[Openswan Users] openswan + l2tpd + iptables problem

mechanix at debian.org
Wed Oct 18 18:50:31 EDT 2006


On Wed, Oct 18, 2006 at 11:23:15PM +0200, Jacco de Leeuw wrote:
> 
> Filip wrote:
> 
> >I tried both -- not together -- require-mppe and noccp but without any
> >luck.
> 
> OK, what messages do you get then?

For require-mppe (after chap auth):

Oct 19 06:30:11 scotos pppd[17439]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Oct 19 06:30:11 scotos pppd[17439]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
Oct 19 06:30:11 scotos pppd[17439]: sent [CCP ConfNak id=0x4 <mppe +H -M +S +L -D -C>]
Oct 19 06:30:11 scotos pppd[17439]: rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:30:11 scotos pppd[17439]: sent [IPCP TermAck id=0x5]
Oct 19 06:30:11 scotos pppd[17439]: rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
Oct 19 06:30:11 scotos pppd[17439]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Oct 19 06:30:13 scotos pppd[17439]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:30:13 scotos pppd[17439]: sent [IPCP TermAck id=0x6]
Oct 19 06:30:13 scotos pppd[17439]: rcvd [CCP ConfReq id=0x7 <mppe +H -M -S -L -D +C>]
Oct 19 06:30:13 scotos pppd[17439]: sent [CCP ConfNak id=0x7 <mppe +H -M +S +L -D -C>]
Oct 19 06:30:14 scotos pppd[17439]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Oct 19 06:30:16 scotos pppd[17439]: rcvd [IPCP ConfReq id=0x8 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:30:16 scotos pppd[17439]: sent [IPCP TermAck id=0x8]
Oct 19 06:30:17 scotos pppd[17439]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Oct 19 06:30:18 scotos pppd[17439]: rcvd [CCP ConfReq id=0x9 <mppe +H -M -S -L -D +C>]
Oct 19 06:30:18 scotos pppd[17439]: sent [CCP ConfNak id=0x9 <mppe +H -M +S +L -D -C>]
Oct 19 06:30:20 scotos pppd[17439]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Oct 19 06:30:21 scotos pppd[17439]: rcvd [IPCP ConfReq id=0xa <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:30:21 scotos pppd[17439]: sent [IPCP TermAck id=0xa]
Oct 19 06:30:23 scotos pppd[17439]: rcvd [CCP ConfReq id=0xb <mppe +H -M -S -L -D +C>]
Oct 19 06:30:23 scotos pppd[17439]: sent [CCP ConfNak id=0xb <mppe +H -M +S +L -D -C>]
Oct 19 06:30:23 scotos pppd[17439]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Oct 19 06:30:26 scotos pppd[17439]: rcvd [IPCP ConfReq id=0xc <addr 0.0.0.0>]
Oct 19 06:30:26 scotos pppd[17439]: sent [IPCP TermAck id=0xc]
Oct 19 06:30:26 scotos pppd[17439]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Oct 19 06:30:28 scotos pppd[17439]: rcvd [CCP ConfReq id=0xd <mppe +H -M -S -L -D +C>]

etc.

For noccp:

Oct 19 06:26:41 scotos pppd[17407]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.2.254>]
Oct 19 06:26:41 scotos pppd[17407]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
Oct 19 06:26:41 scotos pppd[17407]: sent [LCP ProtRej id=0x2 80 fd 01 04 00 0a 12 06 01 00 00 01]
Oct 19 06:26:41 scotos pppd[17407]: rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:41 scotos pppd[17407]: sent [IPCP ConfRej id=0x5 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:41 scotos pppd[17407]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Oct 19 06:26:41 scotos pppd[17407]: sent [IPCP ConfReq id=0x2 <addr 192.168.2.254>]
Oct 19 06:26:43 scotos pppd[17407]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:43 scotos pppd[17407]: sent [IPCP ConfRej id=0x6 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:43 scotos pppd[17407]: rcvd [CCP ConfReq id=0x7 <mppe +H -M -S -L -D +C>]
Oct 19 06:26:43 scotos pppd[17407]: sent [LCP ProtRej id=0x3 80 fd 01 07 00 0a 12 06 01 00 00 01]
Oct 19 06:26:44 scotos pppd[17407]: sent [IPCP ConfReq id=0x2 <addr 192.168.2.254>]
Oct 19 06:26:46 scotos pppd[17407]: rcvd [IPCP ConfReq id=0x8 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:46 scotos pppd[17407]: sent [IPCP ConfRej id=0x8 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:47 scotos pppd[17407]: sent [IPCP ConfReq id=0x2 <addr 192.168.2.254>]
Oct 19 06:26:48 scotos pppd[17407]: rcvd [CCP ConfReq id=0x9 <mppe +H -M -S -L -D +C>]
Oct 19 06:26:48 scotos pppd[17407]: sent [LCP ProtRej id=0x4 80 fd 01 09 00 0a 12 06 01 00 00 01]
Oct 19 06:26:50 scotos pppd[17407]: sent [IPCP ConfReq id=0x2 <addr 192.168.2.254>]
Oct 19 06:26:51 scotos pppd[17407]: rcvd [IPCP ConfReq id=0xa <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:51 scotos pppd[17407]: sent [IPCP ConfRej id=0xa <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 19 06:26:53 scotos pppd[17407]: rcvd [CCP ConfReq id=0xb <mppe +H -M -S -L -D +C>]
Oct 19 06:26:53 scotos pppd[17407]: sent [LCP ProtRej id=0x5 80 fd 01 0b 00 0a 12 06 01 00 00 01]

etc.

> >I took a closer look at the logs, and it seems that the pppd mtu option
> >from the configuration file is simply ignored. The client asks for a mru
> >of 1400, and pppd just acknowledges that, and then possibly starts sending
> >packets which are too big and do not get through.
> 
> I'm not so sure about that because the PPP negotiation almost completes.
> The main differences between your two logs is that the BE client gives up
> CCP negotiation after the server says it does not support MPPE and
> compression also does not complete.

I ran tcpdump while noccp and require-mppe were both not set in the
options.l2tp file; and got udp-encap traffic both ways initially, then
only incoming messages for a while until traffic halted. Seems to confirm
my suspicion.

I applied the registry settings from the second part of MS KB 826159 to
see if I could get the client to negotiate a smaller MRU, and rebooted,
but it did not help. Then again, the KB was for setting MTU not MRU.

> >I haven't recreated the CMAK profile to disable encryption yet.
> 
> You could use the New Connection Wizard to create one manually.

I tried; when I set "No encryption allowed" on the "advanced settings"
which can be opened from the security tab, I get these from pluto:

Oct 19 06:25:03 scotos pluto[15933]: "roadwarrior-l2tp"[52] 81.82.7.106 #76: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 19 06:25:03 scotos pluto[15933]: "roadwarrior-l2tp"[52] 81.82.7.106 #77: kernel algorithm does not like: no alg
Oct 19 06:25:03 scotos pluto[15933]: "roadwarrior-l2tp"[52] 81.82.7.106 #77: unsupported ESP Transform ESP_NULL from 81.82.7.106
Oct 19 06:25:03 scotos pluto[15933]: "roadwarrior-l2tp"[52] 81.82.7.106 #77: kernel algorithm does not like: no alg
Oct 19 06:25:03 scotos pluto[15933]: "roadwarrior-l2tp"[52] 81.82.7.106 #77: unsupported ESP Transform ESP_NULL from 81.82.7.106
Oct 19 06:25:03 scotos pluto[15933]: "roadwarrior-l2tp"[52] 81.82.7.106 #77: no acceptable Proposal in IPsec SA
Oct 19 06:25:03 scotos pluto[15933]: "roadwarrior-l2tp"[52] 81.82.7.106 #77: sending encrypted notification NO_PROPOSAL_CHOSEN to 81.82.7.106:4500
...

When I set it to require encryption, it's the same as with the CMAK
profile.


Regards,

Filip

-- 
http://www.sysfs.be/
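An added example, not part of Filip's message or of the Openswan or pppd projects: a small Python triage of the pppd lines quoted above. It decodes the MPPE option tokens pppd prints (`<mppe +H -M +S ...>`), decodes the raw bytes of the LCP ProtRej back into the rejected CCP ConfReq and its MPPE option, and classifies a log as CCP rejected (noccp case), stalled in a ConfReq/ConfNak loop (require-mppe case) or open. The bit values are those of RFC 3078; the sample lines are copied from the two logs in this message; the function names are my own.

```python
import re
from collections import Counter

# Bit values of the CCP MPPE/MPPC option (RFC 3078 section 3). pppd prints the
# same bits as the +H/-M/+S/+L/-D/-C tokens in its CCP log lines.
MPPE_BITS = {
    "H": 0x01000000,  # stateless (no history) mode
    "M": 0x00000080,  # 56-bit session key
    "S": 0x00000040,  # 128-bit session key
    "L": 0x00000020,  # 40-bit session key
    "D": 0x00000010,  # obsolete bit
    "C": 0x00000001,  # MPPC compression (RFC 2118); pppd does not implement it
}
PPP_PROTO_CCP = 0x80FD          # PPP protocol number pppd rejects with ProtRej under noccp
CCP_CODES = {1: "ConfReq", 2: "ConfAck", 3: "ConfNak", 4: "ConfRej"}

LINE_RE = re.compile(
    r"pppd\[\d+\]: (?P<dir>sent|rcvd) \[(?P<proto>\w+) (?P<code>\w+) "
    r"id=0x(?P<id>[0-9a-f]+)(?P<rest>.*)\]$"
)

# Sample input: lines copied from the two logs in this message.
REQUIRE_MPPE_LOG = [
    "Oct 19 06:30:11 scotos pppd[17439]: sent [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]",
    "Oct 19 06:30:11 scotos pppd[17439]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]",
    "Oct 19 06:30:11 scotos pppd[17439]: sent [CCP ConfNak id=0x4 <mppe +H -M +S +L -D -C>]",
    "Oct 19 06:30:11 scotos pppd[17439]: rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]",
    "Oct 19 06:30:11 scotos pppd[17439]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]",
    "Oct 19 06:30:13 scotos pppd[17439]: rcvd [CCP ConfReq id=0x7 <mppe +H -M -S -L -D +C>]",
    "Oct 19 06:30:13 scotos pppd[17439]: sent [CCP ConfNak id=0x7 <mppe +H -M +S +L -D -C>]",
]
NOCCP_LOG = [
    "Oct 19 06:26:41 scotos pppd[17407]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]",
    "Oct 19 06:26:41 scotos pppd[17407]: sent [LCP ProtRej id=0x2 80 fd 01 04 00 0a 12 06 01 00 00 01]",
]


def parse_ppp_line(line):
    """Split a pppd debug line into direction, protocol, packet code, id and payload text."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["id"] = int(d["id"], 16)
    d["rest"] = d["rest"].strip()
    return d


def mppe_flags_from_text(text):
    """'<mppe +H -M +S -L -D -C>' -> {'H', 'S'}: the bits the sender asked for."""
    m = re.search(r"<mppe ([^>]*)>", text)
    return {tok[1] for tok in m.group(1).split() if tok.startswith("+")} if m else set()


def mppe_flags_from_bits(value):
    return {name for name, bit in MPPE_BITS.items() if value & bit}


def decode_protrej(hex_payload):
    """Decode the raw bytes pppd prints in an LCP ProtRej: rejected protocol, CCP header, options."""
    b = bytes.fromhex(hex_payload.replace(" ", ""))
    proto = int.from_bytes(b[0:2], "big")          # rejected PPP protocol number
    code, ident = b[2], b[3]                        # CCP code and identifier
    length = int.from_bytes(b[4:6], "big")          # CCP packet length incl. header
    options, i = [], 6
    while i + 2 <= min(length, len(b)):
        otype, olen = b[i], b[i + 1]
        data = b[i + 2:i + olen]
        opt = {"type": otype, "data": data.hex()}
        if otype == 0x12 and len(data) == 4:        # CCP option 18 = MPPE/MPPC
            opt["mppe"] = mppe_flags_from_bits(int.from_bytes(data, "big"))
        options.append(opt)
        i += max(olen, 2)
    return {"proto": proto, "code": CCP_CODES.get(code, code), "id": ident,
            "length": length, "options": options}


def ccp_outcome(lines):
    """Classify CCP in a pppd log: 'rejected' (ProtRej of CCP), 'open' (a ConfAck seen), or 'stalled'."""
    counts, last_req = Counter(), {}
    for line in lines:
        p = parse_ppp_line(line)
        if not p:
            continue
        if p["proto"] == "LCP" and p["code"] == "ProtRej":
            rej = decode_protrej(p["rest"])
            if rej["proto"] == PPP_PROTO_CCP:
                return {"state": "rejected", "detail": rej}
        if p["proto"] != "CCP":
            continue
        counts[(p["dir"], p["code"])] += 1
        if p["code"] == "ConfReq":
            last_req[p["dir"]] = mppe_flags_from_text(p["rest"])   # what each side last asked for
        if p["code"] == "ConfAck":   # one ConfAck is enough for triage; strictly both sides must ack
            return {"state": "open", "detail": dict(counts)}
    if counts[("sent", "ConfNak")] + counts[("rcvd", "ConfNak")]:
        return {"state": "stalled", "detail": dict(counts), "last_req": last_req}
    return {"state": "unknown", "detail": dict(counts)}


if __name__ == "__main__":
    print("require-mppe:", ccp_outcome(REQUIRE_MPPE_LOG))
    print("noccp:", ccp_outcome(NOCCP_LOG))
```

The decoded ProtRej payload (`80 fd` = CCP, code 1 = ConfReq, id 4, option type 0x12 with value `01 00 00 01` = H and C bits) is exactly the client's `<mppe +H -M -S -L -D +C>` request that pppd had just logged, so the two views of the same packet can be cross-checked. In the require-mppe log the `last_req` field shows the server settling on 128-bit only (H, S) while the client keeps asking for MPPC compression (H, C), which is why the loop never reaches a ConfAck.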

