[Openswan Users] L2TPD Routing issue on Ubuntu 9.04
Benjamin Lauret
ben at lauretland.com
Tue Oct 27 06:15:19 EDT 2009
Hi,
I am trying to set up an IPsec/L2TPD gateway on Ubuntu. It looks like my
problem is that the packets sent by xl2tpd are not sent to the client. The
IPsec tunnel is successfully set up. I can see in the xl2tpd logs the
request coming in, but the client never receives the packet back. In
the openswan logs, I can see a rejected packet.
I think my configuration is right. I have another gateway with pretty
much the same setup which is working fine right now.
I have put the openswan log below. I replaced my client IP with
XXX.XXX.XXX.XXX and the server IP with YYY.YYY.YYY.YYY.
Any help would be really appreciated. I've been trying to solve that
for a week, without making any progress.
Rgds,
Ben
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: received Vendor ID payload [RFC 3947] method set to=109
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method
set to=110
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
meth=108, but already using method 110
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
meth=107, but already using method 110
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
meth=106, but already using method 110
Oct 27 10:56:43 leodagan pluto[11856]: packet from XXX.XXX.XXX.XXX:
500: received Vendor ID payload [Dead Peer Detection]
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[13] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: responding to Main Mode from unknown peer
XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: | ike_alg_enc_ok
(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192,
keymaxlen=192, ret=1
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[13] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: NAT-Traversal: Result using draft-ietf-ipsec-nat-
t-ike (MacOS X): both are NATed
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[13] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[13] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: Main mode peer ID is ID_IPV4_ADDR: '10.155.175.125'
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[13]
XXX.XXX.XXX.XXX #55: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[14] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[13] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #55: deleting connection "L2TP-PSK-NAT" instance with
peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #55: I did not send a certificate because I do not
have one.
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #55: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection pda
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection pda
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[14] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection pda
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #55: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #55: Dead Peer Detection (RFC 3706): enabled
Oct 27 10:56:43 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[14] XXX.XXX.XXX.XXX
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #55: ignoring informational payload, type
IPSEC_INITIAL_CONTACT
Oct 27 10:56:43 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #55: received and ignored informational message
Oct 27 10:56:44 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[14] XXX.XXX.XXX.XXX
Oct 27 10:56:44 leodagan pluto[11856]: | netlink_get_spi: allocated
0x702db25d for esp.0 at YYY.YYY.YYY.YYY
Oct 27 10:56:44 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #56: responding to Quick Mode {msgid:17eef6ce}
Oct 27 10:56:44 leodagan pluto[11856]: | add inbound eroute
XXX.XXX.XXX.XXX/32:54487 --17-> YYY.YYY.YYY.YYY/32:1701 => tun.10000 at YYY.YYY.YYY.YYY
(raw_eroute)
Oct 27 10:56:44 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #56: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Oct 27 10:56:44 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #56: STATE_QUICK_R1: sent QR1, inbound IPsec SA
installed, expecting QI2
Oct 27 10:56:44 leodagan pluto[11856]: | processing connection L2TP-
PSK-NAT[14] XXX.XXX.XXX.XXX
Oct 27 10:56:44 leodagan pluto[11856]: | eroute_connection add eroute
YYY.YYY.YYY.YYY/32:1701 --17-> XXX.XXX.XXX.XXX/32:54487 => esp.fb85b7f at XXX.XXX.XXX.XXX
(raw_eroute)
Oct 27 10:56:44 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #56: Dead Peer Detection (RFC 3706): enabled
Oct 27 10:56:44 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #56: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Oct 27 10:56:44 leodagan pluto[11856]: "L2TP-PSK-NAT"[14]
XXX.XXX.XXX.XXX #56: STATE_QUICK_R2: IPsec SA established {ESP/
NAT=>0x0fb85b7f <0x702db25d xfrm=AES_128-HMAC_SHA1
NATD=XXX.XXX.XXX.XXX:4500 DPD=enabled}
Oct 27 10:56:49 leodagan pluto[11856]: | rejected packet:
Oct 27 10:56:49 leodagan pluto[11856]: | 0f b8 5b 7f 00 00 00 04
3f f9 a9 ba 8e 5b e5 c1
Oct 27 10:56:49 leodagan pluto[11856]: | 52 9b f4 86 ea 69 83 50
d6 6b 87 91 ef 6f 73 fb
Oct 27 10:56:49 leodagan pluto[11856]: | 77 9e 64 7a 9c 39 96 9e
c3 ab 94 97 c3 f0 00 1c
Oct 27 10:56:49 leodagan pluto[11856]: | 48 70 17 c8 0c 03 c3 cd
0b fc 40 f4 ef ad 0a 68
Oct 27 10:56:49 leodagan pluto[11856]: | 56 b3 3c cd 89 25 37 1d
9b 35 4b f1 07 9c ac d6
Oct 27 10:56:49 leodagan pluto[11856]: | f5 06 0b c3 11 57 46 2e
1e e2 77 1b 52 c2 da 0f
Oct 27 10:56:49 leodagan pluto[11856]: | 80 c7 0d 12 17 8b 9e 9e
03 38 c4 bf ac d6 23 2d
Oct 27 10:56:49 leodagan pluto[11856]: | 0e 14 05 32 64 3b 5f b2
2e fb c0 40 1d 16 97 5a
Oct 27 10:56:49 leodagan pluto[11856]: | db 98 01 c2 6a 33 00 07
20 3d f4 cc 61 5a 7c e2
Oct 27 10:56:49 leodagan pluto[11856]: | bf 01 d0 68 79 ef f1 3f
bd 69 16 6a 4d 39 ca be
Oct 27 10:56:49 leodagan pluto[11856]: | 5c 93 6c 63
Oct 27 10:56:49 leodagan pluto[11856]: | control:
Oct 27 10:56:49 leodagan pluto[11856]: | 18 00 00 00 00 00 00 00
08 00 00 00 01 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 58 a7 af e7 58 a7 af e7
2c 00 00 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 0b 00 00 00 71 00 00 00
02 03 01 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 00 00 00 00 02 00 00 00
58 a7 af e7 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | name:
Oct 27 10:56:49 leodagan pluto[11856]: | 02 00 11 94 d5 1e b5 5c
00 00 00 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: ERROR: asynchronous network
error report on eth0 (sport=4500) for message to XXX.XXX.XXX.XXX port
4500, complainant YYY.YYY.YYY.YYY: No route to host [errno 113, origin
ICMP type 3 code 1 (not authenticated)]
Oct 27 10:56:49 leodagan pluto[11856]: | rejected packet:
Oct 27 10:56:49 leodagan pluto[11856]: | 0f b8 5b 7f 00 00 00 05
20 3d f4 cc 61 5a 7c e2
Oct 27 10:56:49 leodagan pluto[11856]: | bf 01 d0 68 79 ef f1 3f
fc c1 38 36 b0 95 e4 78
Oct 27 10:56:49 leodagan pluto[11856]: | 95 70 d7 79 d0 b2 f6 7c
e8 a9 b0 15 69 6d 1f 22
Oct 27 10:56:49 leodagan pluto[11856]: | 31 cc 21 79 0b 02 f3 ac
3a 83 79 d5 ea 82 9d d4
Oct 27 10:56:49 leodagan pluto[11856]: | 57 1c 9a 38 b6 45 d5 44
c6 4e 6e 77 15 ba 1f f5
Oct 27 10:56:49 leodagan pluto[11856]: | 78 ea 21 55 70 dd 86 48
4e 5e 14 dd 43 13 b3 2b
Oct 27 10:56:49 leodagan pluto[11856]: | bd 3a 2d 28 58 6d b7 2e
9e 6b c6 21 4e 53 48 a1
Oct 27 10:56:49 leodagan pluto[11856]: | 0d 08 86 77 0f 2e 74 83
a2 7e 18 2f f6 9b 44 3e
Oct 27 10:56:49 leodagan pluto[11856]: | 8f 0d c2 cf 8b 88 ce 40
9b 04 39 8c 7e dd f3 e0
Oct 27 10:56:49 leodagan pluto[11856]: | 51 48 f8 f5 b3 e8 2b e5
be a1 51 45 6f eb c8 02
Oct 27 10:56:49 leodagan pluto[11856]: | fd 05 2a a6
Oct 27 10:56:49 leodagan pluto[11856]: | control:
Oct 27 10:56:49 leodagan pluto[11856]: | 18 00 00 00 00 00 00 00
08 00 00 00 01 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 58 a7 af e7 58 a7 af e7
2c 00 00 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 0b 00 00 00 71 00 00 00
02 03 01 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 00 00 00 00 02 00 00 00
58 a7 af e7 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | name:
Oct 27 10:56:49 leodagan pluto[11856]: | 02 00 11 94 d5 1e b5 5c
00 00 00 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: ERROR: asynchronous network
error report on eth0 (sport=4500) for message to XXX.XXX.XXX.XXX port
4500, complainant YYY.YYY.YYY.YYY: No route to host [errno 113, origin
ICMP type 3 code 1 (not authenticated)]
Oct 27 10:56:49 leodagan pluto[11856]: | rejected packet:
Oct 27 10:56:49 leodagan pluto[11856]: | 0f b8 5b 7f 00 00 00 06
9b 04 39 8c 7e dd f3 e0
Oct 27 10:56:49 leodagan pluto[11856]: | 51 48 f8 f5 b3 e8 2b e5
2d 68 cc c0 1f f5 11 f0
Oct 27 10:56:49 leodagan pluto[11856]: | 54 a6 05 8b 6c b1 ee 9d
38 8a 2c ed 5b 8f fa 0f
Oct 27 10:56:49 leodagan pluto[11856]: | 3d 8d 42 1e fc 6c 17 56
dd e2 bd cb e9 96 3c 6a
Oct 27 10:56:49 leodagan pluto[11856]: | 58 15 55 0d 9b 77 1f ee
30 40 be 46 17 6f 00 98
Oct 27 10:56:49 leodagan pluto[11856]: | cc ec 23 f7 0d c7 a8 41
5e 1f 0a ef 36 8f 76 20
Oct 27 10:56:49 leodagan pluto[11856]: | 30 72 2e ee 27 5c 42 f0
a4 f5 77 16 1f ab ff f3
Oct 27 10:56:49 leodagan pluto[11856]: | f1 31 9c e2 41 76 3d 97
fa fa a5 18 eb c1 c6 33
Oct 27 10:56:49 leodagan pluto[11856]: | 9a f6 d0 e6 f8 d6 45 77
d1 41 36 bb 60 71 6f 07
Oct 27 10:56:49 leodagan pluto[11856]: | 34 8f 99 8e 3d d0 c5 7a
bb 19 23 09 95 20 95 21
Oct 27 10:56:49 leodagan pluto[11856]: | 25 97 fc cf
Oct 27 10:56:49 leodagan pluto[11856]: | control:
Oct 27 10:56:49 leodagan pluto[11856]: | 18 00 00 00 00 00 00 00
08 00 00 00 01 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 58 a7 af e7 58 a7 af e7
2c 00 00 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 0b 00 00 00 71 00 00 00
02 03 01 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 00 00 00 00 02 00 00 00
58 a7 af e7 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: | name:
Oct 27 10:56:49 leodagan pluto[11856]: | 02 00 11 94 d5 1e b5 5c
00 00 00 00 00 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: ERROR: asynchronous network
error report on eth0 (sport=4500) for message to XXX.XXX.XXX.XXX port
4500, complainant YYY.YYY.YYY.YYY: No route to host [errno 113, origin
ICMP type 3 code 1 (not authenticated)]
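As an added illustration (not part of Ben's post and not Openswan code), the following Python parser reads pluto debug output of the kind quoted above, extracts the ESP SPIs from the "IPsec SA established" line, decodes the first eight bytes of each "rejected packet" dump as an ESP header (4-byte SPI followed by a 4-byte sequence number), and correlates both with the asynchronous ICMP error reports. The sample log is a constructed, condensed subset of the lines quoted above, re-joined onto single lines; the `local_ip` argument is an assumption supplied by the caller so that the parser can tell whether the ICMP "complainant" is the gateway's own address.

```python
"""Correlate Openswan pluto debug output: negotiated ESP SPIs, 'rejected
packet' dumps, and asynchronous ICMP error reports (added example)."""
import re
import struct
from dataclasses import dataclass, field

# Constructed sample: a condensed subset of the pluto lines quoted in the
# post, re-joined onto single lines. Addresses are the poster's placeholders.
SAMPLE_LOG = """\
Oct 27 10:56:44 leodagan pluto[11856]: "L2TP-PSK-NAT"[14] XXX.XXX.XXX.XXX #56: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x0fb85b7f <0x702db25d xfrm=AES_128-HMAC_SHA1 NATD=XXX.XXX.XXX.XXX:4500 DPD=enabled}
Oct 27 10:56:49 leodagan pluto[11856]: | rejected packet:
Oct 27 10:56:49 leodagan pluto[11856]: | 0f b8 5b 7f 00 00 00 04 3f f9 a9 ba 8e 5b e5 c1
Oct 27 10:56:49 leodagan pluto[11856]: | 52 9b f4 86 ea 69 83 50 d6 6b 87 91 ef 6f 73 fb
Oct 27 10:56:49 leodagan pluto[11856]: | control:
Oct 27 10:56:49 leodagan pluto[11856]: | 18 00 00 00 00 00 00 00 08 00 00 00 01 00 00 00
Oct 27 10:56:49 leodagan pluto[11856]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to XXX.XXX.XXX.XXX port 4500, complainant YYY.YYY.YYY.YYY: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Oct 27 10:56:49 leodagan pluto[11856]: | rejected packet:
Oct 27 10:56:49 leodagan pluto[11856]: | 0f b8 5b 7f 00 00 00 05 20 3d f4 cc 61 5a 7c e2
Oct 27 10:56:49 leodagan pluto[11856]: | control:
Oct 27 10:56:49 leodagan pluto[11856]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to XXX.XXX.XXX.XXX port 4500, complainant YYY.YYY.YYY.YYY: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

# Strip the syslog prefix; keep only the message pluto wrote.
PREFIX = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (.*)$')
SA_RE = re.compile(r'#(\d+): STATE_QUICK_R2: IPsec SA established '
                   r'\{ESP(?:/NAT)?=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')
ERR_RE = re.compile(r'ERROR: asynchronous network error report on (\S+) '
                    r'\(sport=(\d+)\) for message to (\S+) port (\d+), '
                    r'complainant (\S+): (.+?) \[errno (\d+), origin ICMP '
                    r'type (\d+) code (\d+)')
HEX_RE = re.compile(r'^\| ((?:[0-9a-f]{2} ?)+)$')


@dataclass
class IpsecSa:
    state_no: int
    outbound_spi: int   # SPI pluto puts after "=>" (our outbound ESP SA)
    inbound_spi: int    # SPI after "<" (the SA we receive on)


@dataclass
class RejectedPacket:
    spi: int
    seq: int
    length: int         # bytes captured in the dump


@dataclass
class NetError:
    iface: str
    dst: str
    dport: int
    complainant: str
    errno: int
    icmp_type: int
    icmp_code: int


@dataclass
class Report:
    sas: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def decode_esp(data):
    """ESP header: SPI (4 bytes, network order) then sequence number (4)."""
    if len(data) < 8:
        raise ValueError('dump shorter than an ESP header')
    spi, seq = struct.unpack('!II', data[:8])
    return RejectedPacket(spi=spi, seq=seq, length=len(data))


def parse_pluto_log(text, local_ip=None):
    rep = Report()
    dump = None  # bytes collected since the last '| rejected packet:' line
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg == '| rejected packet:':
            dump = bytearray()
            continue
        if dump is not None:
            hm = HEX_RE.match(msg)
            if hm:
                dump += bytes.fromhex(hm.group(1).replace(' ', ''))
                continue
            # first non-hex line ('| control:') closes the packet section;
            # the control/name cmsg bytes that follow are not collected
            rep.rejected.append(decode_esp(dump))
            dump = None
        sm = SA_RE.search(msg)
        if sm:
            rep.sas.append(IpsecSa(int(sm.group(1)),
                                   int(sm.group(2), 16), int(sm.group(3), 16)))
        em = ERR_RE.search(msg)
        if em:
            rep.errors.append(NetError(em.group(1), em.group(3), int(em.group(4)),
                                       em.group(5), int(em.group(7)),
                                       int(em.group(8)), int(em.group(9))))
    if dump:
        rep.rejected.append(decode_esp(dump))
    rep.findings = correlate(rep, local_ip)
    return rep


def correlate(rep, local_ip):
    findings = []
    outbound = {sa.outbound_spi: sa for sa in rep.sas}
    for pkt in rep.rejected:
        sa = outbound.get(pkt.spi)
        if sa:
            findings.append(f'rejected packet = ESP seq {pkt.seq} on our outbound '
                            f'SA spi=0x{pkt.spi:08x} (state #{sa.state_no}): the '
                            f'tunnel negotiated, but the encrypted reply never left')
        else:
            findings.append(f'rejected packet spi=0x{pkt.spi:08x} matches no '
                            f'negotiated outbound SA')
    for e in rep.errors:
        if e.errno == 113 and (e.icmp_type, e.icmp_code) == (3, 1):
            origin = ('generated locally' if e.complainant == local_ip
                      else f'sent by {e.complainant}')
            findings.append(f'ICMP host-unreachable for {e.dst}:{e.dport} was '
                            f'{origin}: check the route to the client on '
                            f'{e.iface} and any local firewall REJECT rules')
    return findings


if __name__ == '__main__':
    for line in parse_pluto_log(SAMPLE_LOG, local_ip='YYY.YYY.YYY.YYY').findings:
        print(line)
```

Run against the quoted log, the dumps all begin `0f b8 5b 7f`, which is exactly the outbound SPI pluto reported in the "IPsec SA established" line, with sequence numbers 4, 5 and 6: the rejected packets are the gateway's own ESP-in-UDP replies to the client, and the ICMP host-unreachable that blocks them carries the gateway's own address as complainant. That points the investigation at the gateway's local routing table and firewall for the path to XXX.XXX.XXX.XXX:4500 rather than at the IKE negotiation, which completed.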