[Openswan Users] L2TP/IPSec can not work.
Ozai
ozai.tien at gmail.com
Fri Mar 22 02:56:51 UTC 2013
Hi Willie,
1>
Yes,the secret is match.I changed the leftprotoport=17/1701 and
rightprotoport=17/1701 to
leftprotoport=0/0 and rightprotoport=0/0.The tunnel seem to work.I am
confused.Is it the parameter matched issue?let openswan reject the
connection.And why port/protoport is 0/0 not 17/1701?
2>
Even though the tunnel worked,but L2tp can not work.Do you have any
suggestion on it?
Thank's.
Best Regards,
Ozai
----- Original Message -----
From: "Willie Gillespie" <wgillespie+openswan at es2eng.com>
To: <users at lists.openswan.org>
Sent: Friday, March 15, 2013 11:12 PM
Subject: Re: [Openswan Users] L2TP/IPSec can not work.
> Just a stab in the dark, but do you have a matching secret in your secrets
> file?
>
> On 3/14/2013 3:11 AM, Ozai wrote:
>> Hi Bob,
>>
>> I added left/rightsubnet into ipsec.conf.But I got the same result.
>>
>> Do you have idea on "cannot respond to IPsec SA request because no
>> connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>"?
>>
>> Thank's a lot.
>>
>> Jan 1 02:02:52 authpriv warn pluto[10367]: packet from
>> 172.17.21.80:500: received Vendor ID payload [RFC 3947] meth=115, but
>> port floating is off
>> Jan 1 02:02:52 authpriv warn pluto[10367]: packet from
>> 172.17.21.80:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
>> Jan 1 02:02:52 authpriv warn pluto[10367]: packet from
>> 172.17.21.80:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
>> Jan 1 02:02:52 authpriv warn pluto[10367]: packet from
>> 172.17.21.80:500: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-00]
>> Jan 1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: responding to
>> Main Mode
>> Jan 1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: Oakley Transform
>> [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due
>> to strict flag
>> Jan 1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: transition from
>> state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Jan 1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R1:
>> sent MR1, expecting MI2
>> Jan 1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: transition from
>> state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Jan 1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R2:
>> sent MR2, expecting MI3
>> Jan 1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: Main mode peer
>> ID is ID_IPV4_ADDR: '172.17.21.80'
>> Jan 1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: transition from
>> state STATE_MAIN_R2 to state STATE_MAIN_R3
>> Jan 1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R3:
>> sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
>> Jan 1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: the peer
>> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
>> Jan 1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
>> to IPsec SA request because no connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan 1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: sending
>> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
>> Jan 1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: the peer
>> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
>> Jan 1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
>> to IPsec SA request because no connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan 1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: sending
>> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
>> Jan 1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: the peer
>> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
>> Jan 1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
>> to IPsec SA request because no connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan 1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: sending
>> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
>> Jan 1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: the peer
>> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
>> Jan 1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
>> to IPsec SA request because no connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan 1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: sending
>> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
>>
>> Best Regards,
>> Ozai
>> ----- Original Message ----- From: "Bob Miller" <bob at computerisms.ca>
>> To: <users at lists.openswan.org>
>> Sent: Friday, March 08, 2013 2:10 AM
>> Subject: Re: [Openswan Users] L2TP/IPSec can not work.
>>
>>
>>> Hello,
>>>
>>>>
>>>> # cat ipsec.conf
>>>> config setup
>>>> nat_traversal=no
>>>> oe=off
>>>> protostack=netkey
>>>> interfaces=%defaultroute
>>>>
>>>> conn L2TP-PSK-NAT
>>>> rightsubnet=vhost:%no,%priv
>>>
>>> In order to use this you need to have virtual_private configured above,
>>> but given your topology you won't be needing NAT, so this stanza seems
>>> pointless.
>>>
>>>> also=L2TP-PSK-noNAT
>>>>
>>>> conn L2TP-PSK-noNAT
>>>> left=172.17.21.81
>>>> leftprotoport=17/1701
>>>> rightprotoport=17/1701
>>>> right=172.17.21.80
>>>
>>> try adding left/rightsubnet to this stanza, these settings are not
>>> describing enough of the network for openswan to figure out which
>>> traffic needs to go through the tunnel.
>>>
>>>
>>>
>>>
>>>
>>>> pfs=no
>>>> keylife=1h
>>>> keyingtries=3
>>>> rekey=no
>>>> ikelifetime=60m
>>>> type=transport
>>>> authby=secret
>>>> auto=add
>>>> #
>>>> Jan 1 04:12:15 daemon err ipsec_setup: Starting Openswan IPsec
>>>> U2.6.38/K2.6.30...
>>>> Jan 1 04:12:15 daemon err ipsec_setup: Using NETKEY(XFRM) stack
>>>> Jan 1 04:12:17 authpriv err ipsec__plutorun: Starting Pluto
>>>> subsystem...
