[Openswan Users] Openswan/xl2tpd issue with nated roadwarriors
Sebastian Gomez Velasco
blass_sgv at hotmail.com
Sat Jun 20 12:11:13 EDT 2009
Hello openswan users.

I'm trying to set up a VPN server with Openswan 2.6.14 and xl2tpd 1.2.4, on a CentOS 5.2 with kernel 2.6.29. I want to connect multiple roadwarriors (Windows XP and Windows Vista) that may or may not be NATed. First I tried with roadwarriors that are not NATed, and it works fine. When I tried with roadwarriors that are NATed, I added this line to my ipsec.conf file:

rightsubnet=vhost:%no,%priv

(I have tried with rightid and leftid; the result is the same.)

Doing this, my connections fail. In my /var/log/secure file I found this:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x74cb12e6 <0xb9e57168 xfrm=3DES_0-HMAC_MD5 NATOA=10.0.0.20 NATD=190.154.77.1:4500 DPD=none}

so the connection with IPsec works.
In my /var/log/messages file, I found this:

Jun 10 16:45:39 VPN xl2tpd[4867]: Maximum retries exceeded for tunnel 59111. Closing.
Jun 10 16:45:47 VPN xl2tpd[4867]: Connection 1 closed to 190.154.77.1, port 1701 (Timeout)

Only these two lines for each connection attempt.

I get error 678 in Windows XP, and error 809 in Windows Vista; both say that the remote server is not responding.
I thought it was a firewall issue, so I tried the connection with a roadwarrior that is not NATed, and I got the same messages in /var/log/secure and /var/log/messages (I even tried a direct connection between the roadwarrior and the VPN server).

Then I commented out the line rightsubnet=vhost:%no,%priv (and the rightid and leftid lines), and again my connection works!!! But I need the connection with NATed roadwarriors.

If someone knows the answer, please reply.

PS: I'm not using any patch, and I have added the registry key AssumeUDPEncapsulationContextOnSendRule (2) on the roadwarriors.
ipsec.conf:

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    # overridemtu=1440
    nat_traversal=yes
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.80.0/24
    uniqueids=yes

conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    authby=secret
    pfs=no

conn roadwarrior-l2tp-updatewin
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp
    pfs=no
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

conn mac-l2tp
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior

conn roadwarrior
    type=tunnel
    forceencaps=yes
    left=190.154.77.146
    leftnexthop=190.154.77.1
    leftid=190.154.77.146
    right=%any
    rightsubnet=vhost:%no,%priv
    rightid=@Matrix
    # rightid=10.0.0.20
    auto=add

conn packetdefault
    auto=ignore

conn private
    auto=ignore

conn clear
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore
xl2tpd.conf:

[global]
port = 1701

[lns default]
ip range = 192.168.80.101-192.168.80.254
local ip = 192.168.80.100
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
options.xl2tpd:

ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
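A consistency check for the configuration quoted above, added here as an example; it is not code from the original post, from Openswan or from xl2tpd. It takes the post's own virtual_private value, xl2tpd address pool and pluto log line (embedded as constants), parses the %v4: entries of virtual_private into allowed and excluded networks, confirms that the client's NAT-OA (the inner address a NATed roadwarrior claims under rightsubnet=vhost:%no,%priv) is acceptable, and confirms that every address xl2tpd can hand out, plus its local ip, is excluded from virtual_private so no client can claim an inner address that collides with the server's L2TP subnet. The helper names are my own.

```python
"""Check virtual_private against the xl2tpd pool and pluto's NAT-OA.

Added example for this thread, not code from the original post or from
Openswan/xl2tpd.  The constants below are copied from the post."""
import ipaddress
import re

# From the post's ipsec.conf "config setup" section.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.80.0/24")

# From the post's xl2tpd.conf [lns default] section.
XL2TPD_IP_RANGE = "192.168.80.101-192.168.80.254"
XL2TPD_LOCAL_IP = "192.168.80.100"

# The pluto line the post quotes from /var/log/secure.
PLUTO_LINE = ("STATE_QUICK_R2: IPsec SA established tunnel mode "
              "{ESP/NAT=>0x74cb12e6 <0xb9e57168 xfrm=3DES_0-HMAC_MD5 "
              "NATOA=10.0.0.20 NATD=190.154.77.1:4500 DPD=none}")


def parse_virtual_private(value):
    """Split virtual_private into (allowed, excluded) IPv4 network lists.
    Entries look like %v4:net/len; a '!' after %v4: marks an exclusion."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # %v6 entries are outside this IPv4-only check
        spec = item[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(spec, strict=False))
    return allowed, excluded


def is_virtual_private(addr, value=VIRTUAL_PRIVATE):
    """True if addr may be a client's inner address under
    rightsubnet=vhost:%no,%priv: inside an allowed net, not excluded."""
    ip = ipaddress.ip_address(addr)
    allowed, excluded = parse_virtual_private(value)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


def l2tp_pool_excluded(ip_range=XL2TPD_IP_RANGE, local_ip=XL2TPD_LOCAL_IP,
                       value=VIRTUAL_PRIVATE):
    """Every address xl2tpd may assign, and its own local ip, must fall
    outside virtual_private; otherwise a roadwarrior could present one
    of them as its inner address and collide with the L2TP subnet."""
    first, last = (ipaddress.ip_address(a) for a in ip_range.split("-"))
    addrs = [ipaddress.ip_address(local_ip)]
    addrs += [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
    return all(not is_virtual_private(str(a), value) for a in addrs)


def natoa_from_pluto(line):
    """Pull the NAT-OA (the client's pre-NAT inner address) out of a pluto
    'IPsec SA established' line; None if the SA was not NAT-traversed."""
    m = re.search(r"\bNATOA=(\d+\.\d+\.\d+\.\d+)", line)
    return m.group(1) if m else None


def check_post():
    """Run all three checks against the values taken from the post."""
    natoa = natoa_from_pluto(PLUTO_LINE)
    return {
        "natoa": natoa,
        "natoa_in_virtual_private": is_virtual_private(natoa),
        "l2tp_pool_excluded": l2tp_pool_excluded(),
    }


if __name__ == "__main__":
    for key, val in check_post().items():
        print(f"{key}: {val}")
```

Run it as-is to check the posted values, or point the constants at your own ipsec.conf, xl2tpd.conf and a fresh pluto line; a False for l2tp_pool_excluded means virtual_private needs a %v4:! entry covering the L2TP pool, and a False for natoa_in_virtual_private means pluto will reject that client's vhost:%priv proposal.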