[Openswan Users] iPad IPSEC/L2TP->OpenSwan problem

John E.P. Hynes john at hytronix.com
Mon Nov 1 16:08:45 EDT 2010


  On 10/28/2010 07:04 AM, John E.P. Hynes wrote:
>    On 10/27/2010 08:16 PM, Paul Wouters wrote:
>> On Wed, 27 Oct 2010, John E.P. Hynes wrote:
>>
>>> Thanks Paul - I tried all of your suggestions and changed the PSK to
>>> something without special chars.
>>>
>>> It looks like it's *almost* there now - now I get:
>> Good. If you have any idea of which characters caused the problem,
>> that would be good to know.
>>
>>> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
>>> peer proposal was reject in a virtual connection policy because:
>>> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
>>> a private network virtual IP was required, but the proposed IP did
>>> not match our list (virtual_private=)
>> The NAT'ed range your host is on is not within the defined subnets of
>> virtual_private= on your server.
>>
>> Normally virtual_private= contains the RFC1918 address space. Anything
>> else is dangerous because people could cause valid internet-reachable
>> routes to go to them instead.
>>
>> If you trust the client and it is not RFC1918, you could add it to
>> virtual_private=
>>
>> Paul
> Thanks Paul.  It is a little strange because all of our private nets are
> in the RFC1918 space, and adding a virtual_private line with the RFC1918
> nets solved that problem.
>
> I've now got some L2TPd issues, but I think I'll be able to get through
> those on my own.  I'll post back with results later.
>
> -John
>

Well, I lied - I've been trying to figure out what's going on with the 
L2TP part.  I *think* the firewall is blocking certain replies, but it's 
hard to tell - iptables certainly isn't logging anything I can see.

In case anyone here has an idea about this, the debug output from l2tpd 
is this:

get_call: allocating new tunnel for host x.x.x.x, port 51111.
ourtid = 27369, entropy_buf = 6ae9
new_call: initializing ourcid to 0
check_control: control, cid = 0, Ns = 0, Nr = 0
handle_avps: handling avp's for tunnel 27369, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
hostname_avp: peer reports hostname ''
assigned_tunnel_avp: using peer's tunnel 12
receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
my configured LNS hostname:
no configured LAC/LNS hostname found, using network hostname 
firewall.mydomain.com
control_xmit: Scheduling and transmitting packet 0
get_call: allocating new tunnel for host x.x.x.x, port 51111.
ourtid = 36545, entropy_buf = 8ec1
new_call: initializing ourcid to 0
check_control: control, cid = 0, Ns = 0, Nr = 0
handle_avps: handling avp's for tunnel 36545, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
hostname_avp: peer reports hostname ''
assigned_tunnel_avp: using peer's tunnel 12
receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
my configured LNS hostname:
no configured LAC/LNS hostname found, using network hostname 
firewall.mydomain.com
control_finish: Peer requested tunnel 12 twice, ignoring second one.
control_zlb: sending control ZLB on tunnel 12
call_close: Actually closing tunnel 36545
control_xmit: Scheduling and transmitting packet 0
control_xmit: Scheduling and transmitting packet 0
get_call: allocating new tunnel for host x.x.x.x, port 51111.
ourtid = 22072, entropy_buf = 5638
new_call: initializing ourcid to 0
check_control: control, cid = 0, Ns = 0, Nr = 0
handle_avps: handling avp's for tunnel 22072, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
hostname_avp: peer reports hostname ''
assigned_tunnel_avp: using peer's tunnel 12
receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
my configured LNS hostname:
no configured LAC/LNS hostname found, using network hostname 
firewall.mydomain.com
control_finish: Peer requested tunnel 12 twice, ignoring second one.
control_zlb: sending control ZLB on tunnel 12
call_close: Actually closing tunnel 22072
control_xmit: Scheduling and transmitting packet 0
control_xmit: Scheduling and transmitting packet 0
control_xmit: Scheduling and transmitting packet 0
control_xmit: Scheduling and transmitting packet 0
control_xmit: Scheduling and transmitting packet 0
get_call: allocating new tunnel for host x.x.x.x, port 51111.
ourtid = 5929, entropy_buf = 1729
new_call: initializing ourcid to 0
check_control: control, cid = 0, Ns = 0, Nr = 0
handle_avps: handling avp's for tunnel 5929, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
hostname_avp: peer reports hostname ''
assigned_tunnel_avp: using peer's tunnel 12
receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
my configured LNS hostname:
no configured LAC/LNS hostname found, using network hostname 
firewall.mydomain.com
control_finish: Peer requested tunnel 12 twice, ignoring second one.
control_zlb: sending control ZLB on tunnel 12
call_close: Actually closing tunnel 5929
control_xmit: Maximum retries exceeded for peer (null)
call_close: enqueing close message for tunnel
control_xmit: Scheduling and transmitting packet 1
call_close : Connection closed with peer (null), reason: Timeout
control_xmit: Scheduling and transmitting packet 1
control_xmit: Scheduling and transmitting packet 1
control_xmit: Scheduling and transmitting packet 1
control_xmit: Scheduling and transmitting packet 1
control_xmit: Scheduling and transmitting packet 1
control_xmit: Scheduling and transmitting packet 1
get_call: allocating new tunnel for host x.x.x.x, port 51111.
ourtid = 51073, entropy_buf = c781
new_call: initializing ourcid to 0
check_control: control, cid = 0, Ns = 0, Nr = 0
handle_avps: handling avp's for tunnel 51073, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
hostname_avp: peer reports hostname ''
assigned_tunnel_avp: using peer's tunnel 12
receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
my configured LNS hostname:
no configured LAC/LNS hostname found, using network hostname 
firewall.mydomain.com
control_finish: Peer requested tunnel 12 twice, ignoring second one.
control_zlb: sending control ZLB on tunnel 12
call_close: Actually closing tunnel 51073
control_xmit: Scheduling and transmitting packet 1
control_xmit: Unable to deliver closing message for peer (null)
call_close: Actually closing tunnel 27369

...and tcpdump on port 1701 shows:

15:38:42.678660 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:43.250723 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 40) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 34cd!]  
l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
15:38:43.678687 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:44.678748 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:45.258490 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 40) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 34cd!]  
l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
15:38:45.678764 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:46.678828 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:47.678854 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:48.678912 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:49.366645 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 40) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 34cd!]  
l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
15:38:49.678915 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 146) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:50.679219 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)
15:38:51.679296 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)
15:38:52.679334 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)
15:38:53.679359 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)
15:38:54.679393 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)
15:38:55.679467 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)
15:38:56.679542 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)
15:38:57.488562 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 40) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 34cd!]  
l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
15:38:57.679496 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 73) firewall.mydomain.com.l2tp > 
remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  
l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) 
*RESULT_CODE(1/0 Timeout)

Stumped.

If there's a better place to ask - I'd appreciate it if someone would 
direct me there! :)

-John
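As an added triage aid (not from the post, nor from the Openswan or l2tpd projects): the l2tpd debug and the tcpdump trace above show the same failure from two sides, the LNS retransmitting its SCCRP with Ns=0 until it gives up with StopCCN/Timeout, while the client keeps resending its SCCRQ (the "Peer requested tunnel 12 twice" lines). The script below parses both, assuming tcpdump -v's l2tp formatting and a known local hostname; the sample lines are constructed to mirror the post.

```python
import re
from collections import Counter

# Constructed samples modelled on the l2tpd debug and tcpdump -v output in the post,
# one tcpdump record per line; hostnames and ids are placeholders, not a real capture.
L2TPD_LOG = """\
control_finish: Peer requested tunnel 12 twice, ignoring second one.
control_finish: Peer requested tunnel 12 twice, ignoring second one.
control_xmit: Maximum retries exceeded for peer (null)
"""
CAPTURE = """\
15:38:42.678660 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 146) firewall.mydomain.com.l2tp > remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:43.250723 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 40) firewall.mydomain.com.l2tp > remote-ip.theirdomain.com.58268: [bad udp cksum 34cd!]  l2tp:[TLS](7/0)Ns=0,Nr=1 ZLB
15:38:43.678687 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 146) firewall.mydomain.com.l2tp > remote-ip.theirdomain.com.58268:  l2tp:[TLS](7/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:38:50.679219 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 73) firewall.mydomain.com.l2tp > remote-ip.theirdomain.com.58268: [bad udp cksum 16e7!]  l2tp:[TLS](7/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49186) *RESULT_CODE(1/0 Timeout)
"""

# "host.port" endpoints; tcpdump prints the service name l2tp for UDP 1701
RECORD = re.compile(
    r"^(?P<ts>\S+) IP .*?(?P<src>[\w.-]+) > (?P<dst>[\w.-]+):\s+(?:\[[^\]]*\]\s+)?"
    r"l2tp:\[[^\]]*\]\(\d+/\d+\)Ns=(?P<ns>\d+),Nr=(?P<nr>\d+)\s*(?P<rest>.*)$")
MSGTYPE = re.compile(r"\*MSGTYPE\((\w+)\)")
RETRY = re.compile(r"Peer requested tunnel (\d+) twice")

def parse_capture(lines):
    """Turn tcpdump l2tp records into dicts; lines that are not L2TP control are skipped."""
    msgs = []
    for m in filter(None, map(RECORD.match, lines)):
        kind = MSGTYPE.search(m["rest"])
        msgs.append({"src": m["src"], "ns": int(m["ns"]), "nr": int(m["nr"]),
                     "type": kind.group(1) if kind else "ZLB",  # control with no AVPs is a ZLB ack
                     "timeout": "Timeout" in m["rest"]})
    return msgs

def peer_sccrq_retries(log_lines):
    """Per peer tunnel id, how often l2tpd saw the client resend its SCCRQ."""
    return Counter(int(m.group(1)) for m in map(RETRY.search, log_lines) if m)

def diagnose(msgs, local_host):
    """Classify the SCCRQ -> SCCRP -> SCCCN handshake from the LNS's point of view."""
    out = [m for m in msgs if m["src"].startswith(local_host)]
    inbound = [m for m in msgs if not m["src"].startswith(local_host)]
    sccrp = [m for m in out if m["type"] == "SCCRP"]
    return {
        "sccrp_sent": len(sccrp),
        # the same Ns on every SCCRP means one message was retransmitted, never acknowledged
        "sccrp_unacked": len(sccrp) >= 2 and len({m["ns"] for m in sccrp}) == 1,
        "scccn_seen": any(m["type"] == "SCCCN" for m in inbound),
        "inbound_control": len(inbound),
        "timed_out": any(m["type"] == "StopCCN" and m["timeout"] for m in out),
    }
```

A result with sccrp_unacked set and inbound_control at zero says the replies do leave l2tpd but this capture point never sees the peer's side of the exchange, which narrows the search to what happens to those replies between the daemon and the far end.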
