[Openswan Users] Where does the l2tp timeout come from?
Kai Garlipp
kai at garlipp.de
Mon Oct 27 14:52:09 EDT 2008
Hello,
I'm just stuck for the last few days with my l2tp over ipsec
configuration and I don't know where the error is coming from.
I'm using freshly installed CentOS 5.2 (2.6.18-92.1.13.el5 x86_64),
openswan-2.6.14-1.el5_2.1 and xl2tpd-1.1.12-2.fc9
The server has a static IP and direct internet connection and I'm trying
to connect the server using a Windows client behind NAT (and maybe with
a direct connection too).
But there is still a problem with the l2tp connection, where I'm getting
a timeout error. :-(
My ipsec.conf looks as follows:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
protostack=netkey
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior-net
leftsubnet=85.214.xx.yyy/255.255.255.255
also=roadwarrior
conn roadwarrior-l2tp
pfs=no
leftprotoport=17/0
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior-l2tp-updatedwin
pfs=no
leftprotoport=17/1701
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior
left=85.214.xx.yyy
leftnexthop=85.214.44.1
leftcert=darss.pem
right=%any
rightsubnet=vhost:%no,%priv
auto=add
include /etc/ipsec.d/no_oe.conf
The netmask might look weird, but this is how I'm getting it from the
DHCP-server.
ipsec verify doesn't show any errors:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.14/K2.6.18-92.1.13.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
The output from the /var/logs/secure file when I'm connecting from a
Windows (Vista, same problem with XP) PC:
Oct 27 17:52:50 myhostnm pluto[2265]: packet from 84.139.135.155:63648:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Oct 27 17:52:50 myhostnm pluto[2265]: packet from 84.139.135.155:63648:
received Vendor ID payload [RFC 3947] method set to=109
Oct 27 17:52:50 myhostnm pluto[2265]: packet from 84.139.135.155:63648:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Oct 27 17:52:50 myhostnm pluto[2265]: packet from 84.139.135.155:63648:
ignoring Vendor ID payload [FRAGMENTATION]
Oct 27 17:52:50 myhostnm pluto[2265]: packet from 84.139.135.155:63648:
ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Oct 27 17:52:50 myhostnm pluto[2265]: packet from 84.139.135.155:63648:
ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 27 17:52:50 myhostnm pluto[2265]: packet from 84.139.135.155:63648:
ignoring Vendor ID payload [IKE CGA version 1]
Oct 27 17:52:50 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: responding to Main Mode from unknown peer 84.139.135.155
Oct 27 17:52:50 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: OAKLEY_GROUP 20 not supported. Attribute
OAKLEY_GROUP_DESCRIPTION
Oct 27 17:52:50 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: OAKLEY_GROUP 19 not supported. Attribute
OAKLEY_GROUP_DESCRIPTION
Oct 27 17:52:50 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Oct 27 17:52:50 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 27 17:52:51 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
peer is NATed
Oct 27 17:52:51 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Oct 27 17:52:51 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ...'
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: crl update for "C=DE, ..." is overdue since Oct 21
12:49:44 UTC 2008
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[1]
84.139.135.155 #1: switched from "roadwarrior-net" to "roadwarrior-net"
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: deleting connection "roadwarrior-net" instance with
peer 84.139.135.155 {isakmp=#0/ipsec=#0}
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: I am sending my cert
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: new NAT mapping for #1, was 84.139.135.155:63648, now
84.139.135.155:63649
Oct 27 17:52:52 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: the peer proposed: 85.214.xx.yyy/32:0/0 ->
192.168.178.23/32:0/0
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: NAT-Traversal: received 2 NAT-OA. using first,
ignoring others
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_ar in duplicate_state, please report to dev at openswan.org
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_er in duplicate_state, please report to dev at openswan.org
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pi in duplicate_state, please report to dev at openswan.org
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-net"[2]
84.139.135.155 #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes
for st_skey_pr in duplicate_state, please report to dev at openswan.org
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-l2tp"[1]
84.139.135.155 #2: responding to Quick Mode proposal {msgid:01000000}
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-l2tp"[1]
84.139.135.155 #2: us:
85.214.xx.yyy<85.214.xx.yyy>[+S=C]:17/0---85.214.44.1
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-l2tp"[1]
84.139.135.155 #2: them: 84.139.135.155[C=DE,
...,+S=C]:17/1701===192.168.178.23/32
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-l2tp"[1]
84.139.135.155 #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-l2tp"[1]
84.139.135.155 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-l2tp"[1]
84.139.135.155 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Oct 27 17:52:53 myhostnm pluto[2265]: "roadwarrior-l2tp"[1]
84.139.135.155 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x8b2bc3c5 <0xac22a84f xfrm=AES_128-HMAC_SHA1 NATOA=192.168.178.23
NATD=84.139.135.155:63649 DPD=none}
I'm I right that the ipsec-configuration is OK and the the tunnel has
gone up properly?
my /etc/xl2tpd/xl2tpd.conf
[global]
;
[lns default]
ip range = 10.168.100.240-10.168.100.250
local ip = 10.168.100.254
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
length bit = yes
Oct 27 17:53:00 myhostnm xl2tpd[2547]: Maximum retries exceeded for
tunnel 44391. Closing.
