[Openswan Users] win-xp (sp2) with nat-t not working with dsl [SOLVED]
Gbenga
stjames08 at yahoo.co.uk
Sun Nov 19 18:02:55 EST 2006
Hi list,
Just a quick report on this issue. Since I didn't get this to work with klip, I decided to try netkey. I compiled a new kernel (2.6.18) since newer kernel is meant to work well with netkey internal ipsec mangling.
I got the latest openswan 2.4.7, compiled against the kernel and tested it. Everything worked very well. I didn't even need to change the mtu.
Relevent details:
kernel: Linux aparo 2.6.18 #1 Thu Nov 16 17:09:22 GMT 2006 i686 GNU/Linux
openswan: Linux Openswan U2.4.7/K2.6.18 (netkey).
openswan verify command:
osogbetun at aparo:~$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.7/K2.6.18 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
I don't if anything has changed to make this possible in the 2.4.7 version, I am going try it with klip again and will report back.
Rgds,
Gbenga
----- Original Message ----
From: Gbenga <stjames08 at yahoo.co.uk>
To: users at openswan.org
Sent: Thursday, 26 October, 2006 11:24:21 PM
Subject: Re: [Openswan Users] win-xp (sp2) with nat-t not working with dsl
Hi all,
I wish someone who has been through this before will assist in my configuration. I have reduced my mtu gradually even upto 1000 without any luck. It is currently at 1472.
Just in case I didn't explain well. I have openswan version 2.4.6 working with xl2tp-1.0.4 and ppp. If the client (win xp sp2) is on the internet address space they connect ok, but behind a gateway e.g dsl router from home, I can't connect. The IPSec SA established ok, just that ppp/x/l2tpd didn't pick up the call after that.
Paul advised that it most likely a fragmentation issue but I am not getting a fragmentation error in the auth.log.
my auth.log:
--------------------
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: responding to Main Mode from unknown peer 212.2.177.88
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: Main mode peer ID is ID_DER_ASN1_DN: 'C=IE, ST=Dublin, O=Networks, OU=Systems Eng, CN=Gbenga Sogbetun, E=olugbenga.Sogbetun at bt.com'
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: no crl from issuer "C=IE, O=Networks, OU=Systems Eng, ST=Dublin, L=Dundrum, CN=Systems Eng CA, E=olugbenga.Sogbetun at bt.com" found (strict=no)
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: switched from "l2tp-syseng" to "l2tp-syseng"
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: deleting connection "l2tp-syseng" instance with peer 212.2.177.88 {isakmp=#0/ipsec=#0}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: I am sending my cert
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 26 00:51:21 aparo pluto[11330]: | NAT-T: new mapping 212.2.177.88:500/12256)
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: responding to Quick Mode {msgid:e8ded7d8}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R2: IPsec SA established {ESP=>0x735d6531 <0xfbc91a78 xfrm=3DES_0-HMAC_MD5 NATD=212.2.177.88:12256 DPD=none}
I also ran the l2pd in debug mode but nothing absolutely come up in it. On the list there are various people that claimed to have got it working for them but no mention of what they did to get it working!
If it is of any use, the dsl is a 3meg link, but I don't htink that matters. If anyone is here that has a working conf, that I can compare with mine that will be good.
Rgds,
Gbenga
----- Original Message ----
From: Paul Wouters <paul at xelerance.com>
To: Gbenga <stjames08 at yahoo.co.uk>
Cc: users at openswan.org
Sent: Monday, 23 October, 2006 4:39:25 PM
Subject: Re: [Openswan Users] win-xp (sp2) with nat-t not working with dsl
On Mon, 23 Oct 2006, Gbenga wrote:
> Ok, I see this is a bug that is under consideration. Is the fix going into the 2.4.7 release?
>
> http://bugs.xelerance.com/view.php?id=541&nbn=4
That is a resolved bug. There is no fix for fragmentation. Try setting your
external mtu on the vpn server to 1472 or 1450.
> conn %default
> authby=secret|rsasig
I whould just set this to rsasig, esp. since you are using certificates
>
> conn l2tp-syseng
> left=10.10.1.57
> leftsubnet=10.10.1.57/32
you should not be setting subnet options, since l2tp is a transport mode
host-host connection. (with the exception of the rightsubnet to support
NAT-T.
> rightsubnet=vhost:%no,%priv
So that's ok.
> compress=yes
> disablearrivalcheck=no
> type=tunnel
That is wrong for l2tp. It must be transport mode. If your openswan then
complains about the rightsubnet, comment out the type line completely.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Send instant messages to your online friends http://uk.messenger.yahoo.com
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Send instant messages to your online friends http://uk.messenger.yahoo.com
More information about the Users
mailing list