[Openswan Users] Openswan 2.6.38 and Windows XP breaking everything!

Bart Swedrowski bart at timedout.org
Mon Apr 16 18:46:04 EDT 2012


Hello Openswan Users,

For the last few days I have been trying to set up a little VPN server based on:
- Linux Debian Squeeze
- Openswan (first from Squeeze debs, upgraded to latest recently) 2.6.38
- xl2tpd (as above, initially from Squeeze, then upgraded to the
latest one; compiled manually).

I want to be using this VPN server solely for road warriors using PSKs
and simply usernames and passwords to call in.

Everything is going nice and well, I can connect without any problems
from my Mac (running Lion), from Mac Snow Leopard and Leopard, from
iPad, iPhone, Windows 7…  I also need to add that I am testing this using a
single NAT connection from my home - running a few tunnels at the same
time poses no problem as long as the aforementioned devices/operating
systems are used.

Now, as soon as Windows XP comes into the game things are getting
really hairy right away.  Everything is fine until I disconnect on the
Windows XP from the VPN.  As soon as I do this I am not able to
reconnect from any other device until I manually remove the policy that
gets left on top.

1.2.3.4 - this is my external IP
5.6.7.8 - this is the VPNs external IP
10.17.17.X - my internal IPs

Now, the auth.log from the connection established from the Windows XP host:

Apr 16 23:28:57 vpn02 pluto[25162]: packet from 1.2.3.4:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 16 23:28:57 vpn02 pluto[25162]: packet from 1.2.3.4:500: ignoring
Vendor ID payload [FRAGMENTATION]
Apr 16 23:28:57 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 16 23:28:57 vpn02 pluto[25162]: packet from 1.2.3.4:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
responding to Main Mode from unknown peer 1.2.3.4
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
STATE_MAIN_R1: sent MR1, expecting MI2
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
STATE_MAIN_R2: sent MR2, expecting MI3
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
Main mode peer ID is ID_FQDN: '@szczepan'
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[30] 1.2.3.4 #67:
switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
deleting connection "L2TP-PSK-NAT" instance with peer 1.2.3.4
{isakmp=#0/ipsec=#0}
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
new NAT mapping for #67, was 1.2.3.4:500, now 1.2.3.4:4500
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
peer client type is FQDN
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
Applying workaround for MS-818043 NAT-T bug
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
IDci was FQDN: \262 $\023, using NAT_OA=10.17.17.48/32 0 as IDci
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #67:
the peer proposed: 5.6.7.8/32:17/1701 -> 10.17.17.48/32:17/0
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
responding to Quick Mode proposal {msgid:b436f0df}
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
 us: 5.6.7.8<5.6.7.8>:17/1701
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
them: 1.2.3.4[@szczepan]:17/1701===10.17.17.48/32
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
netlink_raw_eroute: WARNING: that_client port 0 and that_host port
1701 don't match. Using that_client port.
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x5eac03c9
<0x746bee5c xfrm=3DES_0-HMAC_MD5 NATOA=10.17.17.48 NATD=1.2.3.4:4500
DPD=none}

The interesting bit here that caught my attention right away was:

Apr 16 23:28:57 vpn02 pluto[25162]: "L2TP-PSK-NAT"[31] 1.2.3.4 #68:
netlink_raw_eroute: WARNING: that_client port 0 and that_host port
1701 don't match. Using that_client port.

Is it anything I should be really worried about?  I tried exploring
this warning a bit further but didn't really find anything specific…

Now, once the XP host is connected, I can see the following IP policies
relating to that connection:

src 5.6.7.8/32 dst 1.2.3.4/32 proto udp sport 1701
	dir out priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16517 mode transport
src 10.17.17.48/32 dst 5.6.7.8/32 proto udp dport 1701
	dir in priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16517 mode transport

As soon as I disconnect the XP host, one of those two remains:

src 5.6.7.8/32 dst 1.2.3.4/32 proto udp sport 1701
	dir out priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16517 mode transport

And now, if I try to connect from any other device, e.g. my iPhone, I
get the following in my auth log and the connection does not get
established.

Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [RFC 3947] method set to=115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already
using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 115
Apr 16 23:37:39 vpn02 pluto[25162]: packet from 1.2.3.4:500: received
Vendor ID payload [Dead Peer Detection]
Apr 16 23:37:39 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
responding to Main Mode from unknown peer 1.2.3.4
Apr 16 23:37:39 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 16 23:37:39 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
STATE_MAIN_R1: sent MR1, expecting MI2
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer
is NATed
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
STATE_MAIN_R2: sent MR2, expecting MI3
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
msgid=00000000
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
Main mode peer ID is ID_IPV4_ADDR: '10.17.17.43'
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[32] 1.2.3.4 #70:
switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #70:
deleting connection "L2TP-PSK-NAT" instance with peer 1.2.3.4
{isakmp=#0/ipsec=#0}
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #70:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #70:
new NAT mapping for #70, was 1.2.3.4:500, now 1.2.3.4:1030
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #70:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #70:
the peer proposed: 5.6.7.8/32:17/1701 -> 10.17.17.43/32:17/0
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #70:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #71:
responding to Quick Mode proposal {msgid:4c14f28e}
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #71:
 us: 5.6.7.8<5.6.7.8>:17/1701
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #71:
them: 1.2.3.4[10.17.17.43]:17/57660===10.17.17.43/32
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #71:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #71:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #71:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 16 23:37:40 vpn02 pluto[25162]: "L2TP-PSK-NAT"[33] 1.2.3.4 #71:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x09744524
<0x614a9687 xfrm=AES_256-HMAC_SHA1 NATOA=10.17.17.43 NATD=1.2.3.4:1030
DPD=none}
Apr 16 23:37:42 vpn02 pluto[25162]: initiate on demand from
5.6.7.8:1701 to 1.2.3.4:57660 proto=17 state: fos_start because:
acquire

The interesting bit:

Apr 16 23:37:42 vpn02 pluto[25162]: initiate on demand from
5.6.7.8:1701 to 1.2.3.4:57660 proto=17 state: fos_start because:
acquire

Also, at the same time I can see the following fragments in the syslog
coming from xl2tpd…

Apr 16 23:37:47 vpn02 xl2tpd[21328]: control_finish: Peer requested
tunnel 4 twice, ignoring second one.
Apr 16 23:37:51 vpn02 xl2tpd[21328]: control_finish: Peer requested
tunnel 4 twice, ignoring second one.
Apr 16 23:37:52 vpn02 xl2tpd[21328]: Unable to deliver closing message
for tunnel 59955. Destroying anyway.
Apr 16 23:37:59 vpn02 xl2tpd[21328]: control_finish: Peer requested
tunnel 4 twice, ignoring second one.
Apr 16 23:38:02 vpn02 xl2tpd[21328]: Maximum retries exceeded for
tunnel 17123.  Closing.
Apr 16 23:38:02 vpn02 xl2tpd[21328]: Connection 4 closed to 1.2.3.4,
port 57660 (Timeout)
Apr 16 23:38:07 vpn02 xl2tpd[21328]: Unable to deliver closing message
for tunnel 17123. Destroying anyway.

Now, the really interesting bit is I can still keep on connecting from
the XP host, but not from the other ones.

I have dug through most of the Openswan users archives and a lot of
Google results, and even though I found a few references to similar
problems, they either ended without a solution or with information that
it was a bug and should work in the latest version.

I am definitely not an expert in the Openswan (or ipsec+l2tpd) area,
however I would greatly appreciate any pointers or advice you could give
me to pursue a solution to this problem.  Below I am attaching the rest of
the relevant config files I use.  Should you need anything please do
let me know.

Kind regards,
Bart

My /etc/ipsec.conf file goes as follows:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
    listen=5.6.7.8

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=5.6.7.8
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

And xl2tpd.conf file:

[global]
listen-addr = 5.6.7.8
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
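A diagnostic for exactly the symptom described in the post, added here as an example and not part of the post or of Openswan: it parses `ip xfrm policy` and `ip xfrm state` output (the policy format is the one quoted above; the state lines and the second peer 9.9.9.9 are constructed) and reports every policy whose template reqid no longer has an SA carrying that reqid. The assumption is that after the XP client disconnects the SA for reqid 16517 is torn down while its outbound policy is left behind, which is the state the post describes having to clean up by hand.

```shell
# Constructed sample of `ip xfrm policy` output: the leftover outbound
# policy from the post (reqid 16517) and a second, healthy one (reqid 16518,
# peer 9.9.9.9; both the peer and the reqid are made up for this example).
SAMPLE_POLICY='src 5.6.7.8/32 dst 1.2.3.4/32 proto udp sport 1701
	dir out priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16517 mode transport
src 5.6.7.8/32 dst 9.9.9.9/32 proto udp sport 1701
	dir out priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16518 mode transport'

# Constructed sample of `ip xfrm state` output: only the healthy peer still
# has an ESP SA; nothing carries reqid 16517 any more (SPI is made up).
SAMPLE_STATE='src 5.6.7.8 dst 9.9.9.9
	proto esp spi 0x0a0b0c0d reqid 16518 mode transport
	replay-window 32'

# orphan_policies POLICY_DUMP STATE_DUMP
# Prints the selector line ("src ... dst ...") of every policy whose template
# reqid has no SA with the same reqid in the state dump, i.e. a policy the
# kernel still matches traffic against but can never satisfy.
orphan_policies() {
    # Collect the reqids that still have an SA, as a space-padded list.
    live=$(printf '%s\n' "$2" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "reqid") print $(i + 1) }' |
        sort -u | tr '\n' ' ')
    # Remember the last top-level selector line; on each template line look
    # up its reqid in the live list and report the selector if it is absent.
    printf '%s\n' "$1" | awk -v live=" $live" '
        /^src / { sel = $0 }
        /reqid/ {
            for (i = 1; i < NF; i++)
                if ($i == "reqid" && index(live, " " $(i + 1) " ") == 0)
                    print sel
        }'
}

# Live use on the VPN host (not run here):
# orphan_policies "$(ip xfrm policy)" "$(ip xfrm state)"
```

Run against the constructed samples it prints only the 1.2.3.4 policy, the one the post reports as left over.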