[Openswan Users] Openswan + l2tp - Client can't connect

Ranieri Oliveira ranieri.oliveira at gmail.com
Mon Jan 31 01:06:59 CET 2005


I wrote down step by step what I did to install and configure
openswan+l2tpd, and I would like someone to take a look at where it
may be wrong.

mkdir /root/vpn
cd /root/vpn
wget http://www.openswan.org/download/openswan-2.3.0.kernel-2.4-klips.patch.gz
wget http://www.openswan.org/download/openswan-2.3.0.tar.gz
wget http://www.l2tpd.org/downloads/l2tpd-0.69.tar.gz

cd /usr/src
zcat /root/vpn/openswan-2.3.0.kernel-2.4-klips.patch.gz | patch -p0

===============output of applying the patch============================

patching file linux/Documentation/Configure.help
Hunk #1 succeeded at 28821 with fuzz 2 (offset 4584 lines).
patching file linux/README.openswan-2
patching file linux/crypto/ciphers/aes/test_main.c
patching file linux/crypto/ciphers/aes/test_main_mac.c
patching file linux/include/crypto/aes.h
patching file linux/include/crypto/aes_cbc.h
patching file linux/include/crypto/aes_xcbc_mac.h
patching file linux/include/crypto/cbc_generic.h
patching file linux/include/crypto/des.h
patching file linux/include/des/des_locl.h
patching file linux/include/des/des_ver.h
patching file linux/include/des/podd.h
patching file linux/include/des/sk.h
patching file linux/include/des/spr.h
patching file linux/include/mast.h
patching file linux/include/openswan.h
patching file linux/include/openswan/ipcomp.h
patching file linux/include/openswan/ipsec_ah.h
patching file linux/include/openswan/ipsec_alg.h
patching file linux/include/openswan/ipsec_auth.h
patching file linux/include/openswan/ipsec_encap.h
patching file linux/include/openswan/ipsec_eroute.h
patching file linux/include/openswan/ipsec_errs.h
patching file linux/include/openswan/ipsec_esp.h
patching file linux/include/openswan/ipsec_ipcomp.h
patching file linux/include/openswan/ipsec_ipe4.h
patching file linux/include/openswan/ipsec_ipip.h
patching file linux/include/openswan/ipsec_kern24.h
patching file linux/include/openswan/ipsec_kversion.h
patching file linux/include/openswan/ipsec_life.h
patching file linux/include/openswan/ipsec_md5h.h
patching file linux/include/openswan/ipsec_param.h
patching file linux/include/openswan/ipsec_policy.h
patching file linux/include/openswan/ipsec_proto.h
patching file linux/include/openswan/ipsec_radij.h
patching file linux/include/openswan/ipsec_rcv.h
patching file linux/include/openswan/ipsec_sa.h
patching file linux/include/openswan/ipsec_sha1.h
patching file linux/include/openswan/ipsec_stats.h
patching file linux/include/openswan/ipsec_tunnel.h
patching file linux/include/openswan/ipsec_xform.h
patching file linux/include/openswan/ipsec_xmit.h
patching file linux/include/openswan/passert.h
patching file linux/include/openswan/pfkey_debug.h
patching file linux/include/openswan/radij.h
patching file linux/include/pfkey.h
patching file linux/include/pfkeyv2.h
patching file linux/include/zlib/zconf.h
patching file linux/include/zlib/zlib.h
patching file linux/include/zlib/zutil.h
patching file linux/lib/libfreeswan/Makefile.objs
patching file linux/lib/zlib/Makefile
patching file linux/lib/zlib/Makefile.objs
patching file linux/net/Config.in
Hunk #1 succeeded at 102 with fuzz 1 (offset 14 lines).
patching file linux/net/Makefile
Hunk #1 succeeded at 18 with fuzz 2 (offset 1 line).
patching file linux/net/ipsec/Config.in
patching file linux/net/ipsec/Kconfig
patching file linux/net/ipsec/Makefile
patching file linux/net/ipsec/README-zlib
patching file linux/net/ipsec/README-zlib.freeswan
patching file linux/net/ipsec/addrtoa.c
patching file linux/net/ipsec/addrtot.c
patching file linux/net/ipsec/addrtypeof.c
patching file linux/net/ipsec/adler32.c
patching file linux/net/ipsec/aes/aes-i586.S
patching file linux/net/ipsec/aes/aes.c
patching file linux/net/ipsec/aes/aes_cbc.c
patching file linux/net/ipsec/aes/aes_xcbc_mac.c
patching file linux/net/ipsec/aes/ipsec_alg_aes.c
patching file linux/net/ipsec/alg/Config.alg_aes.in
patching file linux/net/ipsec/alg/Config.alg_cryptoapi.in
patching file linux/net/ipsec/alg/Config.in
patching file linux/net/ipsec/alg/Makefile
patching file linux/net/ipsec/alg/Makefile.alg_aes
patching file linux/net/ipsec/alg/Makefile.alg_cryptoapi
patching file linux/net/ipsec/alg/ipsec_alg_aes.c
patching file linux/net/ipsec/alg/ipsec_alg_cryptoapi.c
patching file linux/net/ipsec/alg/scripts/mk-static_init.c.sh
patching file linux/net/ipsec/anyaddr.c
patching file linux/net/ipsec/datatot.c
patching file linux/net/ipsec/defconfig
patching file linux/net/ipsec/deflate.c
patching file linux/net/ipsec/deflate.h
patching file linux/net/ipsec/des/COPYRIGHT
patching file linux/net/ipsec/des/INSTALL
patching file linux/net/ipsec/des/README
patching file linux/net/ipsec/des/README.freeswan
patching file linux/net/ipsec/des/VERSION
patching file linux/net/ipsec/des/asm/des-586.pl
patching file linux/net/ipsec/des/asm/des686.pl
patching file linux/net/ipsec/des/asm/desboth.pl
patching file linux/net/ipsec/des/asm/readme
patching file linux/net/ipsec/des/cbc_enc.c
patching file linux/net/ipsec/des/des.doc
patching file linux/net/ipsec/des/des_enc.c
patching file linux/net/ipsec/des/des_opts.c
patching file linux/net/ipsec/des/dx86unix.S
patching file linux/net/ipsec/des/ecb_enc.c
patching file linux/net/ipsec/des/set_key.c
patching file linux/net/ipsec/goodmask.c
patching file linux/net/ipsec/infblock.c
patching file linux/net/ipsec/infblock.h
patching file linux/net/ipsec/infcodes.c
patching file linux/net/ipsec/infcodes.h
patching file linux/net/ipsec/inffast.c
patching file linux/net/ipsec/inffast.h
patching file linux/net/ipsec/inffixed.h
patching file linux/net/ipsec/inflate.c
patching file linux/net/ipsec/inftrees.c
patching file linux/net/ipsec/inftrees.h
patching file linux/net/ipsec/infutil.c
patching file linux/net/ipsec/infutil.h
patching file linux/net/ipsec/initaddr.c
patching file linux/net/ipsec/ipcomp.c
patching file linux/net/ipsec/ipsec_ah.c
patching file linux/net/ipsec/ipsec_alg.c
patching file linux/net/ipsec/ipsec_alg_cryptoapi.c
patching file linux/net/ipsec/ipsec_esp.c
patching file linux/net/ipsec/ipsec_init.c
patching file linux/net/ipsec/ipsec_ipcomp.c
patching file linux/net/ipsec/ipsec_ipip.c
patching file linux/net/ipsec/ipsec_life.c
patching file linux/net/ipsec/ipsec_mast.c
patching file linux/net/ipsec/ipsec_md5c.c
patching file linux/net/ipsec/ipsec_proc.c
patching file linux/net/ipsec/ipsec_radij.c
patching file linux/net/ipsec/ipsec_rcv.c
patching file linux/net/ipsec/ipsec_sa.c
patching file linux/net/ipsec/ipsec_sha1.c
patching file linux/net/ipsec/ipsec_tunnel.c
patching file linux/net/ipsec/ipsec_xform.c
patching file linux/net/ipsec/ipsec_xmit.c
patching file linux/net/ipsec/match586.S
patching file linux/net/ipsec/match686.S
patching file linux/net/ipsec/pfkey_v2.c
patching file linux/net/ipsec/pfkey_v2_build.c
patching file linux/net/ipsec/pfkey_v2_debug.c
patching file linux/net/ipsec/pfkey_v2_ext_bits.c
patching file linux/net/ipsec/pfkey_v2_ext_process.c
patching file linux/net/ipsec/pfkey_v2_parse.c
patching file linux/net/ipsec/pfkey_v2_parser.c
patching file linux/net/ipsec/prng.c
patching file linux/net/ipsec/radij.c
patching file linux/net/ipsec/rangetoa.c
patching file linux/net/ipsec/satot.c
patching file linux/net/ipsec/subnetof.c
patching file linux/net/ipsec/subnettoa.c
patching file linux/net/ipsec/sysctl_net_ipsec.c
patching file linux/net/ipsec/trees.c
patching file linux/net/ipsec/trees.h
patching file linux/net/ipsec/ultoa.c
patching file linux/net/ipsec/ultot.c
patching file linux/net/ipsec/version.c
patching file linux/net/ipsec/zutil.c
patching file linux/net/ipv4/af_inet.c
Hunk #1 succeeded at 1186 (offset 167 lines).
patching file linux/net/ipsec/Makefile.ver

==============end of patch===========================

cd linux
make dep
make bzImage
make modules
make modules_install
cp System.map /boot/System.map-openswan
cp arch/i386/boot/bzImage /boot/vmlinuz-openswan
cd /boot
ln -sf System.map-openswan System.map

# Edit the /etc/lilo.conf and add for openswan kernel
vi /etc/lilo.conf

add lines:
image = /boot/vmlinuz-openswan
  root = /dev/hda2
  label = Linux-Openswan
  read-only

#Re-load lilo
lilo

#Reboot the system
reboot

#Now with new kernel
cd vpn
tar -xzvf openswan-2.3.0.tar.gz
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux programs module
make KERNELSRC=/usr/src/linux install minstall

cd ..
tar -xzvf l2tpd-0.69.tar.gz
cd l2tpd-0.69
make
cp l2tpd /usr/sbin/
mkdir /etc/l2tpd

#create file /etc/l2tpd/l2tpd.conf and add lines:
================start /etc/l2tpd/l2tpd.conf=============
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
================end /etc/l2tpd/l2tpd.conf===============

#create file /etc/ppp/options.l2tpd and add lines:
==================start /etc/ppp/options.l2tpd==========
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
===================end /etc/ppp/options.l2tpd==========

#edit file /etc/ppp/chap-secrets and add user:
ronaldo	*	123456	192.168.1.200

#create file /etc/ipsec.conf and add lines:
==================start /etc/ipsec.conf================
version	2.0	

config setup

conn L2TP-PSK-orgWIN2KXP
        authby=secret
        pfs=no
        left=201.1.192.143
        leftprotoport=17/0
        right=200.148.98.53
        rightprotoport=17/1701
        auto=add
        keyingtries=3

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
====================end /etc/ipsec.conf==============

#create file /etc/ipsec.secrets and add line:
==============start /etc/ipsec.secrets===============
201.1.192.143 200.148.98.53: PSK 0xb6653806_d12b2212_fa37943f_615dbbe8
==============end /etc/ipsec.secrets=================

cd /etc/rc.d/

./ipsec --start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: Using /lib/modules/2.4.26/kernel/ipsec.o

cat /var/log/secure
Jan 30 22:50:27 darkstar ipsec__plutorun: Starting Pluto subsystem...
Jan 30 22:50:28 darkstar pluto[900]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 30 22:50:28 darkstar pluto[900]: Setting port floating to off
Jan 30 22:50:28 darkstar pluto[900]: port floating activate 0/1
Jan 30 22:50:28 darkstar pluto[900]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jan 30 22:50:28 darkstar pluto[900]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 30 22:50:28 darkstar pluto[900]: starting up 1 cryptographic helpers
Jan 30 22:50:28 darkstar pluto[900]: started helper pid=904 (fd:6)
Jan 30 22:50:28 darkstar pluto[900]: Using KLIPS IPsec interface code
Jan 30 22:50:28 darkstar pluto[900]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 30 22:50:28 darkstar pluto[900]: Could not change to directory '/etc/ipsec.d/aacerts'
Jan 30 22:50:28 darkstar pluto[900]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jan 30 22:50:28 darkstar pluto[900]: Changing to directory '/etc/ipsec.d/crls'
Jan 30 22:50:28 darkstar pluto[900]:   Warning: empty directory
Jan 30 22:50:28 darkstar pluto[900]: added connection description "L2TP-PSK-orgWIN2KXP"
Jan 30 22:50:28 darkstar pluto[900]: listening for IKE messages
Jan 30 22:50:28 darkstar pluto[900]: adding interface ipsec0/ppp0 201.1.192.143
Jan 30 22:50:28 darkstar pluto[900]: loading secrets from "/etc/ipsec.secrets"

/usr/sbin/l2tpd
This binary does not support kernel L2TP.

cat /var/log/messages
Jan 30 22:52:00 darkstar l2tpd[950]: This binary does not support kernel L2TP.
Jan 30 22:52:00 darkstar l2tpd[951]: l2tpd version 0.69 started on darkstar PID:951
Jan 30 22:52:00 darkstar l2tpd[951]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 30 22:52:00 darkstar l2tpd[951]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 30 22:52:00 darkstar l2tpd[951]: Inhereted by Jeff McAdams, (C) 2002
Jan 30 22:52:00 darkstar l2tpd[951]: Linux version 2.4.26 on a i686, port 1701

ALL OK ??? OR NOT ???

========================================================
When the Win98 client with MSL2TP tries to connect, I get:

cat /var/log/secure
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: ignoring Vendor ID payload [FRAGMENTATION]
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: initial Main Mode message received on 201.1.192.143:500 but no connection has been authorized


Why ???


Thanks.
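The pluto lines at the end of the post carry the diagnostic facts a responder would want side by side: the peer's IP and source port, which vendor IDs it offered, whether the server has port floating (NAT-T) enabled, and whether any conn was matched. The script below is an added example by the editor, not part of the post or of Openswan; it parses `packet from` entries in the pluto log format shown above and the `conn` stanzas of an ipsec.conf, and reports those facts per peer. The sample log and conn text are copied from the post as constructed input, and the "source port other than 500 may indicate NAT" check is a heuristic assumption, not a diagnosis of this particular setup.

```python
import re
from collections import defaultdict

# Constructed sample input: the four pluto entries from the post, one per line.
SAMPLE_LOG = """\
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: ignoring Vendor ID payload [FRAGMENTATION]
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293: initial Main Mode message received on 201.1.192.143:500 but no connection has been authorized
"""

# Constructed sample input: the conn stanza from the post's /etc/ipsec.conf.
SAMPLE_CONF = """\
conn L2TP-PSK-orgWIN2KXP
        authby=secret
        pfs=no
        left=201.1.192.143
        leftprotoport=17/0
        right=200.148.98.53
        rightprotoport=17/1701
        auto=add
        keyingtries=3
"""

# syslog prefix, then "pluto[pid]: packet from IP:PORT: message"
PACKET_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[(?P<pid>\d+)\]: "
    r"packet from (?P<ip>[\d.]+):(?P<port>\d+): (?P<msg>.*)$"
)


def parse_pluto_log(text):
    """Return a list of dicts for every 'packet from' entry in the log text."""
    events = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' stanza in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def triage(events, conns):
    """Group log entries by peer and summarise the facts relevant to a failed IKE exchange."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[(e["ip"], e["port"])].append(e["msg"])
    findings = {}
    for (ip, port), msgs in by_peer.items():
        findings[f"{ip}:{port}"] = {
            # conns whose right= equals the peer address (no subnet/%any handling here)
            "matching_conns": [n for n, c in conns.items() if c.get("right") == ip],
            "peer_offered_nat_t": any("nat-t-ike" in m for m in msgs),
            "nat_t_disabled_here": any("port floating is off" in m for m in msgs),
            # heuristic assumption: IKE normally comes from UDP 500; another port may mean NAT
            "non_isakmp_source_port": port != 500,
            "no_connection_authorized": any("no connection has been authorized" in m for m in msgs),
        }
    return findings


def report(findings):
    """Render the findings as one short line per peer and fact."""
    lines = []
    for peer, f in findings.items():
        lines.append(f"peer {peer}:")
        for key, value in f.items():
            lines.append(f"  {key}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_pluto_log(SAMPLE_LOG), parse_conns(SAMPLE_CONF))))
```

Run against a real /var/log/secure, the same functions take the file contents in place of the constructed samples; each fact is reported separately so the reader can see which ones coincide for a given peer rather than being handed a verdict.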

