[Openswan Users]
Mike Rothon
mike.rothon at certisa.com
Tue Jan 31 00:45:28 CET 2006
Thanks for the tips.
I have upgraded to 2.4.4 and patched it for NAT-T as you described.
Jan 31 00:27:48 linux pluto[630]: Setting NAT-Traversal port-4500 floating to on
Jan 31 00:27:48 linux pluto[630]: port floating activation criteria nat_t=1/port_fload=1
Jan 31 00:27:48 linux pluto[630]: including NAT-Traversal patch (Version 0.6c)
Jan 31 00:27:48 linux pluto[630]: | opening /dev/urandom
Jan 31 00:27:48 linux pluto[630]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Jan 31 00:27:48 linux pluto[630]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Jan 31 00:27:48 linux pluto[630]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 31 00:27:48 linux pluto[630]: starting up 1 cryptographic helpers
Jan 31 00:27:48 linux pluto[643]: | opening /dev/urandom
Jan 31 00:27:48 linux pluto[630]: started helper pid=643 (fd:6)
Jan 31 00:27:48 linux pluto[630]: | process 630 listening for PF_KEY_V2 on file descriptor 7
Jan 31 00:27:48 linux pluto[630]: Using Linux 2.6 IPsec interface code on 2.6.8-24.19-smp
Also added the leftnexthop and configured virtual_private:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.2.0/24,%v4:!192.168.1.0/24
and
conn L2TP-PSK
authby=secret
pfs=no
rekey=no
keyingtries=3
left=192.168.1.100
leftnexthop=192.168.1.1
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%no,%priv
auto=add
Alas it makes no difference :(
I turned the debugging up to "all" and this is the extra bit of information:
Jan 31 00:27:56 linux pluto[630]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Jan 31 00:27:56 linux pluto[630]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 31 00:27:56 linux pluto[630]: | modecfg pull: noquirk policy:push not-client
Jan 31 00:27:56 linux pluto[630]: | phase 1 is done, looking for phase 1 to unpend
Jan 31 00:27:56 linux pluto[630]: | next event EVENT_RETRANSMIT in 10 seconds for #1
...then nothing happens for 10 seconds before a retry, and eventual failure.
Jacco de Leeuw wrote:
> Mike Rothon wrote:
>
>> Openswan 2.3.0
>
> You may need to upgrade because there were a lot of NAT-T fixes in 2.4.x.
>
>> conn L2TP-PSK
>> authby=secret
>> pfs=no
>> rekey=no
>> keyingtries=3
>> left=192.168.1.101
>> leftprotoport=17/1701
>
> You may need leftnexthop=192.168.1.x (the internal IP address
> of your DLink ADSL Router).
>
>> Finally I have patched the WinXP SP2 client as discussed elsewhere.
>
> There is also a patch for Openswan if the server is NATed in transport
> mode.
> This has not been resolved in 2.4.5, if I'm correct:
> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
>
>
> Is there anything silly in the L2TP logs like an incorrect password which
> causes the server to disconnect?
>
> Jacco
More information about the Users
mailing list