[Openswan Users] L2TP/IPsec doesn't work
Turbo Fredriksson
turbo at bayour.com
Wed Nov 1 16:07:54 EST 2006
>>>>> "Jacco" == Jacco de Leeuw <jacco2 at dds.nl> writes:
Jacco> No, you cannot use Internet Explorer to import certificates
Jacco> for use with IPsec. See:
Then why did everything work much better after I did this? Was it the
CA cert import that did the trick then?
Before I did this, I got some other problem (can't remember exactly, but
looking in my browser's history (under Google searches :) I see that
it had something to do with
policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Might be unrelated perhaps, but will it be a problem if the CA + Cert
is included/inserted/added with IE?
Jacco> http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#ImportingCertificates
Verifying with this, I see that on the Win2k machine my private cert is
in the list, and on the XP both the server cert and my private is in
the list...
And I see that my CA cert is below the
Trusted Root Certification Authorities->Certificates
This is the one I imported using IE...
Jacco> Sorry, I misread. I meant: almost good. You only have to
Jacco> import your personal cert (with private key) on the client,
Jacco> and the CA's root certificate (obviously without private
Jacco> key). Not the server cert.
Oki, so that's what I did. At least one thing I did right :).
Turbo> This is what pluto say when I try to connect with the Win2k
Turbo> client: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
Turbo> 00000002]
Jacco> Did you edit that log? I miss the results of the NAT-T
Jacco> negotiation.
No. I 'attach' the tail on the logfile and then press 'Connect' on
the client.
Turbo> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
Jacco> Your internal subnet needs to be excluded here.
So remove ',%v4:192.168.0.0/16' then?
Turbo> compress=yes
Jacco> Minor detail: this is not supported by Windows so it won't
Jacco> have any effect.
But I saw something about a reg hack to MAYBE enable this.. But I'll
leave a note in the config about it (so i'll know till the next time
I'll have to do this all over again :).
Turbo> conn roadwarrior-l2tp
Jacco> Add the following to this section:
Jacco> rightsubnet=vhost:%no,%priv
Check.
Turbo> conn roadwarrior-l2tp-oldwin
Jacco> Remove this section and remember to install SP2 on XP or
Jacco> the Q818043 update on Win 2000 and XP pre-SP2.
The XP machine has SP2 and the Win2k machine has SP4...
From what I could tell on the pages I've been looking at, that's
ok..
With modifications and restart of pluto and l2tpd, this is what's
in the logs when I hit 'Connect' on the XP machine:
----- s n i p -----
workfw:~# tail -n0 -f /var/log/{auth.,sys}log | tee /tmp/ipsec.out2
==> /var/log/auth.log <==
==> /var/log/syslog <==
==> /var/log/auth.log <==
Nov 1 21:53:57 workfw pluto[8381]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 1 21:53:57 workfw pluto[8381]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 1 21:53:57 workfw pluto[8381]: packet from <HOMEFW_IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 1 21:53:57 workfw pluto[8381]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 1 21:53:57 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: responding to Main Mode from unknown peer <HOMEFW_IP>
Nov 1 21:53:57 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 1 21:53:57 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 1 21:53:57 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 1 21:53:57 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 1 21:53:57 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: Main mode peer ID is ID_DER_ASN1_DN: '<DN_OF_PERSONAL_CERT>'
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior"[1] <HOMEFW_IP> #1: switched from "roadwarrior" to "roadwarrior"
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: I am sending my cert
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 1 21:53:58 workfw pluto[8381]: | NAT-T: new mapping <HOMEFW_IP>:500/4500)
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: responding to Quick Mode {msgid:d48dda4e}
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 1 21:53:58 workfw pluto[8381]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xa39a19f7 <0xa5aad798 xfrm=3DES_0-HMAC_MD5 NATD=<HOMEFW_IP>:4500 DPD=none}
==> /var/log/syslog <==
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov 1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.
==> /var/log/auth.log <==
Nov 1 21:54:33 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: received Delete SA(0xa39a19f7) payload: deleting IPSEC State #2
Nov 1 21:54:33 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: deleting connection "roadwarrior-l2tp" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov 1 21:54:33 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: received and ignored informational message
Nov 1 21:54:33 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP> #1: received Delete SA payload: deleting ISAKMP State #1
Nov 1 21:54:33 workfw pluto[8381]: "roadwarrior"[2] <HOMEFW_IP>: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov 1 21:54:33 workfw pluto[8381]: packet from <HOMEFW_IP>:4500: received and ignored informational message
----- s n i p -----
If I just try Reconnect, then the stuff that ended up in syslog isn't
there... Maybe that's what you were missing above?
Restarting pluto+l2tpd (so that the klips:pfkey_msg_parse stuff is
generated in the logs) and trying to connect from the Win2k machine
gives a slightly different output in the logs:
----- s n i p -----
workfw:~# tail -n0 -f /var/log/{auth.,sys}log | tee /tmp/ipsec.out2
==> /var/log/auth.log <==
==> /var/log/syslog <==
==> /var/log/auth.log <==
Nov 1 21:58:08 workfw pluto[8622]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Nov 1 21:58:08 workfw pluto[8622]: "roadwarrior"[1] <HOMEFW_IP> #1: responding to Main Mode from unknown peer <HOMEFW_IP>
Nov 1 21:58:08 workfw pluto[8622]: "roadwarrior"[1] <HOMEFW_IP> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 1 21:58:08 workfw pluto[8622]: "roadwarrior"[1] <HOMEFW_IP> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 1 21:58:10 workfw pluto[8622]: "roadwarrior"[1] <HOMEFW_IP> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 1 21:58:10 workfw pluto[8622]: "roadwarrior"[1] <HOMEFW_IP> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[1] <HOMEFW_IP> #1: Main mode peer ID is ID_DER_ASN1_DN: '<DN_OF_PERSONAL_CERT>'
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[1] <HOMEFW_IP> #1: switched from "roadwarrior" to "roadwarrior"
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: I am sending my cert
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: cannot respond to IPsec SA request because no connection is known for <WORKFW_IP>[<DN_OF_CA_CERT>]:17/0...<HOMEFW_IP>[<DN_OF_PERSONAL_CERT>]:17/1701===192.168.2.19/32
Nov 1 21:58:11 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: sending encrypted notification INVALID_ID_INFORMATION to <HOMEFW_IP>:500
Nov 1 21:58:12 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4eaab04c (perhaps this is a duplicated packet)
Nov 1 21:58:12 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: sending encrypted notification INVALID_MESSAGE_ID to <HOMEFW_IP>:500
Nov 1 21:58:14 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4eaab04c (perhaps this is a duplicated packet)
Nov 1 21:58:14 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: sending encrypted notification INVALID_MESSAGE_ID to <HOMEFW_IP>:500
Nov 1 21:58:18 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4eaab04c (perhaps this is a duplicated packet)
Nov 1 21:58:18 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: sending encrypted notification INVALID_MESSAGE_ID to <HOMEFW_IP>:500
Nov 1 21:58:26 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4eaab04c (perhaps this is a duplicated packet)
Nov 1 21:58:26 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: sending encrypted notification INVALID_MESSAGE_ID to <HOMEFW_IP>:500
Nov 1 21:59:14 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP> #1: received Delete SA payload: deleting ISAKMP State #1
Nov 1 21:59:14 workfw pluto[8622]: "roadwarrior"[2] <HOMEFW_IP>: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov 1 21:59:14 workfw pluto[8622]: packet from <HOMEFW_IP>:500: received and ignored informational message
----- s n i p -----
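The two captures differ in exactly one place: both clients get through Main Mode (ISAKMP SA established with RSA signatures), but only the XP client gets an IPsec SA, while the Win2k client's Quick Mode proposal (UDP/1701 from a private address behind NAT) matches no conn and is answered with INVALID_ID_INFORMATION. As an added example that is not from the thread and not Openswan's own code, here is a small parser that reduces responder-side pluto logs to that distinction; the log excerpts, peer address, DNs and SPIs in it are constructed placeholders.

```python
import re

# Constructed pluto excerpts modelled on the two captures in the thread; the
# peer address, DNs and SPIs are placeholders, not values from the real setup.
XP_LOG = """\
pluto[8381]: "roadwarrior"[2] 203.0.113.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[8381]: "roadwarrior-l2tp"[1] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x00000001 <0x00000002 xfrm=3DES_0-HMAC_MD5 NATD=203.0.113.5:4500 DPD=none}
"""
WIN2K_LOG = """\
pluto[8622]: "roadwarrior"[2] 203.0.113.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[8622]: "roadwarrior"[2] 203.0.113.5 #1: cannot respond to IPsec SA request because no connection is known for 198.51.100.1[C=XX, CN=Example CA]:17/0...203.0.113.5[C=XX, CN=client]:17/1701===192.168.2.19/32
pluto[8622]: "roadwarrior"[2] 203.0.113.5 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.5:500
pluto[8622]: "roadwarrior"[2] 203.0.113.5 #1: sending encrypted notification INVALID_MESSAGE_ID to 203.0.113.5:500
pluto[8622]: "roadwarrior"[2] 203.0.113.5 #1: sending encrypted notification INVALID_MESSAGE_ID to 203.0.113.5:500
"""

# Strip the "conn"[n] peer #state: prefix pluto puts on per-connection lines.
LINE_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)"\[\d+\] \S+(?: #\d+)?: )?(?P<msg>.*)')
ATTR_RE = re.compile(r"(\w+)=([^\s}]+)")
# Selector pluto prints when no conn matches: left[DN]:proto/port...right[DN]:proto/port===client
NOCONN_RE = re.compile(r"no connection is known for \S+\[[^\]]*\]:\d+/\d+\.\.\."
                       r"\S+\[[^\]]*\]:(?P<proto>\d+)/(?P<port>\d+)===(?P<client>\S+)")

def summarize_pluto(log):
    """Reduce a responder-side pluto log to the facts that matter for L2TP/IPsec."""
    s = {"isakmp": None, "ipsec": None, "no_conn": None, "notifications": {}}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:          # Phase 1 done: certs were accepted
            s["isakmp"] = dict(ATTR_RE.findall(msg))
        elif "IPsec SA established" in msg:         # Phase 2 done on this conn
            s["ipsec"] = {"conn": m.group("conn"), **dict(ATTR_RE.findall(msg))}
        elif "no connection is known for" in msg:   # Phase 2 proposal matched no conn
            n = NOCONN_RE.search(msg)
            s["no_conn"] = {k: n.group(k) for k in ("proto", "port", "client")}
        elif "sending encrypted notification" in msg:
            name = msg.split()[3]
            s["notifications"][name] = s["notifications"].get(name, 0) + 1
    return s

def diagnose(s):
    """Map the summary to the layer to look at next."""
    if s["isakmp"] is None:
        return "phase1-failed"                      # certificate / CA / NAT-T problem
    if s["ipsec"]:
        return "ipsec-up:" + s["ipsec"]["conn"]     # remaining trouble is in l2tpd
    if s["no_conn"]:                                # proto 17/1701 from a private address:
        c = s["no_conn"]                            # the rightsubnet=vhost:%no,%priv case
        return "phase2-no-conn:%s/%s from %s" % (c["proto"], c["port"], c["client"])
    return "phase2-not-reached"
```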