[Openswan Users] XL2TP and NAT problems with Ubuntu 9.10 and Openswan 6.22

Damon Morda damon at epartment54.com
Sun Nov 8 10:18:28 EST 2009


Hello everyone,

After 2 hours of unsuccessful troubleshooting, I was hoping someone  
could provide me some guidance.

I recently upgraded from Ubuntu 9.04 (Jaunty) to 9.10 (Karmic). Prior  
to upgrading, my Openswan IPSec/XL2TPD setup was working flawlessly.  
However, as of the recent upgrade (I reinstalled from scratch and  
copied the old config files over) I am unable to successfully  
establish a connection.

The IPSec portion of the connection seems to work (IPsec SA  
established), but I receive errors on the XL2TP part of it. Included  
below are log excerpts and my main configuration files. Any assistance  
would be greatly appreciated.

Thanks in advance!

######################
VERSION INFORMATION
######################

OS: Ubuntu Linux 9.10 Server
Kernel: 2.6.31-14
Openswan: Linux Openswan U2.6.22/K2.6.31-14-generic-pae (netkey)
xl2tpd version: xl2tpd-1.2.4

######################
STARTING IPSEC
######################

Nov  8 00:10:21 localhost kernel: [ 4610.384972] NET: Registered  
protocol family 15
Nov  8 00:10:21 localhost ipsec_setup: Starting Openswan IPsec U2.6.22/ 
K2.6.31-14-generic-pae...
Nov  8 00:10:21 localhost ipsec_setup: Using NETKEY(XFRM) stack
Nov  8 00:10:21 localhost kernel: [ 4610.423692] intel_rng: FWH not  
detected
Nov  8 00:10:21 localhost kernel: [ 4610.511843] Initializing XFRM  
netlink socket
Nov  8 00:10:21 localhost kernel: [ 4610.519338] padlock: VIA PadLock  
not detected.
Nov  8 00:10:21 localhost kernel: [ 4610.525450] padlock: VIA PadLock  
Hash Engine not detected.
Nov  8 00:10:21 localhost kernel: [ 4610.534596] padlock: VIA PadLock  
not detected.
Nov  8 00:10:21 localhost pluto: adjusting ipsec.d to /etc/ipsec.d
Nov  8 00:10:21 localhost ipsec__plutorun: adjusting ipsec.d to /etc/ 
ipsec.d
Nov  8 00:10:21 localhost ipsec_setup: ...Openswan IPsec started
Nov  8 00:10:21 localhost ipsec__plutorun: 002 added connection  
description "roadwarrior-net"
Nov  8 00:10:21 localhost ipsec__plutorun: 002 added connection  
description "roadwarrior-all"
Nov  8 00:10:21 localhost ipsec__plutorun: 002 added connection  
description "roadwarrior-l2tp"
Nov  8 00:10:21 localhost ipsec__plutorun: 002 added connection  
description "roadwarrior-l2tp-osx"
Nov  8 00:10:21 localhost ipsec__plutorun: 002 added connection  
description "roadwarrior-l2tp-updatedwin"
Nov  8 00:10:21 localhost ipsec__plutorun: 002 added connection  
description "roadwarrior"
Nov  8 00:10:21 localhost ipsec__plutorun: 003 NAT-Traversal: Trying  
new style NAT-T
Nov  8 00:10:21 localhost ipsec__plutorun: 003 NAT-Traversal: ESPINUDP 
(1) setup failed for new style NAT-T family IPv4 (errno=19)
Nov  8 00:10:21 localhost ipsec__plutorun: 003 NAT-Traversal: Trying  
old style NAT-T

