[Openswan Users] Openswan + l2tpd - Client can't connect (new)
Ranieri Oliveira
ranieri.oliveira at gmail.com
Tue Feb 1 00:30:49 CET 2005
What's wrong ???
My Compilation ?
My Configuration ?
I ?
What ?
mkdir /root/vpn
cd /root/vpn
wget http://www.openswan.org/download/openswan-2.3.0.kernel-2.4-klips.patch.gz
wget http://www.openswan.org/download/openswan-2.3.0.tar.gz
wget http://www.l2tpd.org/downloads/l2tpd-0.69.tar.gz
cd /usr/src
zcat /root/vpn/openswan-2.3.0.kernel-2.4-klips.patch.gz | patch -p0
===============output of applying the patch============================
patching file linux/Documentation/Configure.help
Hunk #1 succeeded at 28821 with fuzz 2 (offset 4584 lines).
patching file linux/README.openswan-2
patching file linux/crypto/ciphers/aes/test_main.c
patching file linux/crypto/ciphers/aes/test_main_mac.c
patching file linux/include/crypto/aes.h
patching file linux/include/crypto/aes_cbc.h
patching file linux/include/crypto/aes_xcbc_mac.h
patching file linux/include/crypto/cbc_generic.h
patching file linux/include/crypto/des.h
patching file linux/include/des/des_locl.h
patching file linux/include/des/des_ver.h
patching file linux/include/des/podd.h
patching file linux/include/des/sk.h
patching file linux/include/des/spr.h
patching file linux/include/mast.h
patching file linux/include/openswan.h
patching file linux/include/openswan/ipcomp.h
patching file linux/include/openswan/ipsec_ah.h
patching file linux/include/openswan/ipsec_alg.h
patching file linux/include/openswan/ipsec_auth.h
patching file linux/include/openswan/ipsec_encap.h
patching file linux/include/openswan/ipsec_eroute.h
patching file linux/include/openswan/ipsec_errs.h
patching file linux/include/openswan/ipsec_esp.h
patching file linux/include/openswan/ipsec_ipcomp.h
patching file linux/include/openswan/ipsec_ipe4.h
patching file linux/include/openswan/ipsec_ipip.h
patching file linux/include/openswan/ipsec_kern24.h
patching file linux/include/openswan/ipsec_kversion.h
patching file linux/include/openswan/ipsec_life.h
patching file linux/include/openswan/ipsec_md5h.h
patching file linux/include/openswan/ipsec_param.h
patching file linux/include/openswan/ipsec_policy.h
patching file linux/include/openswan/ipsec_proto.h
patching file linux/include/openswan/ipsec_radij.h
patching file linux/include/openswan/ipsec_rcv.h
patching file linux/include/openswan/ipsec_sa.h
patching file linux/include/openswan/ipsec_sha1.h
patching file linux/include/openswan/ipsec_stats.h
patching file linux/include/openswan/ipsec_tunnel.h
patching file linux/include/openswan/ipsec_xform.h
patching file linux/include/openswan/ipsec_xmit.h
patching file linux/include/openswan/passert.h
patching file linux/include/openswan/pfkey_debug.h
patching file linux/include/openswan/radij.h
patching file linux/include/pfkey.h
patching file linux/include/pfkeyv2.h
patching file linux/include/zlib/zconf.h
patching file linux/include/zlib/zlib.h
patching file linux/include/zlib/zutil.h
patching file linux/lib/libfreeswan/Makefile.objs
patching file linux/lib/zlib/Makefile
patching file linux/lib/zlib/Makefile.objs
patching file linux/net/Config.in
Hunk #1 succeeded at 102 with fuzz 1 (offset 14 lines).
patching file linux/net/Makefile
Hunk #1 succeeded at 18 with fuzz 2 (offset 1 line).
patching file linux/net/ipsec/Config.in
patching file linux/net/ipsec/Kconfig
patching file linux/net/ipsec/Makefile
patching file linux/net/ipsec/README-zlib
patching file linux/net/ipsec/README-zlib.freeswan
patching file linux/net/ipsec/addrtoa.c
patching file linux/net/ipsec/addrtot.c
patching file linux/net/ipsec/addrtypeof.c
patching file linux/net/ipsec/adler32.c
patching file linux/net/ipsec/aes/aes-i586.S
patching file linux/net/ipsec/aes/aes.c
patching file linux/net/ipsec/aes/aes_cbc.c
patching file linux/net/ipsec/aes/aes_xcbc_mac.c
patching file linux/net/ipsec/aes/ipsec_alg_aes.c
patching file linux/net/ipsec/alg/Config.alg_aes.in
patching file linux/net/ipsec/alg/Config.alg_cryptoapi.in
patching file linux/net/ipsec/alg/Config.in
patching file linux/net/ipsec/alg/Makefile
patching file linux/net/ipsec/alg/Makefile.alg_aes
patching file linux/net/ipsec/alg/Makefile.alg_cryptoapi
patching file linux/net/ipsec/alg/ipsec_alg_aes.c
patching file linux/net/ipsec/alg/ipsec_alg_cryptoapi.c
patching file linux/net/ipsec/alg/scripts/mk-static_init.c.sh
patching file linux/net/ipsec/anyaddr.c
patching file linux/net/ipsec/datatot.c
patching file linux/net/ipsec/defconfig
patching file linux/net/ipsec/deflate.c
patching file linux/net/ipsec/deflate.h
patching file linux/net/ipsec/des/COPYRIGHT
patching file linux/net/ipsec/des/INSTALL
patching file linux/net/ipsec/des/README
patching file linux/net/ipsec/des/README.freeswan
patching file linux/net/ipsec/des/VERSION
patching file linux/net/ipsec/des/asm/des-586.pl
patching file linux/net/ipsec/des/asm/des686.pl
patching file linux/net/ipsec/des/asm/desboth.pl
patching file linux/net/ipsec/des/asm/readme
patching file linux/net/ipsec/des/cbc_enc.c
patching file linux/net/ipsec/des/des.doc
patching file linux/net/ipsec/des/des_enc.c
patching file linux/net/ipsec/des/des_opts.c
patching file linux/net/ipsec/des/dx86unix.S
patching file linux/net/ipsec/des/ecb_enc.c
patching file linux/net/ipsec/des/set_key.c
patching file linux/net/ipsec/goodmask.c
patching file linux/net/ipsec/infblock.c
patching file linux/net/ipsec/infblock.h
patching file linux/net/ipsec/infcodes.c
patching file linux/net/ipsec/infcodes.h
patching file linux/net/ipsec/inffast.c
patching file linux/net/ipsec/inffast.h
patching file linux/net/ipsec/inffixed.h
patching file linux/net/ipsec/inflate.c
patching file linux/net/ipsec/inftrees.c
patching file linux/net/ipsec/inftrees.h
patching file linux/net/ipsec/infutil.c
patching file linux/net/ipsec/infutil.h
patching file linux/net/ipsec/initaddr.c
patching file linux/net/ipsec/ipcomp.c
patching file linux/net/ipsec/ipsec_ah.c
patching file linux/net/ipsec/ipsec_alg.c
patching file linux/net/ipsec/ipsec_alg_cryptoapi.c
patching file linux/net/ipsec/ipsec_esp.c
patching file linux/net/ipsec/ipsec_init.c
patching file linux/net/ipsec/ipsec_ipcomp.c
patching file linux/net/ipsec/ipsec_ipip.c
patching file linux/net/ipsec/ipsec_life.c
patching file linux/net/ipsec/ipsec_mast.c
patching file linux/net/ipsec/ipsec_md5c.c
patching file linux/net/ipsec/ipsec_proc.c
patching file linux/net/ipsec/ipsec_radij.c
patching file linux/net/ipsec/ipsec_rcv.c
patching file linux/net/ipsec/ipsec_sa.c
patching file linux/net/ipsec/ipsec_sha1.c
patching file linux/net/ipsec/ipsec_tunnel.c
patching file linux/net/ipsec/ipsec_xform.c
patching file linux/net/ipsec/ipsec_xmit.c
patching file linux/net/ipsec/match586.S
patching file linux/net/ipsec/match686.S
patching file linux/net/ipsec/pfkey_v2.c
patching file linux/net/ipsec/pfkey_v2_build.c
patching file linux/net/ipsec/pfkey_v2_debug.c
patching file linux/net/ipsec/pfkey_v2_ext_bits.c
patching file linux/net/ipsec/pfkey_v2_ext_process.c
patching file linux/net/ipsec/pfkey_v2_parse.c
patching file linux/net/ipsec/pfkey_v2_parser.c
patching file linux/net/ipsec/prng.c
patching file linux/net/ipsec/radij.c
patching file linux/net/ipsec/rangetoa.c
patching file linux/net/ipsec/satot.c
patching file linux/net/ipsec/subnetof.c
patching file linux/net/ipsec/subnettoa.c
patching file linux/net/ipsec/sysctl_net_ipsec.c
patching file linux/net/ipsec/trees.c
patching file linux/net/ipsec/trees.h
patching file linux/net/ipsec/ultoa.c
patching file linux/net/ipsec/ultot.c
patching file linux/net/ipsec/version.c
patching file linux/net/ipsec/zutil.c
patching file linux/net/ipv4/af_inet.c
Hunk #1 succeeded at 1186 (offset 167 lines).
patching file linux/net/ipsec/Makefile.ver
==============end of patch===========================
cd /root/vpn
tar -xzvf openswan-2.3.0.tar.gz
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux nattpatch > /usr/src/natt.patch
cd /usr/src
cat natt.patch | patch -p0
===============output of applying the patch============================
patching file linux/include/net/sock.h
Hunk #1 succeeded at 447 with fuzz 1 (offset -41 lines).
patching file linux/net/Config.in
Hunk #1 succeeded at 108 with fuzz 1 (offset 20 lines).
patching file linux/net/ipv4/udp.c
Hunk #1 succeeded at 807 (offset 20 lines).
Hunk #3 succeeded at 1084 (offset 20 lines).
==============end of patch===========================
cd linux
make menuconfig
=============== I selected the options ==========================
<M> IP Security Protocol (Openswan IPSEC) (NEW)
--- IPsec options (Openswan)
[*] IPsec: IP-in-IP encapsulation (tunnel mode) (NEW)
[*] IPsec: Authentication Header (NEW)
[*] IPsec: Encapsulating Security Payload (NEW)
--- IPsec algorithms to include
[*] 3DES encryption algorithm (NEW)
[*] AES encryption algorithm (NEW)
[*] HMAC-MD5 authentication algorithm (NEW)
[*] HMAC-SHA1 authentication algorithm (NEW)
[*] IPsec Modular Extensions (NEW)
[*] IPsec: IP Compression (NEW)
[*] IPsec Debugging Option (NEW)
[*] IPSEC NAT-Traversal (NEW)
==============================================================
make dep
make bzImage
make modules
make modules_install
cp System.map /boot/System.map-openswan
cp arch/i386/boot/bzImage /boot/vmlinuz-openswan
cd /boot
ln -sf System.map-openswan System.map
# Edit the /etc/lilo.conf and add for openswan kernel
vi /etc/lilo.conf
add lines:
image = /boot/vmlinuz-openswan
root = /dev/hda2
label = Linux-Openswan
read-only
#Re-load lilo
lilo
#Reboot the system
reboot
#Now with new kernel
cd vpn
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux programs
make KERNELSRC=/usr/src/linux install
cd ..
tar -xzvf l2tpd-0.69.tar.gz
cd l2tpd-0.69
make
cp l2tpd /usr/sbin/
mkdir /etc/l2tpd
#create file /etc/l2tpd/l2tpd.conf and add lines:
================start /etc/l2tpd/l2tpd.conf=============
[global]
; listen-addr = 192.168.1.98
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
================end /etc/l2tpd/l2tpd.conf===============
#create file /etc/ppp/options.l2tpd and add lines:
==================start /etc/ppp/options.l2tpd==========
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
===================end /etc/ppp/options.l2tpd==========
#edit file /etc/ppp/chap-secrets and add user:
ronaldo * 123456 192.168.1.200
#create file /etc/ipsec.conf and add lines:
==================start /etc/ipsec.conf================
version 2.0
config setup
conn L2TP-PSK-orgWIN2KXP
    authby=secret
    pfs=no
    left=201.13.95.132
    leftprotoport=17/1701
    right=200.158.201.98
    rightprotoport=17/1701
    auto=add
    keyingtries=3
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
====================end /etc/ipsec.conf==============
#create file /etc/ipsec.secrets and add line:
==============start /etc/ipsec.secrets===============
201.13.95.132 200.158.201.98: PSK 0xb6653806_d12b2212_fa37943f_615dbbe8
==============end /etc/ipsec.secrets=================
cd /etc/rc.d/
./ipsec --start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: Using /lib/modules/2.4.26/kernel/ipsec.o
cat /var/log/secure
Jan 31 21:52:26 darkstar ipsec__plutorun: Starting Pluto subsystem...
Jan 31 21:52:26 darkstar pluto[5006]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 31 21:52:26 darkstar pluto[5006]: Setting port floating to off
Jan 31 21:52:26 darkstar pluto[5006]: port floating activate 0/1
Jan 31 21:52:26 darkstar pluto[5006]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jan 31 21:52:26 darkstar pluto[5006]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 31 21:52:26 darkstar pluto[5006]: starting up 1 cryptographic helpers
Jan 31 21:52:26 darkstar pluto[5006]: started helper pid=5007 (fd:6)
Jan 31 21:52:26 darkstar pluto[5006]: Using KLIPS IPsec interface code
Jan 31 21:52:26 darkstar pluto[5006]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 31 21:52:26 darkstar pluto[5006]: Could not change to directory '/etc/ipsec.d/aacerts'
Jan 31 21:52:26 darkstar pluto[5006]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jan 31 21:52:26 darkstar pluto[5006]: Changing to directory '/etc/ipsec.d/crls'
Jan 31 21:52:26 darkstar pluto[5006]: Warning: empty directory
Jan 31 21:52:26 darkstar pluto[5006]: added connection description "L2TP-PSK-orgWIN2KXP"
Jan 31 21:52:26 darkstar pluto[5006]: listening for IKE messages
Jan 31 21:52:26 darkstar pluto[5006]: adding interface ipsec0/ppp0 201.13.95.132
Jan 31 21:52:26 darkstar pluto[5006]: loading secrets from "/etc/ipsec.secrets"
/usr/sbin/l2tpd
This binary does not support kernel L2TP.
cat /var/log/messages
Jan 30 22:52:00 darkstar l2tpd[950]: This binary does not support kernel L2TP.
Jan 30 22:52:00 darkstar l2tpd[951]: l2tpd version 0.69 started on darkstar PID:951
Jan 30 22:52:00 darkstar l2tpd[951]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 30 22:52:00 darkstar l2tpd[951]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 30 22:52:00 darkstar l2tpd[951]: Inhereted by Jeff McAdams, (C) 2002
Jan 30 22:52:00 darkstar l2tpd[951]: Linux version 2.4.26 on a i686, port 1701
ALL OK ??? OR NO ???
========================================================
When the client tries to connect, I get:
cat /var/log/secure
Jan 31 21:47:49 darkstar pluto[4799]: packet from 200.158.201.98:50888: ignoring Vendor ID payload [FRAGMENTATION]
Jan 31 21:47:49 darkstar pluto[4799]: packet from 200.158.201.98:50888: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 31 21:47:49 darkstar pluto[4799]: packet from 200.158.201.98:50888: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan 31 21:47:49 darkstar pluto[4799]: packet from 200.158.201.98:50888: initial Main Mode message received on 201.13.95.132:500 but no connection has been authorized
My God!!!
Why ??? Why ??? Why ???
Jacco, please help me... and the other people too. :-)
I'm using Slackware 10 with kernel 2.4.26
Thanks.
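
An added example, not part of the original post: a small triage script that reads pluto log lines like the ones above and reports, per peer, the conditions visible in them (IKE arriving from a source port other than 500, a NAT-T vendor ID received while port floating is off, and a Main Mode request rejected because no connection was authorized). The sample lines are copied from the post with the e-mail line wraps joined; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines from the post (two separate pluto runs), e-mail wraps joined.
SAMPLE = """\
Jan 31 21:52:26 darkstar pluto[5006]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jan 31 21:47:49 darkstar pluto[4799]: packet from 200.158.201.98:50888: ignoring Vendor ID payload [FRAGMENTATION]
Jan 31 21:47:49 darkstar pluto[4799]: packet from 200.158.201.98:50888: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan 31 21:47:49 darkstar pluto[4799]: packet from 200.158.201.98:50888: initial Main Mode message received on 201.13.95.132:500 but no connection has been authorized
"""

PLUTO = re.compile(r"pluto\[\d+\]: (?P<msg>.*)$")
PEER = re.compile(r"packet from (?P<ip>[\d.]+):(?P<port>\d+): (?P<rest>.*)$")
IKE_PORT = 500  # standard IKE UDP port


def triage(log_text):
    """Return (nat_t_disabled, {peer_ip: sorted list of findings})."""
    nat_t_disabled = False
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue  # not a pluto line
        msg = m.group("msg")
        # Startup banner says whether NAT-T support is switched on.
        if "NAT-Traversal patch" in msg and msg.endswith("[disabled]"):
            nat_t_disabled = True
        p = PEER.match(msg)
        if not p:
            continue  # pluto line that is not tied to a peer packet
        ip, port, rest = p.group("ip"), int(p.group("port")), p.group("rest")
        if port != IKE_PORT:
            findings[ip].add(f"IKE source port {port} is not {IKE_PORT}")
        if "nat-t" in rest and "port floating is off" in rest:
            findings[ip].add("peer offers NAT-T but port floating is off")
        if "no connection has been authorized" in rest:
            findings[ip].add("Main Mode rejected: no connection authorized")
    return nat_t_disabled, {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    disabled, report = triage(SAMPLE)
    print("NAT-T disabled at startup:", disabled)
    for ip, items in report.items():
        for item in items:
            print(f"{ip}: {item}")
```

Openswan enables NAT-T with `nat_traversal=yes` under `config setup`; the script only reports what the log shows and does not read `ipsec.conf`.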