[Openswan Users] Setting up a VPN: xl2tpd errors at control_finish, or Openswan fails to connect

Colin Cogle signofzeta at gmail.com
Fri Sep 4 14:39:34 EDT 2009


New member here, looking for some help setting up a VPN.  Google seems  
to fail me.

I'm trying to set up a L2TP/IPsec VPN for my company's road warriors.   
However, I can't get any clients to connect.  My iPhone (3.0.1) can  
connect via IPsec, but L2TP fails.  A Windows XP (SP3) box inside my  
LAN requests about fifty IPsec sessions, but doesn't complete logging  
into any of them.

Because I'm having the most luck with the iPhone, here's its log,  
snipped for brevity.  My Mac (OS X 10.5.8, now 10.6) gives me this  
output.  The last line comes up a few seconds after the iPhone  
declares the connection failed:

| Sep  4 14:13:32 hostname pluto[2389]: "roadwarrior-ipv4"[4] 32.140.219.57 #509: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x03c99b13 <0x6b8596e9 xfrm=AES_128-HMAC_SHA1 NATD=32.140.219.57:4500 DPD=enabled}
| Sep  4 14:13:34 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
| Sep  4 14:13:34 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
| Sep  4 14:13:39 hostname xl2tpd[23602]: Maximum retries exceeded for tunnel 9984.  Closing.
| Sep  4 14:13:39 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
| Sep  4 14:13:39 hostname xl2tpd[23602]: Connection 29 closed to 32.140.219.57, port 49180 (Timeout)
| Sep  4 14:13:44 hostname xl2tpd[23602]: Unable to deliver closing message for tunnel 9984. Destroying anyway.
| Sep  4 14:13:46 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
| Sep  4 14:14:34 hostname pluto[2389]: ERROR: asynchronous network error report on bond0 (sport=4500) for message to 32.140.219.57 port 4500, complainant 32.140.219.57: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]


The Windows client gives me this and more, about fifty times over per  
connection attempt.  It finally bombs out after almost a minute with  
error 800:

| Sep  4 13:42:29 hostname pluto[2389]: "roadwarrior-ipv4"[2] 172.16.2.146 #502: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x02f1db30 <0x6abbee93 xfrm=3DES_0-HMAC_MD5 NATD=172.16.2.146:4500 DPD=none}
| Sep  4 13:42:29 hostname pluto[2389]: packet from 172.16.2.146:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
| Sep  4 13:42:29 hostname pluto[2389]: packet from 172.16.2.146:500: ignoring Vendor ID payload [FRAGMENTATION]
| Sep  4 13:42:29 hostname pluto[2389]: packet from 172.16.2.146:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
| Sep  4 13:42:29 hostname pluto[2389]: packet from 172.16.2.146:500: ignoring Vendor ID payload [Vid-Initial-Contact]


I've been looking at this for a few weeks now, and I can't figure anything out.  Copies of my configuration files, or the full error logs (very large!) are available upon request.  The server is running Linux kernel 2.6.29-gentoo-r5 (will try rebooting into 2.6.30-gentoo-r4 after hours), Openswan 2.4.15, and xl2tpd 1.2.4.

Thanks in advance.
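Editor's note: the post shows the classic L2TP/IPsec two-layer failure, where pluto reports the IPsec SA as established but xl2tpd never completes the L2TP control connection running inside it. The script below is an added example, not from the thread or from the Openswan or xl2tpd projects; it correlates pluto and xl2tpd syslog lines per client address and reports how far each attempt got, so that a defender reviewing a busy VPN log can see at a glance whether a client failed at IKE, at the IPsec SA, or at L2TP. The sample log is constructed from the lines quoted above, re-joined onto single lines; the message formats it matches are only the ones visible in this post.

```python
"""Triage L2TP/IPsec client failures from pluto + xl2tpd syslog lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the post, re-joined onto single lines.
SAMPLE_LOG = """\
Sep  4 14:13:32 hostname pluto[2389]: "roadwarrior-ipv4"[4] 32.140.219.57 #509: STATE_QUICK_R2: IPsec SA established {ESP/NAT=>0x03c99b13 <0x6b8596e9 xfrm=AES_128-HMAC_SHA1 NATD=32.140.219.57:4500 DPD=enabled}
Sep  4 14:13:34 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
Sep  4 14:13:34 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
Sep  4 14:13:39 hostname xl2tpd[23602]: Maximum retries exceeded for tunnel 9984.  Closing.
Sep  4 14:13:39 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
Sep  4 14:13:39 hostname xl2tpd[23602]: Connection 29 closed to 32.140.219.57, port 49180 (Timeout)
Sep  4 14:13:44 hostname xl2tpd[23602]: Unable to deliver closing message for tunnel 9984. Destroying anyway.
Sep  4 14:13:46 hostname xl2tpd[23602]: control_finish: Peer requested tunnel 29 twice, ignoring second one.
Sep  4 14:14:34 hostname pluto[2389]: ERROR: asynchronous network error report on bond0 (sport=4500) for message to 32.140.219.57 port 4500, complainant 32.140.219.57: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# Syslog prefix: "Mon DD HH:MM:SS host daemon[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pluto: '"conn"[inst] PEER #sa: STATE_X: IPsec SA established {...}'
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<state>\S+): IPsec SA established')
# pluto: ICMP error delivered for a packet we sent to PEER (type 3 code 3 = port unreachable)
NETERR_RE = re.compile(r"asynchronous network error report on \S+ \(sport=(?P<sport>\d+)\) for message to "
                       r"(?P<peer>[\d.]+) port (?P<port>\d+).*origin ICMP type (?P<type>\d+) code (?P<code>\d+)")
# xl2tpd: the only message here that names both the tunnel id and the peer address
CLOSED_RE = re.compile(r"^Connection (?P<tid>\d+) closed to (?P<peer>[\d.]+), port (?P<port>\d+) \((?P<reason>[^)]+)\)")
DUP_RE = re.compile(r"^control_finish: Peer requested tunnel (?P<tid>\d+) twice")
RETRY_RE = re.compile(r"^Maximum retries exceeded for tunnel (?P<tid>\d+)")


def parse_line(line):
    """Return (daemon, message) for a syslog line, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return (m.group("daemon"), m.group("msg")) if m else None


def extract_events(text):
    """Turn raw syslog text into typed events; lines we do not recognise are skipped."""
    events = []
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if not parsed:
            continue
        daemon, msg = parsed
        if daemon == "pluto":
            if (m := SA_RE.match(msg)):
                events.append({"kind": "sa_up", "peer": m["peer"], "conn": m["conn"]})
            elif (m := NETERR_RE.search(msg)) and m["type"] == "3" and m["code"] == "3":
                events.append({"kind": "port_unreachable", "peer": m["peer"], "port": m["port"]})
        elif daemon == "xl2tpd":
            if (m := CLOSED_RE.match(msg)):
                events.append({"kind": "l2tp_closed", "peer": m["peer"], "tid": m["tid"], "reason": m["reason"]})
            elif (m := DUP_RE.match(msg)):
                events.append({"kind": "dup_request", "tid": m["tid"]})
            elif (m := RETRY_RE.match(msg)):
                events.append({"kind": "retries_exceeded", "tid": m["tid"]})
    return events


def triage(text):
    """Group events per client address and state how far each connection attempt got."""
    events = extract_events(text)
    # xl2tpd names the peer only on the 'closed' line, so use it to map tunnel id -> peer.
    tid_to_peer = {e["tid"]: e["peer"] for e in events if e["kind"] == "l2tp_closed"}
    per_peer = defaultdict(lambda: {"ipsec_sa_established": 0, "l2tp_closed": [],
                                    "duplicate_tunnel_requests": 0, "retries_exceeded": 0,
                                    "port_unreachable": 0})
    for e in events:
        peer = e.get("peer") or tid_to_peer.get(e.get("tid"), "unattributed")
        s = per_peer[peer]
        if e["kind"] == "sa_up":
            s["ipsec_sa_established"] += 1
        elif e["kind"] == "l2tp_closed":
            s["l2tp_closed"].append((e["tid"], e["reason"]))
        elif e["kind"] == "dup_request":
            s["duplicate_tunnel_requests"] += 1
        elif e["kind"] == "retries_exceeded":
            s["retries_exceeded"] += 1
        elif e["kind"] == "port_unreachable":
            s["port_unreachable"] += 1
    # Verdict: which layer of the L2TP-over-IPsec stack the attempt reached.
    for peer, s in per_peer.items():
        if peer == "unattributed":
            s["stage"] = "events not attributable to a peer address"
        elif s["ipsec_sa_established"] == 0:
            s["stage"] = "no IPsec SA established"
        elif s["l2tp_closed"]:
            tid, reason = s["l2tp_closed"][-1]
            s["stage"] = f"IPsec SA up; L2TP tunnel {tid} closed ({reason})"
        else:
            s["stage"] = "IPsec SA up; no L2TP outcome logged"
    return dict(per_peer)


if __name__ == "__main__":
    for peer, s in triage(SAMPLE_LOG).items():
        print(f"{peer}: {s['stage']}; duplicate tunnel requests={s['duplicate_tunnel_requests']}, "
              f"retries exceeded={s['retries_exceeded']}, ICMP port-unreachable={s['port_unreachable']}")
```

Run it against the combined syslog (or `journalctl` output piped to a file) and each client address gets one verdict line. Note that xl2tpd's "Maximum retries exceeded for tunnel 9984" uses a different tunnel number from the peer-assigned id 29, so it cannot be tied to an address from these lines alone and is reported under "unattributed" rather than guessed.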

