[Openswan Users] Problem in IPSEC L2TP connectivity

heta shah heta45 at gmail.com
Tue Sep 13 01:14:57 EDT 2011


Hello sir,

Thanks for the reply.
But when I add leftsourceip=192.168.5.X, where X is the IP of the other
interface on the server, the client cannot establish a VPN connection
with the server. On the server side this error appears in /var/log/auth.log:

tailf /var/log/auth.log
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: Main
mode peer ID is ID_IPV4_ADDR: '192.168.1.22'
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: Dead
Peer Detection (RFC 3706): not enabled because peer did not advertise it
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: the peer
proposed: 192.168.1.121/32:17/1701 -> 192.168.1.22/32:17/0
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: cannot
respond to IPsec SA request because no connection is known for
192.168.1.121<192.168.1.121>[+S=C]:17/1701...192.168.1.22[+S=C]:17/%any
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.1.22:500
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: Dead
Peer Detection (RFC 3706): not enabled because peer did not advertise it
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: the peer
proposed: 192.168.1.121/32:17/1701 -> 192.168.1.22/32:17/0
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: cannot
respond to IPsec SA request because no connection is known for
192.168.1.121<192.168.1.121>[+S=C]:17/1701...192.168.1.22[+S=C]:17/%any
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.1.22:500
Sep 13 10:37:03 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: the peer
proposed: 192.168.1.121/32:17/1701 -> 192.168.1.22/32:17/0
Sep 13 10:37:03 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: cannot
respond to IPsec SA request because no connection is known for
192.168.1.121<192.168.1.121>[+S=C]:17/1701...192.168.1.22[+S=C]:17/%any
Sep 13 10:37:03 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.1.22:500
Sep 13 10:37:03 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: cannot
respond to IPsec SA request because no connection is known for
192.168.1.121<192.168.1.121>[+S=C]:17/1701...192.168.1.22[+S=C]:17/%any
Sep 13 10:37:03 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.1.22:500
Sep 13 10:37:05 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: the peer
proposed: 192.168.1.121/32:17/1701 -> 192.168.1.22/32:17/0
Sep 13 10:37:05 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: cannot
respond to IPsec SA request because no connection is known for
192.168.1.121<192.168.1.121>[+S=C]:17/1701...192.168.1.22[+S=C]:17/%any
Sep 13 10:37:05 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.1.22:500
Sep 13 10:37:05 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: cannot
respond to IPsec SA request because no connection is known for
192.168.1.121<192.168.1.121>[+

And in /var/log/debug this error appears:
xl2tpd[3623]: Call established with 192.168.1.22, Local: 30238, Remote: 1,
Serial: 0
xl2tpd[3623]: check_control: Received out of order control packet on tunnel
1 (got 5, expected 4)
xl2tpd[3623]: handle_packet: bad control packet!
xl2tpd[3623]: check_control: Received out of order control packet on tunnel
1 (got 5, expected 4)
xl2tpd[3623]: handle_packet: bad control packet!
xl2tpd[3623]: Maximum retries exceeded for tunnel 12846.  Closing.
xl2tpd[3623]: control_finish: Connection closed to 192.168.1.22, serial 0 ()
xl2tpd[3623]: Terminating pppd: sending TERM signal to pid 4597
xl2tpd[3623]: Connection 1 closed to 192.168.1.22, port 1701 (Timeout)
xl2tpd[3623]: control_finish: Connection closed to 192.168.1.22, port 1701
(), Local: 12846, Remote: 1
xl2tpd[3623]: Can not find tunnel 12846 (refhim=0)
xl2tpd[3623]: network_thread: unable to find call or tunnel to handle
packet.  call = 0, tunnel = 12846 Dumping.

And I cannot add the leftsubnet tag. When I add leftsubnet, the client is not
able to establish a connection.
Is this an IPSEC version problem or some configuration problem?

ipsec --version
Linux Openswan U2.6.35/K2.6.28.4-enjay (netkey)

xl2tpd --version

xl2tpd version:  xl2tpd-1.2.8


On Mon, Sep 12, 2011 at 9:24 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Mon, 12 Sep 2011, heta shah wrote:
>
>> Please help me; am I making some error or not? I am facing this one-way
>> communication. Is any route add at the server side required
>> or not?? My internal network is 192.168.5.0/24 and I want to apply a
>> remote network VPN client from this network. In this setup I
>> can communicate from client to server, but I cannot communicate from server
>> to client. But still the VPN connection is showing up.
>>
>
> You should never attempt or need to add routes manually.
>
> You might want to add on the server a leftsourceip=192.168.5.X (X is
> whatever IP your server has in that range)
>
> Paul
>



-- 
Thanks and Regards.

Heta
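A small diagnostic added here, not code from the thread or from Openswan: it parses the "the peer proposed" lines from the pluto log above and compares the proposed selectors against a connection's left/leftsubnet/leftprotoport/rightprotoport settings, using a simplified model of pluto's connection matching (the config dicts and the log sample are constructed for the example). It shows why a host-to-host L2TP proposal for the server's own address matches when the local end is just `left`, but stops matching once `leftsubnet` widens the local end to another network.

```python
import re
from ipaddress import ip_network

# Constructed sample, shaped like the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: the peer proposed: 192.168.1.121/32:17/1701 -> 192.168.1.22/32:17/0
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: cannot respond to IPsec SA request because no connection is known for 192.168.1.121<192.168.1.121>[+S=C]:17/1701...192.168.1.22[+S=C]:17/%any
Sep 13 10:37:01 UTM pluto[4908]: "L2TP-PSK-NAT"[2] 192.168.1.22 #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.22:500
"""

# Matches: the peer proposed: <src>/<len>:<proto>/<port> -> <dst>/<len>:<proto>/<port>
PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: the peer proposed: '
    r'(?P<lnet>\S+):(?P<lproto>\d+)/(?P<lport>\d+) -> '
    r'(?P<rnet>\S+):(?P<rproto>\d+)/(?P<rport>\d+)')

def parse_proposals(log_text):
    """One dict per 'the peer proposed' line: connection, peer and both selectors."""
    found = []
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("lproto", "lport", "rproto", "rport"):
                d[key] = int(d[key])
            found.append(d)
    return found

def _port_ok(cfg_port, proposed_port):
    # In ipsec.conf a wildcard port is written %any; pluto logs a wildcard as 0.
    return cfg_port == "%any" or int(cfg_port) == proposed_port

def check_proposal(prop, conf):
    """Compare the peer's proposed selectors with a simplified model of what a
    connection with these settings would accept (assumed approximation of
    pluto's matching). Returns mismatch reasons; empty means it would match."""
    reasons = []
    # Without leftsubnet the local selector is the server's own address as a /32;
    # with leftsubnet it becomes that network, and a host-to-host proposal for
    # the server's address no longer falls inside it.
    local_net = ip_network(conf.get("leftsubnet", conf["left"] + "/32"))
    if not ip_network(prop["lnet"]).subnet_of(local_net):
        reasons.append(f"local selector {prop['lnet']} is outside configured {local_net}")
    for side, key in (("l", "leftprotoport"), ("r", "rightprotoport")):
        proto, port = conf[key].split("/")
        if int(proto) != prop[side + "proto"] or not _port_ok(port, prop[side + "port"]):
            reasons.append(f"{key}={conf[key]} does not accept proposed "
                           f"{prop[side + 'proto']}/{prop[side + 'port']}")
    return reasons
```

Run it against a real /var/log/auth.log excerpt and the connection block from ipsec.conf to see which part of the proposal the server's connection definition rejects.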