[Openswan Users] After upgrade to OpenSwan 2.6.22, VPN behind NAT stops working... with a valid IP it's OK!
Eduardo Coelho
eduardo at lettel.com.br
Mon Aug 3 18:10:25 EDT 2009
Hello,
After upgrading Openswan on Ubuntu, VPN behind NAT stopped working... with a
valid IP it's OK!
root at slitaz:~# uname -a
Linux slitaz 2.6.27-14-server #1 SMP Tue Jun 30 20:53:11 UTC 2009 i686 GNU/Linux
Original version (using apt-get):
-rw-r--r-- 1 root root   62874 2008-06-27 09:04 xl2tpd_1.2.0+dfsg-1ubuntu1_i386.deb
-rw-r--r-- 1 root root 1674322 2008-10-08 12:05 openswan_1%3a2.4.12+dfsg-1.3_i386.deb
-rw-r--r-- 1 root root   97706 2009-06-09 15:04 ipsec-tools_1%3a0.7-2.1ubuntu1.8.10.1_i386.deb
New version:
root at slitaz:/usr/src# ls -ltr
-rw-r--r-- 1 root src 541039 2009-03-08 20:27 xl2tpd-1.2.4.tar.gz
-rw-r--r-- 1 root src 8152865 2009-06-22 23:55 openswan-2.6.22.tar.gz
root at slitaz:~# ipsec --version
Linux Openswan U2.6.22/K2.6.27-14-server (netkey)
See `ipsec --copyright' for copyright information.
Strange behaviours noted:
- It gets stuck in the terminal, but after CTRL+C it's OK
root at slitaz:/etc# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.22/K2.6.27-14-server...
- Weird NAT/OAKLEY messages in /var/log/messages
Aug 3 18:40:40 slitaz ipsec__plutorun: Starting Pluto subsystem...
Aug 3 18:40:40 slitaz pluto[17457]: Starting Pluto (Openswan Version 2.6.22; Vendor ID OElj@]rTMBuM) pid:17457
Aug 3 18:40:40 slitaz pluto[17457]: Setting NAT-Traversal port-4500 floating to on
Aug 3 18:40:40 slitaz pluto[17457]: port floating activation criteria nat_t=1/port_float=1
Aug 3 18:40:40 slitaz pluto[17457]: including NAT-Traversal patch (Version 0.6c)
Aug 3 18:40:40 slitaz pluto[17457]: using /dev/urandom as source of random entropy
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: starting up 1 cryptographic helpers
Aug 3 18:40:40 slitaz pluto[17458]: using /dev/urandom as source of random entropy
Aug 3 18:40:40 slitaz pluto[17457]: started helper pid=17458 (fd:7)
Aug 3 18:40:40 slitaz pluto[17457]: Using Linux 2.6 IPsec interface code on 2.6.27-14-server (experimental code)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_add(): ERROR: Algorithm already exists
Aug 3 18:40:40 slitaz pluto[17457]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 3 18:40:40 slitaz pluto[17457]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 3 18:40:40 slitaz pluto[17457]: loaded CA cert file 'demoCA' (0 bytes)
Aug 3 18:40:40 slitaz pluto[17457]: file coded in unknown format, discarded
Aug 3 18:40:40 slitaz pluto[17457]: discarded CA cert file 'crl.pem', bad size 0 bytes
Aug 3 18:40:40 slitaz pluto[17457]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug 3 18:40:40 slitaz pluto[17457]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug 3 18:40:40 slitaz pluto[17457]: Changing to directory '/etc/ipsec.d/crls'
Aug 3 18:40:40 slitaz pluto[17457]: Warning: empty directory
Aug 3 18:40:40 slitaz pluto[17457]: added connection description "L2TP-PSK"
Aug 3 18:40:40 slitaz pluto[17457]: listening for IKE messages
Aug 3 18:40:40 slitaz pluto[17457]: NAT-Traversal: Trying new style NAT-T
Aug 3 18:40:40 slitaz pluto[17457]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Aug 3 18:40:40 slitaz pluto[17457]: NAT-Traversal: Trying old style NAT-T
- And lastly, the errors from xl2tpd (the same errors occur with the old
and new packages)
root at slitaz:/etc# xl2tpd -D
xl2tpd[17539]: setsockopt recvref[22]: Protocol not available
xl2tpd[17539]: L2TP kernel support not detected.
xl2tpd[17539]: xl2tpd version xl2tpd-1.2.4 started on slitaz. PID:17539
xl2tpd[17539]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[17539]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[17539]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[17539]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[17539]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[17539]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[17539]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[17539]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[17539]: Maximum retries exceeded for tunnel 41505. Closing.
Below is my working config used on my Debian and Ubuntu boxes:
debian:/etc/ppp# cat options.xl2tpd
require-mschap-v2
ms-dns 192.168.2.254
ms-dns 200.20.0.18
ms-wins 192.168.2.254
asyncmap 0
auth
#noauth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
debian:/etc/xl2tpd# cat xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 155.132.0.10-155.132.0.20
local ip = 155.132.0.203
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
debian:/etc# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        # NAT-T: accept IKE/ESP-in-UDP on port 4500 and detect NATed peers
        nat_traversal=yes
        nhelpers=0
        protostack=netkey

include /etc/ipsec.d/examples/no_oe.conf

conn L2TP-PSK
        authby=secret
        # Windows L2TP clients do not propose PFS in Quick Mode
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        # L2TP runs inside a transport-mode SA restricted to UDP/1701
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        # %priv lets a NATed client propose its private (RFC 1918) address as its "subnet"
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
debian:/etc# cat ipsec.secrets
: RSA /etc/ipsec.d/private/debianKey.pem
: PSK "PASSWORD"
debian:/etc/ppp# cat chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
user l2tpd password "155.132.0.10"
l2tpd user password "155.132.0.10"
Of course Debian keeps running OK behind NAT....
debian:/etc/ppp# ipsec --version
Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)
See `ipsec --copyright' for copyright information.
-rw-r--r-- 1 root root   60866 2008-03-31 18:47 xl2tpd_1.2.0+dfsg-1_i386.deb
-rw-r--r-- 1 root root 1730858 2009-03-30 20:47 openswan_1%3a2.4.12+dfsg-1.3+lenny1_i386.deb
-rw-r--r-- 1 root root   99098 2009-05-20 12:48 ipsec-tools_1%3a0.7.1-1.3+lenny2_i386.deb
debian:/var/log# tail -f /var/log/daemon.log
Aug 3 18:25:32 debian ipsec_setup: ...Openswan IPsec stopped
Aug 3 18:25:32 debian ipsec_setup: Stopping Openswan IPsec...
Aug 3 18:25:33 debian ipsec_setup: NETKEY on eth1 201.24.73.ZZZ/255.255.255.248 broadcast 201.24.73.BBB
Aug 3 18:25:33 debian ipsec_setup: ...Openswan IPsec started
Aug 3 18:25:33 debian ipsec_setup: Starting Openswan IPsec 2.4.12...
debian:/etc/ppp# xl2tpd -D
xl2tpd[3361]: Enabling IPsec SAref processing for L2TP transport mode SAs
xl2tpd[3361]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[3361]: setsockopt recvref: Protocol not available
xl2tpd[3361]: L2TP kernel support not detected.
xl2tpd[3361]: xl2tpd version xl2tpd-1.2.0 started on debian PID:3361
xl2tpd[3361]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[3361]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[3361]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[3361]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[3361]: Listening on IP address 201.24.73.ZZZ, port 1701
xl2tpd[3361]: control_finish: Peer requested tunnel 5 twice, ignoring second one.
xl2tpd[3361]: Connection established to 201.24.73.XXX, 1701. Local: 55369, Remote: 5 (ref=0/0). LNS session is 'default'
xl2tpd[3361]: check_control: Received out of order control packet on tunnel 5 (got 4, expected 3)
xl2tpd[3361]: handle_packet: bad control packet!
xl2tpd[3361]: start_pppd: I'm running:
xl2tpd[3361]: "/usr/sbin/pppd"
xl2tpd[3361]: "passive"
xl2tpd[3361]: "-detach"
xl2tpd[3361]: "155.132.0.203:155.132.0.10"
xl2tpd[3361]: "refuse-pap"
xl2tpd[3361]: "refuse-chap"
xl2tpd[3361]: "auth"
xl2tpd[3361]: "debug"
xl2tpd[3361]: "file"
xl2tpd[3361]: "/etc/ppp/options.xl2tpd"
xl2tpd[3361]: "/dev/pts/1"
xl2tpd[3361]: Call established with 201.24.73.XXX, Local: 9389, Remote: 1, Serial: 0
debian:/etc# tail -f /var/log/auth.log
Aug 3 18:57:53 debian pluto[3015]: packet from 201.24.73.XXX:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 3 18:57:53 debian pluto[3015]: packet from 201.24.73.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 3 18:57:53 debian pluto[3015]: packet from 201.24.73.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 3 18:57:53 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: responding to Main Mode from unknown peer 201.24.73.XXX
Aug 3 18:57:53 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 3 18:57:53 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: Main mode peer ID is ID_FQDN: '@winxp'
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: switched from "L2TP-PSK" to "L2TP-PSK"
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #1: deleting connection "L2TP-PSK" instance with peer 201.24.73.XXX {isakmp=#0/ipsec=#0}
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #1: I did not send a certificate because I do not have one.
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #2: responding to Quick Mode {msgid:c25f786b}
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1f1bb521 <0xd43e3428 xfrm=3DES_0-HMAC_MD5 NATD=201.24.73.XXX:4500 DPD=none}
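The two pluto logs in the post carry the whole story: on the upgraded box the new-style ESPINUDP socket setup fails (errno 19 is ENODEV on Linux) and pluto falls back to old-style NAT-T, while on the working Debian box NAT detection reports "peer is NATed" and the SAs come up with 3DES and HMAC-MD5. As an added example (not code from the post or from Openswan), here is a Python triage script that parses such log lines and pulls out exactly those facts: ESPINUDP failures with the errno decoded, the fallback, which peers were detected behind NAT, the negotiated ISAKMP/IPsec SA parameters and SPIs, and any legacy algorithms. The regular expressions are this example's assumptions about the 2.4/2.6 message formats, LEGACY_ALGS is an example policy list, and the sample lines are copied from the post above with the wrapping removed.

```python
"""Triage Openswan pluto log lines: NAT-T setup, NAT detection, SA parameters.

Added example; not code from the original post or from Openswan. Regexes are
assumptions about the message formats in the post's excerpts; LEGACY_ALGS is
an example policy list, not something Openswan enforces.
"""
import errno
import re

# Constructed sample: lines from the post above (addresses masked as posted).
SAMPLE_LOG = """\
Aug 3 18:40:40 slitaz pluto[17457]: Setting NAT-Traversal port-4500 floating to on
Aug 3 18:40:40 slitaz pluto[17457]: NAT-Traversal: Trying new style NAT-T
Aug 3 18:40:40 slitaz pluto[17457]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Aug 3 18:40:40 slitaz pluto[17457]: NAT-Traversal: Trying old style NAT-T
Aug 3 18:57:53 debian pluto[3015]: packet from 201.24.73.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[1] 201.24.73.XXX #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 3 18:57:54 debian pluto[3015]: "L2TP-PSK"[2] 201.24.73.XXX #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1f1bb521 <0xd43e3428 xfrm=3DES_0-HMAC_MD5 NATD=201.24.73.XXX:4500 DPD=none}
"""

# syslog prefix, optional '"conn"[inst] peer #sa: ' connection context, then the message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$')
ESPINUDP_RE = re.compile(
    r'NAT-Traversal: ESPINUDP\((?P<type>\d+)\) setup failed for (?P<style>new|old) style '
    r'NAT-T family (?P<family>IPv[46]) \(errno=(?P<errno>\d+)\)')
NAT_RESULT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>\S+): (?P<result>.+)$')
SA_RE = re.compile(r'(?P<kind>ISAKMP|IPsec) SA established \{(?P<body>[^}]*)\}')
SPI_RE = re.compile(r'ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)')

# Example policy: substrings of algorithm names we want flagged (assumption).
LEGACY_ALGS = {'3des': '3DES', 'md5': 'MD5',
               'modp1024': 'modp1024 (DH group 2)', 'modp768': 'modp768 (DH group 1)'}


def parse_line(line):
    """Split one syslog line into its pluto fields; None if it is not a pluto line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_sa_body(body):
    """Turn '{k=v k=v ...}' into a dict; the ESP SPI pair becomes spi_out/spi_in."""
    params = {k: v for k, v in (t.split('=', 1) for t in body.split() if '=' in t)}
    spi = SPI_RE.search(body)
    if spi:
        params.pop('ESP', None)
        params.update(spi.groupdict())
    return params


def legacy_algorithms(params):
    low = ' '.join(params.values()).lower()
    return sorted(label for needle, label in LEGACY_ALGS.items() if needle in low)


def triage(log_text):
    s = {'port_floating': None, 'espinudp_failures': [], 'natt_fallback_to_old_style': False,
         'peers_nated': [], 'isakmp_sa': None, 'ipsec_sa': None, 'legacy_algorithms': []}
    new_style_failed = False
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        msg = rec['msg']
        if msg.startswith('Setting NAT-Traversal port-4500 floating to'):
            s['port_floating'] = msg.endswith(' on')
        elif (m := ESPINUDP_RE.search(msg)):
            code = int(m['errno'])
            s['espinudp_failures'].append({'type': int(m['type']), 'style': m['style'],
                                           'family': m['family'], 'errno': code,
                                           'errname': errno.errorcode.get(code, '?')})
            new_style_failed |= m['style'] == 'new'
        elif msg == 'NAT-Traversal: Trying old style NAT-T' and new_style_failed:
            s['natt_fallback_to_old_style'] = True
        elif (m := NAT_RESULT_RE.search(msg)) and m['result'] in ('peer is NATed', 'both are NATed'):
            if rec['peer'] and rec['peer'] not in s['peers_nated']:
                s['peers_nated'].append(rec['peer'])
        elif (m := SA_RE.search(msg)):
            params = parse_sa_body(m['body'])
            s['isakmp_sa' if m['kind'] == 'ISAKMP' else 'ipsec_sa'] = params
            s['legacy_algorithms'] = sorted(set(s['legacy_algorithms']) | set(legacy_algorithms(params)))
    return s


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key:28} {value}')
```

Run against a real /var/log/auth.log or /var/log/messages by piping it into `triage()`; an ESPINUDP failure on the "new" style followed by the fallback line is the first thing to look for when NATed clients stop connecting after an upgrade, and the `legacy_algorithms` list is a reminder that a transport-mode SA negotiated with 3DES/MD5 deserves a tighter `ike=`/`phase2alg=` policy once the connectivity problem is solved.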
URL: http://lists.openswan.org/pipermail/users/attachments/20090803/1a12435e/attachment-0001.html
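The ipsec.conf in the post is the usual layout for an Openswan L2TP/IPsec responder that must accept clients behind NAT: NAT-T enabled in `config setup`, a transport-mode conn limited to UDP/1701, `right=%any` and `rightsubnet=vhost:%no,%priv`, with a PSK in ipsec.secrets. As an added example (not code from the post or from Openswan), here is a small Python linter that parses a file in that format and reports any of those settings that are missing or different, then checks the PSK line. The table of expected values, the 20-character PSK threshold and the sample inputs are this example's own assumptions (the sample is the posted config with its indentation restored and a second copy with the NAT settings removed).

```python
"""Lint an Openswan ipsec.conf / ipsec.secrets pair for an L2TP/IPsec responder
serving clients behind NAT.

Added example; not code from the original post or from Openswan. EXPECTED_CONN
and MIN_PSK_LEN are this example's assumptions.
"""
import re

# Constructed sample: the ipsec.conf posted above, indentation restored.
SAMPLE_IPSEC_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
    nhelpers=0
    protostack=netkey
include /etc/ipsec.d/examples/no_oe.conf
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
"""
# Same config with the two NAT-related lines removed (constructed "before" case).
BROKEN_IPSEC_CONF = (SAMPLE_IPSEC_CONF.replace('    nat_traversal=yes\n', '')
                     .replace('    rightsubnet=vhost:%no,%priv\n', ''))
# Constructed sample ipsec.secrets as posted (placeholder secret).
SAMPLE_SECRETS = ': RSA /etc/ipsec.d/private/debianKey.pem\n: PSK "PASSWORD"\n'

# Assumed requirements for a transport-mode L2TP responder with NATed clients.
EXPECTED_CONN = {'type': 'transport', 'leftprotoport': '17/1701', 'rightprotoport': '17/1701',
                 'right': '%any', 'rightsubnet': 'vhost:%no,%priv', 'authby': 'secret', 'pfs': 'no'}
MIN_PSK_LEN = 20  # example threshold, not an Openswan rule
SECTION_RE = re.compile(r'(config|conn)\s+(\S+)$')
PSK_RE = re.compile(r'^\s*([^:#\n]*?)\s*:\s*PSK\s+"([^"]*)"', re.M)


def parse_ipsec_conf(text):
    """Return ({(kind, name): {key: value}}, [include paths]); comments stripped."""
    sections, includes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('version '):
            continue
        if line.startswith('include '):
            includes.append(line.split(None, 1)[1])
        elif (m := SECTION_RE.match(line)):
            current = (m.group(1), m.group(2))
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections, includes


def lint(conf_text, secrets_text, conn_name='L2TP-PSK'):
    sections, _ = parse_ipsec_conf(conf_text)
    findings = []
    setup = sections.get(('config', 'setup'), {})
    if setup.get('nat_traversal') != 'yes':
        findings.append(f'config setup: nat_traversal=yes is required for peers behind NAT '
                        f'(got {setup.get("nat_traversal")!r})')
    conn = sections.get(('conn', conn_name))
    if conn is None:
        return findings + [f'conn {conn_name} not defined']
    for key, want in EXPECTED_CONN.items():
        if conn.get(key) != want:
            findings.append(f'conn {conn_name}: {key}={conn.get(key)!r}, expected {want!r}')
    if conn.get('authby') == 'secret':
        psks = PSK_RE.findall(secrets_text)
        if not psks:
            findings.append('ipsec.secrets: authby=secret but no ": PSK" line found')
        for ids, psk in psks:
            who = ids.strip() or '%any'
            if who == '%any':  # a PSK line with no IDs is shared by every peer that connects
                findings.append('ipsec.secrets: PSK line without peer IDs: every client '
                                'matching right=%any shares this secret')
            if len(psk) < MIN_PSK_LEN:
                findings.append(f'ipsec.secrets: PSK for {who} is {len(psk)} characters; '
                                f'use a long random secret (example threshold {MIN_PSK_LEN})')
    return findings


if __name__ == '__main__':
    for label, conf in (('posted config', SAMPLE_IPSEC_CONF), ('NAT settings removed', BROKEN_IPSEC_CONF)):
        print(label)
        for finding in lint(conf, SAMPLE_SECRETS) or ['OK']:
            print('  ', finding)
```

Point `lint()` at the real files (`open('/etc/ipsec.conf').read()`, `open('/etc/ipsec.secrets').read()`) on the box that stopped working and on the one that still works; a difference in the reported findings is the quickest way to tell a configuration regression from a kernel or NAT-T problem like the ESPINUDP failure in the log above. The parser only recognises `config`, `conn` and `include` lines, so `also=` inheritance and `%default` sections are not expanded.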