[Openswan Users] It doesn't work
Turbo Fredriksson
turbo at bayour.com
Wed Nov 1 12:30:58 EST 2006
... and I have absolutely no idea why!
I've been following the guide at http://www.natecarlson.com/linux/ipsec-l2tp.php
to the letter.
This is what my setup looks like:

      Home                                Work
Win2k -> LinFW -> INTERNET -> LinFW <-> intranet
I want my Win2k (and/or WinXP) machine to access the intranet at
work. The LinFW is using iptables to NAT (and block unwanted) traffic.
The one at work has the NAT-T patch applied, but not the one at
home... Does that matter?
Both firewalls accept connections to TCP and UDP ports 500, 4500
and 1701. The work FW runs the Openswan and L2TPd software.
My configs look identical to the ones in the HOWTO above, but on
the Win client(s), I had to import the CA (with IE) and also
the personal certificate. Was I correct in understanding that
the 'server' (work FW) uses ONE certificate and I will have
another at my end? The HOWTO wasn't crystal clear on that part...
I first used my girlfriend's XP machine, but when I didn't get
it to work, I imported the server cert with certimport.exe
AS WELL as my personal cert. Now I can't remove/find the certs
(i.e. I find them on disk, but I don't know where certimport.exe
put "its" copy).
This is what pluto says when I try to connect with the Win2k
client:
----- s n i p -----
==> /var/log/auth.log <==
Nov 1 18:05:28 gudrun pluto[7260]: packet from <HOME_FW_IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Nov 1 18:05:28 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: responding to Main Mode from unknown peer <HOME_FW_IP>
Nov 1 18:05:28 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 1 18:05:28 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 1 18:05:30 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 1 18:05:30 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: Main mode peer ID is ID_DER_ASN1_DN: '<DN_OF_MY_PRIVATE_CERT_ON_WIN2K_CLIENT>'
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: switched from "roadwarrior" to "roadwarrior"
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: deleting connection "roadwarrior" instance with peer <HOME_FW_IP> {isakmp=#0/ipsec=#0}
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: I am sending my cert
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: responding to Quick Mode {msgid:695bdceb}
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xe7a22a62 <0x1234d5c8 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
[one minute delay, see below]
Nov 1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: received Delete SA(0xe7a22a62) payload: deleting IPSEC State #2
Nov 1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: deleting connection "roadwarrior-l2tp-oldwin" instance with peer <HOME_FW_IP> {isakmp=#0/ipsec=#0}
Nov 1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: received and ignored informational message
Nov 1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: received Delete SA payload: deleting ISAKMP State #1
Nov 1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP>: deleting connection "roadwarrior" instance with peer <HOME_FW_IP> {isakmp=#0/ipsec=#0}
Nov 1 18:06:06 gudrun pluto[7260]: packet from <HOME_FW_IP>:500: received and ignored informational message
----- s n i p -----
During the one minute delay, I checked the routing table, and it seems
like SOMETHING happens:
----- s n i p -----
Destination     Gateway         Genmask          Flags Metric Ref  Use Iface
192.168.2.19    0.0.0.0         255.255.255.255  UH    0      0      0 ipsec0
<EXT-BRCAST>    0.0.0.0         255.255.255.192  U     0      0      0 eth0
<EXT-BRCAST>    0.0.0.0         255.255.255.192  U     0      0      0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0    U     0      0      0 eth1
0.0.0.0         <EXT-GW>        0.0.0.0          UG    0      0      0 eth0
----- s n i p -----
The IP address 192.168.2.19 is the IP of the Win2k client and
the 192.168.1.0 network is the internal network at work.
The ipsec.conf file (had to change SOME stuff to fit my network setup):
----- s n i p -----
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    #plutodebug="control parsing"
    #klipsdebug=""

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    pfs=no

conn roadwarrior
    left=%defaultroute
    leftcert=workfw.domain.tld.pem
    leftrsasigkey=%cert
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightsubnet=vhost:%no,%priv
    auto=add

conn roadwarrior-net
    leftsubnet=10.0.0.0/8
    #leftsubnet=192.168.1.0/24
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-l2tp
    type=transport
    left=%defaultroute
    leftcert=workfw.domain.tld.pem
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    auto=add

conn roadwarrior-l2tp-oldwin
    left=%defaultroute
    leftcert=workfw.domain.tld.pem
    leftprotoport=17/0
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    auto=add

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
----- s n i p -----
One problem I might imagine is that 'workfw.domain.tld' isn't in
reverse DNS (it is only in the forward zone of the internal DNS, which
isn't accessible from the outside, but the workfw looks there).
Another thing I was thinking about was whether I had to forward port
500 on my homefw to the Win2k client, but that doesn't sound
reasonable (then only ONE person on the local network could use
the VPN connection at any one time), so I hadn't tested it...
Just for the sake of it, I did, but that didn't change anything
(as expected)...
Could anyone hit me with a clue bat so I can get this working?
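As an added example (not part of the post, and not Openswan's own tooling), here is a small Python triage script for a pluto auth.log excerpt like the one quoted above. It parses the lines from the message (the `<HOME_FW_IP>` and DN placeholders are the poster's, not real values), pulls out the ISAKMP and IPsec SA parameters, measures how long the IPsec SA lived before the peer's Delete SA, and lists the observations a reviewer would want to check first: whether NAT-D was negotiated, which transforms were agreed, and whether the SA was torn down within seconds. The regular expressions are written against the message formats visible in this excerpt; that they hold for other Openswan versions is an assumption.

```python
"""Triage a pluto (Openswan IKEv1) auth.log excerpt: who the peer was, what the
ISAKMP and IPsec SAs negotiated, and how long the IPsec SA survived."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Log lines as quoted in the post. <HOME_FW_IP> and the DN are the poster's
# own placeholders, so this is constructed sample input, not live data.
SAMPLE_LOG = """\
Nov 1 18:05:28 gudrun pluto[7260]: packet from <HOME_FW_IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Nov 1 18:05:28 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: responding to Main Mode from unknown peer <HOME_FW_IP>
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[1] <HOME_FW_IP> #1: Main mode peer ID is ID_DER_ASN1_DN: '<DN_OF_MY_PRIVATE_CERT_ON_WIN2K_CLIENT>'
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: responding to Quick Mode {msgid:695bdceb}
Nov 1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xe7a22a62 <0x1234d5c8 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Nov 1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: received Delete SA(0xe7a22a62) payload: deleting IPSEC State #2
Nov 1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: received Delete SA payload: deleting ISAKMP State #1
"""

# syslog prefix: month, day, time, host, "pluto[pid]:", then pluto's own text
PREFIX = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<rest>.*)$")
VENDOR = re.compile(r"packet from (?P<peer>\S+):\d+: ignoring Vendor ID payload \[(?P<vid>[^\]]+)\]")
STATE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<num>\d+): (?P<msg>.*)')
PEER_ID = re.compile(r"Main mode peer ID is (?P<kind>[A-Z0-9_]+): '(?P<id>[^']*)'")
ISAKMP = re.compile(r"ISAKMP SA established \{(?P<kv>[^}]*)\}")
IPSEC = re.compile(r"IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+) (?P<kv>[^}]*)\}")
DELETE = re.compile(r"received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload")


def _kv(text: str) -> Dict[str, str]:
    """Turn 'auth=X cipher=Y' into {'auth': 'X', 'cipher': 'Y'}."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


@dataclass
class Negotiation:
    peer: str = ""
    vendor_ids: List[str] = field(default_factory=list)
    peer_id: str = ""
    isakmp_conn: str = ""
    isakmp: Dict[str, str] = field(default_factory=dict)
    ipsec_conn: str = ""
    ipsec: Dict[str, str] = field(default_factory=dict)
    ipsec_up: Optional[datetime] = None
    ipsec_down: Optional[datetime] = None


def parse_pluto_log(text: str) -> Negotiation:
    neg = Negotiation()
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a pluto line
        # syslog timestamps carry no year; any fixed year works for durations
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        rest = m["rest"]
        if v := VENDOR.search(rest):
            neg.peer = v["peer"]
            neg.vendor_ids.append(v["vid"])
            continue
        s = STATE.match(rest)
        if not s:
            continue
        neg.peer = s["peer"]
        msg = s["msg"]
        if p := PEER_ID.search(msg):
            neg.peer_id = f"{p['kind']} {p['id']}"
        elif i := ISAKMP.search(msg):
            neg.isakmp_conn, neg.isakmp = s["conn"], _kv(i["kv"])
        elif e := IPSEC.search(msg):
            neg.ipsec_conn = s["conn"]
            neg.ipsec = {"spi_out": e["out"], "spi_in": e["in"], **_kv(e["kv"])}
            neg.ipsec_up = ts
        elif d := DELETE.search(msg):
            # the peer's Delete names one of the SPIs of our IPsec state
            if d["spi"] in (neg.ipsec.get("spi_out"), neg.ipsec.get("spi_in")):
                neg.ipsec_down = ts
    return neg


def ipsec_sa_lifetime(neg: Negotiation) -> Optional[int]:
    """Seconds from IPsec SA establishment to the peer's Delete SA, or None."""
    if neg.ipsec_up and neg.ipsec_down:
        return int((neg.ipsec_down - neg.ipsec_up).total_seconds())
    return None


def findings(neg: Negotiation) -> List[str]:
    out = []
    if neg.ipsec.get("NATD") == "none":
        out.append("NATD=none: NAT traversal was not negotiated, so ESP runs as raw "
                   "IP protocol 50 rather than UDP-encapsulated on port 4500")
    if "MD5" in neg.ipsec.get("xfrm", ""):
        out.append(f"xfrm={neg.ipsec['xfrm']}: HMAC-MD5 integrity, weak by current standards")
    if "3des" in neg.isakmp.get("cipher", "").lower():
        out.append(f"cipher={neg.isakmp['cipher']}: 3DES for IKE, weak by current standards")
    life = ipsec_sa_lifetime(neg)
    if life is not None and life < 60:
        out.append(f"short-lived IPsec SA on {neg.ipsec_conn}: peer sent Delete SA {life} s after establishment")
    return out


if __name__ == "__main__":
    n = parse_pluto_log(SAMPLE_LOG)
    print(f"peer {n.peer} vendor IDs {n.vendor_ids} ID {n.peer_id}")
    print(f"ISAKMP ({n.isakmp_conn}): {n.isakmp}")
    print(f"IPsec ({n.ipsec_conn}): {n.ipsec}, lifetime {ipsec_sa_lifetime(n)} s")
    for f in findings(n):
        print(" -", f)
```

Run it against a larger auth.log excerpt by replacing SAMPLE_LOG with the file contents; the Delete-SA match is keyed on the SPIs pluto printed for the IPsec SA, so a Delete for a different SA is ignored rather than miscounted.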