[Openswan Users] No L2TP after update to 2.39

nev at itsnev.co.uk nev at itsnev.co.uk
Mon Sep 9 09:51:48 UTC 2013 

Anyone got any clues why this might me happening.

Thx
Nev

Message: 2
Date: Thu, 15 Aug 2013 09:33:27 +0100
From: <nev at itsnev.co.uk>
To: <users at lists.openswan.org>
Subject: Re: [Openswan Users] No L2TP after update to 2.39
	(nev at itsnev.co.uk)
Message-ID: <017b01ce9992$1d4b4470$57e1cd50$@itsnev.co.uk>
Content-Type: text/plain;	charset="us-ascii"

Hi,

Anyone got any ideas?

Tx
Nev

----------------------------------------------------------------------

Message: 1
Date: Thu, 8 Aug 2013 15:01:48 +0100
From: <nev at itsnev.co.uk>
To: <users at lists.openswan.org>
Subject: [Openswan Users] No L2TP after update to 2.39
Message-ID: <010201ce943f$d3008440$79018cc0$@itsnev.co.uk>
Content-Type: text/plain; charset="us-ascii"

Hi All,

I just upgraded from 2.38 to 2.39 and can see the IPSEC tunnel established,
but there is NOTHING being passed to XL2TPD?

Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.39/K2.6.32-279.11.1.el6.x86_64 (netkey) See `ipsec
--copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
Pluto listening for IKE on udp 500                     [OK]
Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)           [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [IP XFRM BROKEN]
Checking 'iptables' command                             [OK]

 
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring unknown
Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor
ID payload [MS NT5 ISAKMPOAKLEY 00000009] Aug  8 14:50:04 ssl9 pluto[27321]:
packet from A.B.C.D:500: received Vendor ID payload [RFC 3947] method set
to=115 Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already
using method 115 Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500:
ignoring Vendor ID payload [FRAGMENTATION] Aug  8 14:50:04 ssl9
pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload
[MS-Negotiation Discovery Capable] Aug  8 14:50:04 ssl9 pluto[27321]: packet
from A.B.C.D:500: ignoring Vendor ID payload [Vid-Initial-Contact] Aug  8
14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID
payload [IKE CGA version 1] Aug  8 14:50:04 ssl9 pluto[27321]:
"L2TP-PSK-NAT"[3] A.B.C.D #3: responding to Main Mode from unknown peer
A.B.C.D Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3:
OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION Aug  8
14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3:
OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION Aug  8
14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1 Aug  8 14:50:04 ssl9
pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3:

STATE_MAIN_R1: sent MR1, expecting MI2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is
NATed Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 Aug  8 14:50:04
ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3:
STATE_MAIN_R2: sent MR2, expecting MI3
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: Main mode
peer ID is ID_IPV4_ADDR: '192.168.1.107'
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: switched
from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: deleting
connection "L2TP-PSK-NAT" instance with peer A.B.C.D {isakmp=#0/ipsec=#0}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3 Aug  8 14:50:04 ssl9
pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: new NAT mapping for #3, was
A.B.C.D:500, now A.B.C.D:44116 Aug  8 14:50:04 ssl9 pluto[27321]:
"L2TP-PSK-NAT"[4] A.B.C.D #3:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_256 prf=oakley_sha group=modp2048} Aug  8 14:50:04 ssl9
pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: Dead Peer Detection (RFC 3706):
not enabled because peer did not advertise it Aug  8 14:50:04 ssl9
pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: the peer
proposed: W.X.Y.Z/32:17/1701 -> 192.168.1.107/32:17/0 Aug  8 14:50:04 ssl9
pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others Aug  8
14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: responding to
Quick Mode proposal {msgid:01000000}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:     us:
W.X.Y.Z:17/1701---W.X.Y.Z
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:   them:
A.B.C.D[192.168.1.107]:17/1701===192.168.1.107/32
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition
from state STATE_QUICK_R0 to state STATE_QUICK_R1 Aug  8 14:50:04 ssl9
pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 Aug  8
14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: Dead Peer
Detection (RFC 3706): not enabled because peer did not advertise it Aug  8
14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition from
state STATE_QUICK_R1 to state STATE_QUICK_R2 Aug  8 14:50:04 ssl9
pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xaf04dd26
<0xd0ed4241 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.107 NATD=A.B.C.D:44116
DPD=none}

 

# basic configuration

config setup

        #dumpdir=/var/run/pluto/

        nat_traversal=yes

 
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:172.
19.0.0/12;%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10

        oe=off

        protostack=netkey

        nhelpers=0

 

# Add connections here

conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        dpdaction=clear
        dpdtimeout=120
        dpddelay=3
        type=transport
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

conn passthrough-for-non-l2tp
        type=passthrough
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route


[root at ssl9 xl2tpd]# more xl2tpd.conf

[global]
;listen-addr = W.X.Y.Z
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+ ; ipsec saref = yes ;
forceuserspace = yes ; ; debug tunnel = yes

[lns default]
ip range = 10.200.11.2-10.200.11.254
local ip = 10.200.10.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = no
name = OpenSwanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
 
Many Thanks
Nev

More information about the Users mailing list