[Openswan Users] Troubleshooting assistance on openswan 2.6.19

Paul Wouters paul at xelerance.com
Fri Feb 6 13:41:40 EST 2009


On Fri, 30 Jan 2009, Arnel Espanola wrote:

This is likely http://bugs.xelerance.com/view.php?id=1004

Paul

> Date: Fri, 30 Jan 2009 10:28:31 -0800
> From: Arnel Espanola <aespanola at arts.ucla.edu>
> To:  <users at openswan.org>
> Subject: [Openswan Users] Troubleshooting assistance on openswan 2.6.19
> 
> Hello there,
> 
> I've been running this version of Openswan on Fedora 6 for a while
> without a problem. And I'm using xl2tpd-1.1.11-2.fc6 for L2TP.
> 
> Linux Openswan U2.4.5/K2.6.22.14-72.fc6 (netkey)
> 
> But recently I decided to install the latest version of Openswan on
> CentOS5 and I'm having issues with it and I couldn't find the solution
> for it. And I installed L2TP from source, l2tpd-0.69cvs20051030-1jdl.
> Not sure if the L2TP is what is causing the problem.
> 
> Linux Openswan U2.6.19/K2.6.18-92.1.22.el5 (netkey)
> 
> 
> I just copied my ipsec.config from the old version. And kept some
> default config from the new version.
> 
> 
> /etc/ipsec.conf
> 
> 
> config setup
> 	# Do not set debug= options to debug configuration issues!
> 	# plutodebug / klipsdebug = "all", "none" or a combination from below:
> 	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
> 	# eg:
> 	# plutodebug="control parsing"
> 	#
> 	# enable to get logs per-peer
> 	# plutoopts="--perpeerlog"
> 	#
> 	# Only enable *debug=all if you are a developer
> 	#
> 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> 	nat_traversal=yes
> 	# exclude networks used on server side by adding %v4:!a.b.c.0/24
> 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> 	# OE is now off by default. Uncomment and change to on, to enable.
> 	OE=off
> 	# which IPsec stack to use. netkey,klips,mast,auto or none
> 	protostack=netkey
> 	 interfaces=%defaultroute
>      klipsdebug=none
>      plutodebug=none
>     #  overridemtu=1410
>      protostack=netkey
>      nat_traversal=yes
>      virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> 
> # Add connections here
> 
> 
> conn %default
>      keyingtries=3
>      compress=yes
>      disablearrivalcheck=no
>      authby=secret
>      type=tunnel
>      keyexchange=ike
>      ikelifetime=240m
>      keylife=60m
> conn roadwarrior-all
>      leftsubnet=0.0.0.0/0
>      also=roadwarrior
> conn roadwarrior-l2tp
>      leftprotoport=17/0
>      rightprotoport=17/1701
>      also=roadwarrior
> conn roadwarrior-l2tp-macosx
>      leftprotoport=17/1701
>      rightprotoport=17/%any
>      also=roadwarrior
> conn roadwarrior-l2tp-updatedwin
>      leftprotoport=17/1701
>      rightprotoport=17/1701
>      also=roadwarrior
> conn roadwarrior
>      pfs=no
>      left=192.168.1.21
>      leftnexthop=192.168.1.254
>      right=%any
>      auto=add
> 
> 
> And here's the log. It seems ipsec got established but not the L2TP.
> I don't see anything being logged in the ppp directory.
> 
> /var/log/secure
> 
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
> Vendor ID payload [FRAGMENTATION]
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
> Vendor ID payload [Vid-Initial-Contact]
> Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> responding to Main Mode from unknown peer 10.10.10.41
> Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
> detected
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> Main mode peer ID is ID_IPV4_ADDR: '10.10.10.41'
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> the peer proposed: 192.168.1.21/32:0/0 -> 10.10.10.41/32:0/0
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: responding to Quick Mode proposal {msgid:31e7faf3}
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10:     us: 192.168.1.21<192.168.1.21>[+S=C]:17/0---192.168.1.254
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10:   them: 10.10.10.41[+S=C]:17/1701
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf954264a
> <0xd247dca8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
> DPD=enabled}
> Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> received Delete SA(0xf954264a) payload: deleting IPSEC State #10
> Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.41
> {isakmp=#0/ipsec=#0}
> Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> received and ignored informational message
> Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> received Delete SA payload: deleting ISAKMP State #9
> Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41:
> deleting connection "roadwarrior-all" instance with peer 10.10.10.41
> {isakmp=#0/ipsec=#0}
> Jan 30 09:45:32 test pluto[26674]: packet from 10.10.10.41:500: received
> and ignored informational message
> 
> 
> Your help on this will be greatly appreciated. Let me know if you need
> more information.
> 
> Thanks.
> 
> Arnel


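A check for the symptom visible in the log above, as an added example that is not part of the original thread: it rejoins mail-wrapped pluto entries and reports IPsec SAs that reach STATE_QUICK_R2 and are then deleted at the peer's request within a short window, as state #10 is here after five seconds. The function names `unwrap` and `short_lived_sas` and the 30-second threshold are assumptions of this example.

```python
import re
from datetime import datetime

# Entries for state #10 are taken from the log above (mail line wrapping kept);
# the entries for state #12 are constructed to show a session that stays up.
SAMPLE = """\
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf954264a
<0xd247dca8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
DPD=enabled}
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
received Delete SA(0xf954264a) payload: deleting IPSEC State #10
Jan 30 10:00:00 test pluto[26674]: "roadwarrior-l2tp"[5] 10.10.10.42 #12: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x11111111 <0x22222222}
Jan 30 10:42:10 test pluto[26674]: "roadwarrior-all"[6] 10.10.10.42 #11: received Delete SA(0x11111111) payload: deleting IPSEC State #12
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
EST = re.compile(r"#(\d+): STATE_QUICK_R2: IPsec SA established")
DEL = re.compile(r"received Delete SA\(0x[0-9a-f]+\) payload: deleting IPSEC State #(\d+)")

def unwrap(text):
    """Strip '> ' quoting and rejoin entries that a mail client wrapped."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)          # a new syslog entry starts here
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def short_lived_sas(text, max_seconds=30):
    """Return (state, conn, seconds) for IPsec SAs the peer deleted within max_seconds."""
    born, hits = {}, []
    for entry in unwrap(text):
        if not STAMP.match(entry):
            continue
        # syslog stamps carry no year; a fixed one is enough for same-day deltas
        when = datetime.strptime("2000 " + entry[:15], "%Y %b %d %H:%M:%S")
        conn = re.search(r'"([^"]+)"', entry)
        if m := EST.search(entry):
            born[m.group(1)] = (when, conn.group(1) if conn else "?")
        elif (m := DEL.search(entry)) and m.group(1) in born:
            start, name = born.pop(m.group(1))
            age = int((when - start).total_seconds())
            if age <= max_seconds:
                hits.append((int(m.group(1)), name, age))
    return hits

if __name__ == "__main__":
    print(short_lived_sas(SAMPLE))
```
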