[Openswan Users] L2tp/ipsec connection issue
Hafeez Rehman
hafeezr at msn.com
Tue Mar 10 22:30:46 EDT 2009
I am sorry for the duplicate post.
I had the following config files working fine on kernel 2.4 (OpenWrt) with Openswan 2.4.4 and xl2tpd 1.04.
Now I have moved to,
Kernel 2.6.25.17 (openwrt 8.09)
xl2tpd 1.2.4
openswan 2.6.18 using klips
I have also compiled Openswan 2.6.20, but with it the connection does not even reach xl2tpd.
So I merged ipsec_esp.c from 2.6.20 to 2.6.18 thinking it will fix my problem, but it did not.
I cannot even cross-compile 2.6.19 for OpenWrt, so I am sticking with Openswan 2.6.18; it compiles and connects.
I hope I have provided as much info as you need. Please help me, I really need this working.
I can connect using the Windows L2TP/IPsec client, but only while tcpdump is running on the WAN interface. I have tried reducing the MTU on ipsec0, wan and ppp, but it has no effect. This is a test setup, all private IPs, no NAT. If I test it in the real world on a public IP, then I suppose I would need a NAT patch; I would need some
input on that too. Any help would be greatly appreciated.
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# NOTE(review): as pasted here, the parameters under each "config"/"conn"
# section are flush-left; Openswan's parser needs them indented under
# their section header, so the indentation was presumably lost in the
# mail — confirm against the file pluto actually loads.
version 2.0 # conforms to second version of ipsec.conf specification
config setup
interfaces=%defaultroute
# Debug output is off for both KLIPS and pluto.
klipsdebug=none
plutodebug=none
# NOTE(review): the pluto log in this post reports "received Vendor ID
# payload [RFC 3947] ... but port floating is off", i.e. the running
# pluto is not doing NAT-T despite this setting — confirm the 2.6.18
# build has NAT-T compiled in and that this is the file it read.
nat_traversal=yes
fragicmp=no
# Private ranges a roadwarrior may claim as its virtual address; the
# local LAN 192.168.1.0/24 is excluded so a client cannot claim it.
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
conn %default
keyingtries=3
# Offers IPCOMP; the established SA in the log lists only ESP
# (xfrm=AES_128-HMAC_SHA1), so the client presumably did not take it.
compress=yes
# Keep KLIPS' tunnel-exit check that packets emerging from a tunnel
# carry plausible addresses for that tunnel.
disablearrivalcheck=no
# Pre-shared-key authentication; with right=%any below, every client
# authenticates with the same secret from ipsec.secrets.
authby=secret
ike=aes-sha,3des-sha
esp=aes-sha1,3des-sha1
type=tunnel
keyexchange=ike
ikelifetime=240m
keylife=60m
# The four conns below inherit the "roadwarrior" settings and differ
# only in the traffic selectors offered to the client.
conn roadwarrior-net
leftsubnet=192.168.1.0/24
also=roadwarrior
conn roadwarrior-all
leftsubnet=0.0.0.0/0
also=roadwarrior
# L2TP transport: UDP from any local port to the client's port 1701.
# This is the selector the Windows client proposes in the working log
# ("the peer proposed: 192.168.20.1/32:17/0 -> 192.168.20.100/32:17/1701").
conn roadwarrior-l2tp
leftprotoport=17/0
rightprotoport=17/1701
also=roadwarrior
# Same with the local port fixed to 1701 as well; per the conn name,
# presumably for updated Windows clients.
conn roadwarrior-l2tp-updatedwin
leftprotoport=17/1701
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior
# No PFS in Quick Mode, presumably to match the Windows client; a
# compromised ISAKMP SA then also exposes the IPsec SA keys.
pfs=no
left=%defaultroute
# Any peer may connect; its "subnet" may be none (%no) or its own
# virtual address from virtual_private (%priv).
right=%any
rightsubnet=vhost:%no,%priv
# Loaded but not initiated; the client starts the negotiation.
auto=add
#Disable Opportunistic Encryption
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
xl2tpd.conf
[global]
; Listening address and port are left at xl2tpd's defaults (all
; addresses, UDP 1701). NOTE(review): the client in the log reaches
; the server at 192.168.20.1, not 192.168.1.200, so enabling listen-addr
; as written would presumably stop xl2tpd receiving L2TP at all.
