[Openswan Users] OSX roadwarrior to openswan

Chris Garrigues cwg-openswan at Trinsics.Com
Mon May 22 12:02:02 CEST 2006


> From:  Jacco de Leeuw <jacco2 at dds.nl>
> Date:  Sat, 20 May 2006 10:34:25 +0200
>
> 
> Chris Garrigues wrote:
> 
> > I'm trying to bring up a VPN from an OSX roadrunner (MacBook Pro running 10.4.6)
> > to a Mandriva based firewall running openswan-2.3.1-1mdk, l2tpd-0.69-11jdl and
> > ppp-2.4.3-4mdk.
> > 
> > May 19 11:06:27 fw l2tpd[20615]: message_type_avp: message type 1 (Start-Control-Connection-Request) 
> > May 19 11:06:28 fw l2tpd[20615]: message_type_avp: message type 1 (Start-Control-Connection-Request) 
> > May 19 11:06:29 fw l2tpd[20615]: message_type_avp: message type 1 (Start-Control-Connection-Request) 
> > May 19 11:06:30 fw l2tpd[20615]: message_type_avp: message type 1 (Start-Control-Connection-Request) 
> 
> I saw the same thing the other day. I suspect it is a problem in the handling
> of ptys. I upgraded Openswan to the latest version, disconnected on the Mac,
> connected again and after that it worked. The strange thing is that when
> the problem occurred I did not see the log message
> "N_HDLC line discipline registered."
> What if you do a manual "modprobe n_hdlc" before you connect? Also, I
> don't know if xl2tpd has seen any pty fixes but you may want to try that.

I remain stumped.

I have now upgraded openswan to openswan-2.4.5-1mdk with no change; rebooted 
both boxes multiple times with no change; did a manual "modprobe n_hdlc" with 
no effect; and tried installing xl2tp-1.04 with what looks to my inexperienced 
eyes like worse problems.

It's quite likely that I got the xl2tp install screwed up since there doesn't 
appear to be an RPM available and the installation documentation is rather sparse.  
I made my own RPM based on the one for l2tpd (the firewall box doesn't have a 
compiler on it).

Here are the logs with xl2tp:

