[Openswan Users] l2tpd problem?
Dennis Leist
dl at byteeffect.de
Thu May 26 02:16:24 CEST 2005
Jacco de Leeuw wrote:
> Dennis wrote:
>
>> I seem to have troubles with l2tpd and a WinXP SP2 client.
>> The connection always comes up without any trouble and works fine
>> for some time, but after about 40 check_controls
>
>
> Is this reproducable? Is this only one particular client?
Yes, it is reproducible, except for one Win2k client, which works bloody fine!
Even re-keying works, but always only on the last try.
<v/l/m>
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #57: max number of retransmissions (2) reached STATE_QUICK_I1
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #57: starting keying attempt 3 of at most 3
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #58: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #57 {using isakmp#55}
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #55: ignoring informational payload, type INVALID_ID_INFORMATION
pppd[7899]: sent [LCP EchoReq id=0xd5 magic=0xe896dc28]
pppd[7899]: rcvd [LCP EchoRep id=0xd5 magic=0x781721b4]
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: responding to Quick Mode
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: transition from state (null) to state STATE_QUICK_R1
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: IPsec SA established {ESP=>0x749608d4 <0xbd1ad6ac}
> These check_controls occur every minute, right?
Yes.
>
>> l2tpd ends the connection.
>> Therefore I think it is not the client that hangs up, but the server.
>
>
> The client does not respond to the L2TP packets so the server
> disconnects. Can you find out with a network sniffer who stops
> sending what?
>
Currently doing that. But this time the link was killed due to lack of activity.
That's okay this time. I will redo it and wait for this:
l2tpd[7363]: control_xmit: Maximum retries exceeded for tunnel 57649. Closing.
>> <oakley.log>
>
>
> The Windows Oakley.log is almost unreadable. As far as I know it
> is undocumented. For some reason Microsoft decided to localise these
> very low-level error messages (I can see that you are using a German
> XP version). What were they thinking...
The thoughts must be out there. SCNR
>
> Can you post the /var/log/secure as well?
There is no /v/l/secure.
> And your ipsec.conf/
> l2tpd.conf?
<ipsec.conf>
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    nat_traversal=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    rightrsasigkey=%dnsondemand
    left=4.3.2.2
    leftnexthop=4.3.2.1
    leftrsasigkey=%cert

# this conn works neither on Win2k nor on WinXP SP2 - at least re-keying always fails!
conn non-working
    leftrsasigkey=%cert
    authby=rsasig
    pfs=no
    leftcert=/etc/ipsec.d/gatecert.pem
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/roadwarrior.pem
    rightprotoport=17/1701
    auto=add
    keyingtries=3

# this is the well-working Win2k client
conn fine-working
    authby=rsasig
    pfs=no
    leftcert=/etc/ipsec.d/gatecert.pem
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/roadwarriorFine.pem
    rightprotoport=17/1701
    auto=add
    keyingtries=3

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
<EOF: ipsec.conf>
<l2tpd.conf>
[global]
[lns default]
ip range = 192.168.2.23-192.168.2.33
local ip = 192.168.2.70
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
<EOF: l2tpd.conf>
Thanks for the help again
Dennis
P.S.: What's the status with Mac's Tiger? Does it really work with certs?
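Jacco's question (who stops sending what?) is ultimately answered by a packet capture, but the /var/log/messages excerpt above already separates the two directions of re-keying. The following is an added example, not code from this thread, from Openswan or from l2tpd: a small Python parser that takes the log lines quoted above (embedded as a constructed sample) and tallies, per ISAKMP state number, which Quick Mode exchanges the gateway initiated, which it only responded to, which reached "IPsec SA established", which ran out of retransmissions, and where l2tpd's control_xmit gave up. The regexes are written against the message formats exactly as they appear in the excerpt; that they match other Openswan/l2tpd versions is an assumption.

```python
import re

# Constructed sample: the lines quoted in the post, one event per line,
# plus the l2tpd give-up line the poster is waiting for.
SAMPLE_LOG = """\
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #57: max number of retransmissions (2) reached STATE_QUICK_I1
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #57: starting keying attempt 3 of at most 3
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #58: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL to replace #57 {using isakmp#55}
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #55: ignoring informational payload, type INVALID_ID_INFORMATION
pppd[7899]: sent [LCP EchoReq id=0xd5 magic=0xe896dc28]
pppd[7899]: rcvd [LCP EchoRep id=0xd5 magic=0x781721b4]
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: responding to Quick Mode
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: transition from state (null) to state STATE_QUICK_R1
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[3219]: "win2l-conn"[2] 1.2.3.4 #59: IPsec SA established {ESP=>0x749608d4 <0xbd1ad6ac}
l2tpd[7363]: control_xmit: Maximum retries exceeded for tunnel 57649. Closing.
"""

# Message formats as seen in the excerpt (assumed stable across versions).
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+) of at most (\d+)')
INFO_RE = re.compile(r'ignoring informational payload, type (\S+)')
L2TP_RE = re.compile(
    r'l2tpd\[\d+\]: control_xmit: Maximum retries exceeded for tunnel (\d+)\. Closing\.')


def summarize(log_text):
    """Bucket the log by ISAKMP state number (#NN) and by daemon."""
    s = {
        "initiated": set(),        # Quick Modes the gateway started (rekeys)
        "responded": set(),        # Quick Modes the client started
        "established": set(),      # SAs that reached "IPsec SA established"
        "retrans_exhausted": {},   # sa -> state in which retransmits ran out
        "keying_attempts": {},     # sa -> (attempt, max)
        "informational": {},       # sa -> list of informational payload types
        "l2tp_closed_tunnels": [], # tunnel ids l2tpd gave up on
        "lcp_echo": {"sent": 0, "rcvd": 0},
    }
    for line in log_text.splitlines():
        m = L2TP_RE.search(line)
        if m:
            s["l2tp_closed_tunnels"].append(int(m.group(1)))
            continue
        if "pppd[" in line:
            if "sent [LCP EchoReq" in line:
                s["lcp_echo"]["sent"] += 1
            elif "rcvd [LCP EchoRep" in line:
                s["lcp_echo"]["rcvd"] += 1
            continue
        m = PLUTO_RE.search(line)
        if not m:
            continue
        sa, msg = int(m.group("sa")), m.group("msg")
        if msg.startswith("initiating Quick Mode"):
            s["initiated"].add(sa)
        elif msg.startswith("responding to Quick Mode"):
            s["responded"].add(sa)
        elif msg.startswith("IPsec SA established"):
            s["established"].add(sa)
        elif (r := RETRANS_RE.search(msg)):
            s["retrans_exhausted"][sa] = r.group(2)
        elif (a := ATTEMPT_RE.search(msg)):
            s["keying_attempts"][sa] = (int(a.group(1)), int(a.group(2)))
        elif (i := INFO_RE.search(msg)):
            s["informational"].setdefault(sa, []).append(i.group(1))
    return s


def failed_initiator_sas(s):
    """SAs the gateway initiated (or timed out as initiator) that never
    reached 'established' within the excerpt."""
    cands = set(s["initiated"])
    cands |= {sa for sa, st in s["retrans_exhausted"].items()
              if st.startswith("STATE_QUICK_I")}
    return sorted(sa for sa in cands if sa not in s["established"])


def report(s):
    """Human-readable findings; each one is a fact read off the log."""
    out = []
    failed = failed_initiator_sas(s)
    if failed:
        out.append("gateway-initiated Quick Mode never established: #%s"
                   % ", #".join(map(str, failed)))
    ok = sorted(s["responded"] & s["established"])
    if ok:
        out.append("client-initiated Quick Mode established: #%s"
                   % ", #".join(map(str, ok)))
    for sa, (k, n) in s["keying_attempts"].items():
        if k == n:
            out.append("#%d on final keying attempt %d of %d" % (sa, k, n))
    for sa, types in s["informational"].items():
        out.append("#%d: peer sent informational %s" % (sa, ", ".join(types)))
    for tid in s["l2tp_closed_tunnels"]:
        out.append("l2tpd closed tunnel %d after control_xmit retries" % tid)
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the excerpt this prints that the Quick Modes the gateway initiated (#57, #58) do not reach "IPsec SA established", while the one the client initiated (#59) does, and that the client answers the phase 1 SA #55 with INVALID_ID_INFORMATION. Those are the two events worth lining up with the capture's timestamps: whether the client ever answers the gateway's Quick Mode 1 packet, and whether l2tpd's control_xmit give-up comes before or after that.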