[Openswan Users] Vista and Openswan L2TP IPSEC vpn connection problem
Danilo Godec
danilo.godec at agenda.si
Tue Oct 14 04:41:25 EDT 2008
Jacco de Leeuw wrote:
> You need this parameter if there is at least one client behind NAT.
> See man ipsec.conf or
> http://www.jacco2.dds.nl/networking/openswan-l2tp.html#NAT
>
Hi,
I recently updated a server from SuSE Linux 9.3 (with openswan-2.4.0-5
and l2tpd-0.69-12jdl) to SuSE Enterprise Linux 10 SP2 (with
openswan-2.4.4-18.6.1 and l2tpd-0.69-12jdl). Most of the configuration
was simply carried over and it works well for Linux - Linux IPSEC
tunnels and L2TP tunnels with Windows XP.
However, it just doesn't work with Vista. This is what I get in server
logs when I try to connect Vista:
> Oct 14 10:23:11 dioda pluto[8671]: packet from YYY.YYY.YYY.YYY:500:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
> Oct 14 10:23:11 dioda pluto[8671]: packet from YYY.YYY.YYY.YYY:500:
> received Vendor ID payload [RFC 3947] method set to=109
> Oct 14 10:23:11 dioda pluto[8671]: packet from YYY.YYY.YYY.YYY:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but already using method 109
> Oct 14 10:23:11 dioda pluto[8671]: packet from YYY.YYY.YYY.YYY:500:
> ignoring Vendor ID payload [FRAGMENTATION]
> Oct 14 10:23:11 dioda pluto[8671]: packet from YYY.YYY.YYY.YYY:500:
> ignoring unknown Vendor ID payload [fb1de3cdf341b7ea16b7e5be0855f120]
> Oct 14 10:23:11 dioda pluto[8671]: packet from YYY.YYY.YYY.YYY:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Oct 14 10:23:11 dioda pluto[8671]: packet from YYY.YYY.YYY.YYY:500:
> ignoring unknown Vendor ID payload [e3a5966a76379fe707228231e5ce8652]
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> responding to Main Mode from unknown peer YYY.YYY.YYY.YYY
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.
> Attribute OAKLEY_GROUP_DESCRIPTION
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.
> Attribute OAKLEY_GROUP_DESCRIPTION
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> NAT-Traversal: Result using 3: peer is NATed
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[1] YYY.YYY.YYY.YYY #7:
> Main mode peer ID is ID_DER_ASN1_DN: 'C=SI, ST=Slovenija, L=Ljubljana,
> O=IBE, OU=IT, CN=Sebastijan Silec, E=ca at ibe.si'
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> deleting connection "rw1-net" instance with peer YYY.YYY.YYY.YYY
> {isakmp=#0/ipsec=#0}
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7: I
> am sending my cert
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Oct 14 10:23:11 dioda pluto[8671]: | NAT-T: new mapping
> YYY.YYY.YYY.YYY:500/4500)
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> cannot respond to IPsec SA request because no connection is known for
> XXX.XXX.XXX.XXX[C=SI, ST=Slovenija, L=Ljubljana, O=IBE, CN=lj.ibe.si,
> E=ca at ibe.si]:17/1701...YYY.YYY.YYY.YYY[C=SI, ST=Slovenija,
> L=Ljubljana, O=IBE, OU=IT, CN=Sebastijan Silec,
> E=ca at ibe.si]:17/1701===172.16.0.92/32
> Oct 14 10:23:11 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> sending encrypted notification INVALID_ID_INFORMATION to
> YYY.YYY.YYY.YYY:4500
> Oct 14 10:23:12 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> Quick Mode I1 message is unacceptable because it uses a previously
> used Message ID 0x01000000 (perhaps this is a duplicated packet)
> Oct 14 10:23:12 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> sending encrypted notification INVALID_MESSAGE_ID to YYY.YYY.YYY.YYY:4500
> Oct 14 10:23:14 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> Quick Mode I1 message is unacceptable because it uses a previously
> used Message ID 0x01000000 (perhaps this is a duplicated packet)
> Oct 14 10:23:14 dioda pluto[8671]: "rw1-net"[2] YYY.YYY.YYY.YYY #7:
> sending encrypted notification INVALID_MESSAGE_ID to YYY.YYY.YYY.YYY:4500
where:
- XXX.XXX.XXX.XXX is the public IP of the Openswan server
- YYY.YYY.YYY.YYY is the public IP of the router behind which the
Windows XP and Vista reside
The Vista and XP that I use for testing are in the same private network
(i.e. behind NAT), while the server has a public IP. The private network
behind the server is 172.16.0.0/16, my private network is 172.16.0.0/24.
L2TP gives me an IP in the range of 172.17.4.1-100. As mentioned above,
this works with XP!?
This is my configuration (excluding comments and other Linux - Linux
connections):
> version 2.0
>
> config setup
> nat_traversal=yes
> uniqueids=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%v4:!172.16.11.0/16
> plutowait=yes
>
> conn %default
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> compress=no
> disablearrivalcheck=no
> auto=route
> authby=rsasig
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn rw1-net
> pfs=no
> left=XXX.XXX.XXX.XXX
> leftnexthop=193.77.13.33
> leftupdown=/etc/ipsec.d/road-updown
> leftprotoport=17/1701
> leftrsasigkey=%cert
> leftcert=lj.ibe.si.pem
> rightrsasigkey=%cert
> rightprotoport=17/1701
> rightca=%same
> right=%any
> rightsubnet=vhost:%no,%priv
> auto=add
> keyingtries=3
> keylife=5h
> ikelifetime=5h
What am I missing here?
Thanks, Danilo
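As an added diagnostic example (not part of the original message or of Openswan's code), the script below reads the virtual_private line posted above and checks whether a vhost:%priv client proposing 172.16.0.92/32, the address in the log, would fall inside the allowed ranges after exclusions. It models only the documented allow-minus-exclude semantics of virtual_private; how Openswan itself treats the "%4:" token and a mask with host bits set (172.16.11.0/16) is an assumption stated in the comments.

```python
import ipaddress
from typing import Tuple

# The virtual_private value as posted in the message (constructed copy, kept
# verbatim, including the "%4:" token that lacks the "v" of "%v4:").
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,"
                   "%4:172.16.0.0/12,%v4:!172.16.11.0/16")


def parse_virtual_private(value: str):
    """Split a virtual_private string into (allowed, excluded, malformed).

    Each entry is %v4:<net> or %v6:<net>; a leading '!' marks an exclusion.
    Tokens with any other prefix are reported as malformed instead of being
    silently accepted. strict=False normalises a mask with host bits set
    (172.16.11.0/16 -> 172.16.0.0/16); that is our assumption about how such
    a mask is read, not Openswan's own parsing.
    """
    allowed, excluded, malformed = [], [], []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        prefix, sep, net = token.partition(":")
        if not sep or prefix not in ("%v4", "%v6"):
            malformed.append(token)
            continue
        network = ipaddress.ip_network(net.lstrip("!"), strict=False)
        (excluded if net.startswith("!") else allowed).append(network)
    return allowed, excluded, malformed


def explain_client(addr: str, value: str = VIRTUAL_PRIVATE) -> Tuple[bool, str]:
    """Return (accepted, reason) for a vhost:%priv client proposing addr/32."""
    allowed, excluded, malformed = parse_virtual_private(value)
    ip = ipaddress.ip_address(addr)
    hit_excl = [str(n) for n in excluded if ip in n]
    hit_allow = [str(n) for n in allowed if ip in n]
    if hit_excl:
        return False, f"{addr} lies in excluded {hit_excl} after mask normalisation"
    if not hit_allow:
        note = f"; malformed tokens skipped: {malformed}" if malformed else ""
        return False, f"{addr} is in no %v4 allow entry{note}"
    return True, f"{addr} allowed by {hit_allow}"


if __name__ == "__main__":
    # 172.16.0.92 is the virtual address the Vista client proposed in the log.
    for a in ("172.16.0.92", "192.168.1.10", "172.17.4.5"):
        print(a, explain_client(a))
```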