[Openswan Users] VPN connection now failing

Mark Williams mwp at mwp.id.au
Tue Aug 19 12:43:28 EDT 2008


Greetings all,

My openswan VPN connection has been working perfectly for a few months
now up until a few days ago.
Nothing at the client (behind NAT) or server (no NAT) end has changed
with regard to VPN or other networking configs.

ipsec makes the connection properly (or so it says)...

......
004 "cf-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}
117 "cf-tunnel" #2: STATE_QUICK_I1: initiate
004 "cf-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x588b4438 <0x1c42cbfc xfrm=AES_0-HMAC_SHA1
NATD=66.45.165.34:4500 DPD=none}

Then on trying to connect with xl2tpd I get:

xl2tpd[5112]: get_call: allocating new tunnel for host 66.xxx.xxx.xxx,
port 1701.
xl2tpd[5112]: Connecting to host vpn.xxxx.net, port 1701
xl2tpd[5112]: control_finish: message type is (null)(0).  Tunnel is 0,
call is 0.
xl2tpd[5112]: control_finish: sending SCCRQ
xl2tpd[5112]: Maximum retries exceeded for tunnel 23247.  Closing.
xl2tpd[5112]: build_fdset: closing down tunnel 23247
xl2tpd[5112]: Connection 0 closed to 66.xxx.xxx.xxx, port 1701 (Timeout)
xl2tpd[5112]: Unable to deliver closing message for tunnel 23247.
Destroying anyway.
xl2tpd[5112]: build_fdset: closing down tunnel 23247

tcpdump shows this on the xl2tpd connection attempt:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
01:52:59.438391 IP vpn.xxxx.net.4500 > 192.168.0.1.4500: isakmp-nat-keep-alive
01:52:59.670699 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x3d), length 180
01:53:00.674569 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x3e), length 180
01:53:01.678525 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x3f), length 180
01:53:02.683008 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x40), length 180
01:53:03.686395 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x41), length 180
01:53:04.690406 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x42), length 116
01:53:05.694305 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x43), length 116
01:53:06.698253 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x44), length 116
01:53:07.230232 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: isakmp-nat-keep-alive
01:53:07.702195 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x45), length 116
01:53:08.706143 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x46), length 116

Any ideas what's wrong here??

Thanks all!!
Mark Williams.
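
An added example, not part of the original post: a short Python script that rejoins the mail-wrapped tcpdump records shown above and counts ESP packets per direction and SPI, which makes it easy to see whether any ESP traffic came back from the peer. The function names, and treating 192.168.0.1 as the capturing host, are assumptions; the sample lines are an excerpt of the capture in the post.

```python
import re
from collections import Counter

# Excerpt of the capture quoted above, including the mail client's wrap
# after "UDP-encap:" (a record is split across two lines).
SAMPLE = """\
01:52:59.438391 IP vpn.xxxx.net.4500 > 192.168.0.1.4500: isakmp-nat-keep-alive
01:52:59.670699 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x3d), length 180
01:53:00.674569 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: UDP-encap:
ESP(spi=0x5270079e,seq=0x3e), length 180
01:53:07.230232 IP 192.168.0.1.4500 > vpn.xxxx.net.4500: isakmp-nat-keep-alive
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
PKT = re.compile(r"^\S+ IP (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.\d+: ")
ESP = re.compile(r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def unwrap(text):
    """Rejoin records that were wrapped onto a continuation line."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())      # a new timestamped record
        else:
            records[-1] += " " + line.strip() # continuation of the previous one
    return records

def esp_flows(text, local):
    """Count ESP packets per (direction, SPI); `local` is the capturing host."""
    flows = Counter()
    for rec in unwrap(text):
        pkt, esp = PKT.match(rec), ESP.search(rec)
        if not (pkt and esp):
            continue  # NAT keep-alives, tcpdump banner lines, etc.
        direction = "out" if pkt["src"] == local else "in"
        flows[(direction, esp.group(1))] += 1
    return flows

def one_way(flows):
    """True when ESP was sent but no ESP was received."""
    sent = sum(n for (d, _), n in flows.items() if d == "out")
    recv = sum(n for (d, _), n in flows.items() if d == "in")
    return sent > 0 and recv == 0

if __name__ == "__main__":
    flows = esp_flows(SAMPLE, "192.168.0.1")
    print(dict(flows), "one-way ESP:", one_way(flows))
```

The SPI values in the result can be compared with the ones pluto prints on its "IPsec SA established" line.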

