[Openswan Users] linux box <> WinXP/SP2 problem (NAT-T, LTPD)

Radek Antoniuk R.Antoniuk at pixel.com.pl
Fri Jan 13 11:40:25 CET 2006


Hello,

I have a problem with setting up a certificate tunnel with Openswan (2.4.5 
dr3 & 2.6.15) with MS WinXP/SP2.
I have read the instructions at 
http://www.natecarlson.com/linux/ipsec-x509.php and I think it is a 
certificate problem, but I'm not sure in fact.

I have made and signed both of the certificates, but openswan seems not 
to like the one presented by WinXP.

And an additional question. What L2TPD do you use? Because the www.ltpd.org 
site is now down.
I have switched to rp-l2tp-0.4. Any other useful daemons? Does anybody 
have a working example with this daemon? (NAT-T is required)

And the last question. Is there any native method of authentication with 
One Time Passwords like PSKs? Or only by using some 'external' ideas 
like RADIUS or something?

In short, what I have:

my ipsec.conf:
version 2

conn l2tp-X.509
         authby=rsasig
         pfs=no
         auto=add
         rekey=no
         left=%defaultroute
         leftrsasigkey=%cert
         leftcert=/etc/ipsec.d/certs/gate.cert
         leftprotoport=17/1701
         right=%any
         rightca=%same
         rightrsasigkey=%cert
         rightprotoport=17/1701
         rightsubnet=vhost:%priv,%no

include /etc/ipsec.d/examples/no_oe.conf

.:
total 32
drwxr-xr-x  2 root root 4096 2006-01-09 22:27 aacerts
drwxr-xr-x  2 root root 4096 2006-01-12 02:54 cacerts
drwxr-xr-x  2 root root 4096 2006-01-12 02:55 certs
drwxr-xr-x  2 root root 4096 2006-01-09 22:27 crls
drwxr-xr-x  2 root root 4096 2006-01-09 22:27 examples
drwxr-xr-x  2 root root 4096 2006-01-09 22:27 ocspcerts
drwxr-xr-x  2 root root 4096 2006-01-09 22:27 policies
drwx------  2 root root 4096 2006-01-12 02:55 private

./aacerts:
total 0

./cacerts:
total 4
-rw-r--r--  1 root root 3101 2006-01-12 02:50 cacert.pem

./certs:
total 4
-rw-r--r--  1 root root 3169 2006-01-12 02:51 gate.cert

./crls:
total 0

./examples:
total 20
-rwxr-xr-x  1 root root 957 2006-01-09 22:27 l2tp-cert.conf
-rwxr-xr-x  1 root root 892 2006-01-09 22:27 l2tp-cert-orgWIN2KXP.conf
-rwxr-xr-x  1 root root 825 2006-01-09 22:27 l2tp-psk.conf
-rwxr-xr-x  1 root root 803 2006-01-09 22:27 l2tp-psk-orgWIN2KXP.conf
-rwxr-xr-x  1 root root 397 2006-01-09 22:27 no_oe.conf

./ocspcerts:
total 0

./policies:
total 20
-rwxr-xr-x  1 root root 235 2006-01-09 22:27 block
-rwxr-xr-x  1 root root 240 2006-01-09 22:27 clear
-rwxr-xr-x  1 root root 357 2006-01-09 22:27 clear-or-private
-rwxr-xr-x  1 root root 252 2006-01-09 22:27 private
-rwxr-xr-x  1 root root 512 2006-01-09 22:27 private-or-clear

./private:
total 4
-rw-r--r--  1 root root 963 2006-01-12 02:51 gate.key


auth.log:

Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, 
but port floating is off
Jan 12 03:21:34 fufu pluto[6533]: packet from 193.16.255.138:500: 
ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
responding to Main Mode from unknown peer 193.16.255.138
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
next payload type of ISAKMP Hash Payload has an unknown value: 239
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
malformed payload in packet
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
sending notification PAYLOAD_MALFORMED to 193.16.255.138:500
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
byte 2 of ISAKMP Hash Payload must be zero, but is not
Jan 12 03:21:34 fufu pluto[6533]: "l2tp-X.509"[4] 193.16.255.138 #16: 
malformed payload in packet


Thank you in advance,
Radek
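To make the two pluto complaints in the log concrete ("next payload type of ISAKMP Hash Payload has an unknown value: 239" and "byte 2 of ISAKMP Hash Payload must be zero, but is not"), here is an added Python example, not Openswan code, that walks a chain of RFC 2408 generic payload headers and applies the same sanity checks pluto does. The packet bytes are constructed: a clean ID+Hash chain (the ID carries the peer address from the log), and two copies corrupted in the Hash header so each check fires.

```python
import struct

# ISAKMP payload type numbers from RFC 2408 section 3.1 (subset); 0 ends the chain.
PAYLOAD_TYPES = {0: "None", 1: "SA", 4: "Key Exchange", 5: "Identification",
                 6: "Certificate", 8: "Hash", 9: "Signature", 10: "Nonce",
                 11: "Notification", 13: "Vendor ID"}


def build_chain(payloads):
    """Constructed test input: encode [(type, data), ...] as chained generic headers.
    Each header is: next payload (1 byte), RESERVED (1 byte, zero), length (2 bytes, incl. header)."""
    body = b""
    for i, (ptype, pdata) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pdata)) + pdata
    return payloads[0][0], body


def parse_payload_chain(first_payload, body):
    """Walk the payload chain starting with the type given in the ISAKMP header.
    Returns (parsed payloads, errors); stops at the first error, as pluto does."""
    payloads, errors = [], []
    ptype, off = first_payload, 0
    while ptype != 0:
        name = PAYLOAD_TYPES.get(ptype, f"type {ptype}")
        if off + 4 > len(body):
            errors.append(f"ISAKMP {name} Payload header truncated")
            break
        nxt, reserved, length = struct.unpack("!BBH", body[off:off + 4])
        if nxt not in PAYLOAD_TYPES:
            errors.append(f"next payload type of ISAKMP {name} Payload has an unknown value: {nxt}")
            break
        if reserved != 0:
            errors.append(f"byte 2 of ISAKMP {name} Payload must be zero, but is not")
            break
        if length < 4 or off + length > len(body):
            errors.append(f"ISAKMP {name} Payload length {length} does not fit in packet")
            break
        payloads.append((name, body[off + 4:off + length]))
        off, ptype = off + length, nxt
    return payloads, errors


# Constructed samples: ID payload (IPv4 address 193.16.255.138) followed by a 16-byte hash.
GOOD_FIRST, GOOD_BODY = build_chain([(5, b"\x01\x00\x00\x00\xc1\x10\xff\x8a"), (8, b"\xaa" * 16)])
BAD_NEXT_BODY = bytes(GOOD_BODY[:12]) + b"\xef" + GOOD_BODY[13:]      # Hash "next payload" = 239
BAD_RESERVED_BODY = bytes(GOOD_BODY[:13]) + b"\x01" + GOOD_BODY[14:]  # Hash RESERVED byte nonzero
```

Garbage in these header fields is what pluto reports as "malformed payload in packet" before it replies with PAYLOAD_MALFORMED, so the checks above are the ones to keep in mind when reading such log lines.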


