[Openswan Users] L2TP/IPsec doesn't work

Turbo Fredriksson turbo at bayour.com
Thu Nov 2 09:27:43 EST 2006


>>>>> "Turbo" == Turbo Fredriksson <turbo at bayour.com> writes:

    Jacco> No, you add ,%v4:!192.168.x.0/24

    Jacco> The Win2k machine still needs the Q818043 update if it is
    Jacco> behind NAT.

    Turbo> I'll install that then. Do I need the NAT-T patch on my
    Turbo> home firewall?

The firewall has been opened according to Peter McGill's
iptables example and the Win2k has been patched, but still no go:

----- s n i p -----
workfw:~# tail -n0 -f /var/log/{auth.,sys}log | tee /tmp/ipsec.out2
==> /var/log/auth.log <==

==> /var/log/syslog <==

==> /var/log/auth.log <==
Nov  2 15:07:36 workfw pluto[11934]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Nov  2 15:07:36 workfw pluto[11934]: packet from <HOMEFW_IP>:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov  2 15:07:36 workfw pluto[11934]: packet from <HOMEFW_IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov  2 15:07:36 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: responding to Main Mode from unknown peer <HOMEFW_IP>
Nov  2 15:07:36 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  2 15:07:36 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  2 15:07:38 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov  2 15:07:38 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  2 15:07:38 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: Main mode peer ID is ID_DER_ASN1_DN: '<MY_PRIVATE_CERT_DN>'
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: switched from "roadwarrior" to "roadwarrior"
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: I am sending my cert
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  2 15:07:39 workfw pluto[11934]: | NAT-T: new mapping <HOMEFW_IP>:500/4500)
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: responding to Quick Mode {msgid:ac3d0904}
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

==> /var/log/syslog <==
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.

==> /var/log/auth.log <==
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x54ce4519 <0xd1c6e0ac xfrm=3DES_0-HMAC_MD5 NATD=<HOMEFW_IP>:4500 DPD=none}
Nov  2 15:08:14 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: received Delete SA(0x54ce4519) payload: deleting IPSEC State #2
Nov  2 15:08:14 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: deleting connection "roadwarrior-l2tp" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov  2 15:08:14 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: received and ignored informational message
Nov  2 15:08:14 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: received Delete SA payload: deleting ISAKMP State #1
Nov  2 15:08:14 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP>: deleting connection "roadwarrior" instance with peer <HOMEFW_IP> {isakmp=#0/ipsec=#0}
Nov  2 15:08:14 workfw pluto[11934]: packet from <HOMEFW_IP>:4500: received and ignored informational message
----- s n i p -----


Just for completeness (and triple check), this is ipsec.conf:

----- s n i p -----
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        pfs=no

conn roadwarrior
        left=%defaultroute
        leftcert=workfw.domain.tld.pem
        leftrsasigkey=%cert
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        auto=add

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftcert=workfw.domain.tld.pem
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        auto=add

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
----- s n i p -----

----- s n i p -----
gudrun:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.6 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
----- s n i p -----
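As an added example (mine, not from the thread): a small Python triage script run over a constructed sample of four pluto/klips lines taken from the log above. It pairs each "IPsec SA established" with the peer's Delete SA and flags the pattern seen here, where both IKE phases complete but the ESP SA is torn down 35 seconds later, and separately flags klips ignoring NAT-T pfkey extensions while the peer is NATed. The 60-second threshold and the wording of the findings are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: four pluto/klips lines quoted in the post (<HOMEFW_IP> kept as-is).
SAMPLE_LOG = """\
Nov  2 15:07:38 workfw pluto[11934]: "roadwarrior"[1] <HOMEFW_IP> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov  2 15:07:39 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov  2 15:07:39 workfw pluto[11934]: "roadwarrior-l2tp"[1] <HOMEFW_IP> #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x54ce4519 <0xd1c6e0ac xfrm=3DES_0-HMAC_MD5 NATD=<HOMEFW_IP>:4500 DPD=none}
Nov  2 15:08:14 workfw pluto[11934]: "roadwarrior"[2] <HOMEFW_IP> #1: received Delete SA(0x54ce4519) payload: deleting IPSEC State #2
"""

LINE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (pluto\[\d+\]|kernel): (.*)$')
ESTABLISHED = re.compile(r'"([^"]+)"\[\d+\] \S+ #\d+: .*IPsec SA established \{ESP=>(0x[0-9a-f]+)')
DELETED = re.compile(r'received Delete SA\((0x[0-9a-f]+)\) payload')
NATT_IGNORED = re.compile(r'klips:pfkey_msg_parse: ext type \d+\(X-NAT-T-\w+\) unknown, ignoring')

def analyse(log_text, max_lifetime=60):
    """Track each ESP SA from establishment to the peer's Delete SA; flag SAs
    torn down within max_lifetime seconds and NAT-T extensions klips ignored."""
    pending = {}   # outbound SPI -> (connection name, time established)
    result = {'peer_nated': False, 'natt_ext_ignored': 0,
              'sa_lifetimes': {}, 'findings': []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog stamps carry no year; only differences between them are used
        when = datetime.strptime(' '.join(m.group(1).split()), '%b %d %H:%M:%S')
        source, msg = m.group(2), m.group(3)
        if source == 'kernel':
            result['natt_ext_ignored'] += bool(NATT_IGNORED.search(msg))
            continue
        est, dele = ESTABLISHED.search(msg), DELETED.search(msg)
        if 'peer is NATed' in msg:
            result['peer_nated'] = True
        elif est:
            pending[est.group(2)] = (est.group(1), when)
        elif dele and dele.group(1) in pending:
            conn, start = pending.pop(dele.group(1))
            life = (when - start).total_seconds()
            result['sa_lifetimes'][dele.group(1)] = (conn, life)
            if life <= max_lifetime:
                result['findings'].append(
                    f'{conn}: peer deleted ESP SA {dele.group(1)} after {life:.0f}s; IKE '
                    'phases 1 and 2 completed, so check L2TP (UDP 1701) and ESP-in-UDP handling')
    if result['peer_nated'] and result['natt_ext_ignored']:
        result['findings'].append(
            f"klips ignored {result['natt_ext_ignored']} NAT-T pfkey extension(s) while the "
            'peer is NATed; confirm the KLIPS stack was built with NAT-T support')
    return result
```

Running `analyse(SAMPLE_LOG)['findings']` on the sample yields both findings; the same script can be pointed at the full auth.log/syslog capture from the post.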


