[Openswan Users] Windows roadwarrior issues

Yiannis Mavroukakis yiannis at jaguarfreight.com
Mon Jul 17 18:20:52 CEST 2006


Hello everyone :)

I'm trying to get a Windows XP machine to connect to Openswan 2.4.5, but
I seem to be tripping myself up somewhere.

Here is the relevant part from secure:

Jul 17 16:38:00 firewall pluto[5658]: packet from 149.1.2.215:12341: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 17 16:38:00 firewall pluto[5658]: packet from 149.1.2.215:12341: ignoring Vendor ID payload [FRAGMENTATION]
Jul 17 16:38:00 firewall pluto[5658]: packet from 149.1.2.215:12341: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 17 16:38:00 firewall pluto[5658]: packet from 149.1.2.215:12341: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 17 16:38:00 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: responding to Main Mode from unknown peer 149.1.2.215
Jul 17 16:38:00 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 17 16:38:00 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=London, O=Jaguar Freight, OU=S$
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #1: deleting connection "roadwarrior-l2tp" instance with peer 149.1.2.215  {isakmp=#0/ipsec=#0}
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #1: I am sending my cert
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 17 16:38:01 firewall pluto[5658]: | NAT-T: new mapping 149.1.2.215:12341/17706)
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 17 16:38:02 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #2: responding to Quick Mode {msgid:2a81b7bc}
Jul 17 16:38:02 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 17 16:38:02 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 17 16:38:02 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 17 16:38:02 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xf46c00c7 <0xded39681 xfrm=3DES_0-HMAC_MD5 NATD=149.1.2.215:17706 DPD=none}

And this is as far as it will go. The connection doesn't proceed to
l2tpd authentication and times out.

This is my ipsec.conf:
==========================
version 2.0

config setup
 interfaces=%defaultroute
 nat_traversal=yes
 uniqueids=yes
 
 virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.5.0/24

conn %default
 keyingtries=1
 compress=yes
 disablearrivalcheck=no
 authby=rsasig
 leftrsasigkey=%cert
 rightrsasigkey=%cert

conn roadwarrior-l2tp-updatedwin
 pfs=no
 leftprotoport=17/1701
 rightprotoport=17/1701
 also=roadwarrior

conn roadwarrior-l2tp
 pfs=no
 leftprotoport=17/0
 rightprotoport=17/1701
 also=roadwarrior


conn roadwarrior
 left=%defaultroute
 leftcert=firewall.pem
 right=%any
 rightsubnet=vhost:%no,%priv
 auto=add

include /etc/ipsec.d/examples/no_oe.conf
========================

ipsec verify output:

Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5/K2.6.17.4 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]



I'm stumped... any ideas?

Note:__________________________________________________________________
This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please immediately delete it and
all copies of it from your system, destroy any hard copies of it and
notify the sender. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the
intended recipient. Jaguar Freight Services and any of its subsidiaries
each reserve the right to monitor all e-mail communications through its
networks.
Any views expressed in this message are those of the individual sender,
except where the message states otherwise and the sender is authorized
to state them to be the views of any such entity.
________________________________________________________________________
This e-mail has been scanned for all known viruses.
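An added example for reading logs like the ones in this post; it is not code from the original message or from the Openswan project. It parses responder-side pluto syslog lines, records how far IKE got (phase 1, phase 2, NAT-T detection and port float), and returns a verdict so that "IPsec is up but nothing happens" can be told apart from a failed negotiation. The sample input is a subset of the post's own log entries rejoined onto one line each (as the mail had wrapped them); all function and field names are this example's own.

```python
"""Summarise an Openswan pluto negotiation from syslog lines.

Added example for this thread, not code from the original post or from the
Openswan project. Function and field names are this example's own.
"""
import re

# Constructed sample: a subset of the post's log entries, one per line,
# with the truncated peer ID kept exactly as it was posted.
SAMPLE_LOG = """\
Jul 17 16:38:00 firewall pluto[5658]: packet from 149.1.2.215:12341: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 17 16:38:00 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: responding to Main Mode from unknown peer 149.1.2.215
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[1] 149.1.2.215 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, ST=London, O=Jaguar Freight, OU=S$
Jul 17 16:38:01 firewall pluto[5658]: | NAT-T: new mapping 149.1.2.215:12341/17706)
Jul 17 16:38:01 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 17 16:38:02 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #2: responding to Quick Mode {msgid:2a81b7bc}
Jul 17 16:38:02 firewall pluto[5658]: "roadwarrior-l2tp"[2] 149.1.2.215 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xf46c00c7 <0xded39681 xfrm=3DES_0-HMAC_MD5 NATD=149.1.2.215:17706 DPD=none}
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<rest>.*)$")
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
NATT_MAP_RE = re.compile(r"NAT-T: new mapping (?P<ip>[\d.]+):(?P<old>\d+)/(?P<new>\d+)")
PARAMS_RE = re.compile(r"(\w+)=([^\s{}]+)")          # key=value pairs inside {...}
SPI_RE = re.compile(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")  # outbound / inbound SPI


def parse_line(raw):
    """Split one syslog line into its pluto fields; None if not a pluto line."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "kind": "other", "msg": rest}
    if rest.startswith("| "):                 # plutodebug output
        rec.update(kind="debug", msg=rest[2:])
        return rec
    c = CONN_RE.match(rest)
    if c:                                     # message tied to a conn instance / SA
        rec.update(kind="conn", msg=c.group("msg"), conn=c.group("conn"),
                   peer=c.group("peer"), sa=int(c.group("sa")))
    return rec


def summarize(log_text):
    """Collapse a negotiation into the facts that matter for triage."""
    s = {"conn": None, "peer": None, "peer_id": None, "nat_detected": False,
         "nat_mapping": None, "isakmp_sa": None, "ipsec_sa": None}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["kind"] == "debug":
            m = NATT_MAP_RE.search(msg)
            if m:  # client's IKE source port floated (UDP 4500 encapsulation)
                s["nat_mapping"] = (m.group("ip"), int(m.group("old")), int(m.group("new")))
            continue
        if rec["kind"] != "conn":
            continue
        s["conn"], s["peer"] = rec["conn"], rec["peer"]
        if "peer is NATed" in msg:
            s["nat_detected"] = True
        m = re.search(r"peer ID is (\S+): '(.*)", msg)
        if m:
            s["peer_id"] = (m.group(1), m.group(2))
        brace = re.search(r"\{(.*)\}", msg)
        params = dict(PARAMS_RE.findall(brace.group(1))) if brace else {}
        if "ISAKMP SA established" in msg:    # phase 1 complete
            s["isakmp_sa"] = params
        elif "IPsec SA established" in msg:   # phase 2 complete
            params.pop("ESP", None)           # "ESP=>spi <spi" is parsed separately
            spi = SPI_RE.search(msg)
            if spi:
                params["spi_out"], params["spi_in"] = spi.groups()
            s["ipsec_sa"] = params
    return s


def diagnose(s):
    """Return (verdict, checks) telling the operator where to look next."""
    if s["isakmp_sa"] is None:
        return "ike-phase1-incomplete", ["No ISAKMP SA: check certificates, IDs and the Main Mode proposal."]
    if s["ipsec_sa"] is None:
        return "ike-phase2-incomplete", ["Quick Mode did not finish: check the conn's subnet and protoport selectors."]
    ipsec = s["ipsec_sa"]
    checks = ["IKE phase 1 and phase 2 both completed (ESP %s/%s, %s); the fault is above IPsec."
              % (ipsec.get("spi_out"), ipsec.get("spi_in"), ipsec.get("xfrm")),
              "Capture UDP/1701 on the server: does the client's L2TP request arrive, and does l2tpd answer?"]
    if s["nat_detected"]:
        checks.append("Peer is NATed (IKE/ESP now arrive from %s): check that the conn's protoport "
                      "selector matches the L2TP source port the client actually uses." % ipsec.get("NATD"))
    return "ipsec-sa-up", checks


if __name__ == "__main__":
    verdict, checks = diagnose(summarize(SAMPLE_LOG))
    print(verdict)
    for c in checks:
        print(" -", c)
```

Run on the post's log it reports `ipsec-sa-up`: both SAs are established and the client has floated to 149.1.2.215:17706, so IKE is not the problem and the next thing to confirm is whether L2TP traffic on UDP 1701 ever reaches, and is answered by, l2tpd behind the transport-mode SA.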

