[Openswan Users] L2TP over IPSec failed
Leto
letoams at gmail.com
Tue Sep 3 03:28:52 UTC 2013
you need to:
- add rightsubnet=vhost:%priv,%no
- add virtual-private= that includes your 172 range
- configure the real IP address in xl2tpd.conf for listen-addr
sent from a tiny device
On 2013-09-02, at 23:18, "Ozai" <ozai.tien at gmail.com> wrote:
> Dear Sirs,
>
> I set up the L2TP test environment as below, but it does not seem to work. It seems the IPsec negotiation failed. What do I need to do to check this? Can someone point me in the right direction? Thanks.
>
> Best Regards,
> Ozai
>
> Windows XP -----------(LAN side:192.168.71.X)-----GW-------(WAN side:172.17.21.X)-----------L2TP/IPSec Server
> L2TP/IPSec client Xl2tpd/openswan 2.6.38
>
> ####################>>log
> Sep 3 03:56:09 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
> Sep 3 03:56:09 daemon err ipsec_setup: Using NETKEY(XFRM) stack
> Sep 3 03:56:11 authpriv err ipsec__plutorun: Starting Pluto subsystem...
> Sep 3 03:56:11 user warn syslog: adjusting ipsec.d to /var/ipsec.d
> Sep 3 03:56:11 authpriv warn pluto[5955]: WARNING: 1DES is enabled
> Sep 3 03:56:11 authpriv warn pluto[5955]: LEAK_DETECTIVE support [disabled]
> Sep 3 03:56:11 authpriv warn pluto[5955]: OCF support for IKE [disabled]
> Sep 3 03:56:11 authpriv warn pluto[5955]: NSS support [disabled]
> Sep 3 03:56:11 authpriv warn pluto[5955]: HAVE_STATSD notification support not compiled in
> Sep 3 03:56:11 authpriv warn pluto[5955]: Setting NAT-Traversal port-4500 floating to off
> Sep 3 03:56:11 authpriv warn pluto[5955]: port floating activation criteria nat_t=0/port_float=1
> Sep 3 03:56:11 authpriv warn pluto[5955]: NAT-Traversal support [disabled]
> Sep 3 03:56:11 authpriv warn pluto[5955]: using /dev/urandom as source of random entropy
> Sep 3 03:56:11 authpriv warn pluto[5955]: starting up 1 cryptographic helpers
> Sep 3 03:56:11 authpriv warn pluto[5958]: using /dev/urandom as source of random entropy
> Sep 3 03:56:11 authpriv warn pluto[5955]: started helper pid=5958 (fd:6)
> Sep 3 03:56:11 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
> Sep 3 03:56:11 daemon err ipsec_setup: ...Openswan IPsec started
> Sep 3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
> Sep 3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
> Sep 3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
> Sep 3 03:56:13 authpriv warn pluto[5955]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
> Sep 3 03:56:13 authpriv warn pluto[5955]: added connection description "test"
> Sep 3 03:56:13 daemon err ipsec__plutorun: 002 added connection description "test"
> Sep 3 03:56:14 authpriv warn pluto[5955]: listening for IKE messages
> Sep 3 03:56:14 authpriv warn pluto[5955]: adding interface eth0.1/eth0.1 172.17.21.75:500
> Sep 3 03:56:14 authpriv warn pluto[5955]: adding interface br0/br0 192.168.1.254:500
> Sep 3 03:56:14 authpriv warn pluto[5955]: adding interface lo/lo 127.0.0.1:500
> Sep 3 03:56:14 authpriv warn pluto[5955]: adding interface lo/lo ::1:500
> Sep 3 03:56:14 authpriv warn pluto[5955]: loading secrets from "/var/ipsec.secrets"
> Sep 3 03:56:15 daemon info xl2tpd[6358]: Enabling IPsec SAref processing for L2TP transport mode SAs
> Sep 3 03:56:15 daemon warn xl2tpd[6358]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
> Sep 3 03:56:15 daemon crit xl2tpd[6358]: setsockopt recvref[30]: Protocol not available
> Sep 3 03:56:15 daemon info xl2tpd[6358]: This binary does not support kernel L2TP.
> Sep 3 03:56:15 daemon info xl2tpd[6359]: xl2tpd version xl2tpd-1.3.1 started on home.gateway PID:6359
> Sep 3 03:56:15 daemon info xl2tpd[6359]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
> Sep 3 03:56:15 daemon info xl2tpd[6359]: Forked by Scott Balmos and David Stipp, (C) 2001
> Sep 3 03:56:15 daemon info xl2tpd[6359]: Inherited by Jeff McAdams, (C) 2002
> Sep 3 03:56:15 daemon info xl2tpd[6359]: Forked again by Xelerance (www.xelerance.com) (C) 2006
> Sep 3 03:56:15 daemon info xl2tpd[6359]: Listening on IP address 0.0.0.0, port 1701
> Sep 3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Sep 3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: ignoring Vendor ID payload [FRAGMENTATION]
> Sep 3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Sep 3 03:56:26 authpriv warn pluto[5955]: packet from 172.17.21.74:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: responding to Main Mode from unknown peer 172.17.21.74
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.71.1'
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[1] 172.17.21.74 #1: switched from "test" to "test"
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: deleting connection "test" instance with peer 172.17.21.74 {isakmp=#0/ipsec=#0}
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
> Sep 3 03:56:26 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
> Sep 3 03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
> Sep 3 03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
> Sep 3 03:56:27 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
> Sep 3 03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
> Sep 3 03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
> Sep 3 03:56:29 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
> Sep 3 03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: the peer proposed: 172.17.21.75/32:17/1701 -> 192.168.71.1/32:17/0
> Sep 3 03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: cannot respond to IPsec SA request because no connection is known for 172.17.21.75<172.17.21.75>:17/1701...172.17.21.74[192.168.71.1]:17/%any===192.168.71.1/32
> Sep 3 03:56:33 authpriv warn pluto[5955]: "test"[2] 172.17.21.74 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.74:500
>
> ####################>>ipsec.conf
> config setup
> nat_traversal=no
> oe=off
> protostack=netkey
> interfaces=%defaultroute
>
> conn test
> left=172.17.21.75
> leftprotoport=17/1701
> connaddrfamily=ipv4
> right=%any
> rightprotoport=17/%any
> pfs=no
> salifetime=60m
> ikelifetime=480m
> type=transport
> phase2=esp
> keyexchange=ike
> authby=secret
> auto=add
>
> ####################>>ipsec.secrets
> 172.17.21.75 %any : PSK "123"
>
> ####################>>xl2tpd.conf
> [global]
> auth file=/var/xl2tpd/l2tp-secrets
> ipsec saref = yes
> port = 1701
>
> [lns default]
> ip range = 192.168.1.10-192.168.1.13
> local ip = 192.168.1.254
> require authentication = yes
> name = L2TPServer
> pppoptfile = /var/xl2tpd/options.xl2tpd
> length bit = yes
> challenge = no
> #
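The three points in the reply applied to the poster's files, written out here as an added example (not the poster's configuration and not an openswan project sample). The virtual-private= value and the nat_traversal=yes line are assumptions: the reply does not give a value, and NAT-T is inferred from the "port floating is off" log line while the client arrives from 172.17.21.74 with an inner ID of 192.168.71.1.

```ini
# ipsec.conf (example reconstruction)
config setup
    # Log showed "port floating is off" although the peer sits behind NAT;
    # enabling NAT-T is an assumption added here, not part of the reply.
    nat_traversal=yes
    # Reply point 2: virtual-private= must contain the range the peer's
    # inner address is in. Example value; the server's own LAN is excluded.
    virtual-private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn test
    left=172.17.21.75
    leftprotoport=17/1701
    connaddrfamily=ipv4
    right=%any
    # Reply point 1: accept the peer's real address (%no) or a private
    # address from virtual-private= (%priv), so 192.168.71.1/32 matches
    # instead of producing "no connection is known for ...".
    rightsubnet=vhost:%priv,%no
    rightprotoport=17/%any
    pfs=no
    salifetime=60m
    ikelifetime=480m
    type=transport
    phase2=esp
    keyexchange=ike
    authby=secret
    auto=add

# xl2tpd.conf (example reconstruction)
[global]
auth file = /var/xl2tpd/l2tp-secrets
ipsec saref = yes
port = 1701
# Reply point 3: bind to the real WAN address instead of 0.0.0.0
listen-addr = 172.17.21.75

[lns default]
ip range = 192.168.1.10-192.168.1.13
local ip = 192.168.1.254
require authentication = yes
name = L2TPServer
pppoptfile = /var/xl2tpd/options.xl2tpd
length bit = yes
challenge = no
```

After reloading, the "the peer proposed: ... -> 192.168.71.1/32" line in the log should be followed by a STATE_QUICK_R2 transition rather than INVALID_ID_INFORMATION if the subnet now matches.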