[Openswan Users] Re: IPSec, Windows XP/2000 and Dead Peer Detection
Andrej Trobentar
andrej.trobentar at rikom.si
Mon Oct 17 23:42:13 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Andrej Trobentar wrote:
>
> I have set mtu and mru settings in options.l2tpd to 500 and now the
> command "ping -l <anything greater than 487> <internal IP>" works with
> NATed and not NATed clients (quick tested on ISDN, analog an Cable line).
Sorry, but I've made a mistake here. NATed client (Windows XP behind
Linksys cable router) is *not* working. IPSEC is established, but when
the l2tpd phase should begin, nothing happens - please see the attached
trace file.
>>>It is also possible that nat-t is still broken in os2.4.2dr2 with
>>>kernel 2.4.31.
>>>Maybe Paul knows more about this?
>
> I think, that my *NATed* clients couldn't connect because the mtu
> setting was not correct. For now everything is working, but this
> requires more intensive testing to be 100% sure!
One of my co-workers, who was testing the VPN, removed his ADSL router
so now he has direct connection to the Internet (no NAT) - I didn't know
that, so I wrote that NATed clients are working. Sorry...
> But, why do you have to change these mtu settings when upgrading from os
> 2.3.1 to os 2.4.1dr2?
This question still remains...
As soon as I downgraded openswan back to 2.3.1, the Windows XP (NATed
behind Linksys router) started working. I both cases I had the mtu and
mru parameter set to 500 in options.l2tpd. I have tried to remove the
WinXP SP2 patch on Windows XP, but the problem remains.
Please let me know if you need more tests or data!
- --
Thanks for your time,
Andrej.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFDVAykVd/NU2yFfAoRArdmAKDRcnEpW+TxQp6dQ3BtCr8Jwpcu8gCgoFBR
FDFfqid78EWWEkcNufBxAG0=
=xIbL
-----END PGP SIGNATURE-----
-------------- next part --------------
1) Openswan 2.4.1dr2, NATed Windows XP behind Linksys router on Cable
Interface ipsec0 :
21:16:15.971403 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
21:16:16.963764 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
21:16:18.965513 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
21:16:22.975316 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
21:16:30.983199 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
21:16:38.482556 193.2.211.10.4500 > 82.149.2.245.4500: udp 72 (DF)
21:16:38.494414 193.2.211.10.4500 > 82.149.2.245.4500: udp 88 (DF)
Interface eth0 :
21:16:13.924321 82.149.2.245.isakmp > 193.2.211.10.isakmp: isakmp: phase 1 I ident: [|sa]
21:16:13.924598 193.2.211.10.isakmp > 82.149.2.245.isakmp: isakmp: phase 1 R ident: [|sa] (DF)
21:16:14.880321 82.149.2.245.isakmp > 193.2.211.10.isakmp: isakmp: phase 1 I ident: [|ke]
21:16:14.900306 193.2.211.10.isakmp > 82.149.2.245.isakmp: isakmp: phase 1 R ident: [|ke] (DF)
21:16:15.822009 82.149.2.245.4500 > 193.2.211.10.4500: udp 1448
21:16:15.827146 193.2.211.10.4500 > 82.149.2.245.4500: udp 1312 (DF)
21:16:15.916128 82.149.2.245.4500 > 193.2.211.10.4500: udp 384
21:16:15.916654 193.2.211.10.4500 > 82.149.2.245.4500: udp 168 (DF)
21:16:15.945586 82.149.2.245.4500 > 193.2.211.10.4500: udp 56
21:16:15.971403 82.149.2.245.4500 > 193.2.211.10.4500: udp 140
21:16:16.963764 82.149.2.245.4500 > 193.2.211.10.4500: udp 140
21:16:18.965513 82.149.2.245.4500 > 193.2.211.10.4500: udp 140
21:16:22.975316 82.149.2.245.4500 > 193.2.211.10.4500: udp 140
21:16:30.983199 82.149.2.245.4500 > 193.2.211.10.4500: udp 140
21:16:35.962503 82.149.2.245.4500 > 193.2.211.10.4500: udp 1
21:16:38.482374 82.149.2.245.4500 > 193.2.211.10.4500: udp 72
