[Openswan Users] Cannot get OpenSwan (or pppd) to work correctly....

frode at fritid.as frode at fritid.as
Tue Jan 3 02:00:31 CET 2006


Hi all.

I have searched through most of the net, but cannot seem to find anyone with the same config as myself, and thus I'm not sure whether any of the sample configs I have tried are correct.

My setup :

I have one server, installed Mandrake 10.1 with default kernel from a downloaded DVD. One NIC only.
I have installed vmware GSX-server with NAT-network enabled, and then I have gotten a virtual NIC as well.

I am installing different servers on separate VMs, and all of those get IPs in the same net as the virtual net for GSX-server.

Since my setup is tested locally, I have this config:

ETH0 : 10.1.3.199
vmnet8 : 192.168.5.1

and the installed servers get their IPs from vmware-dhcp in the range 192.168.5.128-254.

What I want is simply to make OpenSwan work as a VPN-server for me to log on from Win-clients to access the virtual machines.

I want to make it as simple as possible on the client side, preferably only having to create a new VPN-connection and supply a user-name and password. Preferably using the same authentication as logging into the server (Mandrake) via SSH (reusing the Linux accounts).

As of now, I have set it up trying to use a preshared key, and I think my relevant files are:

/etc/openswan/ipsec.conf :
version 2.0
config setup
      interfaces=%defaultroute
      klipsdebug=none
      plutodebug=none
      overridemtu=1410
      nat_traversal=yes
      virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
      keyingtries=3
      compress=yes
      disablearrivalcheck=no
      authby=secret
      type=tunnel
      keyexchange=ike
      ikelifetime=240m
      keylife=60m

conn roadwarrior-net
      leftsubnet=192.168.0.0/16
      also=roadwarrior

conn roadwarrior-all
      leftsubnet=0.0.0.0/0
      also=roadwarrior

conn roadwarrior-l2tp
      leftprotoport=17/0
      rightprotoport=17/1701
      also=roadwarrior

conn roadwarrior-l2tp-updatedwin
      leftprotoport=17/1701
      rightprotoport=17/1701
      also=roadwarrior

conn roadwarrior
      pfs=no
      left=10.1.3.199
      leftnexthop=10.1.3.252
      right=%any
      rightsubnet=vhost:%no,%priv
      auto=add

#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf
-------

/etc/openswan/ipsec.secrets (also copied to /etc/ipsec.secrets) :
10.1.3.199 %any: PSK "myKey"
: RSA {
      # RSA 2192 bits   vmserver.mazeppa.no   Sun Jan  1 13:47:57 2006
      # for signatures only, UNSAFE FOR ENCRYPTION
      #pubkey=(data)
      Modulus:(data)
      PublicExponent: 0x03
      # everything after this point is secret
      PrivateExponent: (data)
      Prime1: (data)
      Prime2: (data)
      Exponent1: (data)
      Exponent2: (data)
      Coefficient: (data)
      }
# do not change the indenting of that "}"
----
/etc/ppp/options.l2tpd : (10.1.3.252 is my gateway to the Internet from the local LAN I test on)
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.1.3.252
ms-wins 10.1.3.252
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent

----
/etc/l2tpd/l2tpd.conf :
;
; This is a minimal sample l2tpd configuration file for use
; with L2TP over IPSEC.
;
; The idea is to provide an L2TP daemon to which Microsoft L2TP/IPSEC
; remote clients connect. In this example, the internal (protected) network
; is 192.168.1.x.  A special IP range within this network is reserved for
; the remote clients.
;

[global]
      port=1701
[lns default]
      ip range = 192.168.5.90-192.168.5.127
      local ip = 192.168.5.1
      require chap = yes
      refuse pap = yes
      require authentication = yes
      name = LinuxVPNserver
      ppp debug = yes
      pppoptfile = /etc/ppp/options.l2tpd
      length bit = yes

----
output from "ipsec verify" :
[root at vmserver log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.2.0/K2.6.8.1-12mdksmp (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/openswan/ipsec.secrets)              [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: vmserver.mazeppa.no             [MISSING]
   Does the machine have at least one non-private address?              [FAILED]

----
a merge of /var/messages and /var/secret when I issue "service l2tpd start"
Starting l2tpd:                                                 [  OK  ]
[root at vmserver log]# Jan  3 00:42:37 vmserver l2tpd[10802]: This binary does not support kernel L2TP.
Jan  3 00:42:37 vmserver l2tpd[10803]: l2tpd version 0.69 started on vmserver.mazeppa.no PID:10803
Jan  3 00:42:37 vmserver l2tpd[10803]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan  3 00:42:37 vmserver l2tpd[10803]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan  3 00:42:37 vmserver l2tpd[10803]: Inhereted by Jeff McAdams, (C) 2002
Jan  3 00:42:37 vmserver l2tpd[10803]: Linux version 2.6.8.1-12mdksmp on a i686, port 1701
Jan  3 00:42:37 vmserver l2tpd: This binary does not support kernel L2TP.
Jan  3 00:42:37 vmserver l2tpd: l2tpd startup succeeded
---
a merge when I issue "service ipsec start" :
[root at vmserver log]# service ipsec start
Jan  3 00:43:36 vmserver ipsec_setup: KLIPS ipsec0 on eth0 10.1.3.199/255.255.255.0 broadcast 10.1.3.255 mtu 1410
ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.8.1-12mdksmp...
[root at vmserver log]# Jan  3 00:43:36 vmserver ipsec_setup: ...Openswan IPsec started
Jan  3 00:43:36 vmserver ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.8.1-12mdksmp...
Jan  3 00:41:57 vmserver pluto[10244]: shutting down interface vmnet8/vmnet8 192.168.5.1
Jan  3 00:43:36 vmserver ipsec__plutorun: Starting Pluto subsystem...
Jan  3 00:43:36 vmserver pluto[10880]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan  3 00:43:36 vmserver pluto[10880]:   including NAT-Traversal patch (Version 0.6c)
Jan  3 00:43:36 vmserver pluto[10880]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  3 00:43:36 vmserver pluto[10880]: Using Linux 2.6 IPsec interface code
Jan  3 00:43:36 vmserver pluto[10880]: Could not change to directory '/etc/openswan/ipsec.d/cacerts'
Jan  3 00:43:36 vmserver pluto[10880]: Could not change to directory '/etc/openswan/ipsec.d/aacerts'
Jan  3 00:43:36 vmserver pluto[10880]: Could not change to directory '/etc/openswan/ipsec.d/ocspcerts'
Jan  3 00:43:36 vmserver pluto[10880]: Could not change to directory '/etc/openswan/ipsec.d/crls'
Jan  3 00:43:36 vmserver pluto[10880]: added connection description "roadwarrior-l2tp"
Jan  3 00:43:36 vmserver pluto[10880]: added connection description "roadwarrior"
Jan  3 00:43:36 vmserver pluto[10880]: added connection description "roadwarrior-all"
Jan  3 00:43:36 vmserver pluto[10880]: added connection description "roadwarrior-net"
Jan  3 00:43:37 vmserver pluto[10880]: added connection description "roadwarrior-l2tp-updatedwin"
Jan  3 00:43:37 vmserver pluto[10880]: listening for IKE messages
Jan  3 00:43:37 vmserver pluto[10880]: adding interface vmnet8/vmnet8 192.168.5.1
Jan  3 00:43:37 vmserver pluto[10880]: adding interface vmnet8/vmnet8 192.168.5.1:4500
Jan  3 00:43:37 vmserver pluto[10880]: adding interface vmnet1/vmnet1 172.16.135.1
Jan  3 00:43:37 vmserver pluto[10880]: adding interface vmnet1/vmnet1 172.16.135.1:4500
Jan  3 00:43:37 vmserver pluto[10880]: adding interface eth0/eth0 10.1.3.199
Jan  3 00:43:37 vmserver pluto[10880]: adding interface eth0/eth0 10.1.3.199:4500
Jan  3 00:43:37 vmserver pluto[10880]: adding interface lo/lo 127.0.0.1
Jan  3 00:43:37 vmserver pluto[10880]: adding interface lo/lo 127.0.0.1:4500
Jan  3 00:43:37 vmserver pluto[10880]: adding interface lo/lo ::1
Jan  3 00:43:37 vmserver pluto[10880]: loading secrets from "/etc/openswan/ipsec.secrets"


-----
Note that the interface vmnet1 is used by vmware-server for host-only vm-instances.
---
A merged output from the logs when I try to connect via a plain generated Windows VPN-connection (only set up IP, user, pass and PSK):

Jan  3 00:49:22 vmserver pluto[10880]: packet from 10.1.3.66:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: responding to Main Mode from unknown peer 10.1.3.66
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: transition from state (null) to state STATE_MAIN_R1
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: Peer ID is ID_IPV4_ADDR: '10.1.3.66'
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: I did not send a certificate because I do not have one.
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: sent MR3, ISAKMP SA established
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: responding to Quick Mode
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: transition from state (null) to state STATE_QUICK_R1
Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: IPsec SA established {ESP=>0xb90b733d <0x3f2a507c}
Jan  3 00:49:23 vmserver l2tpd[10803]: control_finish: Connection established to 10.1.3.66, 1701.  Local: 5750, Remote: 19.  LNS session is 'default'
Jan  3 00:49:23 vmserver l2tpd[10803]: control_finish: Call established with 10.1.3.66, Local: 19609, Remote: 1, Serial: 0
Jan  3 00:49:23 vmserver pppd[11052]: no device specified and stdin is not a tty
Jan  3 00:49:23 vmserver l2tpd[10803]: network_thread: tossing read packet, error = Bad file descriptor (9).  Closing call.
Jan  3 00:49:23 vmserver l2tpd[10803]: call_close: Call 19609 to 10.1.3.66 disconnected
Jan  3 00:49:23 vmserver l2tpd[10803]: control_finish: Connection closed to 10.1.3.66, port 1701 (), Local: 5750, Remote: 19
Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: received Delete SA(0xb90b733d) payload: deleting IPSEC State #2
Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: received and ignored informational message
Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: received Delete SA payload: deleting ISAKMP State #1
Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66: deleting connection "roadwarrior-l2tp" instance with peer 10.1.3.66 {isakmp=#0/ipsec=#0}
Jan  3 00:49:24 vmserver pluto[10880]: packet from 10.1.3.66:500: received and ignored informational message


-----

It seems to me that I am missing something in my PPPD-configuration, but I don't have a clue what it is... I haven't seen anything in the samples I've traversed, or the docs I've read.


I sincerely hope someone can help, as I have now used _so_ many hours trying to get it to work on my own...

Frode Halvorsen
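As an added example (not part of Frode's post or of Openswan/l2tpd), here is a small Python checker that walks merged pluto/l2tpd/pppd syslog lines like the ones quoted above and reports the first layer of the L2TP/IPsec logon that failed, so the IKE and IPsec stages can be ruled out before looking at pppd. The sample lines are copied from the post; the MILESTONES and FAILURES marker strings are assumptions picked from those lines, not an official log grammar.

```python
import re

# Constructed sample: the merged pluto/l2tpd/pppd lines from the post above,
# trimmed to those marking progress or failure (timestamps and SPIs as posted).
SAMPLE_LOG = """\
Jan  3 00:49:22 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: sent MR3, ISAKMP SA established
Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: IPsec SA established {ESP=>0xb90b733d <0x3f2a507c}
Jan  3 00:49:23 vmserver l2tpd[10803]: control_finish: Call established with 10.1.3.66, Local: 19609, Remote: 1, Serial: 0
Jan  3 00:49:23 vmserver pppd[11052]: no device specified and stdin is not a tty
Jan  3 00:49:23 vmserver l2tpd[10803]: network_thread: tossing read packet, error = Bad file descriptor (9).  Closing call.
"""

# syslog prefix: "Mon dd HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[a-z0-9_]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Milestones of an L2TP/IPsec logon in the order they must occur: (name, daemon, marker text).
# The marker strings are assumptions taken from the posted log, not a formal log grammar.
MILESTONES = [
    ("isakmp_sa", "pluto", "ISAKMP SA established"),
    ("ipsec_sa", "pluto", "IPsec SA established"),
    ("l2tp_call", "l2tpd", "Call established with"),
]
# Messages meaning a layer gave up: (layer, daemon, marker text).
FAILURES = [
    ("ppp", "pppd", "no device specified"),
    ("l2tp", "l2tpd", "Closing call"),
]

def analyze(log_text):
    """Return (timestamp each milestone was first reached, first failure seen)."""
    reached = {name: None for name, _, _ in MILESTONES}
    first_failure = None
    # map() yields None for lines that are not in syslog shape; filter() drops them
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        prog, msg = m.group("prog"), m.group("msg")
        for name, daemon, needle in MILESTONES:
            if prog == daemon and needle in msg and reached[name] is None:
                reached[name] = m.group("ts")
        for layer, daemon, needle in FAILURES:
            if first_failure is None and prog == daemon and needle in msg:
                first_failure = (layer, msg)
    return reached, first_failure

def diagnose(log_text):
    """Name the layer to look at: the first milestone missed, else the first failure."""
    reached, failure = analyze(log_text)
    missing = [name for name, _, _ in MILESTONES if reached[name] is None]
    if missing:
        return "stalled before " + missing[0]
    return "failed at %s layer: %s" % failure if failure else "all layers up"
```

Run against the posted lines it reports the failure at the ppp layer, which matches the reading that IKE Main Mode, Quick Mode and the L2TP call all completed before pppd refused to start.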
