[Openswan Users] Openswan <---> Windows XP SP2 with L2TP behind NAT isn't working
Jorge Andrade
harryjsa at gmail.com
Sun Nov 23 12:20:52 EST 2008
Hi list,
I am having problems connecting from clients behind NAT. From a client
without NAT, the VPN connects successfully.
Relevant details:
kernel: Linux 2.6.18-53.el5
Distro: CentOS 5.1
OpenSwan: Openswan IPsec U2.6.14/K2.6.18-53.el5 (netkey)
/etc/ipsec.conf

version 2.0

config setup
        nat_traversal=yes
        protostack=netkey

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=secret
        pfs=no

conn roadwarrior-l2tp
        left=189.X.X.X
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%priv,%no,%v4:192.168.0.0/24
        rightprotoport=17/1701
        pfs=no
        type=transport
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets

#include /etc/ipsec.d/*.secrets
189.X.X.X %any : PSK "mytestkey"

/etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 189.X.X.X

[lns default]
ip range = 10.10.40.230-10.10.40.254
local ip = 10.10.40.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
lcp-echo-interval 30
lcp-echo-failure 6
ms-dns 10.10.40.1
ms-wins 10.10.40.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

* Logs for client without NAT
/var/log/secure
Nov 23 17:08:35 corp-core01 ipsec__plutorun: Starting Pluto subsystem...
Nov 23 17:08:35 corp-core01 pluto[1399]: Starting Pluto (Openswan Version
2.6.14; Vendor ID OEoSJUweaqAX) pid:1399
Nov 23 17:08:35 corp-core01 pluto[1399]: Setting NAT-Traversal port-4500
floating to on
Nov 23 17:08:35 corp-core01 pluto[1399]: port floating activation
criteria nat_t=1/port_float=1
Nov 23 17:08:35 corp-core01 pluto[1399]: including NAT-Traversal patch
(Version 0.6c)
Nov 23 17:08:35 corp-core01 pluto[1399]: using /dev/urandom as source of
random entropy
Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Nov 23 17:08:35 corp-core01 pluto[1399]: starting up 1 cryptographic helpers
Nov 23 17:08:36 corp-core01 pluto[1399]: started helper pid=1408 (fd:7)
Nov 23 17:08:36 corp-core01 pluto[1408]: using /dev/urandom as source of
random entropy
Nov 23 17:08:36 corp-core01 pluto[1399]: Using Linux 2.6 IPsec interface
code on 2.6.18-53.el5 (experimental code)
Nov 23 17:08:36 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
<NULL>: Ok (ret=0)
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:08:37 corp-core01 pluto[1399]: Could not change to directory
'/etc/ipsec.d/cacerts': /
Nov 23 17:08:37 corp-core01 pluto[1399]: Could not change to directory
'/etc/ipsec.d/aacerts': /
Nov 23 17:08:37 corp-core01 pluto[1399]: Could not change to directory
'/etc/ipsec.d/ocspcerts': /
Nov 23 17:08:38 corp-core01 pluto[1399]: Could not change to directory
'/etc/ipsec.d/crls'
Nov 23 17:08:38 corp-core01 pluto[1399]: Changing back to directory '/'
failed - (2 No such file or directory)
Nov 23 17:08:38 corp-core01 pluto[1399]: Changing back to directory '/'
failed - (2 No such file or directory)
Nov 23 17:08:38 corp-core01 pluto[1399]: added connection description
"roadwarrior-l2tp"
Nov 23 17:08:38 corp-core01 pluto[1399]: listening for IKE messages
Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface ppp0/ppp0
189.X.X.X:500
Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface ppp0/ppp0
189.X.X.X:4500
Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface eth1/eth1
10.10.40.1:500
Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface eth1/eth1
10.10.40.1:4500
Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface lo/lo
127.0.0.1:500
Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface lo/lo
127.0.0.1:4500
Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface lo/lo ::1:500
Nov 23 17:08:38 corp-core01 pluto[1399]: loading secrets from
"/etc/ipsec.secrets"
Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 23 17:10:44 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: responding to Main Mode from unknown peer
201.8.29.194
Nov 23 17:10:44 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Nov 23 17:10:44 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: Main mode peer ID is ID_IPV4_ADDR: '
201.8.29.194'
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: the peer proposed: 189.X.X.X/32:17/1701 ->
201.8.29.194/32:17/1701
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_ar in
duplicate_state, please report to dev at openswan.org
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_er in
duplicate_state, please report to dev at openswan.org
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pi in
duplicate_state, please report to dev at openswan.org
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pr in
duplicate_state, please report to dev at openswan.org
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#2: responding to Quick Mode proposal {msgid:65b17fe7}
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#2:
us: 189.X.X.X<189.X.X.X>[+S=C]:17/1701
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#2:
them: 201.8.29.194[+S=C]:17/1701
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
201.8.29.194#2: STATE_QUICK_R2: IPsec SA established transport mode
{ESP=>0x86dc727b
<0x1f0091d4 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
DPD=enabled}
/var/log/messages
Nov 23 17:10:47 corp-core01 xl2tpd[1120]: Connection established to
201.8.29.194, 1701. Local: 37989, Remote: 2 (ref=0/0). LNS session is
'default'
Nov 23 17:10:47 corp-core01 xl2tpd[1120]: Call established with 201.8.29.194,
Local: 41968, Remote: 1, Serial: 0
Nov 23 17:10:47 corp-core01 pppd[1665]: pppd 2.4.4 started by root, uid 0
Nov 23 17:10:47 corp-core01 pppd[1665]: Using interface ppp1
Nov 23 17:10:47 corp-core01 pppd[1665]: Connect: ppp1 <--> /dev/pts/6
Nov 23 17:10:48 corp-core01 pppd[1665]: Unsupported protocol 'Compression
Control Protocol' (0x80fd) received
Nov 23 17:10:48 corp-core01 pppd[1665]: found interface eth1 for proxy arp
Nov 23 17:10:48 corp-core01 pppd[1665]: local IP address 10.10.40.1
Nov 23 17:10:48 corp-core01 pppd[1665]: remote IP address 10.10.40.230
* Logs for client behind NAT
/var/log/secure
Nov 23 17:13:56 corp-core01 ipsec__plutorun: Starting Pluto subsystem...
Nov 23 17:13:56 corp-core01 pluto[2241]: Starting Pluto (Openswan Version
2.6.14; Vendor ID OEoSJUweaqAX) pid:2241
Nov 23 17:13:56 corp-core01 pluto[2241]: Setting NAT-Traversal port-4500
floating to on
Nov 23 17:13:56 corp-core01 pluto[2241]: port floating activation
criteria nat_t=1/port_float=1
Nov 23 17:13:56 corp-core01 pluto[2241]: including NAT-Traversal patch
(Version 0.6c)
Nov 23 17:13:56 corp-core01 pluto[2241]: using /dev/urandom as source of
random entropy
Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Nov 23 17:13:56 corp-core01 pluto[2241]: starting up 1 cryptographic helpers
Nov 23 17:13:57 corp-core01 pluto[2241]: started helper pid=2251 (fd:7)
Nov 23 17:13:57 corp-core01 pluto[2251]: using /dev/urandom as source of
random entropy
Nov 23 17:13:57 corp-core01 pluto[2241]: Using Linux 2.6 IPsec interface
code on 2.6.18-53.el5 (experimental code)
Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
<NULL>: Ok (ret=0)
Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
'/etc/ipsec.d/cacerts': /
Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
'/etc/ipsec.d/aacerts': /
Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
'/etc/ipsec.d/ocspcerts': /
Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
'/etc/ipsec.d/crls'
Nov 23 17:13:58 corp-core01 pluto[2241]: Changing back to directory '/'
failed - (2 No such file or directory)
Nov 23 17:13:58 corp-core01 pluto[2241]: Changing back to directory '/'
failed - (2 No such file or directory)
Nov 23 17:13:59 corp-core01 pluto[2241]: added connection description
"roadwarrior-l2tp"
Nov 23 17:13:59 corp-core01 pluto[2241]: listening for IKE messages
Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface ppp0/ppp0
189.X.X.X:500
Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface ppp0/ppp0
189.X.X.X:4500
Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface eth1/eth1
10.10.40.1:500
Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface eth1/eth1
10.10.40.1:4500
Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface lo/lo
127.0.0.1:500
Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface lo/lo
127.0.0.1:4500
Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface lo/lo ::1:500
Nov 23 17:13:59 corp-core01 pluto[2241]: loading secrets from
"/etc/ipsec.secrets"
Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: responding to Main Mode from unknown peer
201.8.29.194
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: Main mode peer ID is ID_IPV4_ADDR: '
201.8.29.194'
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: the peer proposed: 189.X.X.X/32:17/1701 ->
201.8.29.194/32:17/1701
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_ar in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_er in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pi in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pr in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2: responding to Quick Mode proposal {msgid:bfe83f53}
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2:
us: 189.X.X.X<189.X.X.X>[+S=C]:17/1701
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2:
them: 201.8.29.194[+S=C]:17/1701
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2: STATE_QUICK_R2: IPsec SA established transport mode
{ESP=>0x36d7da49
<0x5ab14582 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
DPD=enabled}
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: received Delete SA(0x36d7da49) payload: deleting IPSEC
State #2
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#2: request to replace with shunt a prospective erouted
policy with netkey
kernel --- experimental
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: received and ignored informational message
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194#1: received Delete SA payload: deleting ISAKMP State #1
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1] 201.8.29.194:
deleting connection "roadwarrior-l2tp" instance with peer
201.8.29.194{isakmp=#0/ipsec=#0}
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp": request to
delete a unrouted policy with netkey kernel --- experimental
Nov 23 17:14:29 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
received and ignored informational message
Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106
Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: responding to Main Mode from unknown peer
189.24.76.188
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: Main mode peer ID is ID_FQDN: '@casa01'
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
189.24.76.188#3: switched from "roadwarrior-l2tp" to
"roadwarrior-l2tp"
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: deleting connection "roadwarrior-l2tp" instance with
peer
189.24.76.188 {isakmp=#0/ipsec=#0}
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: new NAT mapping for #3, was
189.24.76.188:500, now 189.24.76.188:4500
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: peer client type is FQDN
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: Applying workaround for MS-818043 NAT-T bug
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: IDci was FQDN: \275\031(V, using NAT_OA=
192.168.0.100/32 as IDci
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: the peer proposed: 189.X.X.X/32:17/1701 ->
192.168.0.100/32:17/1701
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_ar in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_er in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pi in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pr in
duplicate_state, please report to dev at openswan.org
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4: responding to Quick Mode proposal {msgid:8b2e7e93}
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4:
us: 189.X.X.X<189.X.X.X>[+S=C]:17/1701
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4:
them: 189.24.76.188[@casa01,+S=C]:17/1701===192.168.0.100/32
Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Nov 23 17:14:33 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Nov 23 17:14:33 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Nov 23 17:14:33 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4: STATE_QUICK_R2: IPsec SA established transport mode
{ESP=>0xf0887f84
<0x63648101 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.100
NATD=189.24.76.188:4500DPD=none}
(After 678 error)
Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: received Delete SA(0xf0887f84) payload: deleting
IPSEC State #4
Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#4: request to replace with shunt a prospective erouted
policy with netkey
kernel --- experimental
Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: received and ignored informational message
Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
189.24.76.188#3: received Delete SA payload: deleting ISAKMP State #3
Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3] 189.24.76.188:
deleting connection "roadwarrior-l2tp" instance with peer
189.24.76.188{isakmp=#0/ipsec=#0}
Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp": request to
delete a unrouted policy with netkey kernel --- experimental
Nov 23 17:15:08 corp-core01 pluto[2241]: packet from 189.24.76.188:4500:
received and ignored informational message
/var/log/messages
Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Maximum retries exceeded for
tunnel 48658. Closing.
Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Connection 13 closed to
189.24.76.188, port 1701 (Timeout)
Nov 23 17:14:50 corp-core01 xl2tpd[1950]: Can not find tunnel 37989
(refhim=0)
Nov 23 17:14:55 corp-core01 xl2tpd[1950]: Maximum retries exceeded for
tunnel 7179. Closing.
Nov 23 17:14:55 corp-core01 xl2tpd[1950]: Connection 13 closed to
189.24.76.188, port 1701 (Timeout)
Nov 23 17:14:59 corp-core01 xl2tpd[1950]: Can not find tunnel 37989
(refhim=0)
Thanks in advance for any help,
Jorge
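
An added example, not part of the original post: a small Python parser that re-joins mail-wrapped syslog records like the ones above and summarises, per peer, the NAT-T detection result, the NATOA value, how long the IPsec SA lived before a Delete SA arrived, and the xl2tpd outcome. The sample lines are constructed in the format of the logs above; the host name and the documentation-range addresses are assumptions.

```python
import re

# "Nov 23 17:14:32 host prog[pid]: message" (the [pid] part is optional)
SYSLOG = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ ([\w.-]+)(?:\[\d+\])?: (.*)$")
PEER = re.compile(r'"[^"]+"\[\d+\] (\d+(?:\.\d+){3})')
NAT_RESULT = re.compile(r"NAT-Traversal: Result using \S+: (.+)$")
NATOA = re.compile(r"NATOA=(\S+)")
SA_DELETE = re.compile(r"received Delete SA\(0x[0-9a-f]+\) payload")
L2TP_UP = re.compile(r"Connection established to (\d+(?:\.\d+){3})")
L2TP_TIMEOUT = re.compile(r"closed to (\d+(?:\.\d+){3}), port \d+ \(Timeout\)")

# Constructed sample, wrapped the way the mail client wrapped the real logs.
SAMPLE = """\
Nov 23 17:10:45 vpn-gw pluto[1399]: "roadwarrior-l2tp"[1]
203.0.113.10#1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Nov 23 17:10:45 vpn-gw pluto[1399]: "roadwarrior-l2tp"[1]
203.0.113.10#2: STATE_QUICK_R2: IPsec SA established transport mode
{ESP=>0x11111111 <0x22222222 NATOA=<invalid> NATD=<invalid>:500}
Nov 23 17:10:47 vpn-gw xl2tpd[1120]: Connection established to
203.0.113.10, 1701. Local: 37989, Remote: 2 (ref=0/0).
Nov 23 17:14:32 vpn-gw pluto[2241]: "roadwarrior-l2tp"[3]
198.51.100.20#3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Nov 23 17:14:33 vpn-gw pluto[2241]: "roadwarrior-l2tp"[3]
198.51.100.20#4: STATE_QUICK_R2: IPsec SA established transport mode
{ESP=>0x33333333 <0x44444444 NATOA=192.168.0.100 NATD=198.51.100.20:4500}
Nov 23 17:14:40 vpn-gw xl2tpd[1950]: Connection 13 closed to
198.51.100.20, port 1701 (Timeout)
Nov 23 17:15:08 vpn-gw pluto[2241]: "roadwarrior-l2tp"[3]
198.51.100.20#3: received Delete SA(0x33333333) payload: deleting
IPSEC State #4
"""


def unwrap(text):
    """Join wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SYSLOG.match(line):
            records.append(line)
        elif records:  # no timestamp: continuation of the previous record
            records[-1] += " " + line
    return records


def summarise(text):
    """Return {peer_ip: {nat, natoa, sa_up, sa_lifetime, l2tp}} for pluto/xl2tpd logs."""
    peers = {}

    def entry(ip):
        return peers.setdefault(ip, {"nat": None, "natoa": None, "sa_up": None,
                                     "sa_lifetime": None, "l2tp": None})

    for rec in unwrap(text):
        hh, mm, ss, prog, msg = SYSLOG.match(rec).groups()
        now = int(hh) * 3600 + int(mm) * 60 + int(ss)  # assumes same-day logs
        if prog == "pluto":
            peer = PEER.search(msg)
            if not peer:
                continue
            state = entry(peer.group(1))
            nat, natoa = NAT_RESULT.search(msg), NATOA.search(msg)
            if nat:
                state["nat"] = nat.group(1)
            elif "IPsec SA established" in msg:
                state["sa_up"] = now
                state["natoa"] = natoa.group(1) if natoa else None
            elif SA_DELETE.search(msg) and state["sa_up"] is not None:
                state["sa_lifetime"] = now - state["sa_up"]  # seconds until peer deleted it
        elif prog == "xl2tpd":
            up, timeout = L2TP_UP.search(msg), L2TP_TIMEOUT.search(msg)
            if up:
                entry(up.group(1))["l2tp"] = "established"
            elif timeout:
                entry(timeout.group(1))["l2tp"] = "timeout"
    return peers


if __name__ == "__main__":
    for ip, state in summarise(SAMPLE).items():
        print(ip, state)
```

Feeding it the concatenated /var/log/secure and /var/log/messages excerpts puts the IPsec and L2TP outcomes for each peer side by side, which makes it easy to see when an SA was established but the L2TP control connection still timed out.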