[Openswan Users] need some help with openswan / l2tpd

Reza ISSANY issanyr at laposte.net
Tue Nov 21 17:02:11 EST 2006


OK, I've tried your configuration without type=transport and the line 
"Transport mode disabled ..." disappears:

==> /var/log/auth.log <==

Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42 
#1: we have a cert and are sending it upon request
Nov 21 20:54:33 sd-5193 pluto[25568]: | NAT-T: new mapping 
82.236.77.42:500/12568)
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 
82.236.77.42:12568 #1: sent MR3, ISAKMP SA established
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 
82.236.77.42:12568 #1: cannot respond to IPsec SA request because no 
connection is known for 88.191.35.181:4500[C=FR, ST=HOST, O=Internet 
Widgits Pty Ltd, CN=integration]:17/1701...82.236.77.42:12568[C=FR, 
ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]:17/%any
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 
82.236.77.42:12568 #1: sending encrypted notification 
INVALID_ID_INFORMATION to 82.236.77.42:12568
Nov 21 20:54:34 sd-5193 pluto[25568]: "roadwarriorxp"[2] 
82.236.77.42:12568 #1: Quick Mode I1 message is unacceptable because it 
uses a previously used Message ID 0xb7703a26 (perhaps this is a 
duplicated packet)
Nov 21 20:54:34 sd-5193 pluto[25568]: "roadwarriorxp"[2] 
82.236.77.42:12568 #1: sending encrypted notification INVALID_MESSAGE_ID 
to 82.236.77.42:12568
Nov 21 20:54:36 sd-5193 pluto[25568]: "roadwarriorxp"[2] 
82.236.77.42:12568 #1: Quick Mode I1 message is unacceptable because it 
uses a previously used Message ID 0xb7703a26 (perhaps this is a 
duplicated packet)

But the connection still doesn't work. My new conf:

conn %default
        left=88.191.35.181

conn roadwarriorxp
        keyingtries=1
        compress=no
        authby=rsasig
        leftrsasigkey=%cert
        leftcert=/data/openswan/etc/ipsec.d/certs/newcert.pem
        leftprotoport=17/1701
        leftsubnet=172.16.7.0/16
        leftnexthop=88.191.35.1
        right=%any
        rightrsasigkey=%cert
        rightca=%same
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        pfs=no
        rekey=no
        auto=add

When I initiate a connection:

root at integration:/tmp# ipsec status
000 "roadwarriorxp": 172.16.0.0/16===88.191.35.181[C=FR, ST=HOST, 
O=Internet Widgits Pty Ltd, 
CN=integration]:17/1701---88.191.35.1...%virtual:17/%any===?; unrouted; 
eroute owner: #0
000 "roadwarriorxp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarriorxp"[4]: 172.16.0.0/16===88.191.35.181:4500[C=FR, 
ST=HOST, O=Internet Widgits Pty Ltd, 
CN=integration]:17/1701---88.191.35.1...82.236.77.42:13238[C=FR, 
ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]:17/%any===?; 
unrouted; eroute owner: #0
000 "roadwarriorxp"[4]:   newest ISAKMP SA: #2; newest IPsec SA: #0;
000
000 #2: "roadwarriorxp"[4] 82.236.77.42:13238 STATE_MAIN_R3 (sent MR3, 
ISAKMP SA established); EVENT_SA_EXPIRE in 28794s; newest ISAKMP
000
[C0] Templates:

The key negotiation starts, but the l2tpd authentication doesn't seem 
to work.

My ipsec is already patched to accept NAT-T:
Nov 21 23:12:12 sd-5193 pluto[25688]:   including NAT-Traversal patch 
(Version 0.6c)

Any idea?

Peter McGill wrote:
>> I'd like to configure ipsec with an l2tpd authentication. I already 
>> have a functional connection
>> at my work (using the win xp pro sp2 vpn l2tp client).
>
> I have almost the same setup, although I don't have NAT-T enabled on 
> mine.
> I just got mine working yesterday, so I'm no expert, but it works.
>
>>        type=transport
> I don't have this line in my conn, are you sure you need it?
> The default is type=tunnel, which is what I'm using without the line.
>
>> Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 
>> 82.236.77.42:11559 #4: NAT-Traversal: Transport mode disabled due to 
>> security concerns
>> Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4] 
>> 82.236.77.42:11559 #4: sending encrypted notification 
>> BAD_PROPOSAL_SYNTAX to
>> 82.236.77.42:11559
>
> Looks to me like it doesn't like type=transport.
>
> Peter McGill
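
The pluto messages above, parsed into a per-peer summary as an added example (not from this thread or the Openswan project): it assumes the log format shown in the excerpt and runs on a constructed sample built from those lines, with wrapped lines rejoined and the certificate DNs shortened.

```python
import re
from collections import defaultdict

# Constructed sample in the pluto log format from the thread (wrapped lines
# rejoined, certificate DNs shortened); not captured from a real host.
SAMPLE_LOG = """\
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42 #1: we have a cert and are sending it upon request
Nov 21 20:54:33 sd-5193 pluto[25568]: | NAT-T: new mapping 82.236.77.42:500/12568)
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: sent MR3, ISAKMP SA established
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: cannot respond to IPsec SA request because no connection is known for 88.191.35.181:4500[C=FR, CN=integration]:17/1701...82.236.77.42:12568[C=FR, CN=integration]:17/%any
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.236.77.42:12568
Nov 21 20:54:34 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb7703a26 (perhaps this is a duplicated packet)
"""

# One pluto line that names a connection instance and an SA number.
PLUTO_LINE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"'
                        r'(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
NOTIFY = re.compile(r'sending encrypted notification (?P<name>[A-Z_]+) to ')
NO_CONN = re.compile(r'no connection is known for (?P<left>.+?)\.\.\.(?P<right>.+)$')
PROTOPORT = re.compile(r':(\d+/[^\s:]+)$')   # trailing proto/port of a selector
DUP_MSGID = re.compile(r'previously used Message ID (?P<id>0x[0-9a-f]+)')


def parse_pluto(text):
    """Yield a dict per matching line; NAT-T debug lines without a conn name are skipped."""
    for line in text.splitlines():
        m = PLUTO_LINE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Per connection instance: phase 1 result, phase 2 notifications, and the
    selectors pluto could not match to any conn (the failure mode in the thread)."""
    out = defaultdict(lambda: {"peer": None, "isakmp_established": False,
                               "notifications": [], "unmatched_selectors": None,
                               "duplicate_message_ids": []})
    for ev in parse_pluto(text):
        rec = out[f'{ev["conn"]}[{ev["inst"]}]']
        rec["peer"] = ev["peer"]            # last seen form, with NAT-T port once mapped
        msg = ev["msg"]
        if "ISAKMP SA established" in msg:
            rec["isakmp_established"] = True
        if (n := NOTIFY.search(msg)):
            rec["notifications"].append(n.group("name"))
        if (nc := NO_CONN.search(msg)):
            sides = (PROTOPORT.search(nc.group("left")), PROTOPORT.search(nc.group("right")))
            rec["unmatched_selectors"] = tuple(s.group(1) if s else None for s in sides)
        if (d := DUP_MSGID.search(msg)):
            rec["duplicate_message_ids"].append(d.group("id"))
    return dict(out)
```

Feed it `/var/log/auth.log` instead of the sample to see which conn instance reached phase 1 and which notifications it sent back during Quick Mode.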
