[Openswan Users] openswan 2.6.24rc4 pushed, please test!

Marc Fisher m4fisher at gmail.com
Mon Jan 4 13:09:50 EST 2010 

Paul, you just made my day! After so many hours it turned out to be 
"simple" misconfiguration problem.
After copying your configs over mine, it works great on all systems.
I've isolated the problem to the "rightprotoport". Mine config had 
"rightprotoport=17/1701" which was apparently causing the problem - 
changing to "rightprotoport=17/%any" solved it. Everything works now, 
XP, VISTA, WIN7 X64, Windows Mobile :D Many thanks!
Now why did I make such a stupid mistake? I've been wondering this 
myself for a while and I think it was like this.
I downloaded openswan 2.6.24.something 3 months ago and spent hours 
trying to resolve this timeout issue I was having. I remember changing 
this line many times over (also I read that %any is needed only in 
pre-XP windows). It didn't have any effect because apparently the NAT-T 
was broken then. However when you fixed it in rc4, I believe, I didn't 
think of fiddling with this because the problem was the same as 
before...and so I assumed the bug remained until you sent me your test 
server and proved me wrong.
Thanks again, and to repeat for anyone else having this issue:

If you can establish the tunnel successfully (i.e. you see 
"STATE_QUICK_R2: IPsec SA established transport mode" line in 
/var/log/secure) but then the server keeps trying to connect to client 
on port 1701 until it times out with
xl2tpd[10131]: Maximum retries exceeded for tunnel 63039.  Closing.
xl2tpd[10131]: Connection 1 closed to "client_IP" , port 1701 (Timeout)
try changing the "rightprotoport=17/1701" in /etc/ipsec.conf to 
"rightprotoport=17/%any", if it doesn't help check Paul's config in his 
mail below.

P.S. Now I remember why I had the 17/1701 line - because %any caused "no 
connection known for ...." in earlier releases, at least in my 
configuration...

Marc




Paul Wouters wrote:
> On Tue, 29 Dec 2009, Marc Fisher wrote:
>
>> Subject: Re: [Openswan Users] openswan 2.6.24rc4 pushed, please test!
>
> [l2tp test to aivd.xelerance.com]
>
>> worked nice, I'm in. It gave me 193.111.228.106, but thats just 
>> detail ;)
>> Wow, good to know it is possible to make it work, I guess it's just 
>> my linux box then. Could you tell me the specs of the server side? 
>> Like distro, kernel and if it's klips or netkey, also openswan 
>> version please. I'd also very much appreciate, if you could send me 
>> the config including the xl2tpd one if possible. I'd try that and 
>> then I could be certain it's something on my server that I need to 
>> tamper with.
>
> So it must be something on your server then. Below are my configs.
>
> bash-3.2# ipsec --version
> Linux Openswan U2.6.24rc2-dirty/K2.6.26-1-xen-amd64 (netkey)
>
> bash-3.2# /usr/sbin/xl2tpd -h
>
> xl2tpd version:  xl2tpd-1.2.4
>
> Note that eth0, the public interface has an mtu of 1472 instead of 1500
>
> /etc/sysctl.conf has
>
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.conf.all.log_martians = 0
> net.ipv4.conf.default.log_martians = 0
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
>
> ipsec.conf:
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:193.110.157.60/32 
>
>     protostack=netkey
>     nhelpers=0
>     interfaces="%defaultroute"
>     oe=off
>
> conn l2tp-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     #overlapip=yes
>         type=transport
>     leftsendcert=always
>     left=193.110.157.131
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/%any
>     rightsubnet=vhost:%priv,%no
>
> xl2tpd.conf (note that 193.111.228.0/24 is my "internal" network.
>
> [global]
> listen-addr = 193.110.157.131 ; ipsec saref = yes
> ; ipsec saref = no
> debug tunnel = yes
>
> [lns default]
> ip range = 193.111.228.100-193.111.228.199
> local ip = 193.111.228.1
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = OpenswanVPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
>
> options.xl2tpd:
>
> ipcp-accept-local
> ipcp-accept-remote
> ms-dns  193.110.157.136
> ms-dns  193.110.157.2
> ms-wins 192.168.1.2
> ms-wins 192.168.1.4
> noccp
> auth
> crtscts
> idle 1800
> mtu 1400
> mru 1400
> nodefaultroute
> debug
> lock
> proxyarp
> connect-delay 5000
>

More information about the Users mailing list