[Openswan Users] Windows XP L2TP
Alexandre Ghisoli
alexandre.ghisoli at ycom.ch
Sat May 27 15:54:30 CEST 2006
Hi list,
I'm lost now, while trying an L2TP tunnel with my Linux GW.
Setup is:
Internal LAN 172.16.x.x
Openswan box
Real IP
ADSL router
WinXP client
So my client is NAT'ed by an ADSL router, and the Openswan box has two interfaces,
one with a real IP address, one on the lowsec internal LAN.
ipsec.conf
config setup
        syslog=daemon.error
        interfaces="ipsec0=vlan999"
        klipsdebug=no
        # NAT-T is needed because the XP client sits behind the ADSL router
        nat_traversal=yes
        forwardcontrol=no
        strictcrlpolicy=no
        # RFC1918 ranges a roadwarrior may claim, minus our own internal LAN
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.16.0.0/16

conn %default
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=1
        compress=no
        # disablearrivalcheck=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        forceencaps=yes

conn roadwarrior-l2tp-new
        # -- YCOM side
        left=PublicIPAddress
        leftnexthop=Outgoing router
        leftcert=cust1.vpn.ycom.ch.cert
        # L2TP listens on UDP/1701 on the gateway
        leftprotoport=17/1701
        # -- Mobile client side
        right=%any
        rightid="C=CH, ST=Vaud, O=YCOM SA, OU=NOC, CN=*, E=*"
        # client source port may be rewritten by the NAT, so accept any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        # rightsubnet=vhost:etc
        # virtual_private=etc
        auto=add
IPsec seems OK, since I get those messages:
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: responding to Main Mode from unknown peer 84.227.215.120
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: STATE_MAIN_R1: sent MR1, expecting MI2
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: STATE_MAIN_R2: sent MR2, expecting MI3
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, ST=Vaud, O=YCOM SA, OU=NOC, CN=alex.vpn.ycom.ch, E=support at ycom.ch'
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: I am sending my cert
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 27 14:31:53 cust1 pluto[14266]: | NAT-T: new mapping 84.227.215.120:500/19023)
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #38: responding to Quick Mode {msgid:1a3135c7}
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #38: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #38: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #38: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #38: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0xfaf1c34b <0xdf775237 xfrm=3DES_0-HMAC_MD5 NATD=84.227.215.120:19023 DPD=none}
But then, L2TP doesn't start up:
May 27 14:31:53 cust1 pluto[14266]: packet from 84.227.215.120:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 27 14:31:53 cust1 pluto[14266]: packet from 84.227.215.120:500: ignoring Vendor ID payload [FRAGMENTATION]
May 27 14:31:53 cust1 pluto[14266]: packet from 84.227.215.120:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: responding to Main Mode from unknown peer 84.227.215.120
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: STATE_MAIN_R1: sent MR1, expecting MI2
May 27 14:31:54 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
May 27 14:31:54 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 27 14:31:54 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: STATE_MAIN_R2: sent MR2, expecting MI3
May 27 14:31:55 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: discarding duplicate packet; already STATE_MAIN_R2
May 27 14:31:57 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: received Delete SA(0xfaf1c34b) payload: deleting IPSEC State #38
May 27 14:31:57 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: received and ignored informational message
May 27 14:31:57 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: received Delete SA payload: deleting ISAKMP State #37
May 27 14:31:57 cust1 pluto[14266]: packet from 84.227.215.120:19023: received and ignored informational message
May 27 14:31:57 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: ignoring Delete SA payload: not encrypted
May 27 14:31:57 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #39: received and ignored informational message
Again and again ...
I'm using xl2tpd; config is:
[global]
; listen for L2TP on UDP/1701
port = 1701
debug avp = yes
debug network = yes
debug packet = yes
debug tunnel = yes
debug state = yes

[lns default]
; addresses handed to PPP clients, and the LNS side of the link
ip range = 172.16.10.5-172.16.10.19
local ip = 172.16.10.4
require chap = yes
refuse pap = yes
require authentication = yes
name = vpn2
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
length bit = yes
Any ideas?
Thanks for your support
--Alexandre
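A small triage script, added here as an example and not part of Alexandre's post, of Openswan or of xl2tpd: it reads pluto log lines like the ones quoted above, tracks each ISAKMP and IPsec SA by its pluto state number, and reports how long the peer let each SA live before sending Delete SA. The pattern in the post (IPsec SA established, then deleted a few seconds later, while nothing reaches the L2TP daemon) shows up as a "short-lived" finding. The sample input is copied from the log excerpt above; the 30-second threshold and the function names are my own choices.

```python
import re
from datetime import datetime

# Sample input: a subset of the pluto lines quoted in the post above,
# timestamps and state numbers as they appear there.
SAMPLE_LOG = """\
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 27 14:31:53 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #38: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0xfaf1c34b <0xdf775237 xfrm=3DES_0-HMAC_MD5 NATD=84.227.215.120:19023 DPD=none}
May 27 14:31:57 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: received Delete SA(0xfaf1c34b) payload: deleting IPSEC State #38
May 27 14:31:57 cust1 pluto[14266]: "roadwarrior-l2tp-new"[1] 84.227.215.120 #37: received Delete SA payload: deleting ISAKMP State #37
"""

# Matches the per-connection pluto lines: syslog time, connection name,
# peer address, state number and the free-text message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
# "deleting IPSEC State #38" / "deleting ISAKMP State #37"
DELETE_RE = re.compile(r'deleting (?:IPSEC|ISAKMP) State #(?P<victim>\d+)')


def parse_ts(text):
    """Syslog timestamps carry no year; only differences are used, so the
    default year strptime fills in is good enough."""
    return datetime.strptime(text, '%b %d %H:%M:%S')


def analyse(log_text, short_lived_seconds=30):
    """Return (nat_result, findings). Each finding describes one SA the
    peer deleted: its state number, kind, age in seconds, and whether the
    age is below short_lived_seconds (assumed threshold)."""
    established = {}   # pluto state number -> (kind, established_at)
    findings = []
    nat_result = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # "packet from ..." and "| NAT-T" lines are not SA events
        ts = parse_ts(m['ts'])
        state = int(m['state'])
        msg = m['msg']
        if 'NAT-Traversal: Result' in msg:
            nat_result = msg.rsplit(': ', 1)[-1]      # e.g. "both are NATed"
        elif 'ISAKMP SA established' in msg:
            established[state] = ('ISAKMP', ts)
        elif 'IPsec SA established' in msg:
            established[state] = ('IPsec', ts)
        else:
            d = DELETE_RE.search(msg)
            if d and int(d['victim']) in established:
                victim = int(d['victim'])
                kind, t0 = established.pop(victim)
                age = (ts - t0).total_seconds()
                findings.append({'state': victim, 'kind': kind, 'age': age,
                                 'short_lived': age < short_lived_seconds})
    return nat_result, findings


def summarise(nat_result, findings):
    """Human-readable lines for the operator."""
    out = ['NAT-T result: %s' % (nat_result or 'not seen')]
    for f in findings:
        out.append('%s SA #%d lived %.1fs before the peer deleted it%s'
                   % (f['kind'], f['state'], f['age'],
                      ' (short-lived)' if f['short_lived'] else ''))
    if any(f['kind'] == 'IPsec' and f['short_lived'] for f in findings):
        out.append('IKE and IPsec completed, so the tunnel was torn down by the '
                   'peer after Phase 2: check the L2TP layer next (xl2tpd debug '
                   'output, whether UDP/1701 arrives at the LNS through the SA).')
    return out


if __name__ == '__main__':
    nat, found = analyse(SAMPLE_LOG)
    for line in summarise(nat, found):
        print(line)
```

Run it against a real /var/log/secure or syslog extract by passing the file contents to analyse(); lines from other connections are handled the same way, since the script keys on pluto state numbers rather than on the connection name.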