>>>> Jan 1 04:12:17 user warn syslog: adjusting ipsec.d to /var/ipsec.d
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: LEAK_DETECTIVE support
>>>> [disabled]
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: OCF support for IKE
>>>> [disabled]
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: NSS support [disabled]
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: HAVE_STATSD notification
>>>> support not compiled in
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: Setting NAT-Traversal
>>>> port-4500 floating to off
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: port floating activation
>>>> criteria nat_t=0/port_float=1
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: NAT-Traversal support
>>>> [disabled]
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: using /dev/urandom as
>>>> source of random entropy
>>>> Jan 1 04:12:17 daemon err ipsec__plutorun: adjusting ipsec.d
>>>> to /var/ipsec.d
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_enc():
>>>> Activating OAKLEY_AES_CBC: Ok (ret=0)
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
>>>> Activating OAKLEY_SHA2_512: Ok (ret=0)
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
>>>> Activating OAKLEY_SHA2_256: Ok (ret=0)
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: starting up 1 cryptographic
>>>> helpers
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: started helper pid=8319
>>>> (fd:6)
>>>> Jan 1 04:12:17 authpriv warn pluto[8319]: using /dev/urandom as
>>>> source of random entropy
>>>> Jan 1 04:12:17 daemon err ipsec_setup: ...Openswan IPsec started
>>>> Jan 1 04:12:17 authpriv warn pluto[8314]: Using Linux 2.6 IPsec
>>>> interface code on 2.6.30 (experimental code)
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>>> Activating aes_ccm_8: Ok (ret=0)
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>>> algo_type '0', algo_id '0', Algorithm type already exists
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>>> Activating aes_ccm_12: FAILED (ret=-17)
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>>> algo_type '0', algo_id '0', Algorithm type already exists
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>>> Activating aes_ccm_16: FAILED (ret=-17)
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>>> algo_type '0', algo_id '0', Algorithm type already exists
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>>> Activating aes_gcm_8: FAILED (ret=-17)
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>>> algo_type '0', algo_id '0', Algorithm type already exists
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>>> Activating aes_gcm_12: FAILED (ret=-17)
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>>> algo_type '0', algo_id '0', Algorithm type already exists
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>>> Activating aes_gcm_16: FAILED (ret=-17)
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>>> directory '/var/ipsec.d/cacerts': No such file or directory
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>>> directory '/var/ipsec.d/aacerts': No such file or directory
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>>> directory '/var/ipsec.d/ocspcerts': No such file or directory
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>>> directory '/var/ipsec.d/crls': 2 No such file or directory
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: added connection
>>>> description "L2TP-PSK-NAT"
>>>> Jan 1 04:12:19 daemon err ipsec__plutorun: 002 added connection
>>>> description "L2TP-PSK-NAT"
>>>> Jan 1 04:12:19 authpriv warn pluto[8314]: added connection
>>>> description "L2TP-PSK-noNAT"
>>>> Jan 1 04:12:19 daemon err ipsec__plutorun: 002 added connection
>>>> description "L2TP-PSK-noNAT"
>>>> Jan 1 04:12:20 authpriv warn pluto[8314]: listening for IKE messages
>>>> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface
>>>> eth0.1/eth0.1 172.17.21.81:500
>>>> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface br0/br0
>>>> 192.168.1.254:500
>>>> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface lo/lo
>>>> 127.0.0.1:500
>>>> Jan 1 04:12:20 authpriv warn pluto[8314]: adding interface
>>>> lo/lo ::1:500
>>>> Jan 1 04:12:20 authpriv warn pluto[8314]: loading secrets from
>>>> "/var/ipsec.secrets"
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: received Vendor ID payload [RFC 3947] meth=115, but
>>>> port floating is off
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: received Vendor ID payload
>>>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: received Vendor ID payload
>>>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: ignoring Vendor ID payload
>>>> [draft-ietf-ipsec-nat-t-ike-00]
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: responding to Main Mode from unknown peer
>>>> 172.17.21.80
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: transition from state STATE_MAIN_R0 to state
>>>> STATE_MAIN_R1
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>>> ISAKMP SA
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: transition from state STATE_MAIN_R1 to state
>>>> STATE_MAIN_R2
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.80'
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: transition from state STATE_MAIN_R2 to state
>>>> STATE_MAIN_R3
>>>> Jan 1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>>>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>>>> group=modp1024}
>>>> Jan 1 04:12:25 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>>> ISAKMP SA
>>>> Jan 1 04:12:29 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>>> ISAKMP SA
>>>> Jan 1 04:12:33 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>>> ISAKMP SA
>>>> Jan 1 04:12:37 authpriv warn pluto[8314]: packet from
>>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>>> ISAKMP SA
>>>> Jan 1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>>> 172.17.21.80/32:17/1701
>>>> Jan 1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>>> connection is known for
>>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>>> Jan 1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>>> to 172.17.21.80:500
>>>> Jan 1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>>> 172.17.21.80/32:17/1701
>>>> Jan 1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>>> connection is known for
>>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>>> Jan 1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>>> to 172.17.21.80:500
>>>> Jan 1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>>> 172.17.21.80/32:17/1701
>>>> Jan 1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>>> connection is known for
>>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>>> Jan 1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>>> to 172.17.21.80:500
>>>> Jan 1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>>> 172.17.21.80/32:17/1701
>>>> Jan 1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>>> connection is known for
>>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>>> Jan 1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>>> to 172.17.21.80:500
>>>> Jan 1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>>> 172.17.21.80/32:17/1701
>>>> Jan 1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>>> connection is known for
>>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>>> Jan 1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>>> to 172.17.21.80:500
>>>>
>>>>
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list