 b2 9b be H7].(R.. ..*2....
00a0 69 2e 8d 8e ff 73 ea b8 7c 89 2c 77 39 6e 97 35 i....s.. |.,w9n.5
00b0 9d ba e3 74 6b c7 38 eb 13 8d 59 af 57 9c 5e 1c ...tk.8. ..Y.W.^.
00c0 b3 c1 6e 4d 72 8b d5 3d f3 f4 37 17 d0 38 f6 a6 ..nMr..= ..7..8..
00d0 62 69 12 b8 c1 d9 61 f7 e1 95 1d fa 83 ac 02 3f bi....a. .......?
00e0 c9 e8 85 5a b7 5a dc cc b4 08 68 da f1 85 ca b5 ...Z.Z.. ..h.....
00f0 d3 9a 23 9b bf a9 9f 83 73 c8 c6 69 ce e4 b2 ad ..#..... s..i....
0100 f3 b3 f1 bf d1 26 8f f8 c0 d0 a9 55 63 27 36 0f .....&.. ...Uc'6.
0110 92 14 48 5b 44 3e 2c 46 b8 a0 0d c4 d1 ff 59 3c ..H[D>,F ......Y<
0120 09 88 c2 03 bb 0d d0 77 83 0c f1 d6 1f 3e dc 95 .......w .....>..
0130 14 c8 88 1e b5 d6 1b 1b 23 32 3f 41 00 0f be 26 ........ #2?A...&
0140 3f 12 fd 75 04 c1 3b 8a be b7 ad 83 82 90 da d7 ?..u..;. ........
0150 f0 da e7 74 2d 49 9c 07 08 82 7a 8e b8 ff 4f 3b ...t-I.. ..z...O;
0160 7b f2 6b f4 c8 dd d1 01 77 dd 46 0b e9 ca 50 00 {.k..... w.F...P.
0170 44 f6 d1 3e 6e c3 5b 04 ef 98 a9 0a a9 12 db da D..>n.[. ........
0180 ae a4 f6 40 a3 1f f8 d1 c9 f8 94 25 2d c7 f2 eb ...@.... ...%-...
0190 1c 05 e5 4b 14 68 f8 91 ad 1a 7c 61 f5 87 15 13 ...K.h.. ..|a....
01a0 cc a0 84 a7 c1 65 54 da 51 ed db 0f 56 b7 23 c7 .....eT. Q...V.#.
01b0 69 9d 80 49 18 09 85 68 36 f1 ae 4a 01 fd ef 56 i..I...h 6..J...V
01c0 14 85 f7 f6 e4 26 e1 cd cb f4 1e fb 78 af 43 cc .....&.. ....x.C.
01d0 cc d6 7f b2 73 5d b6 6d f8 aa da 66 ba ba 43 3b ....s].m ...f..C;
01e0 48 54 df 9c 03 16 3a f6 33 8f ea 50 49 1c ce a9 HT....:. 3..PI...
01f0 b8 49 47 4d 11 30 c8 82 5b c3 17 d2 06 ef 03 08 .IGM.0.. [.......
0200 26 58 3f 24 f0 5e &X?$.^
Please note that it is only 484 bytes long (518 bytes with header). The
log of the Windows client says that it tried to send a 1956-byte
packet. Naturally, pluto does not get to know anything about the
contents of this packet. Therefore the log does not show anything. And
another strange thing: I only receive this single IP fragment, not two
or three (3x484 is the first number which would be larger than 1956).
Could this be related to the fact that the later packets do not have an
IP header and therefore get discarded by the sniffing program?
73
Nico
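As an added example (not part of Nico's post and not Openswan code), here is a small Python decoder for the IPv4 header of the fragment quoted above. The Ethereal dump starts at frame offset 0x0010; with a 14-byte Ethernet header in front of the IP packet, the first two IP header bytes (Version/IHL and TOS) are therefore not shown. The script assumes they are 0x45 0x00 (IPv4, 20-byte header, no options) and uses the IP header checksum to confirm that assumption; every other value it reports comes straight from the quoted bytes.

```python
"""Decode the IPv4 header of the 518-byte frame quoted in the post.

Added example, not code from the post or from Openswan.  The only input
is the header tail copied from the dump's 0010 line plus the first two
bytes of the 0020 line ("27 ab").
"""
import struct

# ASSUMPTION: Ethernet II framing, so the two IP header bytes that sit
# before frame offset 0x0010 are Version/IHL = 0x45 and TOS = 0x00.
ASSUMED_PREFIX = bytes.fromhex("4500")
# Bytes 0x10..0x21 of the quoted dump: total length, identification,
# flags/fragment offset, TTL, protocol, checksum, source, destination.
DUMP_HEADER_TAIL = bytes.fromhex("01f8570300b97411f160d9f7a76152d427ab")
QUOTED_HEADER = ASSUMED_PREFIX + DUMP_HEADER_TAIL  # 20 bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header.

    Run over a header that already contains its checksum field, a
    correct header yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> dict:
    """Return the fixed IPv4 header fields of `raw` as a dict."""
    if len(raw) < 20:
        raise ValueError("need at least the 20-byte fixed IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    return {
        "version": version,
        "header_length": ihl,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment
        "mf": bool(flags_frag & 0x2000),          # More Fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "ttl": ttl,
        "protocol": proto,                        # 17 = UDP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }


def fragment_summary(hdr: dict) -> dict:
    """Work out what this packet tells us about the datagram it belongs to."""
    payload = hdr["total_length"] - hdr["header_length"]
    offset = hdr["fragment_offset"]
    is_fragment = hdr["mf"] or offset > 0
    is_last = is_fragment and not hdr["mf"]
    # Only the offset-0 fragment carries the UDP/TCP header (and ports).
    carries_l4_header = offset == 0
    # For the last fragment, offset + payload is the reassembled IP payload.
    reassembled = offset + payload if is_last else None
    udp_payload = None
    if reassembled is not None and hdr["protocol"] == 17:
        udp_payload = reassembled - 8  # strip the 8-byte UDP header
    return {
        "payload_length": payload,
        "is_fragment": is_fragment,
        "is_last_fragment": is_last,
        "carries_l4_header": carries_l4_header,
        "reassembled_length": reassembled,
        "udp_payload_length": udp_payload,
    }


def decode_quoted_fragment() -> dict:
    """Decode the header from the post and summarise it."""
    hdr = parse_ipv4_header(QUOTED_HEADER)
    return {"header": hdr, "fragment": fragment_summary(hdr)}


if __name__ == "__main__":
    result = decode_quoted_fragment()
    for section, fields in result.items():
        print(f"[{section}]")
        for key, value in fields.items():
            print(f"  {key:20} {value}")
```

Run as is, the decoder reports total length 504 (484 bytes of payload), identification 0x5703, DF and MF both clear, fragment offset 1480, TTL 116, protocol 17 (UDP), source 217.247.167.97, destination 82.212.39.171, and a checksum that verifies, which confirms the assumed 0x45 0x00 prefix. An offset of 1480 with MF clear marks this frame as the final fragment of a 1964-byte datagram, which is the 1956-byte UDP payload from the Windows log plus the 8-byte UDP header. The fragment at offset 0, the only one carrying the UDP header and hence the ISAKMP port, is not in the capture; without it the receiving kernel cannot reassemble the datagram, so pluto never sees the message.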