[Openswan Users] NEW - Openswan + l2tpd - Client can't connect

Ranieri Oliveira ranieri.oliveira at gmail.com
Wed Feb 2 00:53:31 CET 2005


Now, with l2tpd 0.70pre and nattpatch enabled...

What's wrong ???
My Compilation ?
My Configuration ?
I ?
What ?

mkdir /root/vpn
cd /root/vpn
wget http://www.openswan.org/download/openswan-2.3.0.kernel-2.4-klips.patch.gz
wget http://www.openswan.org/download/openswan-2.3.0.tar.gz
wget ftp.debian.org/debian/pool/main/l/l2tpd/l2tpd_0.70-pre20031121.orig.tar.gz
wget ftp.debian.org/debian/pool/main/l/l2tpd/l2tpd_0.70-pre20031121-2.diff.gz

cd /usr/src
zcat /root/vpn/openswan-2.3.0.kernel-2.4-klips.patch.gz | patch -p0

===============output of applying the patch============================

patching file linux/Documentation/Configure.help
Hunk #1 succeeded at 28821 with fuzz 2 (offset 4584 lines).
patching file linux/README.openswan-2
patching file linux/crypto/ciphers/aes/test_main.c
patching file linux/crypto/ciphers/aes/test_main_mac.c
patching file linux/include/crypto/aes.h
patching file linux/include/crypto/aes_cbc.h
patching file linux/include/crypto/aes_xcbc_mac.h
patching file linux/include/crypto/cbc_generic.h
patching file linux/include/crypto/des.h
patching file linux/include/des/des_locl.h
patching file linux/include/des/des_ver.h
patching file linux/include/des/podd.h
patching file linux/include/des/sk.h
patching file linux/include/des/spr.h
patching file linux/include/mast.h
patching file linux/include/openswan.h
patching file linux/include/openswan/ipcomp.h
patching file linux/include/openswan/ipsec_ah.h
patching file linux/include/openswan/ipsec_alg.h
patching file linux/include/openswan/ipsec_auth.h
patching file linux/include/openswan/ipsec_encap.h
patching file linux/include/openswan/ipsec_eroute.h
patching file linux/include/openswan/ipsec_errs.h
patching file linux/include/openswan/ipsec_esp.h
patching file linux/include/openswan/ipsec_ipcomp.h
patching file linux/include/openswan/ipsec_ipe4.h
patching file linux/include/openswan/ipsec_ipip.h
patching file linux/include/openswan/ipsec_kern24.h
patching file linux/include/openswan/ipsec_kversion.h
patching file linux/include/openswan/ipsec_life.h
patching file linux/include/openswan/ipsec_md5h.h
patching file linux/include/openswan/ipsec_param.h
patching file linux/include/openswan/ipsec_policy.h
patching file linux/include/openswan/ipsec_proto.h
patching file linux/include/openswan/ipsec_radij.h
patching file linux/include/openswan/ipsec_rcv.h
patching file linux/include/openswan/ipsec_sa.h
patching file linux/include/openswan/ipsec_sha1.h
patching file linux/include/openswan/ipsec_stats.h
patching file linux/include/openswan/ipsec_tunnel.h
patching file linux/include/openswan/ipsec_xform.h
patching file linux/include/openswan/ipsec_xmit.h
patching file linux/include/openswan/passert.h
patching file linux/include/openswan/pfkey_debug.h
patching file linux/include/openswan/radij.h
patching file linux/include/pfkey.h
patching file linux/include/pfkeyv2.h
patching file linux/include/zlib/zconf.h
patching file linux/include/zlib/zlib.h
patching file linux/include/zlib/zutil.h
patching file linux/lib/libfreeswan/Makefile.objs
patching file linux/lib/zlib/Makefile
patching file linux/lib/zlib/Makefile.objs
patching file linux/net/Config.in
Hunk #1 succeeded at 102 with fuzz 1 (offset 14 lines).
patching file linux/net/Makefile
Hunk #1 succeeded at 18 with fuzz 2 (offset 1 line).
patching file linux/net/ipsec/Config.in
patching file linux/net/ipsec/Kconfig
patching file linux/net/ipsec/Makefile
patching file linux/net/ipsec/README-zlib
patching file linux/net/ipsec/README-zlib.freeswan
patching file linux/net/ipsec/addrtoa.c
patching file linux/net/ipsec/addrtot.c
patching file linux/net/ipsec/addrtypeof.c
patching file linux/net/ipsec/adler32.c
patching file linux/net/ipsec/aes/aes-i586.S
patching file linux/net/ipsec/aes/aes.c
patching file linux/net/ipsec/aes/aes_cbc.c
patching file linux/net/ipsec/aes/aes_xcbc_mac.c
patching file linux/net/ipsec/aes/ipsec_alg_aes.c
patching file linux/net/ipsec/alg/Config.alg_aes.in
patching file linux/net/ipsec/alg/Config.alg_cryptoapi.in
patching file linux/net/ipsec/alg/Config.in
patching file linux/net/ipsec/alg/Makefile
patching file linux/net/ipsec/alg/Makefile.alg_aes
patching file linux/net/ipsec/alg/Makefile.alg_cryptoapi
patching file linux/net/ipsec/alg/ipsec_alg_aes.c
patching file linux/net/ipsec/alg/ipsec_alg_cryptoapi.c
patching file linux/net/ipsec/alg/scripts/mk-static_init.c.sh
patching file linux/net/ipsec/anyaddr.c
patching file linux/net/ipsec/datatot.c
patching file linux/net/ipsec/defconfig
patching file linux/net/ipsec/deflate.c
patching file linux/net/ipsec/deflate.h
patching file linux/net/ipsec/des/COPYRIGHT
patching file linux/net/ipsec/des/INSTALL
patching file linux/net/ipsec/des/README
patching file linux/net/ipsec/des/README.freeswan
patching file linux/net/ipsec/des/VERSION
patching file linux/net/ipsec/des/asm/des-586.pl
patching file linux/net/ipsec/des/asm/des686.pl
patching file linux/net/ipsec/des/asm/desboth.pl
patching file linux/net/ipsec/des/asm/readme
patching file linux/net/ipsec/des/cbc_enc.c
patching file linux/net/ipsec/des/des.doc
patching file linux/net/ipsec/des/des_enc.c
patching file linux/net/ipsec/des/des_opts.c
patching file linux/net/ipsec/des/dx86unix.S
patching file linux/net/ipsec/des/ecb_enc.c
patching file linux/net/ipsec/des/set_key.c
patching file linux/net/ipsec/goodmask.c
patching file linux/net/ipsec/infblock.c
patching file linux/net/ipsec/infblock.h
patching file linux/net/ipsec/infcodes.c
patching file linux/net/ipsec/infcodes.h
patching file linux/net/ipsec/inffast.c
patching file linux/net/ipsec/inffast.h
patching file linux/net/ipsec/inffixed.h
patching file linux/net/ipsec/inflate.c
patching file linux/net/ipsec/inftrees.c
patching file linux/net/ipsec/inftrees.h
patching file linux/net/ipsec/infutil.c
patching file linux/net/ipsec/infutil.h
patching file linux/net/ipsec/initaddr.c
patching file linux/net/ipsec/ipcomp.c
patching file linux/net/ipsec/ipsec_ah.c
patching file linux/net/ipsec/ipsec_alg.c
patching file linux/net/ipsec/ipsec_alg_cryptoapi.c
patching file linux/net/ipsec/ipsec_esp.c
patching file linux/net/ipsec/ipsec_init.c
patching file linux/net/ipsec/ipsec_ipcomp.c
patching file linux/net/ipsec/ipsec_ipip.c
patching file linux/net/ipsec/ipsec_life.c
patching file linux/net/ipsec/ipsec_mast.c
patching file linux/net/ipsec/ipsec_md5c.c
patching file linux/net/ipsec/ipsec_proc.c
patching file linux/net/ipsec/ipsec_radij.c
patching file linux/net/ipsec/ipsec_rcv.c
patching file linux/net/ipsec/ipsec_sa.c
patching file linux/net/ipsec/ipsec_sha1.c
patching file linux/net/ipsec/ipsec_tunnel.c
patching file linux/net/ipsec/ipsec_xform.c
patching file linux/net/ipsec/ipsec_xmit.c
patching file linux/net/ipsec/match586.S
patching file linux/net/ipsec/match686.S
patching file linux/net/ipsec/pfkey_v2.c
patching file linux/net/ipsec/pfkey_v2_build.c
patching file linux/net/ipsec/pfkey_v2_debug.c
patching file linux/net/ipsec/pfkey_v2_ext_bits.c
patching file linux/net/ipsec/pfkey_v2_ext_process.c
patching file linux/net/ipsec/pfkey_v2_parse.c
patching file linux/net/ipsec/pfkey_v2_parser.c
patching file linux/net/ipsec/prng.c
patching file linux/net/ipsec/radij.c
patching file linux/net/ipsec/rangetoa.c
patching file linux/net/ipsec/satot.c
patching file linux/net/ipsec/subnetof.c
patching file linux/net/ipsec/subnettoa.c
patching file linux/net/ipsec/sysctl_net_ipsec.c
patching file linux/net/ipsec/trees.c
patching file linux/net/ipsec/trees.h
patching file linux/net/ipsec/ultoa.c
patching file linux/net/ipsec/ultot.c
patching file linux/net/ipsec/version.c
patching file linux/net/ipsec/zutil.c
patching file linux/net/ipv4/af_inet.c
Hunk #1 succeeded at 1186 (offset 167 lines).
patching file linux/net/ipsec/Makefile.ver

==============end of patch===========================

cd /root/vpn
tar -xzvf openswan-2.3.0.tar.gz
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux nattpatch > /usr/src/natt.patch
cd /usr/src

cat natt.patch | patch -p0
===============output of applying the patch============================

patching file linux/include/net/sock.h
Hunk #1 succeeded at 447 with fuzz 1 (offset -41 lines).
patching file linux/net/Config.in
Hunk #1 succeeded at 108 with fuzz 1 (offset 20 lines).
patching file linux/net/ipv4/udp.c
Hunk #1 succeeded at 807 (offset 20 lines).
Hunk #3 succeeded at 1084 (offset 20 lines).

==============end of patch===========================

cd linux
make menuconfig

=============== I selected the options ==========================

<M> IP Security Protocol (Openswan IPSEC) (NEW)
--- IPsec options (Openswan)
[*]    IPsec: IP-in-IP encapsulation (tunnel mode) (NEW)
[*]    IPsec: Authentication Header (NEW)
[*]    IPsec: Encapsulating Security Payload (NEW)
---    IPsec algorithms to include
[*]       3DES encryption algorithm (NEW)
[*]        AES encryption algorithm (NEW)
[*]       HMAC-MD5 authentication algorithm (NEW)
[*]       HMAC-SHA1 authentication algorithm (NEW)
[*]    IPsec Modular Extensions (NEW)
[*]    IPsec: IP Compression (NEW)
[*]    IPsec Debugging Option (NEW)
[*] IPSEC NAT-Traversal (NEW)

==============================================================

make dep
make bzImage
make modules
make modules_install
cp System.map /boot/System.map-openswan
cp arch/i386/boot/bzImage /boot/vmlinuz-openswan
cd /boot
ln -sf System.map-openswan System.map

# Edit /etc/lilo.conf and add an entry for the openswan kernel
vi /etc/lilo.conf

add lines:
image = /boot/vmlinuz-openswan
 root = /dev/hda2
 label = Linux-Openswan
 read-only

#Re-load lilo
lilo

#Reboot the system
reboot

#Now with new kernel
cd vpn
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux programs
make KERNELSRC=/usr/src/linux install

cd ..
tar -xzvf l2tpd_0.70-pre20031121.orig.tar.gz
zcat l2tpd_0.70-pre20031121-2.diff.gz | patch -p0
cd l2tpd-0.70-pre20031121.orig
make
cp l2tpd /usr/sbin/
mkdir /etc/l2tpd

#create file /etc/l2tpd/l2tpd.conf and add lines:
================start /etc/l2tpd/l2tpd.conf=============
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
================end /etc/l2tpd/l2tpd.conf===============

#create file /etc/ppp/options.l2tpd and add lines:
==================start /etc/ppp/options.l2tpd==========
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
===================end /etc/ppp/options.l2tpd==========

#edit file /etc/ppp/chap-secrets and add user:
ronaldo    *    123456    192.168.1.200

#create file /etc/ipsec.conf and add lines:
==================start /etc/ipsec.conf================
version    2.0   
config setup
       nat_traversal=yes

conn L2TP-PSK-orgWIN2KXP
       authby=secret
       pfs=no
       left=201.1.194.167
       leftprotoport=17/1701
       right=200.158.200.147
       rightprotoport=17/1701
       auto=add
       keyingtries=3

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
====================end /etc/ipsec.conf==============

#create file /etc/ipsec.secrets and add line:
==============start /etc/ipsec.secrets===============
201.1.194.167 200.158.200.147: PSK 0xb6653806_d12b2212_fa37943f_615dbbe8
==============end /etc/ipsec.secrets=================

cd /etc/rc.d/

./ipsec --start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: Using /lib/modules/2.4.26/kernel/ipsec.o

cat /var/log/secure
Feb  1 22:15:02 darkstar pluto[319]: shutting down interface
ipsec0/ppp0 201.1.194.167
Feb  1 22:15:21 darkstar ipsec__plutorun: Starting Pluto subsystem...
Feb  1 22:15:21 darkstar pluto[524]: Starting Pluto (Openswan Version
2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Feb  1 22:15:21 darkstar pluto[524]: Setting port floating to on
Feb  1 22:15:21 darkstar pluto[524]: port floating activate 1/1
Feb  1 22:15:21 darkstar pluto[524]:   including NAT-Traversal patch
(Version 0.6c)
Feb  1 22:15:21 darkstar pluto[524]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb  1 22:15:21 darkstar pluto[524]: starting up 1 cryptographic helpers
Feb  1 22:15:21 darkstar pluto[524]: started helper pid=526 (fd:6)
Feb  1 22:15:21 darkstar pluto[524]: Using KLIPS IPsec interface code
Feb  1 22:15:21 darkstar pluto[524]: Changing to directory
'/etc/ipsec.d/cacerts'
Feb  1 22:15:21 darkstar pluto[524]: Could not change to directory
'/etc/ipsec.d/aacerts'
Feb  1 22:15:21 darkstar pluto[524]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Feb  1 22:15:21 darkstar pluto[524]: Changing to directory '/etc/ipsec.d/crls'
Feb  1 22:15:21 darkstar pluto[524]:   Warning: empty directory
Feb  1 22:15:22 darkstar pluto[524]: added connection description
"L2TP-PSK-orgWIN2KXP"
Feb  1 22:15:22 darkstar pluto[524]: listening for IKE messages
Feb  1 22:15:22 darkstar pluto[524]: adding interface ipsec0/ppp0 201.1.194.167
Feb  1 22:15:22 darkstar pluto[524]: adding interface ipsec0/ppp0
201.1.194.167:4500
Feb  1 22:15:22 darkstar pluto[524]: loading secrets from "/etc/ipsec.secrets"

/usr/sbin/l2tpd
This binary does not support kernel L2TP.

cat /var/log/messages
Feb  1 22:16:42 darkstar l2tpd[575]: This binary does not support kernel L2TP. 
Feb  1 22:16:42 darkstar l2tpd[576]: l2tpd version 0.69 started on
darkstar PID:576
Feb  1 22:16:42 darkstar l2tpd[576]: Linux version 2.4.26 on a i686,
listening on IP address 0.0.0.0, port 1701

ALL OK ??? OR NO ???

========================================================
When the client tries to connect, I obtain:

cat /var/log/secure
Feb  1 22:42:09 darkstar pluto[524]: packet from
200.158.200.250:50010: ignoring Vendor ID payload [FRAGMENTATION]
Feb  1 22:42:09 darkstar pluto[524]: packet from
200.158.200.250:50010: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Feb  1 22:42:09 darkstar pluto[524]: packet from
200.158.200.250:50010: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb  1 22:42:09 darkstar pluto[524]: packet from
200.158.200.250:50010: initial Main Mode message received on
201.1.194.167:500 but no connection has been authorized

My God!!!
Why ??? Why ??? Why ???
Jacco, please, help me again... and the other people too, again.  :-) 

I'm using slackware 10 with kernel 2.4.26

Thanks.
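The last pluto line in the post, "initial Main Mode message received on 201.1.194.167:500 but no connection has been authorized", is what pluto logs when none of its loaded conns can be matched to the sender of an inbound IKE Main Mode proposal: pluto compares the packet's source address with each conn's `right=` (a conn with `right=%any` accepts any peer) and the receiving address with `left=`. The script below is an added diagnostic written for this editorial pass; it is not part of the post, of Openswan, or of l2tpd. It parses conn blocks from an ipsec.conf-style text and the refusal messages from a pluto log, then reports which conns could have matched each refused peer. The config and log text embedded in it are constructed to mirror the post (the log lines are on one line each, as pluto writes them; the mail client wrapped them above), and the file-argument handling in `__main__` is an assumption about how a reader would run it against real files.

```python
"""Report which ipsec.conf conns could match peers that pluto refused.

Added diagnostic example (not from the post or from Openswan).  The
SAMPLE_* texts are constructed to mirror the posted config and log.
"""
import re
import sys

# Constructed sample mirroring the posted /etc/ipsec.conf.
SAMPLE_IPSEC_CONF = """\
version    2.0
config setup
       nat_traversal=yes

conn L2TP-PSK-orgWIN2KXP
       authby=secret
       pfs=no
       left=201.1.194.167
       leftprotoport=17/1701
       right=200.158.200.147
       rightprotoport=17/1701
       auto=add
       keyingtries=3
"""

# Constructed sample mirroring the posted /var/log/secure lines (unwrapped).
SAMPLE_LOG = """\
Feb  1 22:42:09 darkstar pluto[524]: packet from 200.158.200.250:50010: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb  1 22:42:09 darkstar pluto[524]: packet from 200.158.200.250:50010: initial Main Mode message received on 201.1.194.167:500 but no connection has been authorized
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+(\w+)\s*=\s*(\S+)\s*$")
REJECT_RE = re.compile(
    r"pluto\[\d+\]: packet from (?P<peer>\d+(?:\.\d+){3}):(?P<pport>\d+): "
    r"initial Main Mode message received on (?P<local>\d+(?:\.\d+){3}):(?P<lport>\d+) "
    r"but no connection has been authorized"
)


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    'config setup' and top-level lines such as 'version 2.0' are skipped;
    only indented key=value lines under a 'conn' header are collected.
    """
    conns = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group(1) == "conn":
                current = {}
                conns[m.group(2)] = current
            else:
                current = None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns


def conn_matches_peer(conn, peer_ip, local_ip):
    """True if the conn's left/right could select this peer/local pair."""
    right = conn.get("right", "")
    left = conn.get("left", "")
    right_ok = right in ("%any", peer_ip)
    # An unset or %defaultroute left is resolved by pluto at load time.
    left_ok = left in ("", "%defaultroute", local_ip)
    return right_ok and left_ok


def rejected_main_mode(log_text):
    """Return the unique (peer_ip, local_ip) pairs pluto refused, in order."""
    seen = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and (m["peer"], m["local"]) not in seen:
            seen.append((m["peer"], m["local"]))
    return seen


def diagnose(conf_text, log_text):
    """For each refused peer, list the conn names whose left/right fit it."""
    conns = parse_ipsec_conf(conf_text)
    report = []
    for peer, local in rejected_main_mode(log_text):
        candidates = sorted(
            name for name, conn in conns.items()
            if conn_matches_peer(conn, peer, local)
        )
        report.append({"peer": peer, "local": local, "candidates": candidates})
    return report


if __name__ == "__main__":
    # Assumed usage: python3 check_peer.py /etc/ipsec.conf /var/log/secure
    if len(sys.argv) == 3:
        conf = open(sys.argv[1]).read()
        log = open(sys.argv[2]).read()
    else:
        conf, log = SAMPLE_IPSEC_CONF, SAMPLE_LOG
    for entry in diagnose(conf, log):
        status = ", ".join(entry["candidates"]) or "NO conn has right= equal to this peer or %any"
        print(f"peer {entry['peer']} -> {entry['local']}: {status}")
```

On the constructed sample the report shows the refused peer 200.158.200.250 with an empty candidate list, because the only conn names 200.158.200.147 as `right=`. Run against the real files, an empty list points at the peer-address side of the conn definition, while a non-empty list means the address matched and the refusal has another cause (for example the conn not being loaded). A pre-shared key that has been pasted into a public list, as in the post, should be replaced before the tunnel goes into service.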
