[Openswan Users] [ solved] Re: ipsec/l2tp server behind NAT

Curu Wong prinbra at gmail.com
Sat Jul 30 07:50:10 EDT 2011 

Finally this get solved before I really go mad.

I was in the wrong direction once, I thought it may be config problem, or
maybe server environment problem.  I tried to change gateway from Linux to
FreeBSD, tried to change the server from KVM to VMWare, then to physical
box  but all without luck. I asked people  in this list about config
problem, but as you know ,the config seems OK, have no problem.

Today when I continue the pain of trying to find out what's wrong, I get
this Link:

http://support.microsoft.com/kb/926179/en-us

So it's just miscrosoft client issue!

I followed the instruction, changed the registry in my Windows XP SP3, and
Windows 7,  and *reboot*. then  the connection succeeded like a damn magic!
(I tried to reconnect without reboot, but that failed, so, must
*reboot*after change the registry value)

In fact, the configuration of L2TP/IPSec is not that difficult and no much
place to make mistake. However, I spent much of my time trying to figure out
configuration problem...

Anyway, Thanks to all you guys.  Now I am saved.

2011/7/30 Curu Wong <prinbra at gmail.com>

> IPSec tunnels up, but never make it way to l2tp!
>
> xx.xx.xxx.109(public IP of gateway)
>
> yyy.yy.248.161(an windows 7 client connected via ADSL)
>
> yyy.yy.248.161-------->Internet--------->xx.xx.xxx.109(192.168.6.1)----------->
> 192.168.6.18
>
>
> =======================================================================
> Jul 30 02:41:22 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received Delete SA(0xfb0f531d) payload: deleting IPSEC State #662
> Jul 30 02:41:22 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received and ignored informational message
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the
> peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> responding to Quick Mode proposal {msgid:03000000}
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> us: 192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> them: yyy.yy.248.161[+S=C]:17/1701
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> keeping refhim=4294901761 during rekey
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #664:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x06e893de
> <0x94e87dbe xfrm=AES_128-HMAC_
> SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received Delete SA(0xacc6f55f) payload: deleting IPSEC State #663
> Jul 30 02:41:25 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received and ignored informational message
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the
> peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> responding to Quick Mode proposal {msgid:04000000}
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> us: 192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> them: yyy.yy.248.161[+S=C]:17/1701
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> keeping refhim=4294901761 during rekey
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #665:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x62e4dbed
> <0x60c4b2c4 xfrm=AES_128-HMAC_
> SHA1 NATOA=none NATD=yyy.yy.248.161:4500 DPD=none}
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received Delete SA(0x06e893de) payload: deleting IPSEC State #664
> Jul 30 02:41:29 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received and ignored informational message
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661: the
> peer proposed: xx.xx.xxx.109/32:17/1701 -> yyy.yy.248.161/32:17/1701
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> responding to Quick Mode proposal {msgid:05000000}
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> us: 192.168.6.18<192.168.6.18>[+S=C]:17/1701---192.168.6.18
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> them: yyy.yy.248.161[+S=C]:17/1701
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> keeping refhim=4294901761 during rekey
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #666:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe030f135
> <0x330430c4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=yyy.yy.248.161:4500
> DPD=none}
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received Delete SA(0x62e4dbed) payload: deleting IPSEC State #665
> Jul 30 02:41:37 ynot pluto[5006]: "l2tp-psk"[4] yyy.yy.248.161 #661:
> received and ignored informational message
>
> ======================================================================================
>
>
> Can anyone please help me out ?  I have been trapped here for several days.
> still I can't make the ipsec/l2tp vpn server behind NAT work.
>
> Tried Ubuntu 10.04 lts with its own openswan , still fai. tried CentOS,
> still fail. all fail.
>
> use DNAT and one-to-one nat on the gw, still fail.
>
> I will go mad without solving this. Seems other people with the identical
> config will work smoothly, But I always fail. why? What did I miss ?
>
> here's my  ipsec.conf
> ==================================================================
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:
> 10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         oe=off
>         protostack=netkey
>
> conn l2tp-psk
>         left=192.168.6.18
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>         rightsubnet=vhost:%priv,%no
>         pfs=no
>         rekey=no
>         type=transport
>         authby=secret
>         auto=add
> ======================================
>
> /etc/xl2tpd/xl2tpd.conf
> ======================================
> [global]
> listen-addr = 192.168.6.18
> debug tunnel= yes
> [lns default]
> ip range = 192.168.6.100-192.168.6.200
> local ip = 192.168.6.99
> assign ip = yes
> require chap = yes
> refuse pap = yes
> require authentication = yes
> pppoptfile = /etc/ppp/ppp-options.xl2tpd
> length bit = yes
> ========================================
>
>
> Thanks  anyone here for your kind help!
>
>
> 2011/7/28 Curu Wong <prinbra at gmail.com>
>
>> Maybe this has nothing to do with xl2tpd.
>>
>> I know that l2tp/ipsec will use transport mode. However, I managed to run
>> the server in tunnel mode. and let an Linux client( use openswan+ xl2tpd)
>> connect to the server, it works.
>>
>> Then, when I change from tunnel mode to transport, connection failed(ipsec
>> tunnel still up, but never goes to l2tp).
>>
>> Again, I tcpdump on mast0 interface. and find that when in transport mode,
>> the destination address packets from client has been changed to the internal
>> address of the server. thus I think. even this packet can goes to l2tpd, it
>> will never goes back to the client, because client never know the server's
>> internal address
>>
>> on clientA.
>> ping GW(S.111.111.111)
>> ========================================================================
>> 22:53:28.841232 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
>> 53249, seq 1, length 64
>> 22:53:29.838744 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
>> 53249, seq 2, length 64
>> 22:53:30.840031 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
>> 53249, seq 3, length 64
>> 22:53:31.843266 IP 192.168.9.106 > 192.168.11.19: ICMP echo request, id
>> 53249, seq 4, length 64
>> ========================================================================
>>
>> by the way, I add this line to my previous config to make it work  in
>> tunnel mode
>> =============================
>> leftsubnet=S.111.111.111/32 #public IP of the gw
>> =============================
>>
>> and add the public  IP as an alias interface
>>
>> ip addr add S.111.111.111/32 dev eth0 label eth0:0
>>
>> I don't know why in transport mode, the dst IP changed to l2tp/ipsec GW's
>> internal IP, the tcpdump when using tunnel mode shows  the public
>> IP(S.111.111.111) and that works fine.
>>
>>
>>
>>
>>
>> 2011/7/28 Paul Wouters <paul at xelerance.com>
>>
>>>  On Thu, 28 Jul 2011, Curu Wong wrote:
>>>
>>>  Now I am testing ipsec/l2tp with the server itself behind NAT. here's
>>>> the new network topology:
>>>>
>>>> clientA(192.168.9.106)----->**clientGWA(A.111.111.111)------**-->Server
>>>> GW(S.111.111.111)------>l2tp/**ipsec GW(192.168.11.19)
>>>>
>>>
>>>
>>>>  but, there's nothing happen to xl2tpd. the log just stops at this line:
>>>> ==============================**========================
>>>> Jul 28 14:38:13 tvpn xl2tpd[1660]: Listening on IP address 0.0.0.0, port
>>>> 1701
>>>>
>>>
>>> Specify the real IP address in listen-addr, do not let it default to ANY.
>>>
>>> Paul
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110730/dcb62006/attachment-0001.html

More information about the Users mailing list