[Openswan Users] ipsec tunneling + openswan + mac os x + ping

Stefan Miklosovic miklosovic at gmail.com
Sat Apr 24 19:49:53 EDT 2010


Hi again,

thank you for your support; with your help we
figured it out, so we know ipsec / openswan works.

This is not sufficient, the second layer is l2tp (with ppp).
It seems to be ok, but these errors appear:
http://best.stuba.sk/stewe/ppp.html

so as you can see, I am connected from the Mac's built-in
VPN client, but only for a period of 2 minutes.

My kernel is 2.6.29.6; I've compiled ppp support and the pppol2tp
module into the kernel.

I think this part is the most interesting:

found interface eth0 for proxy arp
local  IP address 10.0.0.2
remote IP address 10.0.0.201
XPRT: tunl 35862: set retry interval to 2
XPRT: tunl 14938: send zlb ack, ns/nr=2/4
XPRT: RX: tunl 14938/8344: len=40 ns/nr=3/2, our ns/nr=2/4, peer ns/nr=3/2
XPRT: tunl 14938: duplicate packet ns/nr=3/2, our ns/nr=2/4
XPRT: tunl 14938: send zlb ack, ns/nr=2/4
XPRT: tunl 35862: set retry interval to 4
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet ns/nr 0/1 type 2, retry 1
XPRT: tunl 35862: set retry interval to 8
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet ns/nr 0/1 type 2, retry 2
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet ns/nr 0/1 type 2, retry 3
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet ns/nr 0/1 type 2, retry 4
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet ns/nr 0/1 type 2, retry 5
XPRT: tunl 35862: retry failure
FSM: CCE(35862) event XPRT_DOWN in state WAITCTLCONN
-------------------------

This is my openl2tp.conf:
tunnel profile modify profile_name=default \
        our_udp_port=1701

ppp profile modify profile_name=default \
        auth_eap=no \
        auth_pap=no \
        auth_none=no \
        auth_chap=yes \
        auth_mschapv1=yes \
        local_ipaddr=10.0.0.2 \
        auth_mschapv2=yes
------------------------------

In the end, if we want to use klips, there is an issue about non-ESP markers,
so klips does not start. I found the option "Secure marking" in the kernel's
"make menuconfig" (I think in Networking support -> Networking options
-> Security marking).
Does it help if I recompile it?

Sorry I am spamming the openswan mailing list with l2tp issues, but maybe
you will know solutions.


2010/4/20 Paul Wouters <paul at xelerance.com>:
> On Mon, 19 Apr 2010, Stefan Miklosovic wrote:
>
>> eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
>>        inet addr:12.34.56.78  Bcast:255.255.255.255  Mask:
>> 255.255.255.0
>
> That broadcast/mask seems wrong. Not sure if you errored it when
> anonymizing it.
>
>> # cat /etc/ipsec.secrets
>> 10.0.0.1 %any: PSK "thiskeyisshit"
>
> and public now :)
>
>>      nat_traversal=yes
>>      interfaces="ipsec0=eth2"
>> #       virtual_private=
>> %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> Looks like you did not enable virtual_private, which you need for NAT-T
>
>> conn roadwarrior-net
>> conn roadwarrior-l2tp
>> conn roadwarrior-l2tp-updatewin
>> conn roadwarrior-all
>> conn roadwarrior
>
> Merge all of these into one, see the updated examples in
> /etc/ipsec.d/examples/l2tp*
>
>>      left=12.34.56.78
>>      leftnexthop=12.34.56.1
>>      right=%any
>>      rightsubnet=192.168.0.0/24
>>      forceencaps=yes
>>      ike=3des-md5;modp1024
>>      phase2=esp
>>      phase2alg=3des-md5;modp1024
>>      auto=add
>
> For l2tp use transport mode, and no subnets except a
> rightsubnet=vhost:%no,%priv
> Use leftprotoport=17/1701 and rightprotoport=17/%any
>
>> Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
>> group=modp1024}
>>
>> Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #1: ignoring informational payload, type
>> IPSEC_INITIAL_CONTACT msgid=00000000
>> Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #1: received and ignored informational message
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #1: the peer proposed: 10.0.0.2/32:0/0 ->
>> 192.168.0.168/32:0/0
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #2: responding to Quick Mode proposal {msgid:4c56b781}
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #2:     us:
>> 10.0.0.0/16===12.34.56.78<12.34.56.78>[+S=C]---12.34.56.1
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #2:   them: 192.168.0.168[+S=C]===192.168.0.0/24
>> Apr 19 10:41:53 charon1 pluto[22429]: | NAT-OA: 32 tunnel: 0
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #2: transition from state STATE_QUICK_R0 to state
>> STATE_QUICK_R1
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
>> installed, expecting QI2
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #2: transition from state STATE_QUICK_R1 to state
>> STATE_QUICK_R2
>> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
>> {ESP/NAT=>0x0b6204fa <0xd6474be5 xfrm=3DES_0-HMAC_MD5 NATOA=none
>> NATD=192.168.0.168:4500 DPD=none}
>> Apr 19 11:37:22 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #3: initiating Main Mode to replace #1
>> Apr 19 11:38:32 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #3: max number of retransmissions (2) reached
>> STATE_MAIN_I1.  No response (or no acceptable response) to our first
>> IKE message
>> Apr 19 11:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
>> 192.168.0.168 #1: ISAKMP SA expired (LATEST!)
>
> Make sure to set rekey=no
>
> With those changes, try again and let us know if you see more issues.
>
> Paul
>
>



-- 
Stefan Miklosovic
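The ipsec.conf changes the reply asks for, worked through as an added example that is not part of the original post or of Openswan itself: a small Python linter that parses an ipsec.conf, embeds a constructed copy of the posted config next to a corrected conn, and flags every setting that differs from the recommended L2TP/IPsec road-warrior shape (type=transport, leftprotoport=17/1701, rightprotoport=17/%any, rightsubnet=vhost:%no,%priv, rekey=no, virtual_private enabled alongside nat_traversal=yes). The conn name l2tp-psk, authby=secret and pfs=no are assumptions taken from Openswan's shipped l2tp examples, not from the thread, and the 3DES/MD5 algorithms are kept as posted only for fidelity; they are legacy choices and would not be picked for a new deployment.

```python
"""Lint an Openswan ipsec.conf for the L2TP/IPsec road-warrior settings
recommended in the thread. Added example, not Openswan code."""

# Constructed sample with the shape of the config posted in the thread:
# tunnel mode, a real rightsubnet, virtual_private left commented out.
BAD_CONF = """\
config setup
        nat_traversal=yes
        interfaces="ipsec0=eth2"
#       virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior-net
        left=12.34.56.78
        leftnexthop=12.34.56.1
        right=%any
        rightsubnet=192.168.0.0/24
        forceencaps=yes
        ike=3des-md5;modp1024
        phase2=esp
        phase2alg=3des-md5;modp1024
        auto=add
"""

# Constructed sample applying the reply's advice to the same gateway.
# Assumptions: conn name, authby=secret and pfs=no follow Openswan's own
# l2tp examples; algorithms are kept as in the thread (legacy, not advice).
GOOD_CONF = """\
config setup
        nat_traversal=yes
        interfaces="ipsec0=eth2"
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn l2tp-psk
        type=transport
        authby=secret
        left=12.34.56.78
        leftnexthop=12.34.56.1
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        forceencaps=yes
        rekey=no
        pfs=no
        ike=3des-md5;modp1024
        phase2=esp
        phase2alg=3des-md5
        auto=add
"""

DEFAULTS = {"type": "tunnel", "rekey": "yes", "pfs": "yes"}   # Openswan defaults
REQUIRED = {"type": "transport", "leftprotoport": "17/1701",
            "rightprotoport": "17/%any", "rekey": "no", "pfs": "no"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}}: 'config setup' -> 'setup', 'conn X' -> 'X'.
    Text after '#' is dropped, so a commented-out virtual_private= never appears."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header at column 0
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind in ("config", "conn") else line.strip()
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {raw!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lint_l2tp_conn(sections, conn_name):
    """Return the list of deviations from the recommended shape (empty = ok)."""
    problems = []
    setup = sections.get("setup", {})
    if setup.get("nat_traversal") != "yes":
        problems.append("setup: nat_traversal=yes is needed for clients behind NAT")
    if not setup.get("virtual_private"):
        problems.append("setup: virtual_private is unset (commented out?) but NAT-T needs it")
    conn = sections.get(conn_name)
    if conn is None:
        return problems + [f"conn {conn_name}: not found"]
    for key, want in REQUIRED.items():
        got = conn.get(key, DEFAULTS.get(key))
        if got != want:
            problems.append(f"conn {conn_name}: {key}={got!r}, expected {want!r}")
    if conn.get("leftsubnet"):
        problems.append(f"conn {conn_name}: leftsubnet must not be set in transport mode")
    rs = conn.get("rightsubnet", "").replace(" ", "")
    if rs not in ("vhost:%no,%priv", "vhost:%priv,%no"):
        problems.append(f"conn {conn_name}: rightsubnet={rs!r}, expected vhost:%no,%priv")
    return problems


if __name__ == "__main__":
    for label, text, name in (("posted", BAD_CONF, "roadwarrior-net"),
                              ("fixed", GOOD_CONF, "l2tp-psk")):
        found = lint_l2tp_conn(parse_ipsec_conf(text), name)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run as a script it reports seven problems for the posted shape and none for the corrected conn; to lint your own file, pass its contents to parse_ipsec_conf. The parser does not follow `include` directives or `also=` references, so lint the file that actually carries the conn.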


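An added example, not code from the post or from openl2tp, that reads the log excerpt above (embedded as it was wrapped by the mail client) and summarises what each tunnel did: it re-joins the wrapped resend lines, counts ZLB acks and duplicates, and for a tunnel that ends in "retry failure" reports which control message went unanswered, using the RFC 2661 message-type numbers (type 2 is SCCRP, the server's reply to the client's SCCRQ). On this excerpt it separates tunnel 14938, which is still trading ZLB acks with the peer, from tunnel 35862, whose SCCRP to 92.52.32.100 was resent five times without the client's SCCCN arriving, so the control connection died in WAITCTLCONN. The regular expressions match the openl2tp debug format as it appears in the post; that other openl2tp versions log the same way is an assumption.

```python
"""Summarise openl2tp control-channel events per tunnel from the log
excerpt in the post. Added example, not openl2tp code."""

import re
from dataclasses import dataclass

# L2TP control message types (RFC 2661, section 3.2).
L2TP_MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                  7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                  12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}

# Patterns for the openl2tp debug lines as they appear in the post (assumption:
# other openl2tp versions format them the same way).
RESEND = re.compile(r"DATA: TX: tunl (\d+)/\d+: resend \d+ bytes to peer (\S+), "
                    r"packet ns/nr \d+/\d+ type (\d+), retry (\d+)")
ZLB = re.compile(r"XPRT: tunl (\d+): send zlb ack")
DUP = re.compile(r"XPRT: tunl (\d+): duplicate packet")
FAIL = re.compile(r"XPRT: tunl (\d+): retry failure")
FSM = re.compile(r"FSM: CCE\((\d+)\) event (\w+) in state (\w+)")

# The lines from the post, including the mail wrapping after "packet".
LOG = """\
found interface eth0 for proxy arp
local  IP address 10.0.0.2
remote IP address 10.0.0.201
XPRT: tunl 35862: set retry interval to 2
XPRT: tunl 14938: send zlb ack, ns/nr=2/4
XPRT: RX: tunl 14938/8344: len=40 ns/nr=3/2, our ns/nr=2/4, peer ns/nr=3/2
XPRT: tunl 14938: duplicate packet ns/nr=3/2, our ns/nr=2/4
XPRT: tunl 14938: send zlb ack, ns/nr=2/4
XPRT: tunl 35862: set retry interval to 4
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet
ns/nr 0/1 type 2, retry 1
XPRT: tunl 35862: set retry interval to 8
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet
ns/nr 0/1 type 2, retry 2
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet
ns/nr 0/1 type 2, retry 3
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet
ns/nr 0/1 type 2, retry 4
DATA: TX: tunl 35862/0: resend 137 bytes to peer 92.52.32.100, packet
ns/nr 0/1 type 2, retry 5
XPRT: tunl 35862: retry failure
FSM: CCE(35862) event XPRT_DOWN in state WAITCTLCONN
"""


@dataclass
class TunnelState:
    peer: str = ""
    resends: int = 0        # highest retry counter seen
    last_type: int = 0      # message type of the last resent control packet
    zlb_acks: int = 0
    duplicates: int = 0
    failed: bool = False
    fsm_event: str = ""
    fsm_state: str = ""

    @property
    def last_msg(self):
        return L2TP_MSG_TYPES.get(self.last_type, f"type {self.last_type}")


def unwrap(lines):
    """Re-join resend lines that the mail client wrapped before 'ns/nr'."""
    out = []
    for line in lines:
        line = line.strip()
        if line.startswith("ns/nr ") and out:
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out


def analyse(lines):
    """Return {tunnel_id: TunnelState} built from openl2tp debug lines."""
    tunnels = {}

    def state(tid):
        return tunnels.setdefault(int(tid), TunnelState())

    for line in unwrap(lines):
        if m := RESEND.search(line):
            st = state(m.group(1))
            st.peer, st.last_type = m.group(2), int(m.group(3))
            st.resends = max(st.resends, int(m.group(4)))
        elif m := ZLB.search(line):
            state(m.group(1)).zlb_acks += 1
        elif m := DUP.search(line):
            state(m.group(1)).duplicates += 1
        elif m := FAIL.search(line):
            state(m.group(1)).failed = True
        elif m := FSM.search(line):
            st = state(m.group(1))
            st.fsm_event, st.fsm_state = m.group(2), m.group(3)
    return tunnels


def report(tunnels):
    """One line per tunnel that gave up on a control message."""
    return [f"tunnel {tid}: {st.last_msg} to {st.peer} resent {st.resends}x "
            f"without an ack, {st.fsm_event} in state {st.fsm_state}"
            for tid, st in sorted(tunnels.items()) if st.failed]


if __name__ == "__main__":
    for line in report(analyse(LOG.splitlines())):
        print(line)
```

Feed it a real openl2tp log (with the l2tp debug flags on) instead of LOG to get the same per-tunnel summary; a tunnel whose SCCRP keeps being resent is one where the client's UDP/1701 replies are not reaching the server, which is what to check on the IPsec side before touching the ppp profile.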