[Openswan Users] Openswan <-> WinXp with L2TP and X.509 behind NATs not working

Florian Hackenberger f.hackenberger at chello.at
Sat Nov 18 15:30:32 EST 2006


On Saturday 18 November 2006 20:49, you wrote:
> Could be an MTU problem:
> http://www.jacco2.dds.nl/networking/openswan-l2tp.html#MTUproblems
I've tried 'ifconfig ethX mtu 1400', as well as 'echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc' on the server, but I always get the same results.

> Does the problem also occur with a PSK?
I switched to X.509 certificates because I couldn't get it working with PSK. 
However, when adding a PSK to ipsec.secrets and setting 
authby=secret instead of authby=rsasig
and removing the following lines:
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/hacki-mobile.hackenberger.at_cert.pem
leftsendcert=always
rightca=%same
rightrsasigkey=%cert

I get the error 792 on the WinXP client and the log below on the Linux server. This line seems to be the crux:
deleting connection "l2tp-X.509" instance with peer 88.117.175.26 {isakmp=#0/ipsec=#0}

Regards,
	Florian

pluto[5180]: packet from 88.117.175.26:65450: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[5180]: packet from 88.117.175.26:65450: ignoring Vendor ID payload [FRAGMENTATION]
pluto[5180]: packet from 88.117.175.26:65450: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[5180]: packet from 88.117.175.26:65450: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: responding to Main Mode from unknown peer 88.117.175.26
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: Main mode peer ID is ID_FQDN: '@greilberger.hgu.at'
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: deleting connection "l2tp-X.509" instance with peer 88.117.175.26 {isakmp=#0/ipsec=#0}
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: I did not send a certificate because I do not have one.
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[5180]: | NAT-T: new mapping 88.117.175.26:65450/65472)
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: cannot respond to IPsec SA request because no connection is known for 84.115.131.198/32===192.168.1.158:17/1701...88.117.175.26[@greilberger.hgu.at]:17/1701
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: sending encrypted notification INVALID_ID_INFORMATION to 88.117.175.26:65472
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcaac6062 (perhaps this is a duplicated packet)
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: sending encrypted notification INVALID_MESSAGE_ID to 88.117.175.26:65472
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcaac6062 (perhaps this is a duplicated packet)
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: sending encrypted notification INVALID_MESSAGE_ID to 88.117.175.26:65472
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcaac6062 (perhaps this is a duplicated packet)
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: sending encrypted notification INVALID_MESSAGE_ID to 88.117.175.26:65472
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcaac6062 (perhaps this is a duplicated packet)
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: sending encrypted notification INVALID_MESSAGE_ID to 88.117.175.26:65472


-- 
Florian Hackenberger
student @
University of Technology
Graz, Austria
florian at hackenberger.at
www.hackenberger.at
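A small triage script for the pluto log above, added here as an example; it is not code from the post or from Openswan. It walks the log once and separates what the log actually establishes (NAT-T result, the peer's ID type and value, Phase 1 completing with the PSK, the connection instance being deleted and re-instantiated) from where the exchange is actually refused (the Phase 2 "no connection is known for ..." selector and the INVALID_ID_INFORMATION / INVALID_MESSAGE_ID notifications). The regexes are fitted to the message formats visible in this log and the reading of the selector string as <local client>===<local host>:<proto>/<port>...<peer host>[<peer id>]:<proto>/<port> is an assumption; the sample lines are constructed from the post's log, re-joined where the mail client wrapped them.

```python
"""Triage Openswan/pluto responder log lines (added example, not Openswan code)."""
import re
from collections import Counter

# Constructed sample: lines from the post, unwrapped. The "| NAT-T" line has no
# connection prefix and is skipped by the parser on purpose.
SAMPLE_LOG = """\
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: responding to Main Mode from unknown peer 88.117.175.26
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[5180]: "l2tp-X.509"[1] 88.117.175.26 #1: Main mode peer ID is ID_FQDN: '@greilberger.hgu.at'
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: deleting connection "l2tp-X.509" instance with peer 88.117.175.26 {isakmp=#0/ipsec=#0}
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: I did not send a certificate because I do not have one.
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[5180]: | NAT-T: new mapping 88.117.175.26:65450/65472)
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: cannot respond to IPsec SA request because no connection is known for 84.115.131.198/32===192.168.1.158:17/1701...88.117.175.26[@greilberger.hgu.at]:17/1701
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: sending encrypted notification INVALID_ID_INFORMATION to 88.117.175.26:65472
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcaac6062 (perhaps this is a duplicated packet)
pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: sending encrypted notification INVALID_MESSAGE_ID to 88.117.175.26:65472
"""

# Per-connection prefix: pluto[pid]: "conn"[instance] peer #sa: message
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
NAT_RE = re.compile(r'NAT-Traversal: Result using (?P<draft>\S+): (?P<result>.*)')
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<type>\S+): '(?P<id>[^']*)'")
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
NOTIFY_RE = re.compile(r'sending encrypted notification (\S+) to (\S+)')
# Assumed reading of the rejected Phase 2 proposal:
# <local client>===<local host>:<proto>/<port>...<peer host>[<peer id>]:<proto>/<port>
SELECTOR_RE = re.compile(
    r'no connection is known for '
    r'(?P<lclient>\S+?)===(?P<lhost>[^:]+):(?P<lproto>\d+)/(?P<lport>\d+)'
    r'\.\.\.(?P<rhost>[^\[:]+)(?:\[(?P<rid>[^\]]*)\])?:(?P<rproto>\d+)/(?P<rport>\d+)')


def parse_line(line):
    """Fields of a per-connection pluto line, or None for lines without that prefix."""
    m = CONN_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Collect the facts a responder-side triage needs from one pluto log."""
    s = {"conn": None, "peer": None, "states": [], "nat_t": None, "peer_id": None,
         "isakmp_sa": None, "instance_deleted": False, "unmatched_selector": None,
         "notifications": Counter()}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        s["conn"], s["peer"] = f["conn"], f["peer"]
        msg = f["msg"]
        if (m := TRANSITION_RE.search(msg)):
            s["states"].append(m.group(2))        # state reached
        elif (m := NAT_RE.search(msg)):
            s["nat_t"] = m["result"]
        elif (m := PEER_ID_RE.search(msg)):
            s["peer_id"] = (m["type"], m["id"])
        elif (m := ISAKMP_RE.search(msg)):
            s["isakmp_sa"] = dict(kv.split("=", 1) for kv in m["params"].split())
        elif (m := SELECTOR_RE.search(msg)):
            s["unmatched_selector"] = m.groupdict()
        elif (m := NOTIFY_RE.search(msg)):
            s["notifications"][m.group(1)] += 1
        elif msg.startswith("deleting connection"):
            s["instance_deleted"] = True
    s["findings"] = findings(s)
    return s


def findings(s):
    """Short, checkable statements derived only from the collected facts."""
    out = []
    if s["nat_t"]:
        out.append(f"NAT-T result: {s['nat_t']}")
    if s["peer_id"]:
        out.append(f"peer ID is {s['peer_id'][0]} {s['peer_id'][1]!r}; compare with the connection's rightid")
    if s["isakmp_sa"]:
        note = " after an instance was deleted" if s["instance_deleted"] else ""
        out.append(f"Phase 1 completed with auth={s['isakmp_sa'].get('auth')}{note}")
    sel = s["unmatched_selector"]
    if sel:
        out.append(f"Phase 2 refused: no connection for {sel['lclient']}==={sel['lhost']} "
                   f"<-> {sel['rhost']} proto {sel['lproto']} port {sel['lport']}")
        if sel["lclient"].split("/")[0] != sel["lhost"]:
            out.append(f"peer proposed local client {sel['lclient']} but pluto's local host is "
                       f"{sel['lhost']}: compare with the connection's leftsubnet")
    for kind, n in s["notifications"].items():
        out.append(f"sent {kind} x{n}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG)["findings"]:
        print("-", line)
```

Run against the full log it reports that Phase 1 finished with the PSK even though instance [1] was torn down and re-created as [2], and that the refusal happens at Phase 2, where the selector the peer proposes for the server side (84.115.131.198/32, the server's public address) does not match the host address pluto is working with (192.168.1.158); the repeated INVALID_MESSAGE_ID lines are the client retrying the same Quick Mode message ID after that refusal.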

