[Openswan Users] Help, openswan for the first time

jens vermand jvermad at gmail.com
Fri Jun 11 09:31:12 EDT 2010


Hello,

I just got openswan working with PSK ( Linux <---> Mac OS).

Now I want to authenticate VPN clients via LDAP.

Do you know if this is possible?
Do I need additional software?

Any hint would be great.

Thanks, Jens Vermand


On Thu, Jun 10, 2010 at 4:11 PM, jens vermand <jvermad at gmail.com> wrote:
> Hello,
>
> I am setting up openswan for the first time, but have some
> difficulties, maybe you can help here.
>
> Many thanks in advance.
> Jens vermand
>
>
> ---------------------------
> Setup: Ubuntu <----> clients: Mac OS X Leopard.
>
> Router / gateway are behind a LAN.
> I have standalone server and have only one IP available,
> ----------------------------
> version 2.0     # conforms to second version of ipsec.conf specification
>
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         nhelpers=0
>
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%no,%priv
>         also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
>         leftnexthop=XX_MyGatewayIP_XX
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         type=transport
>         left=%defaultroute
>         #leftprotoport=17/%any
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>
> -----------
>
> ipsec.secrets
> XX_MyGatewayIP_XX %any: PSK "test"
> ------------
>
> /etc/ppp/options.l2tpd
>
> auth                  # require authentication
> idle 1800             # disconnect if the link is idle for xx seconds
> mtu 1460              # MTU tx, tunnel overhead=40 bytes => 1500 - 40 = 1460
> mru 1460              # MTU rx, tunnel overhead=40 bytes => 1500 - 40 = 1460
> debug                 # log control packets to syslog
> proxyarp              # reply to ARP requests in the name of the peer
> name *
> proxyarp
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 3
> lcp-echo-interval 5
> nodeflate
> -----------------------------
>
> /etc/xl2tpd/l2tp-secrets
>
> # Secrets for authenticating l2tp tunnels
> *       *       test
>
> -------------------------
>
> Added in to the firewall rules:
>
> permit udp host y.y.y.y eq 500 any gt 1023
> permit udp host y.y.y.y eq 1701 any gt 1023
> permit tcp host y.y.y.y eq 500 any gt 1023
> permit tcp host y.y.y.y eq 1701 any gt 1023
>
>
> ================
> Log when i try to connect:
>
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: listening for IKE messages
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: NAT-Traversal: Trying
> new style NAT-T
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: NAT-Traversal:
> ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: NAT-Traversal: Trying
> old style NAT-T
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface
> eth0/eth0 XX_MyGatewayIP_XX:500
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface
> eth0/eth0 XX_MyGatewayIP_XX:4500
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface lo/lo
> 127.0.0.1:500
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface lo/lo
> 127.0.0.1:4500
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: adding interface lo/lo ::1:500
> Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: loading secrets from
> "/etc/ipsec.secrets"
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
> to=109
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike] method set to=110
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [8f8d83826d246b6fc7a8a6a428c11de8]
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [439b59f8ba676c4c7737ae22eab8f582]
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [4d1e0e136deafa34c4f3ea9f02ec7285]
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [80d0bb3def54565ee84645d4c85ce3ee]
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [9909b64eed937c6573de52ace952fa6b]
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> 110
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #1: responding to Main Mode from unknown peer
> XX_MyClientIP_XX
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
> to=109
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike] method set to=110
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [8f8d83826d246b6fc7a8a6a428c11de8]
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [439b59f8ba676c4c7737ae22eab8f582]
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [4d1e0e136deafa34c4f3ea9f02ec7285]
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [80d0bb3def54565ee84645d4c85ce3ee]
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [9909b64eed937c6573de52ace952fa6b]
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> 110
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #2: responding to Main Mode from unknown peer
> XX_MyClientIP_XX
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #2: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #2: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
> to=109
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike] method set to=110
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [8f8d83826d246b6fc7a8a6a428c11de8]
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [439b59f8ba676c4c7737ae22eab8f582]
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [4d1e0e136deafa34c4f3ea9f02ec7285]
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [80d0bb3def54565ee84645d4c85ce3ee]
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [9909b64eed937c6573de52ace952fa6b]
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> 110
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #3: responding to Main Mode from unknown peer
> XX_MyClientIP_XX
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #3: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Jun 10 15:55:19 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [RFC 3947] method set
> to=109
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike] method set to=110
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [8f8d83826d246b6fc7a8a6a428c11de8]
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [439b59f8ba676c4c7737ae22eab8f582]
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [4d1e0e136deafa34c4f3ea9f02ec7285]
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [80d0bb3def54565ee84645d4c85ce3ee]
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: ignoring unknown Vendor ID payload
> [9909b64eed937c6573de52ace952fa6b]
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> 110
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: packet from
> XX_MyClientIP_XX:500: received Vendor ID payload [Dead Peer Detection]
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #4: responding to Main Mode from unknown peer
> XX_MyClientIP_XX
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #4: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Jun 10 15:55:22 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1]
> XX_MyClientIP_XX #4: STATE_MAIN_R1: sent MR1, expecting MI2
>
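A small triage script, added here and not part of the thread or of Openswan, that walks pluto log lines like the ones quoted above: it reports the NAT-T ESPINUDP setup failure and lists the ISAKMP SAs that stopped at STATE_MAIN_R1 (MR1 sent, MI2 never received). The sample lines are constructed from the quoted log with its XX_..._XX placeholders; SA #2 advancing to STATE_MAIN_R2 is invented to show the non-stalled case.

```python
"""Triage Openswan pluto syslog lines: find IKEv1 Main Mode exchanges that
stalled after MR1 (no MI2 ever arrived) and whether NAT-T socket setup failed."""
import re

# Constructed sample, modelled on the quoted log; the XX_..._XX placeholders are kept,
# and SA #2 progressing to STATE_MAIN_R2 is invented to show a non-stalled case.
SAMPLE_LOG = """\
Jun 10 15:54:10 XX_MyGatewayIP_XX pluto[12998]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1] XX_MyClientIP_XX #1: responding to Main Mode from unknown peer XX_MyClientIP_XX
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1] XX_MyClientIP_XX #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 10 15:55:13 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1] XX_MyClientIP_XX #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1] XX_MyClientIP_XX #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 10 15:55:16 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1] XX_MyClientIP_XX #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 10 15:55:20 XX_MyGatewayIP_XX pluto[12998]: "L2TP-PSK-NAT"[1] XX_MyClientIP_XX #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"""

SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r"transition from state (?P<src>\S+) to state (?P<dst>\S+)")
NATT_FAIL = re.compile(r"ESPINUDP\(\d+\) setup failed .*\(errno=(?P<errno>\d+)\)")


def parse_pluto_log(text):
    """Return (natt_errno or None, {sa_number: {"conn", "peer", "state"}})."""
    natt_errno = None
    sas = {}
    for line in text.splitlines():
        m = NATT_FAIL.search(line)
        if m:
            natt_errno = int(m.group("errno"))  # errno 19 is ENODEV on Linux
            continue
        m = SA_LINE.search(line)
        if not m:
            continue
        sa = sas.setdefault(int(m.group("sa")),
                            {"conn": m.group("conn"), "peer": m.group("peer"), "state": None})
        t = TRANSITION.search(m.group("msg"))
        if t:
            sa["state"] = t.group("dst")  # last state reached by this ISAKMP SA
    return natt_errno, sas


def stalled_responders(text):
    """SA numbers whose last state is STATE_MAIN_R1: MR1 was sent but no MI2 came back."""
    _, sas = parse_pluto_log(text)
    return sorted(n for n, s in sas.items() if s["state"] == "STATE_MAIN_R1")


if __name__ == "__main__":
    errno, sas = parse_pluto_log(SAMPLE_LOG)
    print("NAT-T socket setup failed, errno:", errno)
    print("ISAKMP SAs stalled after MR1:", stalled_responders(SAMPLE_LOG))
```

Run it against `/var/log/auth.log` (or wherever pluto logs) by passing the file contents instead of SAMPLE_LOG; a list of stalled SAs growing one entry per retry, as in the quoted log, means the responder's MR1 is never answered.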

