[Openswan Users] Troubleshooting assistance on openswan 2.6.19

Arnel B. Espanola aespanola at arts.ucla.edu
Fri Jan 30 13:57:08 EST 2009


Hello there,

I've been running this version of Openswan on Fedora 6 for a while
without a problem. And I'm using xl2tpd-1.1.11-2.fc6 for L2TP.

Linux Openswan U2.4.5/K2.6.22.14-72.fc6 (netkey)

But recently I decided to install the latest version of Openswan on
CentOS5 and I'm having issues with it and I couldn't find the solution
for it. And I installed L2TP from source, l2tpd-0.69cvs20051030-1jdl.
Not sure if the L2TP is what causing the problem.

Linux Openswan U2.6.19/K2.6.18-92.1.22.el5 (netkey)


I just copied the my ipsec.config from old version. And kept some
default config from the new version.


/etc/ipsec.conf


config setup
	# Do not set debug= options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Only enable *debug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
	# OE is now off by default. Uncomment and change to on, to enable.
	OE=off
	# which IPsec stack to use. netkey,klips,mast,auto or none
	protostack=netkey
	 interfaces=%defaultroute
     klipsdebug=none
     plutodebug=none
    #  overridemtu=1410
     protostack=netkey
     nat_traversal=yes
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Add connections here


conn %default
     keyingtries=3
     compress=yes
     disablearrivalcheck=no
     authby=secret
     type=tunnel
     keyexchange=ike
     ikelifetime=240m
     keylife=60m
conn roadwarrior-all
     leftsubnet=0.0.0.0/0
     also=roadwarrior
conn roadwarrior-l2tp
     leftprotoport=17/0
     rightprotoport=17/1701
     also=roadwarrior
conn roadwarrior-l2tp-macosx
     leftprotoport=17/1701
     rightprotoport=17/%any
     also=roadwarrior
conn roadwarrior-l2tp-updatedwin
     leftprotoport=17/1701
     rightprotoport=17/1701
     also=roadwarrior
conn roadwarrior
     pfs=no
     left=192.168.1.21
     leftnexthop=192.168.1.254
     right=%any
     auto=add


and here's the log. and it seems ipsec got established but not the L2TP.
I don't see anything being logged in ppp directory.

/var/log/secure

Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
Vendor ID payload [FRAGMENTATION]
Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 30 09:45:25 test pluto[26674]: packet from 10.10.10.41:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
responding to Main Mode from unknown peer 10.10.10.41
Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 30 09:45:25 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
STATE_MAIN_R1: sent MR1, expecting MI2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
STATE_MAIN_R2: sent MR2, expecting MI3
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
Main mode peer ID is ID_IPV4_ADDR: '10.10.10.41'
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
the peer proposed: 192.168.1.21/32:0/0 -> 10.10.10.41/32:0/0
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: responding to Quick Mode proposal {msgid:31e7faf3}
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10:     us: 192.168.1.21<192.168.1.21>[+S=C]:17/0---192.168.1.254
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10:   them: 10.10.10.41[+S=C]:17/1701
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 30 09:45:26 test pluto[26674]: "roadwarrior-l2tp"[3] 10.10.10.41
#10: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf954264a
<0xd247dca8 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500
DPD=enabled}
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
received Delete SA(0xf954264a) payload: deleting IPSEC State #10
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.41
{isakmp=#0/ipsec=#0}
Jan 30 09:45:31 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
received and ignored informational message
Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41 #9:
received Delete SA payload: deleting ISAKMP State #9
Jan 30 09:45:32 test pluto[26674]: "roadwarrior-all"[4] 10.10.10.41:
deleting connection "roadwarrior-all" instance with peer 10.10.10.41
{isakmp=#0/ipsec=#0}
Jan 30 09:45:32 test pluto[26674]: packet from 10.10.10.41:500: received
and ignored informational message


Your help on this will be greatly appreciated. Let me know if you need
more information.

Thanks.

Arnel



More information about the Users mailing list