[Openswan Users] Openswan and L2TP Problem!
Stanislav Nedelchev
stanislav.nedelchev at gmail.com
Mon Jun 6 23:43:31 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi again,
Here are some log files.
The problem is still the same.
What can be the problem with this L2TP?
Jun 6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: responding to Main Mode from unknown peer 80.80.157.81
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: transition from state (null) to state STATE_MAIN_R1
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: Main mode peer ID is ID_FQDN: '@langomir'
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81 #3: deleting connection "roadwarrior" instance with peer 80.80.157.81
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 6 22:01:35 fw pluto[17028]: | NAT-T: new mapping 80.80.157.81:500/4500)
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #3: sent MR3, ISAKMP SA established
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: responding to Quick Mode
Jun 6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: transition from state (null) to state STATE_QUICK_R1
Jun 6 22:01:36 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 6 22:01:36 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: IPsec SA established
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: responding to Main Mode from unknown peer 84.252.57.99
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: transition from state (null) to state STATE_MAIN_R1
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: Main mode peer ID is ID_IPV4_ADDR: '84.252.57.99'
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: sent MR3, ISAKMP SA established
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: responding to Quick Mode
Jun 6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: transition from state (null) to state STATE_QUICK_R1
Jun 6 22:13:58 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 6 22:13:58 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: IPsec SA established
root at fw:~# tcpdump -n -f -i ipsec0 dst port 1701
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
22:13:58.066284 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:13:59.065533 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.062094 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.066969 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 ZLB
22:14:01.072183 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:02.072340 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:03.082291 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)
22:14:04.082348 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
22:17:54.791421 IP 80.80.157.81.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:17:55.792503 IP 80.80.157.81.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:17:57.791466 IP 80.80.157.81.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:17:57.796105 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=0,Nr=1 ZLB
22:17:57.802175 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:17:58.802334 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:17:59.812245 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(18049) *RESULT_CODE(1/0 Timeout)
22:18:00.812332 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(18049) *RESULT_CODE(1/0 Timeout)
Config files:

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        # def interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes
        # Private ranges a NATed client may sit behind; the LAN 192.168.0.0/24
        # and 192.168.66.0/24 are excluded so a client cannot claim them.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.66.0/24

conn roadwarrior
        # Only UDP/1701 (L2TP) on both ends is carried by the SA.
        leftprotoport=17/1701
        rightprotoport=17/1701
        disablearrivalcheck=no
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        left=213.91.208.250
        leftnexthop=213.91.208.249
        authby=secret
        auto=add
        keyingtries=3
        pfs=no
        # Any peer address; a NATed peer may present a host in the virtual_private ranges.
        right=%any
        rightsubnet=vhost:%no,%priv
root at fw:/var/log# cat /etc/l2tpd/l2tpd.conf
[global]
port = 1701
access control = no
rand source = dev

[lns default]
exclusive = no
# PPP peer addresses are taken from the LAN itself, hence proxyarp in the ppp options
ip range = 192.168.0.200-192.168.0.250
local ip = 192.168.0.1
require chap = yes
refuse pap = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
root at fw:/var/log# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.0.10
ms-wins 192.168.0.10
# no compression control protocol
noccp
auth
# hardware flow control: a serial-line option, harmless but meaningless over L2TP
crtscts
idle 1800
# leave room for the PPP/L2TP/UDP and IPsec overhead on a 1500-byte path
mtu 1410
mru 1410
#nodefaultroute
debug
lock
# answer ARP for the peer's LAN address on the local Ethernet
proxyarp
connect-delay 5000
#silent
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCpKdjI1Upp0RIqpERAr/kAJ46UYKBgPF3zyma8fXKNLwilADJ3gCfQZNR
Fw5vZ4lYit5f5IJ1iTcAxMs=
=L5Gw
-----END PGP SIGNATURE-----
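Reading the L2TP control exchange in a capture like the one above is quick for two peers but tedious on a busy gateway. The following Python script is an added example, not code from the original post nor from Openswan or l2tpd: it parses tcpdump's L2TP control-message decode, groups the messages per remote peer and reports how far the SCCRQ -> SCCRP -> SCCCN control-connection handshake got, including whether the LNS's SCCRP was ever acknowledged and who tore the tunnel down with which result code. The sample input is a constructed, re-joined copy of the 84.252.57.99 exchange from the capture above; the LNS address and message-type names come from that capture, while the function names and verdict strings are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the 84.252.57.99 exchange from the tcpdump output
# in the post above, with each wrapped record re-joined onto a single line.
SAMPLE_CAPTURE = """\
22:13:58.066284 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:13:59.065533 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.062094 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.066969 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 ZLB
22:14:01.072183 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:02.072340 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:03.082291 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)
22:14:04.082348 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)
"""

# One tcpdump L2TP control record: timestamp, IP/port pair, flags, tunnel/session
# ids, Ns/Nr sequence numbers and the decoded AVP body (or "ZLB").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"l2tp:\[(?P<flags>[A-Z]*)\]\((?P<tid>\d+)/(?P<sid>\d+)\)Ns=(?P<ns>\d+),Nr=(?P<nr>\d+)"
    r"(?: (?P<body>.*))?$"
)
MSGTYPE_RE = re.compile(r"\*MSGTYPE\((\w+)\)")
RESULT_RE = re.compile(r"\*RESULT_CODE\(([^)]*)\)")


@dataclass
class L2tpMsg:
    ts: str
    src: str
    dst: str
    tid: int
    ns: int
    nr: int
    msgtype: str            # SCCRQ, SCCRP, SCCCN, StopCCN, ZLB, ...
    result: Optional[str]   # e.g. "1/0 Timeout" on a StopCCN


def parse_line(line: str) -> Optional[L2tpMsg]:
    """Parse one tcpdump line; return None for anything that is not an L2TP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body") or ""
    mt = MSGTYPE_RE.search(body)
    msgtype = mt.group(1) if mt else ("ZLB" if body.startswith("ZLB") else "UNKNOWN")
    rc = RESULT_RE.search(body)
    return L2tpMsg(m.group("ts"), m.group("src"), m.group("dst"), int(m.group("tid")),
                   int(m.group("ns")), int(m.group("nr")), msgtype,
                   rc.group(1) if rc else None)


def analyse(capture: str, lns_ip: str) -> Dict[str, dict]:
    """Group control messages by remote peer and judge how far the
    SCCRQ -> SCCRP -> SCCCN handshake got from the LNS's point of view."""
    by_peer: Dict[str, List[L2tpMsg]] = defaultdict(list)
    for line in capture.splitlines():
        msg = parse_line(line)
        if msg is not None:
            by_peer[msg.dst if msg.src == lns_ip else msg.src].append(msg)

    report = {}
    for peer, msgs in by_peer.items():
        rx = [m for m in msgs if m.src == peer]   # peer -> LNS
        tx = [m for m in msgs if m.dst == peer]   # LNS -> peer
        sccrq_rx = sum(m.msgtype == "SCCRQ" for m in rx)
        sccrp_tx = sum(m.msgtype == "SCCRP" for m in tx)
        # The LNS's SCCRP is its Ns=0 message; any message from the peer carrying
        # Nr>=1 (a ZLB ack or the SCCCN itself) proves the peer received it.
        sccrp_acked = any(m.nr >= 1 for m in rx)
        scccn_rx = any(m.msgtype == "SCCCN" for m in rx)
        stops = [m for m in msgs if m.msgtype == "StopCCN"]
        stopccn = (stops[0].src, stops[0].result) if stops else None
        if scccn_rx:
            verdict = "control connection established"
        elif sccrp_tx and not sccrp_acked:
            verdict = "SCCRP sent %d time(s) but never acknowledged by the peer" % sccrp_tx
        elif sccrq_rx and not sccrp_tx:
            verdict = "SCCRQ received but the LNS never answered"
        else:
            verdict = "incomplete exchange"
        report[peer] = dict(sccrq_rx=sccrq_rx, sccrp_tx=sccrp_tx, sccrp_acked=sccrp_acked,
                            scccn_rx=scccn_rx, stopccn=stopccn, verdict=verdict)
    return report


if __name__ == "__main__":
    for peer, info in analyse(SAMPLE_CAPTURE, "213.91.208.250").items():
        print(peer)
        for key, value in info.items():
            print("  %-12s %s" % (key, value))
```

Run against the sample it reports three SCCRQs received, two SCCRPs sent, no acknowledgement, and a StopCCN with result "1/0 Timeout" sent by the LNS. One caveat when applying this to a capture taken as above: with KLIPS, packets seen leaving on ipsec0 are captured before encapsulation, so an SCCRP appearing there only shows that l2tpd answered and handed the reply to the IPsec stack. A second capture on the physical interface for ESP (or UDP 4500 for a NAT-traversal peer) is needed to confirm that the reply actually left the box encrypted towards the client.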