[Openswan Users] openswan release candidate: 2.4.5rc7

Matthias Haas mh at pompase.net
Thu Apr 6 09:43:38 CEST 2006


Good morning :-),
>
> We have just uploaded a new release candidate for openswan 2.4.5. This is
> openswan-2.4.5rc7. Most notable:
>
> - Fixes SMP crasher in KLIPS
> - Fixes compiles on 2.6.14 to 2.6.16
> - Fixes various NATD detections
> - Includes patch for openswan behind NAT with transport mode (for l2tp)

I have some questions regarding the stability and functionality of this
patch, because I am not able to enable an l2tp connection with a natted
openswan server. I use openswan 2.4.5rc7, a WinXP Pro SP2 Client, with the
changes that are needed to get it working (Q885407). What I get is a
configured tunnel
0          192.168.0.186/32:1701 -> 82.134.150.1/32:1701 =>
esp0x3aca6f3c at 82.134.150.1:17

with no packages passing by. As a second remark, I get
0          192.168.0.186/32:1701 -> 82.134.150.1/32:1701 => %trap:17
after the l2tp windows client gives up connecting. As far as I remember
this should not happen as the tunnel should be completely removed due to
the log file:

"l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
responding to Main Mode from unknown peer 213.179.141.14
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
STATE_MAIN_R1: sent MR1, expecting MI2
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are
NATed
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
STATE_MAIN_R2: sent MR2, expecting MI3
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, CN=l2tpclient'
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158: no
crl from issuer "C=DE, CN=CA" found (strict=no)
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158: I
am sending my cert
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group
=modp2048}
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #159:
responding to Quick Mode {msgid:79098525}
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #159:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #159:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #159:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #159:
STATE_QUICK_R2: IPsec SA established {ESP=>0x7a3466d3 <0x5be62fa3
xfrm=3DES_0-HMAC_MD5 NATD=213.179.141.14:4500 DPD
=none}
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
received Delete SA(0x7a3466d3) payload: deleting IPSEC State #159
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
received and ignored informational message
 "l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 #158:
received Delete SA payload: deleting ISAKMP State #158

Both SAs get a delete SA and should be removed though.
Perhaps I am missing something completely, but without natting my l2tp
server everything works fine?
Or are there any additional parts that I have to look at while working
with this patch?

Matthias

>
> We would very much appreciate feedback, especially on the SMP crasher,
> and people using openswan behind NAT as l2tp server.
>
> ftp://ftp.openswan.org/openswan/openswan-2.4.5rc7.tar.gz
> http://www.openswan.org/download/openswan-2.4.5rc7.tar.gz
>
> If we hear nothing fatal, we will release 2.4.5 on thursday.
>
> Thanks,
>
> Paul
>
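
Added example, not part of the original message or of Openswan: a small parser for pluto log lines like the ones quoted above. It tracks which states were established and which the peer later deleted. The sample lines are taken from the message with the mail wrapping undone; the function names are hypothetical.

```python
import re

# Constructed sample: log lines from the message above, unwrapped.
PREFIX = '"l2tp_0-l2tp_1701__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.14 '
SAMPLE_LOG = "\n".join(PREFIX + rest for rest in [
    "#158: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG "
    "cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}",
    "#159: STATE_QUICK_R2: IPsec SA established {ESP=>0x7a3466d3 <0x5be62fa3 "
    "xfrm=3DES_0-HMAC_MD5 NATD=213.179.141.14:4500 DPD=none}",
    "#158: received Delete SA(0x7a3466d3) payload: deleting IPSEC State #159",
    "#158: received and ignored informational message",
    "#158: received Delete SA payload: deleting ISAKMP State #158",
])

# "conn"[instance] peer #state: message
LINE = re.compile(r'^\s*"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) '
                  r'#(?P<state>\d+): (?P<msg>.*)$')
ESTAB = re.compile(r'(ISAKMP|IPsec) SA established')
DELETE = re.compile(r'deleting (ISAKMP|IPSEC) State #(\d+)')
NATD = re.compile(r'NATD=(\S+)')


def track_states(log_text):
    """Return {state_number: info} for every SA the log reports as established."""
    states = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation fragment or unrelated line
        msg = m["msg"]
        est = ESTAB.search(msg)
        if est:
            natd = NATD.search(msg)
            states[int(m["state"])] = {
                "kind": est.group(1).upper(),   # ISAKMP or IPSEC
                "peer": m["peer"],
                "natd": natd.group(1) if natd else None,
                "deleted": False,
            }
        gone = DELETE.search(msg)
        if gone and int(gone.group(2)) in states:
            states[int(gone.group(2))]["deleted"] = True
    return states


def live_states(states):
    """State numbers that were established and never reported as deleted."""
    return sorted(n for n, s in states.items() if not s["deleted"])
```

For the log in this message `live_states` returns an empty list, so the log itself reports no surviving state to account for the `%trap` entry that remains in the eroute listing.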



