[Openswan Users] windows xp sp2 nated and openswan+l2tp
Mihai Costache
tepesu at yahoo.com
Mon Jul 4 10:56:56 CEST 2005
Hi,
All my roadwarrior Windows XP clients are SP2 and patched with fixsp2vpn.vbs.
I can connect from any dialup or from any public IP to
my openswan server .... but not from behind any NAT
gateway (Linux or not).
This is my ipsec.conf:
----------- snip ---------
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug="control parsing"
    uniqueids=yes
    nat_traversal=yes
    virtual_private="%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.100.0/24"

conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    pfs=no

conn roadwarior-l2tpd
    left=xxx.xxx.xxx.xxx
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    leftcert=/etc/ipsec.d/certs/vpnCert.pem
    right=%any
    rightprotoport=17/1701
    rightcert=/etc/ipsec.d/certs/clientCert.pem
    rightsubnet=vhost:%no,%priv
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
------------- snip ---------------------
l2tpd.conf:
---- snip ---
[global]
listen-addr = 192.168.100.2
[lns default]
ip range = 192.168.100.249-192.168.100.254
local ip = 192.168.100.100
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
---- snip ---
A log file from /var/log/secure is attached.
-------------- next part --------------
Jul 4 19:15:45 server2 pluto[6884]: packet from <ip_client_nated_gateway>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 4 19:15:45 server2 pluto[6884]: packet from <ip_client_nated_gateway>:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 4 19:15:45 server2 pluto[6884]: packet from <ip_client_nated_gateway>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 4 19:15:45 server2 pluto[6884]: packet from <ip_client_nated_gateway>:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: responding to Main Mode from unknown peer <ip_client_nated_gateway>
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: Main mode peer ID is ID_DER_ASN1_DN: 'C=RO, ST=Bucuresti, O=GFS Romania, OU=GFS Communication, CN=Client VPN, E=it.security at gfs.ro'
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: no crl from issuer "C=RO, ST=Bucuresti, L=Bucuresti, O=TESTING, OU=TESTING2, CN=IT, E=testing at testing.o" found (strict=no)
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: I am sending my cert
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 4 19:15:45 server2 pluto[6884]: | NAT-T: new mapping <ip_client_nated_gateway>:500/4500)
Jul 4 19:15:45 server2 pluto[6884]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto failed for msg_type 2 (update).
Jul 4 19:15:45 server2 pluto[6884]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #2: pfkey_msg_build of Add SA esp.b94b6a74@<ip_server_openswan> failed, code -22
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: sent MR3, ISAKMP SA established
Jul 4 19:15:46 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 4 19:15:48 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 4 19:15:52 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Jul 4 19:16:16 server2 last message repeated 2 times
Jul 4 19:16:48 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: next payload type of ISAKMP Hash Payload has an unknown value: 49
Jul 4 19:16:48 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: malformed payload in packet
Jul 4 19:16:48 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: sending notification PAYLOAD_MALFORMED to <ip_client_nated_gateway>:4500
Jul 4 19:16:48 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: failed to build notification for spisize=0
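Added example, not from the post or from Openswan: a small Python parser for pluto lines in the format of the attached log, grouping messages by ISAKMP state number so the failure pattern is visible at a glance (Phase 1 completes with the peer detected as NATed and the mapping moved to UDP 4500, then the peer keeps resending its last Main Mode message and no Quick Mode state ever appears, alongside a pfkey Add SA failure on state #2 and a malformed payload). The sample log is constructed from the lines above; the field names in the summary are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the /var/log/secure excerpt attached above (<ip_...> placeholders kept as the poster wrote them).
SAMPLE_LOG = """\
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 4 19:15:45 server2 pluto[6884]: | NAT-T: new mapping <ip_client_nated_gateway>:500/4500)
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #2: pfkey_msg_build of Add SA esp.b94b6a74@<ip_server_openswan> failed, code -22
Jul 4 19:15:45 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: sent MR3, ISAKMP SA established
Jul 4 19:15:46 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Jul 4 19:16:48 server2 pluto[6884]: "roadwarior-l2tpd"[1] <ip_client_nated_gateway> #4: malformed payload in packet
"""
# Lines tied to an ISAKMP state look like: "conn"[instance] peer #state-number: message
STATE_LINE = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] \S+ #(?P<num>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r"transition from state (\S+) to state (\S+)")

def summarize(log_text):
    """Per ISAKMP state number: last IKE state, NAT-T result, duplicate packets, errors."""
    states = defaultdict(lambda: {"last_state": None, "nat_t": False, "established": False,
                                   "quick_mode": False, "dup_packets": 0, "errors": []})
    for line in log_text.splitlines():
        m = STATE_LINE.search(line)
        if not m:
            continue  # "packet from ...:500" and "| debug" lines carry no state number
        s, msg = states[int(m.group("num"))], m.group("msg")
        t = TRANSITION.search(msg)
        if t:
            s["last_state"] = t.group(2)
            s["quick_mode"] |= t.group(2).startswith("STATE_QUICK")
        elif "peer is NATed" in msg:
            s["nat_t"] = True
        elif "ISAKMP SA established" in msg:
            s["established"] = True
        elif "duplicate packet" in msg:
            s["dup_packets"] += 1
        elif "failed" in msg or "malformed" in msg:
            s["errors"].append(msg)
    return dict(states)

def diagnose(summary):
    """Flag Phase 1 that completed (through NAT-T) but never reached Quick Mode."""
    findings = []
    for num, s in sorted(summary.items()):
        findings.extend(f"#{num}: {err}" for err in s["errors"])
        if s["established"] and s["dup_packets"] and not s["quick_mode"]:
            findings.append(f"#{num}: ISAKMP SA established (NAT-T={s['nat_t']}); peer "
                            f"resent {s['dup_packets']}x, no Quick Mode seen")
    return findings
```

Run `diagnose(summarize(open("/var/log/secure").read()))` on a full log to list every stalled negotiation and every kernel SA-install or payload error per state number.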