[Openswan Users] Connection times out
Serge Fonville
serge.fonville at gmail.com
Fri May 9 05:51:52 EDT 2008
I am trying to set up an L2TP/IPsec server to connect remote Windows users to
the office. All testing is done internally.

Guides I read and used:
HOWTO: Gentoo Linux L2TP/IPSEC VPN w/ Active Directory/Radius/X.509 serving Windows XP/Vista Clients <http://sqls.net/wiki/HOWTO:_Gentoo_Linux_L2TP/IPSEC_VPN_w/_Active_Directory/Radius/X.509_serving_Windows_XP/Vista_Clients>
Using a Linux L2TP/IPsec VPN server <http://www.jacco2.dds.nl/networking/freeswan-l2tp.html>
---------
|My setup|
---------
IPs
VPN server wan: 212.67.179.18/29
VPN server lan: 172.16.0.186/24
Test Client: 172.16.0.85
--------------------
|Configuration files |
--------------------
/etc/ipsec/ipsec.conf
----------------------
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    #nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nhelpers=0
    interfaces=%defaultroute
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.147.0/24

conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/ipsec.d/proactixvpn.conf
/etc/ipsec/ipsec.d/proactixvpn.conf
-----------------------------------
conn proactixvpn
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekey=no
    authby=secret
    pfs=no
    type=tunnel
    left=172.16.0.186
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
/etc/ipsec/ipsec.secrets
--------------------
# client server secret IP addresses
vpnuser * "vpnuser" *
* vpnuser "vpnuser" *
/etc/xl2tpd/xl2tpd.conf
---------------------
[global]
port = 1701
[lns default]
ip range=172.16.0.128-191
local ip=172.16.0.186
require chap=yes
refuse pap=yes
require authentication=yes
name=ProactixVPN
ppp debug=yes
pppoptfile=/etc/ppp/options.xl2tpd
length bit=yes
/etc/ppp/options.xl2tpd
-----------------------
ipcp-accept-local
ipcp-accept-remote
ms-dns 172.16.0.2
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
When I try to connect from within Windows Vista it gives a time out.
The contents of /var/log/pluto.log from '/etc/init.d/ipsec start' to the
timeout in Windows Vista:
Plutorun started on Fri May 9 11:45:17 CEST 2008
Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)
Setting NAT-Traversal port-4500 floating to off
port floating activation criteria nat_t=0/port_fload=1
including NAT-Traversal patch (Version 0.6c) [disabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Using NETKEY IPsec interface code on 2.6.24-gentoo-r4
Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec/ipsec.d/crls'
Warning: empty directory
loading secrets from "/etc/ipsec/ipsec.secrets"
added connection description "proactixvpn"
listening for IKE messages
adding interface eth1/eth1 212.67.179.18:500
adding interface eth0/eth0 172.16.0.186:500
adding interface lo/lo 127.0.0.1:500
forgetting secrets
loading secrets from "/etc/ipsec/ipsec.secrets"
packet from 172.16.0.85:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
packet from 172.16.0.85:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 172.16.0.85:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 172.16.0.85:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from 172.16.0.85:500: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from 172.16.0.85:500: ignoring Vendor ID payload [IKE CGA version 1]
"proactixvpn"[1] 172.16.0.85 #1: responding to Main Mode from unknown peer 172.16.0.85
"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 20 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
"proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 19 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R1: sent MR1, expecting MI2
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R2: sent MR2, expecting MI3
"proactixvpn"[1] 172.16.0.85 #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.0.85'
"proactixvpn"[1] 172.16.0.85 #1: I did not send a certificate because I do not have one.
"proactixvpn"[1] 172.16.0.85 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
"proactixvpn"[1] 172.16.0.85 #2: responding to Quick Mode {msgid:01000000}
"proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x66755a59 <0x89f4056b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA(0x66755a59) payload: deleting IPSEC State #2
"proactixvpn"[1] 172.16.0.85 #1: received and ignored informational message
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA payload: deleting ISAKMP State #1
"proactixvpn"[1] 172.16.0.85: deleting connection "proactixvpn" instance with peer 172.16.0.85 {isakmp=#0/ipsec=#0}
packet from 172.16.0.85:500: received and ignored informational message
Thanks a lot in advance for any help
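As an added example (not part of the original post or of Openswan), a small parser for pluto.log lines in the format shown above. It records, per peer, whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed, whether the peer offered NAT-T while port floating was off, and whether the peer itself sent Delete SA payloads afterwards, so that an IKE-level failure can be told apart from a tunnel that came up and was then torn down. The sample lines are constructed from the log in the post; the state names and function names are this example's own.

```python
import re

# Constructed sample: abridged lines copied from the pluto.log in the post above.
SAMPLE_LOG = """\
packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
"proactixvpn"[1] 172.16.0.85 #1: responding to Main Mode from unknown peer 172.16.0.85
"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
"proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x66755a59 <0x89f4056b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA(0x66755a59) payload: deleting IPSEC State #2
"proactixvpn"[1] 172.16.0.85 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# Per-connection-instance pluto lines:  "conn"[n] peer #sa: message
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
# Pre-connection lines from a peer that offered NAT-T while pluto had port floating off
NATT_OFF_RE = re.compile(r"^packet from (?P<peer>[\d.]+):\d+: received Vendor ID payload .* but port floating is off$")

def analyse_pluto_log(text):
    """Return {peer: state} summarising how far each peer's IKE exchange got."""
    peers = {}

    def entry(peer):
        return peers.setdefault(peer, {"isakmp": False, "ipsec": False,
                                       "peer_deleted": False, "natt_refused": False,
                                       "natd": None})

    for line in text.splitlines():
        m = NATT_OFF_RE.match(line)
        if m:
            entry(m["peer"])["natt_refused"] = True
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # interface setup, other vendor-ID noise, etc.
        p, msg = entry(m["peer"]), m["msg"]
        if "ISAKMP SA established" in msg:
            p["isakmp"] = True          # phase 1 (Main Mode) completed
        elif "IPsec SA established" in msg:
            p["ipsec"] = True           # phase 2 (Quick Mode) completed, ESP SAs installed
            nat = re.search(r"NATD=(\w+)", msg)
            p["natd"] = nat.group(1) if nat else None
        elif "received Delete SA" in msg:
            p["peer_deleted"] = True    # the peer, not pluto, tore the SA down
    return peers

def diagnose(state):
    """Name the stage at which the exchange stopped."""
    if not state["isakmp"]:
        return "phase1-failed"
    if not state["ipsec"]:
        return "phase2-failed"
    if state["peer_deleted"]:
        return "tunnel-up-then-peer-deleted"
    return "tunnel-up"
```

Run over the full log in the post it reports tunnel-up-then-peer-deleted with natt_refused set, i.e. both IKE phases completed before the client deleted the SAs.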