[Openswan Users] Windows XP & L2TP issue, timeout
Gennady Kovalev
gik at bigur.ru
Wed Dec 16 17:29:26 EST 2009
On Tue, 15 Dec 2009 14:15:54 +0100
"FLOC'H Tanguy" <t.floch at sofrel.com> wrote:
> The only openswan version I got successfully working with L2TP/NAT-T
> is 2.4.x, from now.
>
> See my 2.4.x ipsec.conf config here:
> http://lists.openswan.org/pipermail/users/2009-December/017946.html
I have another problem with 2.4.12: "asynchronous network error
report ... no route to host" on the client side. I can't set up a
connection even from Linux.
Again, but for 2.4.12:
Server (Debian):
Linux gnom 2.6.26-2-openvz-686 #1 SMP Wed Aug 19 07:30:34 UTC 2009 i686 GNU/Linux
Openswan 1:2.4.12+dfsg-1.3+lenny2
Client (Debian too):
Linux shin 2.6.30-2-686 #1 SMP Sat Sep 26 01:16:22 UTC 2009 i686 GNU/Linux
Openswan version is the same.
Server side config:
# basic configuration
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior
    authby=rsasig
    pfs=no
    rekey=no
    keyingtries=3
    left=y.y.y.y
    leftnexthop=y.y.y.1
    leftprotoport=17/1701
    leftrsasigkey=%cert
    leftcert=certfile....
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    auto=add

# disable opportunistic encryption
include /etc/ipsec.d/examples/no_oe.conf
Client side config:
# basic configuration
config setup
    interfaces=%defaultroute
    nat_traversal=yes

# default connection settings
conn roadwarrior
    authby=rsasig
    pfs=no
    type=transport
    left=y.y.y.y
    leftprotoport=17/1701
    leftcert=certfile...
    leftrsasigkey=%cert
    right=%defaultroute
    rightprotoport=17/1701
    rightcert=certfile...
    rightrsasigkey=%cert
    auto=add

# disable opportunistic encryption
include /etc/ipsec.d/examples/no_oe.conf
And while the connection is being established, ip xfrm pol shows:
At server side:
src x.x.x.x/32 dst y.y.y.y/32 proto udp sport 1701 dport 1701
    dir in priority 2080
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16393 mode transport
At client side:
src 192.168.0.100/32 dst y.y.y.y/32 proto udp sport 1701 dport 1701
    dir out priority 2080
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src y.y.y.y/32 dst 192.168.0.100/32 proto udp sport 1701 dport 1701
    dir in priority 2080
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
On the server side there are no errors in the logs; the last lines are:
... #2:responding to Quick Mode {msgid:aef075ec}
... #2:transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
... #2:STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
But in the client's logs I have errors:
ERROR: asynchronous network error report on wlan0 (sport=4500) for message to y.y.y.y port 4500, complainant 192.168.0.100: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Gennady Kovalev.
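The two artefacts in the post above, the ip xfrm policy dumps and pluto's "asynchronous network error report" line, can be read mechanically. The following is an added example written for this page, not code from the thread or from Openswan: it parses both, maps the installed policies to the Quick Mode stage each side reached, and pulls the errno and ICMP type/code out of the pluto line. The sample texts are constructed to mirror the post (placeholders y.y.y.y and x.x.x.x kept as they are), and the function and variable names are the example's own.

```python
"""Parse `ip xfrm policy` dumps and pluto's async network error line (added
example; not code from the thread or from Openswan).  Sample inputs below are
constructed from the post, with its placeholder addresses kept verbatim."""
import re

L2TP_PORT = "1701"

# Constructed sample: the server-side dump quoted in the post (inbound only).
SERVER_XFRM = """\
src x.x.x.x/32 dst y.y.y.y/32 proto udp sport 1701 dport 1701
    dir in priority 2080
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16393 mode transport
"""

# Constructed sample: the client-side dump quoted in the post (both directions).
CLIENT_XFRM = """\
src 192.168.0.100/32 dst y.y.y.y/32 proto udp sport 1701 dport 1701
    dir out priority 2080
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src y.y.y.y/32 dst 192.168.0.100/32 proto udp sport 1701 dport 1701
    dir in priority 2080
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
"""

# Constructed sample: the client-side pluto error line from the post, unwrapped.
PLUTO_ERROR = ("ERROR: asynchronous network error report on wlan0 (sport=4500) for "
               "message to y.y.y.y port 4500, complainant 192.168.0.100: No route "
               "to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]")


def parse_xfrm_policy(text):
    """Turn `ip xfrm policy` output into a list of dicts, one per policy."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_tmpl = line.startswith("tmpl ")
        tokens = line.split()[1:] if is_tmpl else line.split()
        kv = dict(zip(tokens[0::2], tokens[1::2]))   # "key value key value ..."
        if line.startswith("src "):                  # selector line opens a policy
            cur = dict(kv)
            policies.append(cur)
        elif cur is None:
            continue
        elif is_tmpl:                                # template endpoints
            cur.update({"tmpl_" + k: v for k, v in kv.items()})
        elif "reqid" in kv:                          # SA protocol / reqid / mode
            cur.update(sa_proto=kv["proto"], reqid=kv["reqid"], mode=kv["mode"])
        else:                                        # "dir X priority N"
            cur.update(kv)
    return policies


def l2tp_transport_dirs(policies):
    """Directions that carry a transport-mode ESP policy for UDP 1701<->1701,
    the selector the leftprotoport/rightprotoport=17/1701 configs negotiate."""
    return sorted(
        p.get("dir", "?") for p in policies
        if p.get("proto") == "udp" and p.get("sport") == L2TP_PORT
        and p.get("dport") == L2TP_PORT and p.get("mode") == "transport"
        and p.get("sa_proto") == "esp"
    )


def quick_mode_stage(policies):
    """Map installed policies to the Quick Mode stage.  pluto's responder
    installs the inbound SA when it sends QR1 and the outbound one only after
    QI2 arrives, so "in only" is the state behind "sent QR1 ... expecting QI2"."""
    dirs = set(l2tp_transport_dirs(policies))
    if {"in", "out"} <= dirs:
        return "both directions installed"
    if dirs == {"in"}:
        return "responder waiting for QI2"
    if dirs == {"out"}:
        return "outbound only"
    return "none"


ASYNC_ERR = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) "
    r"for message to (?P<peer>\S+) port (?P<port>\d+), complainant "
    r"(?P<complainant>\S+): (?P<reason>[^\[]+?) \[errno (?P<errno>\d+), "
    r"origin ICMP type (?P<type>\d+) code (?P<code>\d+)")


def parse_async_error(line, local_addrs=()):
    """Extract interface, peer, errno and ICMP type/code from pluto's line."""
    m = ASYNC_ERR.search(line)
    if not m:
        return None
    info = m.groupdict()
    for k in ("sport", "port", "errno", "type", "code"):
        info[k] = int(info[k])
    info["nat_t"] = info["sport"] == 4500 and info["port"] == 4500
    # pluto marks the ICMP "not authenticated": anyone can forge it, so treat it
    # as a hint.  A complainant that is one of our own addresses means our own
    # stack raised it (Linux does so when the next hop on the interface cannot
    # be reached), not a router on the path to the peer.
    info["local_origin"] = info["complainant"] in local_addrs
    return info


if __name__ == "__main__":
    print("server:", quick_mode_stage(parse_xfrm_policy(SERVER_XFRM)))
    print("client:", quick_mode_stage(parse_xfrm_policy(CLIENT_XFRM)))
    print(parse_async_error(PLUTO_ERROR, local_addrs=("192.168.0.100",)))
```

Run against the post's own dumps, the server comes out as "responder waiting for QI2" and the client as "both directions installed", which is consistent with the client having processed QR1 and the server never receiving QI2 over UDP 4500; the error parser then shows the ICMP host-unreachable was raised by the client's own address on wlan0, which points at local next-hop reachability rather than at the server.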