May 22 10:55:31 fw l2tpd[6601]: This binary does not support kernel L2TP. 
May 22 10:55:31 fw l2tpd[6602]: l2tpd version 1.04-X started on fw.DeepEddy.Com PID:6602 
May 22 10:55:31 fw l2tpd[6602]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc. 
May 22 10:55:31 fw l2tpd[6602]: Forked by Scott Balmos and David Stipp, (C) 2001 
May 22 10:55:31 fw l2tpd[6602]: Inherited by Jeff McAdams, (C) 2002 
May 22 10:55:31 fw l2tpd[6602]: Listening on IP address 0.0.0.0, port 1701 
May 22 10:55:41 fw pluto[6088]: packet from 192.12.3.191:500: received Vendor ID payload [RFC 3947] method set to=110 
May 22 10:55:41 fw pluto[6088]: packet from 192.12.3.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=109, but already using method 110
May 22 10:55:41 fw pluto[6088]: packet from 192.12.3.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 22 10:55:41 fw pluto[6088]: packet from 192.12.3.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: responding to Main Mode from unknown peer 192.12.3.191
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: STATE_MAIN_R1: sent MR1, expecting MI2
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: ignoring Vendor ID payload [KAME/racoon]
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: NAT-Traversal: Result using 3: no NAT detected
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: STATE_MAIN_R2: sent MR2, expecting MI3
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=Trinsics, OU=ipsec, CN=macbook.trinsics.com, E=webmaster at Trinsics.Com'
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-ninadeepeddycom"[2] 192.12.3.191 #6: crl update for "C=US, ST=TX, L=Austin, O=Trinsics, OU=ca, CN=Trinsics Root CA, E=webmaster at trinsics.com" is overdue since Jan 24 22:38:18 UTC 2006
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #6: deleting connection "fwdeepeddycom-ninadeepeddycom" instance with peer 192.12.3.191 {isakmp=#0/ipsec=#0}
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #6: I am sending my cert
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 22 10:55:41 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 22 10:55:42 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #7: responding to Quick Mode {msgid:49e620ea}
May 22 10:55:42 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 22 10:55:42 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 22 10:55:42 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 22 10:55:42 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #7: STATE_QUICK_R2: IPsec SA established {ESP=>0x09299f8d <0x78abb79b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
May 22 10:55:45 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:55:50 fw last message repeated 6 times
May 22 10:55:50 fw l2tpd[6602]: Maximum retries exceeded for tunnel 12555.  Closing. 
May 22 10:55:50 fw l2tpd[6602]: Connection 3 closed to 192.12.3.191, port 49233 (Timeout) 
May 22 10:55:51 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:55:55 fw last message repeated 4 times
May 22 10:55:55 fw l2tpd[6602]: Unable to deliver closing message for tunnel 12555. Destroying anyway. 
May 22 10:55:58 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:02 fw last message repeated 5 times
May 22 10:56:03 fw l2tpd[6602]: Maximum retries exceeded for tunnel 45103.  Closing. 
May 22 10:56:03 fw l2tpd[6602]: Connection 3 closed to 192.12.3.191, port 49233 (Timeout) 
May 22 10:56:03 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:07 fw last message repeated 4 times
May 22 10:56:08 fw l2tpd[6602]: Unable to deliver closing message for tunnel 45103. Destroying anyway. 
May 22 10:56:10 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:15 fw last message repeated 6 times
May 22 10:56:15 fw l2tpd[6602]: Maximum retries exceeded for tunnel 38224.  Closing. 
May 22 10:56:15 fw l2tpd[6602]: Connection 3 closed to 192.12.3.191, port 49233 (Timeout) 
May 22 10:56:16 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:20 fw last message repeated 4 times
May 22 10:56:20 fw l2tpd[6602]: Unable to deliver closing message for tunnel 38224. Destroying anyway. 
May 22 10:56:23 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:23 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:24 fw ifplugd(eth1)[3495]: Link beat lost.
May 22 10:56:26 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:26 fw ifplugd(eth1)[3495]: Link beat detected.
May 22 10:56:27 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:28 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:28 fw l2tpd[6602]: Maximum retries exceeded for tunnel 21068.  Closing. 
May 22 10:56:28 fw l2tpd[6602]: Connection 3 closed to 192.12.3.191, port 49233 (Timeout) 
May 22 10:56:29 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:33 fw last message repeated 4 times
May 22 10:56:33 fw l2tpd[6602]: Unable to deliver closing message for tunnel 21068. Destroying anyway. 
May 22 10:56:36 fw l2tpd[6602]: control_finish: Peer requested tunnel 3 twice, ignoring second one. 
May 22 10:56:39 fw last message repeated 4 times
May 22 10:56:40 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #6: received Delete SA(0x09299f8d) payload: deleting IPSEC State #7
May 22 10:56:40 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #6: received and ignored informational message
May 22 10:56:40 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191 #6: received Delete SA payload: deleting ISAKMP State #6
May 22 10:56:40 fw pluto[6088]: "fwdeepeddycom-macbooktrinsicscom"[2] 192.12.3.191: deleting connection "fwdeepeddycom-macbooktrinsicscom" instance with peer 192.12.3.191 {isakmp=#0/ipsec=#0}
May 22 10:56:40 fw pluto[6088]: packet from 192.12.3.191:500: received and ignored informational message
May 22 10:56:41 fw l2tpd[6602]: Maximum retries exceeded for tunnel 30298.  Closing. 
May 22 10:56:41 fw l2tpd[6602]: Connection 3 closed to 192.12.3.191, port 49233 (Timeout) 
May 22 10:56:46 fw l2tpd[6602]: Unable to deliver closing message for tunnel 30298. Destroying anyway. 

-- 
Chris Garrigues                         Trinsic Solutions
President                               710-B West 14th Street
                                        Austin, TX  78701-1755

512-322-0180                            http://www.trinsics.com

                 Would you rather proactively pay for
                uptime or reactively pay for downtime?

                          Trinsic Solutions
                 Your Proactive IT Management Partner
