[Openswan Users]
Can't connect Win98 MSL2TP client to OpenSwan Server
Mark Cave-Ayland
m.cave-ayland at webbased.co.uk
Wed Jun 29 14:52:58 CEST 2005
Hi everyone,
I'm having trouble trying to set up a VPN using OpenSwan v1.0.7, X509
certificates, and a roadwarrior Win98 using the MSL2TP client behind a
masquerading router. This is on a Linux 2.4 kernel using KLIPS. I've so far
managed to get a MS WinXP Pro client working at the same location, but I
just can't seem to get the Win98 client to play along. I've included a copy
of my ipsec.conf and the logs from both the server and client below as I
suspect that this is where I've gone wrong. IPs have been deliberately
obscured to protect the guilty ;)
========> /etc/ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in Openswan's doc/examples file, in the HTML documentation, and online
# at http://www.openswan.org/docs/

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Don't wait for pluto to complete every plutostart before continuing
        plutowait=no
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        # MCA: Allow NATd clients to work (UDP tunneled ESP)
        nat_traversal=yes
        # MCA: Specify private networks list (we include our own)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24

# Defaults for all connection descriptions
conn %default
        keyingtries=0
        disablearrivalcheck=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        authby=rsasig
        auto=add

conn l2tp-win2kxpsp2
        # Use PSK, disable PFS
        #authby=secret
        pfs=no
        # Left (local host)
        left=213.x.x.x
        leftcert=cacerts/cacert.pem
        leftprotoport=17/1701
        leftnexthop=%defaultroute
        # Right (remote host)
        right=%any
        rightid="C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=*"
        rightprotoport=17/1701
        # Enable this connection
        auto=add
        keyingtries=8

conn l2tp-win2kxp
        # Use PSK, disable PFS
        #authby=secret
        pfs=no
        # Left (local host)
        left=213.x.x.x
        leftcert=cacerts/cacert.pem
        leftprotoport=17/0
        leftnexthop=%defaultroute
        # Right (remote host)
        right=%any
        rightid="C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=*"
        rightprotoport=17/1701
        # Enable this connection
        auto=add
        keyingtries=8
========> /var/log/messages
Jun 29 07:33:41 src at Devil pluto[22718]: packet from 217.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 29 07:33:41 src at Devil pluto[22718]: packet from 217.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 29 07:33:41 src at Devil pluto[22718]: packet from 217.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: responding to Main Mode from unknown peer 217.x.x.x
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: transition from state (null) to state STATE_MAIN_R1
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e312e302028...]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [3025dbd21062b9e53dc441c6aab5293600000000]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [da8e937880010000]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: ignoring Vendor ID payload [XAUTH]
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 29 07:33:41 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 29 07:33:42 src at Devil pluto[22718]: | protocol/port in Phase 1 ID Payload is 17/4500. accepted with port_floating NAT-T
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=Mark Cave-Ayland'
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: Issuer CRL not found
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: Issuer CRL not found
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: deleting connection "l2tp-win2kxp" instance with peer 217.x.x.x
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp" #15: deleting state (STATE_MAIN_R3)
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x #16: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 29 07:33:42 src at Devil pluto[22718]: | NAT-T: new mapping 217.x.x.x:500/1024)
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x:1024 #16: sent MR3, ISAKMP SA established
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x:1024 #16: cannot respond to IPsec SA request because no connection is known for 213.x.x.x:4500[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, CN=vpn.webbased.co.uk]:17/1701...217.x.x.x:1024[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=Mark Cave-Ayland]:17/1701===192.168.1.3/32
Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 217.x.x.x:1024 #16: sending encrypted notification INVALID_ID_INFORMATION to 217.x.x.x:1024
========> isakmp.log (from Win98)
6-29: 07:32:27.470 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 1 (IP ADDR=213.x.x.x)
6-29: 07:32:27.470 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match with remote address 213.x.x.x.
6-29: 07:32:27.470 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (SA, VID, VID, VID)
6-29: 07:32:27.520 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (SA, VID)
6-29: 07:32:27.520 Microsoft IPsec VPN\L2TP/IPsec - Peer is NAT-T draft-02 capable
6-29: 07:32:27.520 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID, VID, VID, VID)
6-29: 07:32:27.580 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D)
6-29: 07:32:27.960 Microsoft IPsec VPN\L2TP/IPsec - NAT is detected for Client
6-29: 07:32:27.960 Microsoft IPsec VPN\L2TP/IPsec - Floating to IKE non-500 port
6-29: 07:32:27.960 Microsoft IPsec VPN\L2TP/IPsec - Using auto-selected user certificate "Mark Cave-Ayland's WebBased Ltd ID".
6-29: 07:32:28.070 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG)
6-29: 07:32:28.130 NO MATCHING SECURE CONNECTION - RECEIVED<<< ISAKMP OAK INFO *(Opaque)
6-29: 07:32:28.130 NO MATCHING SECURE CONNECTION - Received message for non-active SA
6-29: 07:32:28.130 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM *(ID, CERT, SIG)
6-29: 07:32:28.290 Microsoft IPsec VPN\L2TP/IPsec - Established IKE SA
6-29: 07:32:28.290 MY COOKIE 19 76 4 23 d2 c3 23 1b
6-29: 07:32:28.290 HIS COOKIE 11 64 72 78 a3 7d ba e7
6-29: 07:32:28.290 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 2 with Client IDs (message id: 5E9BF955)
6-29: 07:32:28.290 Initiator = IP ADDR=192.168.1.3, prot = 17 port = 1701
6-29: 07:32:28.290 Responder = IP ADDR=213.x.x.x, prot = 17 port = 1701
6-29: 07:32:28.290 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NAT-OA)
6-29: 07:32:28.350 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
6-29: 07:32:28.350 Microsoft IPsec VPN\L2TP/IPsec - Discarding SA negotiation
6-29: 07:32:28.350 Microsoft IPsec VPN\L2TP/IPsec - Deleting IKE SA (IP ADDR=213.x.x.x)
6-29: 07:32:28.350 MY COOKIE 19 76 4 23 d2 c3 23 1b
6-29: 07:32:28.350 HIS COOKIE 11 64 72 78 a3 7d ba e7
I've correctly installed the vpn certificate on the Win98 client, and
ensured that it is in the trusted publishers group. If anyone could explain
what I need to do to get this to work, I would be very grateful (BTW a big
thanks to Jacco for webpages which have been invaluable in setting this up).
Many thanks in advance,
Mark.
------------------------
WebBased Ltd
17 Research Way
Tamar Science Park
Plymouth
PL6 8BT
T: +44 (0)1752 797131
F: +44 (0)1752 791023
W: http://www.webbased.co.uk
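The Phase 2 failure in the server log above ("cannot respond to IPsec SA request because no connection is known for ... ===192.168.1.3/32") can be checked mechanically against the conn definitions. The following Python script is an added example; it is not part of Mark's post and not Openswan code. It parses that pluto line into its left/right selectors and the client subnet the peer proposed, parses the post's own virtual_private list, and reports why a conn cannot match the proposal. The public addresses are constructed RFC 5737 placeholders (203.0.113.5 for the server, 198.51.100.7 for the client's NAT box) because the post obscures them. The rule it encodes, that a NATed peer proposing its private address as its Phase 2 client is only accepted by a conn with rightsubnet=vhost:%priv,%no and that address inside virtual_private, is Openswan's documented behaviour and is an assumption about this particular setup, not something the post states.

```python
"""Diagnose a pluto "cannot respond to IPsec SA request because no connection
is known for ..." line (added example, not from the original post or Openswan).

Constructed input: the server-side pluto line and the l2tp-win2kxp conn from
the post, with the obscured public addresses replaced by RFC 5737
documentation addresses (203.0.113.5 = server, 198.51.100.7 = client NAT box).
"""
import re
from ipaddress import ip_address, ip_network

# pluto prints the unmatched Phase 2 proposal as
#   [lsubnet===]lhost[:port][lid]:proto/port...rhost[:port][rid]:proto/port[===rsubnet]
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?:(?P<lsub>[\d./]+)===)?"
    r"(?P<lhost>[\d.]+)(?::(?P<lport>\d+))?\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lpp>\d+)"
    r"\.\.\."
    r"(?P<rhost>[\d.]+)(?::(?P<rport>\d+))?\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rpp>\d+)"
    r"(?:===(?P<rsub>[\d./]+))?"
)

PLUTO_LINE = (  # constructed from the post's log entry, addresses substituted
    'Jun 29 07:33:42 src at Devil pluto[22718]: "l2tp-win2kxp"[11] 198.51.100.7:1024 #16: '
    "cannot respond to IPsec SA request because no connection is known for "
    "203.0.113.5:4500[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, CN=vpn.webbased.co.uk]:17/1701"
    "...198.51.100.7:1024[C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=Mark Cave-Ayland]:17/1701"
    "===192.168.1.3/32"
)

# virtual_private exactly as in the post's ipsec.conf
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:!192.168.2.0/24,%v4:!192.168.3.0/24")

# The post's conn l2tp-win2kxp, reduced to the selectors that matter for Phase 2 matching
CONN_WIN2KXP = {"left": "203.0.113.5", "leftprotoport": "17/0",
                "right": "%any", "rightprotoport": "17/1701"}


def parse_no_connection(line):
    """Return the proposal fields as a dict, or None if the line is something else."""
    m = NO_CONN_RE.search(line)
    return m.groupdict() if m else None


def parse_virtual_private(spec):
    """Split '%v4:a/b,%v4:!c/d' into (included networks, excluded networks)."""
    include, exclude = [], []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        _family, _, net = item.partition(":")          # drop the %v4 / %v6 tag
        (exclude if net.startswith("!") else include).append(ip_network(net.lstrip("!")))
    return include, exclude


def virtual_private_allows(spec, addr):
    """True if addr lies in an included range and in no excluded (!) range."""
    include, exclude = parse_virtual_private(spec)
    a = ip_address(addr)
    return any(a in n for n in include) and not any(a in n for n in exclude)


def protoport_matches(configured, proposed):
    """'17/0' in a conn means any UDP port; otherwise proto and port must both agree."""
    cproto, cport = configured.split("/")
    pproto, pport = proposed.split("/")
    return cproto == pproto and (cport == "0" or cport == pport)


def diagnose(line, conn, virtual_private):
    """List the reasons `conn` cannot serve the proposal logged in `line`.

    Assumption (documented Openswan behaviour, not stated in the post): a peer
    behind NAT proposes its private address as its Phase 2 client, and such a
    proposal is only accepted by a conn whose rightsubnet covers it, e.g.
    rightsubnet=vhost:%priv,%no with the address inside virtual_private.
    """
    p = parse_no_connection(line)
    if p is None:
        return ["not a 'no connection is known for' line"]
    findings = []
    for side in ("left", "right"):
        proposed = f"{p[side[0] + 'proto']}/{p[side[0] + 'pp']}"
        configured = conn.get(side + "protoport", "0/0")
        if not protoport_matches(configured, proposed):
            findings.append(f"{side}protoport={configured} does not cover proposed {proposed}")
    rsub = p["rsub"]
    if rsub:
        client = ip_network(rsub)
        natted = client.prefixlen == 32 and str(client.network_address) != p["rhost"]
        rightsubnet = conn.get("rightsubnet")
        if rightsubnet is None:
            findings.append(
                f"peer {p['rhost']}:{p['rport']} proposes client {rsub}"
                + (" (a NATed inner address)" if natted else "")
                + " but conn has no rightsubnet; NATed roadwarriors need rightsubnet=vhost:%priv,%no")
        elif rightsubnet.startswith("vhost:"):
            if "%priv" in rightsubnet and not virtual_private_allows(
                    virtual_private, str(client.network_address)):
                findings.append(f"{rsub} is not allowed by virtual_private={virtual_private}")
        elif not client.subnet_of(ip_network(rightsubnet)):
            findings.append(f"proposed client {rsub} is outside rightsubnet={rightsubnet}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(PLUTO_LINE, CONN_WIN2KXP, VIRTUAL_PRIVATE):
        print("-", finding)
```

Run against the post's data it reports a single finding: both protoport selectors cover the proposal (17/0 on the left accepts any UDP port), but the peer behind NAT proposes 192.168.1.3/32 and neither conn declares a rightsubnet, so pluto has no connection whose right client matches and answers with INVALID_ID_INFORMATION, which is exactly what both logs show. The same script reports a virtual_private exclusion if the client's LAN had been one of the `!` ranges.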