[Openswan Users] Not able to communicate to other subnets
Bram Jansen
bramsbox at gmail.com
Thu Apr 3 13:29:15 EDT 2008
Hi,
I've configured openswan with Jacco's page "Using a Linux L2TP/IPsec VPN
server" almost successfully with the exception that I am not able to
communicate/ping to the openswan linux server when the connection is routed
to another subnet.
My Openswan server is an up to date Debian Etch server with all the latest
packages.
When I'm in the same subnet and the packets aren't routed, the
communication works flawlessly. This is all configured without NAT-T and is
tested in a private range subnet. Everything is configured according to
Jacco's page and the Debian defaults. The connection is established
"correctly", as in that everything connects and the "connected to OPENSWAN
server" icon appears in the tray. I also see that when it doesn't work the
ppp0 interface disappears after a number of seconds on the openswan gateway
and then 30 or more seconds later the connection on the Windows box is
disconnected.
I've checked a few things:
1. I disabled the firewall on my router so no traffic is blocked
2. I connected my laptop in the same subnet and then it did work
correctly
3. I tried the latest l2tp package from Jacco's page, but I don't think
it is an l2tp/ppp problem anymore
4. Upgraded Openswan, l2tpd and pppd to the Debian testing branch
I try not to bore you guys with too many log and config texts, but here's
the minimum that I think could be helpful.
Thanks anyway,
Bram
In the logs I see the following message:
Examples/l2tpd-psk.conf:
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
# we cannot rekey for %any, let client rekey
rekey=no
type=transport
#
left=%defaultroute
# or you can use: left=YourIPAddress
#
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
#leftnexthop=%defaulroute
#
# The remote user.
#
right=%any
rightprotoport=17/1701
Openswan log :
Apr 3 01:15:05 sector pluto[29980]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to 192.168.54.250 port
500, complainant 192.168.98.2: No route to host [errno 113, origin ICMP
type 3 code 1 (not authenticated)]
L2tpd log:
Apr 3 01:13:57 sector l2tpd[29801]: control_xmit: Maximum retries exceeded
for tunnel 46545. Closing.
Apr 3 01:13:58 sector l2tpd[29801]: call_close : Connection 1 closed to
192.168.54.250, port 1701 (Timeout)
Apr 3 01:14:02 sector l2tpd[29801]: check_control: control, cid = 0, Ns =
4, Nr = 2
Apr 3 01:14:02 sector l2tpd[29801]: handle_avps: handling avp's for tunnel
46545, call 29577
Apr 3 01:14:02 sector l2tpd[29801]: message_type_avp: message type 6
(Hello)
Apr 3 01:14:02 sector l2tpd[29801]: control_xmit: Unable to deliver closing
message for tunnel 46545. Destroying anyway.
Apr 3 01:14:12 sector l2tpd[29801]: get_call:can't find tunnel 46545
Apr 3 01:14:12 sector l2tpd[29801]: network_thread: unable to find call or
tunnel to handle packet. call = 0, tunnel = 46545 Dumpi
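As an added diagnostic aid that is not part of Bram's post or of Openswan itself, the Python below parses the pluto "asynchronous network error report" line quoted above and reports who sent the ICMP error, what the type/code means, and whether the reporter is an intermediate hop rather than the client; the log line is copied from the post, the /24 prefix length is an assumption.

```python
import re
import ipaddress
from typing import Optional

# Sample input: the pluto ERROR line from the post, rejoined onto one line.
PLUTO_LINE = (
    "Apr 3 01:15:05 sector pluto[29980]: ERROR: asynchronous network error "
    "report on eth0 (sport=500) for message to 192.168.54.250 port 500, "
    "complainant 192.168.98.2: No route to host [errno 113, origin ICMP "
    "type 3 code 1 (not authenticated)]"
)

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 5: "source route failed",
    13: "communication administratively prohibited",
}

PATTERN = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) "
    r"for message to (?P<dst>[\d.]+) port (?P<dport>\d+), "
    r"complainant (?P<complainant>[\d.]+): (?P<text>[^\[]+?) "
    r"\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)"
)

def parse_pluto_error(line: str) -> Optional[dict]:
    """Extract destination, complainant and ICMP details; None if not an error report."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "errno", "type", "code"):
        rec[key] = int(rec[key])
    return rec

def diagnose(rec: dict, prefixlen: int = 24) -> dict:
    """Say who reported the error and what it means (prefixlen is an assumed subnet size)."""
    dst = ipaddress.ip_address(rec["dst"])
    complainant = ipaddress.ip_address(rec["complainant"])
    # A complainant other than the destination is a router on the path: the
    # return path toward the client breaks at or after that hop.
    reporter = "destination host" if complainant == dst else "intermediate hop"
    if rec["type"] == 3:
        meaning = ICMP_UNREACH_CODES.get(rec["code"], "unknown code")
    else:
        meaning = "not a destination-unreachable message"
    dst_net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
    # ICMP errors carry no authentication (pluto says so itself), so confirm
    # with the routing table before acting on one.
    return {"reporter": reporter, "meaning": meaning, "authenticated": False,
            "complainant_on_dst_subnet": complainant in dst_net}
```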