[Openswan Users] openswan + l2tpd + iptables problem
mechanix at debian.org
Wed Oct 4 14:21:33 EDT 2006
On Wed, Oct 04, 2006 at 08:17:40PM +0200, mechanix at debian.org wrote:
> On Wed, Oct 04, 2006 at 07:41:34PM +0200, Paul Wouters wrote:
> > On Wed, 4 Oct 2006, mechanix at debian.org wrote:
> > >
> > > it did seem to make a difference - the l2tp packets no longer hit
> > > the firewall.
> > > Still, I'm not there: l2tpd never seems to succeed on establishing a
> > > connection. I get a lot of debugging output, but what sticks out are these
> > > lines repeating themselves about 6 times:
> > >
> > > Oct 5 00:31:11 scotos l2tpd[790]: message_type_avp: message type 1 (Start-Control-Connection-Request)
> > >
> > > and it never gets any further. On the other system, after 2 of the above,
> > > I get a message type 3 (Start-Control-Connection-Connected) and the
> > > connection handshake continues and all.
> >
> > These might be MTU issues. Try setting the external mtu (eg ethX) to 1472.
> > Make sure the mtu/mru in options.l2tpd is about 1200-1300.
>
> That's a pppd options file, right? l2tpd even never got as far as launching
> pppd.
>
> Still, I tried setting mtu on eth1 to 1472 (was 1500), but it made ipsec
> negotiation fail, probably because the packets which contain certificates
> are too big. Log attached.
>
> I noticed something else in the log: the gateway appears to be negotiating
> the connection twice. I checked, the previous attempts showed the same
> symptom.
> Is there a way to make it not do so? Even if the gateway would receive the
> same initiation packet twice?
Classic mistake... forgot to attach the log.
Regards,
Filip
-------------- next part --------------
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: responding to Main Mode from unknown peer RW.IP.ADDR.ESS
Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: responding to Main Mode from unknown peer RW.IP.ADDR.ESS
Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 5 02:00:17 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Oct 5 02:00:17 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 5 02:00:17 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 5 02:00:18 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: discarding duplicate packet; already STATE_MAIN_R2
Oct 5 02:01:22 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: next payload type of ISAKMP Hash Payload has an unknown value: 249
Oct 5 02:01:22 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: malformed payload in packet
Oct 5 02:01:22 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: sending notification PAYLOAD_MALFORMED to RW.IP.ADDR.ESS:500
Oct 5 02:01:25 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: max number of retransmissions (2) reached STATE_MAIN_R1
Oct 5 02:01:27 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 5 02:01:27 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS: deleting connection "roadwarrior-l2tp" instance with peer RW.IP.ADDR.ESS {isakmp=#0/ipsec=#0}
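A small triage script for the pluto log attached above, added here as an illustration; it is not part of the thread and not Openswan code. It parses the connection-scoped pluto lines (the `"conn"[n] PEER #state: message` form visible in the attachment), flags a peer that triggered more than one "responding to Main Mode" in the same second (the double negotiation noted in the message), and, per ISAKMP state number, records the last Main Mode state reached and how the exchange ended (duplicate packets, malformed payload, retransmission timeout). The sample input is copied from the attached log with the peer address masked as it is there; the event labels and the regular expressions are this script's own assumptions about the log format, not anything pluto defines.

```python
"""Triage Openswan pluto Main Mode logs: duplicate concurrent exchanges
from one peer, and exchanges that stall and die of retransmission timeouts."""
import re
from collections import defaultdict

# Connection-scoped pluto line, as seen in the attached log, e.g.
#   Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: sent MR1, expecting MI2
# The state number (#19) is optional: the final "deleting connection" line has none.
# The regex is an assumption about this log format, not taken from pluto itself.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[^\s:]+)(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')

# Constructed sample: lines from the log attached to the message (peer address masked there).
SAMPLE_LOG = [
    'Oct 5 02:00:15 scotos pluto[622]: packet from RW.IP.ADDR.ESS:500: ignoring Vendor ID payload [FRAGMENTATION]',
    'Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: responding to Main Mode from unknown peer RW.IP.ADDR.ESS',
    'Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1',
    'Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: responding to Main Mode from unknown peer RW.IP.ADDR.ESS',
    'Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1',
    'Oct 5 02:00:17 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    'Oct 5 02:00:17 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: STATE_MAIN_R2: sent MR2, expecting MI3',
    'Oct 5 02:00:18 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: discarding duplicate packet; already STATE_MAIN_R2',
    'Oct 5 02:01:22 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: malformed payload in packet',
    'Oct 5 02:01:22 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: sending notification PAYLOAD_MALFORMED to RW.IP.ADDR.ESS:500',
    'Oct 5 02:01:25 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: max number of retransmissions (2) reached STATE_MAIN_R1',
    'Oct 5 02:01:27 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #19: max number of retransmissions (2) reached STATE_MAIN_R2',
    'Oct 5 02:01:27 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS: deleting connection "roadwarrior-l2tp" instance with peer RW.IP.ADDR.ESS {isakmp=#0/ipsec=#0}',
]


def parse(lines):
    """Yield a dict per connection-scoped pluto line; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['state'] = int(rec['state']) if rec['state'] else None
            yield rec


def duplicate_main_mode(lines):
    """(peer, second) -> state numbers, for peers with more than one
    'responding to Main Mode' in the same second (the double negotiation)."""
    starts = defaultdict(list)
    for rec in parse(lines):
        if rec['state'] is not None and rec['msg'].startswith('responding to Main Mode'):
            starts[(rec['peer'], rec['ts'])].append(rec['state'])
    return {k: v for k, v in starts.items() if len(v) > 1}


def state_summary(lines):
    """state number -> {'last_state': last STATE_* reached, 'events': [labels]}."""
    summary = defaultdict(lambda: {'last_state': None, 'events': []})
    for rec in parse(lines):
        st, msg = rec['state'], rec['msg']
        if st is None:
            continue
        t = TRANSITION_RE.search(msg)
        if t:
            summary[st]['last_state'] = t.group(2)
        elif msg.startswith('discarding duplicate packet'):
            summary[st]['events'].append('duplicate-packet')
        elif msg.startswith('malformed payload'):
            summary[st]['events'].append('malformed-payload')
        else:
            r = RETRANS_RE.search(msg)
            if r:  # label: retransmit-timeout:<count>@<state it was stuck in>
                summary[st]['events'].append(f'retransmit-timeout:{r.group(1)}@{r.group(2)}')
    return dict(summary)


def diagnose(lines):
    """Human-readable findings; an empty list means nothing noteworthy."""
    findings = []
    for (peer, ts), states in duplicate_main_mode(lines).items():
        findings.append(f'{peer} opened {len(states)} Main Mode exchanges at {ts}: '
                        + ', '.join(f'#{s}' for s in states))
    for st, info in sorted(state_summary(lines).items()):
        if any(e.startswith('retransmit-timeout') for e in info['events']):
            findings.append(f'#{st} stalled at {info["last_state"]} and timed out '
                            f'({", ".join(info["events"])})')
    return findings


if __name__ == '__main__':
    for line in diagnose(SAMPLE_LOG):
        print(line)
```

Run against the attached log it reports the two parallel exchanges #19 and #20 from the same peer in the same second, #19 stalled in STATE_MAIN_R2 (MR2 sent, MI3 never accepted, a duplicate and a malformed packet seen before the timeout) and #20 stalled in STATE_MAIN_R1. Since MI3 is the Main Mode message that carries the identity and, with certificate authentication, the certificate, a responder repeatedly stuck at "expecting MI3" is the pattern to look at when changing MTU changes the outcome, as the message reports.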