[Openswan Users] Problems with ipsec/l2tp connection
Eugenio Vescovi
eugevesco at hotmail.com
Tue Sep 16 11:13:48 EDT 2008
Hi all,
I'm working on a thesis project, and I need to create a VPN roadwarrior connection for my University Department's LAN.
This is the configuration
SERVER: Linux Debian 2.4.6 with Openswan 2.4 (netkey), l2tpd 0.69 and pppd 2.4.3, not NATted, public IP: 141.250.40.34 (attila.diei.unipg.it).
CLIENT: Linux Ubuntu, 2.6 with Openswan 2.4 (netkey), xl2tpd 1.1 and pppd 2.4.4, NATted, private IP 10.1.1.16, gateway 10.1.1.1
I have to establish a VPN connection with the server machine and give the warriors VIRTUAL IP addresses within the pool 141.250.40.51 - 141.250.40.52
I've been working on it for over one month, but without luck.
At the moment I can establish a tunnel between the two endpoints (this is what ipsec says), but they can't ping each other.
Plus I can't start a proper l2tpd connection for virtual IP assignment.
Once the IPsec tunnel is up, I start the l2tpd server with #/etc/init.d/l2tpd start
At this point I need to start the xl2tpd daemon on the client machine, but I can't do it, because I can't find the right command. Googling, I've found several ways that should do it:
1) #/etc/init.d/xl2tpd start
2) #/usr/sbin/xl2tpd -D
3) #echo "c <xl2tpd connection name>" > /var/run/xl2tpd/l2tp-control (If I want to use this command, I need to create the folder and the l2tp-control file first).
When I try to start up the xl2tpd connection, nothing happens. Even sniffing with tcpdump I can't see any packets (except the isakmp-nat-keep-alive packets between the two endpoints).
I can't really understand what I have to do.
Can you help me some way?
Here are all the configuration files of CLIENT and SERVER.
============================================
ipsec.conf of the client
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
nat_traversal=yes
conn Prova
left=141.250.40.34
right=%defaultroute
rightnexthop=10.1.1.1
auto=start
authby=secret
leftprotoport=17/1701
rightprotoport=17/1701
ipsec.conf of the server
config setup
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:192.168.0.0/16,%v4:10.1.0.0/16
klipsdebug=none
plutodebug=none
conn prova
left=%defaultroute
leftnexthop=141.250.40.30
right=%any
rightsubnet=vhost:%no,%priv
rightprotoport=17/1701
leftprotoport=17/1701
authby=secret
type=tunnel
auto=start
=================================================
xl2tpd.conf of the client
[global]
port = 1701
access control = no
[lac Eugenio_prova]
lns = 141.250.40.34
redial = yes
require chap = yes
refuse pap = yes
name = warrior
pppoptfile = /etc/ppp/options.l2tpd.lac
l2tpd.conf of the server
[global]
port = 1701
access control = no
[lns default]
ip range = 141.250.40.51 - 141.250.40.52
local ip = 141.250.40.56
length bit = yes
require chap = yes
refuse pap = yes
name = server_diei
pppoptfile=/etc/ppp/options.l2tpd.lns
=====================================
options.xl2tpd.lac of the client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
options.l2tpd.lns of the server
ipcp-accept-remote
ipcp-accept-local
asyncmap 0
#auth
crtscts
lock
hide-password
modem
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
=========================================
chap-secret of the client
#client server secret IP addresses
warrior server_diei "*********" *
chap-secret of the server
# client server secret IP addresses
warrior * "pppsecret" 141.250.40.51
* server_diei "pppsecret" 141.250.40.51
In order to skip the complicated configuration, I tried to use WinXP Service Pack 2 following Jacco's networking stuff on the web, but without luck.
Here's my auth.log file (client side)
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: initiating Main Mode
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: ignoring unknown Vendor ID payload [4f456c4c4f5d5264574e5244]
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: received Vendor ID payload [Dead Peer Detection]
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: received Vendor ID payload [RFC 3947] method set to=109
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: I did not send a certificate because I do not have one.
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: Main mode peer ID is ID_IPV4_ADDR: '141.250.40.34'
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9f7bc26c <0x4fa27949 xfrm=AES_0-HMAC_SHA1 NATD=141.250.40.34:4500 DPD=none}
When I try to start up xl2tpd, this is what happens
xl2tpd[12809]: xl2tpd version xl2tpd-1.1.12 started on eugenio-laptop PID:12809
xl2tpd[12809]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[12809]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[12809]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[12809]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[12809]: Listening on IP address 0.0.0.0, port 1701
[ctrl+c]
xl2tpd[12809]: death_handler: Fatal signal 2 received
I really hope somebody can help me, because I've no idea where I'm wrong.
Thank you all in advance.
Eugenio.
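As an added example, not part of Eugenio's message or of Openswan: a small Python parser for pluto log lines of the kind quoted above. It summarises, per connection, what was negotiated (NAT detection result, ISAKMP SA parameters, IPsec SA transforms and NAT-D endpoint) and flags the phase 1 algorithms that the quoted log shows (3DES, MD5) as ones a defender should retire. The sample log is constructed from the lines in the post; the function names are mine.

```python
import re

# Constructed sample: the relevant pluto lines from the post above.
SAMPLE_LOG = """\
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: initiating Main Mode
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9f7bc26c <0x4fa27949 xfrm=AES_0-HMAC_SHA1 NATD=141.250.40.34:4500 DPD=none}
"""

# pluto prefixes every connection message with '"<conn>" #<sa>:'
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
BRACES_RE = re.compile(r'\{(?P<body>[^}]*)\}')

# Phase 1 parameters that this 2008-era default negotiates but that should be retired.
WEAK = ('3des', 'md5', 'modp1024')


def _kv(msg):
    """Turn the trailing '{k=v k=v ...}' of an 'SA established' line into a dict."""
    body = BRACES_RE.search(msg)
    out = {}
    for tok in body['body'].split() if body else []:
        if '=' in tok:
            k, v = tok.split('=', 1)
            out[k] = v.lstrip('>')   # 'ESP=>0x...' becomes {'ESP': '0x...'}
    return out


def parse_pluto(text):
    """Summarise NAT status, ISAKMP SA and IPsec SA parameters per connection name."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m['conn'], {'nated': None, 'isakmp': None, 'ipsec': None})
        msg = m['msg']
        if 'NAT-Traversal: Result' in msg:
            c['nated'] = 'i am NATed' in msg
        elif 'ISAKMP SA established' in msg:
            c['isakmp'] = _kv(msg)
        elif 'IPsec SA established' in msg:
            c['ipsec'] = _kv(msg)
    return conns


def weak_algorithms(summary):
    """Return (parameter, value) pairs of the phase 1 SA that match a WEAK marker."""
    isakmp = summary.get('isakmp') or {}
    return [(k, isakmp[k]) for k in ('cipher', 'prf', 'group')
            if k in isakmp and any(w in isakmp[k].lower() for w in WEAK)]
```

Run `parse_pluto` over a real `/var/log/auth.log` to confirm both phases came up and whether the client was detected as NATed before looking for the L2TP problem elsewhere.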