[Openswan Users] L2TP over IPSec failed

Ozai ozai.tien at gmail.com
Tue Sep 3 03:18:10 UTC 2013


Dear Sirs,

I set up the L2TP test environment as below, but it did not seem to work. It seems the IPsec negotiation failed. What do I need to do to check this? Can someone point me in the right direction? Thanks.

Best Regards,
Ozai

Windows XP -----------(LAN side:192.168.71.X)-----GW-------(WAN side:172.17.21.X)-----------L2TP/IPSec Server
L2TP/IPSec client                                                                                                          Xl2tpd/openswan 2.6.38

####################>>log
Sep  3 03:56:09 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
Sep  3 03:56:09 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Sep  3 03:56:11 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Sep  3 03:56:11 user warn syslog: adjusting ipsec.d to /var/ipsec.d
Sep  3 03:56:11 authpriv warn pluto[5955]: WARNING: 1DES is enabled
Sep  3 03:56:11 authpriv warn pluto[5955]: LEAK_DETECTIVE support [disabled]
Sep  3 03:56:11 authpriv warn pluto[5955]: OCF support for IKE [disabled]
Sep  3 03:56:11 authpriv warn pluto[5955]: NSS support [disabled]
Sep  3 03:56:11 authpriv warn pluto[5955]: HAVE_STATSD notification support not compiled in
Sep  3 03:56:11 authpriv warn pluto[5955]: Setting NAT-Traversal port-4500 floating to off
Sep  3 03:56:11 authpriv warn pluto[5955]:    port floating activation criteria nat_t=0/port_float=1
Sep  3 03:56:11 authpriv warn pluto[5955]:    NAT-Traversal support  [disabled]
Sep  3 03:56:11 authpriv warn pluto[5955]: using /dev/urandom as source of random entropy
Sep  3 03:56:11 authpriv warn pluto[5955]: starting up 1 cryptographic helpers
Sep  3 03:56:11 authpriv warn pluto[5958]: using /dev/urandom as source of random entropy
Sep  3 03:56:11 authpriv warn pluto[5955]: started helper pid=5958 (fd:6)
Sep  3 03:56:11 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
Sep  3 03:56:11 daemon err ipsec_setup: ...Openswan IPsec started
Sep  3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
Sep  3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
Sep  3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
Sep  3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
Sep  3 03:56:13 authpriv warn pluto[5955]: added connection description "test"
Sep  3 03:56:13 daemon err ipsec__plutorun: 002 added connection description "test"
Sep  3 03:56:14 authpriv warn pluto[5955]: listening for IKE messages
Sep  3 03:56:14 authpriv warn pluto[5955]: adding interface eth0.1/eth0.1 172.17.21.75:500
Sep  3 03:56:14 authpriv warn pluto[5955]: adding interface br0/br0 192.168.1.254:500
Sep  3 03:56:14 authpriv warn pluto[5955]: adding interface lo/lo 127.0.0.1:500
Sep  3 03:56:14 authpriv warn pluto[5955]: adding interface lo/lo ::1:500
Sep  3 03:56:14 authpriv warn pluto[5955]: loading secrets from "/var/ipsec.secrets"
Sep  3 03:56:15 daemon info xl2tpd[6358]: Enabling IPsec SAref processing for L2TP transport mode SAs
Sep  3 03:56:15 daemon warn xl2tpd[6358]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Sep  3 03:56:15 daemon crit xl2tpd[6358]: setsockopt recvref[30]: Protocol not available
Sep  3 03:56:15 daemon info xl2tpd[6358]: This binary does not support kernel L2TP.
Sep  3 03:56:15 daemon info xl2tpd[6359]: xl2tpd version xl2tpd-1.3.1 started on home.gateway PID:6359
Sep  3 03:56:15 daemon info xl2tpd[6359]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep  3 03:56:15 daemon info xl2tpd[6359]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep  3 03:56:15 daemon info xl2tpd[6359]: Inherited by Jeff McAdams, (C) 2002
Sep  3 03:56:15 daemon info xl2tpd[6359]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep  3 03:56:15 daemon info xl2tpd[6359]: Listening on IP address 0.0.0.0, port 1701
Sep  3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep  3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: ignoring Vendor ID payload [FRAGMENTATION]
Sep  3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Sep  3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: responding to Main Mode from unknown peer 172.17.21.74
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.71.1'
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: switched from "test" to "test"
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: deleting connection "test" instance with peer 172.17.21.74 {isakmp=#0/ipsec=#0}
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
Sep  3 03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
Sep  3 03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
Sep  3 03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
Sep  3 03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
Sep  3 03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
Sep  3 03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
Sep  3 03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
Sep  3 03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
Sep  3 03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500

####################>>ipsec.conf
config setup
                nat_traversal=no
                oe=off
                protostack=netkey
                interfaces=%defaultroute

conn test
                left=172.17.21.75
                leftprotoport=17/1701
                connaddrfamily=ipv4
                right=%any
                rightprotoport=17/%any
                pfs=no
                salifetime=60m
                ikelifetime=480m
                type=transport
                phase2=esp
                keyexchange=ike
                authby=secret
                auto=add

####################>>ipsec.secrets
172.17.21.75 %any : PSK "123"
               
####################>>xl2tpd.conf
[global]
auth file=/var/xl2tpd/l2tp-secrets
ipsec saref = yes
port = 1701

[lns default]
ip range = 192.168.1.10-192.168.1.13
local ip = 192.168.1.254
require authentication = yes
name = L2TPServer
pppoptfile = /var/xl2tpd/options.xl2tpd
length bit = yes
challenge = no
#                
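As an added triage example (not part of Ozai's post and not Openswan code), the script below scans pluto log lines like those above and reports where the negotiation stopped: Phase 1 completed, the Main Mode peer ID (192.168.71.1) differs from the packet source (172.17.21.74), and NAT-Traversal is disabled. The sample lines are constructed from the post; the suggested rightsubnet value is the usual Openswan idiom for NATed L2TP clients, not something taken from the post.

```python
import re

# Constructed sample: a handful of pluto lines of the kind shown in the post above.
SAMPLE_LOG = """\
Sep  3 03:56:11 authpriv warn pluto[5955]:    NAT-Traversal support  [disabled]
Sep  3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.71.1'
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
Sep  3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
"""
# Packet source address and the IPv4 identity the peer claimed in Main Mode.
PEER_ID_RE = re.compile(
    r'"[^"]+"\[\d+\] (?P<src>\d+\.\d+\.\d+\.\d+) #\d+: '
    r"Main mode peer ID is ID_IPV4_ADDR: '(?P<pid>\d+\.\d+\.\d+\.\d+)'")


def triage(log_text):
    """Classify where an L2TP/IPsec negotiation stopped and why."""
    r = {"phase1_established": False, "nat_t_enabled": True, "peer_src": None,
         "peer_id": None, "peer_behind_nat": False, "phase2_rejected": False, "findings": []}
    for line in log_text.splitlines():
        if "NAT-Traversal support" in line and "[disabled]" in line:
            r["nat_t_enabled"] = False
        if "ISAKMP SA established" in line:  # Phase 1 done: PSK and IKE proposal were accepted
            r["phase1_established"] = True
        m = PEER_ID_RE.search(line)
        if m:
            r["peer_src"], r["peer_id"] = m.group("src"), m.group("pid")
        if "no connection is known for" in line or "INVALID_ID_INFORMATION" in line:
            r["phase2_rejected"] = True  # Quick Mode selector matched no conn
    if r["peer_src"] and r["peer_id"] and r["peer_src"] != r["peer_id"]:
        r["peer_behind_nat"] = True  # claimed ID is not the address the packets come from
    if r["phase1_established"]:
        r["findings"].append("Phase 1 completed: PSK and IKE proposals are fine.")
    if r["phase2_rejected"]:
        r["findings"].append("Phase 2 rejected: peer's traffic selector matched no conn.")
    if r["peer_behind_nat"]:
        r["findings"].append("Peer ID %s differs from source %s: client is behind NAT."
                             % (r["peer_id"], r["peer_src"]))
        if not r["nat_t_enabled"]:
            r["findings"].append("NAT-T is off; set nat_traversal=yes and a rightsubnet that "
                                 "admits NATed clients (Openswan idiom: vhost:%priv,%no).")
    return r


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print("-", f)
```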