[Openswan Users]
Brian Sheets
brians at fl240.com
Tue Aug 8 07:45:43 EDT 2006
Here is my config
    #
    authby=rsasig
    pfs=no
    left=198.172.xx.201
    leftnexthop=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/gateway1.mxpath.net.pem
    leftsendcert=always
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    rightid=%any
    #
    # Authorize this connection, and wait for connection from user.
    #
    auto=add
    keyingtries=3
________________________________
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Greg
Sent: Tuesday, August 08, 2006 12:38 PM
To: users at openswan.org
Subject: [Openswan Users]
Hello List,
I'm trying to configure a VPN gateway between Openswan and Windows XP SP2.
I've no problem opening a "simple" IPsec tunnel, but when I want to use L2TP, the client gives me this error (Error 789: L2TP-Connection failed, since a processing error arose during its first safety from action with the remote computer) and the server (respond to IPsec SA request because no connection is known for 81.127.61.93/32===192.168.0.4[C=FR, ST=FRANCE, L=LOCATION, O=WEF, OU=INFO, CN=TEST, E=root at test.com]:17/1701...80.10.30.143[C=FR, ST=FRANCE, L=LOCATION, O=WEF, OU=INFO, CN=TEST, E=root at test.com]:17/1701)
Please help
Thanks,
GD
My ipsec.conf (cf. Nate Carlson's site):
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug="none"

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=192.168.0.0/255.255.255.0
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    left=%defaultroute
    leftcert=cert.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

conn roadwarrior-l2tp
    left=%defaultroute
    leftcert=cert.pem
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    pfs=no
    auto=add
    type=transport

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
LOG:
Aug 8 06:59:42 darko ipsec__plutorun: Starting Pluto subsystem...
Aug 8 06:59:42 darko pluto[23921]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Aug 8 06:59:42 darko pluto[23921]: Setting NAT-Traversal port-4500 floating to on
Aug 8 06:59:42 darko pluto[23921]: port floating activation criteria nat_t=1/port_fload=1
Aug 8 06:59:42 darko pluto[23921]: including NAT-Traversal patch (Version 0.6c)
Aug 8 06:59:42 darko pluto[23921]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 8 06:59:42 darko pluto[23921]: starting up 1 cryptographic helpers
Aug 8 06:59:42 darko pluto[23921]: started helper pid=23931 (fd:6)
Aug 8 06:59:42 darko pluto[23921]: Using Linux 2.6 IPsec interface code on 2.6.14-1.1656_FC4smp
Aug 8 06:59:42 darko pluto[23921]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 8 06:59:42 darko pluto[23921]: loaded CA cert file 'vpn2.pem' (3358 bytes)
Aug 8 06:59:42 darko pluto[23921]: loaded CA cert file 'cacert.pem' (1253 bytes)
Aug 8 06:59:42 darko pluto[23921]: Could not change to directory '/etc/ipsec.d/aacerts'
Aug 8 06:59:42 darko pluto[23921]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Aug 8 06:59:42 darko pluto[23921]: Changing to directory '/etc/ipsec.d/crls'
Aug 8 06:59:42 darko pluto[23921]: loaded crl file 'crl.pem' (499 bytes)
Aug 8 06:59:42 darko pluto[23921]: loaded host cert file '/etc/ipsec.d/certs/cert.pem' (3611 bytes)
Aug 8 06:59:42 darko pluto[23921]: added connection description "roadwarrior-l2tp"
Aug 8 06:59:43 darko pluto[23921]: loaded host cert file '/etc/ipsec.d/certs/cert.pem' (3611 bytes)
Aug 8 06:59:43 darko pluto[23921]: added connection description "roadwarrior"
Aug 8 06:59:43 darko pluto[23921]: loaded host cert file '/etc/ipsec.d/certs/cert.pem' (3611 bytes)
Aug 8 06:59:43 darko pluto[23921]: added connection description "roadwarrior-all"
Aug 8 06:59:43 darko pluto[23921]: loaded host cert file '/etc/ipsec.d/certs/cert.pem' (3611 bytes)
Aug 8 06:59:43 darko pluto[23921]: added connection description "roadwarrior-l2tp-oldwin"
Aug 8 06:59:43 darko pluto[23921]: loaded host cert file '/etc/ipsec.d/certs/cert.pem' (3611 bytes)
Aug 8 06:59:43 darko pluto[23921]: added connection description "roadwarrior-net"
Aug 8 06:59:43 darko pluto[23921]: listening for IKE messages
Aug 8 06:59:43 darko pluto[23921]: adding interface eth0/eth0 192.168.0.4:500
Aug 8 06:59:43 darko pluto[23921]: adding interface eth0/eth0 192.168.0.4:4500
Aug 8 06:59:43 darko pluto[23921]: adding interface lo/lo 127.0.0.1:500
Aug 8 06:59:43 darko pluto[23921]: adding interface lo/lo 127.0.0.1:4500
Aug 8 06:59:43 darko pluto[23921]: adding interface lo/lo ::1:500
Aug 8 06:59:43 darko pluto[23921]: loading secrets from "/etc/ipsec.secrets"
Aug 8 06:59:43 darko pluto[23921]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Aug 8 06:59:43 darko pluto[23921]: loaded private key file '/etc/ipsec.d/private/cert.key' (1659 bytes)
Aug 8 07:02:49 darko pluto[23921]: packet from 80.10.30.143:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 8 07:02:49 darko pluto[23921]: packet from 80.10.30.143:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 8 07:02:49 darko pluto[23921]: packet from 80.10.30.143:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 8 07:02:49 darko pluto[23921]: packet from 80.10.30.143:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 8 07:02:49 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: responding to Main Mode from unknown peer 80.10.30.143
Aug 8 07:02:49 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 8 07:02:49 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 8 07:02:50 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Aug 8 07:02:50 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 8 07:02:50 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 8 07:02:51 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: discarding duplicate packet; already STATE_MAIN_R2
Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[1] 80.10.30.143 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=FRANCE, L=LOCATION, O=WEF, OU=INFO, CN=TEST, E=root at test.com'
Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: deleting connection "roadwarrior-l2tp" instance with peer 80.10.30.143 {isakmp=#0/ipsec=#0}
Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: I am sending my cert
Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 8 07:02:52 darko pluto[23921]: | NAT-T: new mapping 80.10.30.143:500/4500)
Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: cannot respond to IPsec SA request because no connection is known for 81.127.61.93/32===192.168.0.4['C=FR, ST=FRANCE, L=LOCATION, O=WEF, OU=INFO, CN=TEST, E=root at test.com']:17/1701...80.10.30.143['C=FR, ST=FRANCE, L=LOCATION, O=WEF, OU=INFO, CN=TEST, E=root at test.com']:17/1701
Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: sending encrypted notification INVALID_ID_INFORMATION to 80.10.30.143:4500
Aug 8 07:02:53 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb51f56cd (perhaps this is a duplicated packet)
Aug 8 07:02:53 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.10.30.143:4500
Aug 8 07:02:55 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb51f56cd (perhaps this is a duplicated packet)
Aug 8 07:02:55 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.10.30.143:4500
Aug 8 07:02:59 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb51f56cd (perhaps this is a duplicated packet)
Aug 8 07:02:59 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.10.30.143:4500
Aug 8 07:03:07 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb51f56cd (perhaps this is a duplicated packet)
Aug 8 07:03:07 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: sending encrypted notification INVALID_MESSAGE_ID to 80.10.30.143:4500
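An added diagnostic example (my code, not from the thread or from Openswan; the first sample line follows the pluto message format in the log above with the DNs shortened, the other two are constructed): it parses pluto's "no connection is known for" message and checks whether the client-proposed selector is one that rightsubnet=vhost:%no,%priv could accept, namely the peer's own address (%no) or an address inside virtual_private (%priv). For the line in the log above it reports neither, which is the detail to check before changing anything else in the conn.

```python
import ipaddress
import re

# Sample lines in the format of the pluto log quoted above (DNs shortened); all constructed.
SAMPLE_LOG = [
    'Aug 8 07:02:52 darko pluto[23921]: "roadwarrior-l2tp"[2] 80.10.30.143 #1: cannot respond '
    "to IPsec SA request because no connection is known for 81.127.61.93/32===192.168.0.4"
    "['C=FR, CN=TEST']:17/1701...80.10.30.143['C=FR, CN=TEST']:17/1701",
    # constructed: a NATed client proposing an RFC 1918 address as its IPsec client
    "pluto[1]: no connection is known for 192.168.1.10/32===192.168.0.4:17/1701...80.10.30.143:17/1701",
    # constructed: a client proposing its own host address (what vhost:%no accepts)
    "pluto[1]: no connection is known for 80.10.30.143/32===192.168.0.4:17/1701...80.10.30.143:17/1701",
]
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"  # from the quoted ipsec.conf

# client/mask===left[ID]:proto/port...right[ID]:proto/port ; the [ID] parts are optional.
NO_CONN_RE = re.compile(
    r"no connection is known for (?P<client>[\d.]+/\d+)===(?P<left>[\d.]+)(?:\[[^\]]*\])?"
    r":(?P<lproto>\d+/\d+)\.\.\.(?P<right>[\d.]+)(?:\[[^\]]*\])?:(?P<rproto>\d+/\d+)"
)

def parse_virtual_private(value):
    """Return the IPv4 networks a %priv client may claim (exclusions '!' and %v6 skipped)."""
    nets = []
    for item in value.split(","):
        tag, _, cidr = item.strip().partition(":")
        if tag == "%v4" and not cidr.startswith("!"):
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets

def diagnose(line, virtual_private=VIRTUAL_PRIVATE):
    """Explain a 'no connection is known for' line, or return None for any other line."""
    m = NO_CONN_RE.search(line)
    if not m:
        return None
    client = ipaddress.ip_network(m["client"], strict=False)
    peer = ipaddress.ip_address(m["right"])
    nets = parse_virtual_private(virtual_private)
    res = {
        "client": str(client),
        "peer": str(peer),
        "l2tp": m["lproto"] == "17/1701" and m["rproto"] == "17/1701",
        # vhost:%no -> the client selector must be exactly the peer's own address
        "matches_no": client.prefixlen == 32 and client.network_address == peer,
        # vhost:%priv -> the client selector must lie inside virtual_private
        "matches_priv": any(client.subnet_of(n) for n in nets),
    }
    res["vhost_would_accept"] = res["matches_no"] or res["matches_priv"]
    return res
```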