[Openswan Users] ipsec/l2tp Windows (yes again)
Trevor Benson
tbenson at a-1networks.com
Mon Apr 24 21:54:16 CEST 2006
OK, so I got this working about 2 years ago and have used it off and on,
but not for about 10 months. I just rebuilt the latest Fedora kernel of
2.6.15.10 and openswan 2.4.5 with klips (patched the kernel for natt as
well). I have already used this certificate and connection string for
non-l2tp sessions, so I know the certificate is accepted with the Linksys
ipsec client and this gateway before attempting l2tp with it.
Testing has been a pain with a public IP, so I actually built natt just
so I could test this without the additional hassle of locating myself at
the server room while doing all of this. But natt is definitely needed in
the environment I am providing ipsec/l2tp traffic for anyway.
Here are the relevant sections of the ipsec.conf and ipsec.secrets and
the /var/log/secure log errors.
----IPSEC.CONF
version 2.0
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
uniqueids=yes
nat_traversal=yes
myid=@office1.ct.vpn.cleartunnel.net
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.167.0/24,%v4:!192.168.21.0/24,%v4:!192.168.200.0/24,%v4:!192.168.38.0/24,%v4:!192.168.130.0/24,%v4:!10.0.255.254/255.255.255.255,%v4:!192.168.1.0/24,%v4:!192.168.169.0/24,%v4:!192.168.128.0/24,%v4:!192.168.210.0/24,%v4:!192.168.166.0/24
conn %default
left=64.142.mumble1.mumble2
leftnexthop=%defaultroute
leftsubnet=192.168.mumble3.0/24
dpddelay=30
dpdtimeout=120
dpdaction=hold
authby=secret
auto=start
keyingtries=0
disablearrivalcheck=no
conn tbenson
leftcert=office1.ct.vpn.cleartunnel.net.cert
leftrsasigkey=%cert
leftprotoport=17/1701
rightprotoport=17/1701
right=64.142.7.188
rightnexthop=%defaultroute
rightca=%same
rightid="C=US, ST=California, L=Santa Rosa, O=Mumble, CN=tbenson.vpn.Mumble.net, E=ca-admin at Mumble.net"
rightrsasigkey=%cert
authby=rsasig
auto=add
----IPSEC.SECRETS
64.142.mumble1.mumble2 64.142.7.188 : RSA office1.ct.vpn.cleartunnel.net.key "mumblepassword"
---- SECURE LOG
Apr 24 12:33:16 office1 pluto[5070]: packet from 64.142.7.188:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 24 12:33:16 office1 pluto[5070]: packet from 64.142.7.188:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 24 12:33:16 office1 pluto[5070]: packet from 64.142.7.188:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 24 12:33:16 office1 pluto[5070]: packet from 64.142.7.188:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: responding to Main Mode
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Santa Rosa, O=ClearTunnel, CN=tbenson.vpn.cleartunnel.net, E=ca-admin at cleartunnel.net'
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: no crl from issuer "C=US, ST=California, L=Santa Rosa, O=ClearTunnel, OU=Operations, CN=vpn.cleartunnel.net, E=vpn-admin at cleartunnel.net" found (strict=no)
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: I am sending my cert
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 24 12:33:16 office1 pluto[5070]: | NAT-T: new mapping 64.142.7.188:500/4500)
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: cannot respond to IPsec SA request because no connection is known for 64.142.21.254[C=US, ST=California, L=Santa Rosa, O=ClearTunnel, CN=office1.ct.vpn.cleartunnel.net, E=ca-admin at cleartunnel.net]:17/1701...64.142.7.188[C=US, ST=California, L=Santa Rosa, O=ClearTunnel, CN=tbenson.vpn.cleartunnel.net, E=ca-admin at cleartunnel.net]:17/1701
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: sending encrypted notification INVALID_ID_INFORMATION to 64.142.7.188:4500
Apr 24 12:33:18 office1 pluto[5070]: "tbenson" #35: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2cf03810 (perhaps this is a duplicated packet)
Apr 24 12:33:18 office1 pluto[5070]: "tbenson" #35: sending encrypted notification INVALID_MESSAGE_ID to 64.142.7.188:4500
Apr 24 12:33:20 office1 pluto[5070]: "tbenson" #35: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2cf03810 (perhaps this is a duplicated packet)
Apr 24 12:33:20 office1 pluto[5070]: "tbenson" #35: sending encrypted notification INVALID_MESSAGE_ID to 64.142.7.188:4500
Apr 24 12:33:24 office1 pluto[5070]: "tbenson" #35: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2cf03810 (perhaps this is a duplicated packet)
Apr 24 12:33:24 office1 pluto[5070]: "tbenson" #35: sending encrypted notification INVALID_MESSAGE_ID to 64.142.7.188:4500
Trevor
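Added example (not from the post, and not Openswan code): a small Python triage script for the kind of pluto log shown above. It groups messages per ISAKMP SA number, records whether Phase 1 completed, the NAT-T verdict, the peer's Main Mode ID and the notifications pluto sent, extracts the selector (address, ID, proto/port on each side) from the "no connection is known for ..." line, and compares that selector against the literal left/right/protoport/rightid settings of the conn with the same name. The sample log lines, the ipsec.conf fragment, and all addresses and DNs in it are constructed stand-ins, not values from the post.

```python
"""Triage pluto (the Openswan IKE daemon) log lines for an L2TP/IPsec peer
that completes Main Mode but is refused in Quick Mode.

Added example, not code from the original post or from Openswan. The log
lines and the ipsec.conf fragment are constructed for this example and
modeled on the post's excerpt; addresses and DNs are stand-ins."""
import re

# Constructed sample: one pluto entry per line, shaped like the post's /var/log/secure excerpt.
SAMPLE_LOG = """\
Apr 24 12:33:16 office1 pluto[5070]: packet from 198.51.100.7:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: responding to Main Mode
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=Example, CN=client.example.net'
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: cannot respond to IPsec SA request because no connection is known for 192.0.2.1[C=US, O=Example, CN=gw.example.net]:17/1701...198.51.100.7[C=US, O=Example, CN=client.example.net]:17/1701
Apr 24 12:33:16 office1 pluto[5070]: "tbenson" #35: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.7:4500
Apr 24 12:33:18 office1 pluto[5070]: "tbenson" #35: sending encrypted notification INVALID_MESSAGE_ID to 198.51.100.7:4500
"""

# Constructed ipsec.conf fragment; its rightid deliberately differs from the peer's certificate DN.
SAMPLE_CONF = """\
conn %default
    left=192.0.2.1
    leftprotoport=17/1701
    rightprotoport=17/1701
conn tbenson
    right=198.51.100.7
    rightid="C=US, O=Example, CN=laptop.example.net"
"""

STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PEERID_RE = re.compile(r"Main mode peer ID is (?P<kind>\w+): '(?P<id>[^']*)'")
NOCONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<lip>[\d.]+)\[(?P<lid>[^\]]*)\]:(?P<lpp>\d+/\d+)\.\.\."
    r"(?P<rip>[\d.]+)\[(?P<rid>[^\]]*)\]:(?P<rpp>\d+/\d+)")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<name>\w+) to (?P<peer>[\d.]+:\d+)")


def parse_conf(text):
    """Return {conn_name: options}, with the 'conn %default' options folded into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def triage(log_text):
    """Group pluto messages per (conn, ISAKMP SA number) and pull out what Quick Mode asked for."""
    report = {}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # vendor-ID chatter and '|' debug lines carry no SA number
        entry = report.setdefault((m["conn"], int(m["sa"])),
                                  {"phase1": False, "nat_t": None, "peer_id": None,
                                   "request": None, "notifications": []})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            entry["phase1"] = True
        elif msg.startswith("NAT-Traversal:"):
            entry["nat_t"] = msg.rsplit(": ", 1)[1]
        elif (p := PEERID_RE.search(msg)):
            entry["peer_id"] = p["id"]
        elif (q := NOCONN_RE.search(msg)):
            entry["request"] = q.groupdict()
        elif (n := NOTIFY_RE.search(msg)):
            entry["notifications"].append(n["name"])
    return report


def _norm(value):
    return " ".join(value.split())  # DN spacing in logs and configs is not always identical


def selector_mismatches(conn, request):
    """Compare a Quick Mode selector with a conn's literal settings; %-magic values are skipped."""
    checks = [("left", "lip"), ("leftprotoport", "lpp"),
              ("right", "rip"), ("rightprotoport", "rpp"), ("rightid", "rid")]
    out = []
    for opt, key in checks:
        want = conn.get(opt)
        if want is None or want.startswith("%"):
            continue  # %any, %defaultroute, %same etc. need pluto's own matching logic
        if _norm(want) != _norm(request[key]):
            out.append(f"{opt}={want!r} does not match requested {request[key]!r}")
    return out


def summarize(log_text, conf_text):
    """One line per ISAKMP SA, followed by the conn settings the requested selector disagrees with."""
    conns = parse_conf(conf_text)
    lines = []
    for (conn, sa), e in sorted(triage(log_text).items()):
        status = "Phase 1 OK" if e["phase1"] else "Phase 1 incomplete"
        lines.append(f'"{conn}" #{sa}: {status}; NAT-T: {e["nat_t"]}; peer ID: {e["peer_id"]}; '
                     f'notifications: {", ".join(e["notifications"]) or "none"}')
        if e["request"] and conn in conns:
            for mm in selector_mismatches(conns[conn], e["request"]) or ["selectors match conn literals"]:
                lines.append("    " + mm)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG, SAMPLE_CONF)))
```

The comparison is deliberately literal: anything set to a `%` value (`%any`, `%defaultroute`, `%same`) is left to pluto, so the script only flags fields where a plain value in the conn cannot match what the client proposed. Run it against a real `/var/log/secure` and the live `ipsec.conf` by swapping the two sample strings for file contents.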