[Openswan Users] Can't connect Win98 MSL2TP client to OpenSwan Server

Mark Cave-Ayland m.cave-ayland at webbased.co.uk
Wed Jun 29 14:52:58 CEST 2005


Hi everyone,

I'm having trouble trying to set up a VPN using OpenSwan v1.0.7, X509
certificates, and a roadwarrior Win98 using the MSL2TP client behind a
masquerading router. This is on a Linux 2.4 kernel using KLIPS. I've so far
managed to get a MS WinXP Pro client working at the same location, but I
just can't seem to get the Win98 client to play along. I've included a copy
of my ipsec.conf and the logs from both the server and client below as I
suspect that this is where I've gone wrong. IPs have been deliberately
obscured to protect the guilty ;)


========> /etc/ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in Openswan's doc/examples file, in the HTML documentation, and online
# at http://www.openswan.org/docs/

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Don't wait for pluto to complete every plutostart before continuing
        plutowait=no
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        # MCA: Allow NATd clients to work (UDP tunneled ESP)
        nat_traversal=yes
        # MCA: Specify private networks list (we include our own)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24

# Defaults for all connection descriptions
conn %default
        keyingtries=0
        disablearrivalcheck=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        authby=rsasig
        auto=add

conn l2tp-win2kxpsp2
        # Use PSK, disable PFS
        #authby=secret
        pfs=no
        # Left (local host)
        left=213.x.x.x
        leftcert=cacerts/cacert.pem
        leftprotoport=17/1701
        leftnexthop=%defaultroute
        # Right (remote host)
        right=%any
        rightid="C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=*"
        rightprotoport=17/1701
        # Enable this connection
        auto=add
        keyingtries=8

conn l2tp-win2kxp
        # Use PSK, disable PFS
        #authby=secret
        pfs=no
        # Left (local host)
        left=213.x.x.x
        leftcert=cacerts/cacert.pem
        leftprotoport=17/0
        leftnexthop=%defaultroute
        # Right (remote host)
        right=%any
        rightid="C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=*"
        rightprotoport=17/1701
        # Enable this connection
        auto=add
        keyingtries=8


========> /var/log/messages

Jun 29 07:33:41 src at Devil pluto[22718]: packet from 217.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 29 07:33:41 src at Devil pluto[22718]: packet from 217.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 29 07:33:41 src at Devil pluto[22718]: packet from 217.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: responding to Main Mode from unknown peer 217.x.x.x
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: transition from state (null) to state STATE_MAIN_R1
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e312e302028...]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [3025dbd21062b9e53dc441c6aab5293600000000]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [da8e937880010000]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [XAUTH]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 29 07:33:42 src at Devil pluto[22718]: | protocol/port in Phase 1 ID Payload is 17/4500. accepted with port_floating NAT-T
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=Mark Cave-Ayland'
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: Issuer CRL not found
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: Issuer CRL not found
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: deleting connection "l2tp-win2kxp" instance with peer 217.x.x.x
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp" #15: deleting state (STATE_MAIN_R3)
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 29 07:33:42 src at Devil pluto[22718]: | NAT-T: new mapping 217.x.x.x:500/1024)
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x:1024 #16: sent MR3, ISAKMP SA established
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x:1024 #16: cannot respond to IPsec SA request because no connection is known for 213.x.x.x:4500[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, CN=vpn.webbased.co.uk]:17/1701...217.x.x.x:1024[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=Mark Cave-Ayland]:17/1701===192.168.1.3/32
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x:1024 #16: sending encrypted notification INVALID_ID_INFORMATION to 217.x.x.x:1024


========> isakmp.log (from Win98)

6-29: 07:32:27.470 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 1 (IP ADDR=213.x.x.x)
6-29: 07:32:27.470 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match with remote address 213.x.x.x.
6-29: 07:32:27.470 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (SA, VID, VID, VID)
6-29: 07:32:27.520 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (SA, VID)
6-29: 07:32:27.520 Microsoft IPsec VPN\L2TP/IPsec - Peer is NAT-T draft-02 capable
6-29: 07:32:27.520 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID, VID, VID, VID)
6-29: 07:32:27.580 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D)
6-29: 07:32:27.960 Microsoft IPsec VPN\L2TP/IPsec - NAT is detected for Client
6-29: 07:32:27.960 Microsoft IPsec VPN\L2TP/IPsec - Floating to IKE non-500 port
6-29: 07:32:27.960 Microsoft IPsec VPN\L2TP/IPsec - Using auto-selected user certificate "Mark Cave-Ayland's WebBased Ltd ID".
6-29: 07:32:28.070 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG)
6-29: 07:32:28.130 NO MATCHING SECURE CONNECTION - RECEIVED<<< ISAKMP OAK INFO *(Opaque)
6-29: 07:32:28.130 NO MATCHING SECURE CONNECTION - Received message for non-active SA
6-29: 07:32:28.130 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM *(ID, CERT, SIG)
6-29: 07:32:28.290 Microsoft IPsec VPN\L2TP/IPsec - Established IKE SA
6-29: 07:32:28.290    MY COOKIE 19 76 4 23 d2 c3 23 1b
6-29: 07:32:28.290    HIS COOKIE 11 64 72 78 a3 7d ba e7
6-29: 07:32:28.290 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 2 with Client IDs (message id: 5E9BF955)
6-29: 07:32:28.290   Initiator = IP ADDR=192.168.1.3, prot = 17 port = 1701
6-29: 07:32:28.290   Responder = IP ADDR=213.x.x.x, prot = 17 port = 1701
6-29: 07:32:28.290 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NAT-OA)
6-29: 07:32:28.350 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
6-29: 07:32:28.350 Microsoft IPsec VPN\L2TP/IPsec - Discarding SA negotiation
6-29: 07:32:28.350 Microsoft IPsec VPN\L2TP/IPsec - Deleting IKE SA (IP ADDR=213.x.x.x)
6-29: 07:32:28.350    MY COOKIE 19 76 4 23 d2 c3 23 1b
6-29: 07:32:28.350    HIS COOKIE 11 64 72 78 a3 7d ba e7


I've correctly installed the vpn certificate on the Win98 client, and
ensured that it is in the trusted publishers group. If anyone could explain
what I need to do to get this to work, I would be very grateful (BTW a big
thanks to Jacco for webpages which have been invaluable in setting this up).


Many thanks in advance,

Mark.

------------------------
WebBased Ltd
17 Research Way
Tamar Science Park
Plymouth
PL6 8BT 

T: +44 (0)1752 797131
F: +44 (0)1752 791023
W: http://www.webbased.co.uk
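A small parser for the pluto line that ends the server-side exchange above. This is an added example written for this thread; it is not Openswan code and not something the poster supplied. The log line and the virtual_private string are copied from the message, and everything else (the function names, the dataclass fields, the wording of the diagnosis) is an assumption of the example. The script splits pluto's "no connection is known for left...right" text into its two ends, so it is plain what the gateway was trying to match: the peer's Phase 2 client ID is 192.168.1.3/32, the private address behind the NAT (the same address the Win98 isakmp.log shows as "Initiator = IP ADDR=192.168.1.3"), while a conn instantiated from right=%any knows the peer only by its outer address 217.x.x.x. The helper also checks the proposed network against the config's virtual_private list, including its two !exclusions. Openswan's ipsec.conf(5) documents rightsubnet=vhost:%priv,%no as the setting that lets a conn accept a virtual client address covered by virtual_private; whether that is the whole story for this Win98 client is not something the post establishes, so the diagnosis string reports the mismatch and leaves the fix to the reader.

```python
"""Pull the endpoints out of pluto's "no connection is known for" line.

Added example for this thread, not Openswan code.  The log line and the
virtual_private string are copied from the post (public IPs were obscured
by the author, so the address pattern also accepts 'x' octets).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Copied verbatim from the posted /var/log/messages.
POSTED_LINE = (
    'Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x:1024 #16: '
    'cannot respond to IPsec SA request because no connection is known for '
    '213.x.x.x:4500[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, CN=vpn.webbased.co.uk]'
    ':17/1701...217.x.x.x:1024[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, '
    'CN=Mark Cave-Ayland]:17/1701===192.168.1.3/32'
)
# Copied from the posted ipsec.conf.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:!192.168.2.0/24,%v4:!192.168.3.0/24")


@dataclass
class End:
    addr: str              # outer address as logged (e.g. 217.x.x.x)
    port: Optional[int]    # UDP port pluto is using; 4500/1024 means NAT-T floated
    ident: str             # Phase 1 ID, an X.509 DN here
    protoport: str         # Phase 2 selector proto/port, e.g. 17/1701
    subnet: Optional[str]  # Phase 2 client network; None means "own address"


@dataclass
class Mismatch:
    left: End   # this gateway
    right: End  # the peer, as pluto saw it


_ADDR = r"[0-9x.]+"
# pluto prints: [leftsubnet===]left:port[leftid]:proto/port...right:port[rightid]:proto/port[===rightsubnet]
_NO_CONN = re.compile(
    r"no connection is known for "
    r"(?:(?P<lsub>" + _ADDR + r"/\d+)===)?"
    r"(?P<laddr>" + _ADDR + r")(?::(?P<lport>\d+))?\[(?P<lid>[^\]]*)\]:(?P<lpp>\d+/\d+)"
    r"\.\.\."
    r"(?P<raddr>" + _ADDR + r")(?::(?P<rport>\d+))?\[(?P<rid>[^\]]*)\]:(?P<rpp>\d+/\d+)"
    r"(?:===(?P<rsub>" + _ADDR + r"/\d+))?"
)


def parse_no_connection(line: str) -> Optional[Mismatch]:
    """Return the two endpoints pluto could not match, or None for other lines."""
    m = _NO_CONN.search(line)
    if m is None:
        return None
    g = m.groupdict()

    def port(key: str) -> Optional[int]:
        return int(g[key]) if g[key] else None

    return Mismatch(
        End(g["laddr"], port("lport"), g["lid"], g["lpp"], g["lsub"]),
        End(g["raddr"], port("rport"), g["rid"], g["rpp"], g["rsub"]),
    )


def allowed_by_virtual_private(subnet: str, virtual_private: str) -> bool:
    """True if subnet lies inside an included %v4 range and touches no %v4:! exclusion."""
    net = ipaddress.ip_network(subnet, strict=False)
    included, excluded = [], []
    for item in virtual_private.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # %v6 entries are not handled in this example
        body = item[4:]
        (excluded if body.startswith("!") else included).append(
            ipaddress.ip_network(body.lstrip("!"), strict=False))
    return (any(net.subnet_of(n) for n in included)
            and not any(net.overlaps(n) for n in excluded))


def diagnose(mm: Mismatch, virtual_private: str) -> str:
    """Describe the Phase 2 client ID the gateway had no conn for (wording is mine)."""
    peer = mm.right
    if peer.subnet is None:
        return "peer used its outer address %s as client ID; check protoport settings" % peer.addr
    net = ipaddress.ip_network(peer.subnet, strict=False)
    if not net.is_private:
        return "peer proposed public client network %s behind outer address %s" % (peer.subnet, peer.addr)
    covered = allowed_by_virtual_private(peer.subnet, virtual_private)
    return ("NATed peer %s:%s proposed its private address %s as Phase 2 client ID, "
            "which is not the outer address a plain right=%%any conn expects "
            "(virtual_private %s it)"
            % (peer.addr, peer.port, peer.subnet, "covers" if covered else "does not cover"))


if __name__ == "__main__":
    found = parse_no_connection(POSTED_LINE)
    print(found)
    print(diagnose(found, VIRTUAL_PRIVATE))
```

Run as a script it prints the two parsed ends and the diagnosis for the posted line; pointed at a whole /var/log/messages, parse_no_connection returns None for every line that is not this diagnostic, so it can be used as a filter before looking at the rest of the negotiation.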



