[Openswan Users] VPN L2TP/IPSec fails in securing the tunnel
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Tue Jul 12 18:12:16 EDT 2011
Hello everyone.
I'm trying to allow a non-openswan client to connect to my server, which
is running RHEL6.1, openswan and l2tpns. On tests using openswan as the
IPSec client, the authentication succeeds. The L2TP tunnel can also be
established without IPSec. I've already checked the firewall rules.
I 'think' that the client is using some sort of Cisco-based IPSec and is
using 3des-sha1 (sorry, no more info about it). All I have is the server-side
config and the logs:
>> /etc/ipsec.conf
version 2.0
config setup
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
include /etc/ipsec.d/*.conf
--------------------
>> /etc/ipsec.d/vpn.conf
conn L2TP-PSK
authby=secret
pfs=no
rekey=no
keyingtries=3
left=aa.bb.cc.dd
ike=3des-sha1
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
rightid=%any
auto=add
--------------------
>> /etc/ipsec.d/vpn.secrets
aa.bb.cc.dd %any: PSK "mysecret"
--------------------
>> Logs from /var/log/secure
Jul 12 18:49:28 myserver pluto[13712]: packet from ww.xx.yy.zz:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jul 12 18:49:28 myserver pluto[13712]: packet from ww.xx.yy.zz:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
Jul 12 18:49:28 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: responding to Main Mode from unknown peer ww.xx.yy.zz
Jul 12 18:49:28 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 12 18:49:28 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: received Vendor ID payload [Cisco-Unity]
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: received Vendor ID payload [Dead Peer Detection]
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: ignoring unknown Vendor ID payload [646dd7727d14cf644891351b8c5293b1]
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: received Vendor ID payload [XAUTH]
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: Main mode peer ID is ID_IPV4_ADDR: 'ww.xx.yy.zz'
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: the peer proposed: aa.bb.cc.dd/32:17/1701 -> ss.tt.uu.vv/29:17/1701
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: cannot respond to IPsec SA request because no connection is known for aa.bb.cc.dd<aa.bb.cc.dd>[+S=C]...ww.xx.yy.zz[+S=C]===ss.tt.uu.vv/29
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: sending encrypted notification INVALID_ID_INFORMATION to ww.xx.yy.zz:500
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: received Delete SA payload: deleting ISAKMP State #18
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz: deleting connection "L2TP-PSK" instance with peer ww.xx.yy.zz {isakmp=#0/ipsec=#0}
Jul 12 18:49:30 myserver pluto[13712]: packet from ww.xx.yy.zz:500: received and ignored informational message
It stops right before establishing the secure connection. Am I doing
something wrong?
Thanks in advance for any help!
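The log above shows the pattern worth recognising when triaging an L2TP/IPsec failure: Phase 1 (the ISAKMP SA) completes, then the responder rejects the Phase 2 (Quick Mode) proposal with INVALID_ID_INFORMATION because the traffic selectors the peer proposed do not match any loaded conn. A small triage script that pulls the proposed selectors out of the pluto log and compares them with the selectors a conn definition actually accepts makes that mismatch explicit. The following is an added example written for this thread, not code from the post or from the Openswan project; the sample log and conn text are constructed from the lines quoted above (same placeholder addresses), and the function names `parse_conn`, `expected_selectors` and `diagnose` are this example's own. It assumes Openswan's behaviour that a side without leftsubnet/rightsubnet gets the endpoint host address as a /32 selector.

```python
"""Compare the Phase 2 selectors a peer proposed (from pluto's log) with the
selectors an ipsec.conf conn will accept, to explain an INVALID_ID_INFORMATION."""
import re
from typing import Dict, Optional, Tuple

Selector = Tuple[str, int, int, int]  # (address, prefix length, protocol, port)

# Constructed sample input: the relevant pluto lines from the post, one entry per line.
SAMPLE_LOG = """\
Jul 12 18:49:28 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: responding to Main Mode from unknown peer ww.xx.yy.zz
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: received Vendor ID payload [XAUTH]
Jul 12 18:49:29 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: the peer proposed: aa.bb.cc.dd/32:17/1701 -> ss.tt.uu.vv/29:17/1701
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: cannot respond to IPsec SA request because no connection is known for aa.bb.cc.dd<aa.bb.cc.dd>[+S=C]...ww.xx.yy.zz[+S=C]===ss.tt.uu.vv/29
Jul 12 18:49:30 myserver pluto[13712]: "L2TP-PSK"[18] ww.xx.yy.zz #18: sending encrypted notification INVALID_ID_INFORMATION to ww.xx.yy.zz:500
"""

# Constructed sample input: the conn block from the post's /etc/ipsec.d/vpn.conf.
SAMPLE_CONN = """\
conn L2TP-PSK
    authby=secret
    pfs=no
    left=aa.bb.cc.dd
    ike=3des-sha1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightid=%any
    auto=add
"""

ENTRY_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: (?P<msg>.*)$')
SA_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
PROPOSED_RE = re.compile(
    r"the peer proposed: (?P<la>[^\s/]+)/(?P<lp>\d+):(?P<lproto>\d+)/(?P<lport>\d+)"
    r" -> (?P<ra>[^\s/]+)/(?P<rp>\d+):(?P<rproto>\d+)/(?P<rport>\d+)")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<notify>\w+) to")


def parse_conn(text: str) -> Dict[str, str]:
    """Return the key=value options of a single conn block; comments are ignored."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def protoport(value: Optional[str]) -> Tuple[int, int]:
    """'17/1701' -> (17, 1701); an unset protoport means any protocol, any port."""
    if not value:
        return (0, 0)
    proto, port = value.split("/", 1)
    return (int(proto), int(port))


def expected_selectors(opts: Dict[str, str], peer: str) -> Tuple[Selector, Selector]:
    """Selectors the conn accepts once `peer` has been instantiated as the right end.
    A side without a *subnet option gets its endpoint address as a /32 host selector
    (assumed Openswan behaviour for this example)."""
    def side(prefix: str, endpoint: str) -> Selector:
        subnet = opts.get(prefix + "subnet")
        if subnet:
            addr, plen = subnet.split("/", 1)
            return (addr, int(plen)) + protoport(opts.get(prefix + "protoport"))
        return (endpoint, 32) + protoport(opts.get(prefix + "protoport"))

    right = peer if opts.get("right", "%any") == "%any" else opts["right"]
    return side("left", opts["left"]), side("right", right)


def fmt(sel: Selector) -> str:
    return f"{sel[0]}/{sel[1]}:{sel[2]}/{sel[3]}"


def diagnose(log: str, conn_text: str) -> dict:
    """Walk the pluto log for one conn and report Phase 1 state, the Phase 2
    selectors proposed versus accepted, and the notification that ended it."""
    opts = parse_conn(conn_text)
    result: dict = {"conn": None, "peer": None, "phase1": None, "proposed": None,
                    "expected": None, "mismatches": [], "notification": None}
    for line in log.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # "packet from" lines and deletes carry no state number
        result["conn"], result["peer"], msg = m["conn"], m["peer"], m["msg"]
        sa = SA_RE.search(msg)
        if sa:  # Phase 1 completed: record the agreed ISAKMP parameters
            result["phase1"] = dict(kv.split("=", 1) for kv in sa["params"].split())
            continue
        p = PROPOSED_RE.search(msg)
        if p:  # Phase 2 proposal: our side first, peer side second
            proposed = ((p["la"], int(p["lp"]), int(p["lproto"]), int(p["lport"])),
                        (p["ra"], int(p["rp"]), int(p["rproto"]), int(p["rport"])))
            result["proposed"] = proposed
            result["expected"] = expected_selectors(opts, result["peer"])
            for name, got, want in zip(("local", "remote"), proposed, result["expected"]):
                if got != want:
                    result["mismatches"].append(
                        f"{name} selector {fmt(got)} proposed, conn accepts {fmt(want)}")
            continue
        n = NOTIFY_RE.search(msg)
        if n:
            result["notification"] = n["notify"]
    return result


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG, SAMPLE_CONN)
    print("Phase 1:", "established" if r["phase1"] else "not established", r["phase1"])
    for problem in r["mismatches"]:
        print("Phase 2 mismatch:", problem)
    print("Peer was sent:", r["notification"])
```

Run against the post's log, the script reports that Phase 1 completed with 3DES/MD5/PSK and that the only Phase 2 mismatch is on the remote side: the peer proposed ss.tt.uu.vv/29 behind itself, while a conn with right=%any and no rightsubnet only accepts the peer's own address as a /32. That is exactly the "no connection is known for ... ===ss.tt.uu.vv/29" line in prose, and it tells you the fix lives in the conn's right-side selector rather than in IKE ciphers or the PSK.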