[Openswan Users]
Openswan -- virtual network interface eth0:1 traffic escapes ESP, times out
Alan Peery
peery at io.com
Thu Jun 1 10:12:30 CEST 2006
I have a mostly working installation of openswan that I am trying to
extend in what I thought was a straightforward way, but my extension is
not working.
What's working:
* remote VPN login from multiple locations simultaneously
* tunnelled traffic emerging into the right networks
* Win2k clients with certificates, being forced to give CHAP passwords
What's not:
* multiple simultaneous users behind a specific NAT firewall
* first user gets in
* later users do not
* It is unknown whether IPsec passthrough is enabled on this
particular router, and we are unable to change it in any case.
* It is desired that groups of users be able to connect through
any arbitrary router, for instance from a conference site.
Since we are likely to only have two or three people at any one site, it
seemed a straightforward extension to add a couple of virtual network
interfaces to the machine and have the users spread their connections
across them. When I do this, the main interface continues to work as
before, but attempts to connect to the eth0:1 interface fail, as in the
second packet trace. For whatever reason, the L2TP traffic is not being
encapsulated in ESP packets as expected.
Is trying to use virtual interfaces in this way unworkable, or am I just
missing a bit of configuration? Or should I be updating the entire setup,
which implies a lot of work...
Versions:
* OS: Mandrake 9.2
* OpenSwan IPsec U2.2.0/K2.6.9
* l2tpd version 0.69 by Mark Spencer, Adtran
Successful trace to real interface eth0 -- ip 1.2.3.35
18:06:51.834064 1.2.3.38.isakmp > vpnbox.company.com.isakmp: isakmp: phase 1 I ident
18:06:51.835127 vpnbox.company.com.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident (DF)
18:06:52.721613 1.2.3.38.isakmp > vpnbox.company.com.isakmp: isakmp: phase 1 I ident
18:06:52.822898 vpnbox.company.com.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident (DF)
18:06:53.169941 1.2.3.38.isakmp > vpnbox.company.com.isakmp: isakmp: phase 1 I ident[E]
18:06:53.200947 vpnbox.company.com.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident[E] (DF)
18:06:53.214623 1.2.3.38.isakmp > vpnbox.company.com.isakmp: isakmp: phase 2/others I oakley-quick[E]
18:06:53.225275 vpnbox.company.com.isakmp > 1.2.3.38.isakmp: isakmp: phase 2/others R oakley-quick[E] (DF)
18:06:53.228582 1.2.3.38.isakmp > vpnbox.company.com.isakmp: isakmp: phase 2/others I oakley-quick[E]
18:06:53.232738 1.2.3.38 > vpnbox.company.com: ESP(spi=0x61b5ea99,seq=0x1)
18:06:53.699734 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](33/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:06:54.227991 1.2.3.38 > vpnbox.company.com: ESP(spi=0x61b5ea99,seq=0x2)
18:06:54.230009 vpnbox.company.com > 1.2.3.38: ESP(spi=0xf8f2c073,seq=0x1) (DF)
18:06:54.700594 vpnbox.company.com > 1.2.3.38: ESP(spi=0xf8f2c073,seq=0x2) (DF)
18:06:54.702270 1.2.3.38 > vpnbox.company.com: ESP(spi=0x61b5ea99,seq=0x3)
18:06:54.702722 1.2.3.38 > vpnbox.company.com: ESP(spi=0x61b5ea99,seq=0x4)
Unsuccessful trace to virtual interface eth0:1 -- ip 1.2.3.36 -- client times out and then retries
18:08:47.455232 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 1 I ident
18:08:47.456214 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident (DF)
18:08:48.342396 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 1 I ident
18:08:48.443297 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident (DF)
18:08:48.787310 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 1 I ident[E]
18:08:48.818202 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident[E] (DF)
18:08:48.830127 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 2/others I oakley-quick[E]
18:08:48.840775 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 2/others R oakley-quick[E] (DF)
18:08:48.844180 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 2/others I oakley-quick[E]
18:08:48.848151 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x1)
18:08:49.360605 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:08:49.841280 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x2)
18:08:49.843203 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 ZLB (DF)
18:08:50.361403 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:08:51.362342 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:08:51.844124 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x3)
18:08:51.845418 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 ZLB (DF)
18:08:52.362381 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:08:52.455261 arp who-has 1.2.3.38 tell vpnbox.company.com
18:08:52.456155 arp reply 1.2.3.38 is-at 0:b:db:a0:d8:c8
18:08:53.363228 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:08:54.363711 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(16614) *RESULT_CODE(1/0 Timeout) (DF)
18:08:55.364080 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(16614) *RESULT_CODE(1/0 Timeout) (DF)
18:08:55.850091 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x4)
18:08:55.852041 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 ZLB (DF)
18:08:56.364077 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(16614) *RESULT_CODE(1/0 Timeout) (DF)
18:08:57.364921 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(16614) *RESULT_CODE(1/0 Timeout) (DF)
18:08:58.365839 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(16614) *RESULT_CODE(1/0 Timeout) (DF)
18:09:03.852065 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x5)
18:09:03.853220 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:09:04.853406 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:09:05.854378 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:09:06.854364 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:09:07.855178 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:09:08.856371 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(52603) *RESULT_CODE(1/0 Timeout) (DF)
18:09:09.857043 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(52603) *RESULT_CODE(1/0 Timeout) (DF)
18:09:10.857981 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(52603) *RESULT_CODE(1/0 Timeout) (DF)
18:09:11.858929 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(52603) *RESULT_CODE(1/0 Timeout) (DF)
18:09:12.859823 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(52603) *RESULT_CODE(1/0 Timeout) (DF)
18:09:13.857048 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x6)
18:09:13.858167 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](34/0)Ns=0,Nr=1 ZLB (DF)
18:09:23.919376 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 2/others I inf[E]
18:09:23.920115 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 2/others R inf[E] (DF)
18:09:23.932503 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 2/others I inf[E]
18:09:23.958766 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 2/others R inf[E] (DF)
18:09:28.919669 arp who-has 1.2.3.38 tell vpnbox.company.com
18:09:28.920668 arp reply 1.2.3.38 is-at 0:b:db:a0:d8:c8
18:10:24.324645 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 1 I ident
18:10:24.325413 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident (DF)
18:10:25.207909 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 1 I ident
18:10:25.321982 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident (DF)
18:10:25.664256 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 1 I ident[E]
18:10:25.698234 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident[E] (DF)
18:10:25.712283 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 2/others I oakley-quick[E]
18:10:25.723289 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 2/others R oakley-quick[E] (DF)
18:10:25.727292 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 2/others I oakley-quick[E]
18:10:25.731052 1.2.3.38 > 1.2.3.36: ESP(spi=0x1429128e,seq=0x1)
18:10:26.233148 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:10:26.726150 1.2.3.38 > 1.2.3.36: ESP(spi=0x1429128e,seq=0x2)
18:10:26.728112 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](35/0)Ns=0,Nr=1 ZLB (DF)
18:10:27.233624 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:10:28.234537 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
18:10:28.729113 1.2.3.38 > 1.2.3.36: ESP(spi=0x1429128e,seq=0x3)
18:10:28.730969 vpnbox.company.com.l2tp > 1.2.3.38.l2tp: l2tp:[TLS](35/0)Ns=0,Nr=1 ZLB (DF)
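The difference between the two traces, as an added triage script (my example, not Openswan or l2tpd code, and not part of the original post): it re-joins tcpdump lines that a mail client has wrapped, then reports, per login attempt, whether the client sent ESP, whether the server ever answered with ESP, how many L2TP control messages from the server went out in the clear and were retransmitted, whether the tunnel ended with a StopCCN carrying a Timeout result code, and whether those replies came from the same address the client negotiated its SA with. The two sample traces embedded in it are constructed from the shape of the lines above (wrapping included) and are not verbatim copies; the client address 1.2.3.38 is taken from the post.

```python
# Added example for this list post, not Openswan or l2tpd code: triage a
# server-side tcpdump of an L2TP/IPsec login and report whether the server's
# L2TP replies stayed inside ESP.  Sample traces are constructed from the shape
# of the lines in the post (mail wrapping included), not verbatim copies.
import re
from collections import Counter

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")

GOOD_TRACE = """
18:06:51.834064 1.2.3.38.isakmp > vpnbox.company.com.isakmp: isakmp: phase
1 I ident
18:06:51.835127 vpnbox.company.com.isakmp > 1.2.3.38.isakmp: isakmp: phase
1 R ident (DF)
18:06:53.232738 1.2.3.38 > vpnbox.company.com: ESP(spi=0x61b5ea99,seq=0x1)
18:06:53.699734 vpnbox.company.com.l2tp > 1.2.3.38.l2tp:
l2tp:[TLS](33/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
18:06:54.227991 1.2.3.38 > vpnbox.company.com: ESP(spi=0x61b5ea99,seq=0x2)
18:06:54.230009 vpnbox.company.com > 1.2.3.38: ESP(spi=0xf8f2c073,seq=0x1)
(DF)
18:06:54.700594 vpnbox.company.com > 1.2.3.38: ESP(spi=0xf8f2c073,seq=0x2)
(DF)
"""

BAD_TRACE = """
18:08:47.455232 1.2.3.38.isakmp > 1.2.3.36.isakmp: isakmp: phase 1 I ident
18:08:47.456214 1.2.3.36.isakmp > 1.2.3.38.isakmp: isakmp: phase 1 R ident
(DF)
18:08:48.848151 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x1)
18:08:49.360605 vpnbox.company.com.l2tp > 1.2.3.38.l2tp:
l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
18:08:49.841280 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x2)
18:08:49.843203 vpnbox.company.com.l2tp > 1.2.3.38.l2tp:
l2tp:[TLS](34/0)Ns=0,Nr=1 ZLB (DF)
18:08:50.361403 vpnbox.company.com.l2tp > 1.2.3.38.l2tp:
l2tp:[TLS](34/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
18:08:52.455261 arp who-has 1.2.3.38 tell vpnbox.company.com
18:08:54.363711 vpnbox.company.com.l2tp > 1.2.3.38.l2tp:
l2tp:[TLS](34/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(16614)
*RESULT_CODE(1/0 Timeout) (DF)
18:08:55.850091 1.2.3.38 > 1.2.3.36: ESP(spi=0x109151c5,seq=0x4)
"""


def join_wrapped(text):
    """Re-join tcpdump lines wrapped by a mail client: a line that does not
    start with a timestamp continues the previous packet line."""
    out = []
    for line in text.strip().splitlines():
        if TS_RE.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out


def parse_packet(line):
    """Return {ts, src, dst, proto, info} for ESP/ISAKMP/L2TP lines, None for
    anything else (arp and so on).  tcpdump prints host.port for UDP and a
    bare host for ESP, so the port suffix is stripped only for UDP lines."""
    m = PKT_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
    if rest.startswith("ESP("):
        proto = "esp"
    elif rest.startswith("isakmp:"):
        proto = "isakmp"
    elif rest.startswith("l2tp:"):
        proto = "l2tp"
    else:
        return None
    if proto != "esp":
        src, dst = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
    return {"ts": m.group("ts"), "src": src, "dst": dst, "proto": proto, "info": rest}


def analyze(trace_text, client):
    """Summarise one login attempt as seen on the server; `client` is the
    address the remote peer connects from."""
    pkts = [p for p in map(parse_packet, join_wrapped(trace_text)) if p]
    ike_responder = next((p["dst"] for p in pkts
                          if p["proto"] == "isakmp" and p["src"] == client), None)
    c = Counter()
    ctl_seen = Counter()        # (src, control message) -> times sent
    reply_sources = set()       # where the server's cleartext L2TP came from
    for p in pkts:
        from_client = p["src"] == client
        if p["proto"] == "esp":
            c["client_esp" if from_client else "server_esp"] += 1
        elif p["proto"] == "l2tp" and not from_client:
            c["server_clear_l2tp"] += 1
            reply_sources.add(p["src"])
            if "MSGTYPE(" in p["info"]:
                ctl_seen[(p["src"], p["info"])] += 1
            if "StopCCN" in p["info"] and "Timeout" in p["info"]:
                c["l2tp_timeouts"] += 1
    c["server_l2tp_retransmits"] = sum(n - 1 for n in ctl_seen.values())
    keys = ("client_esp", "server_esp", "server_clear_l2tp",
            "l2tp_timeouts", "server_l2tp_retransmits")
    # Client encrypts, server never does, and the server talks L2TP in clear:
    # the L2TP replies have escaped the SA.
    escaped = c["client_esp"] > 0 and c["server_esp"] == 0 and c["server_clear_l2tp"] > 0
    return {
        "ike_responder": ike_responder,
        "l2tp_reply_sources": sorted(reply_sources),
        "counts": {k: c[k] for k in keys},
        "reply_source_mismatch": bool(reply_sources - {ike_responder}),
        "l2tp_escaped_esp": escaped,
    }


if __name__ == "__main__":
    for name, trace in (("eth0", GOOD_TRACE), ("eth0:1", BAD_TRACE)):
        print(name, analyze(trace, "1.2.3.38"))
```

The working trace also contains one cleartext SCCRP from the server before the first server-side ESP packet, so a single cleartext L2TP line is not by itself the signal; what sets the eth0:1 attempt apart is that the server never sends any ESP, keeps retransmitting SCCRP, and gives up with StopCCN (Timeout). The script additionally reports that in the failing case the L2TP replies are sourced from vpnbox.company.com (the eth0 address) rather than from 1.2.3.36, the address the client negotiated its SA with; whether that is the cause is for the poster to confirm against the l2tpd listen address and the Openswan connection definition, but it is the first thing to check.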