[Openswan Users] Getting started
Lars Hecking
lhecking at users.sourceforge.net
Fri Aug 19 05:04:15 EDT 2011
I'm trying to set up an IPSEC/L2TP gateway. While the setup is working in
principle, I'm now stuck with no idea why it is failing.
Testing the setup with a Windows XP machine on the LAN side interface of
the gateway worked, and I was able to establish an IPSEC connection using
certificates (not a useful achievement as such, but it worked).
Now I'm trying to connect over the WAN from a Linux client, and I cannot get
a connection. Even downgrading to a PSK configuration does not help. The
client is behind NAT, but the server log indicates that this is detected
and taken care of.
Server: 11.22.33.44
Client: 192.168.1.2
Client NAT: 1.2.3.4
Server config (openswan-2.6.21-5.el5_6.4):
| version 2.0 # conforms to second version of ipsec.conf specification
|
| config setup
|     protostack=netkey
|     nat_traversal=yes
|     virtual_private=
|     oe=off
|     # Enable this if you see "failed to find any available worker"
|     nhelpers=0
|
| conn L2TP-PSK
|     authby=secret
|     pfs=no
|     rekey=no
|     keyingtries=3
|     left=11.22.33.44
|     leftprotoport=17/1701
|     right=%any
|     rightprotoport=17/%any
|     auto=add
Client config (openswan-2.4.15):
| version 2.0 # conforms to second version of ipsec.conf specification
|
| config setup
|     nat_traversal=yes
|     nhelpers=0
|
| conn L2TP-PSK-CLIENT
|     authby=secret
|     pfs=no
|     rekey=yes
|     auto=add
|     keyingtries=3
|     type=transport
|     left=%defaultroute
|     leftprotoport=17/1701
|     right=11.22.33.44
|     rightprotoport=17/0
|
| #Disable Opportunistic Encryption
| include /etc/ipsec/ipsec.d/examples/no_oe.conf
Server log:
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: ignoring unknown Vendor ID payload [4f457d78546050757b707245]
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: responding to Main Mode from unknown peer 1.2.3.4
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: STATE_MAIN_R1: sent MR1, expecting MI2
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: pluto_do_crypto: helper (-1) is exiting
| Aug 18 22:48:45 server pluto[14600]: packet from 1.2.3.4:500: pluto_do_crypto: helper (-1) is exiting
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: STATE_MAIN_R2: sent MR2, expecting MI3
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: switched from "L2TP-PSK" to "L2TP-PSK"
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: deleting connection "L2TP-PSK" instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: new NAT mapping for #4, was 1.2.3.4:500, now 1.2.3.4:4500
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: the peer proposed: 11.22.33.44/32:17/1701 -> 192.168.1.2/32:17/0
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: cannot respond to IPsec SA request because no connection is known for 11.22.33.44<11.22.33.44>[+S=C]:17/0...1.2.3.4[192.168.1.2,+S=C]:17/%any===192.168.1.2/32
| Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:4500
| Aug 18 22:48:56 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: the peer proposed: 11.22.33.44/32:17/1701 -> 192.168.1.2/32:17/0
| Aug 18 22:48:56 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: cannot respond to IPsec SA request because no connection is known for 11.22.33.44<11.22.33.44>[+S=C]:17/0...1.2.3.4[192.168.1.2,+S=C]:17/%any===192.168.1.2/32
| Aug 18 22:48:56 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:4500
| Aug 18 22:49:15 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: the peer proposed: 11.22.33.44/32:17/1701 -> 192.168.1.2/32:17/0
| Aug 18 22:49:15 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: cannot respond to IPsec SA request because no connection is known for 11.22.33.44<11.22.33.44>[+S=C]:17/0...1.2.3.4[192.168.1.2,+S=C]:17/%any===192.168.1.2/32
| Aug 18 22:49:15 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:4500
| Aug 18 22:49:56 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: the peer proposed: 11.22.33.44/32:17/1701 -> 192.168.1.2/32:17/0
| Aug 18 22:49:56 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: cannot respond to IPsec SA request because no connection is known for 11.22.33.44<11.22.33.44>[+S=C]:17/0...1.2.3.4[192.168.1.2,+S=C]:17/%any===192.168.1.2/32
| Aug 18 22:49:56 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:4500
| Aug 18 22:50:03 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: received Delete SA payload: deleting ISAKMP State #4
| Aug 18 22:50:03 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4: deleting connection "L2TP-PSK" instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
| Aug 18 22:50:03 server pluto[14600]: packet from 1.2.3.4:4500: received and ignored informational message
Client log:
| Aug 18 22:48:45 client pluto[20856]: "L2TP-PSK-CLIENT" #1: initiating Main Mode
| Aug 18 22:48:45 client pluto[20856]: "L2TP-PSK-CLIENT" #1: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
| Aug 18 22:48:45 client pluto[20856]: "L2TP-PSK-CLIENT" #1: received Vendor ID payload [Dead Peer Detection]
| Aug 18 22:48:45 client pluto[20856]: "L2TP-PSK-CLIENT" #1: received Vendor ID payload [RFC 3947] method set to=109
| Aug 18 22:48:45 client pluto[20856]: "L2TP-PSK-CLIENT" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
| Aug 18 22:48:45 client pluto[20856]: "L2TP-PSK-CLIENT" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| Aug 18 22:48:45 client pluto[20856]: "L2TP-PSK-CLIENT" #1: STATE_MAIN_I2: sent MI2, expecting MR2
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: I did not send a certificate because I do not have one.
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: IKEv2 Vendor ID payload received but not supported in this version
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: received Vendor ID payload [CAN-IKEv2]
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: Main mode peer ID is ID_IPV4_ADDR: '11.22.33.44'
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #2: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#1}
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: ignoring informational payload, type INVALID_ID_INFORMATION
| Aug 18 22:48:46 client pluto[20856]: "L2TP-PSK-CLIENT" #1: received and ignored informational message
| Aug 18 22:48:56 client pluto[20856]: "L2TP-PSK-CLIENT" #1: ignoring informational payload, type INVALID_ID_INFORMATION
| Aug 18 22:48:56 client pluto[20856]: "L2TP-PSK-CLIENT" #1: received and ignored informational message
| Aug 18 22:49:16 client pluto[20856]: "L2TP-PSK-CLIENT" #1: ignoring informational payload, type INVALID_ID_INFORMATION
| Aug 18 22:49:16 client pluto[20856]: "L2TP-PSK-CLIENT" #1: received and ignored informational message
| Aug 18 22:49:56 client pluto[20856]: "L2TP-PSK-CLIENT" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
| Aug 18 22:49:56 client pluto[20856]: "L2TP-PSK-CLIENT" #2: starting keying attempt 2 of at most 3, but releasing whack
| Aug 18 22:49:56 client pluto[20856]: "L2TP-PSK-CLIENT" #3: initiating Quick Mode PSK+ENCRYPT+UP to replace #2 {using isakmp#1}
| Aug 18 22:49:56 client pluto[20856]: "L2TP-PSK-CLIENT" #1: ignoring informational payload, type INVALID_ID_INFORMATION
| Aug 18 22:49:56 client pluto[20856]: "L2TP-PSK-CLIENT" #1: received and ignored informational message
| Aug 18 22:50:04 client pluto[20856]: "L2TP-PSK-CLIENT": terminating SAs using this connection
| Aug 18 22:50:04 client pluto[20856]: "L2TP-PSK-CLIENT" #3: deleting state (STATE_QUICK_I1)
| Aug 18 22:50:04 client pluto[20856]: "L2TP-PSK-CLIENT" #1: deleting state (STATE_MAIN_I4)
| Aug 18 22:50:04 client pluto[20856]: packet from 11.22.33.44:4500: Informational Exchange is for an unknown (expired?) SA
Thanks for any insights.
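As an added illustration, not part of the post above: a small Python routine that parses the server-side pluto log lines quoted in the message (a constructed subset is embedded) and separates the Main Mode result from the Quick Mode rejection, so the peer's proposed selectors and pluto's "no connection is known for" reason can be read off per ISAKMP state. The regular expressions follow the pluto message formats visible in this log and are an assumption for other Openswan versions.

```python
import ipaddress
import re

# Constructed sample: a subset of the server-side pluto lines quoted in the post.
SERVER_LOG = """\
Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[5] 1.2.3.4 #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: the peer proposed: 11.22.33.44/32:17/1701 -> 192.168.1.2/32:17/0
Aug 18 22:48:45 server pluto[14600]: "L2TP-PSK"[6] 1.2.3.4 #4: cannot respond to IPsec SA request because no connection is known for 11.22.33.44<11.22.33.44>[+S=C]:17/0...1.2.3.4[192.168.1.2,+S=C]:17/%any===192.168.1.2/32
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$')
PROPOSED_RE = re.compile(r"the peer proposed: (?P<local>\S+) -> (?P<remote>\S+)")
NOCONN_RE = re.compile(r"no connection is known for (?P<spec>\S+)")

def analyse_pluto_log(text: str) -> dict:
    """Group messages by ISAKMP state (#N): phase-1 outcome plus rejected Quick Mode proposals."""
    states: dict = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-state message (Vendor ID chatter, "deleting connection", ...)
        st = states.setdefault(int(m["state"]), {"conn": m["conn"], "peer": m["peer"], "peer_id": None,
                                                 "nated": False, "isakmp_sa": False, "rejections": []})
        msg = m["msg"]
        if "peer is NATed" in msg:
            st["nated"] = True
        elif msg.startswith("Main mode peer ID is"):
            st["peer_id"] = msg.split("'")[1]
        elif "ISAKMP SA established" in msg:
            st["isakmp_sa"] = True
        elif p := PROPOSED_RE.search(msg):
            st["rejections"].append({"local": p["local"], "remote": p["remote"], "spec": None})
        elif (n := NOCONN_RE.search(msg)) and st["rejections"]:
            st["rejections"][-1]["spec"] = n["spec"]  # reason belongs to the proposal just logged
    return states

def findings(states: dict) -> list:
    """Turn the per-state records into plain-language findings."""
    out = []
    for num, st in states.items():
        if st["isakmp_sa"]:
            out.append(f"#{num}: phase 1 (Main Mode) with {st['peer']} succeeded")
        if st["nated"] and st["peer_id"] and st["peer_id"] != st["peer"]:
            kind = "private" if ipaddress.ip_address(st["peer_id"]).is_private else "public"
            out.append(f"#{num}: peer is NATed; its ID {st['peer_id']} ({kind}) differs from source address {st['peer']}")
        for r in st["rejections"]:
            out.append(f"#{num}: phase 2 rejected: proposal {r['local']} -> {r['remote']} matched no conn: {r['spec']}")
    return out
```

Running `findings(analyse_pluto_log(SERVER_LOG))` on the embedded lines shows phase 1 completing and the single Quick Mode proposal being rejected for state #4, which is the boundary the poster's logs show on both sides.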