;listen-addr = 192.168.1.200
;port = 1701
[lns default]
; Address pool handed to L2TP clients and the server's own PPP address;
; both sit inside the 192.168.1.0/24 leftsubnet from ipsec.conf.
ip range = 192.168.1.10-192.168.1.15
local ip = 192.168.1.1
; PPP authentication policy: CHAP mandatory, PAP refused, and an
; unauthenticated session is never accepted.
require chap = yes
refuse pap = yes
require authentication = yes
; Name pppd authenticates as (the "name" / "LinuxVPNserver" arguments
; in the start_pppd log lines of this post).
name = LinuxVPNserver
; NOTE(review): with this on, xl2tpd logs the full pppd command line
; (see the start_pppd lines in this post); presumably worth turning
; off once the problem is solved.
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
options.l2tpd
# pppd options for the L2TP sessions started by xl2tpd (pppoptfile).
# Accept the peer's idea of both addresses; xl2tpd already passes the
# local:remote pair on the command line (see the start_pppd log lines).
ipcp-accept-local
ipcp-accept-remote
# DNS and WINS servers handed to Windows clients.
ms-dns 192.168.1.1
ms-wins 192.168.1.1
# Do not negotiate CCP (compression).
noccp
# Require the peer to authenticate; xl2tpd adds require-chap/refuse-pap.
auth
# Serial flow control; presumably a no-op on the /dev/pts device xl2tpd
# hands pppd (see the log).
crtscts
# Drop the link after 30 minutes without traffic.
idle 1800
# NOTE(review): the post says lowering these did not change the
# tcpdump-only symptom.
mtu 1410
mru 1410
nodefaultroute
# Stay in the foreground under xl2tpd (which also passes "-detach").
nodetach
debug
lock
# Answer ARP on the LAN for the client's pool address so 192.168.1.x
# hosts can reach it.
proxyarp
# Wait up to 5 s after connecting for the peer's first PPP packet.
connect-delay 5000
Connects fine while tcpdump is running:
Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000006]
Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet
from 192.168.20.100:500: received Vendor ID payload [RFC 3947]
meth=109, but port floating is off
Jan 1 00:15:10 OpenWrt
authpriv.warn pluto[848]: packet from 192.168.20.100:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
floating is off
Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation
Discovery Capable]
Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]:
packet from 192.168.20.100:500: ignoring Vendor ID payload
[Vid-Initial-Contact]
Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: responding to Main Mode from unknown peer
192.168.20.100
Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: OAKLEY_GROUP 20 not
supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 1 00:15:10
OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100
#3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan
1 00:15:10 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Jan 1 00:15:10 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R1: sent MR1,
expecting MI2
Jan 1 00:15:11 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: discarding packet received
during asynchronous work (DNS or crypto) in STATE_MAIN_R1
Jan 1
00:15:13 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1
Jan 1 00:15:15 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 1
00:15:15 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 1
00:15:16 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R2
Jan 1 00:15:18 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #3:
discarding packet received during asynchronous work (DNS or crypto) in
STATE_MAIN_R2
Jan 1 00:15:20 OpenWrt authpriv.warn pluto[879]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 4832039 usec
Jan
1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
Jan
1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #3: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 1
00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #3: the peer proposed: 192.168.20.1/32:17/0 ->
192.168.20.100/32:17/1701
Jan 1 00:15:20 OpenWrt authpriv.warn
pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: responding to
Quick Mode proposal {msgid:01000000}
Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: us: 192.168.20.1[+S=C]:17/0
Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4: them: 192.168.20.100[+S=C]:17/1701
Jan
1 00:15:20 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #4: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Jan 1 00:15:20 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #4: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Jan 1 00:15:22 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #4:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 1
00:15:22 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #4: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x5f46ef61 <0x4a92c57f xfrm=AES_128-HMAC_SHA1
NATOA=<invalid> NATD=<invalid>:500 DPD=none}
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 20 twice, ignoring second one.
