[Openswan Users] status of bug with nat-t and l2tpd -

weirauch at checkmobile.de weirauch at checkmobile.de
Mon Feb 16 04:03:11 EST 2009 

hi, 
is it sure, that the nat-t xl2tpd connection is not working in a netkey 
enviroment?
(there were several entries in the mailing list refering to the following 
bug: http://bugs.xelerance.com/view.php?id=1004)
but i simply cannot believe that such a "basic" functionality (l2tp with 
internal ip and ipsec on external device) does not work. I try since 3 
weeks to get this configuration running (with the help of jacoos web page 
and the book of paul) but there seems to be an error all the time - maybe 
the wrong kernel route from ipsec?? (but if that would really be the bug, 
how come that jacoo and the openswan book both describe this type of 
setup? did it work in earlier times?)

here is my configuration and the log file:
Linux Openswan U2.6.20/K2.6.25.20-0.1-debug (netkey)

ipsec.conf:
========
config setup
        plutodebug="private"
        nat_traversal=yes
 
virtual_private=%v4:10.0.0.0/8,%v4:!192.168.229.0/24,%v4:172.31.13.0/24,%v4:192.168.178.0/24

conn nw-l2tp-psk
        left=87.253.184.140
        #left=%defaultroute
        #leftsubnet=192.168.229.0/24
        leftnexthop=87.253.184.28
        leftprotoport=17/1701
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        right=%any
        auto=add
        authby=secret
        pfs=no

xl2tpd.conf
========
[global]
listen-addr = 192.168.229.128
ipsec saref = yes
debug tunnel = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes

[lns default]
ip range = 192.168.229.18-192.168.229.100
local ip = 192.168.229.128
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNPW_NW
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
tunnel rws = 4

options.xl2tpd
===========
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.229.1
ms-dns  213.191.74.18
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

/var/log/messages
==============
Feb 16 09:31:22 vpn pluto[15792]: "nw-l2tp-psk"[2] 85.182.252.146 #803: 
max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or 
no acceptable response) to our first IKE message
Feb 16 09:31:22 vpn pluto[15792]: "nw-l2tp-psk"[2] 85.182.252.146 #803: 
starting keying attempt 399 of an unlimited number
Feb 16 09:31:22 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:31:22 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:31:22 vpn pluto[15792]: "nw-l2tp-psk"[2] 85.182.252.146 #805: 
initiating Main Mode to replace #803
Feb 16 09:31:22 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:31:32 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:31:32 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:32:02 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:32:32 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:32:42 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:32:42 vpn pluto[15792]: "nw-l2tp-psk"[3] 85.182.252.146 #804: 
max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or 
no acceptable response) to our first IKE message
Feb 16 09:32:42 vpn pluto[15792]: "nw-l2tp-psk"[3] 85.182.252.146 #804: 
starting keying attempt 399 of an unlimited number
Feb 16 09:32:42 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:32:42 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:32:42 vpn pluto[15792]: "nw-l2tp-psk"[3] 85.182.252.146 #806: 
initiating Main Mode to replace #804
Feb 16 09:32:52 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:33:12 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:33:12 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:33:12 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:33:52 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:34:20 vpn sshd[8072]: Accepted keyboard-interactive/pam for root 
from 192.168.229.1 port 14883 ssh2
Feb 16 09:34:32 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:34:32 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: received 
Vendor ID payload [RFC 3947] method set to=109 
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: ignoring 
unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: ignoring 
unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: ignoring 
unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: ignoring 
unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: ignoring 
unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already 
using method 110
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already 
using method 110
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already 
using method 110
Feb 16 09:34:41 vpn pluto[15792]: packet from 85.182.252.146:1: received 
Vendor ID payload [Dead Peer Detection]
Feb 16 09:34:41 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:41 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
responding to Main Mode from unknown peer 85.182.252.146
Feb 16 09:34:41 vpn pluto[15792]: | Preshared Key  6d 6f 6e 64  72 61 6c 
69  6e 21
Feb 16 09:34:41 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 16 09:34:41 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
STATE_MAIN_R1: sent MR1, expecting MI2
Feb 16 09:34:41 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:41 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is 
NATed
Feb 16 09:34:42 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:42 vpn pluto[15792]: | Preshared Key  6d 6f 6e 64  72 61 6c 
69  6e 21
Feb 16 09:34:42 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 16 09:34:42 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
STATE_MAIN_R2: sent MR2, expecting MI3
Feb 16 09:34:42 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:42 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:42 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
Main mode peer ID is ID_IPV4_ADDR: '172.31.13.10'
Feb 16 09:34:43 vpn pluto[15792]: | Preshared Key  6d 6f 6e 64  72 61 6c 
69  6e 21
Feb 16 09:34:43 vpn pluto[15792]: | Preshared Key  6d 6f 6e 64  72 61 6c 
69  6e 21
Feb 16 09:34:43 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 16 09:34:43 vpn pluto[15792]: | processing connection nw-l2tp-psk[3] 
85.182.252.146
Feb 16 09:34:43 vpn pluto[15792]: | processing connection nw-l2tp-psk[2] 
85.182.252.146
Feb 16 09:34:43 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:43 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
new NAT mapping for #807, was 85.182.252.146:1, now 85.182.252.146:4500
Feb 16 09:34:43 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 16 09:34:43 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:43 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Feb 16 09:34:43 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
received and ignored informational message
Feb 16 09:34:44 vpn pluto[15792]: | processing connection nw-l2tp-psk[4] 
85.182.252.146
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[4] 85.182.252.146 #807: 
the peer proposed: 87.253.184.140/32:17/1701 -> 172.31.13.10/32:17/52917
Feb 16 09:34:44 vpn pluto[15792]: | processing connection nw-l2tp-psk[5] 
85.182.252.146
Feb 16 09:34:44 vpn syslog-ng[2130]: last message repeated 2 times
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[5] 85.182.252.146 #808: 
responding to Quick Mode proposal {msgid:4f9a7cca}
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[5] 85.182.252.146 #808:  
us: 87.253.184.140<87.253.184.140>[+S=C]:17/1701---87.253.184.28
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[5] 85.182.252.146 #808: 
them: 85.182.252.146[172.31.13.10,+S=C]:17/49674===172.31.13.10/32
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[5] 85.182.252.146 #808: 
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[5] 85.182.252.146 #808: 
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 16 09:34:44 vpn pluto[15792]: | processing connection nw-l2tp-psk[5] 
85.182.252.146
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[5] 85.182.252.146 #808: 
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 16 09:34:44 vpn pluto[15792]: "nw-l2tp-psk"[5] 85.182.252.146 #808: 
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0a0db4f5 
<0x7fe0482c xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=85.182.252.146:4500 
DPD=none}


after that there is silence...
thank you a lot for any comment and help!

regards,
philipp

More information about the Users mailing list