[Openswan Users] L2tp/ipsec connection issue

No Body is Perfect news.listener at gmail.com
Mon Mar 9 03:35:55 EDT 2009


Hi,
Kernel / openswan / (x)l2tpd version?
Hafeez Rehman wrote:
> I have made some progress, but it is strange to me. Maybe some of you
> experts will have input on this. I can connect using the Windows L2TP/IPsec
> client, but only while tcpdump is running on the wan interface. I have tried
> reducing the MTU on ipsec0, wan and ppp, but it has no effect. This is a test
> setup, all private IPs, no NAT. If I test it in the real world on a public IP,
> then I suppose I would need a NAT patch; I would need some input on that
> too. Any help would be greatly appreciated.
> 
> Connects fine while tcpdump is running:
> 
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
> 00000006]
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but
> port floating is off
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery
> Capable]
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: responding to Main Mode from unknown peer 192.168.20.100
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: OAKLEY_GROUP 20 not supported.  Attribute
> OAKLEY_GROUP_DESCRIPTION
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: OAKLEY_GROUP 19 not supported.  Attribute
> OAKLEY_GROUP_DESCRIPTION
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Jan  1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan  1 00:15:11 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: discarding packet received during asynchronous work
> (DNS or crypto) in STATE_MAIN_R1
> Jan  1 00:15:13 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: discarding packet received during asynchronous work
> (DNS or crypto) in STATE_MAIN_R1
> Jan  1 00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Jan  1 00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan  1 00:15:16 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: discarding packet received during asynchronous work
> (DNS or crypto) in STATE_MAIN_R2
> Jan  1 00:15:18 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: discarding packet received during asynchronous work
> (DNS or crypto) in STATE_MAIN_R2
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[879]: WARNING:
> calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 4832039 usec
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #3: the peer proposed: 192.168.20.1/32:17/0 ->
> 192.168.20.100/32:17/1701
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #4: responding to Quick Mode proposal {msgid:01000000}
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #4:     us: 192.168.20.1[+S=C]:17/0
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #4:   them: 192.168.20.100[+S=C]:17/1701
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #4: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
> Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
> expecting QI2
> Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #4: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
> Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #4: STATE_QUICK_R2: IPsec SA established tunnel mode
> {ESP=>0x5f46ef61 <0x4a92c57f xfrm=AES_128-HMAC_SHA1 NATOA=<invalid>
> NATD=<invalid>:500 DPD=none}
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer
> requested tunnel 20 twice, ignoring second one.
> Jan  1 00:15:22 OpenWrt daemon.notice xl2tpd[877]: Connection
> established to 192.168.20.100, 1701.  Local: 63325, Remote: 20
> (ref=0/0).  LNS session is 'default'
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: result_code_avp:
> result code not appropriate for Incoming-Call-Request.  Ignoring.
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: start_pppd: I'm running:
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/usr/sbin/pppd"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "passive"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "-detach"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "192.168.1.1:192.168.1.10"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "refuse-pap"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "auth"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "require-chap"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "name"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "LinuxVPNserver"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "debug"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "file"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/etc/ppp/options.l2tpd"
> Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/dev/pts/2"
> Jan  1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with
> 192.168.20.100, Local: 65211, Remote: 1, Serial: 0
> 
> 
> 
> Will not connect without tcpdump running:
> 
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
> 00000006]
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: received Vendor ID payload [RFC 3947] meth=109, but
> port floating is off
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery
> Capable]
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: responding to Main Mode from unknown peer 192.168.20.100
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: OAKLEY_GROUP 20 not supported.  Attribute
> OAKLEY_GROUP_DESCRIPTION
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: OAKLEY_GROUP 19 not supported.  Attribute
> OAKLEY_GROUP_DESCRIPTION
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Jan  1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: the peer proposed: 192.168.20.1/32:0/0 ->
> 192.168.20.100/32:0/0
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #2: responding to Quick Mode proposal {msgid:01000000}
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #2:     us: 192.168.20.1[+S=C]:17/0
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #2:   them: 192.168.20.100[+S=C]:17/1701
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #2: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
> Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
> 192.168.20.100 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
> expecting QI2
> Jan  1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer
> requested tunnel 19 twice, ignoring second one.
> Jan  1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer
> requested tunnel 19 twice, ignoring second one.
> Jan  1 00:08:35 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer
> requested tunnel 19 twice, ignoring second one.
> Jan  1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries
> exceeded for tunnel 44841.  Closing.
> Jan  1 00:08:35 OpenWrt daemon.info xl2tpd[877]: Connection 19 closed
> to 192.168.20.100, port 1701 (Timeout)
> Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP
> SA(0xb82c5a58) not found (maybe expired)
> Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: received and ignored informational message
> Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100 #1: received Delete SA payload: deleting ISAKMP State #1
> Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
> 192.168.20.100: deleting connection "roadwarrior-net" instance with peer
> 192.168.20.100 {isakmp=#0/ipsec=#0}
> Jan  1 00:08:35 OpenWrt authpriv.warn pluto[848]: packet from
> 192.168.20.100:500: received and ignored informational message
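As an added triage helper (not from this thread or from the Openswan project), the script below parses pluto and xl2tpd syslog lines like the two traces quoted above and reports the differences that matter here: which connection instances phase 1 and phase 2 landed on, whether the peer's Quick Mode selector was UDP/1701 or 0/0, whether an IPsec SA was actually established, and whether xl2tpd kept seeing the client's tunnel request re-sent until "Maximum retries exceeded", which means its own replies are not getting back to the client. The sample lines are constructed abbreviations of the quoted logs.

```python
import re
from collections import Counter

# Constructed sample input: a few lines abbreviated from the two traces in the mail.
WORKING = """\
Jan  1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3: the peer proposed: 192.168.20.1/32:17/0 -> 192.168.20.100/32:17/1701
Jan  1 00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x5f46ef61 <0x4a92c57f xfrm=AES_128-HMAC_SHA1}
Jan  1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jan  1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with 192.168.20.100, Local: 65211, Remote: 1, Serial: 0
"""
FAILING = """\
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: the peer proposed: 192.168.20.1/32:0/0 -> 192.168.20.100/32:0/0
Jan  1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan  1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries exceeded for tunnel 44841.  Closing.
"""

PLUTO = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: (?P<msg>.*)')
PROPOSED = re.compile(r"the peer proposed: (\S+) -> (\S+)")
XL2TPD = re.compile(r"xl2tpd\[\d+\]: (?P<msg>.*)")
TWICE = re.compile(r"Peer requested tunnel (\d+) twice")

def triage(log: str) -> dict:
    conns, proposals, retries = [], [], Counter()
    ipsec_sa = call_up = max_retries = False
    for line in log.splitlines():
        m = PLUTO.search(line)
        x = XL2TPD.search(line)
        if m:
            conns.append(m["conn"])                      # connection instance used per message
            proposals += PROPOSED.findall(m["msg"])      # (us, them) selectors from Quick Mode
            ipsec_sa |= "IPsec SA established" in m["msg"]
        elif x:
            retries.update(TWICE.findall(x["msg"]))      # duplicate SCCRQ: peer never got our reply
            call_up |= "Call established" in x["msg"]
            max_retries |= "Maximum retries exceeded" in x["msg"]
    conns = list(dict.fromkeys(conns))                   # de-duplicate, keep order of first use
    findings = []
    if not ipsec_sa:
        findings.append("quick mode stalled before STATE_QUICK_R2 (no QI2 from peer)")
    if any(us.endswith(":0/0") for us, _ in proposals):
        findings.append("peer proposed a 0/0 selector rather than UDP/1701")
    if len(conns) > 1:
        findings.append(f"phase 1 matched {conns[0]}, phase 2 switched to {conns[-1]}")
    if max_retries or any(n >= 2 for n in retries.values()):
        findings.append("L2TP control replies are not reaching the client (one-way path)")
    return {"conns": conns, "ipsec_sa": ipsec_sa, "call_up": call_up, "findings": findings}
```

Run it over a full pluto/xl2tpd log from each attempt; an empty findings list with call_up set is the working case, and the one-way-path finding is the signature of the tcpdump-dependent failure described in the mail.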