[Openswan Users] Problem with L2TP on Centos EL5

Oguz Yilmaz oguzyilmazlist at gmail.com
Wed Dec 24 14:48:57 EST 2008


I am using openswan-2.6.14-1.el5_2.1 and xl2tpd-1.1.12-1 on Centos EL5
(RHEL5). The result with l2tpd-0.69-0.4.20051030.el5 is also the same.
I can not establish L2TP vpn connection from Windows XP or Vista. On the
Windows side, it only says "Connecting".

All the logs and config portions are attached below.

Has anybody an idea?

Regards,
Oguz Yilmaz


On the Linux side, the standard error log is below:



Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: received
Vendor ID payload [RFC 3947] method set to=109
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 109
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring
Vendor ID payload [FRAGMENTATION]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring
Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Dec 24 21:29:30 2008 pluto[26350]: packet from 85.99.218.171:500: ignoring
Vendor ID payload [IKE CGA version 1]
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
responding to Main Mode from unknown peer 85.99.218.171
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 24 21:29:30 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: Main
mode peer ID is ID_IPV4_ADDR: '192.168.2.2'
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[1] 85.99.218.171 #1: switched
from "my.l2tp" to "my.l2tp"
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: deleting
connection "my.l2tp" instance with peer 85.99.218.171 {isakmp=#0/ipsec=#0}
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: new NAT
mapping for #1, was 85.99.218.171:500, now 85.99.218.171:4500
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: the peer
proposed: 81.213.213.34/32:17/1701 -> 192.168.2.2/32:17/1701
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in
duplicate_state, please report to dev at openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in
duplicate_state, please report to dev at openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in
duplicate_state, please report to dev at openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in
duplicate_state, please report to dev at openswan.org
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2:
responding to Quick Mode proposal {msgid:01000000}
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2:     us:
81.213.213.34<81.213.213.34>[+S=C]:17/1701---81.213.213.33
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2:   them:
85.99.218.171[192.168.2.2,+S=C]:17/1701===192.168.2.2/32
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 24 21:29:31 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1cb2eec3
<0xce03546a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.2
NATD=85.99.218.171:4500DPD=none}

After waiting some time, the Windows side stops trying and Linux logs:




Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: received
Delete SA(0x1cb2eec3) payload: deleting IPSEC State #2
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #2: request
to replace with shunt a prospective erouted policy with netkey kernel ---
experimental
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: received
and ignored informational message
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171 #1: received
Delete SA payload: deleting ISAKMP State #1
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp"[2] 85.99.218.171: deleting
connection "my.l2tp" instance with peer 85.99.218.171 {isakmp=#0/ipsec=#0}
Dec 24 21:29:36 2008 pluto[26350]: "my.l2tp": request to delete a unrouted
policy with netkey kernel --- experimental
Dec 24 21:29:36 2008 pluto[26350]: packet from 85.99.218.171:4500: received
and ignored informational message

While Windows is waiting, I can see in the tcpdump logs:



20:53:03.189571 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:03.189798 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:04.191453 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:04.194545 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap:
ESP(spi=0x9781aebc,seq=0x3), length 148
20:53:04.194939 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:05.193286 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:06.195141 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:07.197001 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:08.198966 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794)
*RESULT_CODE(1/0 Timeout)
20:53:08.203889 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap:
ESP(spi=0x9781aebc,seq=0x4), length 148
20:53:08.204161 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:09.199735 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794)
*RESULT_CODE(1/0 Timeout)
20:53:10.200590 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794)
*RESULT_CODE(1/0 Timeout)
20:53:11.201452 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794)
*RESULT_CODE(1/0 Timeout)
20:53:12.202314 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794)
*RESULT_CODE(1/0 Timeout)
20:53:16.206136 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap:
ESP(spi=0x9781aebc,seq=0x5), length 148
20:53:18.207467 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:19.208339 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:20.209196 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:21.210059 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:22.210910 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |...
20:53:23.211872 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161)
*RESULT_CODE(1/0 Timeout)
20:53:24.212643 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161)
*RESULT_CODE(1/0 Timeout)
20:53:25.213503 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161)
*RESULT_CODE(1/0 Timeout)
20:53:26.214358 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161)
*RESULT_CODE(1/0 Timeout)
20:53:26.220209 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap:
ESP(spi=0x9781aebc,seq=0x6), length 148
20:53:26.220482 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:27.216225 IP 81.213.213.34.1701 > 85.99.218.171.1701:
l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(53161)
*RESULT_CODE(1/0 Timeout)



########################################################

ipsec.conf is:

version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
        uniqueids=yes
        protostack=netkey

conn %default
        auto=add

conn my.l2tp
        authby=secret
        auth=esp
        left=81.213.213.34
        leftnexthop=81.213.213.33
        right=%any
        rightsubnet=vhost:%no,%priv
        rekey=no
        pfs=no
        rightid=%any
        leftprotoport=17/1701
        auto=add
        rightprotoport=17/1701
        keyingtries=3

#include /etc/ipsec.d/*.conf

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore


#########################################################

xl2tpd.conf is:

[global]
listen-addr = 81.213.213.34

[lns default]
ip range = 192.168.0.240-192.168.0.254
local ip = 192.168.0.3
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


###########################################################
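One thing worth checking in a capture like the one above is whether the L2TP control traffic actually travels inside the IPsec SA in both directions. The following script is an added example, not part of the original post: it parses tcpdump lines in the format shown (a few lines copied from the post's capture are embedded as sample input), classifies each packet as NAT-T encapsulated ESP (UDP/4500) or cleartext L2TP (UDP/1701), and reports per direction. The server address 81.213.213.34 comes from the post; the assumption, valid for a NETKEY host capturing on its external interface, is that outbound packets appear post-encryption, so an outbound plaintext L2TP packet is one that did not match any IPsec policy.

```python
import re
from collections import Counter

# Sample input: lines copied from the tcpdump excerpt in the post (abridged).
CAPTURE = """\
20:53:03.189571 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
20:53:03.189798 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=0,Nr=1 ZLB
20:53:04.194545 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap: ESP(spi=0x9781aebc,seq=0x3), length 148
20:53:08.198966 IP 81.213.213.34.1701 > 85.99.218.171.1701: l2tp:[TLS](13/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(6794) *RESULT_CODE(1/0 Timeout)
20:53:08.203889 IP 85.99.218.171.4500 > 81.213.213.34.4500: UDP-encap: ESP(spi=0x9781aebc,seq=0x4), length 148
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
MSGTYPE_RE = re.compile(r"\*MSGTYPE\((\w+)\)")


def classify(line):
    """Return (src, dst, kind, l2tp_msgtype) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP-encap: ESP"):
        kind = "esp-udp"      # IPsec-protected, NAT-T encapsulated on UDP/4500
    elif rest.startswith("l2tp:"):
        kind = "l2tp-clear"   # L2TP header visible in the clear on UDP/1701
    else:
        kind = "other"
    mt = MSGTYPE_RE.search(rest)
    return m.group("src"), m.group("dst"), kind, (mt.group(1) if mt else None)


def audit(capture, server):
    """Count ESP vs. cleartext L2TP per direction and flag replies that bypass IPsec."""
    counts = Counter()
    for line in capture.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        src, _dst, kind, msgtype = parsed
        direction = "out" if src == server else "in"
        counts[(direction, kind)] += 1
        if msgtype:
            counts[(direction, msgtype)] += 1
    # Assumption (NETKEY, capture on the external interface): outbound packets are
    # seen after encryption, so cleartext L2TP leaving the server never hit the SA.
    return {
        "server_l2tp_in_clear": counts[("out", "l2tp-clear")],
        "server_esp": counts[("out", "esp-udp")],
        "client_esp": counts[("in", "esp-udp")],
        "sccrp_sent": counts[("out", "SCCRP")],
        "stopccn_sent": counts[("out", "StopCCN")],
        "replies_bypass_ipsec": counts[("out", "l2tp-clear")] > 0 and counts[("out", "esp-udp")] == 0,
    }
```

Run against a full capture, a non-zero `server_l2tp_in_clear` with `server_esp` at zero tells you the L2TP responder is answering outside the tunnel, which is the first thing to reconcile against the Quick Mode selectors pluto logged.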