[Openswan Users] L2tp/ipsec connection issue

Hafeez Rehman hafeezr at msn.com
Sun Mar 8 15:39:18 EDT 2009


I have made some progress but it is strange to me. Maybe some of you
experts will have input on this. I can connect using the Windows L2TP/IPsec
client, but only while tcpdump is running on the WAN interface. I have tried
reducing the MTU on ipsec0, wan and ppp but it has no effect. This is a
test setup, all private IPs, no NAT.  If I test it in the real world on a
public IP, then I suppose I would need a NAT patch; I would need some
input on that too. Any help would be greatly appreciated.

Connects fine while tcpdump is running:

Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: responding to Main Mode from unknown peer 192.168.20.100
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 00:15:11 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Jan  1 00:15:13 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Jan  1 00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  1 00:15:16 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R2
Jan  1 00:15:18 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R2
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[879]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 4832039 usec
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: the peer proposed: 192.168.20.1/32:17/0 -> 192.168.20.100/32:17/1701
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: responding to Quick Mode proposal {msgid:01000000}
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4:     us: 192.168.20.1[+S=C]:17/0
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4:   them: 192.168.20.100[+S=C]:17/1701
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x5f46ef61 <0x4a92c57f xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:500 DPD=none}
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jan  1 00:15:22 OpenWrt daemon.notice xl2tpd[877]: Connection established to 192.168.20.100, 1701.  Local: 63325, Remote: 20 (ref=0/0).  LNS session is 'default'
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: start_pppd: I'm running:
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/usr/sbin/pppd"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "passive"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "-detach"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "192.168.1.1:192.168.1.10"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "refuse-pap"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "auth"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "require-chap"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "name"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "LinuxVPNserver"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "debug"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "file"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/etc/ppp/options.l2tpd"
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/dev/pts/2"
Jan  1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with 192.168.20.100, Local: 65211, Remote: 1, Serial: 0



Will not connect without tcpdump running:

Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: responding to Main Mode from unknown peer 192.168.20.100
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: the peer proposed: 192.168.20.1/32:0/0 -> 192.168.20.100/32:0/0
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: responding to Quick Mode proposal {msgid:01000000}
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2:     us: 192.168.20.1[+S=C]:17/0
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2:   them: 192.168.20.100[+S=C]:17/1701
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries exceeded for tunnel 44841.  Closing.
Jan  1 00:08:35 OpenWrt daemon.info xl2tpd[877]: Connection 19 closed to 192.168.20.100, port 1701 (Timeout)
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb82c5a58) not found (maybe expired)
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: received and ignored informational message
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: received Delete SA payload: deleting ISAKMP State #1
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100: deleting connection "roadwarrior-net" instance with peer 192.168.20.100 {isakmp=#0/ipsec=#0}
Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received and ignored informational message
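As an added diagnostic (not part of the original post or of Openswan/xl2tpd), the script below parses pluto and xl2tpd syslog lines like the two sessions quoted above and reports where each one stalled: the Quick Mode state last reached per SA, the traffic selector the peer proposed, and whether xl2tpd kept seeing the same tunnel request without a call coming up. The sample lines are trimmed copies of the two runs; the "healthy" thresholds (STATE_QUICK_R2 reached, selector ending in UDP 1701) are my assumptions about what a working L2TP/IPsec responder logs.

```python
import re
# Constructed samples: lines trimmed from the two sessions quoted in the post above.
WORKING = """\
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: the peer proposed: 192.168.20.1/32:17/0 -> 192.168.20.100/32:17/1701
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jan  1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with 192.168.20.100, Local: 65211, Remote: 1, Serial: 0
"""
FAILING = """\
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: the peer proposed: 192.168.20.1/32:0/0 -> 192.168.20.100/32:0/0
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries exceeded for tunnel 44841.  Closing.
"""
PLUTO = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): (?P<msg>.*)')
STATE = re.compile(r'transition from state (\S+) to state (\S+)')
PROPOSED = re.compile(r'the peer proposed: (\S+) -> (\S+)')
XL2TPD = re.compile(r'xl2tpd\[\d+\]: (?P<msg>.*)')

def diagnose(log_text):
    # Returns a list of findings explaining why the session did not come up; empty means healthy.
    last_state = {}   # pluto SA number -> last state transition seen for it
    proposals = []    # (connection, local selector, remote selector) from Quick Mode
    dup_tunnel, call_up = 0, False   # repeated SCCRQ means our reply never reached the peer
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if m:
            if s := STATE.search(m['msg']):
                last_state[m['sa']] = s.group(2)
            if p := PROPOSED.search(m['msg']):
                proposals.append((m['conn'], p.group(1), p.group(2)))
        elif m := XL2TPD.search(line):
            if 'requested tunnel' in m['msg'] and 'twice' in m['msg']:
                dup_tunnel += 1
            elif m['msg'].startswith('Call established'):
                call_up = True
    findings = []
    for conn, local, remote in proposals:
        if not remote.endswith(':17/1701'):   # L2TP selector is expected to name UDP/1701
            findings.append(f'{conn}: peer proposed {local} -> {remote}, not UDP 1701')
    for sa, state in last_state.items():
        if state.startswith('STATE_MAIN') and state != 'STATE_MAIN_R3':
            findings.append(f'SA #{sa} stalled in {state}: ISAKMP SA never established')
        elif state.startswith('STATE_QUICK') and state != 'STATE_QUICK_R2':
            findings.append(f'SA #{sa} stalled in {state}: outbound IPsec SA never installed')
    if dup_tunnel > 1 and not call_up:
        findings.append(f'xl2tpd: {dup_tunnel} duplicate tunnel requests and no call established')
    return findings
```

Run it over a full syslog extract (`diagnose(open('/var/log/messages').read())`) to get the same three-way summary for a real session.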