[Openswan Users] Connection times out

Paul Wouters paul at xelerance.com
Fri May 9 11:17:46 EDT 2008


On Fri, 9 May 2008, Serge Fonville wrote:

> version 2.0     # conforms to second version of ipsec.conf specification
> config setup
>         plutodebug=none
>         plutostderrlog=/var/log/pluto.log
>         #nat_traversal=yes
>         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

You did not enable NAT traversal

> -----------------------------------
> conn proactixvpn
>         leftprotoport=17/1701
>         rightprotoport=17/%any

Use rightprotoport=17/0 (when using openswan 2.4.12+)

>         rekey=no
>         authby=secret
>         pfs=no
>         type=tunnel

Should be type=transport

>         left=172.16.0.186
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         auto=add

> /etc/ipsec/ipsec.secrets
> --------------------
> # client        server  secret                  IP addresses
> vpnuser *       "vpnuser" *
> *      vpnuser  "vpnuser" *

This looks like data for /etc/ppp/chap-secrets. It is not a valid ipsec.secrets
file. You need to either put in PSKs here, or (much preferred) X.509 key lines.

> /etc/xl2tpd/xl2tpd.conf
> ---------------------
> [global]
> port = 1701
> [lns default]
> ip range=172.16.0.128-191
> local ip=172.16.0.186

That should be the public IP of your xl2tp server (unless you did the
port-forward hack that Jacco describes; I prefer to just do proper firewall
rules instead).

> require chap=yes
> refuse pap=yes
> require authentication=yes
> name=ProactixVPN
> ppp debug=yes
> pppoptfile=/etc/ppp/options.xl2tpd
> length bit=yes
>
> /etc/ppp/options.xl2tpd
> -----------------------
> ipcp-accept-local
> ipcp-accept-remote
> ms-dns 172.16.0.2
> noccp
> auth
> crtscts
> idle 1800
> mtu 1400
> mru 1400

I use 1360 for those. (OSX even uses 1200)

> +mschap-v2

I've never used this.

> nodefaultroute
> debug
> lock
> proxyarp
> connect-delay 5000
> silent
>
> When I try to connect from within windows vista It gives a time out
>
> The contents of /var/log/pluto.log from '/etc/initd/ipsec start' to the
> timeout in windows vista
>
> Plutorun started on Fri May 9 11:45:17 CEST 2008
> Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID
> PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)
> Setting NAT-Traversal port-4500 floating to off

Your NAT traversal is disabled (see above)

> packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110,
> but port floating is off
> packet from 172.16.0.85:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off

And the client is coming from behind NAT.

> "proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 20 is not a supported
> modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
> "proactixvpn"[1] 172.16.0.85 #1: Diffie-Hellman group 19 is not a supported
> modp group.  Attribute OAKLEY_GROUP_DESCRIPTION

I don't know what groups 19 and 20 are. http://www.ietf.org/rfc/rfc3526.txt
only lists up to 18. I didn't find any successor to RFC 3526. I'd be
interested to see the logs on the other end to see what it believes these
groups are.

> "proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
> established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
> prf=oakley_sha group=modp2048}

Though it settles on group 14.

> "proactixvpn"[1] 172.16.0.85 #2: responding to Quick Mode {msgid:01000000}
> "proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R0 to
> state STATE_QUICK_R1
> "proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
> installed, expecting QI2
> "proactixvpn"[1] 172.16.0.85 #2: transition from state STATE_QUICK_R1 to
> state STATE_QUICK_R2
> "proactixvpn"[1] 172.16.0.85 #2: STATE_QUICK_R2: IPsec SA established
> {ESP=>0x66755a59 <0x89f4056b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
> "proactixvpn"[1] 172.16.0.85 #1: received Delete SA(0x66755a59) payload:
> deleting IPSEC State #2

It is established successfully and then deleted. That does not really make
sense with the ipsec.secrets you posted. But you might just need to edit
the chap-secrets properly.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
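The config points Paul raises above (NAT traversal left commented out, rightprotoport=17/%any, type=tunnel on an L2TP connection, and the "port floating is off" lines in pluto.log) are easy to miss by eye, so here is an added example, not part of the thread and not Openswan's own tooling, that checks for them. It parses an Openswan-style ipsec.conf into sections, lints the L2TP-carrying conn, and scans pluto log lines for peers that offered a NAT-T vendor ID while port floating was off. The two configuration strings are constructed reproductions of the posted config and of the same config with the reply's fixes applied; the log lines are constructed in the style of the quoted ones.

```python
"""Linter for the L2TP/IPsec pitfalls discussed in the reply (added example)."""
import re

# Constructed reproduction of the posted ipsec.conf (the "before").
BROKEN_CONF = """\
version 2.0
config setup
        plutodebug=none
        #nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn proactixvpn
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no
        authby=secret
        pfs=no
        type=tunnel
        left=172.16.0.186
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
"""

# The same config with the fixes from the reply applied (the "after").
FIXED_CONF = BROKEN_CONF.replace("#nat_traversal=yes", "nat_traversal=yes") \
                        .replace("# virtual_private", "virtual_private") \
                        .replace("rightprotoport=17/%any", "rightprotoport=17/0") \
                        .replace("type=tunnel", "type=transport")


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' (-> 'setup') and
    'conn NAME' (-> NAME) sections.  Comment lines are skipped, so a
    commented-out nat_traversal=yes is correctly treated as unset."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^(config|conn)\s+(\S+)$", line)
        if header:
            current = header.group(2)
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def lint_l2tp_conf(text):
    """Return findings for the pitfalls named in the reply; empty means clean."""
    cfg = parse_ipsec_conf(text)
    findings = []
    setup = cfg.get("setup", {})
    if setup.get("nat_traversal") != "yes":
        findings.append("setup: nat_traversal is not enabled; clients behind NAT will fail")
    if "virtual_private" not in setup:
        findings.append("setup: virtual_private is unset; rightsubnet=vhost:%priv depends on it")
    for name, conn in cfg.items():
        if name == "setup" or conn.get("leftprotoport") != "17/1701":
            continue  # only L2TP-carrying connections are checked
        if conn.get("rightprotoport") == "17/%any":
            findings.append(f"{name}: use rightprotoport=17/0 (openswan 2.4.12+)")
        if conn.get("type", "tunnel") != "transport":
            findings.append(f"{name}: L2TP/IPsec needs type=transport, not tunnel")
    return findings


# Constructed pluto log lines modelled on the ones quoted in the thread.
LOG_LINES = [
    "Setting NAT-Traversal port-4500 floating to off",
    "packet from 172.16.0.85:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off",
    '"proactixvpn"[1] 172.16.0.85 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established',
]

NATT_SYMPTOM = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\].*but port floating is off")


def natt_mismatch(log_lines):
    """Return the NAT-T vendor IDs peers offered while port floating was off.
    A non-empty list means a NAT-capable client was refused NAT traversal."""
    offered = []
    for line in log_lines:
        m = NATT_SYMPTOM.search(line)
        if m:
            offered.append(m.group("vid"))
    return offered


if __name__ == "__main__":
    for label, conf in (("posted", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {lint_l2tp_conf(conf) or ['ok']}")
    print("NAT-T offered while floating off:", natt_mismatch(LOG_LINES))
```

Run it as-is and the posted config yields four findings while the fixed one yields none; feed it your real pluto.log lines to see whether the client's NAT-T vendor IDs were being ignored. It does not validate ipsec.secrets, which needs a separate check for the PSK or RSA line format.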

