[Openswan Users] IPSec, Windows XP/2000 and Dead Peer Detection

Andrej Trobentar andrej.trobentar at rikom.si
Mon Oct 17 09:47:45 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrej Trobentar wrote:
> Juha Pietikäinen wrote:
> 
>>>Hi,
>>>
>>>I have os 2.4.2dr2 running with kernel 2.4.31.
>>>
>>>I have ended up using these settings with a quick trial-and-error method:
>>>
>>>ipsec.conf:
>>>override mtu = 1430
>>>
>>>options.l2tpd:
>>>mtu 1360
>>>mru 500
>>>
>>>It was discussed in an earlier message that
>>>MRU 500 is caused by incompatible PMTU with Windows clients.
>>>
>>>I noticed this low MRU issue when I upgraded OS from version 2.2.1 to
>>>version 2.4.
>>>
>>>With OS 2.2.1 it was possible to use the same MTU and MRU value.
>>>
>>>I haven't got any NATed clients now, but this version (2.4.2dr2) seems
>>>to work with "nat traversal = yes",
>>>as version 2.4.1 didn't work at all with it. NAT-T worked fine with OS
>>>2.2.1 and Windows XP Pro (SP2) clients.
> 
> 
> Hello,
> 
> This works for me too at the moment! My static tunnels and my roadwarrior
> setup work. I have to test it a little more to be sure, but so far
> everything is working.
> 
> Regarding the Windows XP/2000 disconnects I have to wait for the feedback
> from my co-workers. Maybe this release will resolve these issues...

Hello,

Well, I was happy too soon :( After I changed the things that Juha
suggested, my *NATed* roadwarrior clients can't connect anymore!
Roadwarriors *without* NAT are working. The IPSEC is established, but
the verification phase with the l2tpd doesn't begin. Here's the log from
IPSEC:

Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
ignoring Vendor ID payload [FRAGMENTATION]
Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: responding to Main Mode from unknown peer 82.149.2.245
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is NATed
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: Main mode peer ID is ID_DER_ASN1_DN: 'C=SI, ST=Slovenija,
L=Maribor, O=Rikom d.o.o., OU=VPN Tine Zorko, CN=VPN Tine Zorko,
E=tine.zorko at rikom.si'
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
#181: crl update for "C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o.,
CN=Rikom Root Certificate, E=admin at rikom.si" is overdue since Jul 20
09:29:14 UTC 2005
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#181: deleting connection "roadwarior-l2tpd" instance with peer
82.149.2.245 {isakmp=#0/ipsec=#0}
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#181: I am sending my cert
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#181: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 17 08:31:52 rikom pluto[1472]: | NAT-T: new mapping
82.149.2.245:500/4500)
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#181: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#182: responding to Quick Mode {msgid:4d9e2083}
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#182: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#182: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#182: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
#182: STATE_QUICK_R2: IPsec SA established {ESP=>0x81453f42 <0x8e93d891
xfrm=3DES_0-HMAC_MD5 NATD=82.149.2.245:4500 DPD=none}


I have NO log messages from l2tpd (yes, my l2tpd is running). Any ideas?

--
Thanks,

	Andrej.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDU0kRVd/NU2yFfAoRAosJAKCiflY6V+8ElxcV7dyh5DTFeJiYqQCfThgL
DcpUmKwokljIA+C8FaP8dwM=
=uUOr
-----END PGP SIGNATURE-----
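The pluto log above says more than "IPsec SA established": it records whether the peer was detected behind NAT, the UDP/4500 mapping that L2TP will have to travel inside, whether Dead Peer Detection was negotiated (the subject of this thread), and a stale-CRL warning that is easy to overlook while chasing an L2TP problem. The following parser is an added example, not code from the original post or from the Openswan project; it reads the posted lines (re-joined onto single lines, since the archive wrapped them) and turns them into a summary plus a short list of findings a troubleshooter would act on. Regex patterns follow the message formats visible in the post; the `findings` text about `dpddelay`/`dpdtimeout`/`dpdaction` and `crlcheckinterval` refers to standard Openswan 2.x options and is advice assumed here, not something the thread states.

```python
"""Summarize an Openswan pluto log excerpt: NAT-T result, SA parameters, DPD, CRL state.

Added example (not from the original post). Patterns are derived from the log
lines shown in the thread; option names in the findings are assumptions.
"""
import re
from typing import Any, Dict, List

# Constructed sample: the pluto records from the post, one record per line.
SAMPLE_LOG = """\
Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245 #181: responding to Main Mode from unknown peer 82.149.2.245
Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245 #181: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245 #181: Main mode peer ID is ID_DER_ASN1_DN: 'C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., OU=VPN Tine Zorko, CN=VPN Tine Zorko, E=tine.zorko at rikom.si'
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245 #181: crl update for "C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate, E=admin at rikom.si" is overdue since Jul 20 09:29:14 UTC 2005
Oct 17 08:31:52 rikom pluto[1472]: | NAT-T: new mapping 82.149.2.245:500/4500)
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245 #181: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245 #182: STATE_QUICK_R2: IPsec SA established {ESP=>0x81453f42 <0x8e93d891 xfrm=3DES_0-HMAC_MD5 NATD=82.149.2.245:4500 DPD=none}
"""

# Lines carrying a connection name, peer address and state number (#NNN).
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
NAT_RE = re.compile(r"NAT-Traversal: Result using (?P<method>\S+): peer is (?P<res>.*)$")
PEERID_RE = re.compile(r"Main mode peer ID is (?P<idtype>\S+): '(?P<id>[^']*)'")
CRL_RE = re.compile(r'crl update for "(?P<issuer>[^"]+)" is overdue since (?P<since>.*)$')
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<attrs>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established \{(?P<attrs>[^}]*)\}")
ESP_RE = re.compile(r"ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)")


def _attrs(text: str) -> Dict[str, str]:
    """Turn 'k=v k2=v2 ...' into a dict; tokens without '=' (the inbound SPI) are skipped."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def summarize(log_text: str) -> Dict[str, Any]:
    """Extract what pluto negotiated for the last connection seen in the log."""
    out: Dict[str, Any] = {
        "conn": None, "peer": None, "peer_id": None, "nat_detected": None,
        "isakmp": {}, "ipsec": {}, "esp": {}, "overdue_crls": [],
    }
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # "packet from ..." and "| debug" lines carry no state number
        out["conn"], out["peer"], msg = m.group("conn"), m.group("peer"), m.group("msg")
        n = NAT_RE.search(msg)
        if n:
            out["nat_detected"] = n.group("res").strip() == "NATed"
        p = PEERID_RE.search(msg)
        if p:
            out["peer_id"] = p.group("id")
        c = CRL_RE.search(msg)
        if c:
            out["overdue_crls"].append({"issuer": c.group("issuer"), "since": c.group("since")})
        i = ISAKMP_RE.search(msg)
        if i:
            out["isakmp"] = _attrs(i.group("attrs"))
        q = IPSEC_RE.search(msg)
        if q:
            out["ipsec"] = _attrs(q.group("attrs"))
            e = ESP_RE.search(q.group("attrs"))
            if e:
                out["esp"] = {"out": e.group("out"), "in": e.group("in")}
    return out


def findings(summary: Dict[str, Any]) -> List[str]:
    """Turn the summary into the points a troubleshooter should look at next."""
    notes: List[str] = []
    if summary["ipsec"].get("DPD") == "none":
        notes.append("DPD=none: Dead Peer Detection is off for this IPsec SA, so a client that "
                     "drops off the network is only noticed when the SA expires; this needs "
                     "dpddelay/dpdtimeout/dpdaction on the conn and a peer that supports DPD")
    for crl in summary["overdue_crls"]:
        notes.append("CRL for '%s' overdue since %s: revocation status of client certificates "
                     "is stale; refresh the CRL (crlcheckinterval in config setup)"
                     % (crl["issuer"], crl["since"]))
    if summary["nat_detected"] and "NATD" in summary["ipsec"]:
        notes.append("peer is NATed, ESP is UDP-encapsulated to %s: L2TP (UDP/1701) from this "
                     "client arrives inside that UDP/4500 stream, so capture on the decrypted "
                     "side before blaming l2tpd" % summary["ipsec"]["NATD"])
    if summary["isakmp"] and not summary["ipsec"]:
        notes.append("ISAKMP SA established but no IPsec SA: Quick Mode did not complete")
    return notes


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("conn=%s peer=%s NATed=%s DPD=%s" % (s["conn"], s["peer"], s["nat_detected"], s["ipsec"].get("DPD")))
    for note in findings(s):
        print(" -", note)
```

Run against the posted excerpt it reports the peer as NATed with ESP mapped to 82.149.2.245:4500, `DPD=none`, and the root CA's CRL overdue since July; the first two are exactly the conditions under which a NATed Windows client that silently loses its NAT mapping stays "connected" on the gateway until the SA expires.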

