[Openswan Users] roadwarrior setup with xl2tpd

Paul Wouters paul at xelerance.com
Tue Jan 30 14:12:05 EST 2007

On Tue, 30 Jan 2007, Deepak Chopra wrote:

> The openswan-2.4.7 on my gateway machine (home network) is running on RHEL 4
> with kernel 2.6.9-x.
> IPsec version is: openswan-2.4.7 (klips)
> But when my laptop connects to the Linux gateway machine it crashes and
> the log is attached below:

> Jan 30 15:11:51 eashdeep pluto[6170]: "roadwarrior-l2tp"[2]
> #57: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}

> Jan 30 15:11:51 eashdeep pluto[6170]: "roadwarrior-l2tp"[2]
> #58: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

> Jan 30 15:11:51 eashdeep pluto[6170]: "roadwarrior-l2tp"[2]
> #44: received Delete SA payload: deleting ISAKMP State #44

Windows is hanging up for some reason. Enable/check the OAKLEY.LOG on
your Windows machine.

> Jan 30 15:11:51 eashdeep pluto[6170]: "roadwarrior-l2tp"[2]
> #58: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan 30 15:11:51 eashdeep pluto[6170]: "roadwarrior-l2tp"[2]
> #58: STATE_QUICK_R2: IPsec SA established {ESP=>0x5464e2f2 <0xd8f3f9cb
> xfrm=3DES_0-HMAC_MD5 NATD= DPD=none}

Not sure why it worked on the second run though. If this is really an
l2tp connection (as the name suggests) you should see things in the logfile
of the l2tp daemon. If the name is wrong and this is just a plain IPsec
connection, then at this point things should work (unless Windows hangs up

> I'm using PSK for roadwarrior setup and config file is :

PSK and NAT-T don't go well together. You're better off switching to X.509.

> config setup
>       plutodebug=dns

leave that out.

>       nat_traversal=yes

You are missing the virtual_private= option. See man ipsec.conf.

> conn %default
>       authby=secret
>       keyexchange=ike
>       esp=aes,3des
>       keyingtries=%forever
>       auth=esp
> conn roadwarrior-l2tp
>       left=%defaultroute
>       leftsubnet=
>       leftid=@xyz.selfip.net
>       leftprotoport=17/1701
>       rightprotoport=17/%any
>       right=%any
>       authby=secret
>       auto=add
>       pfs=no

So it is not l2tp. Rename the connection to avoid confusion?
You need to add rekey=no, since the dynamic IP client needs to rekey,
not the server. I do not see a rightid= which should be needed when
using PSK and dynamic IP.

> I don't know what is the exact problem but as per the openswan userlist it
> is NAT-T patch problem. So I've installed the patch as per process given
> below
> export KERNELSRC=/lib/modules/`uname -r`/build
> make module26
> make minstall26
> depmod -a

This is not installing the NAT patch. That is for installing KLIPS only.
The NAT-T patch is separate and requires an entire kernel rebuild. And
your RHEL4 based 2.6.9 kernel has various issues with packet size, which
you will run into when running it on a home DSL/cable machine. You are
better off compiling a custom 2.6.xx kernel and patching it for NAT-T and KLIPS
using the patches on ftp.openswan.org.
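As an added illustration (not code from this thread or from Openswan), a small Python checker that parses an ipsec.conf in the shape quoted above and flags the points raised in the reply: nat_traversal=yes without virtual_private=, a PSK roadwarrior conn with no rightid=, PSK combined with NAT-T, and a missing rekey=no. The sample config, the section-merging rule for conn %default and the message strings are constructed for this example.

```python
# Constructed sample modelled on the ipsec.conf quoted above (not the poster's exact file).
SAMPLE_CONF = """
config setup
    nat_traversal=yes
conn %default
    authby=secret
conn roadwarrior-l2tp
    left=%defaultroute
    leftid=@xyz.selfip.net
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}, with 'conn %default' folded into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():                # unindented: "config setup" / "conn NAME"
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    for name in list(sections):
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**defaults, **sections[name]}
    return sections

def lint(sections):
    """Return (section, message) pairs for the problems raised in the reply."""
    findings, setup = [], sections.get("config setup", {})
    nat_t = setup.get("nat_traversal") == "yes"
    if nat_t and "virtual_private" not in setup:
        findings.append(("config setup", "nat_traversal=yes needs virtual_private="))
    for name, c in sections.items():
        if not name.startswith("conn ") or name == "conn %default" or c.get("right") != "%any":
            continue                             # only roadwarrior (right=%any) conns
        if c.get("authby") == "secret" and "rightid" not in c:
            findings.append((name, "PSK with right=%any but no rightid="))
        if c.get("authby") == "secret" and nat_t:
            findings.append((name, "PSK with NAT-T is fragile; prefer X.509 certificates"))
        if c.get("rekey", "yes") != "no":
            findings.append((name, "dynamic-IP client should do the rekeying: set rekey=no"))
    return findings
```

Running `lint(parse_ipsec_conf(SAMPLE_CONF))` reports all four points; adding rekey=no and a rightid= to the conn leaves only the two NAT-T related findings.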
