[Openswan Users] L2TP/IPSec can not work.
Bob Miller
bob at computerisms.ca
Thu Mar 7 13:10:59 EST 2013
Hello,
>
> # cat ipsec.conf
> config setup
> nat_traversal=no
> oe=off
> protostack=netkey
> interfaces=%defaultroute
>
> conn L2TP-PSK-NAT
> rightsubnet=vhost:%no,%priv
In order to use this you need to have virtual_private configured above,
but given your topology you won't be needing NAT, so this stanza seems
pointless.
> also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
> left=172.17.21.81
> leftprotoport=17/1701
> rightprotoport=17/1701
> right=172.17.21.80
try adding left/rightsubnet to this stanza, these settings are not
describing enough of the network for openswan to figure out which
traffic needs to go through the tunnel.
> pfs=no
> keylife=1h
> keyingtries=3
> rekey=no
> ikelifetime=60m
> type=transport
> authby=secret
> auto=add
> #
> Jan 1 04:12:15 daemon err ipsec_setup: Starting Openswan IPsec
> U2.6.38/K2.6.30...
> Jan 1 04:12:15 daemon err ipsec_setup: Using NETKEY(XFRM) stack
> Jan 1 04:12:17 authpriv err ipsec__plutorun: Starting Pluto
> subsystem...
> Jan 1 04:12:17 user warn syslog: adjusting ipsec.d to /var/ipsec.d
> Jan 1 04:12:17 authpriv warn pluto[8314]: LEAK_DETECTIVE support
> [disabled]
> Jan 1 04:12:17 authpriv warn pluto[8314]: OCF support for IKE
> [disabled]
> Jan 1 04:12:17 authpriv warn pluto[8314]: NSS support [disabled]
> Jan 1 04:12:17 authpriv warn pluto[8314]: HAVE_STATSD notification
> support not compiled in
> Jan 1 04:12:17 authpriv warn pluto[8314]: Setting NAT-Traversal
> port-4500 floating to off
> Jan 1 04:12:17 authpriv warn pluto[8314]: port floating activation
> criteria nat_t=0/port_float=1
> Jan 1 04:12:17 authpriv warn pluto[8314]: NAT-Traversal support
> [disabled]
> Jan 1 04:12:17 authpriv warn pluto[8314]: using /dev/urandom as
> source of random entropy
> Jan 1 04:12:17 daemon err ipsec__plutorun: adjusting ipsec.d
> to /var/ipsec.d
> Jan 1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jan 1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok (ret=0)
> Jan 1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok (ret=0)
> Jan 1 04:12:17 authpriv warn pluto[8314]: starting up 1 cryptographic
> helpers
> Jan 1 04:12:17 authpriv warn pluto[8314]: started helper pid=8319
> (fd:6)
> Jan 1 04:12:17 authpriv warn pluto[8319]: using /dev/urandom as
> source of random entropy
> Jan 1 04:12:17 daemon err ipsec_setup: ...Openswan IPsec started
> Jan 1 04:12:17 authpriv warn pluto[8314]: Using Linux 2.6 IPsec
> interface code on 2.6.30 (experimental code)
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
> Activating aes_ccm_8: Ok (ret=0)
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
> algo_type '0', algo_id '0', Algorithm type already exists
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
> Activating aes_ccm_12: FAILED (ret=-17)
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
> algo_type '0', algo_id '0', Algorithm type already exists
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
> Activating aes_ccm_16: FAILED (ret=-17)
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
> algo_type '0', algo_id '0', Algorithm type already exists
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
> Activating aes_gcm_8: FAILED (ret=-17)
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
> algo_type '0', algo_id '0', Algorithm type already exists
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
> Activating aes_gcm_12: FAILED (ret=-17)
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
> algo_type '0', algo_id '0', Algorithm type already exists
> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
> Activating aes_gcm_16: FAILED (ret=-17)
> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
> directory '/var/ipsec.d/cacerts': No such file or directory
> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
> directory '/var/ipsec.d/aacerts': No such file or directory
> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
> directory '/var/ipsec.d/ocspcerts': No such file or directory
> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
> directory '/var/ipsec.d/crls': 2 No such file or directory
> Jan 1 04:12:19 authpriv warn pluto[8314]: added connection
> description "L2TP-PSK-NAT"
> Jan 1 04:12:19 daemon err ipsec__plutorun: 002 added connection
> description "L2TP-PSK-NAT"
> Jan 1 04:12:19 authpriv warn pluto[8314]: added connection
> description "L2TP-PSK-noNAT"
> Jan 1 04:12:19 daemon err ipsec__plutorun: 002 added connection
> description "L2TP-PSK-noNAT"
> Jan 1 04:12:20 authpriv warn pluto[8314]: listening for IKE messages
> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface
> eth0.1/eth0.1 172.17.21.81:500
> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface br0/br0
> 192.168.1.254:500
> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface lo/lo
> 127.0.0.1:500
> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface
> lo/lo ::1:500
> Jan 1 04:12:20 authpriv warn pluto[8314]: loading secrets from
> "/var/ipsec.secrets"
> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: received Vendor ID payload [RFC 3947] meth=115, but
> port floating is off
> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: responding to Main Mode from unknown peer
> 172.17.21.80
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
> ISAKMP SA
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.80'
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> Jan 1 04:12:25 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
> ISAKMP SA
> Jan 1 04:12:29 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
> ISAKMP SA
> Jan 1 04:12:33 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
> ISAKMP SA
> Jan 1 04:12:37 authpriv warn pluto[8314]: packet from
> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
> ISAKMP SA
> Jan 1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
> 172.17.21.80/32:17/1701
> Jan 1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: cannot respond to IPsec SA request because no
> connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan 1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
> to 172.17.21.80:500
> Jan 1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
> 172.17.21.80/32:17/1701
> Jan 1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: cannot respond to IPsec SA request because no
> connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan 1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
> to 172.17.21.80:500
> Jan 1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
> 172.17.21.80/32:17/1701
> Jan 1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: cannot respond to IPsec SA request because no
> connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan 1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
> to 172.17.21.80:500
> Jan 1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
> 172.17.21.80/32:17/1701
> Jan 1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: cannot respond to IPsec SA request because no
> connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan 1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
> to 172.17.21.80:500
> Jan 1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
> 172.17.21.80/32:17/1701
> Jan 1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: cannot respond to IPsec SA request because no
> connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan 1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
> to 172.17.21.80:500
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list