[Openswan Users] L2TP-Ipsec hangs after successed Phase 2
Tim-Ole
toag at izsr.de
Tue Jun 26 16:06:06 EDT 2012
Hi together,
we installed an L2TP/IPsec server for the purpose of connecting Mac systems as well as iPhones and Windows clients (XP, 7).
The server runs on an Ubuntu system (Ubuntu 12.04 LTS) behind a Ziggo router. Ports are forwarded. When connecting with a Mac OS X system (10.6) or an iPhone, there are no problems - both IPsec and L2TP are established quickly and fine :-)
But we have had no luck so far connecting with Windows systems.
The settings on the Ubuntu server:
/etc/ipsec.conf:
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.178.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=auto

conn l2tp
    authby=secret
    left=192.168.178.50
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    pfs=no
    keyingtries=0
    auto=add
    dpddelay=30
    dpdtimeout=60
    dpdaction=clear
    forceencaps=yes
/etc/xl2tp/xl2tpd.conf:
[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
[lns default]
ip range = 192.168.178.70-192.168.178.80
local ip = 192.168.178.50
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options-l2tp
length bit = yes
/etc/ppp/options-l2tp :
asyncmap 0
auth
crtscts
lock
hide-password
modem
lcp-echo-interval 30
lcp-echo-failure 4
noipx
With these settings, it is no problem to get a connection from Mac clients working (just the IP of the router that does the forwarding job, the PSK and the user/password settings).
With Windows clients we had no luck. We experimented with out-of-the-box settings, changed some LCP and CHAP settings, disabled the firewall on the client side - no luck :-(
It is always the same error: in the IPsec log on the Ubuntu box, everything seems to go fine up to this point:
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: responding to Quick Mode proposal {msgid:a7c3428e}
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: us: 192.168.178.50<192.168.178.50>[+S=C]:17/1701
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: them: 1.2.3.4[192.168.220.107,+S=C]:17/61190
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: Dead Peer Detection (RFC 3706): enabled
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0670e913 <0x7b544619 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=1.2.3.4:64233 DPD=enabled}
... where it says "IPsec SA established tunnel mode" - at 18:06:32. Then nothing happens for the next 12 - 13 seconds, and then the log continues with this:
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received Delete SA(0x0670e913) payload: deleting IPSEC State #2
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received and ignored informational message
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received Delete SA payload: deleting ISAKMP State #1
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4: deleting connection "l2tp" instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64233: received and ignored informational message
Jun 26 18:07:24 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: received packet that claimed to be (I)nitiator, but rcookie is not zero?
Jun 26 18:07:24 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: sending notification v2N_INVALID_MESSAGE_ID to 1.2.3.4:64205
Jun 26 18:07:44 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: received packet that claimed to be (I)nitiator, but rcookie is not zero?
Jun 26 18:07:44 L2TP-Server-2 pluto[385]: packet from 1.2.3.4:64205: sending notification v2N_INVALID_MESSAGE_ID to 1.2.3.4:64205
... and so on.
Since we have some other L2TP/IPsec servers running on Debian and working with Mac clients as well as Windows clients, it seems to me to be an error on Ubuntu. Might this be possible?
Thanks a lot in advance!
greetings
toag
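Added here as an illustration, not part of the post: a small Python check over pluto log lines in the syslog format quoted above that pairs each "IPsec SA established" event with the later "Delete SA ... deleting IPSEC State #N" for the same peer and state number, and flags Phase 2 SAs the peer tears down within a few seconds, the pattern shown in the log. The sample lines, the threshold of 30 seconds and the second peer 5.6.7.8 are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the pluto syslog format quoted in the post
# (1.2.3.4 is the placeholder peer address used there; 5.6.7.8 is made up).
SAMPLE_LOG = """\
Jun 26 18:06:32 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0670e913 <0x7b544619 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=1.2.3.4:64233 DPD=enabled}
Jun 26 18:06:45 L2TP-Server-2 pluto[385]: "l2tp"[2] 1.2.3.4 #1: received Delete SA(0x0670e913) payload: deleting IPSEC State #2
Jun 26 18:10:01 L2TP-Server-2 pluto[385]: "l2tp"[3] 5.6.7.8 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x11111111 <0x22222222 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=5.6.7.8:4500 DPD=enabled}
Jun 26 19:10:01 L2TP-Server-2 pluto[385]: "l2tp"[3] 5.6.7.8 #3: received Delete SA(0x11111111) payload: deleting IPSEC State #4
"""

# Common prefix: syslog timestamp, pluto pid, connection name, peer address, SA number.
PREFIX = (r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?pluto\[\d+\]: '
          r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): ')
ESTABLISHED = re.compile(PREFIX + r"STATE_QUICK_R2: IPsec SA established")
# The Delete SA is logged under the ISAKMP SA (#1); the Phase 2 SA it removes is "State #N".
DELETED = re.compile(PREFIX + r"received Delete SA.*deleting IPSEC State #(?P<target>\d+)")

def parse_ts(text):
    # Syslog lines carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def short_lived_phase2(log_text, max_seconds=30):
    """Return (peer, sa_number, lifetime_seconds) for every Phase 2 SA that the
    peer deleted within max_seconds of it being established."""
    established = {}  # (peer, sa number) -> time of "IPsec SA established"
    findings = []
    for line in log_text.splitlines():
        m = ESTABLISHED.match(line)
        if m:
            established[(m["peer"], m["sa"])] = parse_ts(m["ts"])
            continue
        m = DELETED.match(line)
        if m:
            start = established.pop((m["peer"], m["target"]), None)
            if start is None:
                continue  # delete for an SA we never saw established
            lifetime = (parse_ts(m["ts"]) - start).total_seconds()
            if lifetime <= max_seconds:
                findings.append((m["peer"], int(m["target"]), lifetime))
    return findings

if __name__ == "__main__":
    for peer, sa, life in short_lived_phase2(SAMPLE_LOG):
        print(f"peer {peer}: Phase 2 SA #{sa} deleted after {life:.0f}s")
```

Run against /var/log/auth.log (or wherever pluto logs on the box) to see whether only the Windows peers show the short-lived pattern while Mac and iPhone peers keep their SAs.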