[Openswan Users] issue with WinXP L2TP/IPSEC connection to Linux L2tpd

Sambuddho Chakravarty sc2516 at columbia.edu
Mon Jun 30 18:21:36 EDT 2008

Hello Paul
 I did as you said. I have the following setup:

windows host ----- router ----- openswan(2.6.14 gw)----- subnet

The openswan ipsec.conf derived
from /etc/ipsec.d/examples/l2tp-cert.conf looks like this :

conn l2tp-X.509
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        # Use a certificate. Disable Perfect Forward Secrecy.
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        # The remote user.

The xl2tpd.conf looks like this :

Global parameters:
 port = 1701
 auth file = /etc/l2tpd/l2tp-secrets
 [lns default]
 ip range =
 local ip =
 length bit = yes
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = myhostname
 ppp debug = Yes
 pppoptfile = /etc/ppp/options.l2tpd.lns

The secrets file is like this
#just for testing purposes

*  * secret  

On the windows host I created a new L2TP VPN connection using windows
networking creation page (in the networking options in control panel).

When connecting to the openswan gateway, I put no username and password
as 'secret'. On observing the logs in /var/log/auth.log, I see the SA
being established, but immediately following that there is an SA
disconnect message and the Windows login fails. I have enabled CHAP
authentication in the Windows networking L2TP dialog box. When it fails
it reports error 787. The snippets from the log showing the SA
establishment and disconnection are shown below:

Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[25] #13:
switched from "l2tp-X.509" to "l2tp-X.509"
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13:
deleting connection "l2tp-X.509" instance with peer
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13: I am
sending my cert
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13:
received Delete SA payload: deleting ISAKMP State #13
Jun 30 18:28:25 host3 pluto[5045]: "l2tp-X.509"[26] deleting
connection "l2tp-X.509" instance with peer {isakmp=#0/ipsec=#0}
Jun 30 18:28:25 host3 pluto[5045]: packet from received
and ignored informational message

I am confused why this is happening.



On Mon, 2008-06-30 at 12:39 -0400, Sambuddho Chakravarty wrote:
> Hello Paul
>  Thanks a lot.
> Sambuddho
> On Mon, 2008-06-30 at 11:44 -0400, Paul Wouters wrote:
> > > I don't want pure IPSEC. I want L2tp over IPSEC
> > 
> > Then check the examples in /etc/ipsec.d/examples/l2tp-*.conf
> > 
> > and do not install any software on the Windows machines at all,
> > except maybe "certimport.exe" when using X.509 and not wanting
> > to do 20 mouse clicks to import the certificates properly.
> > 
> > Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
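The log pattern in this post (phase 1 ISAKMP SA established, then a Delete SA from the peer seconds later, and no IPsec SA ever appearing) is the shape of the failure the Windows client reports as error 787, i.e. the security layer could not authenticate the remote computer. The following is an added example, not code from the original post or from Openswan, that parses pluto log lines in the format quoted above and flags connection instances showing exactly that sequence; the sample lines are constructed from the post's excerpt plus one healthy instance for contrast, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the pluto lines from the post (instance [26], state #13)
# plus one healthy instance ([27]) that goes on to establish an IPsec SA.
SAMPLE_LOG = """\
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13: I am sending my cert
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jun 30 18:28:24 host3 pluto[5045]: "l2tp-X.509"[26] #13: received Delete SA payload: deleting ISAKMP State #13
Jun 30 18:30:01 host3 pluto[5045]: "l2tp-X.509"[27] #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jun 30 18:30:02 host3 pluto[5045]: "l2tp-X.509"[27] #15: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0a1b2c3d <0x1e2f3a4b}
"""

# Pluto lines that carry a state number: timestamp, host, conn name, instance, state, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] #(?P<state>\d+): (?P<msg>.*)$'
)

def parse_ts(ts: str, year: int = 2008) -> datetime:
    # syslog omits the year; 2008 is assumed from the date of the post
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_phase1_only_instances(log_text: str, window_s: int = 5):
    """Return (conn, instance, seconds) for each instance whose ISAKMP SA was established
    and then deleted by the peer within window_s seconds with no IPsec SA ever established."""
    events = defaultdict(lambda: {"isakmp_up": None, "deleted": None, "ipsec_up": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without "#N:" (e.g. "deleting connection") carry nothing we need
        ev = events[(m["conn"], int(m["inst"]))]
        msg, ts = m["msg"], parse_ts(m["ts"])
        if "ISAKMP SA established" in msg:
            ev["isakmp_up"] = ts
        elif "received Delete SA payload" in msg and "ISAKMP" in msg:
            ev["deleted"] = ts
        elif "IPsec SA established" in msg:
            ev["ipsec_up"] = True
    findings = []
    for (conn, inst), ev in sorted(events.items()):
        if ev["isakmp_up"] and ev["deleted"] and not ev["ipsec_up"]:
            gap = (ev["deleted"] - ev["isakmp_up"]).total_seconds()
            if 0 <= gap <= window_s:
                findings.append((conn, inst, gap))
    return findings
```

Run against a full /var/log/auth.log, the function lists only the instances that died between phase 1 and phase 2, which separates this failure from connections that never completed phase 1 at all.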
