[Openswan Users] WinXP Roadwarrior cannot connect to xl2tpd

Stefan Denker Stefan at dn-kr.de
Tue Nov 7 06:15:24 EST 2006


Hello there, 

So now I am trying to connect my home workstation (WinXP for testing,
NATed behind my openswan gateway) to the network at
work using openswan (netkey), xl2tpd 1.04 and certificates. The
corresponding connection definition on the server is:

conn khdn-rw
        left=212.16.235.28
        leftcert=/etc/ipsec.d/certs/seikan.pem
        # L2TP over IPsec: the gateway listens on UDP/1701, the client may use any source port
        leftprotoport=17/1701
        leftrsasigkey=%cert
        right=%any
        # accept the client whether it sits behind NAT (private address) or not
        rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert
        rightprotoport=17/%any
        rightid="C=DE, ST=Nordrhein-Westfalen, O=..."
        #
        pfs=no
        authby=rsasig
        type=transport
        auto=add
        dpddelay=60
        dpdtimeout=240
        dpdaction=clear

I imported the client's certificate with certimport.exe and set up a
connection on my WinXP machine. When trying to connect, the IPsec session
is established, but something is wrong after that:

,--------[/var/log/auth.log]---------
| ... 
| Nov  7 11:52:32 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: responding to Main Mode from unknown peer 87.78.98.213
| Nov  7 11:52:32 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
| Nov  7 11:52:32 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: STATE_MAIN_R1: sent MR1, expecting MI2
| Nov  7 11:52:33 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
| Nov  7 11:52:33 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
| Nov  7 11:52:33 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: STATE_MAIN_R2: sent MR2, expecting MI3
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=Nordrhein-Westfalen, O=...'
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: I am sending my cert
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
| Nov  7 11:52:34 seikan pluto[1825]: | NAT-T: new mapping 87.78.98.213:500/4500)
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #52: responding to Quick Mode {msgid:d9718375}
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #52: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #52: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #52: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #52: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
| Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #52: STATE_QUICK_R2: IPsec SA established {ESP=>0x6734bac4 <0xc9e732ed xfrm=3DES_0-HMAC_MD5 NATD=87.78.98.213:4500 DPD=none}
| Nov  7 11:52:39 seikan pluto[1825]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 87.78.98.213 port 4500, complainant 212.16.235.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
| Nov  7 11:53:02 seikan last message repeated 17 times
| Nov  7 11:53:09 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: received Delete SA(0x6734bac4) payload: deleting IPSEC State #52
| Nov  7 11:53:09 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: received and ignored informational message
| Nov  7 11:53:09 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: received Delete SA payload: deleting ISAKMP State #51
| Nov  7 11:53:09 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213: deleting connection "khdn-rw" instance with peer 87.78.98.213 {isakmp=#0/ipsec=#0}
`---


,--------[/var/log/syslog]---------
| Nov  7 11:52:36 seikan l2tpd[30275]: control_finish: Peer requested tunnel 1 twice, ignoring second one. 
| Nov  7 11:52:41 seikan last message repeated 2 times
| Nov  7 11:52:41 seikan l2tpd[30275]: Maximum retries exceeded for tunnel 59510.  Closing. 
| Nov  7 11:52:41 seikan l2tpd[30275]: Connection 1 closed to 87.78.98.213, port 1701 (Timeout) 
| Nov  7 11:52:46 seikan l2tpd[30275]: Unable to deliver closing message for tunnel 59510. Destroying anyway. 
| Nov  7 11:52:56 seikan l2tpd[30275]: Maximum retries exceeded for tunnel 3222.  Closing. 
| Nov  7 11:52:56 seikan l2tpd[30275]: Connection 1 closed to 87.78.98.213, port 1701 (Timeout) 
| Nov  7 11:52:59 seikan l2tpd[30275]: control_finish: Peer requested tunnel 1 twice, ignoring second one. 
| Nov  7 11:53:01 seikan l2tpd[30275]: Unable to deliver closing message for tunnel 3222. Destroying anyway. 
`---

Any help with that? I tried to search the mailing list archive, but
*.openswan.org seems to be down at the moment.

It seems to me something weird is going on in the routing table, so the
two hosts cannot reach each other when the IPsec tunnel is established.
I cannot reach the server via ssh for some time once I try to connect.

Thanks in advance

Stefan
 
-- 
"In my opinion MS is a lot better at making money
than it is at making good operating systems"
-- Linus Torvalds --
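As an added example (not part of the original post, nor code from the Openswan or xl2tpd projects), here is a small Python log correlator that parses pluto and l2tpd lines of the kind shown above and reports which layer failed: IKE, the ESP-in-UDP/4500 path, or L2TP. The fixture lines are constructed from the log excerpts in the post (the wrapped "asynchronous network error" line is re-joined); the verdict strings are the editor's reading of those lines, not a confirmed diagnosis of Stefan's setup.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed fixture: lines taken from the auth.log / syslog excerpts in the post.
AUTH_LOG = """\
Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov  7 11:52:34 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #52: STATE_QUICK_R2: IPsec SA established {ESP=>0x6734bac4 <0xc9e732ed xfrm=3DES_0-HMAC_MD5 NATD=87.78.98.213:4500 DPD=none}
Nov  7 11:52:39 seikan pluto[1825]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 87.78.98.213 port 4500, complainant 212.16.235.28: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov  7 11:53:02 seikan last message repeated 17 times
Nov  7 11:53:09 seikan pluto[1825]: "khdn-rw"[1] 87.78.98.213 #51: received Delete SA(0x6734bac4) payload: deleting IPSEC State #52
"""
SYSLOG = """\
Nov  7 11:52:36 seikan l2tpd[30275]: control_finish: Peer requested tunnel 1 twice, ignoring second one.
Nov  7 11:52:41 seikan l2tpd[30275]: Maximum retries exceeded for tunnel 59510.  Closing.
Nov  7 11:52:56 seikan l2tpd[30275]: Maximum retries exceeded for tunnel 3222.  Closing.
"""

TS = r'(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)'
PLUTO = re.compile(TS + r' \S+ pluto\[\d+\]: (?P<msg>.*)$')
L2TPD = re.compile(TS + r' \S+ l2tpd\[\d+\]: (?P<msg>.*)$')
REPEATED = re.compile(TS + r' \S+ last message repeated (?P<n>\d+) times$')
SA_UP = re.compile(r'#(?P<sa>\d+): STATE_QUICK_R2: IPsec SA established '
                   r'\{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+).*NATD=(?P<peer>[\d.]+):(?P<port>\d+)')
NET_ERR = re.compile(r'asynchronous network error report on (?P<dev>\S+) \(sport=(?P<sport>\d+)\) '
                     r'for message to (?P<peer>[\d.]+) port (?P<port>\d+), complainant (?P<who>[\d.]+):'
                     r'.*ICMP type (?P<type>\d+) code (?P<code>\d+)')
DELETE = re.compile(r'received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<sa>\d+)')
L2TP_TIMEOUT = re.compile(r'Maximum retries exceeded for tunnel (?P<tid>\d+)')


def parse_ts(ts: str) -> datetime:
    # syslog timestamps carry no year; only differences between them are used here
    return datetime.strptime(re.sub(r'\s+', ' ', ts), '%b %d %H:%M:%S')


@dataclass
class Report:
    sa_established: bool = False
    ipsec_state: str = ''
    out_spi: str = ''
    peer: str = ''
    nat_t_port: int = 0
    icmp_unreachable: int = 0          # ICMP type 3 reports, "last message repeated N times" included
    complainant: str = ''              # who generated the ICMP; the gateway itself means a local routing failure
    first_error_after_sa_s: Optional[float] = None
    sa_deleted_by_peer: bool = False
    l2tp_timeouts: List[str] = field(default_factory=list)
    verdicts: List[str] = field(default_factory=list)


def diagnose(auth_log: str, syslog: str) -> Report:
    r = Report()
    sa_time = None
    last_was_net_err = False
    for line in auth_log.splitlines():
        line = line.rstrip()
        rep = REPEATED.match(line)
        if rep:                        # syslog dedup: attribute the repeats to the preceding error line
            if last_was_net_err:
                r.icmp_unreachable += int(rep['n'])
            continue
        m = PLUTO.match(line)
        if not m:
            continue
        msg, last_was_net_err = m['msg'], False
        sa = SA_UP.search(msg)
        if sa:
            r.sa_established, r.ipsec_state, r.out_spi = True, sa['sa'], sa['out']
            r.peer, r.nat_t_port, sa_time = sa['peer'], int(sa['port']), parse_ts(m['ts'])
            continue
        err = NET_ERR.search(msg)
        if err and err['type'] == '3':   # ICMP destination unreachable for our UDP/4500 traffic
            last_was_net_err = True
            r.icmp_unreachable += 1
            r.complainant = err['who']
            if sa_time is not None and r.first_error_after_sa_s is None:
                r.first_error_after_sa_s = (parse_ts(m['ts']) - sa_time).total_seconds()
            continue
        d = DELETE.search(msg)
        if d and d['spi'] == r.out_spi:
            r.sa_deleted_by_peer = True
    for line in syslog.splitlines():
        m = L2TPD.match(line.rstrip())
        t = L2TP_TIMEOUT.search(m['msg']) if m else None
        if t:
            r.l2tp_timeouts.append(t['tid'])
    if r.sa_established and r.icmp_unreachable:
        origin = 'the gateway itself' if r.complainant != r.peer else 'the peer'
        r.verdicts.append(
            f"IKE and IPsec SA #{r.ipsec_state} (ESP out {r.out_spi}) came up, but {r.icmp_unreachable} "
            f"ICMP unreachable reports for UDP/{r.nat_t_port} to {r.peer} followed, the first "
            f"{r.first_error_after_sa_s:.0f}s later, generated by {origin} ({r.complainant}): "
            "check the gateway's route and xfrm policy towards the NATed peer, not the IKE negotiation.")
    if r.l2tp_timeouts:
        r.verdicts.append(f"xl2tpd exhausted retries for tunnel(s) {', '.join(r.l2tp_timeouts)}: "
                          "L2TP control messages never reached the peer, consistent with the UDP/4500 path failing.")
    if r.sa_deleted_by_peer:
        r.verdicts.append("the peer sent Delete SA for the same SPI: the client gave up and tore the tunnel down.")
    return r


if __name__ == '__main__':
    for v in diagnose(AUTH_LOG, SYSLOG).verdicts:
        print('-', v)
```

The point of the correlation is the ordering: the ICMP errors arrive only after the IPsec SA is installed and are raised by the gateway's own address, which separates "IKE failed" from "IKE succeeded and the encrypted return path to the client broke". Run it against a real pair of files with `diagnose(open('/var/log/auth.log').read(), open('/var/log/syslog').read())`.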