[Openswan Users] seems ok but receive 678 error
Luca Ballerini
luca.ballerini at gmail.com
Wed May 18 12:42:38 CEST 2005
Hi again,
my new scenario:
A) debianbox (1 eth with local ip, some iptables rules, openswan and l2tpd installed)
B) router (with nat to debian box for ports 50 - 4500 - 1701)
C) win2k - win xp roadwarriors with default l2tp over ipsec connection.
A <--------B<--------INTERNET<------------C
Certificate has been created in Nate Carlson's way (but already done in the past, so I think it's not the problem).
Here's a snippet of ipsec.conf:
conn roadwarrior-l2tp
        left=%defaultroute
        leftsubnet=x.x.x.x/y    # router ip and mask
        leftcert=CERTNAME.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add
and here's a log excerpt:
---BEGIN LOG SNIP---
May 18 11:38:03 SERVERNAME pluto[23206]: packet from CLIENTIP:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
May 18 11:38:03 SERVERNAME pluto[23206]: packet from CLIENTIP:500: ignoring Vendor ID payload [FRAGMENTATION]
May 18 11:38:03 SERVERNAME pluto[23206]: packet from CLIENTIP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 18 11:38:03 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: responding to Main Mode from unknown peer CLIENTIP
May 18 11:38:03 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Marche, L=Montegranaro, O=MarcoCannella, CN=MarcoCannella, E=info at marcocannella.it'
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: end certificate with identical subject and issuer not accepted
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: X.509 certificate rejected
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP #20: deleting connection "roadwarrior-l2tp" instance with peer CLIENTIP {isakmp=#0/ipsec=#0}
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP #20: I am sending my cert
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP #20: deleting connection "roadwarrior-l2tp" instance with peer CLIENTIP {isakmp=#0/ipsec=#19}
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp" #19: deleting state (STATE_QUICK_R2)
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP #20: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 18 11:38:04 SERVERNAME pluto[23206]: | NAT-T: new mapping CLIENTIP:500/4500)
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #20: sent MR3, ISAKMP SA established
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #21: responding to Quick Mode
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #21: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #21: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #21: IPsec SA established {ESP/NAT=>0xfb8f9d0e <0x49840cc2 NATOA=192.168.168.67}
May 18 11:38:39 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #20: received Delete SA(0xfb8f9d0e) payload: deleting IPSEC State #21
May 18 11:38:39 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #20: received and ignored informational message
May 18 11:38:39 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #20: received Delete SA payload: deleting ISAKMP State #20
May 18 11:38:39 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500: deleting connection "roadwarrior-l2tp" instance with peer CLIENTIP {isakmp=#0/ipsec=#0}
May 18 11:38:39 SERVERNAME pluto[23206]: packet from CLIENTIP:4500: received and ignored informational message
--- END LOG SNIP---
After some time the client returns error 678, "No answer".
Where am I wrong???
Thanks in advance and sorry for long post.
luca
--
There is no great genius without a mixture of madness.
Aristotle
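As an added example (not from the post and not Openswan's own code), a small Python triage script for pluto log lines like the excerpt above: it parses each line into connection, instance, peer and state number, flags certificate rejections, and flags an IPsec SA that the peer deleted within a minute of it being established. The sample lines are constructed from the excerpt with its SERVERNAME/CLIENTIP placeholders, and the 60-second threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: pluto lines modelled on the excerpt above, keeping its
# SERVERNAME/CLIENTIP placeholders (not a real capture).
SAMPLE_LOG = """\
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: end certificate with identical subject and issuer not accepted
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[21] CLIENTIP #20: X.509 certificate rejected
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #20: sent MR3, ISAKMP SA established
May 18 11:38:04 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #21: IPsec SA established {ESP/NAT=>0xfb8f9d0e <0x49840cc2 NATOA=192.168.168.67}
May 18 11:38:39 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #20: received Delete SA(0xfb8f9d0e) payload: deleting IPSEC State #21
May 18 11:38:39 SERVERNAME pluto[23206]: "roadwarrior-l2tp"[22] CLIENTIP:4500 #20: received Delete SA payload: deleting ISAKMP State #20
"""

# syslog prefix, then the optional "conn"[instance] peer #state: prefix pluto adds.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? )?'
    r'(?:(?P<peer>[^#\s]\S*) )?(?:#(?P<state>\d+): )?(?P<msg>.*)$'
)


def parse_line(line):
    """Split one pluto syslog line into its fields; None if it is not a pluto line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    if d["peer"]:
        d["peer"] = d["peer"].rstrip(":")
    return d


def triage(log_text, max_lifetime_s=60):
    """Flag certificate rejections and IPsec SAs the peer tore down soon after setup."""
    findings = {"cert_rejected": [], "short_lived_ipsec_sa": []}
    established = {}  # IPsec state number -> time "IPsec SA established" was logged
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        msg = ev["msg"]
        if "certificate" in msg and ("rejected" in msg or "not accepted" in msg):
            findings["cert_rejected"].append((ev["state"], msg))
        if msg.startswith("IPsec SA established") and ev["state"]:
            established[ev["state"]] = ev["ts"]
        m = re.search(r"deleting IPSEC State #(\d+)", msg)
        if m and m.group(1) in established:
            life = (ev["ts"] - established[m.group(1)]).total_seconds()
            if life <= max_lifetime_s:  # tunnel came up, then the peer dropped it at once
                findings["short_lived_ipsec_sa"].append((m.group(1), life))
    return findings
```

Run against the full excerpt, the first finding points at the client certificate (identical subject and issuer) and the second shows the IPsec SA living only 35 seconds before the client sent Delete SA, which is the window in which the L2TP exchange would have had to succeed.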