[Openswan Users] L2TP/IPsec hangs after successful Phase 2

Tim-Ole toag at izsr.de
Tue Jun 26 16:06:06 EDT 2012


Hi all,

we installed an L2TP/IPsec server for the purpose of connecting Mac systems as well as iPhones and Windows clients (XP, 7).

The server runs on an Ubuntu system (Ubuntu 12.04 LTS) and sits behind a Ziggo router. Ports are forwarded. When connecting from a Mac OS X system (10.6) or an iPhone, there are no problems: both IPsec and L2TP are established quickly and cleanly :-)

But we have had no luck so far connecting from Windows systems.

The settings on the Ubuntu server:

/etc/ipsec.conf:

config setup
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	# note: the server's own LAN 192.168.178.0/24 is listed as allowed for
	# clients here, not excluded (exclusion would be %v4:!192.168.178.0/24)
	virtual_private=%v4:192.168.178.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
	oe=off
	protostack=auto

conn l2tp
	authby=secret
	# left is the server's private address behind the Ziggo router
	left=192.168.178.50
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	# client may sit behind NAT with a private inner address
	rightsubnet=vhost:%no,%priv
	pfs=no
	keyingtries=0
	# loaded at startup, waits for the client to initiate
	auto=add
	dpddelay=30
	dpdtimeout=60
	dpdaction=clear
	# always UDP-encapsulate ESP, even if no NAT is detected
	forceencaps=yes

/etc/xl2tp/xl2tpd.conf:

[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
[lns default]
ip range = 192.168.178.70-192.168.178.80
local ip = 192.168.178.50
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options-l2tp
length bit = yes

/etc/ppp/options-l2tp :

asyncmap 0
auth
crtscts
lock
hide-password
modem
lcp-echo-interval 30
lcp-echo-failure 4
noipx

With these settings, getting a connection from Mac clients to work is no problem (the clients only need the IP of the router that does the forwarding, the PSK and the user/password settings).

With Windows clients we had no luck. We experimented with out-of-the-box settings, changed some LCP and CHAP settings, disabled the firewall on the client side: no luck :-(

It is always the same error: in the IPsec log on the Ubuntu box, everything seems to go fine up to this point:

Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: responding to Quick Mode proposal {msgid:a7c3428e}
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2:     us: 192.168.178.50<192.168.178.50>[+S=C]:17/1701
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2:   them: 1.2.3.4[192.168.220.107,+S=C]:17/61190
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: Dead Peer Detection (RFC 3706): enabled
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0670e913 <0x7b544619 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=1.2.3.4:64233 DPD=enabled}

... where it says "IPsec SA established tunnel mode" at 18:06:32. Then nothing happens for the next 12-13 seconds, and then the log continues with this:


Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received Delete SA(0x0670e913) payload: deleting IPSEC State #2
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received and ignored informational message
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received Delete SA payload: deleting ISAKMP State #1
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4: deleting connection "l2tp" instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64233: received and ignored informational message
Jun 26 18:07:24 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: received packet that claimed to be (I)nitiator, but rcookie is not zero?
Jun 26 18:07:24 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: sending notification v2N_INVALID_MESSAGE_ID to 1.2.3.4:64205
Jun 26 18:07:44 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: received packet that claimed to be (I)nitiator, but rcookie is not zero?
Jun 26 18:07:44 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: sending notification v2N_INVALID_MESSAGE_ID to 1.2.3.4:64205

... and so on.

Since we have some other L2TP/IPsec servers running on Debian that work with Mac clients as well as with Windows clients, it seems to me to be a problem on Ubuntu. Might this be possible?

Thanks a lot in advance!


greetings


toag
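The pattern in the log above (Quick Mode completes, the peer sends a Delete SA a few seconds later, and xl2tpd never logs anything for that peer) is worth separating mechanically from a real IKE failure when working through several client attempts. The script below is an added example, not code from the original post or from the Openswan or xl2tpd projects: it correlates pluto "IPsec SA established" and "received Delete SA(...)" lines by peer and outbound SPI, measures how long each SA lived, checks whether xl2tpd logged a session for that peer while the SA was up, and counts the "rcookie is not zero" retransmits that follow. The sample log is constructed from the lines quoted in the post plus a hypothetical second peer (5.6.7.8) with a working L2TP session so both branches are exercised; the year is assumed to be 2012 because syslog timestamps carry none, and the verdict strings are a heuristic, not an Openswan diagnostic.

```python
"""Correlate Openswan pluto / xl2tpd syslog lines per IPsec SA.

Added example for diagnosing "Phase 2 succeeds, then the client deletes the
SA" sessions. Not code from the original post or from Openswan/xl2tpd.
"""
import re
from datetime import datetime

# Constructed sample: pluto lines quoted in the post, plus a hypothetical
# second peer whose L2TP session did come up (the xl2tpd line is made up).
SAMPLE_LOG = """\
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0670e913 <0x7b544619 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=1.2.3.4:64233 DPD=enabled}
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received Delete SA(0x0670e913) payload: deleting IPSEC State #2
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received Delete SA payload: deleting ISAKMP State #1
Jun 26 18:07:24 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: received packet that claimed to be (I)nitiator, but rcookie is not zero?
Jun 26 18:10:02 L2TP-Server-2 pluto[385]: "l2tp"[3] 5.6.7.8 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1234abcd <0xabcd1234 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=5.6.7.8:4500 DPD=enabled}
Jun 26 18:10:03 L2TP-Server-2 xl2tpd[512]: Connection established to 5.6.7.8, 1701.  Local: 1234, Remote: 5678 (ref=0/0).  LNS session is 'default'
Jun 26 18:25:40 L2TP-Server-2 pluto[385]: "l2tp"[3] 5.6.7.8 #3: received Delete SA(0x1234abcd) payload: deleting IPSEC State #4
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(
    r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: STATE_QUICK_R2: IPsec SA established '
    r'.*ESP(?:/NAT)?=>(?P<spi>0x[0-9a-f]+)')
DELETE_RE = re.compile(
    r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload')
STALE_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: received packet that claimed to be \(I\)nitiator, "
    r"but rcookie is not zero")


def parse_ts(text):
    # syslog carries no year; 2012 is assumed from the date of the post
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2012)


def verdict(session, threshold):
    """Heuristic label for one SA lifetime (not an Openswan diagnostic)."""
    if session["l2tp_seen"]:
        return "ok: xl2tpd logged a session while the IPsec SA was up"
    if session["lifetime_s"] <= threshold:
        return ("ipsec-only: peer deleted the SA after %.0fs with no xl2tpd activity; "
                "IKE is fine, check whether UDP/1701 inside ESP reaches xl2tpd"
                % session["lifetime_s"])
    return "no-l2tp: SA lived long but xl2tpd logged nothing for this peer"


def correlate(log_text, no_l2tp_threshold=60):
    """Return one dict per SA that was established and later deleted by the peer."""
    open_sas = {}   # (peer, outbound spi) -> session dict
    results = []
    stale = {}      # peer -> count of retransmits against a dead ISAKMP SA
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "pluto":
            e = ESTABLISHED_RE.search(msg)
            if e:
                open_sas[(e["peer"], e["spi"])] = {
                    "peer": e["peer"], "spi": e["spi"], "up": ts, "l2tp_seen": False}
                continue
            d = DELETE_RE.search(msg)
            if d and (d["peer"], d["spi"]) in open_sas:
                s = open_sas.pop((d["peer"], d["spi"]))
                s["lifetime_s"] = (ts - s["up"]).total_seconds()
                s["verdict"] = verdict(s, no_l2tp_threshold)
                results.append(s)
                continue
            st = STALE_RE.search(msg)
            if st:
                stale[st["peer"]] = stale.get(st["peer"], 0) + 1
        elif prog == "xl2tpd":
            # any xl2tpd line naming the peer while its SA is open counts as L2TP activity
            for s in open_sas.values():
                if s["peer"] in msg:
                    s["l2tp_seen"] = True
    for s in results:
        s["stale_retransmits"] = stale.get(s["peer"], 0)
    return results


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG):
        print("%s spi=%s lifetime=%.0fs stale_retransmits=%d -> %s"
              % (s["peer"], s["spi"], s["lifetime_s"], s["stale_retransmits"], s["verdict"]))
```

Feed it the merged auth.log or syslog from the server (`python3 correlate.py < /var/log/auth.log` after replacing SAMPLE_LOG with stdin) and the Windows attempts show up as short-lived "ipsec-only" SAs with no xl2tpd line in between, which points the investigation at the L2TP/UDP 1701 path inside ESP rather than at IKE negotiation.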