[Openswan Users] IPSEC/L2TP does not work
M. Theocharides
m.theocharides at gmail.com
Sun Nov 6 06:08:37 EST 2011
Hi,
I just bought a router with VPN for office use which runs openswan. I am
trying to connect from home to my office through IPSEC/L2TP unsuccessfully
from my Windows 7 laptop (enterprise version). On my laptop I have the
following VPN configuration:
Type of VPN: L2TP/IPSEC; Data Encryption: require data encryption
(disconnect if server declines); Allow these protocols: MS-CHAP v2; and
under Networking: use default on remote network is OFF.
Please note that the VPN router is behind a Thompson SpeedTouch 585 and I
got the Service Provider to make sure that all ports are open and that the
firewall is off.
The VPN Server has the following configuration:
L2TP has the following configuration:
Server IP: 192.168.2.100; Client IP Pool: 192.168.2.101-192.168.2.120;
Authentication MS CHAP; Encryption: IPSEC.
IPSEC:
Phase 1: ISAKMP SA (Encr: 3DES, Hash: SHA1, DH: DH2 (mod1024))
Phase 2: IPSEC SA (Protocol: ESP, Encapsulation: Tunnel Mode, Encryption:
3DES, Authentication: HMAC MD5, PFS: Off)
Also the IPSEC configuration is as follows:
[screenshot attached; see the image attachment link below]
On startup of the router the system log shows:
Nov 6 12:33:50 pluto[29519]: shutting down
Nov 6 12:33:50 pluto[29519]: forgetting secrets
Nov 6 12:33:50 pluto[29519]: shutting down interface ipsec0/eth1
192.168.10.99
Nov 6 12:33:50 pluto[29519]: shutting down interface ipsec0/eth1
192.168.10.99
Nov 6 12:33:52 ipsec_setup: ...Openswan IPsec stopped
Nov 6 12:34:10 udhcpd[1172]: udhcpd (v0.9.9-pre) started
Nov 6 12:34:10 udhcpd[1172]: max_leases value (254) not sane, setting to
101 instead
Nov 6 12:34:17 init.sh: WAN_MODE=Static IP
Nov 6 12:34:43 miniupnpd[1773]: HTTP listening on port 5000
Nov 6 12:35:17 ipsec_setup: ...Openswan IPsec stopped
Nov 6 12:35:18 l2tpd[2485]: This binary does not support kernel L2TP.
Nov 6 12:35:18 l2tpd[2490]: l2tpd version 0.69 started on (none) PID:2490
Nov 6 12:35:18 l2tpd[2490]: Written by Mark Spencer, Copyright (C) 1998,
Adtran, Inc.
Nov 6 12:35:18 l2tpd[2490]: Forked by Scott Balmos and David Stipp, (C)
2001
Nov 6 12:35:18 l2tpd[2490]: Inhereted by Jeff McAdams, (C) 2002
Nov 6 12:35:18 l2tpd[2490]: Linux version 2.4.18-MIPS-01.00 on a mips, port
1701
Nov 6 12:35:22 ipsec_setup: KLIPS ipsec0 on eth1
192.168.10.99/255.255.255.0 broadcast 192.168.10.255
Nov 6 12:35:25 ipsec__plutorun: Starting Pluto subsystem...
Nov 6 12:35:25 pluto[2651]: Starting Pluto (Openswan Version 1.0.1)
Nov 6 12:35:25 ipsec_setup: ...Openswan IPsec started
Nov 6 12:35:26 pluto[2651]: including X.509 patch with traffic selectors
(Version 0.9.37)
Nov 6 12:35:26 pluto[2651]: including NAT-Traversal patch (Version 0.6)
Nov 6 12:35:26 pluto[2651]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Nov 6 12:35:26 pluto[2651]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 6 12:35:26 pluto[2651]: Warning: empty directory
Nov 6 12:35:26 pluto[2651]: Changing to directory '/etc/ipsec.d/crls'
Nov 6 12:35:26 pluto[2651]: Warning: empty directory
Nov 6 12:35:26 pluto[2651]: OpenPGP certificate file '/etc/pgpcert.pgp' not
found
Nov 6 12:35:29 pluto[2651]: loading secrets from "/etc/ipsec.secrets"
Nov 6 12:35:32 pluto[2651]: listening for IKE messages
Nov 6 12:35:32 pluto[2651]: adding interface ipsec0/eth1 192.168.10.99
Nov 6 12:35:32 pluto[2651]: adding interface ipsec0/eth1 192.168.10.99:4500
Nov 6 12:35:32 pluto[2651]: forgetting secrets
Nov 6 12:35:32 pluto[2651]: loading secrets from "/etc/ipsec.secrets"
Nov 6 12:35:33 pluto[2651]: | from whack: got --esp=3des-md5
Nov 6 12:35:33 pluto[2651]: | from whack: got --ike=3des-sha-modp1024
Nov 6 12:35:33 pluto[2651]: added connection description "Conn1"
When I try the connection I get the following:
Nov 6 12:40:10 pluto[2651]: packet from 213.207.172.231:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Nov 6 12:40:10 pluto[2651]: packet from 213.207.172.231:500: ignoring
Vendor ID payload [4a131c8107035845...]
Nov 6 12:40:10 pluto[2651]: packet from 213.207.172.231:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 6 12:40:10 pluto[2651]: packet from 213.207.172.231:500: ignoring
Vendor ID payload [FRAGMENTATION]
Nov 6 12:40:10 pluto[2651]: packet from 213.207.172.231:500: ignoring
Vendor ID payload [fb1de3cdf341b7ea...]
Nov 6 12:40:10 pluto[2651]: packet from 213.207.172.231:500: ignoring
Vendor ID payload [26244d38eddb61b3...]
Nov 6 12:40:10 pluto[2651]: packet from 213.207.172.231:500: ignoring
Vendor ID payload [e3a5966a76379fe7...]
Nov 6 12:40:10 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: responding to
Main Mode from unknown peer 213.207.172.231
Nov 6 12:40:10 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: only
OAKLEY_GROUP_MODP768,1024,1536,2048,3072,4096,6144,8192 supported.
Attribute OAKLEY_GROUP_DESCRIPTION
Nov 6 12:40:10 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: only
OAKLEY_GROUP_MODP768,1024,1536,2048,3072,4096,6144,8192 supported.
Attribute OAKLEY_GROUP_DESCRIPTION
Nov 6 12:40:10 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: transition from
state (null) to state STATE_MAIN_R1
Nov 6 12:40:10 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov 6 12:40:11 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: WARNING:
compute_dh_shared(): for OAKLEY_GROUP_MODP2048 took 370000 usec
Nov 6 12:40:11 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 6 12:40:11 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: next payload
type of ISAKMP Identification Payload has an unknown value: 117
Nov 6 12:40:11 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: Rejected IKE
message (213.207.172.231=>192.168.10.99), Cookies (I:
AF-5B-7C-C4-46-E7-60-FF, R: 2A-A0-C9-8F-0E-DB-D8-AC)
Nov 6 12:40:11 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: probable
authentication failure (mismatch of preshared secrets?): malformed payload
in packet
Nov 6 12:40:11 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: sending
notification PAYLOAD_MALFORMED to 213.207.172.231:500
Nov 6 12:40:13 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: next payload
type of ISAKMP Identification Payload has an unknown value: 117
Nov 6 12:40:13 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: Rejected IKE
message (213.207.172.231=>192.168.10.99), Cookies (I:
AF-5B-7C-C4-46-E7-60-FF, R: 2A-A0-C9-8F-0E-DB-D8-AC)
Nov 6 12:40:13 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: probable
authentication failure (mismatch of preshared secrets?): malformed payload
in packet
Nov 6 12:40:13 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: sending
notification PAYLOAD_MALFORMED to 213.207.172.231:500
Nov 6 12:40:16 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: next payload
type of ISAKMP Identification Payload has an unknown value: 117
Nov 6 12:40:16 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: Rejected IKE
message (213.207.172.231=>192.168.10.99), Cookies (I:
AF-5B-7C-C4-46-E7-60-FF, R: 2A-A0-C9-8F-0E-DB-D8-AC)
Nov 6 12:40:16 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: probable
authentication failure (mismatch of preshared secrets?): malformed payload
in packet
Nov 6 12:40:16 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: sending
notification PAYLOAD_MALFORMED to 213.207.172.231:500
Nov 6 12:40:21 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: next payload
type of ISAKMP Identification Payload has an unknown value: 117
Nov 6 12:40:21 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: Rejected IKE
message (213.207.172.231=>192.168.10.99), Cookies (I:
AF-5B-7C-C4-46-E7-60-FF, R: 2A-A0-C9-8F-0E-DB-D8-AC)
Nov 6 12:40:21 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: probable
authentication failure (mismatch of preshared secrets?): malformed payload
in packet
Nov 6 12:40:21 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: sending
notification PAYLOAD_MALFORMED to 213.207.172.231:500
Nov 6 12:40:30 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: next payload
type of ISAKMP Identification Payload has an unknown value: 117
Nov 6 12:40:30 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: Rejected IKE
message (213.207.172.231=>192.168.10.99), Cookies (I:
AF-5B-7C-C4-46-E7-60-FF, R: 2A-A0-C9-8F-0E-DB-D8-AC)
Nov 6 12:40:30 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: probable
authentication failure (mismatch of preshared secrets?): malformed payload
in packet
Nov 6 12:40:30 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: sending
notification PAYLOAD_MALFORMED to 213.207.172.231:500
Nov 6 12:40:46 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: next payload
type of ISAKMP Identification Payload has an unknown value: 117
Nov 6 12:40:46 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: Rejected IKE
message (213.207.172.231=>192.168.10.99), Cookies (I:
AF-5B-7C-C4-46-E7-60-FF, R: 2A-A0-C9-8F-0E-DB-D8-AC)
Nov 6 12:40:46 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: probable
authentication failure (mismatch of preshared secrets?): malformed payload
in packet
Nov 6 12:40:46 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: sending
notification PAYLOAD_MALFORMED to 213.207.172.231:500
Nov 6 12:41:02 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: next payload
type of ISAKMP Identification Payload has an unknown value: 117
Nov 6 12:41:02 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: Rejected IKE
message (213.207.172.231=>192.168.10.99), Cookies (I:
AF-5B-7C-C4-46-E7-60-FF, R: 2A-A0-C9-8F-0E-DB-D8-AC)
Nov 6 12:41:02 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: probable
authentication failure (mismatch of preshared secrets?): malformed payload
in packet
Nov 6 12:41:02 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: sending
notification PAYLOAD_MALFORMED to 213.207.172.231:500
Nov 6 12:41:21 pluto[2651]: "Conn1"[1] 213.207.172.231 #1: max number of
retransmissions (2) reached STATE_MAIN_R2
Nov 6 12:41:21 pluto[2651]: "Conn1"[1] 213.207.172.231: deleting connection
"Conn1" instance with peer 213.207.172.231
Can you please let me know how to properly configure this from the errors
you see above?
Thanks
Marios
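The repeated pluto lines above ("next payload type of ISAKMP Identification Payload has an unknown value: 117", followed by "probable authentication failure (mismatch of preshared secrets?)") are worth understanding mechanically. In IKEv1 Main Mode (RFC 2409) the responder reaches STATE_MAIN_R2 after the unauthenticated DH exchange; messages 5 and 6 carry the ID and HASH payloads encrypted under SKEYID_e, and with pre-shared-key authentication SKEYID_e is derived from the PSK itself. A peer holding a different PSK therefore decrypts message 5 with the wrong key, the first byte of the result (the "next payload" field of the ID payload) is noise, and pluto reports a malformed payload rather than a clean authentication error. The script below is an added worked example (not from the original post and not Openswan code) that derives SKEYID_e on both sides and shows what the responder sees when the secrets match and when they do not. Assumptions: the PRF is HMAC-SHA1, matching the poster's ike=3des-sha-modp1024; a toy HMAC-SHA1 counter-mode keystream stands in for 3DES-CBC so that only the standard library is needed; nonces, the DH shared secret and the IV inputs are constructed values; the two cookies are the ones shown in the posted log.

```python
"""IKEv1 Main Mode PSK keying (RFC 2409) and the "unknown next payload" symptom.

Added worked example, not Openswan code. Assumptions (not from the original
post): prf = HMAC-SHA1 (matches ike=3des-sha); a toy HMAC counter-mode
keystream replaces 3DES-CBC; nonces, DH secret and IV inputs are constructed.
"""
import hmac
import hashlib
import struct

# Next-payload values defined for IKEv1 (RFC 2408 s3.1), plus NAT-D (20) and
# NAT-OA (21) from RFC 3947. Anything else is what pluto calls an unknown value.
VALID_NEXT_PAYLOAD = set(range(0, 14)) | {20, 21}
NEXT_PAYLOAD_HASH = 8   # in message 5 the ID payload is followed by HASH_I


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf for hash algorithm SHA1: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_skeyid_e(psk: bytes, ni: bytes, nr: bytes, g_xy: bytes,
                    cky_i: bytes, cky_r: bytes) -> bytes:
    """RFC 2409 s5 / s5.4: SKEYID from the PSK, then SKEYID_d/_a/_e."""
    skeyid = prf(psk, ni + nr)                                   # prf(PSK, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_e


def toy_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for 3DES-CBC: XOR with an HMAC-SHA1 counter-mode keystream.
    As with the real cipher, the wrong key turns the plaintext into noise."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += prf(key, iv + struct.pack(">I", counter))
        counter += 1
    return bytes(p ^ s for p, s in zip(data, stream))


toy_decrypt = toy_encrypt   # XOR keystream: decryption is the same operation


def build_id_payload(ipv4: bytes) -> bytes:
    """ISAKMP Identification payload (RFC 2408 s3.8) with an ID_IPV4_ADDR body.
    Generic header: next payload, reserved, total length."""
    body = bytes([1, 0, 0, 0]) + ipv4            # ID type 1, protocol 0, port 0
    header = struct.pack(">BBH", NEXT_PAYLOAD_HASH, 0, 4 + len(body))
    return header + body


def responder_parse(ciphertext: bytes, skeyid_e: bytes, iv: bytes) -> dict:
    """Responder handling of Main Mode message 5: decrypt, then read the first
    byte as the next-payload type exactly as pluto does."""
    plain = toy_decrypt(skeyid_e, iv, ciphertext)
    next_payload = plain[0]
    ok = next_payload in VALID_NEXT_PAYLOAD
    diagnosis = ("ID payload parsed" if ok else
                 "next payload type of ISAKMP Identification Payload has an "
                 "unknown value: %d -> probable authentication failure "
                 "(mismatch of preshared secrets?)" % next_payload)
    return {"plaintext": plain, "next_payload": next_payload,
            "ok": ok, "diagnosis": diagnosis}


def simulate(initiator_psk: bytes, responder_psk: bytes) -> dict:
    """Run messages 1-4 with constructed public values, then message 5."""
    ni, nr = b"\x11" * 16, b"\x22" * 16                        # constructed nonces
    cky_i = bytes.fromhex("AF5B7CC446E760FF")                 # cookies from the log
    cky_r = bytes.fromhex("2AA0C98F0EDBD8AC")
    g_xy = hashlib.sha1(b"constructed DH shared secret").digest()
    iv = hashlib.sha1(b"constructed g^xi" + b"constructed g^xr").digest()[:8]

    key_i = derive_skeyid_e(initiator_psk, ni, nr, g_xy, cky_i, cky_r)
    key_r = derive_skeyid_e(responder_psk, ni, nr, g_xy, cky_i, cky_r)
    msg5 = toy_encrypt(key_i, iv, build_id_payload(bytes([213, 207, 172, 231])))
    return responder_parse(msg5, key_r, iv)


if __name__ == "__main__":
    print("matching PSK :", simulate(b"office-secret", b"office-secret")["diagnosis"])
    print("wrong PSK    :", simulate(b"office-secret", b"typo-secret")["diagnosis"])
```

With matching secrets the responder recovers the ID payload and reads next payload 8 (HASH). With a mismatched secret the decrypted bytes are unrelated to the original; 242 of the 256 possible first-byte values are outside the defined set, so the usual outcome is exactly the "unknown value" line followed by pluto's PSK-mismatch hint, and pluto never gets far enough to compare HASH_I. When checking this on a real gateway, confirm the secret on both sides and, behind NAT, that the ipsec.secrets entry is selected for the peer's actual source address (or uses the %any wildcard), since a non-matching selector has the same effect as a wrong key.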
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20111106/dd60dc02/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 143127 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20111106/dd60dc02/attachment-0001.png