[Openswan Users] Openswan and L2TP Problem!

Stanislav Nedelchev stanislav.nedelchev at gmail.com
Tue Jun 7 03:22:08 CEST 2005


Here is the output of Openswan after restart:

Jun  7 02:19:32 fw ipsec__plutorun: Starting Pluto subsystem...
Jun  7 02:19:32 fw pluto[22347]: Starting Pluto (Openswan Version 1.0.9)
Jun  7 02:19:32 fw pluto[22347]:   including X.509 patch with traffic selectors (Version 0.9.42)
Jun  7 02:19:32 fw pluto[22347]:   including NAT-Traversal patch (Version 0.6)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Jun  7 02:19:32 fw pluto[22347]: Changing to directory '/etc/ipsec.d/cacerts'
Jun  7 02:19:32 fw pluto[22347]:   Warning: empty directory
Jun  7 02:19:32 fw pluto[22347]: Changing to directory '/etc/ipsec.d/crls'
Jun  7 02:19:32 fw pluto[22347]:   Warning: empty directory
Jun  7 02:19:32 fw pluto[22347]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jun  7 02:19:32 fw pluto[22347]: | from whack: got --esp=3des
Jun  7 02:19:32 fw pluto[22347]: | from whack: got --ike=3des
Jun  7 02:19:32 fw pluto[22347]: added connection description "roadwarrior"
Jun  7 02:19:33 fw pluto[22347]: | from whack: got --esp=3des
Jun  7 02:19:33 fw pluto[22347]: | from whack: got --ike=3des
Jun  7 02:19:33 fw pluto[22347]: added connection description "EE-Cisco"
Jun  7 02:19:33 fw pluto[22347]: listening for IKE messages
Jun  7 02:19:33 fw pluto[22347]: adding interface ipsec0/eth0 213.91.208.250
Jun  7 02:19:33 fw pluto[22347]: adding interface ipsec0/eth0 213.91.208.250:4500
Jun  7 02:19:33 fw pluto[22347]: loading secrets from "/etc/ipsec.secrets"
Jun  7 02:19:33 fw pluto[22347]: "EE-Cisco" #1: initiating Main Mode
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: ignoring Vendor ID payload [Cisco-Unity]
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: received Vendor ID payload [Dead Peer Detection]
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: ignoring Vendor ID payload [5932ff6620ad781f5bb344c40bbf2dff]
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: ignoring Vendor ID payload [XAUTH]
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: Main mode peer ID is ID_IPV4_ADDR: '82.119.243.25'
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: ISAKMP SA established
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #2: sent QI2, IPsec SA established


On 6/7/05, Stanislav Nedelchev <stanislav.nedelchev at gmail.com> wrote:
> Linux fw 2.4.29 #7 Mon Apr 4 17:52:13 EEST 2005 i686 unknown
> 
> 5 18:45:17 fw pluto[1296]: Starting Pluto (Openswan Version 1.0.9)
> 
> I'm using Slackware on this machine.
> 
> At my home, with the same configuration,
> I can connect from my work, but at home I'm using
> Openswan 2.2 and Gentoo with kernel 2.6.11.
> It is interesting that I have
> interfaces="ipsec0=eth0" in my ipsec.conf
> but there is no added ipsec0 interface.
> Is there some reason for that?
> 
> 
> Jacco de Leeuw wrote:
> > Stanislav Nedelchev wrote:
> >
> >> l2tpd-0.70-pre20031121.orig
> >> with this patch
> >> l2tpd_0.70-pre20031121-2.diff
> >
> >
> > Looks like the Debian version. Are you using Debian? What kernel
> > are you using? What version of Openswan? What do Openswan's startup
> > messages say?
> >
> >>> If you are using KLIPS you cannot use NAT-T with a PSK (as far as I
> >>> know).
> >>
> >> But one peer is not NAT-ed.
> >
> >
> > Ah, I see. It was not clear to me that you tried twice with and without
> > NAT.
> >
> >> conn roadwarrior
> >>        authby=secret
> >>        right=%any
> >
> >
> > Is this supported by KLIPS nowadays? What if you use the IP address of
> > the client here? (And also change the IP address in ipsec.secrets).
> >
> >> This is the log file for the peer that is not NAT-ed
> >>
> >> Jun  6 22:15:44 fw l2tpd[21242]: control_xmit: Unable to deliver closing
> >> message for tunnel 33619. Destroying anyway.
> >
> >
> > Did you clear rp_filter?
> > echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> >
> > If all else fails you can send me your (compressed) ipsec barf, or you
> > can upload it somewhere for anyone to investigate.
> >
> > Jacco
> 
>
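
An added example (not part of the original post and not Openswan code): a Python script that reads a Pluto log like the one in this message, rejoins syslog lines a mail client has wrapped, and reports per connection the last state each SA reached and whether the ISAKMP and IPsec SAs were established. The function names are choices made here; the sample is an excerpt of the log from the post.

```python
import re

# Excerpt of the Pluto log from the post, wrapped the way a mail archive
# wraps long lines (continuation lines carry no syslog timestamp).
SAMPLE = """\
Jun  7 02:19:32 fw pluto[22347]: added connection description "roadwarrior"
Jun  7 02:19:33 fw pluto[22347]: added connection description "EE-Cisco"
Jun  7 02:19:33 fw pluto[22347]: "EE-Cisco" #1: initiating Main Mode
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #1: ISAKMP SA established
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jun  7 02:19:34 fw pluto[22347]: "EE-Cisco" #2: sent QI2, IPsec SA established
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ADDED = re.compile(r'added connection description "([^"]+)"')
EVENT = re.compile(r'pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
MOVE = re.compile(r"transition from state (\S+) to state (\S+)")

def unwrap(text):
    """Rejoin continuation lines: any line without a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map connection name -> last state per SA number and established SAs."""
    conns = {}
    for rec in unwrap(text):
        m = ADDED.search(rec) or EVENT.search(rec)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"states": {}, "isakmp": False, "ipsec": False})
        if m.re is EVENT:
            sa, msg = m.group(2), m.group(3)
            t = MOVE.search(msg)
            if t:
                c["states"][sa] = t.group(2)
            c["isakmp"] |= "ISAKMP SA established" in msg
            c["ipsec"] |= "IPsec SA established" in msg
    return conns

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(name, info)
```

On the log in this message, "EE-Cisco" completes both Main Mode and Quick Mode, while "roadwarrior" has only been loaded and shows no negotiation at all.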

