[Openswan Users] Troubleshooting assistance on openswan 2.6.19
Paul Wouters
paul at xelerance.com
Fri Feb 6 13:41:40 EST 2009
On Fri, 30 Jan 2009, Arnel Espanola wrote:
This is likely http://bugs.xelerance.com/view.php?id=1004
Paul
> Date: Fri, 30 Jan 2009 10:28:31 -0800
> From: Arnel Espanola <aespanola at arts.ucla.edu>
> To: <users at openswan.org>
> Subject: [Openswan Users] Troubleshooting assistance on openswan 2.6.19
>
> Hello there,
>
> I've been running this version of Openswan on Fedora 6 for a while
> without a problem. And I'm using xl2tpd-1.1.11-2.fc6 for L2TP.
>
> Linux Openswan U2.4.5/K2.6.22.14-72.fc6 (netkey)
>
> But recently I decided to install the latest version of Openswan on
> CentOS5 and I'm having issues with it and I couldn't find the solution
> for it. And I installed L2TP from source, l2tpd-0.69cvs20051030-1jdl.
> Not sure if the L2TP is what's causing the problem.
>
> Linux Openswan U2.6.19/K2.6.18-92.1.22.el5 (netkey)
>
>
> I just copied my ipsec.conf from the old version and kept some
> default config from the new version.
>
>
> /etc/ipsec.conf
>
>
> config setup
> # Do not set debug= options to debug configuration issues!
> # plutodebug / klipsdebug = "all", "none" or a combination from below:
> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
> # eg:
> # plutodebug="control parsing"
> #
> # enable to get logs per-peer
> # plutoopts="--perpeerlog"
> #
> # Only enable *debug=all if you are a developer
> #
> # NAT-TRAVERSAL support, see README.NAT-Traversal
> nat_traversal=yes
> # exclude networks used on server side by adding %v4:!a.b.c.0/24
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> # OE is now off by default. Uncomment and change to on, to enable.
> OE=off
> # which IPsec stack to use. netkey,klips,mast,auto or none
> protostack=netkey
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> # overridemtu=1410
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> # Add connections here
>
>
> conn %default
> keyingtries=3
> compress=yes
> disablearrivalcheck=no
> authby=secret
> type=tunnel
> keyexchange=ike
> ikelifetime=240m
> keylife=60m
> conn roadwarrior-all
> leftsubnet=0.0.0.0/0
> also=roadwarrior
> conn roadwarrior-l2tp
> leftprotoport=17/0
> rightprotoport=17/1701
> also=roadwarrior
> conn roadwarrior-l2tp-macosx
> leftprotoport=17/1701
> rightprotoport=17/%any
> also=roadwarrior
> conn roadwarrior-l2tp-updatedwin
> leftprotoport=17/1701
> rightprotoport=17/1701
> also=roadwarrior
> conn roadwarrior
> pfs=no
> left=192.168.1.21
> leftnexthop=192.168.1.254
> right=%any
> auto=add
>
>
> And here's the log. It seems IPsec got established but not the L2TP.
> I don't see anything being logged in the ppp directory.
>
> /var/log/secure
>
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
> Vendor ID payload [FRAGMENTATION]
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
> Vendor ID payload [Vid-Initial-Contact]
> Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> responding to Main Mode from unknown peer 10.10.10.41
> Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
> detected
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> Main mode peer ID is ID_IPV4_ADDR: '10.10.10.41'
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> the peer proposed: 192.168.1.21/32:0/0 -> 10.10.10.41/32:0/0
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: responding to Quick Mode proposal {msgid:31e7faf3}
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: us: 192.168.1.21<192.168.1.21>[+S=C]:17/0---192.168.1.254
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: them: 10.10.10.41[+S=C]:17/1701
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
> #10: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf954264a
> <0xd247dca8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
> DPD=enabled}
> Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> received Delete SA(0xf954264a) payload: deleting IPSEC State #10
> Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.41
> {isakmp=#0/ipsec=#0}
> Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> received and ignored informational message
> Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
> received Delete SA payload: deleting ISAKMP State #9
> Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41:
> deleting connection "roadwarrior-all" instance with peer 10.10.10.41
> {isakmp=#0/ipsec=#0}
> Jan 30 09:45:32 test pluto[26674]: packet from 10.10.10.41:500: received
> and ignored informational message
>
>
> Your help on this will be greatly appreciated. Let me know if you need
> more information.
>
> Thanks.
>
> Arnel
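As an added triage example (not part of this thread and not Openswan code): the tell-tale pattern in the log above is an IPsec SA that is established and then deleted by the peer five seconds later, which matches the symptom of the tunnel coming up while L2TP never does. The script below parses pluto syslog lines and flags IPsec SAs that lived less than a configurable number of seconds; the sample input is a constructed, condensed copy of the lines quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample: a condensed copy of the pluto lines quoted above
# (same connection names, state numbers, SPI and timestamps).
SAMPLE_LOG = """\
Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9: responding to Main Mode from unknown peer 10.10.10.41
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41 #10: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf954264a <0xd247dca8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9: received Delete SA(0xf954264a) payload: deleting IPSEC State #10
Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9: received Delete SA payload: deleting ISAKMP State #9
"""

# One pluto line with a connection instance and a state number (#N).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$'
)
DELETE_RE = re.compile(r'deleting IPSEC State #(\d+)')


def short_lived_ipsec_sas(log_text, max_lifetime=30):
    """Return (peer, conn, state, seconds) for each IPsec SA that was
    established and then deleted by the peer within max_lifetime seconds.
    A peer-initiated delete a few seconds after QUICK_R2 usually means the
    protocol carried inside the tunnel (here L2TP) never came up."""
    established = {}   # state number -> (time established, peer, conn)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; fine for intra-day triage.
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
        if 'IPsec SA established' in m['msg']:
            established[m['state']] = (ts, m['peer'], m['conn'])
        d = DELETE_RE.search(m['msg'])
        # The delete is logged under the ISAKMP state (#9), so the
        # IPsec state being torn down is taken from the message text.
        if d and d.group(1) in established:
            t0, peer, conn = established.pop(d.group(1))
            age = (ts - t0).total_seconds()
            if age <= max_lifetime:
                findings.append((peer, conn, d.group(1), age))
    return findings


if __name__ == '__main__':
    for peer, conn, state, age in short_lived_ipsec_sas(SAMPLE_LOG):
        print(f'{peer} {conn} #{state}: IPsec SA deleted after {age:.0f}s')
```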