[Openswan Users] Freeswan Query
Peter Njiiri
pnjiiri at novell.ae
Sun May 20 04:33:52 EDT 2007
Hi,
Thank you for your feedback. I'm running a Windows roadwarrior as well
as a SUSE Linux roadwarrior on two different workstations. My original
plan was to run the configuration with both L2TP and without. Is it
possible to run both on the system, for example have conn
roadwarrior-l2tp-updatedwin run for Windows L2TP and conn roadwarrior
run for Linux and Windows (non-L2TP) clients? At the end of my email is
the modified ipsec.conf.
If I can't run it this way, how can the configuration be changed to run
for both a Linux and Windows workstation (non-L2TP), since Linux cannot
run an L2TP connection (am I wrong in assuming this)? Lastly, I was
testing out the Linux workstation within the same (internal) network as
the VPN gateway. The tunnel is created but I cannot ping the VPN gateway
(unsuccessful ping). A tcpdump on the VPN server (10.x.x.2) during the ping
request only shows 12:12:22.976070 IP 10.x.x.14 > 10.x.x.2:
ESP(spi=0x3274c0e8,seq=0x5e). Client IP is 10.x.x.14. What would be the
reason for ping not working? Must I test this connectivity from a remote
location? Below is an excerpt from the /var/log/messages file. Thanks
for your time.
ipsec__plutorun: Starting Pluto subsystem...
ipsec_setup: ...FreeS/WAN IPsec started
pluto[23329]: Starting Pluto (FreeS/WAN Version 2.04 X.509-1.5.4
LIBCURL PLUTO_USES_KEYRR)
pluto[23329]: including NAT-Traversal patch (Version 0.6)
pluto[23329]: Using Linux 2.6 IPsec interface code
ipsec__plutorun: whack error: "roadwarrior-l2tp-updatedwin" no / in
subnet specification "vhost;%no,%priv"
ipsec__plutorun: ...could not add conn "roadwarrior-l2tp-updatedwin"
pluto[23329]: listening for IKE messages
pluto[23329]: adding interface vmnet8/vmnet8 172.16.57.1
pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload
[4f454e7c454d716b...]
pluto[23329]: packet from 10.x.x.14:500: received Vendor ID payload
[Dead Peer Detection]
pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload
[4a131c8107035845...]
pluto[23329]: packet from 10.x.x.14:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
pluto[23329]: "roadwarrior"[1] 10.x.x.14 #1: responding to Main Mode
from unknown peer 10.x.x.x
pluto[23329]: "roadwarrior"[1] 10.x.x.14 #1: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
pluto[23329]: "roadwarrior"[1] 10.x.x.14 #1: issuer crl not found
pluto[23329]: "roadwarrior"[2] 10.x.x.14 #1: deleting connection
"roadwarrior" instance with peer 10.x.x.x {isakmp=#0/ipsec=#0}
pluto[23329]: "roadwarrior"[2] 10.x.x.14 #1: sent MR3, ISAKMP SA
established
pluto[23329]: "roadwarrior"[2] 10.x.x.14 #2: responding to Quick
Mode
pluto[23329]: "roadwarrior"[2] 10.x.x.14 #2: IPsec SA established
{ESP=>0x773aa749 <0x3274c0e8}
ipsec.conf file.
version 2.0
config setup
    nat_traversal=yes
    strictcrlpolicy=no
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
conn %default
conn clear
    auto=ignore
conn private
    auto=ignore
conn packetdefault
    auto=ignore
conn clear-or-private
    auto=ignore
conn private-or-clear
    auto=ignore
conn block
    auto=ignore
conn OEself
    auto=ignore
conn roadwarrior-l2tp-updatedwin
    left=10.x.x.2
    leftcert=path/xxx_01.pem
    leftprotoport=17/1701
    leftnexthop=10.x.x.254
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost;%no,%priv
    keyingtries=3
    pfs=no
    auto=add
conn roadwarrior
    authby=rsasig
    auto=add
    esp=aes,3des
    keyingtries=3
    left=%defaultroute
    leftcert=path/xxx_01.pem
    leftid="x.x.x.x"
    leftrsasigkey=%cert
    pfs=yes
    right=%any
    rightrsasigkey=%cert
Kind Regards
Peter
>>> Jacco de Leeuw <jacco2 at dds.nl> 18/05/2007 23:50 >>>
Peter Njiiri wrote:
> My VPN Linux server is behind a Linux Gateway/NAT.
>
> VPN Server ----> Gateway (eth0-10.x.x.254/24 <--> eth1-70.x.x.x)
Remove this section:
> conn roadwarrior-l2tp
>     leftprotoport=17/0
>     rightprotoport=17/1701
>     also=roadwarrior
> conn roadwarrior-l2tp-updatedwin
Change this section to something like this:
conn roadwarrior-l2tp-updatedwin
    left=10.x.x.x
    leftcert=path/xxx_01.pem
    leftprotoport=17/1701
    leftnexthop=10.x.x.254
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    keyingtries=3
    pfs=no
    auto=add
Remove this section:
> conn L2TP-CERT
>     # ...Existing parameters
>     left=10.x.x.x
>     leftnexthop=10.x.x.254
>     rightsubnet=vhost:%no,%priv
Do you want to use L2TP/IPsec or IPsec without L2TP?
The following section is for IPsec without L2TP:
> conn roadwarrior
> [...]
The following seems to indicate you are using the IPsec
client by Marcus Muller, which is no longer recommended:
> Windows roadwarrior is as follows:
>
> conn me_to_vpngateway
> pfs=yes
> auto=start
> network=auto
> left=%any
> right=DNSname (FQDN) of server
> rightca="xxxxx"
Better use something like the Linsys client, the Shrew client
or a commercial IPsec client.
> the gateway and it's failing. I've followed the link
> http://www.natecarlson.com/linux/ipsec-x509-fs1.php,
This is an old page for IPsec without L2TP.
> http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed
> and http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#SP2
These are pages for L2TP/IPsec.
> (Windows registry addition) but no success. I receive the Error 789 from
> the windows client.
This is an L2TP/IPsec (dial-up networking) error message.
It looks like you haven't made your mind up whether you want to use L2TP/IPsec
or IPsec without L2TP. That's an important decision to make before you begin.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
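The whack error in the log above ("no / in subnet specification") comes from the semicolon in rightsubnet=vhost;%no,%priv, which pluto does not recognise as the vhost: form, so the whole conn is dropped. As an added example (not code from the thread or from Openswan), here is a small ipsec.conf linter that parses the section/parameter layout, reports that exact mistake before ipsec is restarted, and tells the L2TP conns (UDP 1701 on the right) apart from plain IPsec conns. SAMPLE_CONF is a constructed copy of the two roadwarrior conns from the post.

```python
import re

# Constructed sample: the two roadwarrior conns from the post above, including the
# 'vhost;' typo that produced "no / in subnet specification" in the pluto log.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost;%no,%priv
conn roadwarrior
    left=%defaultroute
    right=%any
    rightrsasigkey=%cert
"""

def parse_ipsec_conf(text):
    """Return {'config setup': {...}, conn_name: {key: value}, ...}.
    Section headers start in column 0; parameters are the indented key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:
            kind, name = header.groups()
            current = name if kind == "conn" else f"config {name}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint_rightsubnet(name, params):
    """Report the mistake pluto rejects: a rightsubnet that is neither a CIDR
    nor the 'vhost:' virtual-host form. pluto then refuses to add the conn."""
    subnet = params.get("rightsubnet")
    if subnet is None or subnet.startswith("vhost:") or "/" in subnet:
        return []
    hint = " (use 'vhost:' with a colon)" if subnet.startswith("vhost") else ""
    return [f'"{name}": no / in subnet specification "{subnet}"{hint}']

def classify_conns(sections):
    """Map each conn to 'l2tp' (UDP 1701 on the right) or 'plain' IPsec."""
    return {n: ("l2tp" if p.get("rightprotoport") == "17/1701" else "plain")
            for n, p in sections.items() if not n.startswith("config ")}
```

Running lint_rightsubnet over every conn returned by parse_ipsec_conf before restarting ipsec catches the dropped conn without having to read /var/log/messages afterwards.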