[Openswan Users] L2TP / IPSEC shows problem while connecting from Windows XP(Maximum retries exceeded for tunnel 40334. Closing)!!!!
Shiva Raman
raman.shivag at gmail.com
Tue Sep 23 00:51:18 EDT 2008
Dear all,
I am trying to set up an L2TP/IPsec VPN server with Linux as the server and
Windows as the clients.
I am facing a problem in which the clients are not able to connect to the
openswan server. I tried
with different configurations and also referred to postings in the
openswan list, but I was not able to fix the problem. Let me
explain the details of my installation.
I am using the following versions of the OS, openswan and l2tpd.
OS Version
-----------------
Centos 5.2 (64 bit ) as L2TP/IPSEC server
Windows xp sp2 as L2TP/IPSEC client
openswan version
----------------------------
openswan-2.6.12-2.el5
l2tpd version
-----------------
l2tpd-0.69-0.2.20051030.fc4.x86_64.rpm
Kernel version of Centos 5.2 - > 2.6.18-92.el5
Following are the configuration files
Configuration of ipsec.conf
----------------------------------------
version 2.0
config setup
        interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=none
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.10.0/24
conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
conn roadwarrior
        pfs=no
        left=219.64.78.98
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        auto=add
Configuration of ipsec.secrets
--------------------------------------------
: PSK "theconnectionissecure"
Configuration of l2tpd.conf
------------------------------------------
[global]
; listen-addr = 192.168.1.98
[lns default]
ip range = 192.168.10.138-192.168.10.254
local ip = 224.64.77.97
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
Configuration of options.l2tpd
------------------------------------------
ipcp-accept-local
ipcp-accept-remote
#ms-dns 192.168.10.1
#ms-wins 192.168.10.1
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
nologfd
#check this noccp
------------------------------------------------------------------------------
Following is the output of the log messages
tail -f /var/log/secure
------------------------------------
Sep 22 19:03:00 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 22 19:03:00 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 22 19:03:00 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 22 19:03:00 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #1: discarding duplicate packet; already STATE_MAIN_R2
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #1: Main mode peer ID is ID_FQDN: '@FAMILY'
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #1: switched from "roadwarrior" to "roadwarrior"
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #2: new NAT mapping for #2, was 211.77.124.191:500, now 211.77.124.191:4500
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: new NAT mapping for #1, was 211.77.124.191:500, now 211.77.124.191:4500
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: peer client type is FQDN
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: Applying workaround for MS-818043 NAT-T bug
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: IDci was FQDN: \333 at Nb, using NAT_OA=192.168.10.125/32 as IDci
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: the peer proposed: 219.64.78.98/32:17/0 -> 192.168.10.125/32:17/1701
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #3: responding to Quick Mode {msgid:9e3dce79}
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9504a6c5 <0x7e0a887f xfrm=3DES_0-HMAC_MD5 NATOA=192.168.10.125 NATD=211.77.124.191:4500 DPD=none}
tail -f /var/log/message
-----------------------------------
Sep 22 19:03:10 localhost l2tpd[10033]: Maximum retries exceeded for tunnel 40334. Closing.
Sep 22 19:03:10 localhost l2tpd[10033]: Connection 94 closed to 211.77.124.191, port 1701
Kindly guide me on how to resolve this issue.
Regards
Shiva Raman
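The trace in the post shows IKE Phase 1 and Phase 2 completing and, eight seconds later, l2tpd giving up on its tunnel, so the failure sits in the L2TP layer rather than in IPsec. As an added example (not part of the original post and not Openswan or l2tpd code), the following Python script parses pluto and l2tpd syslog lines, reports the layer at which each peer's attempt stopped and how long after the IPsec SA the L2TP tunnel was closed, and lints the [lns] section of l2tpd.conf for address mistakes that produce this same symptom, such as a local ip outside the unicast range (the posted config's 224.64.77.97 falls in the 224.0.0.0/4 multicast block). The sample log lines and config are copied from the post; the year is assumed from the post date.

```python
"""Triage helper for an Openswan + l2tpd road-warrior setup (added example).

Parses pluto (IKE/IPsec) and l2tpd syslog lines, tracks per-peer progress,
and reports whether an attempt died in IPsec or in L2TP.  Also lints the
[lns] section of l2tpd.conf for address problems.
"""
import ipaddress
import re
from datetime import datetime

# Log lines copied from the post (syslog carries no year; 2008 is assumed
# from the post date and only matters for time deltas).
SAMPLE_LOG = """\
Sep 22 19:03:00 localhost pluto[10196]: "roadwarrior"[1] 211.77.124.191 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 22 19:03:01 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #1: the peer proposed: 219.64.78.98/32:17/0 -> 192.168.10.125/32:17/1701
Sep 22 19:03:02 localhost pluto[10196]: "roadwarrior"[2] 211.77.124.191 #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9504a6c5 <0x7e0a887f xfrm=3DES_0-HMAC_MD5 NATOA=192.168.10.125 NATD=211.77.124.191:4500 DPD=none}
Sep 22 19:03:10 localhost l2tpd[10033]: Maximum retries exceeded for tunnel 40334. Closing.
Sep 22 19:03:10 localhost l2tpd[10033]: Connection 94 closed to 211.77.124.191, port 1701
"""

# [lns default] section copied from the post's l2tpd.conf.
SAMPLE_L2TPD_CONF = """\
[global]
; listen-addr = 192.168.1.98
[lns default]
ip range = 192.168.10.138-192.168.10.254
local ip = 224.64.77.97
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
PLUTO = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<text>.*)$')
L2TP_CLOSE = re.compile(r"Maximum retries exceeded for tunnel (?P<tid>\d+)")
L2TP_CONN = re.compile(r"Connection \d+ closed to (?P<peer>[\d.]+), port 1701")


def parse_ts(text, year=2008):
    """Syslog timestamp -> datetime (year assumed, see above)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def _new_rec():
    return {"nated": False, "phase1": None, "phase2": None, "l2tp": None}


def triage(log_text):
    """Return {peer_ip: record} with Phase 1/2 times and any L2TP tunnel close."""
    peers = {}
    pending_tunnel = None  # (tunnel id, time) awaiting its "Connection closed" line
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "pluto":
            p = PLUTO.match(msg)
            if not p:
                continue
            rec = peers.setdefault(p["peer"], _new_rec())
            if "peer is NATed" in p["text"]:
                rec["nated"] = True
            elif "ISAKMP SA established" in p["text"]:
                rec["phase1"] = ts
            elif "IPsec SA established" in p["text"]:
                rec["phase2"] = ts
        elif prog == "l2tpd":
            c = L2TP_CLOSE.search(msg)
            if c:
                pending_tunnel = (int(c["tid"]), ts)
                continue
            k = L2TP_CONN.search(msg)
            if k and pending_tunnel:
                rec = peers.setdefault(k["peer"], _new_rec())
                rec["l2tp"] = {"tunnel": pending_tunnel[0], "closed_at": pending_tunnel[1]}
                pending_tunnel = None
    return peers


def verdict(rec):
    """('ipsec', None) if no IPsec SA; ('l2tp', secs after SA) if l2tpd gave up; else ('ok', None)."""
    if rec["phase2"] is None:
        return ("ipsec", None)
    if rec["l2tp"] is None:
        return ("ok", None)
    return ("l2tp", int((rec["l2tp"]["closed_at"] - rec["phase2"]).total_seconds()))


def lint_lns(conf_text):
    """Flag address mistakes in an l2tpd.conf [lns ...] section; returns a list of findings."""
    opts, section, findings = {}, None, []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            section = line
        elif section and section.startswith("[lns") and "=" in line:
            key, val = (x.strip() for x in line.split("=", 1))
            opts[key] = val
    local = ipaddress.ip_address(opts["local ip"]) if "local ip" in opts else None
    if local is not None and (local.is_multicast or local.is_reserved or local.is_unspecified):
        findings.append(f"local ip {local} is not a unicast address")
    if "ip range" in opts and "-" in opts["ip range"]:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in opts["ip range"].split("-", 1))
        if lo > hi:
            findings.append(f"ip range {lo}-{hi} is reversed")
        elif local is not None and lo <= local <= hi:
            findings.append(f"local ip {local} lies inside the client ip range")
    return findings


if __name__ == "__main__":
    for peer, rec in triage(SAMPLE_LOG).items():
        print(peer, "NATed" if rec["nated"] else "direct", verdict(rec))
    for finding in lint_lns(SAMPLE_L2TPD_CONF):
        print("l2tpd.conf:", finding)
```

Run it as-is to see the posted trace classified as an L2TP-layer failure 8 seconds after the IPsec SA came up, together with the lint finding on `local ip`; point `triage()` at your own `/var/log/secure` and `/var/log/messages` contents to classify other attempts the same way.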