[Openswan Users] ipsec with xl2tpd

Reza Issany issanyr at gmail.com
Tue Nov 18 15:45:51 EST 2008


I have tried to patch the kernel using make nattpatch, but it is impossible to patch
2.6.25. I've successfully patched a 2.6.18 kernel, but can any of the 2.6.2x
kernels be patched?!

Nothing is logged by l2tp.

In Windows, I've created a VPN connection using the public address of the
openswan server,
choosing VPN IPSEC / L2TP and putting the user in chap-secrets.

Why do I have to exclude the 192.168.10.0 network?

I'd like to patch my current kernel, but I can't find any patch for
that kernel.

Paul Wouters wrote:
> On Tue, 18 Nov 2008, Issany Reza wrote:
>
>   
>> Now I'm using KLIPS and I'll try to get functional L2TP.
>> The server only has one address (the public one). I have created a virtual
>> interface (eth1:1)
>> - Public Address : 88.191.91.113/24 - network 88.191.91.0/24
>> - Virtual Address : 192.168.10.45/24 - network 192.168.10.0/24
>>     
>
>   
>> config setup
>>        nat_traversal=yes
>>        virtual_private=%v4:
>> 10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:88.191.91.0/24,%v4:192.168.10.0/2
>>     
>
> You would need to *exclude* 192.168.10.0/24 using %v4:!192.168.10.0/24
>
>   
>> conn roadwarrior-xp
>>         type=transport
>>         left=88.191.91.113
>>         leftcert=vpn.olympecti.fr.pem
>>         leftprotoport=17/1701
>>         right=%any
>>         rightsubnet=vhost:%no,%priv
>>         rightprotoport=17/1701
>>         pfs=no
>>         auto=add
>>
>> l2tpd.conf :
>> [global]
>> port = 1701
>> listen-addr = 88.191.91.113
>> debug tunnel = yes
>>
>> [lns default]
>> ip range = 192.168.10.10-192.168.10.20
>> local ip = 192.168.10.1
>> length bit = yes
>> require chap = yes
>> refuse pap = yes
>> require authentication = yes
>> name = OCTIVPN
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.l2tpd.lns
>>
>> options.l2tpd.lns :
>>
>> ipcp-accept-local
>> ipcp-accept-remote
>> noipdefault
>> require-chap
>> connect-delay 5000
>> noccp
>> noauth
>> idle 1800
>> mtu 1410
>> mru 1410
>>     
>
> I would lower mtu/mru to 1200 or so.
>
>   
>> When I initiate the connection from my Windows client (that has the cert
>> .p12), I have these logs (and a 678 error in Windows XP SP2) :
>> Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: ignoring
>> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>> Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: ignoring
>> Vendor ID payload [FRAGMENTATION]
>> Nov 18 18:02:31 zola pluto[8532]: packet from 217.128.239.224:500: received
>> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
>> floating is off
>>     
>
> You did not apply the nat-t patch?
>
>   
>> Nov 18 18:02:31 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #2:
>> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x2aaabe58
>> <0xe9e861b8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
>> DPD=enabled}
>>     
>
> You got ipsec up
>
>   
>> Nov 18 18:03:06 zola pluto[8532]: "roadwarrior-xp"[2] 217.128.239.224 #1:
>> received Delete SA(0x2aaabe58) payload: deleting IPSEC State #2
>>     
>
> 30 seconds later Windows disconnects.
>
>   
>> How could I fix the problem ?
>>     
>
> Did you see anything from xl2tpd? incoming tunnel? Did the user
> authenticate? How did you configure the l2tp connection?
>
> Paul
>
>   

