[Openswan Users] Openswan-2.4.4(Klips) - FC4-2.6.12 - xl2tpd-1.1.05 <-> XP SP2 - L2TP NAT
Ola Albertsson
ola at qwert.se
Wed Nov 22 03:44:10 EST 2006
Hi, I've got a few problems connecting a NATed XP using L2TP. The connection is up and I can ping computers on the corporate LAN, but when I for example try to ssh to our database server I get a timeout; also Samba shares don't work. I get this error message:
ERROR: asynchronous network error report on eth0 (sport=4500)
When browsing through the mailing list I saw a recommendation to use leftnexthop; I've tried it but it doesn't work.
I had no problems when I had another gw with RedHat 9 2.4.20-30.9 and Openswan-2.1.4. I've tried the same ipsec.conf configuration that I had on that computer with no success.
In /var/log/secure:
Nov 21 22:12:43 dns pluto[9762]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Nov 21 22:12:43 dns pluto[9762]: Setting NAT-Traversal port-4500 floating to on
Nov 21 22:12:43 dns pluto[9762]: port floating activation criteria nat_t=1/port_fload=1
Nov 21 22:12:43 dns pluto[9762]: including NAT-Traversal patch (Version 0.6c)
Nov 21 22:12:43 dns pluto[9762]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 21 22:12:43 dns pluto[9762]: starting up 1 cryptographic helpers
Nov 21 22:12:43 dns pluto[9762]: started helper pid=9763 (fd:6)
Nov 21 22:12:43 dns pluto[9762]: Using KLIPS IPsec interface code on 2.6.12
Nov 21 22:12:43 dns pluto[9762]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 21 22:12:43 dns pluto[9762]: loaded CA cert file 'cacert.pem' (1273 bytes)
Nov 21 22:12:43 dns pluto[9762]: Changing to directory '/etc/ipsec.d/aacerts'
Nov 21 22:12:43 dns pluto[9762]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 21 22:12:43 dns pluto[9762]: Changing to directory '/etc/ipsec.d/crls'
Nov 21 22:12:43 dns pluto[9762]: loaded crl file 'crl.pem' (516 bytes)
Nov 21 22:12:44 dns pluto[9762]: loaded host cert file '/etc/ipsec.d/certs/openswan.gw.pem' (3674 bytes)
Nov 21 22:12:44 dns pluto[9762]: added connection description "roadwarrior-l2tp-x509"
Nov 21 22:12:44 dns pluto[9762]: loaded host cert file '/etc/ipsec.d/certs/openswan.gw.pem' (3674 bytes)
Nov 21 22:12:45 dns pluto[9762]: listening for IKE messages
Nov 21 22:12:45 dns pluto[9762]: adding interface ipsec0/eth0 195.67.60.45:500
Nov 21 22:12:45 dns pluto[9762]: adding interface ipsec0/eth0 195.67.60.45:4500
Nov 21 22:12:45 dns pluto[9762]: loading secrets from "/etc/ipsec.secrets"
Nov 21 22:12:45 dns pluto[9762]: loaded private key file '/etc/ipsec.d/private/openswan.gw.key' (1671 bytes)
Nov 21 22:12:52 dns pluto[9762]: packet from 81.234.233.202:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 21 22:12:52 dns pluto[9762]: packet from 81.234.233.202:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 21 22:12:52 dns pluto[9762]: packet from 81.234.233.202:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 21 22:12:52 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: responding to Main Mode from unknown peer 81.234.233.202
Nov 21 22:12:52 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 21 22:12:52 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, ST=Stockholm, O=Test AB, CN=Test Jupps, E=test at test-se'
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #3: deleting connection "roadwarrior-l2tp-x509" instance with peer 81.234.233.202 {isakmp=#0/ipsec=#0}
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #3: I am sending my cert
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 21 22:12:53 dns pluto[9762]: | NAT-T: new mapping 81.234.233.202:500/4500)
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #4: responding to Quick Mode {msgid:de278ffa}
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xabdce443 <0xd2a3d59c xfrm=3DES_0-HMAC_MD5 NATD=81.234.233.202:4500 DPD=none}
Nov 21 22:13:37 dns pluto[9762]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 81.234.233.202 port 4500, complainant 195.67.60.45: No route to host [errno 113, origin ICMP type 11 code 1 (not authenticated)]
/var/log/messages:
Nov 21 15:27:03 dns l2tpd[2073]: setsockopt recvref: Protocol not available
Nov 21 15:27:03 dns l2tpd[2073]: This binary does not support kernel L2TP.
Nov 21 15:27:03 dns l2tpd[2074]: l2tpd version xl2tpd-1.1.05 started on dns.cyberstore.se PID:2074
Nov 21 15:27:03 dns l2tpd[2074]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 21 15:27:03 dns l2tpd[2074]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 21 15:27:03 dns l2tpd[2074]: Inherited by Jeff McAdams, (C) 2002
Nov 21 15:27:03 dns l2tpd[2074]: Listening on IP address 0.0.0.0, port 1701
Nov 21 22:12:55 dns l2tpd[2074]: Connection established to 81.234.233.202, 1701. Local: 56619, Remote: 4 (ref=0/0). LNS session is 'default'
Nov 21 22:12:55 dns pppd[10142]: pppd 2.4.2 started by root, uid 0
Nov 21 22:12:55 dns l2tpd[2074]: Call established with 81.234.233.202, Local: 58598, Remote: 1, Serial: 0
Nov 21 22:12:55 dns pppd[10142]: Using interface ppp0
Nov 21 22:12:55 dns pppd[10142]: Connect: ppp0 <--> /dev/pts/1
Nov 21 22:12:55 dns pppd[10142]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Nov 21 22:12:55 dns pppd[10142]: found interface eth1 for proxy arp
Nov 21 22:12:55 dns pppd[10142]: local IP address 192.168.31.34
Nov 21 22:12:55 dns pppd[10142]: remote IP address 192.168.31.36
Nov 21 22:13:18 dns kernel: eth1: Promiscuous mode enabled.
Nov 21 22:13:18 dns kernel: device eth1 entered promiscuous mode
Nov 21 22:13:22 dns kernel: device eth1 left promiscuous mode
Nov 21 22:16:11 dns pppd[10142]: LCP terminated by peer (X2M-W^@<M-Mt^@^@^@^@)
Nov 21 22:16:11 dns l2tpd[2074]: control_finish: Connection closed to 81.234.233.202, serial 0 ()
Nov 21 22:16:11 dns pppd[10142]: Terminating on signal 15.
Nov 21 22:16:11 dns pppd[10142]: Modem hangup
Nov 21 22:16:11 dns pppd[10142]: Connection terminated.
Nov 21 22:16:11 dns pppd[10142]: Connect time 3.3 minutes.
Nov 21 22:16:11 dns pppd[10142]: Sent 6109 bytes, received 4032 bytes.
Nov 21 22:16:11 dns pppd[10142]: Connect time 3.3 minutes.
Nov 21 22:16:11 dns pppd[10142]: Sent 6109 bytes, received 4032 bytes.
Nov 21 22:16:11 dns pppd[10142]: Exit.
Nov 21 22:16:11 dns l2tpd[2074]: control_finish: Connection closed to 81.234.233.202, port 1701 (), Local: 56619, Remote: 4
First I tried with the roadwarrior configs that have a # in front of them, and yesterday I tried the one which is active in this config, but it's the same result.
My ipsec.conf:
version 2.0

config setup
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.31.0/24
    nat_traversal=yes
    overridemtu=1300

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

#conn roadwarrior-net
#    leftsubnet=192.168.31.0/24
#    also=roadwarrior

#conn roadwarrior
#    left=%defaultroute
#    leftnexthop=195.67.60.1
#    leftcert=openswan.gw.pem
#    right=%any
#    rightsubnet=vhost:%no,%priv
#    auto=add
#    pfs=yes

#conn roadwarrior-l2tp
#    #type=transport
#    left=%defaultroute
#    leftnexthop=195.67.60.1
#    leftcert=openswan.gw.pem
#    leftprotoport=17/1701
#    right=%any
#    rightprotoport=17/1701
#    pfs=no
#    auto=add

#conn roadwarrior-l2tp-oldwin
#    left=%defaultroute
#    leftcert=openswan.gw.pem
#    leftprotoport=17/0
#    right=%any
#    rightprotoport=17/1701
#    rightsubnet=vhost:%no,%priv
#    pfs=no
#    auto=add

conn roadwarrior-l2tp-x509
    left=195.67.60.45
    leftnexthop=195.67.60.1
    leftprotoport=17/1701
    leftrsasigkey=%cert
    leftcert=openswan.gw.pem
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    right=%any
    rightrsasigkey=%cert
    auto=add
    authby=rsasig
    pfs=no
    # type=transport
    # rightca=%same
/var/log/messages on our database server, to which I tried to ssh:
Nov 21 22:15:13 systemq sshd[27965]: fatal: Timeout before authentication for ::ffff:192.168.31.34
192.168.31.34 is the local IP of the Openswan GW... shouldn't the IP I get from PPP (192.168.31.36) be listed as the From address??
Hopefully you can help me with this problem.
Regards
Ola Albertsson
--
Ola Albertsson
Qwert Cyberstore AB
Romansvägen 6, 13tr. Box 4090, 131 04 Nacka
*Telefon* 08-556 74 470 *Fax* 08-601 96 89 *Mobil* 0736-172 285
*E-post* ola at qwert.se *Internet* www.qwert.se
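A small triage script for the pluto log in the post above, added here as an example; it is not part of the original message and not Openswan code. It walks the pluto lines, records per peer whether NAT-T detected the peer as NATed, the ISAKMP and IPsec SA parameters (SPIs, transform, NATD endpoint), and decodes the "asynchronous network error report" line. Pluto prints the ICMP type and code it received on its UDP/4500 socket; type 11 code 1 is "fragment reassembly time exceeded" (RFC 792), which the script flags separately from routing errors because a tunnel that carries small ping packets but stalls on larger ssh and SMB traffic is the classic shape of an MTU/fragmentation problem on an ESP-in-UDP path. The sample log is constructed from the lines in the post, one record per line; the regexes, dictionary layout and function names are my own.

```python
import re

# ICMP (type, code) -> description, RFC 792 subset that pluto is likely to
# report on its NAT-T socket. Assumption: only these are decoded by name.
ICMP_NAMES = {
    (3, 0): "destination net unreachable",
    (3, 1): "destination host unreachable",
    (3, 2): "protocol unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed and DF set",
    (11, 0): "TTL exceeded in transit",
    (11, 1): "fragment reassembly time exceeded",
}
# Codes that point at oversized/fragmented ESP-in-UDP packets, not routing.
MTU_RELATED = {(3, 4), (11, 1)}

PEER = r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: '
NATED_RE = re.compile(PEER + r"NAT-Traversal: Result using [^:]+: peer is NATed")
ISAKMP_RE = re.compile(PEER + r"STATE_MAIN_R3: sent MR3, ISAKMP SA established \{(?P<attrs>[^}]*)\}")
IPSEC_RE = re.compile(PEER + r"STATE_QUICK_R2: IPsec SA established \{(?P<attrs>[^}]*)\}")
ESP_RE = re.compile(r"ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)")
ASYNC_RE = re.compile(
    r"ERROR: asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) "
    r"for message to (?P<peer>[\d.]+) port (?P<port>\d+), complainant (?P<complainant>[\d.]+): "
    r"(?P<text>[^\[]+)\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)"
)

# Constructed sample: the relevant pluto records from the post, one per line.
SAMPLE_LOG = """\
Nov 21 22:12:52 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: responding to Main Mode from unknown peer 81.234.233.202
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[1] 81.234.233.202 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 21 22:12:53 dns pluto[9762]: "roadwarrior-l2tp-x509"[2] 81.234.233.202 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xabdce443 <0xd2a3d59c xfrm=3DES_0-HMAC_MD5 NATD=81.234.233.202:4500 DPD=none}
Nov 21 22:13:37 dns pluto[9762]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 81.234.233.202 port 4500, complainant 195.67.60.45: No route to host [errno 113, origin ICMP type 11 code 1 (not authenticated)]
"""


def parse_attrs(attrs):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' (the '<spi' half) are skipped."""
    out = {}
    for tok in attrs.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


def _peer(peers, ip):
    return peers.setdefault(
        ip, {"conn": None, "nated": False, "isakmp": None, "ipsec": None, "errors": []}
    )


def triage(log_text):
    """Build a per-peer picture of the negotiation from pluto log lines."""
    peers = {}
    for line in log_text.splitlines():
        if "pluto[" not in line:
            continue
        if m := NATED_RE.search(line):
            p = _peer(peers, m["peer"])
            p["conn"] = m["conn"]
            p["nated"] = True
        elif m := ISAKMP_RE.search(line):
            _peer(peers, m["peer"])["isakmp"] = parse_attrs(m["attrs"])
        elif m := IPSEC_RE.search(line):
            attrs = parse_attrs(m["attrs"])
            spi = ESP_RE.search(m["attrs"])
            _peer(peers, m["peer"])["ipsec"] = {
                "spi_out": spi["out"] if spi else None,
                "spi_in": spi["in"] if spi else None,
                "xfrm": attrs.get("xfrm"),
                "natd": attrs.get("NATD"),
            }
        elif m := ASYNC_RE.search(line):
            key = (int(m["type"]), int(m["code"]))
            _peer(peers, m["peer"])["errors"].append({
                "iface": m["iface"],
                "sport": int(m["sport"]),
                "errno": int(m["errno"]),
                "text": m["text"].strip(),
                "icmp": key,
                "icmp_name": ICMP_NAMES.get(key, "unknown"),
                "mtu_suspect": key in MTU_RELATED,
            })
    return peers


def findings(peers):
    """One human-readable line per condition worth a second look."""
    out = []
    for ip, p in peers.items():
        if p["ipsec"] is None:
            out.append(f"{ip}: no IPsec SA established")
            continue
        for e in p["errors"]:
            hint = "; suspect MTU/fragmentation on the NAT-T path" if e["mtu_suspect"] else ""
            out.append(
                f"{ip}: IPsec SA up ({p['ipsec']['xfrm']}, NATD={p['ipsec']['natd']}) but received "
                f"ICMP type {e['icmp'][0]} code {e['icmp'][1]} ({e['icmp_name']}) "
                f"on {e['iface']} UDP/{e['sport']}{hint}"
            )
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Run against the post's log, the script reports one finding for 81.234.233.202: the SA is up with 3DES/HMAC-MD5 and NAT-T to port 4500, and the later ICMP type 11 code 1 is named and marked as MTU-related. Feeding it a larger /var/log/secure works the same way, since lines that match none of the patterns are ignored.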