[Openswan Users] l2tp/ipsec - ipsec ok, but no connection
Adam Zientek
adam.zientek at hot.pl
Sat Aug 12 06:14:31 EDT 2006
Hello!
I am trying to set up an l2tp/ipsec connection between my home WinXP SP2 pc and my work
network.
81.168.163.SS ---> 81.168.163.CC ---> 192.168.1.100
192.168.0.0/24     192.168.115.0/24   192.168.1.0/24
I have installed openswan 2.4.4 on my work router (81.168.163.SS).
I try to connect from my home (192.168.1.100). At home I have a simple
wireless router (192.168.1.100>NAT>192.168.115.25), then there is my campus
router (192.168.115.25>NAT>81.168.163.CC). OK, I configure
openswan and l2tpd, import the certificate on the home pc and try to connect.
Windows gets error 678 and on the server I get:
---
pluto[16782]: adding interface eth2/eth2 192.168.0.2:500
pluto[16782]: adding interface eth2/eth2 192.168.0.2:4500
pluto[16782]: adding interface eth0/eth0 81.168.163.SS:500
pluto[16782]: adding interface eth0/eth0 81.168.163.SS:4500
pluto[16782]: adding interface lo/lo 127.0.0.1:500
pluto[16782]: adding interface lo/lo 127.0.0.1:4500
pluto[16782]: loading secrets from "/etc/ipsec.secrets"
pluto[16782]: loaded private key file
'/etc/ipsec.d/private/ipsecgw.key' (963 bytes)
pluto[16782]: packet from 81.168.163.CC:64463: ignoring Vendor ID
payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[16782]: packet from 81.168.163.CC:64463: ignoring Vendor ID
payload [FRAGMENTATION]
pluto[16782]: packet from 81.168.163.CC:64463: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[16782]: packet from 81.168.163.CC:64463: ignoring Vendor ID
payload [Vid-Initial-Contact]
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: responding to Main Mode
from unknown peer 81.168.163.CC
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: STATE_MAIN_R1: sent MR1,
expecting MI2
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: STATE_MAIN_R2: sent MR2,
expecting MI3
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: Main mode peer ID is
ID_DER_ASN1_DN: 'here_is_DN_of_ClientCert'
pluto[16782]: "l2tp-x509"[1] 81.168.163.CC #1: no crl from issuer
"here_is_my_CA_DN" found (strict=no)
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #1: deleting connection
"l2tp-x509" instance with peer 81.168.163.CC {isakmp=#0/ipsec=#0}
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #1: I am sending my cert
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[16782]: | NAT-T: new mapping 81.168.163.CC:64463/61799)
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #1: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp2048}
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #2: responding to Quick Mode
{msgid:1af6e771}
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #2: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #2: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #2: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #2: STATE_QUICK_R2: IPsec SA
established {ESP=>0xfc3666ec <0xa82d6562 xfrm=3DES_0-HMAC_MD5
NATD=81.168.163.CC:61799 DPD=none}
pluto[16782]: packet from 81.168.163.CC:64463: ignoring Vendor ID
payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[16782]: packet from 81.168.163.CC:64463: ignoring Vendor ID
payload [FRAGMENTATION]
pluto[16782]: packet from 81.168.163.CC:64463: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[16782]: packet from 81.168.163.CC:64463: ignoring Vendor ID
payload [Vid-Initial-Contact]
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: responding to Main Mode
from unknown peer 81.168.163.CC
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: STATE_MAIN_R1: sent MR1,
expecting MI2
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: STATE_MAIN_R2: sent MR2,
expecting MI3
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: Main mode peer ID is
ID_DER_ASN1_DN: 'here_is_DN_of_ClientCert'
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: no crl from issuer
"here_is_my_CA_DN" found (strict=no)
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: I am sending my cert
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[16782]: | NAT-T: new mapping 81.168.163.CC:64463/61799)
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #3: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp2048}
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #4: responding to Quick Mode
{msgid:1c7163bd}
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #4: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #4: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #4: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[16782]: "l2tp-x509"[2] 81.168.163.CC #4: STATE_QUICK_R2: IPsec SA
established {ESP=>0x3e80b6b5 <0x017f8ec8 xfrm=3DES_0-HMAC_MD5
NATD=81.168.163.CC:61799 DPD=none}
---
This part:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
[...]
STATE_QUICK_R2: IPsec SA established
repeats until WinXP terminates the connection with error 678. There are no
messages from l2tpd.
My system is Fedora Core 5, kernel 2.4.17, openswan 2.4.4, l2tpd 0.69
ipsec.conf:
version 2.0
config setup
    # klipsdebug=none
    # plutodebug="control parsing"
    nat_traversal=yes
    virtual_private=%v4:!192.168.0.0/24,%v4:192.168.1.0/24,%v4:192.168.117.0/24
include /etc/ipsec.d/no_oe.conf
conn l2tp-x509
    left=81.168.163.SS
    leftnexthop=81.168.163.1
    leftprotoport=17/1701
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/ipsecgwCert.pem
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    right=%any
    rightrsasigkey=%cert
    auto=add
    authby=rsasig
    pfs=no
    #rekey=no
    #type=transport
    #keyingtries=1
    # rightca=%same
81.168.163.1 <-- this is my ISP gateway
Please tell me why I get "IPsec SA established", but the connection is not
established?
--
Pozdrawiam
Adam Zientek
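Added example (not from the original post): a minimal ipsec.conf parser with the checks a reviewer would run over an Openswan L2TP/IPsec conn for Windows clients. It assumes the documented defaults (type=tunnel, pfs=yes when unset) and that the Windows L2TP/IPsec client negotiates IPsec in transport mode; the embedded config is a constructed copy of the post's conn with indentation restored.

```python
import re

# Constructed sample: a copy of the post's conn with the indentation restored.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:!192.168.0.0/24,%v4:192.168.1.0/24,%v4:192.168.117.0/24
conn l2tp-x509
    left=81.168.163.SS
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    right=%any
    authby=rsasig
    pfs=no
    #type=transport
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # a commented-out key is not set
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented lines open a section (or are 'version'/'include')
            m = re.match(r"(conn|config)\s+(\S+)", line)
            current = m.group(2) if m else None
            if current:
                sections.setdefault(current, {})
            continue
        if current and "=" in line:
            k, v = line.strip().split("=", 1)
            sections[current][k.strip()] = v.strip()
    return sections

def check_l2tp_conn(text, conn="l2tp-x509"):
    """List the L2TP/IPsec-specific problems found in the named conn."""
    cfg = parse_ipsec_conf(text)
    c, setup, findings = cfg.get(conn, {}), cfg.get("setup", {}), []
    if c.get("type", "tunnel") != "transport":  # ipsec.conf default is tunnel
        findings.append("type: defaults to tunnel; Windows L2TP/IPsec needs type=transport")
    if c.get("leftprotoport") != "17/1701":
        findings.append("leftprotoport: must be 17/1701 (L2TP over UDP)")
    if c.get("pfs", "yes") != "no":
        findings.append("pfs: Windows XP Quick Mode does not use PFS; set pfs=no")
    if setup.get("nat_traversal") != "yes" or "vhost:%priv" not in c.get("rightsubnet", ""):
        findings.append("NAT-T: NATed clients need nat_traversal=yes and rightsubnet=vhost:%priv,%no")
    return findings
```

Running `check_l2tp_conn(SAMPLE_CONF)` on the post's config reports only the commented-out `type=transport`; everything else the Windows client needs is already set.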