######################
CONNECTION ATTEMPT
######################

Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: received Vendor ID payload [RFC 3947] method set to=109
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method  
set to=110
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: ignoring unknown Vendor ID payload  
[8f8d83826d246b6fc7a8a6a428c11de8]
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: ignoring unknown Vendor ID payload  
[439b59f8ba676c4c7737ae22eab8f582]
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: ignoring unknown Vendor ID payload  
[4d1e0e136deafa34c4f3ea9f02ec7285]
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: ignoring unknown Vendor ID payload  
[80d0bb3def54565ee84645d4c85ce3ee]
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: ignoring unknown Vendor ID payload  
[9909b64eed937c6573de52ace952fa6b]
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]  
meth=108, but already using method 110
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]  
meth=107, but already using method 110
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]  
meth=106, but already using method 110
Nov  8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx: 
19369: received Vendor ID payload [Dead Peer Detection]
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: responding to Main Mode from unknown peer  
166.xxx.xxx.xxx
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: transition from state STATE_MAIN_R0 to state  
STATE_MAIN_R1
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t- 
ike (MacOS X): both are NATed
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: transition from state STATE_MAIN_R1 to state  
STATE_MAIN_R2
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: Main mode peer ID is ID_IPV4_ADDR: '10.181.0.109'
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1]  
166.xxx.xxx.xxx #1: switched from "roadwarrior-net" to "roadwarrior-net"
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: deleting connection "roadwarrior-net" instance  
with peer 166.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: transition from state STATE_MAIN_R2 to state  
STATE_MAIN_R3
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: new NAT mapping for #1, was 166.xxx.xxx.xxx:19369,  
now 166.xxx.xxx.xxx:19383
Nov  8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established  
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha  
group=modp1024}
Nov  8 00:11:49 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: ignoring informational payload, type  
IPSEC_INITIAL_CONTACT msgid=00000000
Nov  8 00:11:49 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: received and ignored informational message
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: the peer proposed: 67.xxx.xxx.xxx/32:0/0 ->  
10.181.0.109/32:0/0
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1: peer proposal was reject in a virtual connection  
policy because:
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #1:   a private network virtual IP was required, but  
the proposed IP did not match our list (virtual_private=)
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #2: responding to Quick Mode proposal {msgid:d2a35cd0}
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #2:     us: 192.168.1.0/24===67.xxx.xxx.xx 
[+S=C]---67.xxx.xxx.x
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #2:   them: 166.xxx.xxx.xxx[10.181.0.109,+S=C] 
===10.181.0.109/32
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #2: transition from state STATE_QUICK_R0 to state  
STATE_QUICK_R1
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA  
installed, expecting QI2
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #2: transition from state STATE_QUICK_R1 to state  
STATE_QUICK_R2
Nov  8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2]  
166.xxx.xxx.xxx #2: STATE_QUICK_R2: IPsec SA established tunnel mode  
{ESP/NAT=>0x0490e377 <0xdfb4152e xfrm=AES_128-HMAC_SHA1 NATOA=none  
NATD=166.xxx.xxx.xxx:19383 DPD=none}

######################
XL2TPD ERRORS
######################

Nov  8 00:11:52 localhost xl2tpd[5146]: control_finish: Peer requested  
tunnel 18 twice, ignoring second one.
Nov  8 00:11:53 localhost xl2tpd[5146]: control_finish: Peer requested  
tunnel 18 twice, ignoring second one.
Nov  8 00:11:57 localhost xl2tpd[5146]: Maximum retries exceeded for  
tunnel 39810.  Closing.
Nov  8 00:11:57 localhost xl2tpd[5146]: control_finish: Peer requested  
tunnel 18 twice, ignoring second one.
Nov  8 00:11:57 localhost xl2tpd[5146]: Connection 18 closed to  
166.xxx.xxx.xxx, port 49169 (Timeout)
Nov  8 00:12:02 localhost xl2tpd[5146]: Unable to deliver closing  
message for tunnel 39810. Destroying anyway.
Nov  8 00:12:05 localhost xl2tpd[5146]: control_finish: Peer requested  
tunnel 18 twice, ignoring second one.


######################
IPSEC.CONF
######################

version 2.0
config setup
        interfaces=%defaultroute
	protostack=netkey
	nat_traversal=yes
        virtual_private= 
%v4 
: 
10.0.0.0 
/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:172.17.17.0/32,%v4:! 
192.168.100.0/24

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
	forceencaps=yes

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-osx
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
	leftnexthop=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
	auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

######################
XL2TPD.CONF
######################

[global]
ipsec saref = yes
auth file = /etc/xl2tpd/xl2tp-secrets
port = 1701

[lns default]
ip range = 192.168.100.100-192.168.100.110
local ip = 192.168.100.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
length bit = yes


More information about the Users mailing list