[Openswan Users] Windows XP & L2TP issue, timeout
FLOC'H Tanguy
t.floch at sofrel.com
Mon Dec 14 08:17:16 EST 2009
Hello,
Did you set the "AssumeUDPEncapsulationContextOnSendRule" registry entry on Windows?
This is needed, since NAT is involved.
See http://support.microsoft.com/kb/885407
Best regards,
Tanguy Floc'h
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Gennady Kovalev
Sent: Sunday, 13 December 2009 23:12
To: users at openswan.org
Subject: [Openswan Users] Windows XP & L2TP issue, timeout
Hello!
I have this network structure:
MyServer, real IP <-- ...internet... --> ADSLModem (NAT here) --- 2 PCs (Linux, Windows)
The IPsec connection is made from the intranet, from a Linux machine with Debian and a Windows XP SP3 machine.
First, I tried to set up the Linux connection. There were no problems there. But from Windows I can't connect to the server: error 678, connection timed out.
Server side:
- openswan 2.6.23
- xl2tpd 1.2.4
About the Windows connection: the IPsec layer is connected, but the L2TP packets don't pass from server to client. I connected a PC between the Windows machine and the ADSL router, and can't see any L2TP packets there, neither encapsulated nor clear UDP 1701.
=========== configs =================
ipsec.conf:
config setup
        nat_traversal=yes
        oe=off
        protostack=netkey
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.1.25.0/24

conn %default
        auto=add

conn roadwarrior
        authby=rsasig
        pfs=no
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=94.79.54.16
        #leftid=%fromcert
        leftrsasigkey=%cert
        leftcert=myserver.crt
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        leftprotoport=17/1701
        rightprotoport=17/1701
xl2tpd.conf:
[lns default]
ip range = 10.1.25.128-10.1.25.254
local ip = 10.1.25.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/ppp-options.xl2tpd
length bit = yes
/etc/ppp/ppp-options.xl2tpd may not be important now...
=========== /configs =================
And some logs:
========== logs ================
Edited ipsec log; x.x.x.x = public IP of client (before NAT), y.y.y.y = IP of server:
packet from x.x.x.x:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
#15: responding to Main Mode from unknown peer x.x.x.x
#15: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
#15: STATE_MAIN_R1: sent MR1, expecting MI2
#15: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
#15: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
#15: STATE_MAIN_R2: sent MR2, expecting MI3
#15: Main mode peer ID is ID_DER_ASN1_DN: ' ... machine dn ... '
#15: no crl from issuer " ... ca dn ... " found (strict=no)
#15: switched from "roadwarrior" to "roadwarrior"
#15: I am sending my cert
#15: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
#15: new NAT mapping for #15, was x.x.x.x:500, now x.x.x.x:4500
#15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
#15: peer client type is FQDN
#15: Applying workaround for MS-818043 NAT-T bug
#15: IDci was FQDN: ^O6\020, using NAT_OA=192.168.0.101/32 as IDci
#15: the peer proposed: y.y.y.y/32:17/1701 -> 192.168.0.101/32:17/1701
#16: responding to Quick Mode proposal {msgid:bde1b952}
#16: us: y.y.y.y<y.y.y.y>[+S=C]:17/1701
#16: them: x.x.x.x[... machine dn ...]:17/1701===192.168.0.101/32
#16: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
#16: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
#16: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
#16: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x87d54f3f <0x4e10cc73 xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.101 NATD=x.x.x.x:4500 DPD=none}
xl2tpd's logs:
control_finish: Peer requested tunnel 49 twice, ignoring second one.
Connection 49 closed to 95.143.213.58, port 1701 (Timeout)
When the IPsec connection is established, ip xfrm pol shows:
src 192.168.0.101/32 dst y.y.y.y/32 proto udp dport 1701
        dir in priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport
src y.y.y.y/32 dst 192.168.0.101/32 proto udp sport 1701
        dir out priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport
And tcpdump:
x.x.x.x.500 > y.y.y.y.500: isakmp: phase 1 I ident
y.y.y.y.500 > x.x.x.x.500: isakmp: phase 1 R ident
x.x.x.x.500 > y.y.y.y.500: isakmp: phase 1 I ident
y.y.y.y.500 > x.x.x.x.500: isakmp: phase 1 R ident
x.x.x.x.4500 > y.y.y.y.4500: NONESP-encap: isakmp: phase 1 I ident[E]
y.y.y.y.4500 > x.x.x.x.4500: NONESP-encap: isakmp: phase 1 R ident[E]
x.x.x.x.4500 > y.y.y.y.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
y.y.y.y.4500 > x.x.x.x.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
x.x.x.x.4500 > y.y.y.y.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x1), length 140
x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x2), length 140
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 ZLB
x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x3), length 140
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 ZLB
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x4), length 140
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 ZLB
x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x5), length 140
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 ZLB
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9708) *RESULT_CODE(1/0 Timeout)
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9708) *RESULT_CODE(1/0 Timeout)
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9708) *RESULT_CODE(1/0 Timeout)
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9708) *RESULT_CODE(1/0 Timeout)
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9708) *RESULT_CODE(1/0 Timeout)
x.x.x.x.4500 > y.y.y.y.4500: isakmp-nat-keep-alive
x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x6), length 140
y.y.y.y.1701 > x.x.x.x.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 ZLB
x.x.x.x.4500 > y.y.y.y.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
y.y.y.y.4500 > x.x.x.x.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
x.x.x.x.4500 > y.y.y.y.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
y.y.y.y.4500 > x.x.x.x.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
x.x.x.x.4500 > y.y.y.y.4500: isakmp-nat-keep-alive
========== / logs ===============
I have the same logs from a successful connection from Linux; I can send them if needed.
One thing I'll note now: the difference in the tcpdumped packets after the IPsec session is established:
x.x.x.x.1025 > y.y.y.y.4500: UDP-encap: ESP(spi=0x4ff02f71,seq=0x1), length 180
192.168.0.100.1701 > y.y.y.y.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
x.x.x.x.1025 > y.y.y.y.4500: UDP-encap: ESP(spi=0x4ff02f71,seq=0x2), length 180
192.168.0.100.1701 > y.y.y.y.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
y.y.y.y.4500 > x.x.x.x.1025: UDP-encap: ESP(spi=0x2b2873ca,seq=0x1), length 180
y.y.y.y.4500 > x.x.x.x.1025: UDP-encap: ESP(spi=0x2b2873ca,seq=0x2), length 84
Here we can see the intranet IP 192.168.0.100 and the encapsulated ESP packets, but with Windows I can't see this.
Please help,
Thank you,
Gennady Kovalev.
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
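The two captures in the thread differ in one detail worth checking mechanically: in the Windows case the server's L2TP replies leave on UDP 1701 in the clear, while the outbound xfrm policy only selects traffic to the NAT-OA address 192.168.0.101/32. The script below is an added example, not part of this thread and not Openswan's or xl2tpd's code. It parses tcpdump lines and `ip xfrm policy` output of the shape shown above, counts traffic per direction and kind, and flags cleartext L2TP the server sent whose destination matches no outbound policy selector. The sample captures and policies are constructed for the example, with the documentation addresses 203.0.113.5 and 198.51.100.7 standing in for y.y.y.y and x.x.x.x.

```python
"""Correlate a tcpdump capture with `ip xfrm policy` output for an
L2TP/IPsec transport-mode peer behind NAT (example code, constructed input)."""
import ipaddress
import re
from collections import Counter

SERVER = ipaddress.ip_address("203.0.113.5")  # constructed; stands in for y.y.y.y

# Constructed capture in the shape of the thread's Windows XP case:
# ESP-in-UDP arrives from the client, but the server answers with cleartext L2TP.
TCPDUMP = """\
198.51.100.7.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x1), length 140
203.0.113.5.1701 > 198.51.100.7.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
203.0.113.5.1701 > 198.51.100.7.1701: l2tp:[TLS](49/0)Ns=0,Nr=1 ZLB
198.51.100.7.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x6e1167b8,seq=0x2), length 140
203.0.113.5.1701 > 198.51.100.7.1701: l2tp:[TLS](49/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *RESULT_CODE(1/0 Timeout)
198.51.100.7.4500 > 203.0.113.5.4500: isakmp-nat-keep-alive
"""

# Constructed capture in the shape of the working Linux case: the decrypted
# inbound L2TP shows up once with the client's private address, and everything
# the server sends is ESP-encapsulated.
LINUX_TCPDUMP = """\
198.51.100.7.1025 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x4ff02f71,seq=0x1), length 180
192.168.0.100.1701 > 203.0.113.5.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0)
203.0.113.5.4500 > 198.51.100.7.1025: UDP-encap: ESP(spi=0x2b2873ca,seq=0x1), length 180
203.0.113.5.4500 > 198.51.100.7.1025: UDP-encap: ESP(spi=0x2b2873ca,seq=0x2), length 84
"""

# Constructed `ip xfrm policy` output in the shape shown in the thread.
XFRM_POLICY = """\
src 192.168.0.101/32 dst 203.0.113.5/32 proto udp dport 1701
        dir in priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport
src 203.0.113.5/32 dst 192.168.0.101/32 proto udp sport 1701
        dir out priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport
"""

PKT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")


def classify(rest):
    """Map the tcpdump payload description to a coarse traffic kind."""
    if "UDP-encap: ESP" in rest:
        return "esp-udp"
    if "isakmp" in rest:          # covers NONESP-encap IKE and NAT keep-alives
        return "ike"
    if rest.startswith("l2tp:"):
        return "l2tp-clear"
    return "other"


def parse_tcpdump(text):
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            pkts.append({"src": ipaddress.ip_address(m.group(1)), "sport": int(m.group(2)),
                         "dst": ipaddress.ip_address(m.group(3)), "dport": int(m.group(4)),
                         "kind": classify(m.group(5))})
    return pkts


def summarize(text, server=SERVER):
    """Count packets by (direction, kind); direction is relative to the server."""
    counts = Counter()
    for p in parse_tcpdump(text):
        direction = "server->client" if p["src"] == server else "client->server"
        counts[(direction, p["kind"])] += 1
    return counts


def parse_xfrm_policies(text):
    """Parse the selector, direction and template mode of each policy block."""
    pols = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            f = line.split()
            pol = {"src": ipaddress.ip_network(f[1]), "dst": ipaddress.ip_network(f[3]),
                   "proto": None, "sport": None, "dport": None, "dir": None, "mode": None}
            for key, val in zip(f[4::2], f[5::2]):   # remaining tokens are key/value pairs
                if key in ("sport", "dport"):
                    pol[key] = int(val)
                elif key == "proto":
                    pol["proto"] = val
            pols.append(pol)
        elif line.startswith("dir ") and pols:
            pols[-1]["dir"] = line.split()[1]
        elif "mode " in line and pols:
            pols[-1]["mode"] = line.split("mode ")[1].split()[0]
    return pols


def policy_covers(pol, pkt):
    """True if an outbound policy selector would have matched this packet."""
    return (pol["dir"] == "out"
            and pkt["src"] in pol["src"] and pkt["dst"] in pol["dst"]
            and pol["proto"] in (None, "udp")
            and pol["sport"] in (None, pkt["sport"])
            and pol["dport"] in (None, pkt["dport"]))


def uncovered_cleartext(text, policies, server=SERVER):
    """Cleartext L2TP packets sent by the server that no outbound policy selects."""
    findings = []
    for p in parse_tcpdump(text):
        if p["src"] == server and p["kind"] == "l2tp-clear" \
                and not any(policy_covers(pol, p) for pol in policies):
            expected = [str(pol["dst"]) for pol in policies if pol["dir"] == "out"]
            findings.append((p["dst"], p["dport"], expected))
    return findings


def report(tcpdump_text, xfrm_text, server=SERVER):
    lines = [f"{d:15} {k:11} {n}" for (d, k), n in sorted(summarize(tcpdump_text, server).items())]
    for dst, dport, expected in uncovered_cleartext(tcpdump_text, parse_xfrm_policies(xfrm_text), server):
        lines.append(f"cleartext L2TP to {dst}:{dport} matches no outbound policy "
                     f"(outbound selectors cover dst {', '.join(expected)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TCPDUMP, XFRM_POLICY))
```

Reading the result needs one caveat about what a capture on a NETKEY host shows: inbound packets appear twice, once as ESP and once decrypted, so cleartext L2TP arriving from the client's private address (as in the Linux capture) is normal. Outbound traffic appears only as it actually leaves the interface, so cleartext L2TP with the server as source means the packet was never matched by an outbound policy, which is exactly the condition the script reports.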