[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Jan 4 05:44:01 CET 2006


On Wed, 4 Jan 2006, frode at fritid.as wrote:

> Do I need a protected secret in my RSA ? (I didn't take anything out, just replaced the looong text with (data))

That's fine. But if you use authby=secret, you will need to have a secret, not a rsakey in
your ipsec.secrets.

> Since the log shows that the "roadwarrior-l2tp" - connection is the one that is used, and I get into trouble when I edit
> the ipsec.conf, I will try to stick with the one I have unless you think that's what makes the connection not work.

The name is not necessarily the one it picks. If multiple connections share the same
phase 1, the name chosen is pseudo-random, and can switch once phase 2 starts. So don't
attach too much value to the name pluto has picked for you.

> Two things to try:
>
> 1) set the ethX mtu (or maybe the vmnet interface mtu) to 1400 (assuming they are 1500).
> in options.l2tpd, set the mru/mtu options to 1200.
>
> I don't know how to do the first, but I have set the mru/mtu to 1200

ifconfig eth0 mtu 1400

> 2) try replacing l2tpd with the version from ftp.xelerance.com/xl2tpd/, or use the source
> rpm of "l2tpd" from Fedora Extras (which amounts to the same thing, except for the name)
>
> I d/l and installed this :
> Jan  3 23:21:52 vmserver perl: [RPM] l2tpd-0.69.20051030-14 installed
> Jan  3 23:21:53 vmserver perl: [RPM] l2tpd-0.69-13mdk removed

OK, looks like ours.

> 3) ensure you are using the right settings on windows. L2tp encryption MUST be set to
> optional or none, and chap must be enabled.
>
> Changed to this.
>
> 4) try upgrading to openswan-2.4.5rc1
>
> Didn't work :
> [root at vmserver openswan-2.4.5rc1]# make programs install
> make[1]: Entering directory `/root/openswan-2.4.5rc1/doc'
> cp /root/openswan-2.4.5rc1/doc/src/index.html index.html
> make[1]: Leaving directory `/root/openswan-2.4.5rc1/doc'
> make[1]: Entering directory `/root/openswan-2.4.5rc1/lib'
> make[2]: Entering directory `/root/openswan-2.4.5rc1/lib/libopenswan'
> cc -I. -I/root/openswan-2.4.5rc1/linux/net/ipsec -I/root/openswan-2.4.5rc1/linux/include -I/root/openswan-2.4.5rc1
> -DDEBUG -DWITH_UDPFROMTO -DHAVE_IP_PKTINFO -I/root/openswan-2.4.5rc1/include -g -O3 -Wall -Wpointer-arith -Wcast-qual
> -Wstrict-prototypes -Wbad-function-cast  -DX509_VERSION=\"X.509-1.5.4\" -DNAT_TRAVERSAL   -c -o pfkey_v2_parse.o
> /root/openswan-2.4.5rc1/linux/net/ipsec/pfkey_v2_parse.c
> In file included from /root/openswan-2.4.5rc1/linux/net/ipsec/pfkey_v2_parse.c:64:
> /root/openswan-2.4.5rc1/programs/pluto/defs.h:88:17: gmp.h: No such file or directory

yum install gmp-devel

or wait a few days for 2.4.5 final and we'll have some RPMs built for some distros.

> Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-l2tp"
> Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior"
> Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-all"
> Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-net"
> Jan  3 23:35:12 vmserver pluto[23683]: added connection description "roadwarrior-l2tp-updatedwin"

Again, I recommend sticking to one for now.

> Jan  3 23:35:22 vmserver pluto[23683]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: IPsec SA established {ESP=>0x745fb5bf

So the IPsec part worked.

> Jan  3 23:35:24 vmserver l2tpd[23606]: Connection established to 10.1.3.66, 1701.  Local: 30078, Remote: 29.  LNS
> session is 'default'
> Jan  3 23:35:24 vmserver pppd[23855]: The remote system is required to authenticate itself
> Jan  3 23:35:24 vmserver pppd[23855]: but I couldn't find any suitable secret (password) for it to use to do so.

Do you have any /etc/ppp/chap-secrets entries? Check the examples that came with the xl2tp
package, or Jacco's webpages.

> I have tried several different chap.secrets-configs. my latest :
> # Secrets for authentication using CHAP
> # client    server      secret                  IP addresses
> 10.1.3.66   vmserver    pwd   *
> vmserver    10.1.3.66   pwd   *
> -----

try:
vmserver           *       "mysecret"              TheIPaddressForClient
*               vmserver   "mysecret"              TheIPaddressForClient

where vmserver is the windows username for l2tp, mysecret is the password, and
TheIPaddressForClient is the IP you want to hand out to the windows client.

> Or better yet, How can I get it configured to use the linux-user/passwords ?

It is unstable. It requires recompiling openswan to support PAM.

Paul
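The chap-secrets layout Paul describes above (one line with the Windows username as client, one with it as server, the same secret on both, and the address to hand out in the last column) is easy to get subtly wrong, as the quoted config shows. The script below is an added example, not code from this thread or from the Openswan or xl2tpd projects: it parses a chap-secrets file, reports why pppd would fail to find a suitable secret for a given user, and checks that the file is not group- or world-readable (pppd warns about that). The username `vmserver` and the two sample configurations come from the mail; the address 192.0.2.10 is a placeholder.

```python
"""Sanity-check /etc/ppp/chap-secrets for an L2TP/IPsec road-warrior user (added example)."""
import os
import re
import shlex
import stat
from dataclasses import dataclass, field

# Constructed sample in the shape suggested in the mail: one line per direction,
# secret quoted, last column the address handed to the Windows client (placeholder).
GOOD_SECRETS = """\
# Secrets for authentication using CHAP
# client    server      secret                  IP addresses
vmserver    *           "mysecret"              192.0.2.10
*           vmserver    "mysecret"              192.0.2.10
"""

# The configuration quoted in the thread, for which pppd reported
# "couldn't find any suitable secret (password)".
BAD_SECRETS = """\
10.1.3.66   vmserver    pwd   *
vmserver    10.1.3.66   pwd   *
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Entry:
    client: str
    server: str
    secret: str
    addresses: list = field(default_factory=list)


def parse_chap_secrets(text):
    """Parse chap-secrets text: whitespace-separated columns client, server, secret,
    then zero or more addresses. Lines starting with '#' are comments and the secret
    may be double-quoted (shlex strips the quotes)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected client, server and secret columns")
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3:]))
    return entries


def check_l2tp_user(entries, username):
    """List the problems that would stop pppd from finding a secret for `username`,
    measured against the pairing in the mail: one line naming the user as client,
    one naming it as server, the same secret on both, and an address to hand out."""
    problems = []
    as_client = [e for e in entries if e.client == username]
    as_server = [e for e in entries if e.server == username]
    if not as_client:
        problems.append(f'missing line: {username}  *  "<secret>"  <client-ip>')
    if not as_server:
        problems.append(f'missing line: *  {username}  "<secret>"  <client-ip>')
    for e in as_client + as_server:
        peer = e.server if e.client == username else e.client
        if IPV4.match(peer):
            # pppd matches this column against a name, not an address; the mail uses "*"
            problems.append(f"{e.client} {e.server}: peer column is an IP address, not a name")
        if not e.addresses or e.addresses == ["*"]:
            problems.append(f"{e.client} {e.server}: no client IP in the address column")
    if len({e.secret for e in as_client + as_server}) > 1:
        problems.append("client and server lines carry different secrets")
    return problems


def secrets_mode_ok(st_mode):
    """True when only the file owner can access the secrets file (pppd warns otherwise)."""
    return (stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_secrets_file(path="/etc/ppp/chap-secrets", username="vmserver"):
    """Run both checks against a real file on disk (not used by the embedded samples)."""
    with open(path) as fh:
        problems = check_l2tp_user(parse_chap_secrets(fh.read()), username)
    if not secrets_mode_ok(os.stat(path).st_mode):
        problems.append(f"{path} is readable by group or others; chmod 600 it")
    return problems


if __name__ == "__main__":
    for label, text in (("suggested layout", GOOD_SECRETS), ("layout from the thread", BAD_SECRETS)):
        print(f"{label}:", check_l2tp_user(parse_chap_secrets(text), "vmserver") or "ok")
```

Run it against the two embedded samples: the suggested layout reports nothing, while the layout from the thread is flagged on both lines because the peer column holds an address where pppd expects a name and the address column is `*` rather than the IP to hand out. Point `check_secrets_file()` at a live file to also catch loose permissions on the secrets file.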

