[Openswan Users] Disconnect after Verifying username and password

Nabin Limbu nlimbu at healthnet.org.np
Sun Aug 26 03:27:49 EDT 2007


Hi,

While trying to connect via winxp client, I see "Verifying username and
password" and then get "Disconnected" message. In /var/log/secure of vpn
server, I get below messages while trying to connect. I'm using
openswan-2.4.4-1.1.2.1 and l2tpd-0.69-0.4.20051030.fc5 in FC 5.

Config files are appended after the below error message.

/var/log/secure
---------------
Aug 26 13:21:28 dell pluto[4414]: packet from 202.70.88.88:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 26 13:21:28 dell pluto[4414]: packet from 202.70.88.88:500: ignoring
Vendor ID payload [FRAGMENTATION]
Aug 26 13:21:28 dell pluto[4414]: packet from 202.70.88.88:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 26 13:21:28 dell pluto[4414]: packet from 202.70.88.88:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Aug 26 13:21:28 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
responding to Main Mode from unknown peer 202.70.88.88
Aug 26 13:21:28 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 26 13:21:28 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
Main mode peer ID is ID_IPV4_ADDR: '202.70.88.88'
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1: I
did not send a certificate because I do not have one.
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 26 13:21:30 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #2:
responding to Quick Mode {msgid:ace64e54}
Aug 26 13:21:30 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 26 13:21:30 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 26 13:21:30 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 26 13:21:30 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x7f991e46 <0xb249d002
xfrm=3DES_0-HMAC_MD5 NATD=202.70.88.88:500 DPD=none}
Aug 26 13:21:35 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
received Delete SA payload: deleting ISAKMP State #1
Aug 26 13:21:35 dell pluto[4414]: packet from 202.70.88.88:500: received
and ignored informational message
Aug 26 13:21:35 dell pluto[4414]: packet from 202.70.88.88:500:
Informational Exchange is for an unknown (expired?) SA


/etc/ipsec.conf
---------------

version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
        dumpdir=/tmp

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.0.0/16
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=69.88.8.14
        leftnexthop=69.88.8.7
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

/etc/l2tpd/l2tpd.conf
---------------------
[global]
listen-addr = 69.88.8.14
port = 1701

[lns default]
ip range = 192.168.1.101-192.168.1.254
local ip = 192.168.1.100
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes


/etc/l2tpd/l2tp-secrets
-----------------------
user1    *        secpass     192.168.1.0/24
*        user1    secpass     192.168.1.0/24

Hoping for your kind support.

With regards
Nabin Limbu

> On Sat, 25 Aug 2007, Nabin Limbu wrote:
>
>> Checking your system to see if IPsec got installed and started
>> correctly: Version check and ipsec on-path
>>     [OK] Linux Openswan U2.4.4/K2.6.15-1.2054_FC5 (netkey)
>> Checking for IPsec support in kernel                            [OK]
>> Checking for RSA private key (/etc/ipsec.secrets)
>> [FAILED]
>
> That's fine since you are not using it. You are using psk or X.509 with
> l2tp.
>
>> Checking for 'setkey' command for NETKEY IPsec stack support
>> [FAILED] which: no setkey in
>
> if "ip xfrm state list" does not give a usage error, you can ignore it.
> Otherwise install the iproute2 package.
>
> Paul
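
Added example, not part of the original post or of Openswan: a small Python parser for the pluto lines quoted above that re-joins the records wrapped by the mail archive and measures the gap between `IPsec SA established` and the peer's `Delete SA payload`. The function names, the milestone labels and the `year` default are assumptions made for this example; the log excerpt is copied from the post.

```python
import re
from datetime import datetime
# Excerpt copied from the log in the post, wrapped as the mail archive left it.
LOG_EXCERPT = """\
Aug 26 13:21:29 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 26 13:21:30 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x7f991e46 <0xb249d002
xfrm=3DES_0-HMAC_MD5 NATD=202.70.88.88:500 DPD=none}
Aug 26 13:21:35 dell pluto[4414]: "roadwarrior-l2tp"[1] 202.70.88.88 #1:
received Delete SA payload: deleting ISAKMP State #1
"""
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r'^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
# Message fragments that mark the points of interest (labels are hypothetical).
MILESTONES = {"ISAKMP SA established": "phase1_up",
              "IPsec SA established": "phase2_up",
              "received Delete SA payload": "peer_delete"}

def unwrap(text):
    """Re-join syslog records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def milestones(text, year=2007):
    """Return [(datetime, state_no, label, params)] for each milestone record."""
    out = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        label = m and next((v for k, v in MILESTONES.items() if k in m["msg"]), None)
        if label:
            # syslog omits the year, so it is supplied by the caller
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            params = dict(re.findall(r"(\w+)=([^\s}]+)", m["msg"]))
            out.append((when, int(m["state"]), label, params))
    return out

def seconds_until_delete(text):
    """Seconds from the IPsec SA coming up to the peer's Delete, else None."""
    seen = {label: when for when, _, label, _ in milestones(text)}
    up, gone = seen.get("phase2_up"), seen.get("peer_delete")
    return (gone - up).total_seconds() if up and gone else None
```

Run over the full `/var/log/secure` excerpt, `milestones()` also returns the negotiated parameters pluto printed for each SA, which makes it easy to see which phase completed before the client dropped the connection.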




