[Openswan Users] ipsec with xl2tpd
Issany Reza
issanyr at gmail.com
Tue Nov 18 12:04:35 EST 2008
Hello,
I'm back after reinstalling openswan on a new dedibox server. I am using the 2.6.24
kernel,
and I've successfully installed the ipsec KLIPS module:
root at zola:/etc/ipsec.d# lsmod | grep ipsec
ipsec 354756 2 [permanent]
When I start ipsec, I have the ipsec0 interface :
ipsec0 Lien encap:Ethernet HWaddr 00:15:17:8D:B4:EB
inet adr:88.191.91.113 Masque:255.255.255.0
Now I'm using KLIPS and I'll try to get functional L2TP.
The server only has one address (the public one). I have created a virtual
interface (eth1:1)
- Public Address : 88.191.91.113/24 - network 88.191.91.0/24
- Virtual Address : 192.168.10.45/24 - network 192.168.10.0/24
ipsec.conf :
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:88.191.91.0/24,%v4:192.168.10.0/2
OE=off
protostack=klips
klipsdebug=none
interfaces="ipsec0=eth1"
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior-xp
type=transport
left=88.191.91.113
leftcert=vpn.olympecti.fr.pem
leftprotoport=17/1701
right=%any
rightsubnet=vhost:%no,%priv
rightprotoport=17/1701
pfs=no
auto=add
l2tpd.conf :
[global]
port = 1701
listen-addr = 88.191.91.113
debug tunnel = yes
[lns default]
ip range = 192.168.10.10-192.168.10.20
local ip = 192.168.10.1
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = OCTIVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
options.l2tpd.lns :
ipcp-accept-local
ipcp-accept-remote
noipdefault
require-chap
connect-delay 5000
noccp
noauth
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
And logs :
Nov 18 18:01:32 zola kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Nov 18 18:01:32 zola kernel:
Nov 18 18:01:32 zola ipsec_setup: ...Openswan IPsec stopped
Nov 18 18:01:32 zola ipsec_setup: Stopping Openswan IPsec...
Nov 18 18:01:32 zola ipsec_setup: Using KLIPS/legacy stack
Nov 18 18:01:32 zola ipsec_setup: KLIPS debug `none'
Nov 18 18:01:32 zola kernel:
Nov 18 18:01:32 zola ipsec_setup: KLIPS ipsec0 on eth1
88.191.91.113/255.255.255.0 broadcast 88.191.91.255
Nov 18 18:01:32 zola ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 18 18:01:32 zola pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 18 18:01:32 zola ipsec_setup: ...Openswan IPsec started
Nov 18 18:01:32 zola ipsec_setup: Starting Openswan IPsec 2.6.18...
Nov 18 18:01:32 zola ipsec__plutorun: 002 loading certificate from
vpn.olympecti.fr.pem
Nov 18 18:01:32 zola ipsec__plutorun: 002 loaded host cert file
'/etc/ipsec.d/certs/vpn.olympecti.fr.pem' (3375 bytes)
Nov 18 18:01:32 zola ipsec__plutorun: 002 added connection description
"roadwarrior-xp"
Nov 18 18:02:06 zola xl2tpd[8560]: init_config: Using old style config files
/etc/l2tp/l2tpd.conf and /etc/l2tpd/l2tp-secrets
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: global context descriptor
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is port, value is
1701
Nov 18 18:02:06 zola xl2tpd[8560]: set_port: Setting global port number to
1701
Nov 18 18:02:06 zola xl2tpd[8560]: set_port: port flag to '1701'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is listen-addr, value
is 88.191.91.113
Nov 18 18:02:06 zola xl2tpd[8560]: set_listenaddr: Setting listen address to
88.191.91.113
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is debug tunnel,
value is yes
Nov 18 18:02:06 zola xl2tpd[8560]: set_debug tunnel: debug tunnel flag to
'yes'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is ip range, value is
192.168.10.10-192.168.10.20
Nov 18 18:02:06 zola xl2tpd[8560]: range start = c0a80a0a, end = c0a80a14,
sense=4294967295d
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is local ip, value is
192.168.10.1
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is length bit, value
is yes
Nov 18 18:02:06 zola xl2tpd[8560]: set_length bit: length bit flag to 'yes'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is require chap,
value is yes
Nov 18 18:02:06 zola xl2tpd[8560]: set_require chap: require chap flag to
'yes'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is refuse pap, value
is yes
Nov 18 18:02:06 zola xl2tpd[8560]: set_refuse pap: refuse pap flag to 'yes'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is require
authentication, value is yes
Nov 18 18:02:06 zola xl2tpd[8560]: set_require authentication: require
authentication flag to 'yes'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is name, value is
OCTIVPN
Nov 18 18:02:06 zola xl2tpd[8560]: set_name: name flag to 'OCTIVPN'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is ppp debug, value
is yes
Nov 18 18:02:06 zola xl2tpd[8560]: set_ppp debug: ppp debug flag to 'yes'
Nov 18 18:02:06 zola xl2tpd[8560]: parse_config: field is pppoptfile, value
is /etc/ppp/options.l2tpd.lns
Nov 18 18:02:06 zola xl2tpd[8560]: set_pppoptfile: pppoptfile flag to
'/etc/ppp/options.l2tpd.lns'
Nov 18 18:02:06 zola xl2tpd[8560]: setsockopt recvref[22]: Protocol not
available
Nov 18 18:02:06 zola xl2tpd[8560]: This binary does not support kernel L2TP.
Nov 18 18:02:06 zola xl2tpd[8561]: xl2tpd version xl2tpd-1.2.3 started on
zola PID:8561
Nov 18 18:02:06 zola xl2tpd[8561]: Written by Mark Spencer, Copyright (C)
1998, Adtran, Inc.
Nov 18 18:02:06 zola xl2tpd[8561]: Forked by Scott Balmos and David Stipp,
(C) 2001
Nov 18 18:02:06 zola xl2tpd[8561]: Inherited by Jeff McAdams, (C) 2002
Nov 18 18:02:06 zola xl2tpd[8561]: Forked again by Xelerance (
www.xelerance.com) (C) 2006
Nov 18 18:02:06 zola xl2tpd[8561]: Listening on IP address 88.191.91.113,
port 1701
When I initiate the connection from my windows client (which has the .p12
cert), I have these logs (and a 678 error in windows XP SP2):
Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: ignoring
Vendor ID payload [FRAGMENTATION]
Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
floating is off
Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[1] 217.128.239.224 #1:
responding to Main Mode from unknown peer 217.128.239.224
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[1] 217.128.239.224 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[1] 217.128.239.224 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[1] 217.128.239.224 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[1] 217.128.239.224 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[1] 217.128.239.224 #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=France, L=Var, O=Olympe CTI,
OU=Ingenierie informatique, CN=vpn.olympecti.fr, E=issanyr at olympecti.fr'
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[1] 217.128.239.224 #1:
switched from "roadwarrior-xp" to "roadwarrior-xp"
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
deleting connection "roadwarrior-xp" instance with peer
217.128.239.224{isakmp=#0/ipsec=#0}
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1: I
am sending my cert
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
the peer proposed: 88.191.91.113/32:17/1701 -> 192.168.1.155/32:17/1701
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
responding to Quick Mode proposal {msgid:8521b42e}
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2]
217.128.239.224#2: us:
88.191.91.113<88.191.91.113>[+S=C]:17/1701
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
them: 217.128.239.224[C=FR, ST=France, L=Var, O=Olympe CTI, OU=Ingenierie
informatique, CN=vpn.olympecti.fr, E=issanyr at olympecti.fr,+S=C]:17/1701===
192.168.1.155/32
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x2aaabe58
<0xe9e861b8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
DPD=enabled}
Nov 18 18:03:06 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
received Delete SA(0x2aaabe58) payload: deleting IPSEC State #2
Nov 18 18:03:06 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
received and ignored informational message
Nov 18 18:03:06 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
received Delete SA payload: deleting ISAKMP State #1
Nov 18 18:03:06 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224:
deleting connection "roadwarrior-xp" instance with peer
217.128.239.224{isakmp=#0/ipsec=#0}
Nov 18 18:03:06 zola pluto[8532]: packet from 217.128.239.224:500: received
and ignored informational message
How could I fix the problem?
Thanks for your help.
--
- reza -
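As an added example (not part of the original post and not Openswan's own tooling), a small Python triage script that walks pluto log lines like the ones quoted above and flags the three things worth checking first: the peer announced NAT-T but pluto reports "port floating is off", the peer's proposed inner address is RFC1918 while its source IP is public (so the client sits behind NAT), and the IPsec SA is torn down by the peer only seconds after it was established. The sample log is constructed from the quoted lines, and the 60-second "short-lived" window is an assumed threshold.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample, abridged from the pluto lines quoted in the post.
SAMPLE_LOG = """\
Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1: the peer proposed: 88.191.91.113/32:17/1701 -> 192.168.1.155/32:17/1701
Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x2aaabe58 <0xe9e861b8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}
Nov 18 18:03:06 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1: received Delete SA(0x2aaabe58) payload: deleting IPSEC State #2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$")
PEER_RE = re.compile(r"(?:packet from |\] )(\d+\.\d+\.\d+\.\d+)")  # peer's outer IP
PROPOSED_RE = re.compile(r"the peer proposed: \S+ -> (\d+\.\d+\.\d+\.\d+)/32")
ESTAB_RE = re.compile(r"IPsec SA established .*ESP=>(0x[0-9a-f]+)")
DELETE_RE = re.compile(r"received Delete SA\((0x[0-9a-f]+)\)")

def triage(log_text, year=2008, max_lifetime=60):
    """Return a list of findings for one IKE/IPsec exchange in a pluto log.
    max_lifetime (seconds) is an assumed threshold for a 'short-lived' SA."""
    findings, established = [], {}  # established: outbound ESP SPI -> timestamp
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        peer = PEER_RE.search(msg)
        # 1. Peer offered NAT-T, but this stack has port floating disabled.
        if "nat-t-ike" in msg and "port floating is off" in msg:
            findings.append("nat-t: peer offered NAT-T but port floating is off")
        # 2. Private inner address behind a public outer address => peer is NATed.
        p = PROPOSED_RE.search(msg)
        if p and peer and ip_address(p.group(1)).is_private \
                and not ip_address(peer.group(1)).is_private:
            findings.append(f"nat: peer {peer.group(1)} is behind NAT (inner address {p.group(1)})")
        # 3. Track SA establishment; note when no NAT-OA was negotiated.
        e = ESTAB_RE.search(msg)
        if e:
            established[e.group(1)] = ts
            if "NATOA=<invalid>" in msg:
                findings.append(f"nat-t: SA {e.group(1)} established without NAT-T (NATOA=<invalid>)")
        # 4. Peer deleted the SA shortly after it came up: the L2TP leg never worked.
        d = DELETE_RE.search(msg)
        if d and d.group(1) in established:
            life = (ts - established[d.group(1)]).total_seconds()
            if life <= max_lifetime:
                findings.append(f"short-lived: peer deleted SA {d.group(1)} after {life:.0f}s")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```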