[Openswan Users] ipsec tunnel breaks down after one hour

Christian Hocken christian at hocken.net
Wed Oct 3 05:51:38 EDT 2007


Hi,
we have set up an ipsec gateway based on Openswan 2.4.5 which is  
running on Fedora Core 6 with kernel 2.6.22.7-57.fc6.
Several road warriors with different operating systems are connected  
to the gateway, including Windows XP SP2,
Windows Vista and Mac OS X. All of them are using a combination of  
ipsec and l2tp.
Initialising the connection works fine but the Vista client gets  
disconnected after one hour. It seems as if something during
the rekey attempt goes wrong.
On XP, everything works fine. The client stays connected for hours.  
In the past OS X worked fine, too. But newer tries aren't available.
I hope someone has a clue.

I'm attaching my log and config files.

Thanks a lot!

best regards
Christian Hocken

/var/log/secure:
Oct  2 22:56:43 gateway pluto[7841]: packet from 80.130.250.50:500:  
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
Oct  2 22:56:43 gateway pluto[7841]: packet from 80.130.250.50:500:  
received Vendor ID payload [RFC 3947] method set to=110
Oct  2 22:56:43 gateway pluto[7841]: packet from 80.130.250.50:500:  
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]  
meth=106, but already using method 110
Oct  2 22:56:43 gateway pluto[7841]: packet from 80.130.250.50:500:  
ignoring Vendor ID payload [FRAGMENTATION]
Oct  2 22:56:43 gateway pluto[7841]: packet from 80.130.250.50:500:  
ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
Oct  2 22:56:43 gateway pluto[7841]: packet from 80.130.250.50:500:  
ignoring Vendor ID payload [Vid-Initial-Contact]
Oct  2 22:56:43 gateway pluto[7841]: packet from 80.130.250.50:500:  
ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: responding to Main Mode from unknown peer 80.130.250.50
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.   
Attribute OAKLEY_GROUP_DESCRIPTION
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.   
Attribute OAKLEY_GROUP_DESCRIPTION
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: STATE_MAIN_R1: sent MR1, expecting MI2
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: NAT-Traversal: Result using 3: peer is NATed
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct  2 22:56:43 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: STATE_MAIN_R2: sent MR2, expecting MI3
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[3] 80.130.250.50  
#3: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW, L=Aachen,  
CN=example.com, E=user at example.com'
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#3: deleting connection "l2tp-cert-nat" instance with peer  
80.130.250.50 {isakmp=#0/ipsec=#0}
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#3: I am sending my cert
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct  2 22:56:44 gateway pluto[7841]: | NAT-T: new mapping  
80.130.250.50:500/4500)
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#3: STATE_MAIN_R3: sent MR3, ISAKMP SA established  
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha  
group=modp2048}
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#4: responding to Quick Mode {msgid:01000000}
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct  2 22:56:44 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#4: STATE_QUICK_R2: IPsec SA established {ESP=>0x67d65cc2 <0x4d8fe6fb  
xfrm=AES_128-HMAC_SHA1 NATD=80.130.250.50:4500 DPD=none}
Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: responding to Quick Mode {msgid:02000000}
Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: cannot install eroute -- it is in use for "l2tp-cert-nat"[4]  
80.130.250.50 #4
Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: responding to Quick Mode {msgid:03000000}
Oct  2 23:55:30 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: cannot install eroute -- it is in use for "l2tp-cert-nat"[4]  
80.130.250.50 #4
Oct  2 23:55:31 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: next payload type of ISAKMP Hash Payload has an unknown value: 207
Oct  2 23:55:31 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: malformed payload in packet
Oct  2 23:55:31 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: sending notification PAYLOAD_MALFORMED to 80.130.250.50:4500
Oct  2 23:55:31 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: next payload type of ISAKMP Hash Payload has an unknown value: 195
Oct  2 23:55:31 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: malformed payload in packet
Oct  2 23:55:33 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: next payload type of ISAKMP Hash Payload has an unknown value: 207
Oct  2 23:55:33 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: malformed payload in packet
Oct  2 23:55:33 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: sending notification PAYLOAD_MALFORMED to 80.130.250.50:4500
Oct  2 23:55:33 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: next payload type of ISAKMP Hash Payload has an unknown value: 195
Oct  2 23:55:33 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: malformed payload in packet
Oct  2 23:55:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: next payload type of ISAKMP Hash Payload has an unknown value: 207
Oct  2 23:55:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: malformed payload in packet
