[Openswan Users] Problem with conn road

sasa sasa at shoponweb.it
Fri Oct 28 15:37:56 CEST 2005


"Jacco de Leeuw" wrote:

> What is the problem?

..the problem is that from XP I don't successfully connect to the VPN server; I get error 678.
 
> > [global]
> > listen-addr = 192.168.0.180

I had made an error in l2tpd.conf and the l2tpd service did not start. I have now corrected this error, but I still do not succeed in connecting to the VPN.

> > ..where is my error ?
 
> That's what I'm wondering too. The only thing that I can think of
> is that you don't see an L2TP connection. l2tpd is listening on the
> internal interface. Are you using KLIPS or NETKEY? If you are using
> KLIPS you will have to add a DNAT rule. If you are using NETKEY, l2tpd
> should be listening on the external interface instead and you should
> probably use iptables to "mark" the packets. See also:

..I use KLIPS and the DNAT rule is present; now in the log file I have:

[root at test2 root]# tcpdump -i ipsec0
tcpdump: listening on ipsec0
14:18:02.663296 213.45.198.15.l2tp > host189-185.pool82189.interbusiness.it.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
14:18:03.653546 213.45.198.15.l2tp > host189-185.pool82189.interbusiness.it.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
14:18:05.653417 213.45.198.15.l2tp > host189-185.pool82189.interbusiness.it.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
14:18:05.653556 host189-185.pool82189.interbusiness.it > 213.45.198.15: icmp: host189-185.pool82189.interbusiness.it udp port l2tp unreachable [tos 0xc0]

[root at test2 root]# ipsec whack --status
000 interface ipsec0/eth0 x.x.x.x
000 interface ipsec0/eth0 x.x.x.x
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
[cut]
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "left-road": x.x.x.x:17/0---x.x.x.y...%any:17/1701; unrouted; eroute owner: #0
[cut]
000 "left-road":   policy: PSK+ENCRYPT; prio: 32,32; interface: eth0;
000 "left-road":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "left-road"[1]: x.x.x.x:17/0---x.x.x.y...213.45.198.15:17/1701; erouted; eroute owner: #2
000 "left-road"[1]:     srcip=unset; dstip=unset
000 "left-road"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "left-road"[1]:   policy: PSK+ENCRYPT; prio: 32,32; interface: eth0;
000 "left-road"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "left-road"[1]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP2048
000
000 #2: "left-road"[1] 213.45.198.15:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3300s; newest IPSEC; eroute owner
000 #2: "left-road"[1] 213.45.198.15 esp.7a18dd87 at 213.45.198.15 esp.e40c5254 at x.x.x.x
000 #1: "left-road"[1] 213.45.198.15:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3299s; newest ISAKMP; nodpd

[root at test2 root]# tail /var/log/secure
Oct 28 14:18:01 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Oct 28 14:18:01 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 28 14:18:01 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #1: Main mode peer ID is ID_IPV4_ADDR: '213.45.198.15'
Oct 28 14:18:01 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #1: I did not send a certificate because I do not have one.
Oct 28 14:18:01 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 28 14:18:01 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #1: sent MR3, ISAKMP SA established
Oct 28 14:18:02 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #2: responding to Quick Mode {msgid:ac5fb3f2}
Oct 28 14:18:02 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 28 14:18:02 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 28 14:18:02 test2 pluto[5589]: "left-road"[1] 213.45.198.15 #2: IPsec SA established {ESP=>0x7a18dd87 <0xe40c5254 xfrm=3DES_0-HMAC_MD5}

... I just do not succeed in understanding why the XP client (the patch is installed) does not connect ???!!!
Thanks anyway.

        Salvatore.
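A way to read a capture like the one above, as an added example that is not from the post or from the Openswan project: it parses the tcpdump lines, counts the client's SCCRQ retries and checks whether the server answered with SCCRP or bounced the request with ICMP port unreachable (the case shown here, where the IPsec SA is up but nothing listens on UDP 1701 at the address the L2TP packets arrive at). The sample capture is constructed from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample input: the four tcpdump lines from the post above
# (the SCCRQ lines are shortened after PROTO_VER, as tcpdump's "..." does).
SAMPLE_CAPTURE = """\
14:18:02.663296 213.45.198.15.l2tp > host189-185.pool82189.interbusiness.it.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) |...
14:18:03.653546 213.45.198.15.l2tp > host189-185.pool82189.interbusiness.it.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) |...
14:18:05.653417 213.45.198.15.l2tp > host189-185.pool82189.interbusiness.it.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) |...
14:18:05.653556 host189-185.pool82189.interbusiness.it > 213.45.198.15: icmp: host189-185.pool82189.interbusiness.it udp port l2tp unreachable [tos 0xc0]
"""

# L2TP control message: "<ts> <src>.l2tp > <dst>.l2tp:  l2tp:... *MSGTYPE(<type>)"
L2TP_RE = re.compile(r"^\S+ (\S+)\.l2tp > (\S+)\.l2tp:\s+l2tp:.*\*MSGTYPE\((\w+)\)")
# ICMP sent by the server: "<ts> <server> > <client>: icmp: ... udp port l2tp unreachable"
UNREACH_RE = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ udp port l2tp unreachable")


def diagnose_l2tp(capture: str) -> dict:
    """Classify an ipsec0 capture of an L2TP tunnel setup attempt.

    Returns, per (client, server) pair, the number of SCCRQ retries and a
    verdict: "ok" (SCCRP seen), "no_listener" (server answered with ICMP
    port unreachable) or "no_reply" (request seen, nothing came back).
    """
    sccrq, sccrp, unreachable = Counter(), set(), set()
    for line in capture.splitlines():
        m = L2TP_RE.match(line)
        if m:
            src, dst, msgtype = m.groups()
            if msgtype == "SCCRQ":
                sccrq[(src, dst)] += 1
            elif msgtype == "SCCRP":
                sccrp.add((dst, src))  # key as (client, server)
            continue
        m = UNREACH_RE.match(line)
        if m:
            server, client = m.groups()
            unreachable.add((client, server))
    report = {}
    for pair, retries in sccrq.items():
        if pair in sccrp:
            verdict = "ok"
        elif pair in unreachable:
            # The tunnel delivered the packet, but no socket was bound to UDP 1701
            # on the address it arrived at: l2tpd listens on the wrong address.
            verdict = "no_listener"
        else:
            verdict = "no_reply"  # dropped before l2tpd, or the reply left by another path
        report[pair] = {"sccrq_retries": retries, "verdict": verdict}
    return report


if __name__ == "__main__":
    for pair, info in diagnose_l2tp(SAMPLE_CAPTURE).items():
        print(pair, info)
```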

