[Openswan Users] Problem with openswan and l2tpd
Jean-Michel Caricand
jean-michel.caricand at lifc.univ-fcomte.fr
Thu Feb 14 13:10:55 EST 2008
Le jeudi 14 février 2008 18:07, Denis Beltramo a écrit :
> Hello to all,
>
> i am an user of openswan, I have installed it on debian 4.0 from repository
> with deb package. then i have installed l2tpd. I have tried the connection
> net-to-net from linux and linux, the i have tried a connection with
> certificate with linux and window but i have the problem: the tunnels go up
> but during l2tpnd negotiation it kill the tunnel and doesn't work. I have
> controllet ip forward and rp_reverse but it's all ok. this is my log:
>
> ipsec barf:
>
> Feb 14 19:09:57 testradiu2 pluto[30239]: "roadwarrior"[20] 172.31.1.192
> #19: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Feb 14 19:09:57 testradiu2 pluto[30239]: "roadwarrior-l2tp"[10]
> 172.31.1.192#20: responding to Quick Mode {msgid:46a0bcab}
> Feb 14 19:09:57 testradiu2 pluto[30239]: "roadwarrior-l2tp"[10]
> 172.31.1.192#20: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
> Feb 14 19:09:57 testradiu2 pluto[30239]: "roadwarrior-l2tp"[10]
> 172.31.1.192#20: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
> expecting QI2
> Feb 14 19:09:57 testradiu2 pluto[30239]: "roadwarrior-l2tp"[10]
> 172.31.1.192#20: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
> Feb 14 19:09:57 testradiu2 pluto[30239]: "roadwarrior-l2tp"[10]
> 172.31.1.192#20: STATE_QUICK_R2: IPsec SA established {ESP=>0xc80a638d
> <0x7d6591a3
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> Feb 14 19:10:32 testradiu2 pluto[30239]: "roadwarrior"[20] 172.31.1.192
> #19: received Delete SA(0xc80a638d) payload: deleting IPSEC State #20
> Feb 14 19:10:32 testradiu2 pluto[30239]: "roadwarrior"[20] 172.31.1.192
> #19: deleting connection "roadwarrior-l2tp" instance with peer
> 172.31.1.192{isakmp=#0/ipsec=#0}
> Feb 14 19:10:32 testradiu2 pluto[30239]: "roadwarrior"[20] 172.31.1.192
> #19: received and ignored informational message
> Feb 14 19:10:32 testradiu2 pluto[30239]: "roadwarrior"[20] 172.31.1.192
> #19: received Delete SA payload: deleting ISAKMP State #19
> Feb 14 19:10:32 testradiu2 pluto[30239]: "roadwarrior"[20] 172.31.1.192:
> deleting connection "roadwarrior" instance with peer
> 172.31.1.192{isakmp=#0/ipsec=#0}
> Feb 14 19:10:32 testradiu2 pluto[30239]: packet from 172.31.1.192:500:
> received and ignored informational message
>
> and /var/log/daemon.log:
>
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: ourtid = 24188, entropy_buf = 5e7c
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: ourcid = 47579, entropy_buf = b9db
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: check_control: control, cid = 0,
> Ns = 0, Nr = 0
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: handle_avps: handling avp's for
> tunnel 24188, call 47579
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: message_type_avp: message type 1
> (Start-Control-Connection-Request)
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: protocol_version_avp: peer is
> using version 1, revision 0.
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: framing_caps_avp: supported peer
> frames: sync
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: bearer_caps_avp: supported peer
> bearers:
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: firmware_rev_avp: peer reports
> firmware version 1280 (0x0500)
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: hostname_avp: peer reports
> hostname 'admin-e5d20a8be'
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: vendor_avp: peer reports vendor
> 'Microsoft'
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: assigned_tunnel_avp: using peer's
> tunnel 32
> Feb 14 19:37:39 testradiu2 l2tpd[29852]: receive_window_size_avp: peer
> wants RWS of 8. Will use flow control.
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: ourtid = 216, entropy_buf = d8
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: ourcid = 31780, entropy_buf = 7c24
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: check_control: control, cid = 0,
> Ns = 0, Nr = 0
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: handle_avps: handling avp's for
> tunnel 216, call 31780
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: message_type_avp: message type 1
> (Start-Control-Connection-Request)
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: protocol_version_avp: peer is
> using version 1, revision 0.
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: framing_caps_avp: supported peer
> frames: sync
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: bearer_caps_avp: supported peer
> bearers:
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: firmware_rev_avp: peer reports
> firmware version 1280 (0x0500)
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: hostname_avp: peer reports
> hostname 'admin-e5d20a8be'
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: vendor_avp: peer reports vendor
> 'Microsoft'
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: assigned_tunnel_avp: using peer's
> tunnel 32
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: receive_window_size_avp: peer
> wants RWS of 8. Will use flow control.