Oct  2 23:55:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: sending notification PAYLOAD_MALFORMED to 80.130.250.50:4500
Oct  2 23:55:37 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: next payload type of ISAKMP Hash Payload has an unknown value: 195
Oct  2 23:55:37 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: malformed payload in packet
Oct  2 23:55:45 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: next payload type of ISAKMP Hash Payload has an unknown value: 207
Oct  2 23:55:45 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: malformed payload in packet
Oct  2 23:55:45 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: sending notification PAYLOAD_MALFORMED to 80.130.250.50:4500
Oct  2 23:55:45 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: next payload type of ISAKMP Hash Payload has an unknown value: 195
Oct  2 23:55:45 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: malformed payload in packet
Oct  2 23:56:01 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: next payload type of ISAKMP Hash Payload has an unknown value: 207
Oct  2 23:56:01 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: malformed payload in packet
Oct  2 23:56:01 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: sending notification PAYLOAD_MALFORMED to 80.130.250.50:4500
Oct  2 23:56:01 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: next payload type of ISAKMP Hash Payload has an unknown value: 195
Oct  2 23:56:01 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: malformed payload in packet
Oct  2 23:56:18 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: next payload type of ISAKMP Hash Payload has an unknown value: 207
Oct  2 23:56:18 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: malformed payload in packet
Oct  2 23:56:18 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#6: sending notification PAYLOAD_MALFORMED to 80.130.250.50:4500
Oct  2 23:56:18 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: next payload type of ISAKMP Hash Payload has an unknown value: 195
Oct  2 23:56:18 gateway pluto[7841]: "l2tp-cert-nat"[5] 80.130.250.50  
#5: malformed payload in packet
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#3: received Delete SA(0x67d65cc2) payload: deleting IPSEC State #4
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#3: received and ignored informational message
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[4] 80.130.250.50  
#3: received Delete SA payload: deleting ISAKMP State #3
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[4]  
80.130.250.50: deleting connection "l2tp-cert-nat" instance with peer  
80.130.250.50 {isakmp=#0/ipsec=#0}
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
received and ignored informational message
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
received Vendor ID payload [RFC 3947] method set to=110
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]  
meth=106, but already using method 110
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring Vendor ID payload [FRAGMENTATION]
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring Vendor ID payload [Vid-Initial-Contact]
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#7: responding to Main Mode from unknown peer 80.130.250.50
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#7: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.   
Attribute OAKLEY_GROUP_DESCRIPTION
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#7: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.   
Attribute OAKLEY_GROUP_DESCRIPTION
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#7: STATE_MAIN_R1: sent MR1, expecting MI2
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
received Vendor ID payload [RFC 3947] method set to=110
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]  
meth=106, but already using method 110
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring Vendor ID payload [FRAGMENTATION]
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
Oct  2 23:56:35 gateway pluto[7841]: packet from 80.130.250.50:4500:  
ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: responding to Main Mode from unknown peer 80.130.250.50
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.   
Attribute OAKLEY_GROUP_DESCRIPTION
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.   
Attribute OAKLEY_GROUP_DESCRIPTION
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct  2 23:56:35 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: STATE_MAIN_R1: sent MR1, expecting MI2
Oct  2 23:56:36 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: NAT-Traversal: Result using 3: peer is NATed
Oct  2 23:56:36 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct  2 23:56:36 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: STATE_MAIN_R2: sent MR2, expecting MI3
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW, L=Aachen,  
CN=example.com, E=user at example.com'
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: I am sending my cert
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: STATE_MAIN_R3: sent MR3, ISAKMP SA established  
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha  
group=modp2048}
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[7] 80.130.250.50  
#9: responding to Quick Mode {msgid:01000000}
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[7] 80.130.250.50  
