[Openswan Users] connect to the Xl2tp+openswan failed from 2 virtual machine

Spacelee fjctlzy at gmail.com
Tue Aug 10 23:28:13 EDT 2010


The 2 virtual machines are bridged.
When starting a connection from one VM, everything is OK, but when starting a
connection from the other VM, it can't establish a connection.

===========================/etc/ipsec.conf======================================
version 2.0
config setup

        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off

        nhelpers=0
include /etc/ipsec.d/*.conf
===============================================================================================
====================================/etc/ipsec.d/L2TP-PSK-NAT.conf===============================================
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=216.23.52.34
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any


===============================================================================================


===================================successful============================================================
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: received
Vendor ID payload [RFC 3947] method set to=109
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 109
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring
Vendor ID payload [FRAGMENTATION]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring
Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring
Vendor ID payload [Vid-Initial-Contact]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring
Vendor ID payload [IKE CGA version 1]
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
responding to Main Mode from unknown peer 125.33.176.240
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
Main mode peer ID is ID_IPV4_ADDR: '10.0.2.15'
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18:
switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18:
deleting connection "L2TP-PSK-NAT" instance with peer 125.33.176.240
{isakmp=#0/ipsec=#0}
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: new
NAT mapping for #18, was 125.33.176.240:20073, now 125.33.176.240:61846
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: the
peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/0
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19:
responding to Quick Mode proposal {msgid:01000000}
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19:
us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19:
them: 125.33.176.240[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:03:41 moun pluto[5940]: | NAT-OA: 32 tunnel: 1
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 11 11:03:42 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 11:03:42 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xc80359b8
<0xeab48ba1 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15
NATD=125.33.176.240:61846DPD=none}

======================================================================================================

==========================================unsuccessful========================================================
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: ignoring
Vendor ID payload [FRAGMENTATION]
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: ignoring
Vendor ID payload [Vid-Initial-Contact]
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
responding to Main Mode from unknown peer 125.33.176.240
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
Main mode peer ID is ID_FQDN: '@john-af0f0acd'
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20:
switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: new
NAT mapping for #20, was 125.33.176.240:62093, now 125.33.176.240:28712
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
peer client type is FQDN
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
Applying workaround for MS-818043 NAT-T bug
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
IDci was FQDN: \330S3\204, using NAT_OA=10.0.2.15/32 as IDci
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: the
peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/0
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21:
responding to Quick Mode proposal {msgid:7b632bb8}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21:
us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21:
them: 125.33.176.240[@john-af0f0acd,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:04:24 moun pluto[5940]: | NAT-OA: 4 tunnel: 1
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21:
cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240
#19
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
peer client type is FQDN
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
Applying workaround for MS-818043 NAT-T bug
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
IDci was FQDN: \330S3\204, using NAT_OA=10.0.2.15/32 as IDci
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: the
peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/1701
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22:
responding to Quick Mode proposal {msgid:7b632bb8}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22:
us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22:
them: 125.33.176.240[@john-af0f0acd,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:04:24 moun pluto[5940]: | NAT-OA: 4 tunnel: 1
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22:
cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240
#19
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240:
deleting connection "L2TP-PSK-NAT" instance with peer 125.33.176.240
{isakmp=#0/ipsec=#0}
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
peer client type is FQDN
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
Applying workaround for MS-818043 NAT-T bug
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20:
IDci was FQDN: \330S3\204, using NAT_OA=10.0.2.15/32 as IDci
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: the
peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/1701
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23:
responding to Quick Mode proposal {msgid:7b632bb8}
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23:
us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23:
them: 125.33.176.240[@john-af0f0acd,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:04:26 moun pluto[5940]: | NAT-OA: 4 tunnel: 1
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23:
cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240
#19
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240:
deleting connection "L2TP-PSK-NAT" instance with peer 125.33.176.240
{isakmp=#0/ipsec=#0}
===============================================================================================



-- 
Spacelee
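In the unsuccessful log the second client's Quick Mode is rejected with "cannot install eroute -- it is in use", because the transport-mode eroute it asks for (216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/1701) is still held by the first client's SA #19, and both NATed peers behind 125.33.176.240 present the same inner address 10.0.2.15. The script below is an added example, not code from the post or from Openswan: it correlates such pluto lines to report each collision with the inner addresses on both sides; the sample lines are condensed from the post (wrapped lines joined), and attributing a peer's most recent NAT_OA by its public address is an assumption.

```python
"""Correlate pluto (Openswan) log lines to explain "cannot install eroute"
failures between NATed L2TP clients that share one public IP.
Constructed sample input: lines condensed from the mailing-list post."""
import re

SAMPLE_LOG = """\
Aug 11 11:03:42 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xc80359b8 <0xeab48ba1 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=125.33.176.240:61846DPD=none}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: IDci was FQDN: \\330S3\\204, using NAT_OA=10.0.2.15/32 as IDci
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240 #19
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240 #19
"""

# pluto prefix: "conn"[instance] peer-ip #state-number: message
PREFIX = re.compile(r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
ESTABLISHED = re.compile(r'IPsec SA established transport mode .*NATOA=(?P<natoa>[\d.]+)')
NAT_OA = re.compile(r'using NAT_OA=(?P<natoa>[\d.]+)/\d+ as IDci')
CONFLICT = re.compile(r'cannot install eroute -- it is in use for '
                      r'"(?P<hconn>[^"]+)"\[(?P<hinst>\d+)\] (?P<hpeer>[\d.]+) #(?P<hsa>\d+)')


def find_eroute_conflicts(log_text):
    """One record per 'cannot install eroute' line, joined with the inner
    (NAT-OA) address of the SA holding the eroute and of the peer that lost."""
    holders = {}     # (conn, inst, sa) -> NATOA of an established transport SA
    last_natoa = {}  # (conn, peer) -> NAT_OA most recently asserted by that public peer (assumption)
    conflicts = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        conn, inst, peer, sa, msg = m.group("conn", "inst", "peer", "sa", "msg")
        e, n, c = ESTABLISHED.search(msg), NAT_OA.search(msg), CONFLICT.search(msg)
        if e:
            holders[(conn, inst, sa)] = e.group("natoa")
        elif n:
            last_natoa[(conn, peer)] = n.group("natoa")
        elif c:
            holder_inner = holders.get((c.group("hconn"), c.group("hinst"), c.group("hsa")))
            new_inner = last_natoa.get((conn, peer))
            conflicts.append({
                "new_sa": "#" + sa, "new_inner": new_inner,
                "holder_sa": "#" + c.group("hsa"), "holder_inner": holder_inner,
                "same_public_ip": peer == c.group("hpeer"),
                # the diagnosis: two clients behind one NAT with identical inner addresses
                "same_inner_ip": new_inner is not None and new_inner == holder_inner,
            })
    return conflicts


if __name__ == "__main__":
    for record in find_eroute_conflicts(SAMPLE_LOG):
        print(record)
```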