21:16:38.482569 193.2.211.10.4500 > 82.149.2.245.4500: udp 72 (DF)
21:16:38.494276 82.149.2.245.4500 > 193.2.211.10.4500: udp 88
21:16:38.494425 193.2.211.10.4500 > 82.149.2.245.4500: udp 88 (DF)
21:16:55.990749 82.149.2.245.4500 > 193.2.211.10.4500: udp 1
-------------------------------------------------------------------------------------------------------------------------------------------------------
2) Openswan 2.3.1, NATed Windows XP behind Linksys router on Cable
Interface ipsec0 :
21:47:19.713087 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
21:47:19.896113 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[TLS](9/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
21:47:19.910375 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](17470/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
21:47:19.910774 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](17470/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(1) *CALL_SER_NUM(0) *BEARER_TYPE(A)
21:47:19.910859 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](17470/0)Ns=3,Nr=1 ZLB
21:47:19.926158 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[TLS](9/0)Ns=1,Nr=2 ZLB (DF)
21:47:19.986624 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[TLS](9/1)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(15008) (DF)
21:47:19.986656 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[TLS](9/0)Ns=2,Nr=3 ZLB (DF)
21:47:20.003214 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](17470/15008)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(100000000) *FRAMING_TYPE(S) PROXY_AUTH_TYPE(No Auth)
21:47:20.003295 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[TLS](17470/0)Ns=4,Nr=2 ZLB
21:47:20.013454 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[TLS](9/1)Ns=2,Nr=4 ZLB (DF)
21:47:20.013828 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {LCP33: Conf-Req(1), MRU=500, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=1d936e5f, PFC, ACFC} (DF)
21:47:20.027922 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {LCP 25: Conf-Req(0), MRU=1400, Magic-Num=47e92f01, PFC, ACFC, Call-Back CBCP}
21:47:20.028167 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {LCP 11: Conf-Rej(0), Call-Back CBCP} (DF)
21:47:20.037482 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {LCP 33: Conf-Ack(1), MRU=500, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=1d936e5f, PFC, ACFC}
21:47:22.022078 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {LCP 22: Conf-Req(2), MRU=1400, Magic-Num=47e92f01, PFC, ACFC}
21:47:22.022454 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {LCP 22: Conf-Ack(2), MRU=1400, Magic-Num=47e92f01, PFC, ACFC} (DF)
21:47:22.022621 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {CHAP 40: Chal(119), Value=ffe8cce2f7e244f1709fbc8bfff7f06a15eff2, Name=LinuxVPNserver} (DF)
21:47:22.054524 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {LCP 20: Ident(3), Magic-Num=47e92f01}
21:47:22.054611 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {LCP 22: Ident(4), Magic-Num=47e92f01}
21:47:22.054986 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {LCP 26: Code-Rej(2)} (DF)
21:47:22.055149 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {LCP 28: Code-Rej(3)} (DF)
21:47:22.062211 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {CHAP 27: Resp(119), Value=581d279d40685a0a9e710771b0b3f2f3, Name=tine}
21:47:22.062706 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {CHAP 20: Succ(119), Msg=Access granted} (DF)
21:47:22.062844 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {CCP 17: Conf-Req(1), Deflate, MVRCA, BSD-Comp} (DF)
