[Openswan Users] Openswan <---> Windows XP SP2 with L2TP behind NAT isn't working
Jorge Andrade
harryjsa at gmail.com
Wed Nov 26 20:41:19 EST 2008
Folks,
Any tip or advice for this scenario?
Any help will be really appreciated.
Jorge
On Sun, Nov 23, 2008 at 3:20 PM, Jorge Andrade <harryjsa at gmail.com> wrote:
> Hi list,
>
>
>
> I am having problems connecting from clients behind NAT. From a client
> without NAT, the VPN connects successfully.
>
>
>
> Relevant details:
>
> kernel: Linux 2.6.18-53.el5
>
> Distro: CentOS 5.1
>
> OpenSwan: Openswan IPsec U2.6.14/K2.6.18-53.el5 (netkey)
>
>
>
>
>
> /etc/ipsec.conf
>
> version 2.0
>
> config setup
>     nat_traversal=yes
>     protostack=netkey
>
> conn %default
>     keyingtries=1
>     compress=yes
>     disablearrivalcheck=no
>     authby=secret
>     pfs=no
>
> conn roadwarrior-l2tp
>     left=189.X.X.X
>     leftprotoport=17/1701
>     right=%any
>     rightsubnet=vhost:%priv,%no,%v4:192.168.0.0/24
>     rightprotoport=17/1701
>     pfs=no
>     type=transport
>     auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
>
> /etc/ipsec.secrets
>
> #include /etc/ipsec.d/*.secrets
> 189.X.X.X %any : PSK "mytestkey"
>
>
> /etc/xl2tpd/xl2tpd.conf
>
> [global]
> listen-addr = 189.X.X.X
>
> [lns default]
> ip range = 10.10.40.230-10.10.40.254
> local ip = 10.10.40.1
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = LinuxVPNserver
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
>
>
> /etc/ppp/options.xl2tpd
>
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-interval 30
> lcp-echo-failure 6
> ms-dns 10.10.40.1
> ms-wins 10.10.40.1
> noccp
> auth
> crtscts
> idle 1800
> mtu 1410
> mru 1410
> nodefaultroute
> debug
> lock
> proxyarp
> connect-delay 5000
>
>
>
> * Logs for client without NAT
>
>
>
> /var/log/secure
>
>
>
> Nov 23 17:08:35 corp-core01 ipsec__plutorun: Starting Pluto subsystem...
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: Starting Pluto (Openswan Version
> 2.6.14; Vendor ID OEoSJUweaqAX) pid:1399
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: Setting NAT-Traversal port-4500
> floating to on
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: port floating activation
> criteria nat_t=1/port_float=1
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: including NAT-Traversal patch
> (Version 0.6c)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: using /dev/urandom as source of
> random entropy
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
>
> Nov 23 17:08:35 corp-core01 pluto[1399]: starting up 1 cryptographic
> helpers
>
> Nov 23 17:08:36 corp-core01 pluto[1399]: started helper pid=1408 (fd:7)
>
> Nov 23 17:08:36 corp-core01 pluto[1408]: using /dev/urandom as source of
> random entropy
>
> Nov 23 17:08:36 corp-core01 pluto[1399]: Using Linux 2.6 IPsec interface
> code on 2.6.18-53.el5 (experimental code)
>
> Nov 23 17:08:36 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: Could not change to directory
> '/etc/ipsec.d/cacerts': /
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: Could not change to directory
> '/etc/ipsec.d/aacerts': /
>
> Nov 23 17:08:37 corp-core01 pluto[1399]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: Could not change to directory
> '/etc/ipsec.d/crls'
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: Changing back to directory '/'
> failed - (2 No such file or directory)
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: Changing back to directory '/'
> failed - (2 No such file or directory)
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: added connection description
> "roadwarrior-l2tp"
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: listening for IKE messages
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface ppp0/ppp0
> 189.X.X.X:500
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface ppp0/ppp0
> 189.X.X.X:4500
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface eth1/eth1
> 10.10.40.1:500
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface eth1/eth1
> 10.10.40.1:4500
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface lo/lo
> 127.0.0.1:500
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface lo/lo
> 127.0.0.1:4500
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: adding interface lo/lo ::1:500
>
> Nov 23 17:08:38 corp-core01 pluto[1399]: loading secrets from
> "/etc/ipsec.secrets"
>
> Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>
> Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
> ignoring Vendor ID payload [FRAGMENTATION]
>
> Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
>
> Nov 23 17:10:44 corp-core01 pluto[1399]: packet from 201.8.29.194:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
>
> Nov 23 17:10:44 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: responding to Main Mode from unknown peer 201.8.29.194
>
> Nov 23 17:10:44 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
>
> Nov 23 17:10:44 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: Main mode peer ID is ID_IPV4_ADDR: '201.8.29.194'
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: the peer proposed: 189.X.X.X/32:17/1701 ->
> 201.8.29.194/32:17/1701
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_ar in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_er in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_pi in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_pr in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: responding to Quick Mode proposal {msgid:65b17fe7}
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: us: 189.X.X.X<189.X.X.X>[+S=C]:17/1701
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: them: 201.8.29.194[+S=C]:17/1701
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
> expecting QI2
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
>
> Nov 23 17:10:45 corp-core01 pluto[1399]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: STATE_QUICK_R2: IPsec SA established transport mode
> {ESP=>0x86dc727b <0x1f0091d4 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid>
> NATD=<invalid>:500 DPD=enabled}
>
>
>
> /var/log/messages
>
> Nov 23 17:10:47 corp-core01 xl2tpd[1120]: Connection established to
> 201.8.29.194, 1701. Local: 37989, Remote: 2 (ref=0/0). LNS session is
> 'default'
>
> Nov 23 17:10:47 corp-core01 xl2tpd[1120]: Call established with
> 201.8.29.194, Local: 41968, Remote: 1, Serial: 0
>
> Nov 23 17:10:47 corp-core01 pppd[1665]: pppd 2.4.4 started by root, uid 0
>
> Nov 23 17:10:47 corp-core01 pppd[1665]: Using interface ppp1
>
> Nov 23 17:10:47 corp-core01 pppd[1665]: Connect: ppp1 <--> /dev/pts/6
>
> Nov 23 17:10:48 corp-core01 pppd[1665]: Unsupported protocol 'Compression
> Control Protocol' (0x80fd) received
>
> Nov 23 17:10:48 corp-core01 pppd[1665]: found interface eth1 for proxy arp
>
> Nov 23 17:10:48 corp-core01 pppd[1665]: local IP address 10.10.40.1
>
> Nov 23 17:10:48 corp-core01 pppd[1665]: remote IP address 10.10.40.230
>
>
>
> * Logs for client behind NAT
>
>
>
> /var/log/secure
>
> Nov 23 17:13:56 corp-core01 ipsec__plutorun: Starting Pluto subsystem...
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: Starting Pluto (Openswan Version
> 2.6.14; Vendor ID OEoSJUweaqAX) pid:2241
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: Setting NAT-Traversal port-4500
> floating to on
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: port floating activation
> criteria nat_t=1/port_float=1
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: including NAT-Traversal patch
> (Version 0.6c)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: using /dev/urandom as source of
> random entropy
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
>
> Nov 23 17:13:56 corp-core01 pluto[2241]: starting up 1 cryptographic
> helpers
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: started helper pid=2251 (fd:7)
>
> Nov 23 17:13:57 corp-core01 pluto[2251]: using /dev/urandom as source of
> random entropy
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: Using Linux 2.6 IPsec interface
> code on 2.6.18-53.el5 (experimental code)
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:13:57 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): WARNING:
> enc alg=0 not found in constants.c:oakley_enc_names
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_add(): ERROR: Algorithm
> already exists
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
> '/etc/ipsec.d/cacerts': /
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
> '/etc/ipsec.d/aacerts': /
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: Could not change to directory
> '/etc/ipsec.d/crls'
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: Changing back to directory '/'
> failed - (2 No such file or directory)
>
> Nov 23 17:13:58 corp-core01 pluto[2241]: Changing back to directory '/'
> failed - (2 No such file or directory)
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: added connection description
> "roadwarrior-l2tp"
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: listening for IKE messages
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface ppp0/ppp0
> 189.X.X.X:500
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface ppp0/ppp0
> 189.X.X.X:4500
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface eth1/eth1
> 10.10.40.1:500
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface eth1/eth1
> 10.10.40.1:4500
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface lo/lo
> 127.0.0.1:500
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface lo/lo
> 127.0.0.1:4500
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: adding interface lo/lo ::1:500
>
> Nov 23 17:13:59 corp-core01 pluto[2241]: loading secrets from
> "/etc/ipsec.secrets"
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
> ignoring Vendor ID payload [FRAGMENTATION]
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: responding to Main Mode from unknown peer 201.8.29.194
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: Main mode peer ID is ID_IPV4_ADDR: '201.8.29.194'
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
>
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: the peer proposed: 189.X.X.X/32:17/1701 ->
> 201.8.29.194/32:17/1701
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_ar in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_er in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_pi in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
> st_skey_pr in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: responding to Quick Mode proposal {msgid:bfe83f53}
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: us: 189.X.X.X<189.X.X.X>[+S=C]:17/1701
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: them: 201.8.29.194[+S=C]:17/1701
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
> expecting QI2
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: STATE_QUICK_R2: IPsec SA established transport mode
> {ESP=>0x36d7da49 <0x5ab14582 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid>
> NATD=<invalid>:500 DPD=enabled}
>
> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: received Delete SA(0x36d7da49) payload: deleting IPSEC
> State #2
>
> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: request to replace with shunt a prospective erouted
> policy with netkey kernel --- experimental
>
> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: received and ignored informational message
>
> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: received Delete SA payload: deleting ISAKMP State #1
>
> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194: deleting connection "roadwarrior-l2tp" instance with peer
> 201.8.29.194 {isakmp=#0/ipsec=#0}
>
> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp": request to
> delete a unrouted policy with netkey kernel --- experimental
>
> Nov 23 17:14:29 corp-core01 pluto[2241]: packet from 201.8.29.194:500:
> received and ignored informational message
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
> ignoring Vendor ID payload [FRAGMENTATION]
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: packet from 189.24.76.188:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: responding to Main Mode from unknown peer 189.24.76.188
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: STATE_MAIN_R1: sent MR1, expecting MI2
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: STATE_MAIN_R2: sent MR2, expecting MI3
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: Main mode peer ID is ID_FQDN: '@casa01'
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: switched from "roadwarrior-l2tp" to "roadwarrior-l2tp"
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: deleting connection "roadwarrior-l2tp" instance with
> peer 189.24.76.188 {isakmp=#0/ipsec=#0}
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: new NAT mapping for #3, was 189.24.76.188:500, now
> 189.24.76.188:4500
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: peer client type is FQDN
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: Applying workaround for MS-818043 NAT-T bug
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: IDci was FQDN: \275\031(V, using NAT_OA=192.168.0.100/32as IDci
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: the peer proposed: 189.X.X.X/32:17/1701 ->
> 192.168.0.100/32:17/1701
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
> for st_skey_ar in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
> for st_skey_er in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
> for st_skey_pi in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: alloc_bytes1() was mistakenly asked to malloc 0 bytes
> for st_skey_pr in duplicate_state, please report to dev at openswan.org
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: responding to Quick Mode proposal {msgid:8b2e7e93}
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: us: 189.X.X.X<189.X.X.X>[+S=C]:17/1701
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: them: 189.24.76.188[@casa01,+S=C]:17/1701===
> 192.168.0.100/32
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
>
> Nov 23 17:14:33 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
> expecting QI2
>
> Nov 23 17:14:33 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
>
> Nov 23 17:14:33 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: STATE_QUICK_R2: IPsec SA established transport mode
> {ESP=>0xf0887f84 <0x63648101 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.100NATD=
> 189.24.76.188:4500 DPD=none}
>
>
>
> (After 678 error)
>
> Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: received Delete SA(0xf0887f84) payload: deleting IPSEC
> State #4
>
> Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: request to replace with shunt a prospective erouted
> policy with netkey kernel --- experimental
>
> Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: received and ignored informational message
>
> Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: received Delete SA payload: deleting ISAKMP State #3
>
> Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188: deleting connection "roadwarrior-l2tp" instance with peer
> 189.24.76.188 {isakmp=#0/ipsec=#0}
>
> Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp": request to
> delete a unrouted policy with netkey kernel --- experimental
>
> Nov 23 17:15:08 corp-core01 pluto[2241]: packet from 189.24.76.188:4500:
> received and ignored informational message
>
>
>
> /var/log/messages
>
> Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Maximum retries exceeded for
> tunnel 48658. Closing.
>
> Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Connection 13 closed to
> 189.24.76.188, port 1701 (Timeout)
>
> Nov 23 17:14:50 corp-core01 xl2tpd[1950]: Can not find tunnel 37989
> (refhim=0)
>
> Nov 23 17:14:55 corp-core01 xl2tpd[1950]: Maximum retries exceeded for
> tunnel 7179. Closing.
>
> Nov 23 17:14:55 corp-core01 xl2tpd[1950]: Connection 13 closed to
> 189.24.76.188, port 1701 (Timeout)
>
> Nov 23 17:14:59 corp-core01 xl2tpd[1950]: Can not find tunnel 37989
> (refhim=0)
>
>
>
>
>
> Thanks in advance for any help,
>
>
>
> Jorge
>
>
>
>
>
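Added example, not part of the original post and not Openswan or xl2tpd code: a small Python triage script that strips the mail quoting, re-joins the wrapped syslog lines shown above, and reports per peer the NAT-T result, whether the IPsec SA came up, and whether xl2tpd then timed out. The function names are hypothetical; the sample lines are copied from the logs in this message.

```python
import re

# Sample copied from the "client behind NAT" logs in the post above (pluto
# lines from /var/log/secure, xl2tpd lines from /var/log/messages), kept with
# the "> " quoting and line wrapping the mail archive introduced.
SAMPLE = '''\
> Nov 23 17:14:16 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>
> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #2: STATE_QUICK_R2: IPsec SA established transport mode
> {ESP=>0x36d7da49 <0x5ab14582 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid>
> NATD=<invalid>:500 DPD=enabled}
> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> 201.8.29.194 #1: received Delete SA(0x36d7da49) payload: deleting IPSEC
> State #2
>
> Nov 23 17:14:32 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2]
> 189.24.76.188 #3: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> Nov 23 17:14:33 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #4: STATE_QUICK_R2: IPsec SA established transport mode
> {ESP=>0xf0887f84 <0x63648101 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.100NATD=
> 189.24.76.188:4500 DPD=none}
> Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Connection 13 closed to
> 189.24.76.188, port 1701 (Timeout)
> Nov 23 17:14:55 corp-core01 xl2tpd[1950]: Connection 13 closed to
> 189.24.76.188, port 1701 (Timeout)
> Nov 23 17:15:08 corp-core01 pluto[2241]: "roadwarrior-l2tp"[3]
> 189.24.76.188 #3: received Delete SA(0xf0887f84) payload: deleting IPSEC
> State #4
'''

IP = r"(\d+\.\d+\.\d+\.\d+)"
TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
PLUTO = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] ' + IP + r" #\d+: (.*)$")
L2TP_TIMEOUT = re.compile(
    r"xl2tpd\[\d+\]: Connection \d+ closed to " + IP + r", port \d+ \(Timeout\)")
NATOA = re.compile(r"NATOA=" + IP)


def unwrap(text):
    """Strip '> ' quoting and re-join wrapped lines into one record each."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)          # a new syslog record starts here
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records


def _peer(peers, ip):
    return peers.setdefault(ip, {"nat": None, "ipsec_sa": False, "nat_oa": None,
                                 "peer_deleted_sa": False, "l2tp_timeouts": 0})


def summarize(text):
    """Return {peer_ip: state} built from pluto and xl2tpd records."""
    peers = {}
    for rec in unwrap(text):
        m = PLUTO.search(rec)
        if m:
            p, msg = _peer(peers, m.group(1)), m.group(2)
            if msg.startswith("NAT-Traversal: Result"):
                p["nat"] = msg.rsplit(": ", 1)[1]
            elif "IPsec SA established" in msg:
                p["ipsec_sa"] = True
                oa = NATOA.search(msg)    # NATOA=<invalid> leaves this None
                p["nat_oa"] = oa.group(1) if oa else None
            elif msg.startswith("received Delete SA("):
                p["peer_deleted_sa"] = True
            continue
        m = L2TP_TIMEOUT.search(rec)
        if m:
            _peer(peers, m.group(1))["l2tp_timeouts"] += 1
    return peers


def ipsec_up_but_l2tp_timed_out(peers):
    """Peers whose IPsec SA was established but whose L2TP tunnel timed out."""
    return sorted(ip for ip, p in peers.items()
                  if p["ipsec_sa"] and p["l2tp_timeouts"])


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for ip, state in result.items():
        print(ip, state)
    print("IPsec up, L2TP timed out:", ipsec_up_but_l2tp_timed_out(result))
```
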