[Openswan Users] xl2tpd or openswan error?

Felipe Alcacibar falcacibar at gmail.com
Tue Jul 14 10:06:54 EDT 2009


Hi, I am trying to set up a VPN on my server but I get some errors. I have tried many ways to look, debug, etc., but I cannot find why it does not connect: xl2tpd cannot run the ppp daemon, it gets stuck, and it does not deliver a message to me either.

Thanks in advance.

[Info]

internal net = 192.168.0.0/24
external net = 200.29.169.210/32

Server and WinXP SP3 client config based on the manual at:
http://wiki.neocortex.dk/index.php/Setup_your_Gentoo_linux_as_VPN_server


Gentoo Linux
OpenSwan 2.4.14
Linux Kernel 2.6.18-xen-r12 with NETKEY stack
xl2tpd 1.2.4
ppp 2.4.4-r22

-- file ipsec.conf
version 2.0
config setup
       nat_traversal=yes
       nhelpers=0
       interfaces=%defaultroute
       overridemtu=1410
       virtual_private=%v4:10.0.0.1/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
       uniqueids=yes

conn %default
       keyingtries=3
       compress=no
       disablearrivalcheck=no
       keyexchange=ike
       ikelifetime=240m
       keylife=60m

conn l2tp-winxp
       leftprotoport=17/1701
       rightprotoport=17/%any
       rekey=no
       also=roadwarrior

conn roadwarrior
       authby=secret
       pfs=no
       type=tunnel
       left=%defaultroute
       right=%any
       rightsubnet=vhost:%no,%priv
       auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf


-- file xl2tpd.conf
[global]
port=1701
listen-addr = 200.29.169.210
access control = yes
debug avp = yes
debug network = yes
debug packet  = yes
debug state  = yes
debug tunnel = yes

[lns default]
ip range = 192.168.0.205-192.168.0.215
local ip = 192.168.0.211
require chap = yes
refuse pap = yes
require authentication = yes
name = arda
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
ppp debug = yes
challenge = yes

-- file options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.253
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent

-- file chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
counter         *       "}@#~!*^"        * #192.168.0.0/16
*               counter "}@#~!*^"        * # 192.168.0.0/16

-- log output

#tail -f /var/log/*.log
==> /var/log/auth.log <==
Jul 14 09:51:35 arda pluto[6714]: shutting down
Jul 14 09:51:35 arda pluto[6714]: forgetting secrets
Jul 14 09:51:35 arda pluto[6714]: "l2tp-winxp": deleting connection
Jul 14 09:51:35 arda pluto[6714]: "roadwarrior": deleting connection
Jul 14 09:51:35 arda pluto[6714]: shutting down interface lo/lo ::1:500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface eth0/eth0 200.29.169.210:4500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface eth0/eth0 200.29.169.210:500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface eth0:1/eth0:1 200.29.169.211:4500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface eth0:1/eth0:1 200.29.169.211:500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface eth1/eth1 192.168.0.253:4500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface eth1/eth1 192.168.0.253:500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface lo/lo 127.0.0.1:4500
Jul 14 09:51:35 arda pluto[6714]: shutting down interface lo/lo 127.0.0.1:500

==> /var/log/daemon.log <==
Jul 14 09:51:35 arda ipsec_setup: Stopping Openswan IPsec...

==> /var/log/auth.log <==
Jul 14 09:51:36 arda ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
Jul 14 09:51:36 arda ipsec__plutorun: Starting Pluto subsystem...
Jul 14 09:51:36 arda pluto[7246]: Starting Pluto (Openswan Version 2.4.14 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEjy^\177ZirVrM)
Jul 14 09:51:36 arda pluto[7246]: Setting NAT-Traversal port-4500 floating to on
Jul 14 09:51:36 arda pluto[7246]:    port floating activation criteria nat_t=1/port_fload=1
Jul 14 09:51:36 arda pluto[7246]:   including NAT-Traversal patch (Version 0.6c)
Jul 14 09:51:36 arda pluto[7246]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 14 09:51:36 arda pluto[7246]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 14 09:51:36 arda pluto[7246]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 14 09:51:36 arda pluto[7246]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 14 09:51:36 arda pluto[7246]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul 14 09:51:36 arda pluto[7246]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 14 09:51:36 arda pluto[7246]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 14 09:51:36 arda pluto[7246]: no helpers will be started, all cryptographic operations will be done inline
Jul 14 09:51:36 arda pluto[7246]: Using NETKEY IPsec interface code on 2.6.18-xen-r12
Jul 14 09:51:36 arda pluto[7246]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Jul 14 09:51:36 arda pluto[7246]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Jul 14 09:51:36 arda pluto[7246]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Jul 14 09:51:36 arda pluto[7246]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Jul 14 09:51:36 arda pluto[7246]:   Warning: empty directory
Jul 14 09:51:36 arda pluto[7246]: loading secrets from "/etc/ipsec/ipsec.secrets"
Jul 14 09:51:36 arda pluto[7246]: added connection description "roadwarrior"
Jul 14 09:51:37 arda pluto[7246]: added connection description "l2tp-winxp"
Jul 14 09:51:37 arda pluto[7246]: listening for IKE messages
Jul 14 09:51:37 arda pluto[7246]: adding interface lo/lo 127.0.0.1:500
Jul 14 09:51:37 arda pluto[7246]: adding interface lo/lo 127.0.0.1:4500
Jul 14 09:51:37 arda pluto[7246]: adding interface eth1/eth1 192.168.0.253:500
Jul 14 09:51:37 arda pluto[7246]: adding interface eth1/eth1 192.168.0.253:4500
Jul 14 09:51:37 arda pluto[7246]: adding interface eth0:1/eth0:1 200.29.169.211:500
Jul 14 09:51:37 arda pluto[7246]: adding interface eth0:1/eth0:1 200.29.169.211:4500
Jul 14 09:51:37 arda pluto[7246]: adding interface eth0/eth0 200.29.169.210:500
Jul 14 09:51:37 arda pluto[7246]: adding interface eth0/eth0 200.29.169.210:4500
Jul 14 09:51:37 arda pluto[7246]: adding interface lo/lo ::1:500
Jul 14 09:51:37 arda pluto[7246]: forgetting secrets
Jul 14 09:51:37 arda pluto[7246]: loading secrets from "/etc/ipsec/ipsec.secrets"

==> /var/log/daemon.log <==
Jul 14 09:51:36 arda ipsec_setup: ...Openswan IPsec stopped
Jul 14 09:51:36 arda ipsec_setup: Starting Openswan IPsec U2.4.14/K2.6.18-xen-r12...
Jul 14 09:51:36 arda ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack
Jul 14 09:51:36 arda ipsec_setup: NETKEY on eth0 200.29.169.210/255.255.255.248 broadcast 200.29.169.215 mtu 1410
Jul 14 09:51:36 arda ipsec_setup: ...Openswan IPsec started
Jul 14 09:51:36 arda xl2tpd[6441]: death_handler: Fatal signal 15 received
Jul 14 09:51:37 arda xl2tpd[7413]: setsockopt recvref[22]: Protocol not available
Jul 14 09:51:37 arda xl2tpd[7413]: This binary does not support kernel L2TP.
Jul 14 09:51:37 arda xl2tpd[7414]: xl2tpd version xl2tpd-1.2.4 started on arda PID:7414
Jul 14 09:51:37 arda xl2tpd[7414]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jul 14 09:51:37 arda xl2tpd[7414]: Forked by Scott Balmos and David Stipp, (C) 2001
Jul 14 09:51:37 arda xl2tpd[7414]: Inherited by Jeff McAdams, (C) 2002
Jul 14 09:51:37 arda xl2tpd[7414]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jul 14 09:51:37 arda xl2tpd[7414]: Listening on IP address 200.29.169.210, port 1701

==> /var/log/auth.log <==
Jul 14 09:51:44 arda pluto[7246]: packet from 201.241.98.12:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 14 09:51:44 arda pluto[7246]: packet from 201.241.98.12:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 14 09:51:44 arda pluto[7246]: packet from 201.241.98.12:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 14 09:51:44 arda pluto[7246]: packet from 201.241.98.12:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 14 09:51:44 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: responding to Main Mode from unknown peer 201.241.98.12
Jul 14 09:51:44 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 09:51:44 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: Main mode peer ID is ID_IPV4_ADDR: '201.241.98.12'
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: I did not send a certificate because I do not have one.
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 14 09:51:45 arda pluto[7246]: "l2tp-winxp"[1] 201.241.98.12 #2: responding to Quick Mode {msgid:e7d228d2}
Jul 14 09:51:45 arda pluto[7246]: "l2tp-winxp"[1] 201.241.98.12 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 14 09:51:45 arda pluto[7246]: "l2tp-winxp"[1] 201.241.98.12 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 14 09:51:45 arda pluto[7246]: "l2tp-winxp"[1] 201.241.98.12 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 14 09:51:45 arda pluto[7246]: "l2tp-winxp"[1] 201.241.98.12 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x4a19da9c <0x293b8846 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: received Delete SA(0x4a19da9c) payload: deleting IPSEC State #2
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: deleting connection "l2tp-winxp" instance with peer 201.241.98.12 {isakmp=#0/ipsec=#0}
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: received and ignored informational message
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: received Delete SA payload: deleting ISAKMP State #1
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12: deleting connection "roadwarrior" instance with peer 201.241.98.12 {isakmp=#0/ipsec=#0}
Jul 14 09:51:45 arda pluto[7246]: packet from 201.241.98.12:500: received and ignored informational message

==> /var/log/daemon.log <==
Jul 14 09:51:45 arda xl2tpd[7414]: network_thread: recv packet from 201.241.98.12, size = 100, tunnel = 0, call = 0 ref=0 refhim=0
Jul 14 09:51:45 arda xl2tpd[7414]: get_call: allocating new tunnel for host 201.241.98.12, port 1701.
Jul 14 09:51:45 arda xl2tpd[7414]: handle_avps: handling avp's for tunnel 12681, call 0
Jul 14 09:51:45 arda xl2tpd[7414]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Jul 14 09:51:45 arda xl2tpd[7414]: protocol_version_avp: peer is using version 1, revision 0.
Jul 14 09:51:45 arda xl2tpd[7414]: framing_caps_avp: supported peer frames: sync
Jul 14 09:51:45 arda xl2tpd[7414]: bearer_caps_avp: supported peer bearers:
Jul 14 09:51:45 arda xl2tpd[7414]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
Jul 14 09:51:45 arda xl2tpd[7414]: hostname_avp: peer reports hostname 'destiny'
Jul 14 09:51:45 arda xl2tpd[7414]: vendor_avp: peer reports vendor 'Microsoft'
Jul 14 09:51:45 arda xl2tpd[7414]: assigned_tunnel_avp: using peer's tunnel 43
Jul 14 09:51:45 arda xl2tpd[7414]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
Jul 14 09:51:45 arda xl2tpd[7414]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 43, call is 0.
Jul 14 09:51:45 arda xl2tpd[7414]: control_finish: Denied connection to unauthorized peer 201.241.98.12
Jul 14 09:51:45 arda xl2tpd[7414]: network_thread: bad packet
Jul 14 09:51:45 arda xl2tpd[7414]: build_fdset: closing down tunnel 12681
Jul 14 09:51:45 arda xl2tpd[7414]: Connection 43 closed to 201.241.98.12, port 1701 (No Authorization)
Jul 14 09:51:45 arda xl2tpd[7414]: network_thread: recv packet from 201.241.98.12, size = 12, tunnel = 0, call = 0 ref=0 refhim=0
Jul 14 09:51:45 arda xl2tpd[7414]: get_call: allocating new tunnel for host 201.241.98.12, port 1701.
Jul 14 09:51:45 arda xl2tpd[7414]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Jul 14 09:51:45 arda xl2tpd[7414]: handle_packet: bad control packet!
Jul 14 09:51:45 arda xl2tpd[7414]: network_thread: bad packet
Jul 14 09:51:45 arda xl2tpd[7414]: build_fdset: closing down tunnel 61815
Jul 14 09:51:46 arda xl2tpd[7414]: network_thread: select timeout
Jul 14 09:51:47 arda xl2tpd[7414]: network_thread: select timeout
Jul 14 09:51:48 arda xl2tpd[7414]: network_thread: select timeout
Jul 14 09:51:49 arda xl2tpd[7414]: network_thread: select timeout
Jul 14 09:51:50 arda xl2tpd[7414]: network_thread: select timeout
Jul 14 09:51:50 arda xl2tpd[7414]: Unable to deliver closing messagefor tunnel 12681. Destroying anyway.
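Editor's note, added to this archived post and not part of Felipe's message or of the Openswan/xl2tpd projects: the logs above split into two phases that are easy to conflate. pluto brings the ISAKMP SA and the IPsec SA up with 201.241.98.12 and only tears them down after receiving Delete SA payloads from the peer, while xl2tpd refuses the very first L2TP control message (the SCCRQ) with "Denied connection to unauthorized peer" and closes tunnel 43 with "No Authorization". The script below parses exactly those log lines (copied from the post, with the archive's line wraps re-joined) and the [global]/[lns default] settings from the posted xl2tpd.conf, and separates the IPsec findings from the L2TP findings. Two readings in it are the editor's, not the poster's: that "No Authorization" is xl2tpd's access-control refusal triggered by `access control = yes` when no `lac = <range>` line in the [lns] section covers the peer (check xl2tpd.conf(5) for the 1.2.4 keyword), and that `local ip = 192.168.0.211` sitting inside `ip range = 192.168.0.205-192.168.0.215` is worth fixing regardless. Function and constant names are the editor's own.

```python
"""Triage helper for the pluto + xl2tpd log excerpt above (added example)."""
import re
import ipaddress
from collections import namedtuple

# Copied from the post (wrapped lines re-joined); only the lines the triage reads.
SAMPLE_LOG = """\
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 14 09:51:45 arda pluto[7246]: "l2tp-winxp"[1] 201.241.98.12 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x4a19da9c <0x293b8846 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jul 14 09:51:45 arda pluto[7246]: "roadwarrior"[1] 201.241.98.12 #1: received Delete SA(0x4a19da9c) payload: deleting IPSEC State #2
Jul 14 09:51:45 arda xl2tpd[7414]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Jul 14 09:51:45 arda xl2tpd[7414]: control_finish: Denied connection to unauthorized peer 201.241.98.12
Jul 14 09:51:45 arda xl2tpd[7414]: Connection 43 closed to 201.241.98.12, port 1701 (No Authorization)
"""

# The settings from the posted xl2tpd.conf that the config checks look at.
SAMPLE_XL2TPD_CONF = """\
[global]
access control = yes
[lns default]
ip range = 192.168.0.205-192.168.0.215
local ip = 192.168.0.211
"""

# "Jul 14 09:51:45 arda xl2tpd[7414]: message" (pid is absent for ipsec_setup lines)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
Entry = namedtuple("Entry", "ts host prog pid msg")


def parse_syslog(text):
    """Parse syslog-style lines; 'tail -f' file headers and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            out.append(Entry(*(m.group(k) for k in ("ts", "host", "prog", "pid", "msg"))))
    return out


def ipsec_phase(entries):
    """What pluto reported: which SAs came up and whether the peer later deleted them."""
    s = {"peer": None, "isakmp_sa": False, "ipsec_sa": False, "peer_deleted": False}
    for e in entries:
        if e.prog != "pluto":
            continue
        m = re.search(r'"[^"]+"\[\d+\] (\d+\.\d+\.\d+\.\d+)', e.msg)
        if m:
            s["peer"] = m.group(1)
        if "ISAKMP SA established" in e.msg:
            s["isakmp_sa"] = True
        elif "IPsec SA established" in e.msg:
            s["ipsec_sa"] = True
        elif "received Delete SA" in e.msg:
            s["peer_deleted"] = True
    return s


def l2tp_phase(entries):
    """What xl2tpd did with the tunnel request: SCCRQ seen, refusal, close reason."""
    s = {"sccrq_seen": False, "denied_peer": None, "close_reason": None}
    for e in entries:
        if e.prog != "xl2tpd":
            continue
        if "Start-Control-Connection-Request" in e.msg:
            s["sccrq_seen"] = True
        m = re.search(r"Denied connection to unauthorized peer (\S+)", e.msg)
        if m:
            s["denied_peer"] = m.group(1)
        m = re.search(r"Connection \d+ closed to \S+, port \d+ \((.+)\)", e.msg)
        if m:
            s["close_reason"] = m.group(1)
    return s


def access_control_without_lac(conf):
    """Editor's reading of xl2tpd: 'access control = yes' with no 'lac =' line
    means no LAC is whitelisted, so every SCCRQ is refused."""
    on = re.search(r"^\s*access control\s*=\s*yes\b", conf, re.M | re.I)
    lac = re.search(r"^\s*lac\s*=", conf, re.M | re.I)
    return bool(on) and not lac


def local_ip_in_pool(conf):
    """True when the LNS's own 'local ip' lies inside the 'ip range' client pool."""
    rng = re.search(r"^\s*ip range\s*=\s*(\S+)-(\S+)", conf, re.M)
    loc = re.search(r"^\s*local ip\s*=\s*(\S+)", conf, re.M)
    if not (rng and loc):
        return None
    lo, hi = (int(ipaddress.ip_address(a)) for a in rng.groups())
    return lo <= int(ipaddress.ip_address(loc.group(1))) <= hi


def triage(log_text, conf_text):
    """Return findings as strings, IPsec side first, then L2TP, then config."""
    entries = parse_syslog(log_text)
    ipsec, l2tp = ipsec_phase(entries), l2tp_phase(entries)
    f = []
    if ipsec["isakmp_sa"] and ipsec["ipsec_sa"]:
        f.append("ipsec: ISAKMP and IPsec SAs came up with %s; IKE/ESP is not the blocker" % ipsec["peer"])
    if l2tp["denied_peer"]:
        f.append("xl2tpd: SCCRQ from %s refused by access control (%s)" % (l2tp["denied_peer"], l2tp["close_reason"]))
        if access_control_without_lac(conf_text):
            f.append("xl2tpd.conf: 'access control = yes' but no 'lac =' line in [lns default]; add one covering the peer or set 'access control = no'")
    if local_ip_in_pool(conf_text):
        f.append("xl2tpd.conf: 'local ip' lies inside 'ip range'; move it outside the client pool")
    return f


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_XL2TPD_CONF):
        print(finding)
```

Run it against a fuller `tail` capture by passing the whole auth.log/daemon.log text to `triage()`; the parser ignores the `==> file <==` headers. The point of keeping `ipsec_phase` and `l2tp_phase` separate is that an established IPsec SA followed by a peer-initiated delete, as in this log, says nothing about IKE itself and everything about what happened on UDP/1701 inside the tunnel.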

