[Openswan Users] Openswan and L2TP Problem!

Stanislav Nedelchev stanislav.nedelchev at gmail.com
Mon Jun 6 23:43:31 CEST 2005



Hi again,

Here are some log files.
The problem is still the same.
What can be the problem with this L2TP?

Jun  6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun  6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun  6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun  6 22:01:35 fw pluto[17028]: packet from 80.80.157.81:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: responding to Main Mode from unknown peer 80.80.157.81
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: transition from state (null) to state STATE_MAIN_R1
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[1] 80.80.157.81 #3: Main mode peer ID is ID_FQDN: '@langomir'
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81 #3: deleting connection "roadwarrior" instance with peer 80.80.157.81
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun  6 22:01:35 fw pluto[17028]: | NAT-T: new mapping 80.80.157.81:500/4500)
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #3: sent MR3, ISAKMP SA established
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: responding to Quick Mode
Jun  6 22:01:35 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: transition from state (null) to state STATE_QUICK_R1
Jun  6 22:01:36 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun  6 22:01:36 fw pluto[17028]: "roadwarrior"[2] 80.80.157.81:4500 #4: IPsec SA established


Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: responding to Main Mode from unknown peer 84.252.57.99
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: transition from state (null) to state STATE_MAIN_R1
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: Main mode peer ID is ID_IPV4_ADDR: '84.252.57.99'
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #9: sent MR3, ISAKMP SA established
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: responding to Quick Mode
Jun  6 22:13:57 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: transition from state (null) to state STATE_QUICK_R1
Jun  6 22:13:58 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun  6 22:13:58 fw pluto[17028]: "roadwarrior"[7] 84.252.57.99 #10: IPsec SA established



root@fw:~# tcpdump -n -f -i ipsec0 dst port 1701
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
22:13:58.066284 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:13:59.065533 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.062094 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.066969 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 ZLB
22:14:01.072183 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:02.072340 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:03.082291 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)
22:14:04.082348 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
22:17:54.791421 IP 80.80.157.81.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:17:55.792503 IP 80.80.157.81.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:17:57.791466 IP 80.80.157.81.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:17:57.796105 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=0,Nr=1 ZLB
22:17:57.802175 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:17:58.802334 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:17:59.812245 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(18049) *RESULT_CODE(1/0 Timeout)
22:18:00.812332 IP 213.91.208.250.1701 > 80.80.157.81.1701: l2tp:[TLS](8/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(18049) *RESULT_CODE(1/0 Timeout)


config files


config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        # def interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.66.0/24

conn roadwarrior
        leftprotoport=17/1701
        rightprotoport=17/1701
        disablearrivalcheck=no
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        left= 213.91.208.250
        leftnexthop= 213.91.208.249
        authby=secret
        auto=add
        keyingtries=3
        pfs=no
        right=%any
        rightsubnet=vhost:%no,%priv


root@fw:/var/log# cat /etc/l2tpd/l2tpd.conf
 [global]
 port = 1701
 access control = no
 rand source = dev
 [lns default]
 exclusive = no
 ip range = 192.168.0.200-192.168.0.250
 local ip = 192.168.0.1
 require chap = yes
 refuse pap = yes
 ppp debug = yes
 pppoptfile = /etc/ppp/options.l2tpd
 length bit = yes


root@fw:/var/log# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.0.10
ms-wins 192.168.0.10
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
#nodefaultroute
debug
lock
proxyarp
connect-delay 5000
#silent



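An added example, not part of the original message: a small Python parser for tcpdump L2TP summaries like the ones posted above, reporting per client how far the control-connection handshake (SCCRQ, SCCRP, SCCCN) got. The names `summarize`, `verdict`, `SERVER` and `SAMPLE` are this example's own; the sample input is the first capture from the message, one packet per line.

```python
import re
from collections import defaultdict

SERVER = "213.91.208.250"  # left= in the posted ipsec.conf (the LNS side)
# First capture from the message, one packet per line.
SAMPLE = """\
22:13:58.066284 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:13:59.065533 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.062094 IP 84.252.57.99.1701 > 213.91.208.250.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
22:14:01.066969 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 ZLB
22:14:01.072183 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:02.072340 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
22:14:03.082291 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)
22:14:04.082348 IP 213.91.208.250.1701 > 84.252.57.99.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(8088) *RESULT_CODE(1/0 Timeout)
"""

# Timestamp, source and destination address (port dropped), then either a
# *MSGTYPE(...) control message or a zero-length-body acknowledgement (ZLB).
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: l2tp:\[\w*\]\(\d+/\d+\)"
    r"(?:Ns=\d+,Nr=\d+)?\s*(?:\*MSGTYPE\((?P<msg>\w+)\)|(?P<zlb>ZLB))?")

def verdict(peer):
    """Classify one client's handshake from the messages seen in each direction."""
    c, s = peer["from_client"], peer["from_server"]
    if "SCCCN" in c:
        return "control connection established"
    if "SCCRP" in s and "StopCCN" in s:
        return "server sent SCCRP, saw no SCCCN, then gave up with StopCCN"
    if "SCCRQ" in c and "SCCRP" not in s:
        return "server never answered SCCRQ"
    return "incomplete capture"

def summarize(text, server):
    """Group control messages by client address and attach a verdict."""
    peers = defaultdict(lambda: {"from_client": [], "from_server": []})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines and anything that is not L2TP
        msg = m["msg"] or ("ZLB" if m["zlb"] else "DATA")
        if m["src"] == server:
            peers[m["dst"]]["from_server"].append(msg)
        else:
            peers[m["src"]]["from_client"].append(msg)
    for peer in peers.values():
        peer["verdict"] = verdict(peer)
    return dict(peers)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE, SERVER).items():
        print(ip, info["from_client"], info["from_server"], "->", info["verdict"])
```

On the posted capture this reports three SCCRQ messages from the client and ZLB, SCCRP, SCCRP, StopCCN, StopCCN from the server, with no SCCCN from the client.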