[Openswan Users] One road warrior doesn't connect
Brian Hoover
brian_hoover at verizon.net
Sat Dec 16 09:37:18 EST 2006
My IPsec/L2TP Gateway config:
Kernel 2.6.14 klips, Linux Openswan U2.4.5rc5/K2.4.5dr3 (klips), Using
X.509
The setup works well for many users except one. When he tries to
connect using XP's client, the sequence below is logged.
When I review a working connection sequence I see that certs are passed
after the sent MR2 message, so I recreated and reinstalled his cert,
still no joy.
How can I find more information about what is stopping this connection?
I tried to enable IKE logging on the M$ box but the log file was never
populated.
Will tcpdump help me? What should I look for?
Is there a known solution for this without more information?
TIA,
Brian Hoover
Dec 15 13:45:52 vespertilian pluto[9193]: packet from 38.247.16.254:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Dec 15 13:45:52 vespertilian pluto[9193]: packet from 38.247.16.254:500:
ignoring Vendor ID payload [FRAGMENTATION]
Dec 15 13:45:52 vespertilian pluto[9193]: packet from 38.247.16.254:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Dec 15 13:45:52 vespertilian pluto[9193]: packet from 38.247.16.254:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 15 13:45:52 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: responding to Main Mode from unknown peer 38.247.16.254
Dec 15 13:45:52 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Dec 15 13:45:52 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 13:45:52 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 15 13:45:53 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Dec 15 13:45:53 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 13:47:03 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: max number of retransmissions (2) reached STATE_MAIN_R2
Dec 15 13:47:03 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254: deleting connection "L2TP-CERT-NAT" instance with peer
38.247.16.254 {isakmp=#0/ipsec=#0}
Dec 15 13:56:28 vespertilian pluto[9193]: packet from 71.126.167.46:500:
Informational Exchange is for an unknown (expired?) SA
Dec 15 14:04:58 vespertilian pluto[9193]: packet from 38.247.16.254:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Dec 15 14:04:58 vespertilian pluto[9193]: packet from 38.247.16.254:500:
ignoring Vendor ID payload [FRAGMENTATION]
Dec 15 14:04:58 vespertilian pluto[9193]: packet from 38.247.16.254:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Dec 15 14:04:58 vespertilian pluto[9193]: packet from 38.247.16.254:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 15 14:04:58 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254 #5526: responding to Main Mode from unknown peer 38.247.16.254
Dec 15 14:04:58 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254 #5526: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Dec 15 14:04:58 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254 #5526: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 14:04:58 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254 #5526: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 15 14:04:58 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254 #5526: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Dec 15 14:04:58 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254 #5526: STATE_MAIN_R2: sent MR2, expecting MI3
XP finally gives up with "security negotiation timed out"
Dec 15 14:06:08 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254 #5526: max number of retransmissions (2) reached STATE_MAIN_R2
Dec 15 14:06:08 vespertilian pluto[9193]: "L2TP-CERT-NAT"[1000]
38.247.16.254: deleting connection "L2TP-CERT-NAT" instance with peer
38.247.16.254 {isakmp=#0/ipsec=#0}
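
One way to triage a pluto log like the one above, as an added example that is not part of the original post: it rejoins the mail-wrapped syslog lines and reports each state object (#NNNN) that hit the retransmission limit, together with the IKE message pluto was still waiting for. The function names are this example's own, and the embedded sample is a constructed excerpt of lines taken from the post.

```python
import re

# Constructed sample: mail-wrapped pluto lines taken from the log in the post.
SAMPLE = '''\
Dec 15 13:45:52 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 13:45:52 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 15 13:45:53 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 13:47:03 vespertilian pluto[9193]: "L2TP-CERT-NAT"[999]
38.247.16.254 #5525: max number of retransmissions (2) reached STATE_MAIN_R2
'''

STAMP = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')
SA_LINE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
EXPECT = re.compile(r'STATE_\w+: sent \w+, expecting (\w+)')
GAVE_UP = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')

def unwrap(text):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if STAMP.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += ' ' + line
    return records

def stalled_negotiations(text):
    """One dict per pluto state object (#NNNN) that hit the retransmission limit."""
    sas = {}
    for rec in unwrap(text):
        m = SA_LINE.search(rec)
        if not m:
            continue  # not tied to a state object (vendor ID lines, deletions)
        sa = sas.setdefault(m['sa'], {'sa': m['sa'], 'peer': m['peer'], 'conn': m['conn'],
                                      'nat': False, 'awaiting': None, 'stalled_in': None})
        sa['nat'] = sa['nat'] or 'peer is NATed' in m['msg']
        if (e := EXPECT.search(m['msg'])):
            sa['awaiting'] = e[1]    # last IKE message pluto was waiting for
        if (g := GAVE_UP.search(m['msg'])):
            sa['stalled_in'] = g[1]  # state in which pluto gave up
    return [sa for sa in sas.values() if sa['stalled_in']]

if __name__ == '__main__':
    print(*stalled_negotiations(SAMPLE), sep='\n')
```

On the sample it reports state #5525 for peer 38.247.16.254, stalled in STATE_MAIN_R2 while awaiting MI3, with the peer detected as NATed.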