[Openswan Users] No L2TP after update to 2.39

nev at itsnev.co.uk nev at itsnev.co.uk
Thu Aug 8 14:01:48 UTC 2013


Hi All,

I just upgraded from 2.38 to 2.39 and can see the IPsec tunnel established,
but there is NOTHING being passed to xl2tpd?

Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.39/K2.6.32-279.11.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
Pluto listening for IKE on udp 500                     [OK]
Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)           [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [IP XFRM BROKEN]
Checking 'iptables' command                             [OK]

Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: received Vendor ID payload [RFC 3947] method set to=115
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: responding to Main Mode from unknown peer A.B.C.D
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.107'
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: deleting connection "L2TP-PSK-NAT" instance with peer A.B.C.D {isakmp=#0/ipsec=#0}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: new NAT mapping for #3, was A.B.C.D:500, now A.B.C.D:44116
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: the peer proposed: W.X.Y.Z/32:17/1701 -> 192.168.1.107/32:17/0
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: responding to Quick Mode proposal {msgid:01000000}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:     us: W.X.Y.Z:17/1701---W.X.Y.Z
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:   them: A.B.C.D[192.168.1.107]:17/1701===192.168.1.107/32
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xaf04dd26 <0xd0ed4241 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.107 NATD=A.B.C.D:44116 DPD=none}

# basic configuration
config setup
        #dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:172.19.0.0/12;%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        nhelpers=0

# Add connections here
conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        dpdaction=clear
        dpdtimeout=120
        dpddelay=3
        type=transport
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

conn passthrough-for-non-l2tp
        type=passthrough
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

[root@ssl9 xl2tpd]# more xl2tpd.conf
[global]
;listen-addr = W.X.Y.Z
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; forceuserspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 10.200.11.2-10.200.11.254
local ip = 10.200.10.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = no
name = OpenSwanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Many Thanks

Nev
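The pluto excerpt above already answers the first half of the question (both IKE phases completed, transport mode, NAT-T in use) and pins down where the decrypted L2TP must show up. The following script, added here as an example and not code from the post, from Openswan or from xl2tpd, reduces such a log to those facts: the DH groups the Windows client offered that this pluto could not use, the NAT mapping, the negotiated ISAKMP and IPsec SA parameters, and the source address xl2tpd should see once the kernel has stripped the UDP 4500 encapsulation (in transport mode that is the NAT's public address from NATD, not the NAT-OA private address). All function names are this example's own; SAMPLE_LOG is the set of decisive lines quoted in the post, with the addresses left redacted exactly as the post has them.

```python
"""Triage of pluto (Openswan IKE daemon) log lines for an L2TP/IPsec responder.

Added example: not code from the post, Openswan or xl2tpd; function names are
its own. SAMPLE_LOG holds the decisive lines quoted in the post above, with the
public addresses left redacted as A.B.C.D (client's NAT) and W.X.Y.Z (server).
"""
import re

SAMPLE_LOG = """\
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.107'
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: new NAT mapping for #3, was A.B.C.D:500, now A.B.C.D:44116
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: the peer proposed: W.X.Y.Z/32:17/1701 -> 192.168.1.107/32:17/0
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xaf04dd26 <0xd0ed4241 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.107 NATD=A.B.C.D:44116 DPD=none}
"""

SYSLOG = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$')
CONN = re.compile(r'^"[^"]+"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<text>.*)$')
SELECTOR = re.compile(r'^(?P<addr>.+)/(?P<prefix>\d+):(?P<proto>\d+)/(?P<port>\d+)$')


def _kv(body):
    """'a=b c=d' -> {'a': 'b', 'c': 'd'} for pluto's {...} summaries."""
    return dict(re.findall(r'(\w+)=(\S+)', body))


def _selector(text):
    """pluto traffic selector addr/prefix:proto/port (port 0 means any)."""
    m = SELECTOR.match(text)
    return {'addr': m['addr'], 'prefix': int(m['prefix']),
            'proto': int(m['proto']), 'port': int(m['port'])}


def _ipsec_sa(mode, body):
    spi = re.search(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)', body)
    kv = _kv(re.sub(r'ESP=>\S+ <\S+', '', body))
    natd = None
    if 'NATD' in kv:                       # NAT-T: peer's public address:port
        host, port = kv['NATD'].rsplit(':', 1)
        natd = {'host': host, 'port': int(port)}
    return {'mode': mode, 'spi_out': spi and spi[1], 'spi_in': spi and spi[2],
            'xfrm': kv.get('xfrm'), 'natoa': kv.get('NATOA'), 'natd': natd,
            'dpd': kv.get('DPD')}


def parse_pluto_log(text):
    """Reduce a pluto log to what matters for an L2TP/IPsec responder."""
    s = {'unsupported_groups': [], 'peer_nated': False, 'peer_id': None,
         'nat_mapping': None, 'isakmp': None, 'proposal': None, 'ipsec': None}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        c = CONN.match(m['msg']) if m else None
        if not c:
            continue                       # vendor-ID chatter carries no SA context
        t = c['text']
        if g := re.match(r'OAKLEY_GROUP (\d+) not supported', t):
            s['unsupported_groups'].append(int(g[1]))
        elif t.endswith('peer is NATed'):
            s['peer_nated'] = True
        elif g := re.match(r"Main mode peer ID is \S+: '([^']+)'", t):
            s['peer_id'] = g[1]
        elif g := re.match(r'new NAT mapping for #\d+, was (\S+):(\d+), now (\S+):(\d+)', t):
            s['nat_mapping'] = {'host': g[3], 'old_port': int(g[2]), 'new_port': int(g[4])}
        elif g := re.search(r'ISAKMP SA established \{([^}]*)\}', t):
            s['isakmp'] = _kv(g[1])
        elif g := re.match(r'the peer proposed: (\S+) -> (\S+)', t):
            s['proposal'] = {'us': _selector(g[1]), 'them': _selector(g[2])}
        elif g := re.search(r'IPsec SA established (\w+) mode \{([^}]*)\}', t):
            s['ipsec'] = _ipsec_sa(g[1], g[2])
    return s


def expected_l2tp_endpoint(s):
    """Where xl2tpd must see the decrypted L2TP arrive from: transport mode keeps
    the outer IP header, so after the kernel strips UDP-4500 and ESP the packet
    still carries the NAT's public source address (NATD), not the NAT-OA one."""
    if not s['ipsec'] or not s['proposal']:
        raise ValueError('no IPsec SA / proposal in log')
    if s['ipsec']['mode'] != 'transport':
        raise ValueError('L2TP/IPsec needs a transport-mode SA, got ' + s['ipsec']['mode'])
    src = s['ipsec']['natd']['host'] if s['ipsec']['natd'] else s['proposal']['them']['addr']
    return {'src_host': src, 'src_port': s['proposal']['them']['port'] or None,
            'dst_host': s['proposal']['us']['addr'], 'dst_port': s['proposal']['us']['port']}


def findings(s):
    out = []
    if s['unsupported_groups'] and s['isakmp']:
        out.append('peer offered DH group(s) %s this pluto lacks; phase 1 used %s'
                   % (s['unsupported_groups'], s['isakmp']['group']))
    if s['ipsec']:
        ep = expected_l2tp_endpoint(s)
        out.append('%s-mode SA (%s) is up; xl2tpd should get L2TP from %s on %s:%d/udp' % (
            s['ipsec']['mode'], s['ipsec']['xfrm'], ep['src_host'], ep['dst_host'], ep['dst_port']))
        if s['ipsec']['dpd'] == 'none':
            out.append('no DPD: a vanished NATed client keeps its SA until keylife expires')
    return out


if __name__ == '__main__':
    for f in findings(parse_pluto_log(SAMPLE_LOG)):
        print('*', f)
```

Run as-is it works on SAMPLE_LOG; point parse_pluto_log() at whatever file your syslog writes pluto's authpriv messages to (/var/log/secure on RHEL/CentOS 6) to triage a live box. On NETKEY, tcpdump on the outside interface only ever shows the inbound side as UDP 4500, so the decrypted L2TP is better confirmed from the packet counters of the inbound SA (the SPI pluto prints after "<") in `ip -s xfrm state`, from a counting rule such as `iptables -I INPUT -m policy --dir in --pol ipsec -p udp --dport 1701`, and by checking with `netstat -lunp` that xl2tpd is actually bound on 1701 for the address the SA was negotiated on.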

 
