[Openswan Users]
Openswan + l2tpd - Client can't connect (now using certificates)
Ranieri Oliveira
ranieri.oliveira at gmail.com
Fri Feb 4 00:05:40 CET 2005
Now, with l2tpd 0.70pre and the nattpatch enabled and using certificates...
What's wrong ???
My Compilation ?
My Configuration ?
I ?
What ?
mkdir /root/vpn
cd /root/vpn
wget http://www.openswan.org/download/openswan-2.3.0.kernel-2.4-klips.patch.gz
wget http://www.openswan.org/download/openswan-2.3.0.tar.gz
wget ftp.debian.org/debian/pool/main/l/l2tpd/l2tpd_0.70-pre20031121.orig.tar.gz
wget ftp.debian.org/debian/pool/main/l/l2tpd/l2tpd_0.70-pre20031121-2.diff.gz
cd /usr/src
zcat /root/vpn/openswan-2.3.0.kernel-2.4-klips.patch.gz | patch -p0
===============output of applying the patch============================
==============end of patch===========================
cd /root/vpn
tar -xzvf openswan-2.3.0.tar.gz
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux nattpatch > /usr/src/natt.patch
cd /usr/src
cat natt.patch | patch -p0
===============output of applying the patch============================
patching file linux/include/net/sock.h
Hunk #1 succeeded at 447 with fuzz 1 (offset -41 lines).
patching file linux/net/Config.in
Hunk #1 succeeded at 108 with fuzz 1 (offset 20 lines).
patching file linux/net/ipv4/udp.c
Hunk #1 succeeded at 807 (offset 20 lines).
Hunk #3 succeeded at 1084 (offset 20 lines).
==============end of patch===========================
cd linux
make menuconfig
=============== I selected the options ==========================
<M> IP Security Protocol (Openswan IPSEC) (NEW)
--- IPsec options (Openswan)
[*] IPsec: IP-in-IP encapsulation (tunnel mode) (NEW)
[*] IPsec: Authentication Header (NEW)
[*] IPsec: Encapsulating Security Payload (NEW)
--- IPsec algorithms to include
[*] 3DES encryption algorithm (NEW)
[*] AES encryption algorithm (NEW)
[*] HMAC-MD5 authentication algorithm (NEW)
[*] HMAC-SHA1 authentication algorithm (NEW)
[*] IPsec Modular Extensions (NEW)
[*] IPsec: IP Compression (NEW)
[*] IPsec Debugging Option (NEW)
[*] IPSEC NAT-Traversal (NEW)
==============================================================
make dep
make bzImage
make modules
make modules_install
cp System.map /boot/System.map-openswan
cp arch/i386/boot/bzImage /boot/vmlinuz-openswan
cd /boot
ln -sf System.map-openswan System.map
# Edit /etc/lilo.conf and add an entry for the openswan kernel
vi /etc/lilo.conf
add lines:
image = /boot/vmlinuz-openswan
root = /dev/hda2
label = Linux-Openswan
read-only
#Reload lilo
lilo
#Reboot the system
reboot
#Now with new kernel
cd vpn
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux programs
make KERNELSRC=/usr/src/linux install
cd ..
tar -xzvf l2tpd_0.70-pre20031121.orig.tar.gz
zcat l2tpd_0.70-pre20031121-2.diff.gz | patch -p0
cd l2tpd-0.70-pre20031121.orig
make
cp l2tpd /usr/sbin/
mkdir /etc/l2tpd
#create file /etc/l2tpd/l2tpd.conf and add lines:
================start /etc/l2tpd/l2tpd.conf=============
[global]
; listen-addr = 192.168.1.98
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
================end /etc/l2tpd/l2tpd.conf===============
#create file /etc/ppp/options.l2tpd and add lines:
==================start /etc/ppp/options.l2tpd==========
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
===================end /etc/ppp/options.l2tpd==========
#edit file /etc/ppp/chap-secrets and add user:
ronaldo * 123456 192.168.1.200
#create file /etc/ipsec.conf and add lines:
==================start /etc/ipsec.conf================
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn roadwarrior-net
    leftsubnet=10.0.0.0/255.0.0.0
    also=roadwarrior
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior
    left=%defaultroute
    leftcert=host.example.com.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=no
conn roadwarrior-l2tp
    type=transport
    left=%defaultroute
    leftcert=host.example.com.pem
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    pfs=no
    auto=add
conn roadwarrior-l2tp-oldwin
    left=%defaultroute
    leftcert=host.example.com.pem
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    pfs=no
    auto=add
#Disable Opportunistic Encryption
#include /etc/ipsec.d/examples/no_oe.conf
====================end /etc/ipsec.conf==============
#create file /etc/ipsec.secrets and add line:
==============start /etc/ipsec.secrets===============
: RSA host.example.com.key master
==============end /etc/ipsec.secrets=================
cd /etc/rc.d/
./ipsec --start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: Using /lib/modules/2.4.26/kernel/ipsec.o
cat /var/log/secure
Feb 3 21:46:29 darkstar pluto[735]: shutting down interface ipsec0/eth0 200.171.13.9
Feb 3 21:46:45 darkstar ipsec__plutorun: Starting Pluto subsystem...
Feb 3 21:46:45 darkstar pluto[1110]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Feb 3 21:46:45 darkstar pluto[1110]: Setting port floating to on
Feb 3 21:46:45 darkstar pluto[1110]: port floating activate 1/1
Feb 3 21:46:45 darkstar pluto[1110]: including NAT-Traversal patch (Version 0.6c)
Feb 3 21:46:45 darkstar pluto[1110]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 3 21:46:45 darkstar pluto[1110]: starting up 1 cryptographic helpers
Feb 3 21:46:45 darkstar pluto[1110]: started helper pid=1111 (fd:6)
Feb 3 21:46:45 darkstar pluto[1110]: Using KLIPS IPsec interface code
Feb 3 21:46:45 darkstar pluto[1110]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 3 21:46:45 darkstar pluto[1110]: loaded CA cert file 'cacert.pem' (1261 bytes)
Feb 3 21:46:45 darkstar pluto[1110]: Could not change to directory '/etc/ipsec.d/aacerts'
Feb 3 21:46:45 darkstar pluto[1110]: Changing to directory '/etc/ipsec.d/ocspcerts'
Feb 3 21:46:45 darkstar pluto[1110]: Changing to directory '/etc/ipsec.d/crls'
Feb 3 21:46:45 darkstar pluto[1110]: loaded crl file 'crl.pem' (512 bytes)
Feb 3 21:46:46 darkstar pluto[1110]: listening for IKE messages
Feb 3 21:46:46 darkstar pluto[1110]: adding interface ipsec0/eth0 200.171.13.9
Feb 3 21:46:46 darkstar pluto[1110]: adding interface ipsec0/eth0 200.171.13.9:4500
Feb 3 21:46:46 darkstar pluto[1110]: loading secrets from "/etc/ipsec.secrets"
Feb 3 21:46:46 darkstar pluto[1110]: loaded private key file '/etc/ipsec.d/private/host.example.com.key' (1663 bytes)
/usr/sbin/l2tpd
This binary does not support kernel L2TP.
cat /var/log/messages
Feb 1 22:16:42 darkstar l2tpd[575]: This binary does not support kernel L2TP.
Feb 1 22:16:42 darkstar l2tpd[576]: l2tpd version 0.69 started on darkstar PID:576
Feb 1 22:16:42 darkstar l2tpd[576]: Linux version 2.4.26 on a i686, listening on IP address 0.0.0.0, port 1701
ALL OK ??? OR NOT ???
========================================================
When the client (Windows XP Professional SP2) tries to connect, I obtain:
cat /var/log/secure
Feb 3 21:49:02 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 3 21:49:02 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 3 21:49:02 darkstar pluto[1110]: packet from 200.171.13.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 3 21:49:02 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb 3 21:49:02 darkstar pluto[1110]: packet from 200.171.13.10:500: initial Main Mode message received on 200.171.13.9:500 but no connection has been authorized
Feb 3 21:49:03 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 3 21:49:03 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 3 21:49:03 darkstar pluto[1110]: packet from 200.171.13.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 3 21:49:03 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb 3 21:49:03 darkstar pluto[1110]: packet from 200.171.13.10:500: initial Main Mode message received on 200.171.13.9:500 but no connection has been authorized
Feb 3 21:49:05 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 3 21:49:05 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 3 21:49:05 darkstar pluto[1110]: packet from 200.171.13.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 3 21:49:05 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb 3 21:49:05 darkstar pluto[1110]: packet from 200.171.13.10:500: initial Main Mode message received on 200.171.13.9:500 but no connection has been authorized
Feb 3 21:49:09 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 3 21:49:09 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 3 21:49:09 darkstar pluto[1110]: packet from 200.171.13.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 3 21:49:09 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb 3 21:49:09 darkstar pluto[1110]: packet from 200.171.13.10:500: initial Main Mode message received on 200.171.13.9:500 but no connection has been authorized
Feb 3 21:49:17 darkstar pluto[1110]: packet from 200.171.13.10:500: ignoring Delete SA payload: not encrypted
Feb 3 21:49:17 darkstar pluto[1110]: packet from 200.171.13.10:500: received and ignored informational message
I created and imported the certificate as shown on the page
www.natecarlson.com/linux/ipsec-l2tp.php
My God!!!
Why ??? Why ??? Why ???
Jacco, please, help me again... and the other people too, again. :-)
I'm using slackware 10 with kernel 2.4.26
Thanks.
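One way to check a config like the one above mechanically, as an added example that is not code from the original post or from Openswan: parse ipsec.conf, resolve "conn %default" and "also=" the way Openswan layers them, and flag an L2TP conn that is not transport mode to UDP/1701 or that Pluto would never load (auto= defaults to ignore). The config text inside is a constructed excerpt modelled on the post's ipsec.conf.

```python
"""Parse an Openswan-style ipsec.conf, resolve 'conn %default' and also=, and
sanity-check the L2TP conn.  Added example, not code from the original post or
from Openswan; the config text below is a constructed excerpt of the post's."""
import re

SAMPLE = """\
conn %default
    authby=rsasig
conn roadwarrior
    leftcert=host.example.com.pem
    right=%any
conn roadwarrior-net
    leftsubnet=10.0.0.0/255.0.0.0
    also=roadwarrior
conn roadwarrior-l2tp
    type=transport
    leftcert=host.example.com.pem
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    auto=add
"""

def parse_conns(text):
    """{name: {key: value}} per conn section; parameter lines must be indented."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'^conn\s+(\S+)\s*$', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif line[:1].isspace() and cur is not None and '=' in line:
            k, _, v = line.strip().partition('=')
            cur[k.strip()] = v.strip()
        elif line.strip() and not line.startswith('#'):
            cur = None  # 'config setup', 'version 2.0', ...: conn body ends
    return conns

def resolve(conns, name, seen=()):
    """Effective settings: own keys beat the also= target, which beats %default."""
    if name in seen:
        raise ValueError('also= loop at ' + name)
    own, eff = dict(conns[name]), dict(conns.get('%default', {}))
    if 'also' in own:
        eff.update(resolve(conns, own.pop('also'), seen + (name,)))
    eff.update(own)
    return eff

def l2tp_checks(eff):
    """Problems a practitioner would look for in an L2TP/IPsec roadwarrior conn."""
    problems = []
    if eff.get('type') == 'transport' and eff.get('rightprotoport') != '17/1701':
        problems.append('transport conn without rightprotoport=17/1701')
    if eff.get('auto', 'ignore') == 'ignore':
        problems.append('auto=ignore: Pluto never loads this conn')
    return problems
```

Running l2tp_checks(resolve(parse_conns(open('/etc/ipsec.conf').read()), 'roadwarrior-l2tp')) on the real file gives an empty list when the conn is shaped as Pluto expects.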