[Openswan Users] Problems with ipsec/l2tp connection

Eugenio Vescovi eugevesco at hotmail.com
Tue Sep 16 11:13:48 EDT 2008


Hi all,
I'm working on a thesis project, and I need to create a VPN road warrior connection for my University Department's LAN.
This is the configuration:
SERVER: Linux Debian 2.4.6 with Openswan 2.4 (netkey), l2tpd 0.69 and pppd 2.4.3, not NATted, public IP: 141.250.40.34 (attila.diei.unipg.it).
CLIENT: Linux Ubuntu, 2.6 with Openswan 2.4 (netkey), xl2tpd 1.1 and pppd 2.4.4, NATted, private IP 10.1.1.16, gateway 10.1.1.1.
I have to establish a VPN connection with the server machine and give the warriors VIRTUAL IP addresses within the pool 141.250.40.51 - 141.250.40.52.

I've been working on it for over a month, but without luck.
At the moment I can establish a tunnel between the two endpoints (this is what ipsec says), but the two can't ping each other.
Plus I can't start a proper l2tpd connection for virtual IP assignment.
Once the IPsec tunnel is up, I start the l2tpd server with #/etc/init.d/l2tpd start.
At this point I need to start the xl2tpd daemon on the client machine, but I can't, because I can't find the right command. Googling, I've found several ways that should do it:
1) #/etc/init.d/xl2tpd start
2) #/usr/sbin/xl2tpd -D
3) #echo "c <xl2tpd connection name>" > /var/run/xl2tpd/l2tp-control (if I want to use this command, I need to create the folder and the l2tp-control file first).
When I try to start up the xl2tpd connection, nothing happens. Even sniffing with tcpdump I can't see any packets (except the isakmp-nat-keep-alive packets between the two endpoints).
I can't really understand what I have to do.
Can you help me somehow?
Here are all the configuration files of CLIENT and SERVER.
============================================
ipsec.conf of the client
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
conn Prova
    left=141.250.40.34
    right=%defaultroute
    rightnexthop=10.1.1.1
    auto=start
    authby=secret
    leftprotoport=17/1701
    rightprotoport=17/1701

ipsec.conf of the server

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.1.0.0/16
    klipsdebug=none
    plutodebug=none
    
conn prova
    left=%defaultroute
    leftnexthop=141.250.40.30
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    leftprotoport=17/1701
    authby=secret
    type=tunnel
    auto=start
=================================================
xl2tpd.conf of the client

[global]
  port = 1701
  access control = no

[lac Eugenio_prova]
  lns = 141.250.40.34
  redial = yes
  require chap = yes
  refuse pap = yes
  name = warrior
  pppoptfile = /etc/ppp/options.l2tpd.lac

l2tpd.conf of the server

[global]
  port = 1701
  access control = no

[lns default]
  ip range = 141.250.40.51 - 141.250.40.52
  local ip = 141.250.40.56
  length bit = yes
  require chap = yes
  refuse pap = yes
  name = server_diei
  pppoptfile = /etc/ppp/options.l2tpd.lns
=====================================
options.xl2tpd.lac of the client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

options.l2tpd.lns of the server

ipcp-accept-remote
ipcp-accept-local
asyncmap 0
#auth
crtscts
lock
hide-password
modem
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
=========================================

chap-secret of the client

#client    server            secret            IP addresses
warrior    server_diei    "*********"        *

chap-secret of the server

# client    server         secret            IP addresses

warrior        *          "pppsecret"        141.250.40.51
*        server_diei    "pppsecret"        141.250.40.51

In order to skip the complicated configuration, I tried to use WinXP Service Pack 2 following Jacco's networking stuff on the web, but without luck.
Here's my auth.log file (client side):

Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: initiating Main Mode
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: ignoring unknown Vendor ID payload [4f456c4c4f5d5264574e5244]
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: received Vendor ID payload [Dead Peer Detection]
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: received Vendor ID payload [RFC 3947] method set to=109 
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: I did not send a certificate because I do not have one.
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: Main mode peer ID is ID_IPV4_ADDR: '141.250.40.34'
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9f7bc26c <0x4fa27949 xfrm=AES_0-HMAC_SHA1 NATD=141.250.40.34:4500 DPD=none}


When I try to start up xl2tpd, this is what happens:

xl2tpd[12809]: xl2tpd version xl2tpd-1.1.12 started on eugenio-laptop PID:12809
xl2tpd[12809]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[12809]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[12809]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[12809]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[12809]: Listening on IP address 0.0.0.0, port 1701
[ctrl+c]
xl2tpd[12809]: death_handler: Fatal signal 2 received

I really hope somebody can help me, because I've no idea where I'm going wrong.

Thank you all in advance.
Eugenio.
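The pluto lines quoted above already answer two questions that come up in every L2TP/IPsec troubleshooting session: did phase 1 and phase 2 complete, and was NAT detected (in which case ESP is UDP-encapsulated on port 4500, so a tcpdump filter on "esp" or on port 1701 shows nothing). The following Python script is an added example, not part of the original post or of the Openswan project; it parses pluto's "conn" #n messages from an auth.log, records SA state and the parameters pluto prints in braces, and emits plain-language findings. The log sample is taken from the lines quoted in the post; the ConnState fields and the findings wording are this example's own choices.

```python
"""Summarise Openswan (pluto) negotiation lines from auth.log.

Added example for this thread; assumes the pluto message format shown in the
quoted log:  ... pluto[PID]: "conn" #SA: message {key=value ...}
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample lines taken from the client-side auth.log quoted in the post.
SAMPLE_LOG = """\
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: initiating Main Mode
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 16 17:07:44 eugenio-laptop pluto[12568]: "Prova" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9f7bc26c <0x4fa27949 xfrm=AES_0-HMAC_SHA1 NATD=141.250.40.34:4500 DPD=none}
"""

# Matches the connection name, SA number and message body of a pluto line.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# The parameter block pluto appends in braces, e.g. {auth=... cipher=...}.
BRACES_RE = re.compile(r'\{(?P<body>[^}]*)\}')


@dataclass
class ConnState:
    """What the log tells us about one ipsec.conf connection."""
    isakmp_up: bool = False      # phase 1 (Main Mode) completed
    ipsec_up: bool = False       # phase 2 (Quick Mode) completed
    natted: bool = False         # pluto decided this end is behind NAT
    isakmp_params: Dict[str, str] = field(default_factory=dict)
    ipsec_params: Dict[str, str] = field(default_factory=dict)


def _parse_braces(msg: str) -> Dict[str, str]:
    """Turn '{auth=X cipher=Y ESP=>0xOUT <0xIN ...}' into a dict."""
    m = BRACES_RE.search(msg)
    if not m:
        return {}
    params: Dict[str, str] = {}
    for tok in m.group('body').split():
        if tok.startswith('<'):            # inbound ESP SPI is printed as '<0x...'
            params['esp_in'] = tok[1:]
            continue
        key, _, val = tok.partition('=')
        if key == 'ESP':                   # outbound ESP SPI is printed as 'ESP=>0x...'
            key, val = 'esp_out', val.lstrip('>')
        params[key] = val
    return params


def summarise(log_text: str) -> Dict[str, ConnState]:
    """Build a ConnState per connection name from raw auth.log text."""
    conns: Dict[str, ConnState] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:                          # not a per-connection pluto line
            continue
        st = conns.setdefault(m.group('conn'), ConnState())
        msg = m.group('msg')
        if 'ISAKMP SA established' in msg:
            st.isakmp_up = True
            st.isakmp_params = _parse_braces(msg)
        elif 'IPsec SA established' in msg:
            st.ipsec_up = True
            st.ipsec_params = _parse_braces(msg)
        elif 'NAT-Traversal: Result' in msg and 'i am NATed' in msg:
            st.natted = True
    return conns


def findings(conn: str, st: ConnState) -> List[str]:
    """Plain-language conclusions a troubleshooter would draw from the state."""
    out: List[str] = []
    if not st.isakmp_up:
        out.append(f'{conn}: no ISAKMP SA; phase 1 (Main Mode) never completed')
        return out
    if not st.ipsec_up:
        out.append(f'{conn}: phase 1 up but no IPsec SA; check protoport/subnet proposals on both ends')
        return out
    out.append(f'{conn}: IPsec SA up, ESP out SPI {st.ipsec_params.get("esp_out")} '
               f'in SPI {st.ipsec_params.get("esp_in")}')
    if st.natted:
        natd = st.ipsec_params.get('NATD', '?')
        out.append(f'{conn}: this end is behind NAT; ESP is UDP-encapsulated to {natd}, '
                   'so capture with "udp port 4500" rather than "esp" or "port 1701"')
    if st.ipsec_params.get('DPD') == 'none':
        out.append(f'{conn}: DPD disabled; a dead tunnel will not be torn down automatically')
    return out


if __name__ == '__main__':
    for name, state in summarise(SAMPLE_LOG).items():
        for line in findings(name, state):
            print(line)
```

Run against the quoted log it reports the tunnel as fully established with the client behind NAT. Two consequences follow for the symptoms in the post: with leftprotoport/rightprotoport=17/1701 the SA only protects UDP/1701, so a plain ping between the endpoints is not carried inside the tunnel at all, and any L2TP packets xl2tpd does send will appear on the wire as UDP/4500, not as port 1701 or as raw ESP.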
