[Openswan Users] pluto: deleting connection instance with peer -- why?
Peter McGill
petermcgill at goco.net
Mon May 14 09:06:33 EDT 2007
> -----Original Message-----
> Date: Sun, 13 May 2007 21:02:39 -0500
> From: "JOR HAY" <flexbumpchest at gmail.com>
> Subject: [Openswan Users] pluto: deleting connection instance with peer -- why?
> To: users at openswan.org
>
> I'm having some trouble with a Windows XP IPSEC connection to my l2tpd.
> I've changed my OpenSWAN server's IP to yyy.yyy.yyy.254 and my client's
> (which is natted on a network) external IP to xxx.xxx.xxx.xxx. OpenSWAN is
> on Fedora Core 6 with the KLIPS and NAT-T patches compiled into the kernel.
> I made a VPN connection setup through Windows and have checked and
> re-checked and all the settings are right. When I go to connect, after
> about a minute, it gives Error 678:
> Error Connecting to yyy.yyy.yyy.254
> Error 678: The remote computer did not respond. For further assistance,
> click More Info or search Help and Support Center for this error number.
>
> I'm fairly certain it's the IPSEC connection (see log below). If I need to
> run any other commands for you to see other confs or logs, let me know.
>
> ipsec verify:
> Version check and ipsec on-path [OK]
> Linux Openswan Uopenswan-2.4.7-27.fc6.at/K2.4.7 (klips)
> Checking for IPsec support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [FAILED]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> Contents of /etc/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         klipsdebug=none
>         plutodebug=control
>         interfaces="ipsec0=eth0:3"
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:172.23.23.0/24
>
> include /etc/ipsec.d/*.conf
>
> Contents of /etc/ipsec.d/no_oe.conf
> # 'include' this file to disable Opportunistic Encryption.
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
> conn block
>         auto=ignore
>
> conn private
>         auto=ignore
>
> conn private-or-clear
>         auto=ignore
>
> conn clear-or-private
>         auto=ignore
>
> conn clear
>         auto=ignore
>
> conn packetdefault
>         auto=ignore
>
> Contents of /etc/ipsec.d/l2tpd.conf
> # Configuration supporting multiple users with any type of
> # IPsec/L2TP client. This includes the updated Windows 2000/XP
> # (MS KB Q818043), Vista and Mac OS X 10.3+ but excludes the
> # non-updated Windows 2000/XP.
> #
> # Authenticates through a Pre-Shared Key. Supports clients that
> # are not behind NAT. Does not support clients that are behind NAT.
>
> conn L2TP-WINXP
>         #
>         type=transport
>         authby=secret
>         pfs=no
>         rekey=no
>         keyingtries=3
>         #
>         # ----------------------------------------------------------
>         # The VPN server.
>         #
>         # Allow incoming connections on the external network interface.
>         # If you want to use a different interface or if there is no
>         # %defaultroute, you can use: left=your.ip.addr.ess
>         #
>         left=yyy.yyy.yyy.254
>         leftprotoport=17/1701
>         # If you insist on supporting non-updated Windows clients,
>         # you can use: leftprotoport=17/%any
>         #
>         # ----------------------------------------------------------
>         # The remote user(s).
>         #
>         # Allow incoming connections only from this IP address.
>         right=%any
>         # If you want to allow multiple connections from any IP address,
>         # you can use: right=%any
>         #
>         rightprotoport=17/%any
>         #
>         # ----------------------------------------------------------
>         # Change 'ignore' to 'add' to enable this configuration.
>         #
>         auto=add
First set plutodebug=none, we don't usually need this much info, and it's
a real pain to look through. All the lines below which we need are still
there without the debugging options.
> Contents of /var/log/secure
> May 13 18:47:39 myserver pluto[28835]: "L2TP-WINXP"[2] xxx.xxx.xxx.xxx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> May 13 18:47:48 myserver pluto[28835]: "L2TP-WINXP"[2] xxx.xxx.xxx.xxx #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4e864e6a <0x697cc74c xfrm=3DES_0-HMAC_MD5 NATD=xxx.xxx.xxx.xxx:22155 DPD=none}
The above two lines indicate that the IPSec connection was made
correctly, so the IPSec portion is working.
> May 13 18:48:19 myserver pluto[28835]: "L2TP-WINXP"[2] xxx.xxx.xxx.xxx #1: received Delete SA(0x4e864e6a) payload: deleting IPSEC State #3
This line indicates that the Windows machine asked for a disconnect.
The thing to remember with Windows is it's not using IPSec but rather
L2TP over/in IPSec. And L2TP itself uses PPP in its tunnel. Since
Windows said it didn't get a response, and you can clearly see the
IPSec part is working, the problem must lie in the L2TP or PPP portion
of the connection. Did you install and configure an L2TP and PPP
daemon/server on your Linux box? If so, try looking in its logs. If not,
try downloading xl2tpd from Xelerance. Be sure to read Jacco's docs on
L2TP/IPSec connections.
http://www.xelerance.com/software/xl2tpd/
http://www.jacco2.dds.nl/networking/index.html
Peter
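The diagnostic reasoning in Peter's reply (both IKE phases established, then a Delete SA from the peer, so the fault is above IPsec) can be applied mechanically to pluto log lines. The script below is an added example, not part of the thread or of Openswan; it uses the three log lines quoted above as constructed sample input, assumes the year 2007 because syslog timestamps omit it, and its verdict strings are generic troubleshooting hints added here.

```python
import re
from datetime import datetime

# Constructed sample: the three pluto lines quoted in the thread, with the
# poster's own placeholders for the server name and the peer address.
SAMPLE_LOG = """\
May 13 18:47:39 myserver pluto[28835]: "L2TP-WINXP"[2] xxx.xxx.xxx.xxx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 13 18:47:48 myserver pluto[28835]: "L2TP-WINXP"[2] xxx.xxx.xxx.xxx #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4e864e6a <0x697cc74c xfrm=3DES_0-HMAC_MD5 NATD=xxx.xxx.xxx.xxx:22155 DPD=none}
May 13 18:48:19 myserver pluto[28835]: "L2TP-WINXP"[2] xxx.xxx.xxx.xxx #1: received Delete SA(0x4e864e6a) payload: deleting IPSEC State #3
"""

# syslog timestamp, host, pluto[pid]:, "conn"[instance] peer #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #\d+: (?P<msg>.*)$')

def parse_ts(ts, year=2007):
    # syslog lines carry no year; assume one (2007 for this thread)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def triage(log):
    """Map each peer address to a verdict saying which layer to look at next."""
    peers = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = peers.setdefault(m['peer'], {'phase1': None, 'phase2': None, 'delete': None})
        msg, ts = m['msg'], parse_ts(m['ts'])
        if 'ISAKMP SA established' in msg:      # IKE phase 1 done
            p['phase1'] = ts
        elif 'IPsec SA established' in msg:     # IKE phase 2 done, ESP is up
            p['phase2'] = ts
        elif 'received Delete SA' in msg:       # peer tore the tunnel down
            p['delete'] = ts
    verdicts = {}
    for peer, p in peers.items():
        if p['phase1'] is None:
            verdicts[peer] = 'IKE phase 1 never completed: check PSK, NAT-T and UDP 500/4500'
        elif p['phase2'] is None:
            verdicts[peer] = 'IKE phase 2 never completed: check type=transport and protoport'
        elif p['delete'] is not None:
            secs = int((p['delete'] - p['phase2']).total_seconds())
            verdicts[peer] = (f'IPsec up, peer deleted the SA after {secs}s: '
                              'look at the L2TP/PPP daemon logs, not pluto')
        else:
            verdicts[peer] = 'IPsec up and still established'
    return verdicts
```

On the quoted lines the verdict is that the peer deleted the SA 31 seconds after ESP came up, which matches the client timing out at the L2TP/PPP layer rather than failing in IKE.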