[Openswan Users] Re: Client loops not any more; but the l2tpd daemon doesn't answer the request.

foren titze foren.titze at gmx.net
Tue Jul 12 16:27:03 CEST 2005


NOW it works!

So the tunnel is established only once. The last line is:
80.226.253.78 #3: IPsec SA established {ESP=>0xe5386ad2 <0xfc03cf41 
xfrm=3DES_0-HMAC_MD5 NATD=80.226.253.78}.

Shit Microsoft. Who said that they should change the behavior of their
L2TP client?

Your link to the Microsoft page and the little registry patch were the solution.
(http://support.microsoft.com/default.aspx?kbid=885407)

Earlier it was the case that when the IPsec SA was established, the l2tpd daemon
took over the connection and built a PPP connection.
Now it does not do this.

Logging was turned on in /etc/ppp/options.l2tpd, but nothing is written to
/var/log/l2tpd.log.

I don't know how to debug this.

I have changed nothing in ppp and l2tpd, and all kernel modules are compiled
correctly.

Any solution?

THX

On Tuesday, 12 July 2005 10:46, Jacco de Leeuw wrote:
> Foren Titze wrote:
> > > > and this is 10.0.0.1 the internal IP of the NATing router.
> > >
> > >             ,%v4:!10.0.0.0/24
> >
> > Yes I have added %v4:!192.168.121.0/24
>
> But 10.0.0.1 is the internal IP address of your NAT router?
> Do you use both 192.168.121.0/24 and 10.0.0.0/24 on your
> internal network? If so, then you need to exclude both in virtual_private.
>
> > > I don't know what you are trying to achieve with left/rightid="".
> >
> > I have left it blank to protect our secrets. Normally it is filled with
> > the right stuff: the subject of this certificate.
>
> I see. Good call. But if you'd used something like rightid="blahblah"
> it would have been immediately obvious.
>
> > > >      #rightcert=certs/titze_cert.pem
> > >
> > > Uncomment this line or use:
> > >
> > >         rightca=%same
> >
> > What line? Do you mean #rightcert=? I have always heard that rightcert must
> > not be given in ipsec.conf, because the roadwarrior sends his
> > certificate.
>
> Well yes, but the server can use rightcert to extract the certificate
> details (i.e. rightid) automatically from the file. There are several ways
> of specifying the certificates that are allowed but your current
> configuration is incomplete. That's why I recommended to use rightcert or
> rightca.
>
> > Whatever, the config was working when the server was not NATed.
>
> Whatever... But you could have run into a problem later on when you used
> multiple servers:
> http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#Wrong_certificate
>
> > >            rightsubnet=vhost:%no,%priv
> >
> > Can I use this if the client is not NATed?
>
> Certainly. The %no makes that possible.
>
> > > The Openswan log says that both are NATed. But that is incorrect?
> >
> > The logfile is not right in that way.
> > The client wasn't NATed; I think it came with an external IP, from
> > Vodafone UMTS.
>
> I think you should trust the Openswan team and the NAT-T standardisation
> people on this one. Or perhaps you could file a bug report if you are
> confident. Could you try to repeat the experiment with a public IP, e.g. by
> using dial-up, ISDN or GSM CSD?
>
> Jacco