21:47:22.062935 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {IPCP 18: Conf-Req(1), IP-Comp VJ-Comp, IP-Addr=192.168.3.1} (DF)
21:47:22.085427 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {CCP 12: Conf-Req(5), MPPC}
21:47:22.085626 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {CCP 12: Conf-Rej(5), MPPC} (DF)
21:47:22.091044 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {IPCP 36: Conf-Req(6), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0}
21:47:22.091129 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {CCP 17: Conf-Rej(1), Deflate, MVRCA, BSD-Comp}
21:47:22.091215 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {IPCP 12: Conf-Rej(1), IP-Comp VJ-Comp}
21:47:22.091567 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {IPCP 18: Conf-Rej(6), Pri-NBNS=0.0.0.0, Sec-NBNS=0.0.0.0} (DF)
21:47:22.091665 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {CCP 6: Conf-Req(2)} (DF)
21:47:22.091815 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {IPCP 12: Conf-Req(2), IP-Addr=192.168.3.1} (DF)
21:47:22.101136 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {CCP 18: Term-Req(7)}
21:47:22.101349 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {CCP 6: Term-Ack(7)} (DF)
21:47:22.108330 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {IPCP 24: Conf-Req(8), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0}
21:47:22.108413 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {IPCP 12: Conf-Ack(2), IP-Addr=192.168.3.1}
21:47:22.108655 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {IPCP 24: Conf-Nak(8), IP-Addr=192.168.3.4, Pri-DNS=192.168.15.1, Sec-DNS=192.168.15.1} (DF)
21:47:22.124800 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {IPCP 24: Conf-Req(9), IP-Addr=192.168.3.4, Pri-DNS=192.168.15.1, Sec-DNS=192.168.15.1}
21:47:22.125536 193.2.211.10.l2tp > 82.149.2.245.l2tp: l2tp:[L](9/1) {IPCP 24: Conf-Ack(9), IP-Addr=192.168.3.4, Pri-DNS=192.168.15.1, Sec-DNS=192.168.15.1} (DF)
21:47:22.233031 82.149.2.245.l2tp > 193.2.211.10.l2tp: l2tp:[L](17470/15008) {IP 41: 192.168.3.4 > 224.0.0.22: igmp v3 report, 1 group record(s) [ttl 1]}
155 packets received by filter
0 packets dropped by kernel
[root at rikom root]#
Interface eth0 :
21:47:19.141748 82.149.2.245.isakmp > 193.2.211.10.isakmp: isakmp: phase 1 I ident: [|sa]
21:47:19.141962 193.2.211.10.isakmp > 82.149.2.245.isakmp: isakmp: phase 1 R ident: [|sa] (DF)
21:47:19.471744 82.149.2.245.isakmp > 193.2.211.10.isakmp: isakmp: phase 1 I ident: [|ke]
21:47:19.491827 193.2.211.10.isakmp > 82.149.2.245.isakmp: isakmp: phase 1 R ident: [|ke] (DF)
21:47:19.642175 82.149.2.245.4500 > 193.2.211.10.4500: udp 1448
21:47:19.647155 193.2.211.10.4500 > 82.149.2.245.4500: udp 1312 (DF)
21:47:19.684627 82.149.2.245.4500 > 193.2.211.10.4500: udp 384
21:47:19.685152 193.2.211.10.4500 > 82.149.2.245.4500: udp 168 (DF)
21:47:19.706613 82.149.2.245.4500 > 193.2.211.10.4500: udp 56
21:47:19.713087 82.149.2.245.4500 > 193.2.211.10.4500: udp 140
21:47:19.896160 193.2.211.10.4500 > 82.149.2.245.4500: udp 140 (DF)
21:47:19.910375 82.149.2.245.4500 > 193.2.211.10.4500: udp 60
21:47:19.910774 82.149.2.245.4500 > 193.2.211.10.4500: udp 92
21:47:19.910859 82.149.2.245.4500 > 193.2.211.10.4500: udp 52
21:47:19.926179 193.2.211.10.4500 > 82.149.2.245.4500: udp 52 (DF)
21:47:19.986647 193.2.211.10.4500 > 82.149.2.245.4500: udp 68 (DF)
21:47:19.986668 193.2.211.10.4500 > 82.149.2.245.4500: udp 52 (DF)
21:47:20.003214 82.149.2.245.4500 > 193.2.211.10.4500: udp 92
21:47:20.003295 82.149.2.245.4500 > 193.2.211.10.4500: udp 52
21:47:20.013491 193.2.211.10.4500 > 82.149.2.245.4500: udp 52 (DF)
