[Openswan Users]
WinXP-RoadWrrior-Openswan setup on 2.4kernel with PSK
liran tal
liransgarage at gmail.com
Thu Dec 22 14:07:40 CET 2005
Hey guys,
I've been struggling for a few weeks on getting this to work and I haven't
made a lot of progress.
The setup is as follows:
REMOTE END = Roadwarrior Windows XP clients with the built-in L2TP/IPSEC
dialer, set with PSK, and security options are "Optional Encryption" and
PAP + SPAP.
LOCAL END = My Linux gateway at home, running Debian 2.4.27 kernel with
Openswan 2.4.4 and L2TPns 2.1.13
Here is the complete configuration:
=====================
- Gateway Kernel information:
[root@localhost:/root] uname -a
Linux localhost 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i586 GNU/Linux
- IPsec configuration (/etc/ipsec.conf)
version 2.0

config setup
    uniqueids=yes
    interfaces=%defaultroute
    nat_traversal=yes

conn L2TP-PSK
    ike=aes128-md5-modp1024
    esp=aes128-md5
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    auth=esp
    type=transport
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=myip.homeunix.org
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/1701
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
- IPSec.secrets (/etc/ipsec.secrets)
myip.homeunix.org %any: PSK "thiskeyisonlyatest"
- Logfile (/var/log/auth.log)
Dec 20 20:19:48 localhost pluto[15013]: Setting NAT-Traversal port-4500 floating to on
Dec 20 20:19:48 localhost pluto[15013]: port floating activation criteria nat_t=1/port_fload=1
Dec 20 20:19:48 localhost pluto[15013]: including NAT-Traversal patch (Version 0.6c)
Dec 20 20:19:49 localhost pluto[15013]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 20 20:19:49 localhost pluto[15013]: starting up 1 cryptographic helpers
Dec 20 20:19:49 localhost pluto[15013]: started helper pid=15020 (fd:6)
Dec 20 20:19:49 localhost pluto[15013]: Using Linux 2.6 IPsec interface code on 2.4.27-2-386
Dec 20 20:19:53 localhost pluto[15013]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 20 20:19:53 localhost pluto[15013]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 20 20:19:53 localhost pluto[15013]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 20 20:19:53 localhost pluto[15013]: Changing to directory '/etc/ipsec.d/crls'
Dec 20 20:19:53 localhost pluto[15013]: Warning: empty directory
Dec 20 20:19:53 localhost pluto[15013]: added connection description "L2TP-PSK"
Dec 20 20:19:53 localhost pluto[15013]: listening for IKE messages
Dec 20 20:19:53 localhost pluto[15013]: adding interface ppp0/ppp0 80.179.58.23:500
Dec 20 20:19:53 localhost pluto[15013]: adding interface ppp0/ppp0 80.179.58.23:4500
Dec 20 20:19:53 localhost pluto[15013]: adding interface eth0/eth0 10.10.1.1:500
Dec 20 20:19:53 localhost pluto[15013]: adding interface eth0/eth0 10.10.1.1:4500
Dec 20 20:19:53 localhost pluto[15013]: adding interface lo/lo 127.0.0.1:500
Dec 20 20:19:53 localhost pluto[15013]: adding interface lo/lo 127.0.0.1:4500
Dec 20 20:19:53 localhost pluto[15013]: loading secrets from "/etc/ipsec.secrets"
Dec 20 20:19:54 localhost pluto[15013]: packet from 85.65.23.16:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Dec 20 20:19:54 localhost pluto[15013]: packet from 85.65.23.16:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 20 20:19:54 localhost pluto[15013]: packet from 85.65.23.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Dec 20 20:19:54 localhost pluto[15013]: packet from 85.65.23.16:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 20 20:19:54 localhost pluto[15013]: "L2TP-PSK"[1] 85.65.23.16 #1: responding to Main Mode from unknown peer 85.65.23.16
Dec 20 20:19:54 localhost pluto[15013]: "L2TP-PSK"[1] 85.65.23.16 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 20 20:19:54 localhost pluto[15013]: "L2TP-PSK"[1] 85.65.23.16 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 20 20:19:55 localhost pluto[15013]: "L2TP-PSK"[1] 85.65.23.16 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 20 20:19:55 localhost pluto[15013]: "L2TP-PSK"[1] 85.65.23.16 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 20 20:19:55 localhost pluto[15013]: "L2TP-PSK"[1] 85.65.23.16 #1: STATE_MAIN_R2: sent MR2, expecting MI3
And it's just stuck there...
On the Windows box I'm getting an error 678 if I remember correctly.
I've tried different configurations I've seen on the web.
I've tried connecting from the world (as seen here) and from my local LAN,
still the same.
I've also applied the patch from the Debian packages:
kernel-patch-openswan - IPSEC kernel support for Openswan
No idea what else to do.
Any help or insight is most welcome.
Thanks in advance.
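
Added example, not part of the original post and not Openswan code: a small Python helper that re-joins folded pluto log entries like the ones quoted above and reports, for each IKE negotiation (`#N`), the last state pluto logged and whether the peer was detected behind NAT. The sample log is constructed (documentation addresses, hostname `gw`), and the function names are illustrative.

```python
import re
# Constructed sample in pluto's auth.log format (documentation addresses,
# hostname "gw"). The second entry is folded the way a mail archive folds lines.
SAMPLE_LOG = """\
Dec 20 20:19:54 gw pluto[15013]: "L2TP-PSK"[1] 192.0.2.10 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 20 20:19:55 gw pluto[15013]: "L2TP-PSK"[1] 192.0.2.10 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 20 20:19:55 gw pluto[15013]: "L2TP-PSK"[1] 192.0.2.10 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 20 20:21:02 gw pluto[15013]: "L2TP-PSK"[2] 198.51.100.7 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 20 20:21:02 gw pluto[15013]: "L2TP-PSK"[2] 198.51.100.7 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")   # syslog timestamp
ENTRY = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
                   r'#(?P<sa>\d+): (?P<msg>.*)')
STATUS = re.compile(r"(STATE_\w+): (.*)")                        # "STATE_X: detail"

def unwrap(text):
    """Re-join folded entries: a line with no timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Map each IKE state number (#N) to the last status pluto logged for it."""
    sas = {}
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue  # daemon-level lines (startup, interfaces) carry no #N
        sa = sas.setdefault(int(m["sa"]), {"conn": m["conn"], "peer": m["peer"],
                                           "state": None, "detail": "", "nat": False})
        sa["nat"] = sa["nat"] or "peer is NATed" in m["msg"]
        status = STATUS.match(m["msg"])
        if status:
            sa["state"], sa["detail"] = status.groups()
    return sas

def stalled(text):
    """Negotiations whose last logged status is not an established SA."""
    return {n: s for n, s in summarize(text).items() if "SA established" not in s["detail"]}

if __name__ == "__main__":
    for n, sa in stalled(SAMPLE_LOG).items():
        print(f'#{n} {sa["conn"]} {sa["peer"]}: {sa["state"]} ({sa["detail"]}), NAT={sa["nat"]}')
```

On a gateway it would be given the contents of /var/log/auth.log in place of the sample string.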