[Openswan Users] openswan configuration needs help

Jean Marc Le Fevre jm.lefevre at etatcritik.dyndns.org
Wed Apr 18 12:12:48 EDT 2007


Hello all,


I'm looking for a VPN solution set up as follows:

Client (MacOS X or Linux) <=== VPN through internet ===> FW <===> VPNServer <===> LAN

My client has a fixed address (for now).
My firewall is configured with iptables through fwbuilder.
The firewall's internal IP is 10.91.130.2/24 and it is the default route.
The VPN server is at 10.91.130.61/24.

I've tried several times to make it work but I'm still unsuccessful. I'm sure I've made a big mistake as I'm no VPN expert.
Can someone help me to make it work?

Thanks in advance.




Here is my ipsec.conf and the included files:

config setup
         nat_traversal=yes
         plutowait=yes
         nhelpers=0
         dumpdir=/tmp
include /etc/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/eos.conf

eos.conf:
conn L2TP-PSK
         #
         type=transport
         authby=secret
         pfs=no
         keyingtries=3
         left=%defaultroute
         leftprotoport=17/%any
         right=IPFIXE
         rightprotoport=17/%any
         auto=add
         leftsubnet=10.91.130.0/24
         leftnexthop=%defaultroute


Here are the logs:

Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [RFC 3947] method set to=110
Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=109, but already using method 110
Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 18 18:04:16 Zpro pluto[11600]: packet from IPFIXE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: responding to Main Mode
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: ignoring Vendor ID payload [KAME/racoon]
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: NAT-Traversal: Result using 3: i am NATed
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: Main mode peer ID is ID_IPV4_ADDR: 'IPFIXE'
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: I did not send a certificate because I do not have one.
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 18 18:04:16 Zpro pluto[11600]: | NAT-T: new mapping IPFIXE:500/4500)
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: responding to Quick Mode {msgid:99321c1d}
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface lo/lo 127.0.0.1
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface lo/lo 127.0.0.1
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface eth0/eth0 10.91.130.61
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: interface eth0/eth0 10.91.130.61
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: %myid = (none)
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: debug none
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK": 10.91.130.0/24===10.91.130.61:17/%any---10.91.130.2...IPFIXE:17/49199; unrouted; eroute owner: #0
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,24; interface: eth0;
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK":   newest ISAKMP SA: #1; newest IPsec SA: #0;
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: "L2TP-PSK":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: #2: "L2TP-PSK":4500 STATE_QUICK_R0 (expecting QI1); EVENT_SO_DISCARD in 0s; nodpd
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: #1: "L2TP-PSK":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3599s; newest ISAKMP; nodpd
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2:
Apr 18 18:04:17 Zpro ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 217: 11600 Aborted                 (core dumped) /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --nhelpers 0
Apr 18 18:04:17 Zpro ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Apr 18 18:04:17 Zpro ipsec__plutorun: restarting IPsec after pause...
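As an added example (not part of the original post, and not Openswan code), here is a small Python parser for pluto log lines of the kind shown above: it tracks the Main Mode state transitions per SA, extracts the negotiated ISAKMP SA parameters, flags ones an assumed local policy treats as weak (3DES, MODP1024), and records the assertion failure together with the watchdog's crash report, which is what a defender would alert on. The sample lines are constructed from the post with the mail wrapping re-joined; IPFIXE is the post's redacted client address.

```python
import re
from collections import defaultdict

# Constructed sample: pluto lines modelled on the post, mail wrapping re-joined.
SAMPLE_LOG = """\
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: responding to Main Mode
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 18 18:04:16 Zpro pluto[11600]: "L2TP-PSK" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: responding to Quick Mode {msgid:99321c1d}
Apr 18 18:04:17 Zpro pluto[11600]: "L2TP-PSK" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
Apr 18 18:04:17 Zpro ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Apr 18 18:04:17 Zpro ipsec__plutorun: restarting IPsec after pause...
"""
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$')
SA_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<rest>.*)$')
TRANS_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ESTAB_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
# Substrings marking an IKE proposal as weak: an assumed local policy, not an Openswan setting.
WEAK = {'cipher': ('3des',), 'group': ('modp1024',)}

def analyse(log_text):
    summary = {'transitions': defaultdict(list), 'isakmp_sa': {},
               'weak': [], 'crashes': [], 'restarts': 0}
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        msg = m.group('msg')
        if m.group('proc') == 'ipsec__plutorun':        # watchdog wrapper, not pluto itself
            summary['restarts'] += 'restarting' in msg
            if '!pluto failure!' in msg:
                summary['crashes'].append(msg)
            continue
        if not (s := SA_RE.match(msg)):                 # lines without a conn/SA prefix
            continue
        sa, rest = int(s.group('sa')), s.group('rest')
        if t := TRANS_RE.search(rest):
            summary['transitions'][sa].append(t.groups())
        if e := ESTAB_RE.search(rest):
            params = dict(kv.split('=', 1) for kv in e.group('params').split())
            summary['isakmp_sa'] = params
            summary['weak'] = [f'{k}={params[k]}' for k, bad in WEAK.items()
                               if any(b in params.get(k, '') for b in bad)]
        if 'ASSERTION FAILED' in rest:                  # pluto aborts right after this line
            summary['crashes'].append(f'SA #{sa}: {rest}')
    return summary
```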


