[Openswan Users] Openswan & xl2tpd on Fedora Core 4, Windows Clients not connecting
Janantha Marasinghe
janantha at techcert.lk
Tue Jul 22 23:55:20 EDT 2008
Hi all,
First of all, a little summary of the specs of my setup:
* VPN Server is running on Fedora Core 4 (2.6.17-1.2142_FC4), with
Openswan version 2.4.4 along with xl2tpd 1.1.12
* Windows clients consisting of SP3 and SP2 clients
I'm attaching ipsec.conf, xl2tpd.conf, options.xl2tpd.
When I try to connect from my client machine to the server, it says
connecting but doesn't seem to move forward at all. I even tried with
iptables switched off, but that didn't help. Below I'm pasting the dumps
of /var/log/secure and /var/log/messages for one connection attempt. Just
to make sure that I'm not making any mistakes, I have removed xl2tpd and
got the rpm of l2tpd compiled by Jacco.
Messages
Jul 22 16:11:37 test2 xl2tpd[6824]: This binary does not support kernel
L2TP.
Jul 22 16:11:37 test2 xl2tpd[6825]: xl2tpd version xl2tpd-1.1.12 started
on test2 PID:6825
Jul 22 16:11:37 test2 xl2tpd[6825]: Written by Mark Spencer, Copyright
(C) 1998, Adtran, Inc.
Jul 22 16:11:37 test2 xl2tpd[6825]: Forked by Scott Balmos and David
Stipp, (C) 2001
Jul 22 16:11:37 test2 xl2tpd[6825]: Inherited by Jeff McAdams, (C) 2002
Jul 22 16:11:37 test2 xl2tpd[6825]: Forked again by Xelerance
(www.xelerance.com) (C) 2006
Jul 22 16:11:37 test2 xl2tpd[6825]: Listening on IP address 0.0.0.0,
port 1701
Jul 22 16:11:45 test2 kernel: NET: Unregistered protocol family 15
Jul 22 16:11:45 test2 ipsec_setup: ...Openswan IPsec stopped
Jul 22 16:11:45 test2 kernel: NET: Registered protocol family 15
Jul 22 16:11:46 test2 ipsec_setup: KLIPS ipsec0 on eth0
vpn.external.ip/255.255.255.224 broadcast xxx.xxx.xxx.xxx
Jul 22 16:11:46 test2 ipsec_setup: ...Openswan IPsec started
Jul 22 16:12:03 test2 xl2tpd[6825]: Maximum retries exceeded for tunnel
15489. Closing.
Jul 22 16:12:03 test2 xl2tpd[6825]: Connection 10 closed to
my.client.ip, port 1701 (Timeout)
Jul 22 16:12:18 test2 xl2tpd[6825]: Maximum retries exceeded for tunnel
34702. Closing.
Jul 22 16:12:18 test2 xl2tpd[6825]: Connection 10 closed to
my.client.ip, port 1701 (Timeout)
Secure
Jul 22 16:11:44 test2 pluto[6292]: "L2TP-PSK": deleting connection
Jul 22 16:11:44 test2 pluto[6292]: shutting down interface lo/lo ::1:500
Jul 22 16:11:44 test2 pluto[6292]: shutting down interface lo/lo
127.0.0.1:500
Jul 22 16:11:44 test2 pluto[6292]: shutting down interface eth0/eth0
vpn-server-external-ip:500
Jul 22 16:11:44 test2 pluto[6292]: shutting down interface eth1/eth1
10.8.109.65:500
Jul 22 16:11:46 test2 ipsec__plutorun: Starting Pluto subsystem...
Jul 22 16:11:46 test2 pluto[6939]: Starting Pluto (Openswan Version
2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OEz}FFFfgr_e)
Jul 22 16:11:46 test2 pluto[6939]: Setting NAT-Traversal port-4500
floating to off
Jul 22 16:11:46 test2 pluto[6939]: port floating activation criteria
nat_t=0/port_fload=1
Jul 22 16:11:46 test2 pluto[6939]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Jul 22 16:11:46 test2 pluto[6939]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Jul 22 16:11:46 test2 pluto[6939]: starting up 1 cryptographic helpers
Jul 22 16:11:46 test2 pluto[6939]: started helper pid=6940 (fd:6)
Jul 22 16:11:46 test2 pluto[6939]: Using Linux 2.6 IPsec interface code
on 2.6.17-1.2142_FC4
Jul 22 16:11:47 test2 pluto[6939]: Could not change to directory
'/etc/ipsec.d/cacerts'
Jul 22 16:11:47 test2 pluto[6939]: Could not change to directory
'/etc/ipsec.d/aacerts'
Jul 22 16:11:47 test2 pluto[6939]: Could not change to directory
'/etc/ipsec.d/ocspcerts'
Jul 22 16:11:47 test2 pluto[6939]: Could not change to directory
'/etc/ipsec.d/crls'
Jul 22 16:11:47 test2 pluto[6939]: added connection description "L2TP-PSK"
Jul 22 16:11:47 test2 pluto[6939]: listening for IKE messages
Jul 22 16:11:47 test2 pluto[6939]: adding interface eth1/eth1
10.8.109.65:500
Jul 22 16:11:47 test2 pluto[6939]: adding interface eth0/eth0
vpn-server-external-ip:500
Jul 22 16:11:47 test2 pluto[6939]: adding interface lo/lo 127.0.0.1:500
Jul 22 16:11:47 test2 pluto[6939]: adding interface lo/lo ::1:500
Jul 22 16:11:47 test2 pluto[6939]: loading secrets from "/etc/ipsec.secrets"
Jul 22 16:11:56 test2 pluto[6939]: packet from vpn-client-ip:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 22 16:11:56 test2 pluto[6939]: packet from vpn-client-ip:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jul 22 16:11:56 test2 pluto[6939]: packet from vpn-client-ip:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but port floating is off
Jul 22 16:11:56 test2 pluto[6939]: packet from vpn-client-ip:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
responding to Main Mode from unknown peer vpn-client-ip
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1: Main
mode peer ID is ID_IPV4_ADDR: 'vpn-client-ip'
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1: I did
not send a certificate because I do not have one.
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #2:
responding to Quick Mode {msgid:68879540}
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 22 16:11:56 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x9b76cf71 <0x13478bc1
xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jul 22 16:12:18 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
received Delete SA(0x9b76cf71) payload: deleting IPSEC State #2
Jul 22 16:12:18 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
received and ignored informational message
Jul 22 16:12:18 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip #1:
received Delete SA payload: deleting ISAKMP State #1
Jul 22 16:12:18 test2 pluto[6939]: "L2TP-PSK"[1] vpn-client-ip: deleting
connection "L2TP-PSK" instance with peer vpn-client-ip {isakmp=#0/ipsec=#0}
Jul 22 16:12:18 test2 pluto[6939]: packet from vpn-client-ip:500:
received and ignored informational message
Jul 22 16:12:20 test2 pluto[6939]: ERROR: asynchronous network error
report on eth0 (sport=500) for message to vpn-client-ip port 500,
complainant vpn-server-external-ip: No route to host [errno 113, origin
ICMP type 3 code 1 (not authenticated)]
Can anyone help me out?
------------------
Best Regards
Jay
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf
Url: http://lists.openswan.org/pipermail/users/attachments/20080723/a96ae416/attachment-0003.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: options.xl2tpd
Url: http://lists.openswan.org/pipermail/users/attachments/20080723/a96ae416/attachment-0004.pl
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xl2tpd.conf
Url: http://lists.openswan.org/pipermail/users/attachments/20080723/a96ae416/attachment-0005.pl