[Openswan Users] VPN Transport Mode, Windows 7, xl2tpd, openswan

Patrick Naubert patrickn at xelerance.com
Mon Oct 1 08:21:06 EDT 2012


Rescued from the spam bucket.  Please remember to register to the mailing list before posting to it.

Begin forwarded message:

> From: "Karl" <Horst at skat-foundation.de>
> Subject: VPN Transport Mode, Windows 7, xl2tpd, openswan
> Date: 28 September, 2012 5:06:56 PM EDT
> To: <users at lists.openswan.org>
> 
> 
> Hello everybody,
>  
> For more than two weeks I have been struggling with a VPN connection problem from my Windows 7 PC (Internet) to my home network. I have a Debian host located behind a NATing firewall. The Debian host has one NIC (192.168.1.30) and is configured to deliver IP addresses to VPN clients from 192.168.1.40-192.168.1.50. IP forwarding for 500 and 4500 is configured.
>  
> *** Pluto.log with plutodebug=none says ***
> packet from 2.204.196.17:54670: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
> packet from 2.204.196.17:54670: received Vendor ID payload [RFC 3947] method set to=109
> packet from 2.204.196.17:54670: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> packet from 2.204.196.17:54670: ignoring Vendor ID payload [FRAGMENTATION]
> packet from 2.204.196.17:54670: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
> packet from 2.204.196.17:54670: ignoring Vendor ID payload [Vid-Initial-Contact]
> packet from 2.204.196.17:54670: ignoring Vendor ID payload [IKE CGA version 1]
> "vpnhome"[37] 2.204.196.17 #80: responding to Main Mode from unknown peer 2.204.196.17
> "vpnhome"[37] 2.204.196.17 #80: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> "vpnhome"[37] 2.204.196.17 #80: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> "vpnhome"[37] 2.204.196.17 #80: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> "vpnhome"[37] 2.204.196.17 #80: STATE_MAIN_R1: sent MR1, expecting MI2
> "vpnhome"[37] 2.204.196.17 #80: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
> "vpnhome"[37] 2.204.196.17 #80: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> "vpnhome"[37] 2.204.196.17 #80: STATE_MAIN_R2: sent MR2, expecting MI3
> "vpnhome"[37] 2.204.196.17 #80: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.2'
> "vpnhome"[37] 2.204.196.17 #80: switched from "vpnhome" to "vpnhome"
> "vpnhome"[38] 2.204.196.17 #80: deleting connection "vpnhome" instance with peer 2.204.196.17 {isakmp=#0/ipsec=#0}
> "vpnhome"[38] 2.204.196.17 #80: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> "vpnhome"[38] 2.204.196.17 #80: new NAT mapping for #80, was 2.204.196.17:54670, now 2.204.196.17:54671
> "vpnhome"[38] 2.204.196.17 #80: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
> "vpnhome"[38] 2.204.196.17 #80: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
> "vpnhome"[38] 2.204.196.17 #80: the peer proposed: 85.177.255.209/32:17/1701 -> 10.0.0.2/32:17/0
> "vpnhome"[38] 2.204.196.17 #80: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> "vpnhome"[38] 2.204.196.17 #81: responding to Quick Mode proposal {msgid:01000000}
> "vpnhome"[38] 2.204.196.17 #81:     us: 192.168.1.30<192.168.1.30>[+S=C]:17/1701---192.168.1.1
> "vpnhome"[38] 2.204.196.17 #81:   them: 2.204.196.17[10.0.0.2,+S=C]:17/1701===10.0.0.2/32
> "vpnhome"[38] 2.204.196.17 #81: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> "vpnhome"[38] 2.204.196.17 #81: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> "vpnhome"[38] 2.204.196.17 #81: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
> "vpnhome"[38] 2.204.196.17 #81: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> "vpnhome"[38] 2.204.196.17 #81: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xeab62830 <0x4a10836c xfrm=AES_128-HMAC_SHA1 NATOA=10.0.0.2 NATD=2.204.196.17:54671 DPD=none}
> "vpnhome"[38] 2.204.196.17 #80: received Delete SA(0xeab62830) payload: deleting IPSEC State #81
> "vpnhome"[38] 2.204.196.17 #80: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
> "vpnhome"[38] 2.204.196.17 #80: received and ignored informational message
> "vpnhome"[38] 2.204.196.17 #80: received Delete SA payload: deleting ISAKMP State #80
> "vpnhome"[38] 2.204.196.17: deleting connection "vpnhome" instance with peer 2.204.196.17 {isakmp=#0/ipsec=#0}
> packet from 2.204.196.17:54671: received and ignored informational message
>  
> ** ipsec.conf **
> version 2.0 # conforms to second version of ipsec.conf specification
>  
> # basic configuration
> config setup
>     klipsdebug=none
>     plutodebug=none
>     plutostderrlog=/var/log/pluto.log
>     uniqueids=yes
>     strictcrlpolicy=no
>     protostack=netkey
>     nhelpers=0
>     oe=off
>     nat_traversal=yes
>     virtual_private=%v4:192.168.0.0/16
>  
> conn vpnhome
>     authby=secret
>     auth=esp
>     auto=add
>     pfs=no
>     type=transport
>     rekey=no
>     compress=yes
>     left=192.168.1.30
>     leftnexthop=192.168.1.1
>     leftprotoport=17/1701
>  
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     rightprotoport=17/%any
>     #forceencaps=yes
>     dpddelay=40
>     dpdtimeout=130
>     dpdaction=clear
>  
> ** ipsec starts **
>  
> Plutorun started on Fri Sep 28 22:49:11 CEST 2012
> adjusting ipsec.d to /etc/ipsec.d
> Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:4855
> SAref support [disabled]: Protocol not available
> SAbind support [disabled]: Protocol not available
> Setting NAT-Traversal port-4500 floating to on
>    port floating activation criteria nat_t=1/port_float=1
>    NAT-Traversal support  [enabled]
> using /dev/urandom as source of random entropy
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> no helpers will be started, all cryptographic operations will be done inline
> Using Linux 2.6 IPsec interface code on 2.6.32-5-686 (experimental code)
> ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
> ike_alg_add(): ERROR: Algorithm already exists
> ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
> ike_alg_add(): ERROR: Algorithm already exists
> ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
> ike_alg_add(): ERROR: Algorithm already exists
> ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
> ike_alg_add(): ERROR: Algorithm already exists
> ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
> ike_alg_add(): ERROR: Algorithm already exists
> ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
> Changed path to directory '/etc/ipsec.d/cacerts'
> Changed path to directory '/etc/ipsec.d/aacerts'
> Changed path to directory '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
>   Warning: empty directory
> added connection description "vpnhome"
> listening for IKE messages
> NAT-Traversal: Trying new style NAT-T
> NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
> NAT-Traversal: Trying old style NAT-T
> adding interface eth0/eth0 192.168.1.30:500
> adding interface eth0/eth0 192.168.1.30:4500
> adding interface lo/lo 127.0.0.1:500
> adding interface lo/lo 127.0.0.1:4500
> loading secrets from "/etc/ipsec.secrets"
>  
> ** ipsec auto --status **
>  
> 000 using kernel interface: netkey
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.1.30
> 000 interface eth0/eth0 192.168.1.30
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 1 subnet: 192.168.0.0/16
> 000 - disallowed 0 subnets:
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000          private address space in internal use, it should be excluded!
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "vpnhome": 192.168.1.30<192.168.1.30>[+S=C]:17/1701---192.168.1.1...%virtual[+S=C]:17/%any===?; unrouted; eroute owner: #0
> 000 "vpnhome":     myip=unset; hisip=unset;
> 000 "vpnhome":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "vpnhome":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0;
> 000 "vpnhome":   dpd: action:clear; delay:40; timeout:130;
> 000 "vpnhome":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>  
>  
>  
> ** Windows 7 says **
> Disconnected: Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed.
> I have disabled the Windows 7 firewall and nothing changed.
>  
> Any hints, ideas and tricks are welcome.
>  
> Regards
> Horst
>  
> 
> 

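A triage script for logs like the one above, added here as an editorial example; it is not part of Horst's post and not Openswan's own tooling. It reconstructs, per peer, which ISAKMP and IPsec SAs pluto reports as established and which ones the peer itself tears down, so the sequence in the quoted log (ISAKMP SA up, transport-mode IPsec SA up, then "received Delete SA" from the Windows side) is separated from a genuine IKE failure. The regular expressions target the message formats visible in the quoted pluto.log; the function and variable names are the example's own, and the sample input is the post's log with the quoting stripped.

```python
"""Added example: triage an Openswan pluto log per peer.

Reconstructs which ISAKMP/IPsec SAs were established and which ones the
peer itself deleted, so "negotiated fine, then torn down by the peer" is
reported distinctly from an IKE failure. Regexes follow the message
formats seen in the pluto.log quoted in the post; names are the example's own.
"""
import re
import sys
from collections import defaultdict

# One pluto line: "conn"[instance] peer #state: message  (the #state part is optional)
LINE_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
IPSEC_RE = re.compile(r'IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}')
SPI_OUT_RE = re.compile(r'=>(0x[0-9a-fA-F]+)')   # "ESP/NAT=>0x..." carries the outbound SPI
DEL_IPSEC_RE = re.compile(
    r'received Delete SA\((?P<spi>0x[0-9a-fA-F]+)\) payload: deleting IPSEC State #(?P<sa>\d+)')
DEL_ISAKMP_RE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(?P<sa>\d+)')
PROPOSAL_RE = re.compile(r'the peer proposed: (?P<src>\S+) -> (?P<dst>\S+)')
NATT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>.*?): (?P<result>.*)$')
GROUP_RE = re.compile(r'OAKLEY_GROUP (?P<group>\d+) not supported')


def parse_params(text):
    """'auth=OAKLEY_PRESHARED_KEY cipher=aes_256 ...' -> dict; tokens without '=' are dropped."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def new_report():
    return {"isakmp": {}, "ipsec": {}, "proposals": [], "natt": None,
            "unsupported_groups": [], "peer_deleted": [], "findings": []}


def analyze(lines):
    """Return {peer_ip: report} with the SA history and the findings derived from it."""
    peers = defaultdict(new_report)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # "packet from ..." and startup lines: no per-peer state
        rep, sa, msg = peers[m["peer"]], m["sa"], m["msg"]
        if g := GROUP_RE.search(msg):
            rep["unsupported_groups"].append(int(g["group"]))
        elif g := NATT_RE.search(msg):
            rep["natt"] = g["result"]
        elif g := PROPOSAL_RE.search(msg):
            rep["proposals"].append((g["src"], g["dst"]))
        elif g := ISAKMP_RE.search(msg):
            rep["isakmp"][sa] = parse_params(g["params"])
        elif g := IPSEC_RE.search(msg):
            p = parse_params(g["params"])
            p["mode"] = g["mode"]
            spi = SPI_OUT_RE.search(g["params"])
            p["spi_out"] = spi.group(1) if spi else None
            rep["ipsec"][sa] = p
        elif g := DEL_IPSEC_RE.search(msg):
            rep["peer_deleted"].append(("ipsec", g["sa"], g["spi"]))
        elif g := DEL_ISAKMP_RE.search(msg):
            rep["peer_deleted"].append(("isakmp", g["sa"], None))

    for peer, rep in peers.items():
        for kind, sa, spi in rep["peer_deleted"]:
            if kind == "ipsec" and sa in rep["ipsec"]:
                # Both IKE phases completed and the *peer* sent the Delete: the IKE layer is
                # not where this failed, so the next thing to inspect is what runs inside the SA.
                rep["findings"].append(
                    f"peer {peer} deleted IPsec SA #{sa} (SPI {spi}) it had just negotiated in "
                    f"{rep['ipsec'][sa]['mode']} mode; IKE phase 1 and Quick Mode succeeded, so "
                    f"check the L2TP exchange carried inside the SA (UDP 1701) before touching IKE")
        if rep["natt"]:
            rep["findings"].append(f"NAT-T result '{rep['natt']}': ESP is UDP-encapsulated on "
                                   f"port 4500, so 500/udp and 4500/udp must both reach pluto")
        if rep["unsupported_groups"]:
            groups = ", ".join(str(x) for x in sorted(set(rep["unsupported_groups"])))
            used = ", ".join(p.get("group", "?") for p in rep["isakmp"].values()) or "none"
            rep["findings"].append(f"peer offered unsupported DH group(s) {groups}; the ISAKMP SA "
                                   f"used {used} (informational, not a failure)")
    return dict(peers)


# Sample input: lines copied from the pluto.log quoted above, "> " quoting removed.
SAMPLE_LOG = [
    '"vpnhome"[37] 2.204.196.17 #80: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION',
    '"vpnhome"[37] 2.204.196.17 #80: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION',
    '"vpnhome"[37] 2.204.196.17 #80: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed',
    '"vpnhome"[38] 2.204.196.17 #80: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}',
    '"vpnhome"[38] 2.204.196.17 #80: the peer proposed: 85.177.255.209/32:17/1701 -> 10.0.0.2/32:17/0',
    '"vpnhome"[38] 2.204.196.17 #81: responding to Quick Mode proposal {msgid:01000000}',
    '"vpnhome"[38] 2.204.196.17 #81: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xeab62830 <0x4a10836c xfrm=AES_128-HMAC_SHA1 NATOA=10.0.0.2 NATD=2.204.196.17:54671 DPD=none}',
    '"vpnhome"[38] 2.204.196.17 #80: received Delete SA(0xeab62830) payload: deleting IPSEC State #81',
    '"vpnhome"[38] 2.204.196.17 #80: received Delete SA payload: deleting ISAKMP State #80',
    '"vpnhome"[38] 2.204.196.17: deleting connection "vpnhome" instance with peer 2.204.196.17 {isakmp=#0/ipsec=#0}',
]

if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for peer, rep in analyze(lines).items():
        print(f"== {peer}: isakmp={list(rep['isakmp'])} ipsec={list(rep['ipsec'])} "
              f"proposals={rep['proposals']}")
        for finding in rep["findings"]:
            print("  -", finding)
```

Run it with a pluto.log path as the only argument, or with no argument to process the embedded sample. The point of keying everything on the peer address and state number is that one Windows client produces several connection instances ("vpnhome"[37], [38]) during a single attempt, and the Delete for the IPsec state arrives on the ISAKMP state (#80), not on the IPsec state (#81) it removes.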