[Openswan Users] No L2TP after update to 2.39
nev at itsnev.co.uk
Thu Aug 8 14:01:48 UTC 2013
Hi All,
I just upgraded from 2.38 to 2.39 and can see the IPSEC tunnel established,
but there is NOTHING being passed to XL2TPD?
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.39/K2.6.32-279.11.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [IP XFRM BROKEN]
Checking 'iptables' command [OK]
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: received Vendor ID payload [RFC 3947] method set to=115
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: responding to Main Mode from unknown peer A.B.C.D
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.107'
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: deleting connection "L2TP-PSK-NAT" instance with peer A.B.C.D {isakmp=#0/ipsec=#0}
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: new NAT mapping for #3, was A.B.C.D:500, now A.B.C.D:44116
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: the peer proposed: W.X.Y.Z/32:17/1701 -> 192.168.1.107/32:17/0
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: responding to Quick Mode proposal {msgid:01000000}
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: us: W.X.Y.Z:17/1701---W.X.Y.Z
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: them: A.B.C.D[192.168.1.107]:17/1701===192.168.1.107/32
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xaf04dd26 <0xd0ed4241 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.107 NATD=A.B.C.D:44116 DPD=none}
# basic configuration
config setup
        #dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:172.19.0.0/12;%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        nhelpers=0

# Add connections here
conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        dpdaction=clear
        dpdtimeout=120
        dpddelay=3
        type=transport
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

conn passthrough-for-non-l2tp
        type=passthrough
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route
[root@ssl9 xl2tpd]# more xl2tpd.conf
[global]
;listen-addr = W.X.Y.Z
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; forceuserspace = yes
;
; debug tunnel = yes
[lns default]
ip range = 10.200.11.2-10.200.11.254
local ip = 10.200.10.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = no
name = OpenSwanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Many Thanks
Nev
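Added example, not part of the post above and not Openswan code: a small Python triage script that reads pluto log lines of the format shown in this message and reduces the negotiation to the facts that decide whether the fault is in IKE or below it. It assumes only that log format; the names summarize and l2tp_ready and the sample lines are mine (the sample copies five lines from the post, placeholders included).

```python
import re

# Constructed sample: five lines copied from the pluto log in the post above,
# with the poster's A.B.C.D / W.X.Y.Z placeholders left exactly as written.
SAMPLE_LOG = """\
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: the peer proposed: W.X.Y.Z/32:17/1701 -> 192.168.1.107/32:17/0
Aug 8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xaf04dd26 <0xd0ed4241 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.107 NATD=A.B.C.D:44116 DPD=none}
"""

# pluto's per-state prefix: "conn"[instance] peer #sa-number: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
KV_RE = re.compile(r"(\w+)=>?(\S+)")  # key=value, plus pluto's ESP=>spi form

def summarize(log_text):
    """Collect what decides whether the IKE/IPsec side is healthy: DH groups the
    peer offered that we refused, NAT-T detection, both SAs, the proposed selector."""
    s = {"unsupported_groups": [], "peer_nated": False,
         "isakmp": None, "ipsec": None, "proposed": None}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        g = re.match(r"OAKLEY_GROUP (\d+) not supported", msg)
        if g:
            s["unsupported_groups"].append(int(g.group(1)))
        elif msg.endswith("peer is NATed"):
            s["peer_nated"] = True
        elif "ISAKMP SA established" in msg:
            s["isakmp"] = dict(KV_RE.findall(msg[msg.index("{") + 1:msg.rindex("}")]))
        elif "IPsec SA established" in msg:
            sa = dict(KV_RE.findall(msg[msg.index("{") + 1:msg.rindex("}")]))
            sa["ESP_in"] = re.search(r"<(0x[0-9a-fA-F]+)", msg).group(1)  # inbound SPI
            sa["mode"] = "transport" if "transport mode" in msg else "tunnel"
            s["ipsec"] = sa
        elif msg.startswith("the peer proposed: "):
            s["proposed"] = msg[len("the peer proposed: "):]
    return s

def l2tp_ready(summary, l2tp_port=1701):
    """True when a transport-mode IPsec SA is up and the peer's selector targets
    UDP/1701 on our side: IKE has done its job, so if xl2tpd still sees nothing,
    look below IPsec (the 'IP XFRM BROKEN' check) or at the L2TP layer instead."""
    sa = summary["ipsec"]
    return (sa is not None and sa["mode"] == "transport"
            and f":17/{l2tp_port} ->" in (summary["proposed"] or ""))
```

Run it over /var/log/secure (or wherever pluto logs on the box) after the client connects; the unsupported_groups list only records DH groups the peer offered and pluto declined, which is harmless as long as a later line shows an ISAKMP SA.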