[Openswan Users] Re: Openswan, WinXP NAT-T and PSK sticks at STATE_MAIN_R1 to STATE_MAIN_R2

Mike Rothon mike.rothon at certisa.com
Tue Jan 31 01:00:03 CET 2006 

Thanks for the tips.

I have upgraded to 2.4.4 and patched it for NAT-T as you described.

Jan 31 00:27:48 linux pluto[630]: Setting NAT-Traversal port-4500 
floating to on
Jan 31 00:27:48 linux pluto[630]:    port floating activation criteria 
nat_t=1/port_fload=1
Jan 31 00:27:48 linux pluto[630]:   including NAT-Traversal patch 
(Version 0.6c)
Jan 31 00:27:48 linux pluto[630]: | opening /dev/urandom
Jan 31 00:27:48 linux pluto[630]: | inserting event EVENT_REINIT_SECRET, 
timeout in 3600 seconds
Jan 31 00:27:48 linux pluto[630]: | inserting event 
EVENT_PENDING_PHASE2, timeout in 120 seconds
Jan 31 00:27:48 linux pluto[630]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Jan 31 00:27:48 linux pluto[630]: starting up 1 cryptographic helpers
Jan 31 00:27:48 linux pluto[643]: | opening /dev/urandom
Jan 31 00:27:48 linux pluto[630]: started helper pid=643 (fd:6)
Jan 31 00:27:48 linux pluto[630]: | process 630 listening for PF_KEY_V2 
on file descriptor 7
Jan 31 00:27:48 linux pluto[630]: Using Linux 2.6 IPsec interface code 
on 2.6.8-24.19-smp

Also added the leftnexthop and configured virtual_private:

 
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.2.0/24,%v4:!192.168.1.0/24

and

conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=192.168.1.100
        leftnexthop=192.168.1.1
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        auto=add

Alas it makes no difference :(

I turned the debugging up to "all" and this is the extra bit of information:

Jan 31 00:27:56 linux pluto[630]: | inserting event EVENT_RETRANSMIT, 
timeout in 10 seconds for #1
Jan 31 00:27:56 linux pluto[630]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: 
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 31 00:27:56 linux pluto[630]: | modecfg pull: noquirk policy:push 
not-client
Jan 31 00:27:56 linux pluto[630]: | phase 1 is done, looking for phase 1 
to unpend
Jan 31 00:27:56 linux pluto[630]: | next event EVENT_RETRANSMIT in 10 
seconds for #1

...then nothing happens for 10 seconds before a retry, and eventual failure.


Jacco de Leeuw wrote:
> Mike Rothon wrote:
>
>> Openswan 2.3.0
>
> You may need to upgrade because there were a lot of NAT-T fixes in 2.4.x.
>
>> conn L2TP-PSK
>>        authby=secret
>>        pfs=no
>>        rekey=no
>>        keyingtries=3
>>        left=192.168.1.101
>>        leftprotoport=17/1701
>
> You may need leftnexthop=192.168.1.x (the internal IP address
> of your DLink ADSL Router).
>
>> Finally I have patched the WinXP SP2 client as discussed elsewhere.
>
> There is also a patch for Openswan if the server is NATed in transport 
> mode.
> This has not been resolved in 2.4.5, if I'm correct:
> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch 
>
>
> Is there anything silly in the L2TP logs like an incorrect password which
> causes the server to disconnect?
>
> Jacco

More information about the Users mailing list