> Feb 14 19:37:40 testradiu2 l2tpd[29852]: control_finish: Peer requested
> tunnel 32 twice, ignoring second one.
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: ourtid = 9445, entropy_buf = 24e5
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: ourcid = 41286, entropy_buf = a146
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: check_control: control, cid = 0,
> Ns = 0, Nr = 0
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: handle_avps: handling avp's for
> tunnel 9445, call 41286
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: message_type_avp: message type 1
> (Start-Control-Connection-Request)
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: protocol_version_avp: peer is
> using version 1, revision 0.
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: framing_caps_avp: supported peer
> frames: sync
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: bearer_caps_avp: supported peer
> bearers:
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: firmware_rev_avp: peer reports
> firmware version 1280 (0x0500)
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: hostname_avp: peer reports
> hostname 'admin-e5d20a8be'
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: vendor_avp: peer reports vendor
> 'Microsoft'
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: assigned_tunnel_avp: using peer's
> tunnel 32
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: receive_window_size_avp: peer
> wants RWS of 8. Will use flow control.
> Feb 14 19:37:42 testradiu2 l2tpd[29852]: control_finish: Peer requested
> tunnel 32 twice, ignoring second one.
>
> and tcpdump:
>
>
>
> 19:37:39.324723 IP 172.31.1.192.isakmp > 172.31.1.190.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
> 19:37:39.330324 IP 172.31.1.190.isakmp > 172.31.1.192.isakmp: isakmp: phase
> 2/others R oakley-quick[E]
> 19:37:39.331714 IP 172.31.1.192.isakmp > 172.31.1.190.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
> 19:37:39.332620 IP 172.31.1.192 > 172.31.1.190:
> ESP(spi=0xcef51c62,seq=0x1), length 148
> 19:37:39.369614 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:40.319704 IP 172.31.1.192 > 172.31.1.190:
> ESP(spi=0xcef51c62,seq=0x2), length 148
> 19:37:40.323999 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 ZLB
> 19:37:40.371747 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:41.375720 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:42.319557 IP 172.31.1.192 > 172.31.1.190:
> ESP(spi=0xcef51c62,seq=0x3), length 148
> 19:37:42.325942 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 ZLB
> 19:37:42.379704 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:43.051593 arp who-has 172.31.1.192 tell 172.31.1.190
> 19:37:43.051937 arp reply 172.31.1.192 is-at 00:0f:b0:bc:1d:92 (oui
> Unknown) 19:37:43.383678 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:44.387892 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(24188)
> *RESULT_CODE(1/0 Timeout)
> 19:37:45.391641 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(24188)
> *RESULT_CODE(1/0 Timeout)
> 19:37:46.319304 IP 172.31.1.192 > 172.31.1.190:
> ESP(spi=0xcef51c62,seq=0x4), length 148
> 19:37:46.325648 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 ZLB
> 19:37:46.399610 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(24188)
> *RESULT_CODE(1/0 Timeout)
> 19:37:47.403588 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(24188)
> *RESULT_CODE(1/0 Timeout)
> 19:37:48.407564 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(24188)
> *RESULT_CODE(1/0 Timeout)
> 19:37:54.318773 IP 172.31.1.192 > 172.31.1.190:
> ESP(spi=0xcef51c62,seq=0x5), length 148
> 19:37:54.325420 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:55.331432 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:56.335393 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:57.339364 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:58.343349 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
> *BEARER_CAP() |...
> 19:37:59.347561 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(34515)
> *RESULT_CODE(1/0 Timeout)
> 19:38:00.351321 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(34515)
> *RESULT_CODE(1/0 Timeout)
> 19:38:01.355280 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(34515)
> *RESULT_CODE(1/0 Timeout)
> 19:38:02.359260 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(34515)
> *RESULT_CODE(1/0 Timeout)
> 19:38:03.363235 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(34515)
> *RESULT_CODE(1/0 Timeout)
> 19:38:04.318148 IP 172.31.1.192 > 172.31.1.190:
> ESP(spi=0xcef51c62,seq=0x6), length 148
> 19:38:04.324785 IP 172.31.1.190.l2f > 172.31.1.192.l2f:
> l2tp:[TLS](32/0)Ns=0,Nr=1 ZLB
> 19:38:14.329490 IP 172.31.1.192.isakmp > 172.31.1.190.isakmp: isakmp: phase
> 2/others I inf[E]
> 19:38:14.331766 IP 172.31.1.190.isakmp > 172.31.1.192.isakmp: isakmp: phase
> 2/others R inf[E]
>
> Thanks
Hi Denis,
We use openswan and l2tpd together on a Debian Etch (official packages)
without problems.
What is your configuration ?
Cheers.
More information about the Users
mailing list