21:47:20.013847 193.2.211.10.4500 > 82.149.2.245.4500: udp 84 (DF)
21:47:20.027922 82.149.2.245.4500 > 193.2.211.10.4500: udp 76
21:47:20.028185 193.2.211.10.4500 > 82.149.2.245.4500: udp 60 (DF)
21:47:20.037482 82.149.2.245.4500 > 193.2.211.10.4500: udp 84
21:47:21.725821 82.149.2.245.4500 > 193.2.211.10.4500: udp 1
21:47:22.022078 82.149.2.245.4500 > 193.2.211.10.4500: udp 68
21:47:22.022485 193.2.211.10.4500 > 82.149.2.245.4500: udp 68 (DF)
21:47:22.022658 193.2.211.10.4500 > 82.149.2.245.4500: udp 92 (DF)
21:47:22.054524 82.149.2.245.4500 > 193.2.211.10.4500: udp 68
21:47:22.054611 82.149.2.245.4500 > 193.2.211.10.4500: udp 68
21:47:22.055004 193.2.211.10.4500 > 82.149.2.245.4500: udp 76 (DF)
21:47:22.055164 193.2.211.10.4500 > 82.149.2.245.4500: udp 76 (DF)
21:47:22.062211 82.149.2.245.4500 > 193.2.211.10.4500: udp 76
21:47:22.062729 193.2.211.10.4500 > 82.149.2.245.4500: udp 68 (DF)
21:47:22.062859 193.2.211.10.4500 > 82.149.2.245.4500: udp 68 (DF)
21:47:22.062961 193.2.211.10.4500 > 82.149.2.245.4500: udp 68 (DF)
21:47:22.085427 82.149.2.245.4500 > 193.2.211.10.4500: udp 60
21:47:22.085643 193.2.211.10.4500 > 82.149.2.245.4500: udp 60 (DF)
21:47:22.091044 82.149.2.245.4500 > 193.2.211.10.4500: udp 84
21:47:22.091129 82.149.2.245.4500 > 193.2.211.10.4500: udp 68
21:47:22.091215 82.149.2.245.4500 > 193.2.211.10.4500: udp 60
21:47:22.091584 193.2.211.10.4500 > 82.149.2.245.4500: udp 68 (DF)
21:47:22.091690 193.2.211.10.4500 > 82.149.2.245.4500: udp 52 (DF)
21:47:22.091829 193.2.211.10.4500 > 82.149.2.245.4500: udp 60 (DF)
21:47:22.101136 82.149.2.245.4500 > 193.2.211.10.4500: udp 68
21:47:22.101365 193.2.211.10.4500 > 82.149.2.245.4500: udp 52 (DF)
21:47:22.108330 82.149.2.245.4500 > 193.2.211.10.4500: udp 76
21:47:22.108413 82.149.2.245.4500 > 193.2.211.10.4500: udp 60
21:47:22.108673 193.2.211.10.4500 > 82.149.2.245.4500: udp 76 (DF)
21:47:22.124800 82.149.2.245.4500 > 193.2.211.10.4500: udp 76
21:47:22.125567 193.2.211.10.4500 > 82.149.2.245.4500: udp 76 (DF)
21:47:22.233031 82.149.2.245.4500 > 193.2.211.10.4500: udp 92
21:47:22.250627 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:22.455119 82.149.2.245.4500 > 193.2.211.10.4500: udp 212
21:47:22.506996 82.149.2.245.4500 > 193.2.211.10.4500: udp 380
21:47:23.002150 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:23.140502 82.149.2.245.4500 > 193.2.211.10.4500: udp 92
21:47:23.757942 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:24.508006 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:25.093372 193.2.211.10.4500 > 82.149.2.245.4500: udp 52 (DF)
21:47:25.113973 82.149.2.245.4500 > 193.2.211.10.4500: udp 52
21:47:25.114248 193.2.211.10.4500 > 82.149.2.245.4500: udp 84 (DF)
21:47:25.128208 82.149.2.245.4500 > 193.2.211.10.4500: udp 84
21:47:25.255760 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:25.499010 82.149.2.245.4500 > 193.2.211.10.4500: udp 212
21:47:25.505569 82.149.2.245.4500 > 193.2.211.10.4500: udp 380
21:47:26.023070 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:26.756958 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:27.508110 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:28.268909 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:28.269077 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:28.516411 82.149.2.245.4500 > 193.2.211.10.4500: udp 212
21:47:29.023838 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
21:47:29.023994 82.149.2.245.4500 > 193.2.211.10.4500: udp 148
169 packets received by filter
0 packets dropped by kernel
[root at rikom root]#
More information about the Users
mailing list