[Openswan Users] Openswan and L2TP Problem !
Stanislav Nedelchev
stanislav.nedelchev at gmail.com
Thu Jun 2 23:52:16 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here is my problem:
It worked from my home for a while and now it's not working,
but my colleague has never been able to connect.
We are using WinXP SP2 as the VPN client.
Where could the problem be?
Thanks in advance.
root at fw:~# tcpdump -n -f -i eth0 host 84.252.57.99
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:18.894628 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
1 I ident
18:02:18.896515 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
1 R ident
18:02:19.128649 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
1 I ident
18:02:19.225235 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
1 R ident
18:02:19.323317 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
1 I ident[E]
18:02:19.325528 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
1 R ident[E]
18:02:19.364660 IP 84.252.57.99 > 213.91.208.250: udp
18:02:19.420126 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I oakley-quick[E]
18:02:19.425628 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R oakley-quick[E]
18:02:19.467523 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I oakley-quick[E]
18:02:19.474631 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x1)
18:02:19.478614 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:02:20.478615 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:02:20.481420 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x2)
18:02:20.485501 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 ZLB
18:02:21.478825 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:02:22.516747 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x3)
18:02:26.561328 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x4)
18:02:34.475383 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x5)
18:02:44.482796 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x6)
18:02:54.504596 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I inf[E]
18:02:54.506424 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R inf[E]
18:02:54.510630 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I inf[E]
18:02:54.613795 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R inf[E]
root at fw:~# tcpdump -n -f -i ipsec0 host 84.252.57.99
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
18:03:44.588528 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:45.592545 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:47.587679 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:47.592293 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 ZLB
18:03:47.592512 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x1)
18:03:47.598581 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:03:47.598797 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x2)
18:03:48.598769 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:03:48.599007 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x3)
18:03:49.608666 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:49.608877 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x4)
18:03:50.608773 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:50.608982 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x5)
18:03:51.590446 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:51.595079 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 ZLB
18:03:51.595288 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x6)
18:03:51.618544 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:51.618747 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x7)
18:03:52.618589 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:52.618796 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x8)
18:03:53.618756 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:53.618967 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x9)
Here are the configuration files.
root at fw:~# cat /etc/l2tpd/l2tpd.conf
; l2tpd configuration as posted: one global section and one default LNS
; (server-side) section.
[global]
port = 1701
; Peer-address filtering at the L2TP layer is switched off, so which hosts may
; reach the daemon is left to the IPsec policy and the packet filter.
; NOTE(review): confirm UDP 1701 on eth0 is not reachable outside of IPsec.
access control = no
rand source = dev
[lns default]
exclusive = no
; Address pool handed to clients, and the server's end of each PPP link.
ip range = 192.168.0.200-192.168.0.250
local ip = 192.168.0.3
; CHAP is demanded and PAP refused, so a cleartext password exchange is not accepted.
require chap = yes
refuse pap = yes
; PPP debugging is on while diagnosing; presumably to be switched off afterwards.
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
root at fw:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
# def interfaces=%defaultroute
# Pairs the virtual interface ipsec0 with the physical interface eth0; these are
# the two interfaces the tcpdump captures in this post were taken on.
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# NOTE(review): both are off, so the daemon log will say little about the failing
# negotiation; if they are raised for diagnosis, review the logs before sharing them.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# NAT traversal is enabled. virtual_private lists the private (RFC 1918) ranges a
# NATed client may present as its own address; a conn refers to this list as %priv.
# NOTE(review): 192.168.0.0/16 also contains the 192.168.0.x addresses used in
# l2tpd.conf. The usual practice is to exclude the gateway's own LAN from this
# list (the %v4:! form) - confirm against the local addressing.
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
# Defaults inherited by the conn sections that follow.
conn %default
# 0 means negotiation is retried without limit; the RoadWar conn sets its own value.
keyingtries=0
# def disablearrivalcheck=no
# def authby=rsasig
# def leftrsasigkey=%dns
# rightrsasigkey=%dns
# Road-warrior connection: this gateway is "left" and L2TP/IPsec clients may
# connect from any address (right=%any).
conn RoadWar
left= 213.91.208.250
leftnexthop= 213.91.208.249
# Pre-shared-key authentication. With right=%any every client uses the same
# secret, so it should be long and random; certificates avoid the shared secret.
authby=secret
# The connection is loaded but not initiated from this side; the client starts it.
auto=add
keyingtries=1
# PFS is not requested for the phase 2 keys.
pfs=no
right=%any
# Both protoport selectors limit the SA to protocol 17 (UDP) port 1701, i.e. L2TP only.
# NOTE(review): in the eth0 capture in this post the replies from port 1701 are
# listed as plain l2tp with no outbound ESP next to them - worth confirming on the
# wire that replies to the client leave inside the SA rather than in the clear.
leftprotoport=17/1701
# The client may be un-NATed (%no) or behind NAT with an address from virtual_private (%priv).
rightsubnet=vhost:%no,%priv
rightprotoport=17/1701
root at fw:~# cat /etc/ppp/options.l2tpd
# pppd options for L2TP sessions (the file named by pppoptfile in l2tpd.conf).
ipcp-accept-local
ipcp-accept-remote
#ms-dns 192.168.0.10
#ms-wins 192.168.0.10
#noccp
# The peer must authenticate itself before network packets are passed.
auth
crtscts
idle 1800
mtu 1410
mru 1410
#nodefaultroute
# NOTE(review): debug logging is on and a log file is configured below; check
# that file's permissions, since PPP negotiation details are written there.
debug
lock
# Answers ARP on the LAN on behalf of the connected client.
proxyarp
connect-delay 5000
#silent
logfd 2
logfile /var/log/l2tpd.log
root at fw:~#
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCn2NvI1Upp0RIqpERAgiRAJ9QrlMn/KhM62y742+QBBesubWPwwCgmrg/
5BQ2UA5K1CubpYcy9Oz3NuQ=
=In/S
-----END PGP SIGNATURE-----