[Openswan Users] L2TP/IPSec can not work.

Ozai ozai.tien at gmail.com
Thu Mar 7 03:12:43 EST 2013


Dear Sirs,

The configuration of L2TP/IPSec is as below. I could never make the L2TP/IPSec connection work. I tried to search for information on the internet, but it did not seem to have a good effect. So could someone help me with this question? I really appreciate any help.

Best Regards,
Ozai

openswan(2.6.38)+l2tp(1.3.1) server (172.17.21.81)-----------client (172.17.21.80)


# cat ipsec.conf
config setup
                nat_traversal=no
                oe=off
                protostack=netkey
                interfaces=%defaultroute

conn L2TP-PSK-NAT
                rightsubnet=vhost:%no,%priv
                also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
                left=172.17.21.81
                leftprotoport=17/1701
                rightprotoport=17/1701
                right=172.17.21.80
                pfs=no
                keylife=1h
                keyingtries=3
                rekey=no
                ikelifetime=60m
                type=transport
                authby=secret
                auto=add
#
Jan  1 04:12:15 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
Jan  1 04:12:15 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Jan  1 04:12:17 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Jan  1 04:12:17 user warn syslog: adjusting ipsec.d to /var/ipsec.d
Jan  1 04:12:17 authpriv warn pluto[8314]: LEAK_DETECTIVE support [disabled]
Jan  1 04:12:17 authpriv warn pluto[8314]: OCF support for IKE [disabled]
Jan  1 04:12:17 authpriv warn pluto[8314]: NSS support [disabled]
Jan  1 04:12:17 authpriv warn pluto[8314]: HAVE_STATSD notification support not compiled in
Jan  1 04:12:17 authpriv warn pluto[8314]: Setting NAT-Traversal port-4500 floating to off
Jan  1 04:12:17 authpriv warn pluto[8314]:    port floating activation criteria nat_t=0/port_float=1
Jan  1 04:12:17 authpriv warn pluto[8314]:    NAT-Traversal support  [disabled]
Jan  1 04:12:17 authpriv warn pluto[8314]: using /dev/urandom as source of random entropy
Jan  1 04:12:17 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan  1 04:12:17 authpriv warn pluto[8314]: starting up 1 cryptographic helpers
Jan  1 04:12:17 authpriv warn pluto[8314]: started helper pid=8319 (fd:6)
Jan  1 04:12:17 authpriv warn pluto[8319]: using /dev/urandom as source of random entropy
Jan  1 04:12:17 daemon err ipsec_setup: ...Openswan IPsec started
Jan  1 04:12:17 authpriv warn pluto[8314]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
Jan  1 04:12:19 authpriv warn pluto[8314]: added connection description "L2TP-PSK-NAT"
Jan  1 04:12:19 daemon err ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Jan  1 04:12:19 authpriv warn pluto[8314]: added connection description "L2TP-PSK-noNAT"
Jan  1 04:12:19 daemon err ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Jan  1 04:12:20 authpriv warn pluto[8314]: listening for IKE messages
Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface eth0.1/eth0.1 172.17.21.81:500
Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface br0/br0 192.168.1.254:500
Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface lo/lo 127.0.0.1:500
Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface lo/lo ::1:500
Jan  1 04:12:20 authpriv warn pluto[8314]: loading secrets from "/var/ipsec.secrets"
Jan  1 04:12:21 authpriv warn pluto[8314]: packet from 172.17.21.80:500: received Vendor ID payload [RFC 3947] meth=115, but port floating is off
Jan  1 04:12:21 authpriv warn pluto[8314]: packet from 172.17.21.80:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Jan  1 04:12:21 authpriv warn pluto[8314]: packet from 172.17.21.80:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan  1 04:12:21 authpriv warn pluto[8314]: packet from 172.17.21.80:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: responding to Main Mode from unknown peer 172.17.21.80
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 04:12:21 authpriv warn pluto[8314]: packet from 172.17.21.80:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.80'
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan  1 04:12:25 authpriv warn pluto[8314]: packet from 172.17.21.80:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan  1 04:12:29 authpriv warn pluto[8314]: packet from 172.17.21.80:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan  1 04:12:33 authpriv warn pluto[8314]: packet from 172.17.21.80:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan  1 04:12:37 authpriv warn pluto[8314]: packet from 172.17.21.80:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1] 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
