[Openswan Users] ipsec with xl2tpd

Paul Wouters paul at xelerance.com
Tue Nov 18 12:30:56 EST 2008


On Tue, 18 Nov 2008, Issany Reza wrote:

> Now I'm using KLIPS and I'll try to get functional L2TP.
> The server only has one address (the public one). I have created a virtual
> interface (eth1:1)
> - Public Address: 88.191.91.113/24 - network 88.191.91.0/24
> - Virtual Address: 192.168.10.45/24 - network 192.168.10.0/24

> config setup
>        nat_traversal=yes
>        virtual_private=%v4:
> 10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:88.191.91.0/24,%v4:192.168.10.0/2

You would need to *exclude* 192.168.10.0/24 using %v4:!192.168.10.0/24

> conn roadwarrior-xp
>         type=transport
>         left=88.191.91.113
>         leftcert=vpn.olympecti.fr.pem
>         leftprotoport=17/1701
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         rightprotoport=17/1701
>         pfs=no
>         auto=add
> 
> l2tpd.conf :
> [global]
> port = 1701
> listen-addr = 88.191.91.113
> debug tunnel = yes
> 
> [lns default]
> ip range = 192.168.10.10-192.168.10.20
> local ip = 192.168.10.1
> length bit = yes
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = OCTIVPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd.lns
> 
> options.l2tpd.lns :
> 
> ipcp-accept-local
> ipcp-accept-remote
> noipdefault
> require-chap
> connect-delay 5000
> noccp
> noauth
> idle 1800
> mtu 1410
> mru 1410

I would lower mtu/mru to 1200 or so.

> When I initiate the connection from my Windows client (that has the cert
> .p12), I have these logs (and a 678 error in Windows XP SP2):
> Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: ignoring
> Vendor ID payload [FRAGMENTATION]
> Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
> floating is off

You did not apply the nat-t patch?

> Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x2aaabe58
> <0xe9e861b8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
> DPD=enabled}

You got IPsec up.

> Nov 18 18:03:06 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
> received Delete SA(0x2aaabe58) payload: deleting IPSEC State #2

30 seconds later Windows disconnects.

> How could I fix the problem?

Did you see anything from xl2tpd? incoming tunnel? Did the user
authenticate? How did you configure the l2tp connection?

Paul

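An added example, not part of the thread and not Openswan's own code, that performs the check Paul's advice implies: parse the `virtual_private=` value, and report every subnet the server itself uses that sits inside an included range without a matching `%v4:!` exclusion. The rule matters because virtual_private is the set of addresses a NATed roadwarrior may claim as its source; if a range the server uses locally is included without an exclusion, a client can claim an address on the server's own LAN and pull that traffic into its tunnel. The sample value and the local subnet list are constructed from the addresses in the post (the truncated last token of the original line is left out); extending the check to every local subnet rather than only 192.168.10.0/24 is my generalization.

```python
import ipaddress

# Constructed from the poster's config, minus the truncated final token.
SAMPLE_VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:88.191.91.0/24"
)
# Subnets the server has on its own interfaces (eth1 and eth1:1 in the post).
SERVER_LOCAL_SUBNETS = ["88.191.91.0/24", "192.168.10.0/24"]


def parse_virtual_private(value):
    """Split a virtual_private= value into (included, excluded) IPv4 networks.

    Tokens look like %v4:10.0.0.0/8 (include) or %v4:!192.168.10.0/24
    (exclude).  %v6: tokens and anything unrecognised are ignored here.
    """
    included, excluded = [], []
    for tok in value.split(","):
        tok = tok.strip()
        if not tok.startswith("%v4:"):
            continue
        body = tok[len("%v4:"):]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(body, strict=False))
    return included, excluded


def missing_exclusions(value, local_subnets):
    """Return local subnets covered by an included range with no exclusion.

    A subnet counts as excluded when it lies inside any %v4:! network
    (so %v4:!192.168.0.0/16 also covers 192.168.10.0/24).
    """
    included, excluded = parse_virtual_private(value)
    missing = []
    for s in local_subnets:
        net = ipaddress.ip_network(s, strict=False)
        covered = any(net.subnet_of(inc) for inc in included)
        is_excluded = any(net.subnet_of(exc) for exc in excluded)
        if covered and not is_excluded:
            missing.append(str(net))
    return missing


def fixed_virtual_private(value, local_subnets):
    """Append a %v4:!<subnet> token for each missing exclusion."""
    parts = [t.strip() for t in value.split(",") if t.strip()]
    parts += ["%v4:!" + m for m in missing_exclusions(value, local_subnets)]
    return ",".join(parts)


if __name__ == "__main__":
    for m in missing_exclusions(SAMPLE_VIRTUAL_PRIVATE, SERVER_LOCAL_SUBNETS):
        print("local subnet not excluded from virtual_private:", m)
    print("suggested value:")
    print("virtual_private=" + fixed_virtual_private(SAMPLE_VIRTUAL_PRIVATE,
                                                     SERVER_LOCAL_SUBNETS))
```

Run against the constructed value it reports both 88.191.91.0/24 and 192.168.10.0/24, since the poster listed both as included ranges; the suggested value appends the two `%v4:!` tokens. Checking only 192.168.10.0/24 reproduces exactly the exclusion Paul asks for.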