Oct 27 17:53:00 myhostnm xl2tpd[2547]: Connection 1 closed to
84.139.135.155, port 1701 (Timeout)
Oct 27 17:53:15 myhostnm xl2tpd[2547]: Maximum retries exceeded for
tunnel 42204. Closing.
Oct 27 17:53:15 myhostnm xl2tpd[2547]: Connection 1 closed to
84.139.135.155, port 1701 (Timeout)
and the dump of the network traffic:
# tcpdump -n -i eth0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:21:56.746595 IP 84.139.135.155.63868 > 85.214.xx.yyy.isakmp: isakmp:
phase 1 I ident
18:21:56.747592 IP 85.214.xx.yyy.isakmp > 84.139.135.155.63868: isakmp:
phase 1 R ident
18:21:57.422468 IP 84.139.135.155.63868 > 85.214.xx.yyy.isakmp: isakmp:
phase 1 I ident
18:21:57.429973 IP 85.214.xx.yyy.isakmp > 84.139.135.155.63868: isakmp:
phase 1 R ident
18:21:57.909938 802.1d unknown version
18:21:57.952414 IP 84.139.135.155.63869 > 85.214.xx.yyy.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident[E]
18:21:57.956315 IP 85.214.xx.yyy.ipsec-nat-t > 84.139.135.155.63869:
NONESP-encap: isakmp: phase 1 R ident[E]
18:21:58.068847 IP 84.139.135.155.63869 > 85.214.xx.yyy.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
18:21:58.071009 IP 85.214.xx.yyy.ipsec-nat-t > 84.139.135.155.63869:
NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
18:21:58.267487 IP 84.139.135.155.63869 > 85.214.xx.yyy.ipsec-nat-t:
UDP-encap: ESP(spi=0x0a6eb3e9,seq=0x1), length 148
18:21:58.275232 IP 84.139.135.155.63869 > 85.214.xx.yyy.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
18:21:59.266427 IP 84.139.135.155.63869 > 85.214.xx.yyy.ipsec-nat-t:
UDP-encap: ESP(spi=0x0a6eb3e9,seq=0x2), length 148
18:21:59.909558 802.1d unknown version
18:22:00.269100 IP 85.214.xx.yyy.l2tp > 84.139.135.155.l2tp:
l2tp:[TLS](2/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:22:00.269430 IP 85.214.xx.yyy.l2tp > 84.139.135.155.l2tp:
l2tp:[TLS](2/0)Ns= 0,Nr=1 ZLB
18:22:00.338733 IP 84.139.135.155 > 85.214.xx.yyy: ICMP host
84.139.135.155 unreachable - admin prohibited filter, length 36
18:22:00.342563 IP 84.139.135.155 > 85.214.xx.yyy: ICMP host
84.139.135.155 unreachable - admin prohibited filter, length 36
18:22:01.267292 IP 84.139.135.155.63869 > 85.214.xx.yyy.ipsec-nat-t:
UDP-encap: ESP(spi=0x0a6eb3e9,seq=0x3), length 148
18:22:01.267739 IP 85.214.xx.yyy.l2tp > 84.139.135.155.l2tp:
l2tp:[TLS](2/0)Ns=0,Nr=1 ZLB
18:22:01.270072 IP 85.214.xx.yyy.l2tp > 84.139.135.155.l2tp:
l2tp:[TLS](2/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:22:01.331005 IP 84.139.135.155 > 85.214.xx.yyy: ICMP host
84.139.135.155 unreachable - admin prohibited filter, length 36
18:22:01.336252 IP 84.139.135.155 > 85.214.xx.yyy: ICMP host
84.139.135.155 unreachable - admin prohibited filter, length 36
18:22:02.271088 IP 85.214.xx.yyy.l2tp > 84.139.135.155.l2tp:
l2tp:[TLS](2/0)Ns= 0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:22:02.332939 IP 84.139.135.155 > 85.214.xx.yyy: ICMP host
84.139.135.155 unreachable - admin prohibited filter, length 36
18:22:03.272101 IP 85.214.xx.yyy.l2tp > 84.139.135.155.l2tp:
l2tp:[TLS](2/0)Ns= 0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
*FRAMING_CAP(AS) *BEARER_CAP() |...
18:22:03.334374 IP 84.139.135.155 > 85.214.xx.yyy: ICMP host
84.139.135.155 unreachable - admin prohibited filter, length 36
I don't know where the "unreachable - admin prohibited filter" error
lines are coming from. :-( They are still there when I switch off
iptables. And they are still there when I'm connecting from a different
client or using a different dial-in infrastructure, so I don't think
that is coming from the build-in Windows-firewall or from the NAT-Router.
Any ideas what I'm doing wrong?
Thanks, Kai
More information about the Users
mailing list