[Openswan Users] Openswan IPsec, l2tpd, pppd
Denis Stepanenko
denis.stepanenko at gmail.com
Tue Feb 20 07:03:11 EST 2007
Dear ALL, - help needed very much
Problem description:
There are 3 remote LANs.
These LANs are connected to each other via VPN, and each VPN gateway also runs
l2tpd for Windows XP "roadwarriors".
.
The OS and VPN software configuration is identical on all gateways.
But on one of the VPN gateways (configs and logs listed below), after the IPsec
tunnel comes up (Windows XP *L2TP* client), the PPP connection is not brought up
(connection *l2tp*-cert-org).
The certificate exchange passes OK and eroute shows that the tunnel is up, but
after 20-30 seconds the connection goes down.
I have spent 2 months trying to resolve this - but f*'n nothing.
Thanks to all in advance for any advice.
System & settings :
OS: *Slackware* GNU/Linux 10.2
root at host:~#uname -a
Linux host.domain.com 2.4.32-ow1-ipsec #2 SMP Thu Jun 1 17:00:58 CEST
2006 i686 unknown unknown GNU/Linux
Version of Openswan: openswan-2.4.5
Additional patches:
openswan-2.4.5.kernel-2.4-klips.patch.gz
openswan-2.4.5.kernel-2.4-natt.patch.gz
root at host:~# lsmod
Module Size Used by Not tainted
ppp_async 7168 0 (unused)
ppp_generic 23208 0 [ppp_async]
slhc 4800 0 [ppp_generic]
ipsec 333984 2
ipt_LOG 3544 1 (autoclean)
ipt_recent 8772 3 (autoclean)
ipt_state 536 5 (autoclean)
ipt_multiport 664 17 (autoclean)
iptable_mangle 2168 0 (autoclean) (unused)
iptable_nat 19294 1 (autoclean)
ip_conntrack 22464 0 (autoclean) [ipt_state iptable_nat]
iptable_filter 1740 1 (autoclean)
ip_tables 13056 9 [ipt_LOG ipt_recent ipt_state
ipt_multiport iptable_mangle iptable_nat iptable_filter]
-----------------------------------------------
Openswan IPSec Config
-----------------------------------------------
root at host:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
forwardcontrol=yes
interfaces="ipsec0=eth0"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/24,%4:172.16.0.0/12
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
# Connections for "roadwarriors"
include /etc/ipsec.d/connections/*l2tp*-cert-org.conf
conn host1-host
auto=start
left=123.456.788
leftid=@host1.domain1.com
leftnexthop=123.456.789
leftrsasigkey=0sA....
leftsubnet=192.168.0.0/24
right=789.654.322
rightid=@host.domain.com
rightnexthop=789.654.321
rightrsasigkey=0sA.....
rightsubnet=192.168.1.0/24
type=tunnel
conn host-host2
auto=start
left=789.654.322
leftid=@host.domain.com
leftnexthop=789.654.321
leftrsasigkey=0slf......
leftsubnet=192.168.1.0/24
right=159.357.752
rightid=@host2.domain.com
rightnexthop=159.357.751
rightrsasigkey=0sA....
type=tunnel
-----------------------------------------------------
*l2tp*-cert-org.conf ("roadwarriors" ) connection config
------------------------------------------------------
root at host:~# cat /etc/ipsec.d/connections/*l2tp*-cert-org.conf
conn *l2tp*-cert-org
#
# Configuration for one user with the non-updated Windows 2000/XP.
#
#
# Use a certificate. Disable Perfect Forward Secrecy.
#
authby=rsasig
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
rekey=no
# Do not enable the line below. It is implicitely used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
type=tunnel
#
left=789.654.322
# or you can use: left=YourIPAddress
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/mordor.siliciosolar.es.pem
# Work-around for original (non-updated) Windows 2000/XP clients,
# to support all clients, use leftprotoport=17/%any
leftprotoport=17/0
#
# The remote user.
#
right=%any
rightca=%same
rightrsasigkey=%cert
rightprotoport=17/1701
rightsubnet=vhost:%priv,%no
----------------------------------------------------
l2tpd config
---------------------------------------------------
root at host:~# cat /etc/l2tpd/l2tpd.conf
[global]
;listen-addr =
[lns default]
ip range = 192.168.1.140-192.168.1.150
local ip = 192.168.10.202
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
--------------------------------------------------------
root at host:~# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.3
ms-wins 192.168.1.3
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
----------------------------------------------------------
iptables rules
---------------------------------------------------------
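###################################################
#
# IPSec VPN section starting here
#
# This section is an excerpt of a larger firewall script.  The following
# variables are used here but must already be defined by the enclosing script:
#   OPEN_SWAN_VIRT            - the IPsec virtual interface (ipsec.conf binds
#                               ipsec0=eth0)
#   LAN_IP, PPP_IP, EXT_IP    - addresses of this gateway
#   LAN_SUBNET                - the local LAN
#   COMPANY1_SUBNET,
#   COMPANY2_SUBNET1          - the remote LANs reached over the site-to-site
#                               tunnels
#   RW1 .. RW7                - the "road warrior" client addresses
# Every expansion is quoted so an empty variable fails loudly in iptables
# instead of silently shifting the remaining arguments.
# Rule order is preserved exactly as in the original hand-written list;
# the loops below only remove the repetition.
#
# Allow IPSec connections: IKE (udp/500), NAT-T (udp/4500), ESP (50), AH (51)
# NOTE(review): matching --sport as well as --dport only admits peers whose
# source port survives NAT; a NAT-T client behind a NAT often arrives from a
# different source port and would not match these rules - confirm against
# the peers actually expected.
iptables -A INPUT  -p udp -m udp -s 0/0 --sport 500  --dport 500  -j ACCEPT
iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 500  --dport 500  -j ACCEPT
iptables -A INPUT  -p udp -m udp -s 0/0 --sport 4500 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 4500 --dport 4500 -j ACCEPT
iptables -A INPUT  -p 50 -s 0/0 -j ACCEPT
iptables -A OUTPUT -p 50 -d 0/0 -j ACCEPT
iptables -A INPUT  -p 51 -s 0/0 -j ACCEPT
iptables -A OUTPUT -p 51 -d 0/0 -j ACCEPT
# Everything arriving on / leaving via the IPsec virtual interface is
# accepted wholesale.
iptables -A INPUT  -s 0/0 -i "$OPEN_SWAN_VIRT" -j ACCEPT
iptables -A OUTPUT -d 0/0 -o "$OPEN_SWAN_VIRT" -j ACCEPT
#
# Ports for l2tpd
# L2TP (udp/1701) is only accepted on the IPsec interface here; whether
# plaintext L2TP arriving on the physical interface is rejected depends on
# the INPUT chain's default policy, which is outside this section.
iptables -A INPUT  -p udp -m udp -s 0/0 --dport 1701 -i "$OPEN_SWAN_VIRT" -j ACCEPT
iptables -A OUTPUT -p udp -m udp -d 0/0 --sport 1701 -o "$OPEN_SWAN_VIRT" -j ACCEPT
# Redirect L2TP coming in over IPsec to $LAN_IP.  NOTE(review): this only
# matches clients that send from source port 1701, and it presumes l2tpd
# listens on $LAN_IP - verify against the (commented-out) listen-addr in
# l2tpd.conf.
iptables -t nat -A PREROUTING -p udp -m udp -i "$OPEN_SWAN_VIRT" \
  --sport 1701 --dport 1701 -j DNAT --to-destination "$LAN_IP"
#
# Packet forwarding for "road warriors" network
# ("-p all" of the original is the iptables default and has been dropped.)
for rw_net in "$RW1" "$RW2" "$RW3" "$RW4" "$RW5" "$RW6" "$RW7"; do
  iptables -A FORWARD -s "$rw_net" -d "$LAN_SUBNET" -j ACCEPT
  iptables -A FORWARD -s "$LAN_SUBNET" -d "$rw_net" -j ACCEPT
done
#
# Packet forwarding for COMPANY2 subnet
iptables -A FORWARD -s "$COMPANY2_SUBNET1" -d "$LAN_SUBNET" -j ACCEPT
iptables -A FORWARD -s "$LAN_SUBNET" -d "$COMPANY2_SUBNET1" -j ACCEPT
# Packet forwarding for COMPANY1 subnet
iptables -A FORWARD -s "$COMPANY1_SUBNET" -d "$LAN_SUBNET" -j ACCEPT
iptables -A FORWARD -s "$LAN_SUBNET" -d "$COMPANY1_SUBNET" -j ACCEPT
#
#
# Rules for COMPANY2 internal network
iptables -t nat -A POSTROUTING -s "$EXT_IP" -d "$COMPANY2_SUBNET1" \
  -j SNAT --to-source "$LAN_IP"
#
# Rules for COMPANY1 internal network
iptables -t nat -A POSTROUTING -s "$EXT_IP" -d "$COMPANY1_SUBNET" \
  -j SNAT --to-source "$LAN_IP"
# NAT for the "road warriors" network (ppp interface):
# LAN -> road warrior is rewritten to the PPP address, PPP -> road warrior
# is rewritten to the LAN address.
# NOTE(review): POSTROUTING is consulted once per connection; if $PPP_IP lies
# inside $LAN_SUBNET the first rule of each pair matches first and the second
# never fires - confirm this is intended.
for rw_net in "$RW1" "$RW2" "$RW3" "$RW4" "$RW5" "$RW6" "$RW7"; do
  iptables -t nat -A POSTROUTING -s "$LAN_SUBNET" -d "$rw_net" \
    -j SNAT --to-source "$PPP_IP"
  iptables -t nat -A POSTROUTING -s "$PPP_IP" -d "$rw_net" \
    -j SNAT --to-source "$LAN_IP"
done
#
# IPSec VPN section ends
#
##############################################################################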
----------------------------------------------------------
piece of /var/log/secure
---------------------------------------------------------
----------------------------------------------------------
piece of /var/log/secure
---------------------------------------------------------
Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
responding to Main Mode from unknown peer 951.753.852
Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
STATE_MAIN_R1: sent MR1, expecting MI2
Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 19 20:32:45 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
STATE_MAIN_R2: sent MR2, expecting MI3
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
Main mode peer ID is ID_DER_ASN1_DN: 'C=ES, ST=Ciudad Real, L=Puertollano,
O=Silicio Solar S.A.U., OU=IT Department, CN=host.domain.com, E=
admin at domain.com'
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112: end
certificate with identical subject and issuer not accepted
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[17] 951.753.852 #112:
X.509 certificate rejected
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
deleting connection "l2tp-cert-org" instance with peer
951.753.852{isakmp=#0/ipsec=#0}
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112: I
am sending my cert
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
responding to Quick Mode {msgid:6bf34503}
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 19 20:32:46 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #113:
STATE_QUICK_R2: IPsec SA established {ESP=>0x1f8aa8cd <0x26a293c4
xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Feb 19 20:33:21 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
received Delete SA(0x1f8aa8cd) payload: deleting IPSEC State #113
Feb 19 20:33:21 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
received and ignored informational message
Feb 19 20:33:21 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852 #112:
received Delete SA payload: deleting ISAKMP State #112
Feb 19 20:33:21 host pluto[12966]: "l2tp-cert-org"[18] 951.753.852: deleting
connection "l2tp-cert-org" instance with peer 951.753.852{isakmp=#0/ipsec=#0}