[Openswan Users] need some help with openswan / l2tpd

Reza ISSANY issanyr at laposte.net
Tue Nov 21 11:37:26 EST 2006


Hi,

I'm French, so I'll try to write English as well as possible.

I'd like to configure IPsec with L2TP authentication. I already have a
functional connection at my work (using the Win XP Pro SP2 VPN L2TP client).

The objective of this installation is to create my VPN server to do some
tests on VoIP applications.

So I have a small test platform:
- 1 Linux debian server with openswan + l2tpd + ppp
- 1 Win XP Pro SP2 laptop
- 1 VPN Router (to test vpn net-to-net)

I've successfully configured the net-to-net connection. Now I have a
problem with l2tpd. The authentication doesn't seem to work. The key
negotiation seems to work fine, but the connection doesn't work.

*This is my ipsec.conf:*

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth0:0"
        nat_traversal=yes
        virtual_private=%v4:!172.16.7.0/16,%v4:192.168.7.0/24

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

# Add connections here
#leftnexthop=88.191.35.1
#rightnexthop=192.168.7.7

conn %default
        left=88.191.35.181

conn roadwarriorxp
        type=transport
        keyingtries=1
        compress=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=/data/openswan/etc/ipsec.d/certs/newcert.pem
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add

*This is my l2tpd.conf:*

[global]

[lns default]
ip range = 172.16.7.10-172.16.7.30
local ip = 172.16.7.8
require chap = yes
refuse pap = yes
require authentication = yes
name = TestVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

*options.l2tpd:*

ipcp-accept-local
ipcp-accept-remote
ms-dns 88.191.254.60
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
debug
lock
connect-delay 5000
nologfd

*chap-secrets:*

# Secrets for authentication using MS-CHAP
# client        server  secret          IP addresses
integration     *       "qwerty"                172.16.7.10

And the logs on the server:

==> /var/log/auth.log <==
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[3] 82.236.77.42 #3: responding to Main Mode from unknown peer 82.236.77.42
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[3] 82.236.77.42 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[3] 82.236.77.42 #3: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=HOST, O=Internet Widgits Pty Ltd, CN=integration'
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42 #3: deleting connection "roadwarriorxp" instance with peer 82.236.77.42 {isakmp=#0/ipsec=#0}
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42 #3: we have a cert and are sending it upon request
Nov 21 17:42:48 sd-5193 pluto[25394]: | NAT-T: new mapping 82.236.77.42:500/11559)
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sent MR3, ISAKMP SA established
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #4: NAT-Traversal: Transport mode disabled due to security concerns
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #4: sending encrypted notification BAD_PROPOSAL_SYNTAX to 82.236.77.42:11559
Nov 21 17:42:50 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1da1d8d7 (perhaps this is a duplicated packet)
Nov 21 17:42:50 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sending encrypted notification INVALID_MESSAGE_ID to 82.236.77.42:11559
Nov 21 17:42:52 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1da1d8d7 (perhaps this is a duplicated packet)
Nov 21 17:42:52 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sending encrypted notification INVALID_MESSAGE_ID to 82.236.77.42:11559
Nov 21 17:42:56 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1da1d8d7 (perhaps this is a duplicated packet)
Nov 21 17:42:56 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sending encrypted notification INVALID_MESSAGE_ID to 82.236.77.42:11559
Nov 21 17:43:02 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: received Delete SA payload: deleting ISAKMP State #3
Nov 21 17:43:02 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559: deleting connection "roadwarriorxp" instance with peer 82.236.77.42 {isakmp=#0/ipsec=#0}

I really need some help please.

Thanks

azer.
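Reading a pluto log by hand is easy to get wrong, so here is a small parser, added as an example (it is not part of the original post and not Openswan's code), that splits each syslog entry into connection instance, state number and message text, collects the notifications pluto sent, and reports whether the handshake failed in Phase 1 or Phase 2. The sample input is the post's own log, re-joined onto one line per entry; the verdict strings and the explanations are my own naming. On this log it shows that Phase 1 completed ("ISAKMP SA established") and that the real failure is pluto refusing a transport-mode Quick Mode proposal from a NATed peer; the three INVALID_MESSAGE_ID lines that follow are only the client retransmitting the same Quick Mode message. In Openswan 2.x of this era that "Transport mode disabled due to security concerns" message is emitted when the daemon was built without NAT-T transport-mode support (a Makefile.inc build option), which the Windows L2TP/IPsec client requires; confirming the build is outside what the script can see.

```python
import re
import sys

# Constructed sample input: the pluto lines quoted in the post above, one syslog
# entry per line (the mail client had wrapped them).
SAMPLE_LOG = """\
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 21 17:42:48 sd-5193 pluto[25394]: packet from 82.236.77.42:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[3] 82.236.77.42 #3: responding to Main Mode from unknown peer 82.236.77.42
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[3] 82.236.77.42 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[3] 82.236.77.42 #3: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=HOST, O=Internet Widgits Pty Ltd, CN=integration'
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42 #3: deleting connection "roadwarriorxp" instance with peer 82.236.77.42 {isakmp=#0/ipsec=#0}
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42 #3: we have a cert and are sending it upon request
Nov 21 17:42:48 sd-5193 pluto[25394]: | NAT-T: new mapping 82.236.77.42:500/11559)
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sent MR3, ISAKMP SA established
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #4: NAT-Traversal: Transport mode disabled due to security concerns
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #4: sending encrypted notification BAD_PROPOSAL_SYNTAX to 82.236.77.42:11559
Nov 21 17:42:50 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1da1d8d7 (perhaps this is a duplicated packet)
Nov 21 17:42:50 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sending encrypted notification INVALID_MESSAGE_ID to 82.236.77.42:11559
Nov 21 17:42:52 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1da1d8d7 (perhaps this is a duplicated packet)
Nov 21 17:42:52 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sending encrypted notification INVALID_MESSAGE_ID to 82.236.77.42:11559
Nov 21 17:42:56 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1da1d8d7 (perhaps this is a duplicated packet)
Nov 21 17:42:56 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: sending encrypted notification INVALID_MESSAGE_ID to 82.236.77.42:11559
Nov 21 17:43:02 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559 #3: received Delete SA payload: deleting ISAKMP State #3
Nov 21 17:43:02 sd-5193 pluto[25394]: "roadwarriorxp"[4] 82.236.77.42:11559: deleting connection "roadwarriorxp" instance with peer 82.236.77.42 {isakmp=#0/ipsec=#0}
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# messages tied to a connection instance: "conn"[inst] peer[:port] [#state]: text
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.:]+)(?: #(?P<state>\d+))?: (?P<text>.*)$')
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<notify>[A-Z_]+) to ")
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\S+?): '(?P<id>[^']*)'")


def parse_pluto_log(text):
    """Turn pluto syslog lines into dicts; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "conn": None, "inst": None, "peer": None, "state": None, "text": m["msg"]}
        c = CONN_RE.match(m["msg"])
        if c:
            ev.update(conn=c["conn"], inst=int(c["inst"]), peer=c["peer"],
                      state=int(c["state"]) if c["state"] else None, text=c["text"])
        events.append(ev)
    return events


def summarize(events):
    """Collect the facts that decide whether the failure is in Phase 1 or Phase 2."""
    s = {"phase1_established": False, "peer_nated": False, "peer_id": None,
         "transport_mode_refused": False, "notifications": []}
    for ev in events:
        t = ev["text"]
        if "ISAKMP SA established" in t:
            s["phase1_established"] = True          # Main Mode (Phase 1) completed
        if "peer is NATed" in t:
            s["peer_nated"] = True                  # NAT-T detected a NAT in front of the client
        if "Transport mode disabled due to security concerns" in t:
            s["transport_mode_refused"] = True      # Phase 2 proposal rejected by pluto itself
        p = PEER_ID_RE.search(t)
        if p:
            s["peer_id"] = p["id"]
        n = NOTIFY_RE.search(t)
        if n:
            s["notifications"].append((ev["state"], n["notify"]))
    return s


# Verdict names and explanations are this example's own, not pluto's.
VERDICTS = {
    "phase1-failed": "no ISAKMP SA was established; look at authentication/ID/certificate lines",
    "nat-t-transport-mode-refused": "Phase 1 completed, but pluto refused transport mode for a NATed peer; "
                                    "later INVALID_MESSAGE_ID lines are only client retransmissions",
    "quick-mode-retransmits-only": "Phase 1 completed; Quick Mode never succeeded, but no explicit refusal was logged",
    "no-known-failure-pattern": "nothing in this log matches a known failure pattern",
}


def diagnose(s):
    """Map a summary to one verdict key from VERDICTS."""
    if not s["phase1_established"]:
        return "phase1-failed"
    if s["peer_nated"] and s["transport_mode_refused"]:
        return "nat-t-transport-mode-refused"
    if any(n == "INVALID_MESSAGE_ID" for _, n in s["notifications"]):
        return "quick-mode-retransmits-only"
    return "no-known-failure-pattern"


if __name__ == "__main__":
    # Usage: python3 pluto_summary.py [/var/log/auth.log]; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(parse_pluto_log(text))
    verdict = diagnose(summary)
    print("peer id:", summary["peer_id"])
    print("notifications sent:", summary["notifications"])
    print("verdict:", verdict, "-", VERDICTS[verdict])
```

The script only reads the log; it does not change anything on the server. Point it at the live auth.log after a failed connection attempt and compare the first notification pluto sent (here BAD_PROPOSAL_SYNTAX on state #4) with the later ones, since the first one is the actual cause and the rest are usually noise from the client retrying.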