Jan
1 00:15:22 OpenWrt daemon.notice xl2tpd[877]: Connection established to
192.168.20.100, 1701. Local: 63325, Remote: 20 (ref=0/0). LNS session
is 'default'
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]:
result_code_avp: result code not appropriate for
Incoming-Call-Request. Ignoring.
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: start_pppd: I'm running:
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/usr/sbin/pppd"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "passive"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "-detach"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "192.168.1.1:192.168.1.10"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "refuse-pap"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "auth"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "require-chap"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "name"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "LinuxVPNserver"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "debug"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "file"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/etc/ppp/options.l2tpd"
Jan 1 00:15:22 OpenWrt daemon.debug xl2tpd[877]: "/dev/pts/2"
Jan 1 00:15:23 OpenWrt daemon.notice xl2tpd[877]: Call established with 192.168.20.100, Local: 65211, Remote: 1, Serial: 0
Will not connect without tcpdump running:
Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000006]
Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet
from 192.168.20.100:500: received Vendor ID payload [RFC 3947]
meth=109, but port floating is off
Jan 1 00:08:27 OpenWrt
authpriv.warn pluto[848]: packet from 192.168.20.100:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
floating is off
Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from
192.168.20.100:500: ignoring Vendor ID payload [MS-Negotiation
Discovery Capable]
Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]:
packet from 192.168.20.100:500: ignoring Vendor ID payload
[Vid-Initial-Contact]
Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: responding to Main Mode from unknown peer
192.168.20.100
Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-net"[1] 192.168.20.100 #1: OAKLEY_GROUP 20 not supported.
Attribute OAKLEY_GROUP_DESCRIPTION
Jan 1 00:08:27 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1:
OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan
1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Jan 1 00:08:27 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan
1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.20.100'
Jan
1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-net"[1] 192.168.20.100 #1: STATE_MAIN_R3: sent MR3, ISAKMP
SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp2048}
Jan 1 00:08:28 OpenWrt authpriv.warn
pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1: the peer proposed:
192.168.20.1/32:0/0 -> 192.168.20.100/32:0/0
Jan 1 00:08:28
OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100
#2: responding to Quick Mode proposal {msgid:01000000}
Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: us: 192.168.20.1[+S=C]:17/0
Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1] 192.168.20.100 #2: them: 192.168.20.100[+S=C]:17/1701
Jan
1 00:08:28 OpenWrt authpriv.warn pluto[848]: "roadwarrior-l2tp"[1]
192.168.20.100 #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Jan 1 00:08:28 OpenWrt authpriv.warn pluto[848]:
"roadwarrior-l2tp"[1] 192.168.20.100 #2: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Jan 1 00:08:30 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan 1 00:08:31 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan 1 00:08:35 OpenWrt daemon.debug xl2tpd[877]: control_finish: Peer requested tunnel 19 twice, ignoring second one.
Jan 1 00:08:35 OpenWrt daemon.notice xl2tpd[877]: Maximum retries exceeded for tunnel 44841. Closing.
Jan 1 00:08:35 OpenWrt daemon.info xl2tpd[877]: Connection 19 closed to 192.168.20.100, port 1701 (Timeout)
Jan
1 00:08:35 OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1]
192.168.20.100 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP
SA(0xb82c5a58) not found (maybe expired)
Jan 1 00:08:35 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1:
received and ignored informational message
Jan 1 00:08:35 OpenWrt
authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100 #1:
received Delete SA payload: deleting ISAKMP State #1
Jan 1 00:08:35
OpenWrt authpriv.warn pluto[848]: "roadwarrior-net"[1] 192.168.20.100:
deleting connection "roadwarrior-net" instance with peer 192.168.20.100
{isakmp=#0/ipsec=#0}
Jan 1 00:08:35 OpenWrt authpriv.warn pluto[848]: packet from 192.168.20.100:500: received and ignored informational message