#9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[7] 80.130.250.50  
#9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[8] 80.130.250.50  
#10: responding to Quick Mode {msgid:02000000}
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[8] 80.130.250.50  
#10: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun. 
10000 at 91.42.98.182 included errno 17: File exists
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[8] 80.130.250.50  
#10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[8] 80.130.250.50  
#10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[9] 80.130.250.50  
#11: responding to Quick Mode {msgid:03000000}
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[9] 80.130.250.50  
#11: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun. 
10000 at 91.42.98.182 included errno 17: File exists
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[9] 80.130.250.50  
#11: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[9] 80.130.250.50  
#11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[7] 80.130.250.50  
#9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[7] 80.130.250.50  
#9: STATE_QUICK_R2: IPsec SA established {ESP=>0x8f4a20bd <0x2a246326  
xfrm=AES_128-HMAC_SHA1 NATD=80.130.250.50:4500 DPD=none}
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[8] 80.130.250.50  
#10: cannot install eroute -- it is in use for "l2tp-cert-nat"[7]  
80.130.250.50 #9
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[9] 80.130.250.50  
#11: cannot install eroute -- it is in use for "l2tp-cert-nat"[7]  
80.130.250.50 #9
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received Delete SA(0x8f4a20bd) payload: deleting IPSEC State #9
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: deleting connection "l2tp-cert-nat" instance with peer  
80.130.250.50 {isakmp=#0/ipsec=#0}
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received and ignored informational message
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x3c782bb6) not  
found (maybe expired)
Oct  2 23:56:37 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received and ignored informational message
Oct  2 23:56:48 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: ignoring informational payload, type INVALID_PAYLOAD_TYPE
Oct  2 23:56:48 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received and ignored informational message
Oct  2 23:57:07 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: ignoring informational payload, type INVALID_PAYLOAD_TYPE
Oct  2 23:57:07 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received and ignored informational message
Oct  2 23:57:45 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#7: max number of retransmissions (2) reached STATE_MAIN_R1
Oct  2 23:57:47 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: ignoring informational payload, type INVALID_PAYLOAD_TYPE
Oct  2 23:57:47 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received and ignored informational message
Oct  2 23:58:26 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7de1d58e) not  
found (maybe expired)
Oct  2 23:58:26 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received and ignored informational message
Oct  2 23:58:26 gateway pluto[7841]: "l2tp-cert-nat"[6] 80.130.250.50  
#8: received Delete SA payload: deleting ISAKMP State #8
Oct  2 23:58:26 gateway pluto[7841]: packet from 80.130.250.50:4500:  
received and ignored informational message
Oct  3 00:00:30 gateway pluto[7841]: "l2tp-cert-nat"[6]  
80.130.250.50: deleting connection "l2tp-cert-nat" instance with peer  
80.130.250.50 {isakmp=#0/ipsec=#0}
Oct  3 00:00:30 gateway pluto[7841]: "l2tp-cert-nat"[5]  
80.130.250.50: deleting connection "l2tp-cert-nat" instance with peer  
80.130.250.50 {isakmp=#0/ipsec=#0}
Oct  3 00:03:55 gateway su: pam_unix(su:session): session closed for  
user root
Oct  3 00:03:57 gateway sshd[9153]: pam_unix(sshd:session): session  
closed for user christianhocken
Oct  3 00:07:10 gateway pluto[7841]: ERROR: asynchronous network  
error report on ppp0 (sport=4500) for message to 80.130.250.50 port  
4500, complainant 80.130.250.50: No route to host [errno 113, origin  
ICMP type 3 code 1 (not authenticated)]
Oct  3 00:07:10 gateway pluto[7841]: ERROR: asynchronous network  
error report on ppp0 (sport=4500) for message to 80.130.250.50 port  
4500, complainant 80.130.250.50: No route to host [errno 113, origin  
ICMP type 3 code 1 (not authenticated)]
Oct  3 00:07:47 gateway pluto[7841]: ERROR: asynchronous network  
error report on ppp0 (sport=4500) for message to 80.130.250.50 port  
4500, complainant 80.130.250.50: No route to host [errno 113, origin  
ICMP type 3 code 13 (not authenticated)]
Oct  3 00:08:27 gateway last message repeated 2 times
Oct  3 00:09:08 gateway last message repeated 3 times
Oct  3 00:09:47 gateway pluto[7841]: "l2tp-cert-nat"[9] 80.130.250.50  
#11: max number of retransmissions (20) reached STATE_QUICK_R1
Oct  3 00:09:47 gateway pluto[7841]: "l2tp-cert-nat"[9]  
80.130.250.50: deleting connection "l2tp-cert-nat" instance with peer  
80.130.250.50 {isakmp=#0/ipsec=#0}
Oct  3 00:09:47 gateway pluto[7841]: "l2tp-cert-nat"[8] 80.130.250.50  
#10: max number of retransmissions (20) reached STATE_QUICK_R1
Oct  3 00:09:47 gateway pluto[7841]: "l2tp-cert-nat"[8]  
80.130.250.50: deleting connection "l2tp-cert-nat" instance with peer  
80.130.250.50 {isakmp=#0/ipsec=#0}

