[Openswan Users] win-xp (sp2) with nat-t not working with dsl

Gbenga stjames08 at yahoo.co.uk
Thu Oct 26 18:24:21 EDT 2006


Hi all,

I wish someone who has been through this before would assist with my configuration. I have reduced my MTU gradually, even up to 1000, without any luck. It is currently at 1472.

Just in case I didn't explain well: I have openswan version 2.4.6 working with xl2tp-1.0.4 and ppp. If the client (win xp sp2) is on the internet address space they connect ok, but behind a gateway, e.g. a DSL router from home, I can't connect. The IPsec SA established ok, just that ppp/x/l2tpd didn't pick up the call after that.

Paul advised that it is most likely a fragmentation issue, but I am not getting a fragmentation error in the auth.log.

my auth.log:
--------------------
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: responding to Main Mode from unknown peer 212.2.177.88
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: Main mode peer ID is ID_DER_ASN1_DN: 'C=IE, ST=Dublin, O=Networks, OU=Systems Eng, CN=Gbenga Sogbetun, E=olugbenga.Sogbetun at bt.com'
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: no crl from issuer "C=IE, O=Networks, OU=Systems Eng, ST=Dublin, L=Dundrum, CN=Systems Eng CA, E=olugbenga.Sogbetun at bt.com" found (strict=no)
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: switched from "l2tp-syseng" to "l2tp-syseng"
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: deleting connection "l2tp-syseng" instance with peer 212.2.177.88 {isakmp=#0/ipsec=#0}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: I am sending my cert
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 26 00:51:21 aparo pluto[11330]: | NAT-T: new mapping 212.2.177.88:500/12256)
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: responding to Quick Mode {msgid:e8ded7d8}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R2: IPsec SA established {ESP=>0x735d6531 <0xfbc91a78 xfrm=3DES_0-HMAC_MD5 NATD=212.2.177.88:12256 DPD=none}

I also ran l2tpd in debug mode but absolutely nothing came up in it. On the list there are various people that claimed to have got it working for them, but no mention of what they did to get it working!

If it is of any use, the DSL is a 3meg link, but I don't think that matters. If anyone here has a working conf that I can compare with mine, that would be good.

Rgds,
Gbenga


----- Original Message ----
From: Paul Wouters <paul at xelerance.com>
To: Gbenga <stjames08 at yahoo.co.uk>
Cc: users at openswan.org
Sent: Monday, 23 October, 2006 4:39:25 PM
Subject: Re: [Openswan Users] win-xp (sp2) with nat-t not working with dsl

On Mon, 23 Oct 2006, Gbenga wrote:

> Ok, I see this is a bug that is under consideration. Is the fix going into the 2.4.7 release?
>
> http://bugs.xelerance.com/view.php?id=541&nbn=4

That is a resolved bug. There is no fix for fragmentation. Try setting your
external mtu on the vpn server to 1472 or 1450.

> conn %default
>         authby=secret|rsasig

I would just set this to rsasig, esp. since you are using certificates.
>
> conn l2tp-syseng
>         left=10.10.1.57
>         leftsubnet=10.10.1.57/32

you should not be setting subnet options, since l2tp is a transport mode
host-host connection (with the exception of the rightsubnet to support
NAT-T).

>         rightsubnet=vhost:%no,%priv

So that's ok.

>         compress=yes
>         disablearrivalcheck=no
>         type=tunnel

That is wrong for l2tp. It must be transport mode. If your openswan then
complains about the rightsubnet, comment out the type line completely.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
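Reading the pluto output above by eye is error-prone, so here is a small added example (not part of the thread, and not Openswan's own code) that parses the auth.log lines Gbenga posted and reduces them to the facts that matter for this kind of fault: whether the peer was detected as NATed, whether the ISAKMP and IPsec SAs actually came up, and what SPIs and NAT-D port the kernel is using. The diagnose() function then turns that into the checklist Paul gave (transport mode, rsasig, external MTU). The sample lines are copied from the log earlier in the thread; the regexes and field names are my own assumptions about pluto's 2.4.x log format.

```python
import re

# Constructed sample: a subset of the pluto lines posted in this thread, unchanged.
SAMPLE_LOG = """\
Oct 26 00:51:20 aparo pluto[11330]: packet from 212.2.177.88:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 26 00:51:20 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: responding to Main Mode from unknown peer 212.2.177.88
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[3] 212.2.177.88 #351: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Oct 26 00:51:21 aparo pluto[11330]: | NAT-T: new mapping 212.2.177.88:500/12256)
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #351: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Oct 26 00:51:21 aparo pluto[11330]: "l2tp-syseng"[4] 212.2.177.88 #352: STATE_QUICK_R2: IPsec SA established {ESP=>0x735d6531 <0xfbc91a78 xfrm=3DES_0-HMAC_MD5 NATD=212.2.177.88:12256 DPD=none}
"""

# Connection-scoped pluto line: "conn"[instance] peer #sa: message   (assumed format)
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
                     r'(?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
# Debug line emitted when NAT-T learns a new peer port mapping (assumed format)
MAPPING_RE = re.compile(r'NAT-T: new mapping (?P<ip>[\d.]+):(?P<old>\d+)/(?P<new>\d+)')


def _attrs(body):
    """Turn 'k=v k=v ...' inside pluto's {...} into a dict."""
    return dict(re.findall(r'(\w+)=(\S+)', body))


def summarize(log_text):
    """Reduce pluto log lines to the state a troubleshooter needs."""
    s = {"conn": None, "peer": None, "nat": None, "nat_mapping": None,
         "isakmp": None, "ipsec": None}
    for line in log_text.splitlines():
        mm = MAPPING_RE.search(line)
        if mm:
            # Ports as printed by pluto: old port / new port
            s["nat_mapping"] = (mm.group("ip"), int(mm.group("old")), int(mm.group("new")))
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        s["conn"], s["peer"] = m.group("conn"), m.group("peer")
        msg = m.group("msg")
        if msg.startswith("NAT-Traversal: Result"):
            # "...: both are NATed" -> keep the verdict only
            s["nat"] = msg.rsplit(": ", 1)[1]
        elif "ISAKMP SA established" in msg:
            body = re.search(r'ISAKMP SA established \{([^}]*)\}', msg).group(1)
            s["isakmp"] = _attrs(body)
        elif "IPsec SA established" in msg:
            body = re.search(r'IPsec SA established \{([^}]*)\}', msg).group(1)
            a = _attrs(body)
            a.pop("ESP", None)  # "ESP=>0x.. <0x.." does not fit k=v; parse it explicitly
            spi = re.search(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)', body)
            a["spi_out"], a["spi_in"] = spi.group(1), spi.group(2)
            s["ipsec"] = a
    return s


def diagnose(s):
    """Map the summary onto the checks raised in the thread."""
    findings = []
    if s["ipsec"] is None:
        findings.append("no IPsec SA: the failure is in IKE, not in L2TP/PPP")
        return findings
    findings.append("ISAKMP and IPsec SAs established: the failure is after IPsec, in L2TP/PPP")
    if s["nat"] and "NATed" in s["nat"]:
        findings.append("peer is NATed: ESP is UDP-encapsulated, so look for data on UDP/4500, "
                        "and xl2tpd must receive the decapsulated UDP/1701 packets")
        findings.append("NAT-T needs rightsubnet=vhost:%no,%priv on a transport-mode conn; "
                        "type=tunnel breaks L2TP, use type=transport (or drop the type line)")
    findings.append("with certificates, set authby=rsasig rather than secret|rsasig")
    findings.append("if ESP arrives but l2tpd logs nothing, suspect fragmentation: "
                    "lower the server's external MTU (1472 or 1450 as suggested)")
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for k, v in summary.items():
        print(f"{k:12} {v}")
    print()
    for f in diagnose(summary):
        print("-", f)
```

Run it against a real /var/log/auth.log slice (e.g. the lines for one connection attempt) instead of SAMPLE_LOG; if `ipsec` stays None the problem is still in IKE, and if it is filled in, as it is for Gbenga's log, the next thing to look at is the UDP/4500 and UDP/1701 traffic on the server, not pluto.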