[Openswan Users]
L2TP over IPsec over WLAN for OS-X Panther and others ...
Beat Zahnd
beat.zahnd at phim.unibe.ch
Wed Jul 20 15:14:54 CEST 2005
Hello everyone,
I tried to secure a wireless LAN with a VPN. I use Debian sarge which
provides Openswan Version 2.2.0 X.509-1.5.4. I have to support Mac OS X
Panther which supports L2TP over IPSec using shared secrets.
I tried to use the information from two sources:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/HowTo.html#wireless.config
But, so far I failed to get a working solution. :-(
Client            air           AP            air       VPN Gateway
192.168.1.129 ~~~~~~~~~ 192.168.1.254 ~~~~~~ Debian sarge
OS X                                          eth1 192.168.1.13
                                              eth0 192.168.0.3
                                                  |
internet ----------- other wired stuff -----------
As far as I know the AP is acting as switch and is not of relevance.
Here is my current ipsec.conf:

config setup
        uniqueids=no

include /etc/ipsec.d/examples/no_oe.conf

conn wireless_vpn
        authby=secret
        pfs=no
        #
        left=192.168.1.13
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/l2tp
        #
        right=%any
        rightprotoport=udp/%any
        #
        auto=add
I think this is what the two pages propose.
Here is what happens after startup:
ipsec__plutorun: Starting Pluto subsystem...
pluto[10335]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
pluto[10335]: including NAT-Traversal patch (Version 0.6c) [disabled]
pluto[10335]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[10335]: Using Linux 2.6 IPsec interface code
pluto[10335]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[10335]: Could not change to directory '/etc/ipsec.d/aacerts'
pluto[10335]: Changing to directory '/etc/ipsec.d/ocspcerts'
pluto[10335]: Changing to directory '/etc/ipsec.d/crls'
pluto[10335]: Warning: empty directory
pluto[10335]: added connection description "wireless_vpn"
pluto[10335]: listening for IKE messages
pluto[10335]: adding interface eth1/eth1 192.168.1.13
pluto[10335]: adding interface lo/lo 127.0.0.1
pluto[10335]: adding interface lo/lo ::1
pluto[10335]: loading secrets from "/etc/ipsec.secrets"
I think this is OK. Then the Mac tries to connect:
pluto[10335]: packet from 192.168.1.2:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: responding to Main Mode from unknown peer 192.168.1.129
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: transition from state (null) to state STATE_MAIN_R1
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: ignoring Vendor ID payload [KAME/racoon]
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.129'
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: I did not send a certificate because I do not have one.
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: sent MR3, ISAKMP SA established
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.13:17/1701...192.168.1.129:17/%any
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.129:500
pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe09d5e0f (perhaps this is a duplicated packet)
It seems that the rightprotoport=udp/%any is the problem.
Regards, Beat
--
Beat ZAHND
Physics Institute
University of Bern phone +41 31 631 3466
Sidlerstrasse 5 fax +41 31 631 4405
CH-3012 Bern (Switzerland) mailto:beat.zahnd at phim.unibe.ch
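As an added example (not from the post and not Openswan code): a small Python check that parses the "no connection is known for A...B" line quoted above and compares the two proposed selectors against the ones the conn is configured with, side by side. It assumes Openswan's IKEv1 Quick Mode responder requires an exact match of subnet, protocol and port (it does not narrow), and takes the conn values typed in as a dict from the post.

```python
import ipaddress
import re

# Pluto log line quoted in the post above (the peer is the OS X client).
LOG_LINE = ('pluto[10335]: "wireless_vpn"[1] 192.168.1.129 #1: cannot respond to '
            'IPsec SA request because no connection is known for '
            '192.168.1.13:17/1701...192.168.1.129:17/%any')
# conn wireless_vpn from the post, typed in as a dict (left = gateway).
CONN = {"left": "192.168.1.13", "leftsubnet": "0.0.0.0/0", "leftprotoport": "udp/l2tp",
        "right": "%any", "rightprotoport": "udp/%any"}

PROTO = {"udp": 17, "tcp": 6, "%any": 0}   # names accepted in a protoport spec
PORT = {"l2tp": 1701, "%any": 0}           # 0 = wildcard port
SEL_RE = re.compile(r"no connection is known for (\S+?):(\d+)/(\S+?)\.\.\.(\S+?):(\d+)/(\S+)")

def parse_protoport(spec):
    """'udp/l2tp' -> (17, 1701); '%any' on either field is a wildcard (0)."""
    proto, port = spec.lower().split("/")
    return (PROTO[proto] if proto in PROTO else int(proto),
            PORT[port] if port in PORT else int(port))

def configured_selector(conn, side):
    """(subnet, proto, port) the conn offers on one side; None marks a wildcard field."""
    host, subnet = conn.get(side), conn.get(side + "subnet")
    net = (ipaddress.ip_network(subnet) if subnet
           else None if host == "%any" else ipaddress.ip_network(host + "/32"))
    return (net,) + tuple(v or None for v in parse_protoport(conn.get(side + "protoport", "%any/%any")))

def parse_proposal(line):
    """(local, remote) selectors from the 'no connection is known for A...B' message, or ()."""
    m = SEL_RE.search(line)
    if not m:
        return ()
    g = m.groups()
    return tuple((ipaddress.ip_network(g[i] + ("" if "/" in g[i] else "/32")), int(g[i + 1]),
                  0 if g[i + 2] == "%any" else int(g[i + 2])) for i in (0, 3))

def diagnose(conn, line):
    """Each field where the conn's selector cannot match the peer's proposal. Openswan's
    IKEv1 Quick Mode needs an exact match on both sides; it never narrows subnets or ports."""
    problems = []
    for side, proposed in zip(("left", "right"), parse_proposal(line)):
        for name, want, got in zip(("subnet", "protocol", "port"),
                                   configured_selector(conn, side), proposed):
            if want is not None and want != got:     # None = wildcard on our side
                problems.append(f"{side}: configured {name} {want} != proposed {got}")
    return problems

if __name__ == "__main__":
    print("\n".join(diagnose(CONN, LOG_LINE) or ["selectors match"]))
```

Run on the values from the post it reports only the left subnet: the conn offers 0.0.0.0/0 while the client proposed the gateway address itself as a /32, and the right side (udp/%any against the client's 17/%any) matches.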