[Openswan Users] win-xp (sp2) with nat-t not working with dsl
Gbenga
stjames08 at yahoo.co.uk
Sat Nov 4 19:49:26 EST 2006
Hi All,
Apologies for coming back late on this, but it is still not working for me. I have changed all the options that I think were suggested on the list, without success. I've also upgraded to the latest xl2tpd (v1.1.05). No success yet.
It was mentioned somewhere by Jacco that he has never had luck using kernel 2.6 with l2tpd (roadwarrior), so I have configured kernel version 2.4.33.3 with all the necessary patches. I will report back on my adventure.
I am using the ADSL modem ZyXEL Prestige 660 RU-T1, if anyone has any experience working with that with roadwarriors. Any other advice that can help is welcome as well. I note that the author of this list item is facing this same problem: http://thread.gmane.org/gmane.network.openswan.user/10400/focus=10400. I don't know if he has been successful; there is no mention of it on the list (he's cc'd).
One strange thing I noted in the auth.log is this:
Nov 5 00:03:26 aparo pluto[16992]: "l2tp-syseng"[4] 194.125.79.166 #93: STATE_QUICK_R2: IPsec SA established {ESP=>0x43f2cdc5 <0x02450523 xfrm=3DES_0-HMAC_MD5 NATD=194.125.79.166:17805 DPD=none}
"NATD=194.125.79.166:17805" !!! This points to a port other than 4500.
Thanks again & bravo for that multi-client feature in the new xl2tpd!
Rgds,
Gbenga
PS: relevant logs are attached.
----- Original Message ----
From: Gbenga <stjames08 at yahoo.co.uk>
To: users at openswan.org
Sent: Thursday, 26 October, 2006 11:24:21 PM
Subject: Re: [Openswan Users] win-xp (sp2) with nat-t not working with dsl
Hi all,
I wish someone who has been through this before would assist with my configuration. I have reduced my MTU gradually, even down to 1000, without any luck. It is currently at 1472.
Just in case I didn't explain well: I have openswan version 2.4.6 working with xl2tp-1.0.4 and ppp. If the client (Win XP SP2) is on the internet address space it connects OK, but from behind a gateway, e.g. a DSL router at home, I can't connect. The IPsec SA is established OK; it's just that ppp/x/l2tpd didn't pick up the call after that.
Paul advised that it is most likely a fragmentation issue, but I am not getting a fragmentation error in the auth.log.
my auth.log:
--------------------
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: responding to Main Mode from unknown peer 212.2.177.88
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: Main mode peer ID is ID_DER_ASN1_DN: 'C=IE, ST=Dublin, O=Networks, OU=Systems Eng, CN=Gbenga Sogbetun, E=olugbenga.Sogbetun at bt.com'
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: no crl from issuer "C=IE, O=Networks, OU=Systems Eng, ST=Dublin, L=Dundrum, CN=Systems Eng CA, E=olugbenga.Sogbetun at bt.com" found (strict=no)
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: switched from "l2tp-syseng" to "l2tp-syseng"
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: deleting connection "l2tp-syseng" instance with peer 212.2.177.88 {isakmp=#0/ipsec=#0}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: I am sending my cert
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 26 00:51:21 aparo pluto[11330]: | NAT-T: new mapping 212.2.177.88:500/12256)
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: responding to Quick Mode {msgid:e8ded7d8}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R2: IPsec SA established {ESP=>0x735d6531 <0xfbc91a78 xfrm=3DES_0-HMAC_MD5 NATD=212.2.177.88:12256 DPD=none}
I also ran l2tpd in debug mode but absolutely nothing came up in it. On the list there are various people who claimed to have got it working for them, but no mention of what they did to get it working!
If it is of any use, the DSL is a 3 meg link, but I don't think that matters. If anyone here has a working conf that I can compare with mine, that would be good.
Rgds,
Gbenga
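As an added example (not code from the thread), a small Python parser for pluto auth.log lines of the shape quoted above. It pulls out what the discussion keys on: the NAT-Traversal result, the ISAKMP and IPsec SA parameters, and the NATD mapping. The sample lines are constructed copies of the ones in the log above; the NATD port is the peer's NAT-mapped source port, so a value other than 4500 is what a NATed client normally shows.

```python
import re

# Constructed sample lines in the shape of the pluto auth.log quoted in the thread.
SAMPLE_LOG = """\
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R2: IPsec SA established {ESP=>0x735d6531 <0xfbc91a78 xfrm=3DES_0-HMAC_MD5 NATD=212.2.177.88:12256 DPD=none}
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: (?P<msg>.*)$')
BRACES_RE = re.compile(r'\{(?P<body>[^}]*)\}')           # trailing {key=value ...} block
ESP_RE = re.compile(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')  # outbound/inbound SPI pair
KV_RE = re.compile(r'(\w+)=(\S+)')

def parse_attrs(msg):
    """Return the key=value attributes inside the trailing {...} of an SA line."""
    m = BRACES_RE.search(msg)
    if not m:
        return {}
    body = m.group('body')
    attrs = {}
    esp = ESP_RE.search(body)
    if esp:  # the SPI pair is not key=value shaped, so split it out first
        attrs['spi_out'], attrs['spi_in'] = esp.group(1), esp.group(2)
        body = body[:esp.start()] + body[esp.end():]
    attrs.update(KV_RE.findall(body))
    return attrs

def summarize(log_text):
    """Collect NAT-T result, ISAKMP SA, IPsec SA and NATD mapping for the last conn seen."""
    s = {'conn': None, 'peer': None, 'nat_result': None,
         'isakmp': None, 'ipsec': None, 'natd': None}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s['conn'], s['peer'], msg = m.group('conn'), m.group('peer'), m.group('msg')
        if 'NAT-Traversal: Result' in msg:
            s['nat_result'] = msg.rsplit(': ', 1)[1]
        elif 'ISAKMP SA established' in msg:
            s['isakmp'] = parse_attrs(msg)
        elif 'IPsec SA established' in msg:
            s['ipsec'] = parse_attrs(msg)
            if 'NATD' in s['ipsec']:
                # NATD is the peer as seen after NAT: its address and NAT-mapped
                # source port, so a port other than 4500 is normal for a NATed client.
                ip, port = s['ipsec']['NATD'].rsplit(':', 1)
                s['natd'] = (ip, int(port))
    return s
```

Run summarize() over a real auth.log; for the sample above it reports nat_result 'both are NATed', group modp2048 and the NATD mapping 212.2.177.88 port 12256.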
----- Original Message ----
From: Paul Wouters <paul at xelerance.com>
To: Gbenga <stjames08 at yahoo.co.uk>
Cc: users at openswan.org
Sent: Monday, 23 October, 2006 4:39:25 PM
Subject: Re: [Openswan Users] win-xp (sp2) with nat-t not working with dsl
On Mon, 23 Oct 2006, Gbenga wrote:
> Ok, I see this is a bug that is under consideration. Is the fix going into the 2.4.7 release?
>
> http://bugs.xelerance.com/view.php?id=541&nbn=4
That is a resolved bug. There is no fix for fragmentation. Try setting your
external mtu on the vpn server to 1472 or 1450.
> conn %default
> authby=secret|rsasig
I would just set this to rsasig, esp. since you are using certificates.
>
> conn l2tp-syseng
> left=10.10.1.57
> leftsubnet=10.10.1.57/32
You should not be setting subnet options, since l2tp is a transport mode
host-host connection (with the exception of the rightsubnet to support
NAT-T).
> rightsubnet=vhost:%no,%priv
So that's ok.
> compress=yes
> disablearrivalcheck=no
> type=tunnel
That is wrong for l2tp. It must be transport mode. If your openswan then
complains about the rightsubnet, comment out the type line completely.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Send instant messages to your online friends http://uk.messenger.yahoo.com
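Paul's three corrections applied to the quoted conn, as an added illustration and not a configuration taken from the thread. The left address and rightsubnet line are the ones quoted; right=%any and the leftprotoport/rightprotoport lines are assumptions (the usual roadwarrior and L2TP-on-UDP-1701 settings) that do not appear in the quoted excerpt.

```ini
# BEFORE: the conn as quoted in the thread (tunnel mode plus subnet options)
conn %default
        authby=secret|rsasig

conn l2tp-syseng
        left=10.10.1.57
        leftsubnet=10.10.1.57/32
        rightsubnet=vhost:%no,%priv
        compress=yes
        disablearrivalcheck=no
        type=tunnel

# AFTER: the same conn with the corrections from the reply above
conn %default
        # certificates are in use, so only rsasig is needed
        authby=rsasig

conn l2tp-syseng
        left=10.10.1.57
        # no leftsubnet: L2TP/IPsec is a host-to-host transport-mode connection
        # assumption (not in the quoted excerpt): accept any roadwarrior address
        right=%any
        # the one subnet option that stays, so NAT-T clients on private ranges are accepted
        rightsubnet=vhost:%no,%priv
        # assumption (not in the quoted excerpt): limit the SA to L2TP on UDP 1701
        leftprotoport=17/1701
        rightprotoport=17/%any
        compress=yes
        disablearrivalcheck=no
        # transport mode, not tunnel; if this openswan then rejects rightsubnet,
        # remove the type line entirely
        type=transport
```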
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: l2f.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20061105/4670228e/attachment-0001.txt