[Openswan Users] Help, openswan for the fist time

jens vermand jvermad at gmail.com
Thu Jun 10 10:11:43 EDT 2010 

Hello,

I am setting up the openswan for the fist time, but have some
difficulties, maybe you can help hier.

Many thanks in advance.
Jens vermand


---------------------------
Setup: Ubuntu <----> clients: Mac OS X Leopard.

Router / gateway are behind a LAN.
I have standalone server and have only one IP available,
----------------------------
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0

conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        leftnexthop=XX_MyGatewayIP_XX
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        left=%defaultroute
        #leftprotoport=17/%any
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

-----------

ipsec.secrect
XX_MyGatewayIP_XX %any: PSK "test"
------------

/etc/ppp/options.l2tpd

auth                  # require authentication
idle 1800             # disconnect if the link is idle for xx seconds
mtu 1460              # MTU tx, tunnel overhead=40 bytes => 1500 - 40 = 1460
mru 1460              # MTU rx, tunnel overhead=40 bytes => 1500 - 40 = 1460
debug                 # log control packets to syslog
proxyarp              # reply to ARP requests in the name of the peer
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
nodeflate
-----------------------------

/etc/xl2tpd/l2tp-secrets

# Secrets for authenticating l2tp tunnels
*       *       test

-------------------------

Added in to the firewall rules:

permit udp host y.y.y.y eq 500 any gt 1023
 permit udp host y.y.y.y eq 1701 any gt 1023
 permit tcp host y.y.y.y eq 500 any gt 1023
 permit tcp host y.y.y.y eq 1701 any gt 1023


================
Log when i try to connect:

Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: listening for IKE messages
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: NAT-Traversal: Trying
new style NAT-T
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: NAT-Traversal:
ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: NAT-Traversal: Trying
old style NAT-T
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface
eth0/eth0 XX_MyGatewayIP_XX:500
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface
eth0/eth0 XX_MyGatewayIP_XX:4500
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface lo/lo
127.0.0.1:500
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface lo/lo
127.0.0.1:4500
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface lo/lo ::1:500
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: loading secrets from
"/etc/ipsec.secrets"
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
to=109
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike] method set to=110
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
110
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #1: responding to Main Mode from unknown peer
XX_MyClientIP_XX
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
to=109
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike] method set to=110
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
110
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #2: responding to Main Mode from unknown peer
XX_MyClientIP_XX
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #2: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
to=109
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike] method set to=110
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
110
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #3: responding to Main Mode from unknown peer
XX_MyClientIP_XX
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #3: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
to=109
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike] method set to=110
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
110
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #4: responding to Main Mode from unknown peer
XX_MyClientIP_XX
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #4: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
XX_MyClientIP_XX #4: STATE_MAIN_R1: sent MR1, expecting MI2

More information about the Users mailing list