[Openswan Users] cannot connect xp to openswan (newbie question)

gerard rakoczy gerapcik at gmail.com
Sat Aug 1 15:50:09 EDT 2009


Hi,
I know that this is 99% a misconfiguration problem, and I tried to manage it
myself. I didn't want to ask because I realize that it is some plain solution,
but I am not able to resolve it.
Whenever I try to connect from Win XP, I get a 678 error.
It is a roadwarrior that has to connect to an Openswan server behind a firewall.
I have Openswan 2.6.22, xl2tpd-1.2.4, CentOS 5, kernel 2.6.18.

Thanks again for any help!

Here are my logs and configuration files:


--------------------/var/log/secure
Aug  1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
responding to Main Mode from unknown peer 89.243.161.215
Aug  1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
STATE_MAIN_R1: sent MR1, expecting MI2
Aug  1 21:23:09 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug  1 21:23:09 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  1 21:23:09 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
STATE_MAIN_R2: sent MR2, expecting MI3
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
Main mode peer ID is ID_FQDN: '@gerard'
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
new NAT mapping for #204, was 89.243.161.215:500, now 89.243.161.215:4500
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
peer client type is FQDN
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
Applying workaround for MS-818043 NAT-T bug
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
IDci was FQDN: Q\250\313\005, using NAT_OA=192.168.0.2/32 as IDci
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
the peer proposed: 81.168.203.5/32:17/1701 -> 192.168.0.2/32:17/0
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #192:
received Delete SA payload: deleting ISAKMP State #192
Aug  1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:4500:
received and ignored informational message
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205:
responding to Quick Mode proposal {msgid:a1fec9cb}
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215
#205:     us: 192.168.1.126<192.168.1.126>[+S=C]:17/1701---192.168.1.99
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205:
them: 89.243.161.215[@gerard,+S=C]:17/0===192.168.0.2/32
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205:
keeping refhim=4294901761 during rekey
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe2349f07
<0x2e830221 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.2
NATD=89.243.161.215:4500DPD=none}
Aug  1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug  1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: ignoring
Vendor ID payload [FRAGMENTATION]
Aug  1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug  1 21:23:10 portal pluto[8145]: packet from 89.243.161.215:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
responding to Main Mode from unknown peer 89.243.161.215
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
STATE_MAIN_R1: sent MR1, expecting MI2
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
STATE_MAIN_R2: sent MR2, expecting MI3
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
received Delete SA(0xe2349f07) payload: deleting IPSEC State #205
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #202:
received Delete SA(0xdeb96beb) payload: deleting IPSEC State #203
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #202:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #200:
received Delete SA(0x675df714) payload: deleting IPSEC State #201
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #200:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #198:
received Delete SA(0x5f2a52d7) payload: deleting IPSEC State #199
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #198:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #196:
received Delete SA(0x43995075) payload: deleting IPSEC State #197
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #196:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #194:
received Delete SA(0xaf4afd63) payload: deleting IPSEC State #195
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #194:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x9f1d4f45
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x0cfdfe3d
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x908e64f7
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0xea804dbc
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0xbb82ccdc
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x06be4a52
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0xae70b9d7
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0xeb8d2a0e
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x3d8c118c
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0xa9ad6d8c
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x6467e715
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x7f941a82
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x03e01815
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x7a429c6b
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0x9d5a6331
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
Main mode peer ID is ID_FQDN: '@gerard'
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
new NAT mapping for #206, was 89.243.161.215:500, now 89.243.161.215:4500
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
byte 2 of ISAKMP Hash Payload must be zero, but is not
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
malformed payload in packet
Aug  1 21:23:11 portal pluto[8145]: | payload malformed after IV
Aug  1 21:23:11 portal pluto[8145]: |   96 98 74 d4  ec cd e0 cb
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206:
sending notification PAYLOAD_MALFORMED to 89.243.161.215:4500
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204:
received Delete SA payload: deleting ISAKMP State #204
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #202:
received Delete SA payload: deleting ISAKMP State #202
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #200:
received Delete SA payload: deleting ISAKMP State #200
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #198:
received Delete SA payload: deleting ISAKMP State #198
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #196:
received Delete SA payload: deleting ISAKMP State #196
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
received and ignored informational message
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #194:
received Delete SA payload: deleting ISAKMP State #194
Aug  1 21:23:11 portal pluto[8145]: packet from 89.243.161.215:4500:
received and ignored informational message

--------------/etc/ipsec.conf
version 2.0

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
        oe=off
        protostack=netkey
        interfaces=%defaultroute

conn roadwarrior
        keyingtries=3
        rekey=no
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=590m
        keylife=50m
        pfs=no
        left=192.168.1.126
        leftnexthop=192.168.1.99
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/0
        rightsubnet=vhost:%no,%priv
        auto=add


-------------------/etc/ipsec.secrets
192.168.1.126   %any    :       PSK "reallyreallylongpassword"

------------------- /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.99
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent

-------------------/etc/ppp/chap-secrets
user1  *       "password"     192.168.1.128/25
*       user1  "password"     192.168.1.128/25

-------------------/etc/xl2tpd/xl2tpd.conf
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.126
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

----------------/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2812 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
#vpn
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

-------------------/etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456
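As an added example (not from the poster or from Openswan), a small triage script that walks pluto log lines like the ones above, follows each numbered state object through establishment and deletion, and lists the states that logged a protocol error; the sample lines are a constructed excerpt of the log in this post with the mailing-list line wrapping removed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines in the post (email wrapping removed).
SAMPLE_LOG = """\
Aug  1 21:23:08 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: responding to Main Mode from unknown peer 89.243.161.215
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug  1 21:23:10 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #205: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe2349f07 <0x2e830221 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.2 NATD=89.243.161.215:4500DPD=none}
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: received Delete SA(0xe2349f07) payload: deleting IPSEC State #205
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: byte 2 of ISAKMP Hash Payload must be zero, but is not
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #206: sending notification PAYLOAD_MALFORMED to 89.243.161.215:4500
Aug  1 21:23:11 portal pluto[8145]: "roadwarrior"[2] 89.243.161.215 #204: received Delete SA payload: deleting ISAKMP State #204
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<st>\d+): (?P<msg>.*)')
DELETE_RE = re.compile(r"deleting (?:ISAKMP|IPSEC) State #(?P<target>\d+)")
ERROR_MARKERS = ("malformed", "PAYLOAD_MALFORMED", "must be zero")

def summarize(log_text):
    """Return {state_number: {...}} describing the life of each pluto state object."""
    states = defaultdict(lambda: {"kind": None, "established": False, "deleted": False, "errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a state number (vendor IDs, informational noise)
        st, msg = m.group("st"), m.group("msg")
        rec = states[st]
        if "ISAKMP SA established" in msg:
            rec["kind"], rec["established"] = "ISAKMP", True
        elif "IPsec SA established" in msg:
            rec["kind"], rec["established"] = "IPsec", True
        if any(marker in msg for marker in ERROR_MARKERS):
            rec["errors"].append(msg)
        d = DELETE_RE.search(msg)
        if d:
            states[d.group("target")]["deleted"] = True  # a Delete names its target, not the context state
    return dict(states)

def failed_states(log_text):
    """State numbers that logged a protocol error; the first thing to look at when triaging."""
    return sorted(st for st, rec in summarize(log_text).items() if rec["errors"])

if __name__ == "__main__":
    for st, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(f"#{st}: kind={rec['kind']} established={rec['established']} deleted={rec['deleted']} errors={len(rec['errors'])}")
```

Run against the full /var/log/secure excerpt it shows that #204 and #205 came up and were torn down by the client, while #206 established the ISAKMP SA and then hit PAYLOAD_MALFORMED without ever reaching Quick Mode.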