[Openswan Users] Openswan + l2tp - Client can't connect

Paul Wouters paul at xelerance.com
Mon Jan 31 13:15:38 CET 2005


On Mon, 31 Jan 2005, Ranieri Oliveira wrote:

> mkdir /root/vpn
> cd /root/vpn
> wget http://www.openswan.org/download/openswan-2.3.0.kernel-2.4-klips.patch.gz
> wget http://www.openswan.org/download/openswan-2.3.0.tar.gz
> wget http://www.l2tpd.org/downloads/l2tpd-0.69.tar.gz
>
> cd /usr/src
> zcat /root/vpn/openswan-2.3.0.kernel-2.4-klips.patch.gz | patch -p0

Don't forget:
tar zxvf openswan-2.3.0.tar.gz
cd openswan-2.3.0
make KERNELSRC=/usr/src/linux nattpatch > natt.patch
cd /usr/src
cat /usr/src/natt.patch | patch -p0

Or else your kernel will not support NAT Traversal (espinudp). Also
ensure that you run make oldconfig and actually enable CONFIG_IPSEC_NAT_TRAVERSAL

I cannot comment on the l2tp stuff, but I'll try it out in a few days :)

> cd linux

make oldconfig goes here. (also if you want to change some of KLIPS' options)

> make dep
> make bzImage
> make modules
> make modules_install

> tar -xzvf openswan-2.3.0.tar.gz
> cd openswan-2.3.0
> make KERNELSRC=/usr/src/linux programs module
> make KERNELSRC=/usr/src/linux install minstall

you dont actually have to rebuild module or minstall.

> conn L2TP-PSK-orgWIN2KXP
>        authby=secret
>        pfs=no

Can someone confirm to me that pfs=yes does not work with l2tp? Other then
Jacco (because it seems most people copy his config file :)

> 201.1.192.143 200.148.98.53: PSK 0xb6653806_d12b2212_fa37943f_615dbbe8

wow, that's the most random secret I've seen used in a long time. Bravo!!

> Jan 30 22:50:28 darkstar pluto[900]: Setting port floating to off
> Jan 30 22:50:28 darkstar pluto[900]: port floating activate 0/1
> Jan 30 22:50:28 darkstar pluto[900]:   including NAT-Traversal patch
> (Version 0.6c) [disabled]

This is because you missed the nattpatch.

> /usr/sbin/l2tpd
> This binary does not support kernel L2TP.

> ALL OK ??? OR NO ???

I don't know. Jacco?

> 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but port floating is off
> Jan 30 22:46:10 darkstar pluto[655]: packet from 200.148.98.53:50293:
> initial Main Mode message received on 201.1.192.143:500 but no
> connection has been authorized

You do not have support for NAT Traversal. Rebuild the kernel and pluto
should do port floating too. 
Perhaps port floating should be moved outside the #ifdef for NAT TRAVERSAL.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton



More information about the Users mailing list