/usr/sbin/ipsec whack --status (no tunnels up):
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 192.168.24.1
000 interface eth1/eth1 192.168.24.1
000 interface ppp0/ppp0 91.42.98.182
000 interface ppp0/ppp0 91.42.98.182
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,  
keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,  
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,  
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,  
keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,  
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8,  
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,  
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,  
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,  
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,  
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,  
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,  
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,  
keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,  
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,  
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}  
trans={0,0,0} attrs={0,0,0}
000
000 "l2tp-cert-nat": 91.42.98.182[C=DE, ST=NRW, L=Aachen,  
CN=example.com, E=gateway at example.com]:17/1701...%virtual:17/% 
any===?; unrouted; eroute owner: #0
000 "l2tp-cert-nat":     srcip=unset; dstip=unset; srcup=ipsec  
_updown; dstup=ipsec _updown;
000 "l2tp-cert-nat":   CAs: 'C=DE, ST=NRW, L=Aachen, CN=VPN Aachen  
rootCA, E=ca at example.com'...'C=DE, ST=NRW, L=Aachen, CN=VPN Aachen  
rootCA, E=ca at example.com'
000 "l2tp-cert-nat":   ike_life: 3600s; ipsec_life: 28800s;  
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "l2tp-cert-nat":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio:  
32,32; interface: ppp0;
000 "l2tp-cert-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0;


ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all"  
for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,% 
v4:192.168.0.0/16,%v4:!192.168.24.0/24

include /etc/ipsec.d/*.conf




and finally my connection:
conn l2tp-cert-nat
         #
         # Configuration for users with any type of IPsec/L2TP client
         # including the updated Windows 2000/XP (MS KB Q818043), but
         # excluding the non-updated Windows 2000/XP.
         #
         #
         # Use a certificate. Disable Perfect Forward Secrecy.
         #
         authby=rsasig
         pfs=no
         #
         # Add connection.
         #
         auto=add
         #
         # We cannot rekey for %any, let client rekey.
         #
         rekey=no
         #
         #
         # Do not enable the line below. It is implicitely used, and
         # specifying it will currently break when using nat-t.
         #
         # type=transport. See http://bugs.xelerance.com/view.php?id=466
         #
         #
         # The server:
         #
         left=%defaultroute
         leftrsasigkey=%cert
         leftcert=/etc/ipsec.d/certs/example.com-cert.pem
         leftprotoport=17/1701
         #
         #
         # The remote user:
         #
         right=%any
         rightsubnet=vhost:%no,%priv
         rightca=%same
         rightrsasigkey=%cert
         rightprotoport=17/%any



More information about the Users mailing list