[Openswan Users]

frode at fritid.as
Wed Jan 4 01:07:43 CET 2006


Hello again.

Thanks a lot for the suggestions so far. I believe I have come a bit further.

Do I need a protected secret in my RSA? (I didn't take anything out, just replaced the long text with (data))

Since the log shows that the "roadwarrior-l2tp" connection is the one that is used, and I get into trouble when I edit
the ipsec.conf, I will try to stick with the one I have unless you think that's what makes the connection not work.


Two things to try:

1) set the ethX mtu (or maybe the vmnet interface mtu) to 1400 (assuming they are 1500).
in options.l2tpd, set the mru/mtu options to 1200.

I don't know how to do the first, but I have set the mru/mtu to 1200

2) try replacing l2tpd with the version from ftp.xelerance.com/xl2tpd/, or use the source
rpm of "l2tpd" from Fedora Extras (which amounts to the same thing, except for the name)

I downloaded and installed this:
Jan  3 23:21:52 vmserver perl: [RPM] l2tpd-0.69.20051030-14 installed
Jan  3 23:21:53 vmserver perl: [RPM] l2tpd-0.69-13mdk removed


3) ensure you are using the right settings on Windows. L2TP encryption MUST be set to
optional or none, and CHAP must be enabled.

Changed to this.

4) try upgrading to openswan-2.4.5rc1

Didn't work:
[root at vmserver openswan-2.4.5rc1]# make programs install
make[1]: Entering directory `/root/openswan-2.4.5rc1/doc'
cp /root/openswan-2.4.5rc1/doc/src/index.html index.html
make[1]: Leaving directory `/root/openswan-2.4.5rc1/doc'
make[1]: Entering directory `/root/openswan-2.4.5rc1/lib'
make[2]: Entering directory `/root/openswan-2.4.5rc1/lib/libopenswan'
cc -I. -I/root/openswan-2.4.5rc1/linux/net/ipsec -I/root/openswan-2.4.5rc1/linux/include -I/root/openswan-2.4.5rc1
-DDEBUG -DWITH_UDPFROMTO -DHAVE_IP_PKTINFO -I/root/openswan-2.4.5rc1/include -g -O3 -Wall -Wpointer-arith -Wcast-qual
-Wstrict-prototypes -Wbad-function-cast  -DX509_VERSION=\"X.509-1.5.4\" -DNAT_TRAVERSAL   -c -o pfkey_v2_parse.o
/root/openswan-2.4.5rc1/linux/net/ipsec/pfkey_v2_parse.c
In file included from /root/openswan-2.4.5rc1/linux/net/ipsec/pfkey_v2_parse.c:64:
/root/openswan-2.4.5rc1/programs/pluto/defs.h:88:17: gmp.h: No such file or directory
In file included from /root/openswan-2.4.5rc1/linux/net/ipsec/pfkey_v2_parse.c:64:
/root/openswan-2.4.5rc1/programs/pluto/defs.h:90: error: syntax error before '*' token
/root/openswan-2.4.5rc1/programs/pluto/defs.h:90: warning: function declaration isn't a prototype
/root/openswan-2.4.5rc1/programs/pluto/defs.h:91: warning: type defaults to `int' in declaration of `MP_INT'
/root/openswan-2.4.5rc1/programs/pluto/defs.h:91: error: syntax error before '*' token
/root/openswan-2.4.5rc1/programs/pluto/defs.h:91: warning: function declaration isn't a prototype
make[2]: *** [pfkey_v2_parse.o] Error 1
make[2]: Leaving directory `/root/openswan-2.4.5rc1/lib/libopenswan'
make[1]: *** [programs] Error 1
make[1]: Leaving directory `/root/openswan-2.4.5rc1/lib'
make: *** [programs] Error 1

5) check the windows event logs for any clues.

Nothing.

Paul

----

But now, when I start the services and connect:

[root at vmserver openswan-2.4.5rc1]# service l2tpd start
Starting l2tpd:                                                 [  OK  ]
[root at vmserver openswan-2.4.5rc1]# Jan  3 23:35:04 vmserver l2tpd[23605]: This binary does not support kernel L2TP.
Jan  3 23:35:04 vmserver l2tpd[23606]: l2tpd version 0.69-FedoraExtra started on vmserver.mazeppa.no PID:23606
Jan  3 23:35:04 vmserver l2tpd[23606]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan  3 23:35:04 vmserver l2tpd[23606]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan  3 23:35:04 vmserver l2tpd[23606]: Inherited by Jeff McAdams, (C) 2002
Jan  3 23:35:04 vmserver l2tpd[23606]: Listening on IP address 0.0.0.0, port 1701
Jan  3 23:35:04 vmserver l2tpd: l2tpd startup succeeded
service ipsec start
ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.8.1-12mdksmp...
[root at vmserver openswan-2.4.5rc1]# Jan  3 23:35:11 vmserver ipsec_setup: KLIPS ipsec0 on eth0 10.1.3.199/255.255.255.0
broadcast 10.1.3.255 mtu 1410
Jan  3 23:35:11 vmserver ipsec_setup: ...Openswan IPsec started
Jan  3 23:35:11 vmserver ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.8.1-12mdksmp...
Jan  3 23:34:53 vmserver pluto[21717]: shutting down interface vmnet8/vmnet8 192.168.5.1
Jan  3 23:35:11 vmserver ipsec__plutorun: Starting Pluto subsystem...
Jan  3 23:35:11 vmserver pluto[23683]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan  3 23:35:11 vmserver pluto[23683]:   including NAT-Traversal patch (Version 0.6c)
Jan  3 23:35:11 vmserver pluto[23683]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  3 23:35:11 vmserver pluto[23683]: Using Linux 2.6 IPsec interface code
Jan  3 23:35:11 vmserver pluto[23683]: Could not change to directory '/etc/openswan/ipsec.d/cacerts'
Jan  3 23:35:11 vmserver pluto[23683]: Could not change to directory '/etc/openswan/ipsec.d/aacerts'
Jan  3 23:35:11 vmserver pluto[23683]: Could not change to directory '/etc/openswan/ipsec.d/ocspcerts'
Jan  3 23:35:11 vmserver pluto[23683]: Could not change to directory '/etc/openswan/ipsec.d/crls'
Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-l2tp"
Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior"
Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-all"
Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-net"
Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-l2tp-updatedwin"
Jan  3 23:35:12 vmserver pluto[23683]: listening for IKE messages
Jan  3 23:35:12 vmserver pluto[23683]: adding interface vmnet8/vmnet8 192.168.5.1
Jan  3 23:35:12 vmserver pluto[23683]: adding interface vmnet8/vmnet8 192.168.5.1:4500
Jan  3 23:35:12 vmserver pluto[23683]: adding interface vmnet1/vmnet1 172.16.135.1
Jan  3 23:35:12 vmserver pluto[23683]: adding interface vmnet1/vmnet1 172.16.135.1:4500
Jan  3 23:35:12 vmserver pluto[23683]: adding interface eth0/eth0 10.1.3.199
Jan  3 23:35:12 vmserver pluto[23683]: adding interface eth0/eth0 10.1.3.199:4500
Jan  3 23:35:12 vmserver pluto[23683]: adding interface lo/lo 127.0.0.1
Jan  3 23:35:12 vmserver pluto[23683]: adding interface lo/lo 127.0.0.1:4500
Jan  3 23:35:12 vmserver pluto[23683]: adding interface lo/lo ::1
Jan  3 23:35:12 vmserver pluto[23683]: loading secrets from "/etc/openswan/ipsec.secrets"

[root at vmserver openswan-2.4.5rc1]# Jan  3 23:35:22 vmserver pluto[23683]: packet from 10.1.3.66:500: ignoring Vendor ID
payload [MS NT5 ISAKMPOAKLEY 00000003]
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: responding to Main Mode from unknown peer
10.1.3.66
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: transition from state (null) to state
STATE_MAIN_R1
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: Peer ID is ID_IPV4_ADDR: '10.1.3.66'
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: I did not send a certificate because I do not
have one.
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: sent MR3, ISAKMP SA established
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: responding to Quick Mode
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: transition from state (null) to state
STATE_QUICK_R1
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: IPsec SA established {ESP=>0x745fb5bf
<0xb553f637}
Jan  3 23:35:24 vmserver l2tpd[23606]: Connection established to 10.1.3.66, 1701.  Local: 30078, Remote: 29.  LNS
session is 'default'
Jan  3 23:35:24 vmserver pppd[23855]: The remote system is required to authenticate itself
Jan  3 23:35:24 vmserver pppd[23855]: but I couldn't find any suitable secret (password) for it to use to do so.
Jan  3 23:35:24 vmserver l2tpd[23606]: Call established with 10.1.3.66, Local: 41945, Remote: 1, Serial: 0
Jan  3 23:36:01 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: received Delete SA(0x745fb5bf) payload:
deleting IPSEC State #2
Jan  3 23:36:01 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: received and ignored informational message
Jan  3 23:36:01 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #1: received Delete SA payload: deleting ISAKMP
State #1
Jan  3 23:36:01 vmserver l2tpd[23606]: control_finish: Connection closed to 10.1.3.66, serial 0 ()
Jan  3 23:36:01 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66: deleting connection "roadwarrior-l2tp" instance
with peer 10.1.3.66 {isakmp=#0/ipsec=#0}
Jan  3 23:36:01 vmserver pluto[23683]: packet from 10.1.3.66:500: received and ignored informational message

----

So now my problem seems to be my password-files.

I have tried several different chap-secrets configs. My latest:
# Secrets for authentication using CHAP
# client: the name the peer presents in CHAP; server: the name pppd uses for
# itself (the "name" option in the pppd options file, else the local hostname)
# client    server      secret                  IP addresses
10.1.3.66   vmserver    pwd   *
vmserver    10.1.3.66   pwd   *
-----
Do you have any working samples for this?

Or better yet, how can I get it configured to use the Linux user accounts/passwords?
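As an added illustration (not part of the post above, and not pppd's own code), here is a small Python model of how pppd picks a line from chap-secrets for a given peer name and local name, which is what the "couldn't find any suitable secret" message is about. The posted file keys the client column on an IP address, but CHAP carries a name, so a line keyed on 10.1.3.66 can only match a peer whose CHAP name is literally that string. The names "frode" and "vmserver.mazeppa.no" are placeholders: "frode" stands for whatever user name the Windows client sends, and "vmserver.mazeppa.no" for what pppd's `name` option (or, failing that, the hostname) might resolve to. The scoring of exact matches over wildcards is a simplification of pppd's lookup, not a copy of it.

```python
"""Model of pppd's chap-secrets lookup: which line matches (client, server)?"""
import shlex
from typing import Optional

# Constructed copy of the chap-secrets file from the post above.
POSTED_CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client    server      secret                  IP addresses
10.1.3.66   vmserver    pwd   *
vmserver    10.1.3.66   pwd   *
"""

# Hypothetical corrected file.  The client column carries the name the
# Windows client sends in CHAP (placeholder "frode"); the server column
# carries the name pppd uses for itself ("name" option, else hostname).
# The second line is a wildcard fallback that matches any local name.
FIXED_CHAP_SECRETS = """\
# client    server      secret        IP addresses
frode       vmserver    "pwd"         *
frode       *           "fallback"    *
"""

# Exact matches beat wildcards; an exact client match outranks an exact
# server match.  Approximation of pppd's preference order, not its code.
NONWILD_SERVER = 1
NONWILD_CLIENT = 2


def find_secret(chap_secrets: str, client: str, server: str) -> Optional[str]:
    """Return the best-matching secret for (client, server), or None.

    A line matches when its client and server words are each either "*"
    or equal to the name given.  Among matching lines the one with the
    fewest wildcards wins.  Lines beginning with '#' are comments, and
    words may be double-quoted (needed for secrets containing spaces).
    """
    best_secret = None
    best_score = -1
    for raw in chap_secrets.splitlines():
        try:
            words = shlex.split(raw, comments=True)
        except ValueError:
            continue                      # unbalanced quote: skip the line
        if len(words) < 3:
            continue                      # blank, comment or malformed line
        line_client, line_server, secret = words[0], words[1], words[2]
        score = 0
        if line_client != "*":
            if line_client != client:
                continue
            score |= NONWILD_CLIENT
        if line_server != "*":
            if line_server != server:
                continue
            score |= NONWILD_SERVER
        if score > best_score:
            best_score, best_secret = score, secret
    return best_secret


def explain(chap_secrets: str, client: str, server: str) -> str:
    """One-line verdict in the spirit of pppd's log message (never prints the secret)."""
    secret = find_secret(chap_secrets, client, server)
    if secret is None:
        return (f"peer {client!r} -> server {server!r}: no suitable secret; "
                f"pppd would log \"couldn't find any suitable secret\"")
    return f"peer {client!r} -> server {server!r}: secret found ({len(secret)} chars)"


if __name__ == "__main__":
    # Posted file: a user logging in as "frode" matches nothing.
    print(explain(POSTED_CHAP_SECRETS, "frode", "vmserver"))
    # Posted file only works if the peer's CHAP name were literally its IP.
    print(explain(POSTED_CHAP_SECRETS, "10.1.3.66", "vmserver"))
    # Fixed file: exact line wins when pppd calls itself "vmserver" ...
    print(explain(FIXED_CHAP_SECRETS, "frode", "vmserver"))
    # ... and the wildcard fallback catches an FQDN local name.
    print(explain(FIXED_CHAP_SECRETS, "frode", "vmserver.mazeppa.no"))
```

The practical check this suggests: compare the client column against the user name the Windows client actually types, and the server column against the `name` option in the pppd options file that l2tpd points at (or pin the server column to `*` while debugging, then tighten it once the tunnel works).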
