[Openswan Users] issue with WinXP L2TP/IPSEC connection to Linux L2tpd
Sambuddho Chakravarty
sc2516 at columbia.edu
Mon Jun 30 18:21:36 EDT 2008
Hello Paul
I did as you said. I have the following setup:
windows host ----- router ----- openswan(2.6.14 gw)----- subnet
The openswan ipsec.conf, derived from /etc/ipsec.d/examples/l2tp-cert.conf, looks like this:
conn l2tp-X.509
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    #authby=rsasig
    pfs=no
    auto=add
    right=20.0.0.2
    rightcert=server_crt.pem
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    rightprotoport=17/1701
    #
    # The remote user.
    #
    left=%any
    leftprotoport=17/1701
    leftsubnet=vhost:%priv,%no
The xl2tpd.conf looks like this:
[global]
; Global parameters:
port = 1701
auth file = /etc/l2tpd/l2tp-secrets

[lns default]
ip range = 30.0.0.10-30.0.0.20
local ip = 30.0.0.1
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = myhostname
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
The secrets file is like this:
#just for testing purposes
* * secret
On the Windows host I created a new L2TP VPN connection using the Windows
networking creation page (in the networking options in Control Panel).
When connecting to the openswan gateway, I put no username and the password
as 'secret'. On observing the logs in /var/log/auth.log, I see the SA
being established, but immediately following that there is an SA
disconnect message and the Windows login fails. I have enabled CHAP
authentication in the Windows networking L2TP dialog box. When it fails
it reports error 787. The snippets from the log showing the SA
establishment and disconnection are shown below:
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[25] 10.0.0.3 #13: switched from "l2tp-X.509" to "l2tp-X.509"
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: deleting connection "l2tp-X.509" instance with peer 10.0.0.3 {isakmp=#0/ipsec=#0}
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: I am sending my cert
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: received Delete SA payload: deleting ISAKMP State #13
Jun 30 18:28:25 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3: deleting connection "l2tp-X.509" instance with peer 10.0.0.3 {isakmp=#0/ipsec=#0}
Jun 30 18:28:25 host3 pluto[5045]: packet from 10.0.0.3:500: received and ignored informational message
I am confused about why this is happening.
Thanks
Sambuddho
On Mon, 2008-06-30 at 12:39 -0400, Sambuddho Chakravarty wrote:
> Hello Paul
> Thanks a lot.
> Sambuddho
> On Mon, 2008-06-30 at 11:44 -0400, Paul Wouters wrote:
> > > I don't want pure IPSEC. I want L2tp over IPSEC
> >
> > Then check the examples in /etc/ipsec.d/examples/l2tp-*.conf
> >
> > and do not install any software on the Windows machines at all,
> > except maybe "certimport.exe" when using X.509 and not wanting
> > to do 20 mouse clicks to import the certificates properly.
> >
> > Paul
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
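Added example, not from this thread or from Openswan itself: a small Python triage script for pluto log lines modelled on the ones quoted above. It groups events by peer and ISAKMP state number and flags the pattern seen here, Main Mode completing ("ISAKMP SA established") and the peer sending a Delete before any "IPsec SA established" line for that state. The SAMPLE_LOG, the window parameter and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the pluto lines quoted in the post
# (same timestamps and state number, but not copied from a live machine).
SAMPLE_LOG = """\
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3 #13: received Delete SA payload: deleting ISAKMP State #13
Jun 30 18:28:25 host3 pluto[5045]: "l2tp-X.509"[26] 10.0.0.3: deleting connection "l2tp-X.509" instance with peer 10.0.0.3 {isakmp=#0/ipsec=#0}
"""

# syslog prefix, then pluto's: "conn"[instance] peer #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+)(?: #(?P<st>\d+))?: (?P<msg>.*)$')

def parse_ts(ts):
    # syslog timestamps carry no year; only relative timing matters here
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def triage(log_text, window=5):
    """Return one finding per (peer, ISAKMP state) where Phase 1 completed but
    the peer deleted the ISAKMP SA within `window` seconds and no IPsec SA
    (Quick Mode) was ever established for that state."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("st"):
            continue  # unrelated line, or one without a state number
        key = (m.group("peer"), int(m.group("st")))
        ev = states.setdefault(key, {"conn": m.group("conn"), "phase1": None,
                                     "delete": None, "ipsec": False})
        t, msg = parse_ts(m.group("ts")), m.group("msg")
        if "ISAKMP SA established" in msg:
            ev["phase1"] = t
        elif "IPsec SA established" in msg:
            ev["ipsec"] = True
        elif "received Delete SA payload" in msg:
            ev["delete"] = t
    findings = []
    for (peer, st), ev in sorted(states.items()):
        if ev["phase1"] and ev["delete"] and not ev["ipsec"]:
            gap = (ev["delete"] - ev["phase1"]).total_seconds()
            if gap <= window:
                findings.append({"peer": peer, "state": st, "conn": ev["conn"],
                                 "seconds": gap,
                                 "verdict": "Phase 1 completed; peer deleted ISAKMP SA "
                                            "before any IPsec SA was established"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run against the real /var/log/auth.log, this separates "Phase 1 never completed" from the case shown in the post, where Phase 1 succeeds and the client itself tears the ISAKMP SA down with ipsec=#0.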