[Openswan Users] Openswan and L2TP problem

Stanislav Nedelchev nedelchev at eequip.net
Thu Jun 2 18:30:06 CEST 2005


Here is my problem:
it worked from my home for a while and now it's not working,
but my colleague has never been able to connect.
We are using WinXP SP2 as the VPN client.
Where could the problem be?
 
Thanks in Advance.
 
root at fw:~# tcpdump -n -f -i eth0 host 84.252.57.99
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:18.894628 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase 1 I
ident
18:02:18.896515 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase 1 R
ident
18:02:19.128649 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase 1 I
ident
18:02:19.225235 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase 1 R
ident
18:02:19.323317 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase 1 I
ident[E]
18:02:19.325528 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase 1 R
ident[E]
18:02:19.364660 IP 84.252.57.99 > 213.91.208.250: udp
18:02:19.420126 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I oakley-quick[E]
18:02:19.425628 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R oakley-quick[E]
18:02:19.467523 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I oakley-quick[E]
18:02:19.474631 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x1)
18:02:19.478614 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
18:02:20.478615 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
18:02:20.481420 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x2)
18:02:20.485501 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 ZLB
18:02:21.478825 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
18:02:22.516747 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x3)
18:02:26.561328 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x4)
18:02:34.475383 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x5)
18:02:44.482796 IP 84.252.57.99 > 213.91.208.250:
ESP(spi=0x9dc03add,seq=0x6)
18:02:54.504596 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I inf[E]
18:02:54.506424 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R inf[E]
18:02:54.510630 IP 84.252.57.99.500 > 213.91.208.250.500: isakmp: phase
2/others I inf[E]
18:02:54.613795 IP 213.91.208.250.500 > 84.252.57.99.500: isakmp: phase
2/others R inf[E]
 

root at fw:~# tcpdump -n -f -i ipsec0 host 84.252.57.99
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
18:03:44.588528 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:45.592545 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:47.587679 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:47.592293 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 ZLB
18:03:47.592512 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x1)
18:03:47.598581 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
18:03:47.598797 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x2)
18:03:48.598769 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
18:03:48.599007 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x3)
18:03:49.608666 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:49.608877 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x4)
18:03:50.608773 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:50.608982 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x5)
18:03:51.590446 IP 84.252.57.99.1701 > 213.91.208.250.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
18:03:51.595079 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=0,Nr=1 ZLB
18:03:51.595288 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x6)
18:03:51.618544 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:51.618747 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x7)
18:03:52.618589 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:52.618796 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x8)
18:03:53.618756 IP 213.91.208.250.1701 > 84.252.57.99.1701:
l2tp:[TLS](4/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(23967)
*RESULT_CODE(1/0 Timeout)
18:03:53.618967 IP 213.91.208.250 > 84.252.57.99:
ESP(spi=0xa7bcae4e,seq=0x9)
 
 
 
Here are the configuration files.
 
root at fw:~# cat /etc/l2tpd/l2tpd.conf
 [global]
 port = 1701
 access control = no
 rand source = dev
 [lns default]
 exclusive = no
 ip range = 192.168.0.200-192.168.0.250
 local ip = 192.168.0.3
 require chap = yes
 refuse pap = yes
 ppp debug = yes
 pppoptfile = /etc/ppp/options.l2tpd
 length bit = yes
 

 
root at fw:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
 
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
 
 
 
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        # def interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
         plutoload=%search
         plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
 

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        # def disablearrivalcheck=no
        # def authby=rsasig
        # def leftrsasigkey=%dns
        # rightrsasigkey=%dns
 

# Road-warrior connection for L2TP-over-IPsec clients (the post names WinXP SP2
# as the client). Only the IPsec side is defined here; the L2TP/PPP layer is
# configured in l2tpd.conf and options.l2tpd.
conn RoadWar
        # Gateway side: the address that answers IKE in the tcpdump captures,
        # plus its upstream next hop.
        left= 213.91.208.250
        leftnexthop= 213.91.208.249
        # Pre-shared-key authentication. Combined with right=%any below, every
        # remote client matches the same PSK entry, so the key is effectively a
        # group secret shared by all road warriors (ipsec.secrets is not shown).
        authby=secret
        # Load the connection at startup and wait for clients to initiate.
        auto=add
        # Overrides keyingtries=0 from conn %default: give up after one attempt.
        keyingtries=1
        # No perfect forward secrecy for Quick Mode.
        # NOTE(review): presumably set for the WinXP L2TP client -- confirm.
        pfs=no
        # Accept a peer from any source address.
        right=%any
        # Limit the SA on both ends to protocol 17 (UDP) port 1701, i.e. L2TP
        # only; no other traffic is covered by this tunnel.
        leftprotoport=17/1701
        # vhost: accept clients that are either not behind NAT (%no) or whose
        # inner address falls within the virtual_private ranges (%priv).
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
 
 

root at fw:~# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
#ms-dns  192.168.0.10
#ms-wins 192.168.0.10
#noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
#nodefaultroute
debug
lock
proxyarp
connect-delay 5000
#silent
logfd 2
logfile /var/log/l2tpd.log
root at fw:~#

 
 