[Openswan Users]

Dirk Nehring dnehring at marcant.net
Sun Dec 25 22:39:16 CET 2005


On Tue, Dec 20, 2005 at 04:38:03PM +0100, Paul Wouters wrote:
> On Mon, 19 Dec 2005, Dirk Nehring wrote:
>
> > > Well, I'm not sure if the combination PSK, NAT-T and transport mode is
> > > officially supported by Openswan. So you might have to ditch that PSK.
> > > I have moved the thread to the users mailinglist because I am not yet
> > > convinced this is a developers issue.
> >
> > something gets broken between 2.3.1 and 2.4.0. For me it's a dev-issue,
> > __if__ transport mode is supported.
>
> Correct, a few things broke. Most of those are fixed in 2.4.5rc3.
>
> > Works with 2.3.1 without problems, but since 2.4.0dr??? it doesn't work
> > anymore. Currently I'm using kernel version 2.6.14.3. I can give you a
> > test account if you like to check it by yourself.
>
> Are you using klips or netkey? klips incorrectly didn't set the mtu on
> the interface, causing a lot of really small packets to be sent. The
> following fix (from cvs) needs to be applied to 2.4.5dr3 in ipsec_xmit.c
> around line 400:
>
>         ixs->physmtu = ixs->physdev->mtu;
> +       ixs->cur_mtu = ixs->dev->mtu;
>
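Review bot: the fragment carries no @@ header and only one line of leading context, so "around line 400" is the sole placement hint; quoting the enclosing function name or the two lines above `ixs->physmtu = ixs->physdev->mtu;` would make it applicable without guesswork. The added `ixs->cur_mtu = ixs->dev->mtu;` also dereferences ixs->dev with no check, unlike nothing visible here establishing that dev is set at that point; if dev can still be NULL there, a guard is needed, and if it cannot, the accompanying text should say so. The fix is also described as KLIPS-only, which should be stated next to the hunk since it does not help NETKEY users.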
> Or check out the 2_4_x branch using cvs.

Hello Paul,

sorry for the late reply. I'm trying to figure out the problem. I am using
NETKEY with 2.6.14.4. ppp is 2.4.3. In my test setup, I am using EAP-TLS
authentication and CHAP (without RADIUS). Here is my config:

ipsec.conf:
-----------------------------------------------------------------
version 2.0

config setup
        plutodebug="control"
        plutostderrlog=/var/log/pluto.log
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        left=1.2.3.4

include /etc/ipsec.d/examples/no_oe.conf

conn L2TP
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        leftprotoport=17/1701
        pfs=no
        keyingtries=3
        authby=secret
        ike=3des-md5
        esp=3des-sha1,3des-md5
        auto=add
-----------------------------------------------------------------

l2tp.conf:
-----------------------------------------------------------------
global
load-handler "sync-pppd.so"
load-handler "cmd.so"

section sync-pppd
lns-pppd-opts "file /etc/ppp/options.l2tpd"

section peer
peer 0.0.0.0
mask 0
port 1701
lns-handler sync-pppd
hide-avps no

section cmd
-----------------------------------------------------------------

options.l2tpd:
-----------------------------------------------------------------
name l2tpd
#plugin /usr/lib/pppd/2.4.3/radius.so
#plugin /usr/lib/pppd/2.4.3/radattr.so
debug
lock
ipcp-accept-local
ipcp-accept-remote
ms-dns 2.3.4.5
mtu 1376
#require-eap
require-chap
lcp-echo-failure 3
lcp-echo-interval 10
#avpair Framed-MTU=1362
-----------------------------------------------------------------

It's a relatively easy setup, for bug hunting. With openswan 2.3.1, I
have no problem. Now I tested 2.4.5dr3 with the MTU patch. PPP
authentication after successful IPSec authentication doesn't work.

ppp.log:
-----------------------------------------------------------------
Dec 25 22:33:57 vpn-test pppd[2806]: pppd 2.4.3 started by root, uid 0
Dec 25 22:33:57 vpn-test pppd[2806]: using channel 10
Dec 25 22:33:57 vpn-test pppd[2806]: Using interface ppp0
Dec 25 22:33:57 vpn-test pppd[2806]: Connect: ppp0 <--> /dev/pts/1
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=25] [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x238d652f>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=25] [LCP ConfReq id=0x0 <mru 1400> <magic 0x64be043d> <pcomp> <accomp> <callback CBCP>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=15] [LCP ConfRej id=0x0 <pcomp> <accomp> <callback CBCP>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=25] [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x238d652f>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=18] [LCP ConfReq id=0x1 <mru 1400> <magic 0x64be043d>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=18] [LCP ConfAck id=0x1 <mru 1400> <magic 0x64be043d>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=12] [LCP EchoReq id=0x0 magic=0x238d652f]
Dec 25 22:33:57 vpn-test pppd[2806]: link mtu = 1376
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=33] [CHAP Challenge id=0x7e <ce2c82d387c468cdd65a076b8e46456eb90b2c>, name = "l2tpd"]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=22] [LCP code=0xc id=0x2 64 be 04 3d 4d 53 52 41 53 56 35 2e 31 30]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=26] [LCP CodeRej id=0x2 0c 02 00 12 64 be 04 3d 4d 53 52 41 53 56 35 2e 31 30]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=26] [LCP code=0xc id=0x3 64 be 04 3d 4d 53 52 41 53 2d 30 2d 42 52 55 54 55 53]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=30] [LCP CodeRej id=0x3 0c 03 00 16 64 be 04 3d 4d 53 52 41 53 2d 30 2d 42 52 55 54 55 53]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=12] [LCP EchoRep id=0x0 magic=0x64be043d]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=29] [CHAP Response id=0x7e <94273269eb3e9396d8fb44543a3f19e7>, name = "test"]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=22] [CHAP Success id=0x7e "Access granted"]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=14] [CCP ConfReq id=0x1 <mppe -H -M -S -L -D +C>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x1 <addr 217.14.169.21>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=14] [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=14] [CCP ConfNak id=0x4 <mppe -H -M -S -L -D +C>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=38] [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=20] [IPCP ConfRej id=0x5 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=14] [CCP ConfAck id=0x1 <mppe -H -M -S -L -D +C>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=14] [IPCP ConfAck id=0x1 <addr 217.14.169.21>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=14] [CCP ConfReq id=0x6 <mppe -H -M -S -L -D +C>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=14] [CCP ConfAck id=0x6 <mppe -H -M -S -L -D +C>]
Dec 25 22:33:57 vpn-test pppd[2806]: MPPC compression enabled
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=26] [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=26] [IPCP ConfNak id=0x7 <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:33:57 vpn-test pppd[2806]: rcvd [len=26] [IPCP ConfReq id=0x8 <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:33:57 vpn-test pppd[2806]: sent [len=26] [IPCP ConfAck id=0x8 <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:33:57 vpn-test pppd[2806]: local  IP address 217.14.169.21
Dec 25 22:33:57 vpn-test pppd[2806]: remote IP address 10.0.0.102
Dec 25 22:33:58 vpn-test pppd[2806]: Script /etc/ppp/ip-up started (pid 2810)
Dec 25 22:33:58 vpn-test pppd[2806]: Script /etc/ppp/ip-up finished (pid 2810), status = 0x0
Dec 25 22:33:59 vpn-test pppd[2806]: rcvd [len=26] [IPCP ConfReq id=0x9 <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:33:59 vpn-test pppd[2806]: Connect time 0.1 minutes.
Dec 25 22:33:59 vpn-test pppd[2806]: Sent 0 bytes, received 22 bytes.
Dec 25 22:33:59 vpn-test pppd[2806]: Script /etc/ppp/ip-down started (pid 2812)
Dec 25 22:33:59 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:33:59 vpn-test pppd[2806]: sent [len=26] [IPCP ConfAck id=0x9 <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:33:59 vpn-test pppd[2806]: Script /etc/ppp/ip-down finished (pid 2812), status = 0x0
Dec 25 22:34:02 vpn-test pppd[2806]: rcvd [len=26] [IPCP ConfReq id=0xa <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:34:02 vpn-test pppd[2806]: sent [len=26] [IPCP ConfAck id=0xa <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:34:02 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:05 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:06 vpn-test pppd[2806]: rcvd [len=26] [IPCP ConfReq id=0xb <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:34:06 vpn-test pppd[2806]: sent [len=26] [IPCP ConfAck id=0xb <addr 10.0.0.102> <ms-dns1 217.14.160.130> <ms-dns3 217.14.160.130>]
Dec 25 22:34:08 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:10 vpn-test pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0xc <addr 10.0.0.102>]
Dec 25 22:34:10 vpn-test pppd[2806]: sent [len=14] [IPCP ConfAck id=0xc <addr 10.0.0.102>]
Dec 25 22:34:11 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:14 vpn-test pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0xd <addr 10.0.0.102>]
Dec 25 22:34:14 vpn-test pppd[2806]: sent [len=14] [IPCP ConfAck id=0xd <addr 10.0.0.102>]
Dec 25 22:34:14 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:17 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:18 vpn-test pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0xe <addr 10.0.0.102>]
Dec 25 22:34:18 vpn-test pppd[2806]: sent [len=14] [IPCP ConfAck id=0xe <addr 10.0.0.102>]
Dec 25 22:34:20 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:22 vpn-test pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0xf <addr 10.0.0.102>]
Dec 25 22:34:22 vpn-test pppd[2806]: sent [len=14] [IPCP ConfAck id=0xf <addr 10.0.0.102>]
Dec 25 22:34:23 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:26 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
Dec 25 22:34:26 vpn-test pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0x10 <addr 10.0.0.102>]
Dec 25 22:34:26 vpn-test pppd[2806]: sent [len=14] [IPCP ConfAck id=0x10 <addr 10.0.0.102>]
Dec 25 22:34:29 vpn-test pppd[2806]: IPCP: timeout sending Config-Requests
Dec 25 22:34:30 vpn-test pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0x11 <addr 10.0.0.102>]
Dec 25 22:34:30 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x3 <addr 217.14.169.21>]
Dec 25 22:34:30 vpn-test pppd[2806]: sent [len=14] [IPCP ConfAck id=0x11 <addr 10.0.0.102>]
Dec 25 22:34:33 vpn-test pppd[2806]: sent [len=14] [IPCP ConfReq id=0x3 <addr 217.14.169.21>]
Dec 25 22:34:34 vpn-test pppd[2806]: rcvd [len=20] [LCP TermReq id=0x12 "d\37777777676\004=\000<\37777777715t\000\000\000\000"]
Dec 25 22:34:34 vpn-test pppd[2806]: LCP terminated by peer (dM->^D=^@<M-Mt^@^@^@^@)
Dec 25 22:34:34 vpn-test pppd[2806]: sent [len=8] [LCP TermAck id=0x12]
Dec 25 22:34:37 vpn-test pppd[2806]: Connection terminated.
Dec 25 22:34:37 vpn-test pppd[2806]: Connect time 0.7 minutes.
Dec 25 22:34:37 vpn-test pppd[2806]: Sent 246 bytes, received 126 bytes.
Dec 25 22:34:37 vpn-test pppd[2806]: using channel 11
Dec 25 22:34:37 vpn-test pppd[2806]: Using interface ppp0
Dec 25 22:34:37 vpn-test pppd[2806]: Connect: ppp0 <--> /dev/pts/1
Dec 25 22:34:37 vpn-test pppd[2806]: sent [len=25] [LCP ConfReq id=0x4 <asyncmap 0x0> <auth chap MD5> <magic 0x6b8f08b9>]
Dec 25 22:34:37 vpn-test pppd[2806]: tcflush failed: Bad file descriptor
Dec 25 22:34:37 vpn-test pppd[2806]: tcsetattr: Invalid argument (line 1001)
Dec 25 22:34:37 vpn-test pppd[2806]: Exit.
-----------------------------------------------------------------

There must be another problem which was introduced in 2.4.0.

Dirk
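The ppp.log above shows CHAP succeeding but IPCP never converging: pppd's own ConfReq id=0x2 is re-sent without ever being acknowledged, while the peer keeps sending fresh ConfReqs after each of our ConfAcks, until "IPCP: timeout sending Config-Requests". The following is an added example, not from the original post or from Openswan/pppd, that scans pppd log lines for exactly that pattern so the one-way loss can be spotted without reading the whole log by hand. The sample lines are constructed in the shape of the log above, with timestamps omitted.

```python
import re
from collections import defaultdict

# Matches pppd lines like: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
LINE_RE = re.compile(
    r"pppd\[\d+\]: (?P<dir>sent|rcvd) \[len=\d+\] "
    r"\[(?P<proto>[A-Z]+) (?P<code>Conf(?:Req|Ack|Nak|Rej)) id=(?P<id>0x[0-9a-f]+)"
)

def analyse_ncp(lines, proto="IPCP"):
    """Summarise one pppd session's negotiation for `proto` (IPCP, CCP, ...).
    Reports our ConfReq ids that were never answered, how often they were
    re-sent, peer ConfReqs that kept arriving after we had already sent a
    ConfAck (the peer is evidently not seeing our replies), and the timeout."""
    sent, answered = defaultdict(int), set()
    acked_peer = timed_out = False
    peer_reqs_after_ack = 0
    for line in lines:
        if f"{proto}: timeout sending Config-Requests" in line:
            timed_out = True
            continue
        m = LINE_RE.search(line)
        if not m or m.group("proto") != proto:
            continue
        d, code, cid = m.group("dir"), m.group("code"), m.group("id")
        if d == "sent" and code == "ConfReq":
            sent[cid] += 1                    # our request (or a retransmit)
        elif d == "sent" and code == "ConfAck":
            acked_peer = True                 # we accepted the peer's options
        elif d == "rcvd" and code == "ConfReq" and acked_peer:
            peer_reqs_after_ack += 1          # peer did not see our ConfAck
        elif d == "rcvd" and code in ("ConfAck", "ConfNak", "ConfRej"):
            answered.add(cid)                 # peer replied to our request
    return {
        "unanswered": sorted(i for i in sent if i not in answered),
        "max_retransmits": max((n - 1 for n in sent.values()), default=0),
        "peer_reqs_after_ack": peer_reqs_after_ack,
        "timed_out": timed_out,
    }

# Constructed sample shaped like the ppp.log above (not the real log).
SAMPLE_LOG = """\
pppd[2806]: sent [len=14] [IPCP ConfReq id=0x1 <addr 217.14.169.21>]
pppd[2806]: rcvd [len=14] [IPCP ConfAck id=0x1 <addr 217.14.169.21>]
pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0x8 <addr 10.0.0.102>]
pppd[2806]: sent [len=14] [IPCP ConfAck id=0x8 <addr 10.0.0.102>]
pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
pppd[2806]: rcvd [len=14] [IPCP ConfReq id=0x9 <addr 10.0.0.102>]
pppd[2806]: sent [len=14] [IPCP ConfReq id=0x2 <addr 217.14.169.21>]
pppd[2806]: IPCP: timeout sending Config-Requests
""".splitlines()
```

Run it over a full ppp.log with `analyse_ncp(open("ppp.log").readlines())`; a non-empty `unanswered` list together with a positive `peer_reqs_after_ack` means packets in one direction are being lost after the link came up, which points at the IPsec/NAT-T path rather than at PPP authentication.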
