[Openswan Users] Troubleshooting assistance on openswan 2.6.19
Arnel B. Espanola
aespanola at arts.ucla.edu
Fri Jan 30 13:57:08 EST 2009
Hello there,
I've been running this version of Openswan on Fedora 6 for a while
without a problem. And I'm using xl2tpd-1.1.11-2.fc6 for L2TP.
Linux Openswan U2.4.5/K2.6.22.14-72.fc6 (netkey)
But recently I decided to install the latest version of Openswan on
CentOS5 and I'm having issues with it and I couldn't find the solution
for it. And I installed L2TP from source, l2tpd-0.69cvs20051030-1jdl.
Not sure if the L2TP is what causing the problem.
Linux Openswan U2.6.19/K2.6.18-92.1.22.el5 (netkey)
I just copied the my ipsec.config from old version. And kept some
default config from the new version.
/etc/ipsec.conf
config setup
# Do not set debug= options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Only enable *debug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
# OE is now off by default. Uncomment and change to on, to enable.
OE=off
# which IPsec stack to use. netkey,klips,mast,auto or none
protostack=netkey
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
# overridemtu=1410
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
# Add connections here
conn %default
keyingtries=3
compress=yes
disablearrivalcheck=no
authby=secret
type=tunnel
keyexchange=ike
ikelifetime=240m
keylife=60m
conn roadwarrior-all
leftsubnet=0.0.0.0/0
also=roadwarrior
conn roadwarrior-l2tp
leftprotoport=17/0
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior-l2tp-macosx
leftprotoport=17/1701
rightprotoport=17/%any
also=roadwarrior
conn roadwarrior-l2tp-updatedwin
leftprotoport=17/1701
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior
pfs=no
left=192.168.1.21
leftnexthop=192.168.1.254
right=%any
auto=add
and here's the log. and it seems ipsec got established but not the L2TP.
I don't see anything being logged in ppp directory.
/var/log/secure
Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
Vendor ID payload [FRAGMENTATION]
Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
responding to Main Mode from unknown peer 10.10.10.41
Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
Main mode peer ID is ID_IPV4_ADDR: '10.10.10.41'
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
the peer proposed: 192.168.1.21/32:0/0 -> 10.10.10.41/32:0/0
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: responding to Quick Mode proposal {msgid:31e7faf3}
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: us: 192.168.1.21<192.168.1.21>[+S=C]:17/0---192.168.1.254
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: them: 10.10.10.41[+S=C]:17/1701
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf954264a
<0xd247dca8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
DPD=enabled}
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
received Delete SA(0xf954264a) payload: deleting IPSEC State #10
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.41
{isakmp=#0/ipsec=#0}
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
received and ignored informational message
Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
received Delete SA payload: deleting ISAKMP State #9
Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41:
deleting connection "roadwarrior-all" instance with peer 10.10.10.41
{isakmp=#0/ipsec=#0}
Jan 30 09:45:32 test pluto[26674]: packet from 10.10.10.41:500: received
and ignored informational message
Your help on this will be greatly appreciated. Let me know if you need
more information.
Thanks.
Arnel
More information about the Users
mailing list