[Openswan Users] Openswan 2.4.3 Winxpsp2 problem with ipsec/l2tp connection

Wojciech Sobczak wojciech.sobczak at cadc.pl
Sun Nov 27 20:50:01 CET 2005


Hello,
I'm trying to establish a connection between Openswan and Windows XP.
I'm using PSK, and configured everything based on the great articles from the http://www.jacco2.dds.nl/networking/freeswan-l2tp.htm site
(using kernel 2.4.32 with the NAT-T patch on a Debian system), but for now I have a roadwarrior WinXP client and an Openswan server that are not NAT'ed (Windows with SP2 and NAT-T patches).
The problem is that I cannot connect (IPsec part).
Here are my logs and configurations:

vpngw:~# cat /var/log/auth.log
Nov 27 21:24:44 localhost pluto[2229]: shutting down
Nov 27 21:24:44 localhost pluto[2229]: forgetting secrets
Nov 27 21:24:44 localhost pluto[2229]: "l2tp-psk": deleting connection
Nov 27 21:24:44 localhost pluto[2229]: shutting down interface ipsec0/eth0 217.96.x.xx:4500
Nov 27 21:24:44 localhost pluto[2229]: shutting down interface ipsec0/eth0 217.96.x.xx:500
Nov 27 21:24:48 localhost ipsec__plutorun: Starting Pluto subsystem...
Nov 27 21:24:48 localhost pluto[2403]: Starting Pluto (Openswan Version 2.4.3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE~yatdI\134sBK)
Nov 27 21:24:48 localhost pluto[2403]: Setting NAT-Traversal port-4500 floating to on
Nov 27 21:24:48 localhost pluto[2403]:    port floating activation criteria nat_t=1/port_fload=1
Nov 27 21:24:48 localhost pluto[2403]:   including NAT-Traversal patch (Version 0.6c)
Nov 27 21:24:48 localhost pluto[2403]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 27 21:24:48 localhost pluto[2403]: starting up 1 cryptographic helpers
Nov 27 21:24:48 localhost pluto[2403]: started helper pid=2405 (fd:6)
Nov 27 21:24:48 localhost pluto[2403]: Using KLIPS IPsec interface code on 2.4.32
Nov 27 21:24:48 localhost pluto[2403]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 27 21:24:48 localhost pluto[2403]: Changing to directory '/etc/ipsec.d/aacerts'
Nov 27 21:24:48 localhost pluto[2403]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 27 21:24:48 localhost pluto[2403]: Changing to directory '/etc/ipsec.d/crls'
Nov 27 21:24:48 localhost pluto[2403]:   Warning: empty directory
Nov 27 21:24:49 localhost pluto[2403]: added connection description "l2tp-psk"
Nov 27 21:24:49 localhost pluto[2403]: listening for IKE messages
Nov 27 21:24:49 localhost pluto[2403]: adding interface ipsec0/eth0 217.96.x.xx:500
Nov 27 21:24:49 localhost pluto[2403]: adding interface ipsec0/eth0 217.96.x.xx:4500
Nov 27 21:24:49 localhost pluto[2403]: loading secrets from "/etc/ipsec.secrets"
Nov 27 21:25:33 localhost pluto[2403]: packet from 83.29.25.49:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 27 21:25:33 localhost pluto[2403]: packet from 83.29.25.49:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 27 21:25:33 localhost pluto[2403]: packet from 83.29.25.49:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 27 21:25:33 localhost pluto[2403]: packet from 83.29.25.49:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: responding to Main Mode from unknown peer 83.29.25.49
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: Main mode peer ID is ID_IPV4_ADDR: '83.29.25.49'
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: I did not send a certificate because I do not have one.
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 27 21:26:36 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: received Delete SA payload: deleting ISAKMP State #1
Nov 27 21:26:36 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49: deleting connection "l2tp-psk" instance with peer 83.29.25.49 {isakmp=#0/ipsec=#0}
Nov 27 21:26:36 localhost pluto[2403]: packet from 83.29.25.49:500: received and ignored informational message


From the Windows side:
11-27: 20:17:21:880:218 Initialization OK
11-27: 20:18:40:523:c88 QM PolicyName: L2TP Optional Encryption Quick Mode Policy dwFlags 0
11-27: 20:18:40:523:c88 QMOffer[0] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:523:c88 QMOffer[0] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:523:c88  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-27: 20:18:40:523:c88 QMOffer[1] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:523:c88 QMOffer[1] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:523:c88  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
11-27: 20:18:40:523:c88 QMOffer[2] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:523:c88 QMOffer[2] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:523:c88  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: 0
11-27: 20:18:40:533:c88 QMOffer[3] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[3] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: 0
11-27: 20:18:40:533:c88 QMOffer[4] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[4] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: SHA
11-27: 20:18:40:533:c88 QMOffer[5] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[5] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-27: 20:18:40:533:c88 QMOffer[6] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[6] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: ESP Algo: DES CBC HMAC: MD5
11-27: 20:18:40:533:c88 QMOffer[7] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[7] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: ESP Algo: DES CBC HMAC: SHA
11-27: 20:18:40:533:c88 QMOffer[8] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[8] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: DES CBC HMAC: 0
11-27: 20:18:40:533:c88 QMOffer[9] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[9] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: DES CBC HMAC: 0
11-27: 20:18:40:533:c88 QMOffer[10] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[10] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: DES CBC HMAC: SHA
11-27: 20:18:40:533:c88 QMOffer[11] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[11] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:c88  Algo[1] Operation: ESP Algo: DES CBC HMAC: MD5
11-27: 20:18:40:533:c88 QMOffer[12] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[12] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: ESP Algo: NULL DES HMAC: SHA
11-27: 20:18:40:533:c88 QMOffer[13] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[13] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: ESP Algo: NULL DES HMAC: MD5
11-27: 20:18:40:533:c88 QMOffer[14] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[14] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:c88 QMOffer[15] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:c88 QMOffer[15] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:c88  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:c88 Internal Acquire: op=00000001 src=83.29.25.49.1701 dst=217.96.x.xx.1701 proto = 17, SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 0, TunnelEndpt=0.0.0.0 Inbound TunnelEndpt=0.0.0.0, InitiateEvent=00000314, IKE SrcPort=500 IKE DstPort=500
11-27: 20:18:40:533:928 Filter to match: Src 217.96.x.xx Dst 83.29.25.49
11-27: 20:18:40:533:928 MM PolicyName: L2TP Main Mode Policy
11-27: 20:18:40:533:928 MMPolicy dwFlags 8 SoftSAExpireTime 28800
11-27: 20:18:40:533:928 MMOffer[0] LifetimeSec 28800 QMLimit 0 DHGroup 268435457
11-27: 20:18:40:533:928 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
11-27: 20:18:40:533:928 MMOffer[1] LifetimeSec 28800 QMLimit 0 DHGroup 2
11-27: 20:18:40:533:928 MMOffer[1] Encrypt: Triple DES CBC Hash: SHA
11-27: 20:18:40:533:928 MMOffer[2] LifetimeSec 28800 QMLimit 0 DHGroup 2
11-27: 20:18:40:533:928 MMOffer[2] Encrypt: Triple DES CBC Hash: MD5
11-27: 20:18:40:533:928 MMOffer[3] LifetimeSec 28800 QMLimit 0 DHGroup 1
11-27: 20:18:40:533:928 MMOffer[3] Encrypt: DES CBC Hash: SHA
11-27: 20:18:40:533:928 MMOffer[4] LifetimeSec 28800 QMLimit 0 DHGroup 1
11-27: 20:18:40:533:928 MMOffer[4] Encrypt: DES CBC Hash: MD5
11-27: 20:18:40:533:928 Auth[0]:PresharedKey KeyLen 12
11-27: 20:18:40:533:928 QM PolicyName: L2TP Optional Encryption Quick Mode Policy dwFlags 0
11-27: 20:18:40:533:928 QMOffer[0] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[0] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-27: 20:18:40:533:928 QMOffer[1] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[1] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
11-27: 20:18:40:533:928 QMOffer[2] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[2] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: 0
11-27: 20:18:40:533:928 QMOffer[3] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[3] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: 0
11-27: 20:18:40:533:928 QMOffer[4] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[4] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: SHA
11-27: 20:18:40:533:928 QMOffer[5] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[5] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-27: 20:18:40:533:928 QMOffer[6] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[6] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: ESP Algo: DES CBC HMAC: MD5
11-27: 20:18:40:533:928 QMOffer[7] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[7] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: ESP Algo: DES CBC HMAC: SHA
11-27: 20:18:40:533:928 QMOffer[8] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[8] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: 0
11-27: 20:18:40:533:928 QMOffer[9] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[9] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: 0
11-27: 20:18:40:533:928 QMOffer[10] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[10] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: SHA
11-27: 20:18:40:533:928 QMOffer[11] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[11] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: MD5
11-27: 20:18:40:533:928 QMOffer[12] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[12] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: ESP Algo: NULL DES HMAC: SHA
11-27: 20:18:40:533:928 QMOffer[13] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[13] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: ESP Algo: NULL DES HMAC: MD5
11-27: 20:18:40:533:928 QMOffer[14] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[14] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:533:928 QMOffer[15] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:533:928 QMOffer[15] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:533:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:533:928 Starting Negotiation: src = 83.29.25.49.0500, dst = 217.96.x.xx.0500, proto = 17, context = 00000000, ProxySrc = 83.29.25.49.1701, ProxyDst = 217.96.x.xx.1701 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
11-27: 20:18:40:533:928 constructing ISAKMP Header
11-27: 20:18:40:533:928 constructing SA (ISAKMP)
11-27: 20:18:40:533:928 Constructing Vendor MS NT5 ISAKMPOAKLEY
11-27: 20:18:40:533:928 Constructing Vendor FRAGMENTATION
11-27: 20:18:40:533:928 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
11-27: 20:18:40:533:928 Constructing Vendor Vid-Initial-Contact
11-27: 20:18:40:533:928 
11-27: 20:18:40:533:928 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:40:533:928 ISAKMP Header: (V1.0), len = 312
11-27: 20:18:40:533:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:40:533:928   R-COOKIE 0000000000000000
11-27: 20:18:40:533:928   exchange: Oakley Main Mode
11-27: 20:18:40:533:928   flags: 0
11-27: 20:18:40:533:928   next payload: SA
11-27: 20:18:40:533:928   message ID: 00000000
11-27: 20:18:40:533:928 Ports S:f401 D:f401
11-27: 20:18:40:533:928 Activating InitiateEvent 00000314
11-27: 20:18:40:583:928 
11-27: 20:18:40:583:928 Receive: (get) SA = 0x00105cc8 from 217.96.x.xx.500
11-27: 20:18:40:583:928 ISAKMP Header: (V1.0), len = 140
11-27: 20:18:40:583:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:40:583:928   R-COOKIE b9de73219f782cab
11-27: 20:18:40:583:928   exchange: Oakley Main Mode
11-27: 20:18:40:583:928   flags: 0
11-27: 20:18:40:583:928   next payload: SA
11-27: 20:18:40:583:928   message ID: 00000000
11-27: 20:18:40:583:928 processing payload SA
11-27: 20:18:40:583:928 Received Phase 1 Transform 1
11-27: 20:18:40:583:928      Encryption Alg Triple DES CBC(5)
11-27: 20:18:40:583:928      Hash Alg SHA(2)
11-27: 20:18:40:583:928      Oakley Group 14
11-27: 20:18:40:583:928      Auth Method Preshared Key(1)
11-27: 20:18:40:583:928      Life type in Seconds
11-27: 20:18:40:583:928      Life duration of 28800
11-27: 20:18:40:583:928 Phase 1 SA accepted: transform=1
11-27: 20:18:40:583:928 SA - Oakley proposal accepted
11-27: 20:18:40:583:928 processing payload VENDOR ID
11-27: 20:18:40:583:928 processing payload VENDOR ID
11-27: 20:18:40:583:928 processing payload VENDOR ID
11-27: 20:18:40:583:928 Received VendorId draft-ietf-ipsec-nat-t-ike-02
11-27: 20:18:40:583:928 ClearFragList
11-27: 20:18:40:583:928 constructing ISAKMP Header
11-27: 20:18:40:773:928 constructing KE
11-27: 20:18:40:773:928 constructing NONCE (ISAKMP)
11-27: 20:18:40:773:928 Constructing NatDisc
11-27: 20:18:40:773:928 
11-27: 20:18:40:773:928 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:40:773:928 ISAKMP Header: (V1.0), len = 360
11-27: 20:18:40:773:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:40:773:928   R-COOKIE b9de73219f782cab
11-27: 20:18:40:773:928   exchange: Oakley Main Mode
11-27: 20:18:40:773:928   flags: 0
11-27: 20:18:40:773:928   next payload: KE
11-27: 20:18:40:773:928   message ID: 00000000
11-27: 20:18:40:773:928 Ports S:f401 D:f401
11-27: 20:18:40:874:928 
11-27: 20:18:40:874:928 Receive: (get) SA = 0x00105cc8 from 217.96.x.xx.500
11-27: 20:18:40:874:928 ISAKMP Header: (V1.0), len = 356
11-27: 20:18:40:874:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:40:874:928   R-COOKIE b9de73219f782cab
11-27: 20:18:40:874:928   exchange: Oakley Main Mode
11-27: 20:18:40:874:928   flags: 0
11-27: 20:18:40:874:928   next payload: KE
11-27: 20:18:40:874:928   message ID: 00000000
11-27: 20:18:40:874:928 processing payload KE
11-27: 20:18:40:954:928 processing payload NONCE
11-27: 20:18:40:954:928 processing payload NATDISC
11-27: 20:18:40:954:928 Processing NatHash
11-27: 20:18:40:954:928 Nat hash 440d2c010fea6ee6967548da4045b92c
11-27: 20:18:40:954:928 e4461edb
11-27: 20:18:40:954:928 SA StateMask2 e
11-27: 20:18:40:954:928 processing payload NATDISC
11-27: 20:18:40:954:928 Processing NatHash
11-27: 20:18:40:954:928 Nat hash 8b1746b31c1ddabd4751980e1cffafda
11-27: 20:18:40:954:928 bec26ec1
11-27: 20:18:40:954:928 SA StateMask2 8e
11-27: 20:18:40:954:928 ClearFragList
11-27: 20:18:40:954:928 constructing ISAKMP Header
11-27: 20:18:40:954:928 constructing ID
11-27: 20:18:40:954:928 MM ID Type 1
11-27: 20:18:40:954:928 MM ID 531d1931
11-27: 20:18:40:954:928 constructing HASH
11-27: 20:18:40:954:928 
11-27: 20:18:40:954:928 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:40:954:928 ISAKMP Header: (V1.0), len = 68
11-27: 20:18:40:954:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:40:954:928   R-COOKIE b9de73219f782cab
11-27: 20:18:40:954:928   exchange: Oakley Main Mode
11-27: 20:18:40:954:928   flags: 1 ( encrypted )
11-27: 20:18:40:954:928   next payload: ID
11-27: 20:18:40:954:928   message ID: 00000000
11-27: 20:18:40:954:928 Ports S:f401 D:f401
11-27: 20:18:40:984:928 
11-27: 20:18:40:984:928 Receive: (get) SA = 0x00105cc8 from 217.96.x.xx.500
11-27: 20:18:40:984:928 ISAKMP Header: (V1.0), len = 68
11-27: 20:18:40:984:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:40:984:928   R-COOKIE b9de73219f782cab
11-27: 20:18:40:984:928   exchange: Oakley Main Mode
11-27: 20:18:40:984:928   flags: 1 ( encrypted )
11-27: 20:18:40:984:928   next payload: ID
11-27: 20:18:40:984:928   message ID: 00000000
11-27: 20:18:40:984:928 processing payload ID
11-27: 20:18:40:984:928 processing payload HASH
11-27: 20:18:40:984:928 AUTH: Phase I authentication accepted
11-27: 20:18:40:984:928 ClearFragList
11-27: 20:18:40:984:928 MM established.  SA: 00105CC8
11-27: 20:18:40:984:928 QM PolicyName: L2TP Optional Encryption Quick Mode Policy dwFlags 0
11-27: 20:18:40:984:928 QMOffer[0] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[0] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-27: 20:18:40:984:928 QMOffer[1] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[1] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
11-27: 20:18:40:984:928 QMOffer[2] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[2] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: 0
11-27: 20:18:40:984:928 QMOffer[3] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[3] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: 0
11-27: 20:18:40:984:928 QMOffer[4] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[4] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: SHA
11-27: 20:18:40:984:928 QMOffer[5] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[5] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: Triple DES CBC HMAC: MD5
11-27: 20:18:40:984:928 QMOffer[6] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[6] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: ESP Algo: DES CBC HMAC: MD5
11-27: 20:18:40:984:928 QMOffer[7] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[7] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: ESP Algo: DES CBC HMAC: SHA
11-27: 20:18:40:984:928 QMOffer[8] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[8] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: 0
11-27: 20:18:40:984:928 QMOffer[9] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[9] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: 0
11-27: 20:18:40:984:928 QMOffer[10] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[10] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: SHA
11-27: 20:18:40:984:928 QMOffer[11] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[11] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:984:928  Algo[1] Operation: ESP Algo: DES CBC HMAC: MD5
11-27: 20:18:40:984:928 QMOffer[12] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[12] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: ESP Algo: NULL DES HMAC: SHA
11-27: 20:18:40:984:928 QMOffer[13] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[13] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: ESP Algo: NULL DES HMAC: MD5
11-27: 20:18:40:984:928 QMOffer[14] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[14] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: SHA
11-27: 20:18:40:984:928 QMOffer[15] LifetimeKBytes 250000 LifetimeSec 3600
11-27: 20:18:40:984:928 QMOffer[15] dwFlags 0 dwPFSGroup 0
11-27: 20:18:40:984:928  Algo[0] Operation: AH Algo: MD5
11-27: 20:18:40:984:928 GetSpi: src = 217.96.x.xx.1701, dst = 83.29.25.49.1701, proto = 17, context = 00000000, srcMask = 255.255.255.255, destMask = 255.255.255.255, TunnelFilter 0
11-27: 20:18:40:984:928 Setting SPI  3879650508
11-27: 20:18:40:984:928 constructing ISAKMP Header
11-27: 20:18:40:984:928 constructing HASH (null)
11-27: 20:18:40:984:928 constructing SA (IPSEC)
11-27: 20:18:40:984:928 constructing NONCE (IPSEC)
11-27: 20:18:40:984:928 constructing ID (proxy)
11-27: 20:18:40:984:928 constructing ID (proxy)
11-27: 20:18:40:984:928 constructing HASH (QM)
11-27: 20:18:40:984:928 
11-27: 20:18:40:984:928 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:40:984:928 ISAKMP Header: (V1.0), len = 1300
11-27: 20:18:40:984:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:40:984:928   R-COOKIE b9de73219f782cab
11-27: 20:18:40:984:928   exchange: Oakley Quick Mode
11-27: 20:18:40:984:928   flags: 1 ( encrypted )
11-27: 20:18:40:984:928   next payload: HASH
11-27: 20:18:40:984:928   message ID: cbe52755
11-27: 20:18:40:984:928 Ports S:f401 D:f401
11-27: 20:18:41:905:bd8 retransmit: sa = 00105CC8 centry 000E1158 , count = 1
11-27: 20:18:41:905:bd8 
11-27: 20:18:41:905:bd8 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:41:905:bd8 ISAKMP Header: (V1.0), len = 1300
11-27: 20:18:41:905:bd8   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:41:905:bd8   R-COOKIE b9de73219f782cab
11-27: 20:18:41:905:bd8   exchange: Oakley Quick Mode
11-27: 20:18:41:905:bd8   flags: 1 ( encrypted )
11-27: 20:18:41:905:bd8   next payload: HASH
11-27: 20:18:41:905:bd8   message ID: cbe52755
11-27: 20:18:41:905:bd8 Ports S:f401 D:f401
11-27: 20:18:43:898:bd8 retransmit: sa = 00105CC8 centry 000E1158 , count = 2
11-27: 20:18:43:898:bd8 
11-27: 20:18:43:898:bd8 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:43:898:bd8 ISAKMP Header: (V1.0), len = 1300
11-27: 20:18:43:898:bd8   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:43:898:bd8   R-COOKIE b9de73219f782cab
11-27: 20:18:43:898:bd8   exchange: Oakley Quick Mode
11-27: 20:18:43:898:bd8   flags: 1 ( encrypted )
11-27: 20:18:43:898:bd8   next payload: HASH
11-27: 20:18:43:898:bd8   message ID: cbe52755
11-27: 20:18:43:898:bd8 Ports S:f401 D:f401
11-27: 20:18:47:904:bd8 retransmit: sa = 00105CC8 centry 000E1158 , count = 3
11-27: 20:18:47:904:bd8 
11-27: 20:18:47:904:bd8 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:47:904:bd8 ISAKMP Header: (V1.0), len = 1300
11-27: 20:18:47:904:bd8   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:47:904:bd8   R-COOKIE b9de73219f782cab
11-27: 20:18:47:904:bd8   exchange: Oakley Quick Mode
11-27: 20:18:47:904:bd8   flags: 1 ( encrypted )
11-27: 20:18:47:904:bd8   next payload: HASH
11-27: 20:18:47:904:bd8   message ID: cbe52755
11-27: 20:18:47:904:bd8 Ports S:f401 D:f401
11-27: 20:18:55:905:bd8 retransmit: sa = 00105CC8 centry 000E1158 , count = 4
11-27: 20:18:55:905:bd8 
11-27: 20:18:55:905:bd8 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:55:905:bd8 ISAKMP Header: (V1.0), len = 1300
11-27: 20:18:55:905:bd8   I-COOKIE 378dedc6da3bcb05
11-27: 20:18:55:905:bd8   R-COOKIE b9de73219f782cab
11-27: 20:18:55:905:bd8   exchange: Oakley Quick Mode
11-27: 20:18:55:905:bd8   flags: 1 ( encrypted )
11-27: 20:18:55:905:bd8   next payload: HASH
11-27: 20:18:55:905:bd8   message ID: cbe52755
11-27: 20:18:55:905:bd8 Ports S:f401 D:f401
11-27: 20:19:11:908:bd8 retransmit: sa = 00105CC8 centry 000E1158 , count = 5
11-27: 20:19:11:908:bd8 
11-27: 20:19:11:908:bd8 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:19:11:908:bd8 ISAKMP Header: (V1.0), len = 1300
11-27: 20:19:11:908:bd8   I-COOKIE 378dedc6da3bcb05
11-27: 20:19:11:908:bd8   R-COOKIE b9de73219f782cab
11-27: 20:19:11:908:bd8   exchange: Oakley Quick Mode
11-27: 20:19:11:908:bd8   flags: 1 ( encrypted )
11-27: 20:19:11:908:bd8   next payload: HASH
11-27: 20:19:11:908:bd8   message ID: cbe52755
11-27: 20:19:11:908:bd8 Ports S:f401 D:f401
11-27: 20:19:43:914:bd8 retransmit exhausted: sa = 00105CC8 centry 000E1158, count = 6
11-27: 20:19:43:914:bd8 Data Protection Mode (Quick Mode)
11-27: 20:19:43:914:bd8 Source IP Address 83.29.25.49  Source IP Address Mask 255.255.255.255  Destination IP Address 217.96.x.xx  Destination IP Address Mask 255.255.255.255  Protocol 17  Source Port 1701  Destination Port 1701  IKE Local Addr 83.29.25.49  IKE Peer Addr 217.96.x.xx
11-27: 20:19:43:914:bd8 Preshared key ID.  Peer IP Address: 217.96.x.xx
11-27: 20:19:43:914:bd8 Me
11-27: 20:19:43:914:bd8 Negotiation timed out
11-27: 20:19:43:914:bd8 0x0 0x0
11-27: 20:19:43:914:bd8 isadb_set_status sa:00105CC8 centry:000E1158 status 35ed
11-27: 20:19:43:914:bd8 isadb_set_status InitiateEvent 00000314: Setting Status 35ed
11-27: 20:19:43:914:bd8 Clearing centry 000E1158 InitiateEvent 00000314
11-27: 20:19:43:914:fb0 CloseNegHandle 00000314
11-27: 20:19:43:914:fb0 SE cookie 378dedc6da3bcb05
11-27: 20:19:43:934:fb0 isadb_schedule_kill_oldPolicy_sas: e64f82f8-e2b3-416b-942a96dc546ef659 4
11-27: 20:19:43:934:11c isadb_schedule_kill_oldPolicy_sas: 95c8dd04-deb5-49d2-ba39b55e177e427e 3
11-27: 20:19:43:934:c88 isadb_schedule_kill_oldPolicy_sas: d9f3ea7d-7a2f-462d-a10379750df825f8 2
11-27: 20:19:43:934:fb0 isadb_schedule_kill_oldPolicy_sas: 78182b7e-bd09-4fec-9d14b25199c5f7fb 1
11-27: 20:19:43:934:928 entered kill_old_policy_sas 4
11-27: 20:19:43:934:928 SA Dead. sa:00105CC8 status:3619
11-27: 20:19:43:934:928 isadb_set_status sa:00105CC8 centry:00000000 status 3619
11-27: 20:19:43:934:928 constructing ISAKMP Header
11-27: 20:19:43:934:928 constructing HASH (null)
11-27: 20:19:43:934:928 constructing DELETE. MM 00105CC8
11-27: 20:19:43:934:928 constructing HASH (Notify/Delete)
11-27: 20:19:43:934:928 Not setting retransmit to downlevel client. SA 00105CC8 Centry 00000000
11-27: 20:19:43:934:928 
11-27: 20:19:43:934:928 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 1.500
11-27: 20:19:43:934:928 ISAKMP Header: (V1.0), len = 84
11-27: 20:19:43:934:928   I-COOKIE 378dedc6da3bcb05
11-27: 20:19:43:934:928   R-COOKIE b9de73219f782cab
11-27: 20:19:43:934:928   exchange: ISAKMP Informational Exchange
11-27: 20:19:43:934:928   flags: 1 ( encrypted )
11-27: 20:19:43:934:928   next payload: HASH
11-27: 20:19:43:934:928   message ID: 2610dcf6
11-27: 20:19:43:934:928 Ports S:f401 D:f401
11-27: 20:19:43:934:928 entered kill_old_policy_sas 3
11-27: 20:19:43:934:928 entered kill_old_policy_sas 2
11-27: 20:19:43:934:928 entered kill_old_policy_sas 1
11-27: 20:19:43:964:a24 
11-27: 20:19:43:964:a24 Receive: (get) SA = 0x00105cc8 from 217.96.x.xx.500
11-27: 20:19:43:964:a24 ISAKMP Header: (V1.0), len = 84
11-27: 20:19:43:964:a24   I-COOKIE 378dedc6da3bcb05
11-27: 20:19:43:964:a24   R-COOKIE b9de73219f782cab
11-27: 20:19:43:964:a24   exchange: ISAKMP Informational Exchange
11-27: 20:19:43:964:a24   flags: 1 ( encrypted )
11-27: 20:19:43:964:a24   next payload: HASH
11-27: 20:19:43:964:a24   message ID: b4602bd4
11-27: 20:19:43:964:a24 processing HASH (Notify/Delete)
11-27: 20:19:43:964:a24 processing payload DELETE
11-27: 20:20:21:879:a24 ClearFragList


and the connection is dropped


Here is my config:

version 2.0

# basic configuration
config setup
        #plutodebug=all
        #klipsdebug=all
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.218.134.0/24


conn l2tp-psk
        authby=secret
        pfs=no
        auto=add
        rekey=no
        keyingtries=3
        left=%defaultroute
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


And /etc/ipsec.secrets:

217.96.x.xx %any: PSK "secret"



Can anyone point out what might be wrong, please?
There are no firewalls between Openswan and the roadwarrior,
but
when I connect the roadwarrior to the 217.96.x.x network everything works fine....
Best regards

Sobczak Wojciech
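
Added example (not part of the original post): a Python sketch that reads the pluto log and the Windows Oakley log side by side and reports the stage at which the IKE exchange stalls. The sample lines are abridged from the logs in the post; the function names and verdict strings are this example's own.

```python
import re

# Abridged from the pluto (responder) log in the post.
PLUTO_LOG = '''\
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: responding to Main Mode from unknown peer 83.29.25.49
Nov 27 21:25:33 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 27 21:26:36 localhost pluto[2403]: "l2tp-psk"[1] 83.29.25.49 #1: received Delete SA payload: deleting ISAKMP State #1
'''.splitlines()

# Abridged from the Windows Oakley (initiator) log in the post.
OAKLEY_LOG = '''\
11-27: 20:18:40:954:928 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:40:954:928 ISAKMP Header: (V1.0), len = 68
11-27: 20:18:40:954:928   exchange: Oakley Main Mode
11-27: 20:18:40:984:928 Receive: (get) SA = 0x00105cc8 from 217.96.x.xx.500
11-27: 20:18:40:984:928 ISAKMP Header: (V1.0), len = 68
11-27: 20:18:40:984:928   exchange: Oakley Main Mode
11-27: 20:18:40:984:928 MM established.  SA: 00105CC8
11-27: 20:18:40:984:928 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:40:984:928 ISAKMP Header: (V1.0), len = 1300
11-27: 20:18:40:984:928   exchange: Oakley Quick Mode
11-27: 20:18:41:905:bd8 retransmit: sa = 00105CC8 centry 000E1158 , count = 1
11-27: 20:18:41:905:bd8 Sending: SA = 0x00105CC8 to 217.96.x.xx:Type 2.500
11-27: 20:18:41:905:bd8 ISAKMP Header: (V1.0), len = 1300
11-27: 20:18:41:905:bd8   exchange: Oakley Quick Mode
11-27: 20:19:11:908:bd8 retransmit: sa = 00105CC8 centry 000E1158 , count = 5
11-27: 20:19:43:914:bd8 retransmit exhausted: sa = 00105CC8 centry 000E1158, count = 6
11-27: 20:19:43:914:bd8 Negotiation timed out
'''.splitlines()

PLUTO = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>\S+) #\d+: (?P<msg>.*)')
HEADER_LEN = re.compile(r"ISAKMP Header: .*len = (\d+)")
RETRANSMIT = re.compile(r"retransmit: .*count = (\d+)")


def responder_view(lines):
    """Per-peer flags from pluto state lines (those carrying a '#N:' state number)."""
    peers = {}
    for line in lines:
        m = PLUTO.search(line)
        if not m:
            continue
        flags = peers.setdefault(
            m.group("peer"),
            {"isakmp_sa": False, "quick_mode": False, "peer_deleted": False})
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            flags["isakmp_sa"] = True
        # pluto names its phase 2 states STATE_QUICK_*.
        if "STATE_QUICK_" in msg or "Quick Mode" in msg:
            flags["quick_mode"] = True
        if "received Delete SA payload" in msg:
            flags["peer_deleted"] = True
    return peers


def initiator_view(lines):
    """Messages sent/received plus retransmit and timeout state from Oakley.log."""
    view = {"mm_established": False, "timed_out": False, "exhausted": False,
            "retransmits": 0, "messages": []}
    direction = length = None
    for line in lines:
        parts = line.split(None, 2)          # date, time:thread, text
        if len(parts) < 3:
            continue                         # separator line with no text
        text = parts[2].strip()
        if text.startswith("Sending:"):
            direction = "sent"
        elif text.startswith("Receive:"):
            direction = "received"
        elif HEADER_LEN.match(text):
            length = int(HEADER_LEN.match(text).group(1))
        elif text.startswith("exchange: ") and direction:
            view["messages"].append((direction, text[len("exchange: "):], length))
            direction = length = None
        elif RETRANSMIT.match(text):
            view["retransmits"] = max(view["retransmits"],
                                      int(RETRANSMIT.match(text).group(1)))
        elif text.startswith("retransmit exhausted"):
            view["exhausted"] = True
        elif text.startswith("MM established"):
            view["mm_established"] = True
        elif text == "Negotiation timed out":
            view["timed_out"] = True
    return view


def correlate(pluto_lines, oakley_lines, peer):
    """Name the stage at which the exchange stopped, using both sides' logs."""
    r = responder_view(pluto_lines).get(peer, {})
    i = initiator_view(oakley_lines)
    qm_sent = [n for d, ex, n in i["messages"] if d == "sent" and "Quick Mode" in ex]
    qm_recv = [n for d, ex, n in i["messages"] if d == "received" and "Quick Mode" in ex]
    if not (r.get("isakmp_sa") and i["mm_established"]):
        stage = "phase1-incomplete"
    elif qm_sent and not qm_recv and not r["quick_mode"]:
        stage = "quick-mode-request-not-logged-by-responder"
    elif qm_sent and not qm_recv:
        stage = "quick-mode-reply-not-received"
    else:
        stage = "no-stall-detected"
    return {"stage": stage, "qm_sent": len(qm_sent),
            "qm_len": max(qm_sent, default=0),
            "retransmits": i["retransmits"], "timed_out": i["timed_out"]}


if __name__ == "__main__":
    print(correlate(PLUTO_LOG, OAKLEY_LOG, "83.29.25.49"))
```

The verdict only names where the exchange stopped; it does not establish the cause.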

