[Openswan Users] Xl2tpd - Openswan possible routing issue

Janantha Marasinghe janantha at techcert.lk
Wed Sep 17 23:51:59 EDT 2008


My setup is as follows:

vpn client ------------------- vpn server -------private net
VPN client is Windows XP SP3.
VPN server is Fedora Core 4, kernel version 2.6.1.1-1.1369, xl2tpd
version 1.1.12, Openswan version 2.4.4.
I don't have a NAT.
eth0 is my public interface and eth1 is my private interface.
Attaching the ipsec.conf.

The problem is that when I try to connect it says connecting for a long
period and just times out! I'm pasting the secure log and the messages
log below.

Following is the dump from the secure log

Sep 18 08:36:56 vpnserv1 ipsec__plutorun: Starting Pluto subsystem...
Sep 18 08:36:56 vpnserv1 pluto[23435]: Starting Pluto (Openswan Version 
2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID 
OEz}FFFfgr_e)
Sep 18 08:36:56 vpnserv1 pluto[23435]: Setting NAT-Traversal port-4500 
floating to off
Sep 18 08:36:56 vpnserv1 pluto[23435]:    port floating activation 
criteria nat_t=0/port_fload=1
Sep 18 08:36:56 vpnserv1 pluto[23435]:   including NAT-Traversal patch 
(Version 0.6c) [disabled]
Sep 18 08:36:56 vpnserv1 pluto[23435]: ike_alg_register_enc(): 
Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 18 08:36:56 vpnserv1 pluto[23435]: starting up 1 cryptographic helpers
Sep 18 08:36:56 vpnserv1 pluto[23435]: started helper pid=23440 (fd:6)
Sep 18 08:36:56 vpnserv1 pluto[23435]: Using Linux 2.6 IPsec interface 
code on 2.6.11-1.1369_FC4
Sep 18 08:36:57 vpnserv1 pluto[23435]: Could not change to directory 
'/etc/ipsec.d/cacerts'
Sep 18 08:36:57 vpnserv1 pluto[23435]: Could not change to directory 
'/etc/ipsec.d/aacerts'
Sep 18 08:36:57 vpnserv1 pluto[23435]: Could not change to directory 
'/etc/ipsec.d/ocspcerts'
Sep 18 08:36:57 vpnserv1 pluto[23435]: Could not change to directory 
'/etc/ipsec.d/crls'
Sep 18 08:36:57 vpnserv1 pluto[23435]: added connection description 
"L2TP-PSK"
Sep 18 08:36:57 vpnserv1 pluto[23435]: listening for IKE messages
Sep 18 08:36:57 vpnserv1 pluto[23435]: adding interface eth1/eth1 
10.8.109.65:500
Sep 18 08:36:57 vpnserv1 pluto[23435]: adding interface eth0/eth0 
vpn-public-ip:500
Sep 18 08:36:57 vpnserv1 pluto[23435]: adding interface lo/lo 127.0.0.1:500
Sep 18 08:36:57 vpnserv1 pluto[23435]: adding interface lo/lo ::1:500
Sep 18 08:36:57 vpnserv1 pluto[23435]: loading secrets from 
"/etc/ipsec.secrets"
Sep 18 09:07:40 vpnserv1 pluto[23435]: packet from 
vpn-client-public-ip:500: ignoring Vendor ID payload [MS NT5 
ISAKMPOAKLEY 00000004]
Sep 18 09:07:40 vpnserv1 pluto[23435]: packet from 
vpn-client-public-ip:500: ignoring Vendor ID payload [FRAGMENTATION]
Sep 18 09:07:40 vpnserv1 pluto[23435]: packet from 
vpn-client-public-ip:500: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Sep 18 09:07:40 vpnserv1 pluto[23435]: packet from 
vpn-client-public-ip:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Sep 18 09:07:40 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: responding to Main Mode from unknown peer 
vpn-client-public-ip
Sep 18 09:07:40 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: transition from state STATE_MAIN_R0 to state 
STATE_MAIN_R1
Sep 18 09:07:40 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: transition from state STATE_MAIN_R1 to state 
STATE_MAIN_R2
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: Main mode peer ID is ID_IPV4_ADDR: 
'vpn-client-public-ip'
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: I did not send a certificate because I do not 
have one.
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: transition from state STATE_MAIN_R2 to state 
STATE_MAIN_R3
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp2048}
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #2: responding to Quick Mode {msgid:906bc9b5}
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #2: transition from state STATE_QUICK_R0 to state 
STATE_QUICK_R1
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA 
installed, expecting QI2
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #2: transition from state STATE_QUICK_R1 to state 
STATE_QUICK_R2
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #2: STATE_QUICK_R2: IPsec SA established 
{ESP=>0x8832df54 <0xbf845b89 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Sep 18 09:08:11 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: received Delete SA(0x8832df54) payload: 
deleting IPSEC State #2
Sep 18 09:08:11 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: received and ignored informational message
Sep 18 09:08:11 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip #1: received Delete SA payload: deleting ISAKMP 
State #1
Sep 18 09:08:11 vpnserv1 pluto[23435]: "L2TP-PSK"[1] 
vpn-client-public-ip: deleting connection "L2TP-PSK" instance with peer 
vpn-client-public-ip {isakmp=#0/ipsec=#0}
Sep 18 09:08:11 vpnserv1 pluto[23435]: packet from 
vpn-client-public-ip:500: received and ignored informational message
Sep 18 09:08:14 vpnserv1 pluto[23435]: ERROR: asynchronous network error 
report on eth0 (sport=500) for message to vpn-client-public-ip port 500, 
complainant vpn-public-ip: No route to host [errno 113, origin ICMP type 
3 code 1 (not authenticated)]

Messages log dump

Sep 18 08:36:56 vpnserv1 ipsec_setup: KLIPS ipsec0 on eth0 
vpn-server-public-ip/255.255.255.224 broadcast broadcast-ip
Sep 18 08:36:56 vpnserv1 ipsec_setup: ...Openswan IPsec started
Sep 18 08:38:28 vpnserv1 xl2tpd[2255]: death_handler: Fatal signal 15 
received
Sep 18 08:38:28 vpnserv1 xl2tpd[23525]: setsockopt recvref: Protocol not 
available
Sep 18 08:38:28 vpnserv1 xl2tpd[23525]: This binary does not support 
kernel L2TP.
Sep 18 08:38:28 vpnserv1 xl2tpd[23526]: xl2tpd version xl2tpd-1.1.12 
started on vpnserv1.myserver.domain PID:23526
Sep 18 08:38:28 vpnserv1 xl2tpd[23526]: Written by Mark Spencer, 
Copyright (C) 1998, Adtran, Inc.
Sep 18 08:38:28 vpnserv1 xl2tpd[23526]: Forked by Scott Balmos and David 
Stipp, (C) 2001
Sep 18 08:38:28 vpnserv1 xl2tpd[23526]: Inherited by Jeff McAdams, (C) 2002
Sep 18 08:38:28 vpnserv1 xl2tpd[23526]: Forked again by Xelerance 
(www.xelerance.com) (C) 2006
Sep 18 08:38:28 vpnserv1 xl2tpd[23526]: Listening on IP address 0.0.0.0, 
port 1701
Sep 18 09:07:48 vpnserv1 xl2tpd[23526]: Maximum retries exceeded for 
tunnel 7508.  Closing.
Sep 18 09:07:48 vpnserv1 xl2tpd[23526]: Connection 1 closed to 
vpn-client-pub-ip, port 1701 (Timeout)
Sep 18 09:08:03 vpnserv1 xl2tpd[23526]: Maximum retries exceeded for 
tunnel 17567.  Closing.
Sep 18 09:08:03 vpnserv1 xl2tpd[23526]: Connection 1 closed to 
vpn-client-pub-ip, port 1701 (Timeout)



-- 
-----------------------------------------------------
Best Regards
Janantha

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf.bk
Url: http://lists.openswan.org/pipermail/users/attachments/20080918/d788b59a/attachment.pl 
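A small triage helper for log output of this shape, added here as an example (not code from the poster, Openswan or xl2tpd): it scans pluto and xl2tpd lines for the phase markers visible above and reports which layer stalled, so that an "IPsec SA established" followed by xl2tpd "(Timeout)" is read as an L2TP transport/routing problem rather than an IKE or PSK problem. The sample lines are constructed, abbreviated from the logs quoted in the post; the marker regexes and verdict names are my own.

```python
import re

# Constructed sample: lines abbreviated from the pluto (secure log) and xl2tpd
# (messages log) excerpts in the post; host names and IPs are placeholders.
SAMPLE_LOG = """\
Sep 18 08:36:56 vpnserv1 pluto[23435]: Setting NAT-Traversal port-4500 floating to off
Sep 18 09:07:40 vpnserv1 pluto[23435]: packet from vpn-client-public-ip:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] vpn-client-public-ip #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
Sep 18 09:07:41 vpnserv1 pluto[23435]: "L2TP-PSK"[1] vpn-client-public-ip #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x8832df54 <0xbf845b89}
Sep 18 09:07:48 vpnserv1 xl2tpd[23526]: Maximum retries exceeded for tunnel 7508.  Closing.
Sep 18 09:07:48 vpnserv1 xl2tpd[23526]: Connection 1 closed to vpn-client-pub-ip, port 1701 (Timeout)
Sep 18 09:08:11 vpnserv1 pluto[23435]: "L2TP-PSK"[1] vpn-client-public-ip #1: received Delete SA(0x8832df54) payload: deleting IPSEC State #2
Sep 18 09:08:14 vpnserv1 pluto[23435]: ERROR: asynchronous network error report on eth0 (sport=500) for message to vpn-client-public-ip port 500, complainant vpn-public-ip: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

# Each phase of an L2TP/IPsec session leaves a distinct marker; which markers are
# present tells us how far the client got before the connection stalled.
MARKERS = {
    "isakmp_up": re.compile(r"pluto\[\d+\]: .*ISAKMP SA established"),
    "ipsec_up": re.compile(r"pluto\[\d+\]: .*IPsec SA established"),
    "l2tp_timeout": re.compile(r"xl2tpd\[\d+\]: .*(Maximum retries exceeded|\(Timeout\))"),
    "icmp_unreach": re.compile(r"pluto\[\d+\]: ERROR: .*ICMP type 3"),
    "natt_mismatch": re.compile(r"\[draft-ietf-ipsec-nat-t.*but port floating is off"),
}

def scan(log_text):
    """Return the set of marker names that occur anywhere in the log."""
    seen = set()
    for line in log_text.splitlines():
        seen.update(name for name, rx in MARKERS.items() if rx.search(line))
    return seen

def triage(log_text):
    """Return (verdict, notes): the layer that failed plus secondary observations."""
    seen = scan(log_text)
    notes = []
    if "natt_mismatch" in seen:
        notes.append("peer offered NAT-T but nat_traversal is off; only matters if a NAT is in the path")
    if "icmp_unreach" in seen:
        notes.append("ICMP unreachable reported for IKE traffic to the peer after teardown")
    if "ipsec_up" not in seen:
        # Never got past IKE: look at PSK, proposals and peer IDs, not at L2TP.
        return "ike_or_ipsec_failed", notes
    if "l2tp_timeout" in seen:
        # ESP came up but xl2tpd got no reply on UDP 1701: the L2TP packets are
        # not traversing the tunnel, so the IKE/PSK layer is not the suspect.
        return "l2tp_transport_failed", notes
    return "ok", notes
```

Run `triage(open("/var/log/secure").read() + open("/var/log/messages").read())` to apply the same check to a live pair of logs.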