[Openswan Users] L2TP/IPSEC (yet)

Giovani Moda giovani at mrinformatica.com.br
Sat Nov 19 00:37:52 CET 2005


Good news,

I got my IPSEC tunnel to communicate with L2TPD daemon. It turned out to
be the XP Box (what a surprise, huh?). George Ou's script
(http://www.lanarchitect.net/Articles/FixSP2VPN/) was the missing piece to
the puzzle. The funny thing is that I had already manually changed the
registry key for NAT-T in SP2, but that didn't work. Maybe there's
something else in that script...

But that's not over yet. After connecting and authenticating with
l2tp/ipsec, I can successfully ping the remote host. So far so good. But,
when I try to access something inside the remote network, or even send
larger packets with ping, I get:

Nov 19 00:08:28 main pluto[20429]: ERROR: asynchronous network error
report on eth0 (sport=4500) for message to 200... port 50818, complainant
200...: Connection refused [errno 111, origin ICMP type 3 code 3 (not
authenticated)]

And the tunnel dies. The connection at the XP box is still active, so when
I disconnect it, I get:

Nov 19 00:08:48 main pluto[20429]: | NAT-T: new mapping 200...:50818/50843)
Nov 19 00:08:48 main pluto[20429]: | pfkey_lib_debug:pfkey_msg_parse:
satype 0 conversion to proto failed for msg_type 2 (update).
Nov 19 00:08:48 main pluto[20429]: | pfkey_lib_debug:pfkey_msg_build:
Trouble parsing newly built pfkey message, error=-22.
Nov 19 00:08:48 main pluto[20429]: "inet-XP"[2] 200... #2: pfkey_msg_build
of Add SA esp.e23a8684 at 200.161.199.83 failed, code -22
Nov 19 00:08:48 main pluto[20429]: "inet-XP"[2] 200... #1: received Delete
SA(0x070206a2) payload: deleting IPSEC State #2
Nov 19 00:08:48 main pluto[20429]: "inet-XP"[2] 200... #1: received and
ignored informational message
Nov 19 00:08:48 main pluto[20429]: "inet-XP"[2] 200... #1: received Delete
SA payload: deleting ISAKMP State #1
Nov 19 00:08:48 main pluto[20429]: "inet-XP"[2] 200...: deleting
connection "inet-XP" instance with peer 200... {isakmp=#0/ipsec=#0}
Nov 19 00:08:48 main pluto[20429]: packet from 200...:50843: received and
ignored informational message

I tried a few things, but none of them worked. Lowered MTU and MRU (in
l2tp.conf), added leftnexthop=gatewayipnumber in ipsec.conf, disabled the
firewall... But still no luck. Has anyone been through that and can lend
me a hand?

My l2tp section at ipsec.conf is:

conn inet-XP
        pfs=no
        left=200...
        leftcert=inet.pem
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        auto=add
        rekey=no

The good news is: leftprotoport=17/%any no longer crashes pluto, KLIPS
code static in the kernel compiles without a hitch, and NAT-T works OK.

One more thing: I would like to thank everybody at Xelerance for their
great work and even greater patience to answer my (mostly dumb) questions.


Cheers,

Giovani
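
The two pluto lines that carry the most information in the post are the "asynchronous network error report" (errno 111 is ECONNREFUSED, and ICMP type 3 code 3 is "port unreachable", i.e. the peer side, or its NAT, rejected a UDP packet sent to port 50818) and the later "NAT-T: new mapping 200...:50818/50843" line, which records the peer's NAT-T port moving from 50818 to 50843. The script below is an added example, not part of the original message or of Openswan: it parses those two message formats into structured events and pairs each port-unreachable error with a later remap of the same peer port, so the two events can be spotted together in a long log. The sample log is constructed from the lines quoted in the post (peer address truncated to "200..." exactly as there); the regexes, event field names and the `correlate` helper are this example's own and assume no other pluto message formats.

```python
"""Parse Openswan pluto log lines for NAT-T UDP errors and port remaps.

Added example, not code from the original post or from Openswan. It only
understands the two message formats quoted in the post; the sample lines are
constructed from those quotes (peer address truncated to "200..." as there).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the wrapped lines from the post joined back into one
# line each, plus one unrelated line to show it is ignored.
SAMPLE_LOG = """\
Nov 19 00:08:28 main pluto[20429]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 200... port 50818, complainant 200...: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 19 00:08:48 main pluto[20429]: | NAT-T: new mapping 200...:50818/50843)
Nov 19 00:08:48 main pluto[20429]: "inet-XP"[2] 200... #1: received Delete SA(0x070206a2) payload: deleting IPSEC State #2
"""

# ICMP destination-unreachable (type 3) codes per RFC 792 / RFC 1812.
ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable",
                4: "fragmentation needed", 13: "administratively prohibited"}

# Field layout taken from the error line quoted in the post.
NET_ERR_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) "
    r"for message to (?P<peer>\S+) port (?P<dport>\d+), complainant (?P<complainant>[^:]+): "
    r"(?P<strerror>[^\[]+?) \[errno (?P<errno>\d+), origin ICMP type (?P<icmp_type>\d+) "
    r"code (?P<icmp_code>\d+)")
# "NAT-T: new mapping <peer>:<old>/<new>" as quoted in the post.
NATT_MAP_RE = re.compile(r"NAT-T: new mapping (?P<peer>\S+?):(?P<old_port>\d+)/(?P<new_port>\d+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a structured event for the two line types we know, else None."""
    m = NET_ERR_RE.search(line)
    if m:
        itype, icode = int(m["icmp_type"]), int(m["icmp_code"])
        icmp = (ICMP_UNREACH.get(icode, f"unreachable code {icode}") if itype == 3
                else f"type {itype} code {icode}")
        return {"kind": "net_error", "iface": m["iface"], "sport": int(m["sport"]),
                "peer": m["peer"], "dport": int(m["dport"]),
                "errno": int(m["errno"]), "strerror": m["strerror"].strip(),
                "icmp": icmp,
                # pluto flags ICMP it could not authenticate; keep that visible.
                "icmp_unauthenticated": "(not authenticated)" in line}
    m = NATT_MAP_RE.search(line)
    if m:
        return {"kind": "natt_remap", "peer": m["peer"],
                "old_port": int(m["old_port"]), "new_port": int(m["new_port"])}
    return None


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every line, dropping the ones we do not understand."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def correlate(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair each UDP 'port unreachable' error with a later NAT-T remap of the
    same peer port. new_port is None when no such remap follows."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "net_error" or ev["icmp"] != "port unreachable":
            continue
        remap = next((e for e in events[i + 1:] if e["kind"] == "natt_remap"
                      and e["peer"] == ev["peer"] and e["old_port"] == ev["dport"]), None)
        findings.append({"peer": ev["peer"], "dead_port": ev["dport"],
                         "iface": ev["iface"], "sport": ev["sport"],
                         "errno": ev["errno"],
                         "new_port": remap["new_port"] if remap else None})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f"peer {f['peer']}: UDP {f['sport']} -> {f['dead_port']} on {f['iface']} "
              f"refused (errno {f['errno']}); remapped to port {f['new_port']}")
```

Run it against a real /var/log/secure or auth.log tail (with `plutodebug` quiet enough that the NAT-T lines still appear) by replacing `SAMPLE_LOG`; a finding with `new_port` set means the peer moved ports right after its old one stopped accepting UDP, which is the pattern to look at first when a NAT-T tunnel dies on the first large packet.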


