[Openswan Users] XL2TP and NAT problems with Ubuntu 9.10 and Openswan 6.22
Damon Morda
damon at epartment54.com
Sun Nov 8 10:18:28 EST 2009
Hello everyone,
After 2 hours of unsuccessful troubleshooting, I was hoping someone
could provide me with some guidance.
I recently upgraded from Ubuntu 9.04 (Jaunty) to 9.10 (Karmic). Prior
to upgrading, my Openswan IPsec/XL2TPD setup was working flawlessly.
However, as of the recent upgrade (I reinstalled from scratch and
copied the old config files over), I am unable to successfully
establish a connection.
The IPSec portion of the connection seems to work (IPsec SA
established), but I receive errors on the XL2TP part of it. Included
below are log excerpts and my main configuration files. Any assistance
would be greatly appreciated.
Thanks in advance!
######################
VERSION INFORMATION
######################
OS: Ubuntu Linux 9.10 Server
Kernel: 2.6.31-14
Openswan: Linux Openswan U2.6.22/K2.6.31-14-generic-pae (netkey)
xl2tpd version: xl2tpd-1.2.4
######################
STARTING IPSEC
######################
Nov 8 00:10:21 localhost kernel: [ 4610.384972] NET: Registered protocol family 15
Nov 8 00:10:21 localhost ipsec_setup: Starting Openswan IPsec U2.6.22/K2.6.31-14-generic-pae...
Nov 8 00:10:21 localhost ipsec_setup: Using NETKEY(XFRM) stack
Nov 8 00:10:21 localhost kernel: [ 4610.423692] intel_rng: FWH not detected
Nov 8 00:10:21 localhost kernel: [ 4610.511843] Initializing XFRM netlink socket
Nov 8 00:10:21 localhost kernel: [ 4610.519338] padlock: VIA PadLock not detected.
Nov 8 00:10:21 localhost kernel: [ 4610.525450] padlock: VIA PadLock Hash Engine not detected.
Nov 8 00:10:21 localhost kernel: [ 4610.534596] padlock: VIA PadLock not detected.
Nov 8 00:10:21 localhost pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 8 00:10:21 localhost ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 8 00:10:21 localhost ipsec_setup: ...Openswan IPsec started
Nov 8 00:10:21 localhost ipsec__plutorun: 002 added connection description "roadwarrior-net"
Nov 8 00:10:21 localhost ipsec__plutorun: 002 added connection description "roadwarrior-all"
Nov 8 00:10:21 localhost ipsec__plutorun: 002 added connection description "roadwarrior-l2tp"
Nov 8 00:10:21 localhost ipsec__plutorun: 002 added connection description "roadwarrior-l2tp-osx"
Nov 8 00:10:21 localhost ipsec__plutorun: 002 added connection description "roadwarrior-l2tp-updatedwin"
Nov 8 00:10:21 localhost ipsec__plutorun: 002 added connection description "roadwarrior"
Nov 8 00:10:21 localhost ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Nov 8 00:10:21 localhost ipsec__plutorun: 003 NAT-Traversal: ESPINUDP (1) setup failed for new style NAT-T family IPv4 (errno=19)
Nov 8 00:10:21 localhost ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
######################
CONNECTION ATTEMPT
######################
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: received Vendor ID payload [RFC 3947] method set to=109
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Nov 8 00:11:48 localhost pluto[5407]: packet from 166.xxx.xxx.xxx:19369: received Vendor ID payload [Dead Peer Detection]
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: responding to Main Mode from unknown peer 166.xxx.xxx.xxx
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: Main mode peer ID is ID_IPV4_ADDR: '10.181.0.109'
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 166.xxx.xxx.xxx #1: switched from "roadwarrior-net" to "roadwarrior-net"
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: deleting connection "roadwarrior-net" instance with peer 166.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: new NAT mapping for #1, was 166.xxx.xxx.xxx:19369, now 166.xxx.xxx.xxx:19383
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 8 00:11:49 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 8 00:11:49 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: received and ignored informational message
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: the peer proposed: 67.xxx.xxx.xxx/32:0/0 -> 10.181.0.109/32:0/0
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: peer proposal was reject in a virtual connection policy because:
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #1: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #2: responding to Quick Mode proposal {msgid:d2a35cd0}
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #2: us: 192.168.1.0/24===67.xxx.xxx.xx[+S=C]---67.xxx.xxx.x
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #2: them: 166.xxx.xxx.xxx[10.181.0.109,+S=C]===10.181.0.109/32
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 166.xxx.xxx.xxx #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0490e377 <0xdfb4152e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=166.xxx.xxx.xxx:19383 DPD=none}
######################
XL2TPD ERRORS
######################
Nov 8 00:11:52 localhost xl2tpd[5146]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
Nov 8 00:11:53 localhost xl2tpd[5146]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
Nov 8 00:11:57 localhost xl2tpd[5146]: Maximum retries exceeded for tunnel 39810. Closing.
Nov 8 00:11:57 localhost xl2tpd[5146]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
Nov 8 00:11:57 localhost xl2tpd[5146]: Connection 18 closed to 166.xxx.xxx.xxx, port 49169 (Timeout)
Nov 8 00:12:02 localhost xl2tpd[5146]: Unable to deliver closing message for tunnel 39810. Destroying anyway.
Nov 8 00:12:05 localhost xl2tpd[5146]: control_finish: Peer requested tunnel 18 twice, ignoring second one.
######################
IPSEC.CONF
######################
version 2.0

config setup
    interfaces=%defaultroute
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:172.17.17.0/32,%v4:!192.168.100.0/24

conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    forceencaps=yes

conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp-osx
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior

conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior
    pfs=no
    left=%defaultroute
    leftnexthop=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
######################
XL2TPD.CONF
######################
[global]
ipsec saref = yes
auth file = /etc/xl2tpd/xl2tp-secrets
port = 1701
[lns default]
ip range = 192.168.100.100-192.168.100.110
local ip = 192.168.100.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
length bit = yes
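Added example, not part of the original post and not Openswan code: the pluto log above rejects the peer's first Quick Mode proposal with "did not match our list (virtual_private=)", where the printed virtual_private value is empty, while the posted ipsec.conf lists 10.0.0.0/8 as allowed and only 192.168.100.0/24 as excluded. The script below parses the relevant pluto lines and evaluates the proposed client address against the virtual_private string exactly as written in the posted config, so you can see offline whether the file and the running daemon agree. The log excerpt is constructed to mirror the lines quoted in the post; the public addresses are documentation-range stand-ins for the masked 166.x/67.x ones, and the field names in the result dictionary are the script's own.

```python
import ipaddress
import re

# virtual_private exactly as it appears in the posted ipsec.conf
CONFIG_VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
    "%v4:172.17.17.0/32,%v4:!192.168.100.0/24"
)

# Constructed excerpt modelled on the post's pluto output. 198.51.100.7 and
# 203.0.113.5 (documentation ranges) stand in for the masked public addresses.
SAMPLE_PLUTO_LOG = """\
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 198.51.100.7 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov 8 00:11:48 localhost pluto[5407]: "roadwarrior-net"[1] 198.51.100.7 #1: Main mode peer ID is ID_IPV4_ADDR: '10.181.0.109'
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 198.51.100.7 #1: the peer proposed: 203.0.113.5/32:0/0 -> 10.181.0.109/32:0/0
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 198.51.100.7 #1: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Nov 8 00:11:50 localhost pluto[5407]: "roadwarrior-net"[2] 198.51.100.7 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0490e377 <0xdfb4152e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=198.51.100.7:19383 DPD=none}
"""


def parse_virtual_private(value):
    """Split an Openswan virtual_private string into (allowed, excluded) networks.

    Entries are %v4:NET or %v6:NET, comma separated; a leading '!' on NET
    marks the network as excluded from the otherwise allowed ranges.
    """
    allowed, excluded = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if not entry.startswith(("%v4:", "%v6:")):
            raise ValueError("unexpected virtual_private entry: %r" % entry)
        net = entry[4:]
        target = excluded if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!"), strict=False))
    return allowed, excluded


def virtual_ip_allowed(ip, allowed, excluded):
    """A virtual IP passes if it is inside some allowed net and inside no excluded net."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in allowed) and not any(addr in n for n in excluded)


PEER_ID_RE = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'")
PROPOSAL_RE = re.compile(r"the peer proposed: ([\d./]+):\S+ -> ([\d./]+):\S+")
VP_REJECT_RE = re.compile(r"did not match our list \(virtual_private=([^)]*)\)")
NAT_RE = re.compile(r"NAT-Traversal: Result using \S+ \([^)]*\): (.+)$")


def parse_pluto_log(text):
    """Pull the fields relevant to a virtual_private rejection out of pluto lines."""
    info = {"peer_id": None, "proposed_client": None, "logged_virtual_private": None,
            "nat_result": None, "ipsec_sa_established": False}
    for line in text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            info["peer_id"] = m.group(1)
            continue
        m = PROPOSAL_RE.search(line)
        if m:
            # right-hand selector is the client side ("them"); keep only its address
            client = ipaddress.ip_network(m.group(2), strict=False).network_address
            info["proposed_client"] = str(client)
            continue
        m = VP_REJECT_RE.search(line)
        if m:
            info["logged_virtual_private"] = m.group(1).strip()
            continue
        m = NAT_RE.search(line)
        if m:
            info["nat_result"] = m.group(1).strip()
            continue
        if "IPsec SA established" in line:
            info["ipsec_sa_established"] = True
    return info


def diagnose(log_text, configured_vp):
    """Compare what pluto logged with the configured list; all values are booleans."""
    info = parse_pluto_log(log_text)
    allowed, excluded = parse_virtual_private(configured_vp)
    client = info["proposed_client"]
    return {
        "rejection_logged": info["logged_virtual_private"] is not None,
        "logged_list_empty": info["logged_virtual_private"] == "",
        "client_allowed_by_config": bool(client) and virtual_ip_allowed(client, allowed, excluded),
        "both_nated": info["nat_result"] == "both are NATed",
        "sa_established": info["ipsec_sa_established"],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_PLUTO_LOG, CONFIG_VIRTUAL_PRIVATE).items():
        print("%-26s %s" % (key, value))
```

Run against the constructed excerpt, `diagnose` reports that a rejection was logged with an empty list, that 10.181.0.109 would be accepted by the list as written in the file, and that an IPsec SA was nevertheless established afterwards. Feeding it the real log and the real `virtual_private` line (after `ipsec auto --status` or a restart) tells you whether the running pluto loaded the same list that the file contains.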