[Openswan Users] Linux client does not connect while Windows does

Andriy Lesyuk s-andy at in.if.ua
Mon May 5 03:45:44 EDT 2008


>> I have found somewhere that I need to be sure that both ends use the
>> same algo...
>>     
> Well, yes, but that is not the cause of the problem here. Openswan
> proposes reasonable algorithms by default so it should work securely with
> lots of peers.
>> key, this is not the issue any more - I needed to reboot... Now all
>> tests are OK.
>>     
> I guess it was a NAT issue because I did not see a NAT-T negotiation
> result message.
Yes, it was definitely a NAT-T issue... I have solved it by adding 
forceencaps=yes. My client is behind NAT and has the zone 192.168.14.0/24, 
and this zone is used on the server. So I guess the server could not 
allow connecting directly because the client is actually behind NAT 
(that's what the error message says). And the client did not know that 
it should use NAT-T...

But, again, now I have another issue... :)

The IPSec client connects successfully but L2TPd does not work... :( It says:

May  5 10:22:32 andrix xl2tpd[3166]: Connecting to host vpn.domain, port 1701
May  5 10:22:37 andrix xl2tpd[3166]: Maximum retries exceeded for tunnel 33521.  Closing.
May  5 10:22:37 andrix xl2tpd[3166]: Connection 0 closed to 68.68.44.42, port 1701 (Timeout)
May  5 10:22:42 andrix xl2tpd[3166]: Unable to deliver closing message for tunnel 33521. Destroying anyway.
May  5 10:22:42 andrix xl2tpd[3166]: Will redial in 15 seconds

When IPSec connects it adds the following route:

68.68.44.42 dev eth0  scope link

Weird... While L2TP claims that it tries to connect I don't see L2TP 
packets anywhere...
I have also tried running:

$ hping2 --udp --baseport 1701 --destport 1701 68.68.44.42
HPING 68.68.44.42 (eth0 68.68.44.42): udp mode set, 28 headers + 0 data bytes
ICMP Host Unreachable from ip=192.168.14.2 name=dev.hostname
ICMP Host Unreachable from ip=192.168.14.2 name=dev.hostname
ICMP Host Unreachable from ip=192.168.14.2 name=dev.hostname

And I also do not see any packets...

Pluto sometimes says in its logs:

May  5 10:22:33 andrix pluto[2427]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 68.68.44.42 port 4500, complainant 192.168.14.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

After I disconnect IPSec the same route still remains (I guess it should 
disappear). So I delete it manually.

Also, after I disconnect I'm able to see hping2 packets, but I still do 
not see L2TP (tried running without IPSec). Does xl2tpd somehow check 
for the presence of IPSec? When no IPSec connection is available it writes 
to the logs: udp_xmit failed with err=-1:No such process.

I'm using NETKEY on client side...

What can be wrong? Where should I look?

Thanks,
Andriy
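The route quoted in the post, `68.68.44.42 dev eth0  scope link`, is a link-scope host route for an address that is not on the client's own subnet; with such a route the kernel tries to resolve 68.68.44.42 directly on eth0 instead of sending it via the default gateway, which is consistent with the local "ICMP Host Unreachable" seen from hping2 and pluto's "No route to host". The following script is an added diagnostic example, not code from the post or from Openswan or xl2tpd: it parses `ip route show` output and pluto log lines, flags link-scope host routes that lie outside every directly connected subnet, and matches them against the peers pluto reports errors for. The sample routing table and log line are constructed (the 192.168.14.0/24 addressing and gateway are assumed); only the 68.68.44.42 route and the pluto error text come from the post.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output. The first line is the stray
# route quoted in the post; the other two are assumed typical entries for a
# client on 192.168.14.0/24 (gateway 192.168.14.1 is an assumption).
SAMPLE_ROUTES = """\
68.68.44.42 dev eth0  scope link
192.168.14.0/24 dev eth0  proto kernel  scope link  src 192.168.14.2
default via 192.168.14.1 dev eth0
"""

# Constructed sample log: the pluto error from the post, unwrapped onto one line.
SAMPLE_LOG = (
    "May  5 10:22:33 andrix pluto[2427]: ERROR: asynchronous network error "
    "report on eth0 (sport=4500) for message to 68.68.44.42 port 4500, "
    "complainant 192.168.14.2: No route to host [errno 113, origin ICMP "
    "type 3 code 1 (not authenticated)]\n"
)

ROUTE_RE = re.compile(
    r'^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$'
)
PLUTO_ERR_RE = re.compile(
    r'for message to (?P<peer>\d+\.\d+\.\d+\.\d+) port \d+.*?'
    r'(?P<reason>No route to host|Host Unreachable)'
)


def parse_routes(text):
    """Parse `ip route show` lines into dicts with a network, gateway, device and scope."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        dst = m.group('dst')
        net = ipaddress.ip_network('0.0.0.0/0' if dst == 'default' else dst, strict=False)
        routes.append({
            'dst': net,
            'via': m.group('via'),
            'dev': m.group('dev'),
            'link_scope': 'scope link' in m.group('rest'),
        })
    return routes


def connected_subnets(routes):
    """Prefixes the kernel treats as directly attached: gateway-less link-scope networks."""
    return [r['dst'] for r in routes
            if r['link_scope'] and r['via'] is None
            and r['dst'].prefixlen < r['dst'].max_prefixlen]


def stray_link_routes(routes):
    """Link-scope /32 routes whose host is not inside any connected subnet."""
    subnets = connected_subnets(routes)
    stray = []
    for r in routes:
        if r['via'] is None and r['link_scope'] and r['dst'].prefixlen == r['dst'].max_prefixlen:
            host = r['dst'].network_address
            if not any(host in s for s in subnets):
                stray.append((str(host), r['dev']))
    return stray


def pluto_unreachable_peers(log_text):
    """Peer addresses pluto could not reach, with the reason it logged."""
    found = {}
    for line in log_text.splitlines():
        m = PLUTO_ERR_RE.search(line)
        if m:
            found[m.group('peer')] = m.group('reason')
    return found


def diagnose(route_text, log_text):
    """Map each unreachable peer to the stray route that explains it, if one exists."""
    stray = dict(stray_link_routes(parse_routes(route_text)))
    result = {}
    for peer, reason in pluto_unreachable_peers(log_text).items():
        if peer in stray:
            result[peer] = 'link-scope host route on %s but %s is off-subnet (%s)' % (
                stray[peer], peer, reason)
    return result


def cleanup_commands(route_text):
    """Manual removal commands for stray routes, as the post's author did by hand."""
    return ['ip route del %s dev %s' % (host, dev)
            for host, dev in stray_link_routes(parse_routes(route_text))]


if __name__ == '__main__':
    for peer, why in diagnose(SAMPLE_ROUTES, SAMPLE_LOG).items():
        print(peer, '->', why)
    for cmd in cleanup_commands(SAMPLE_ROUTES):
        print('suggested:', cmd)
```

Run it against real output with `ip route show > routes.txt` and the pluto lines from syslog; a peer that appears in `diagnose()` is one the kernel is trying to ARP for on the LAN, so the route, not the L2TP daemon, is the first thing to check. The script only reports and prints the `ip route del` line; it never changes the routing table itself.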