[Openswan Users] Problems connecting using 2.6.41

Patrick Naubert patrickn at xelerance.com
Tue May 6 11:08:05 EDT 2014


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: Dr Josef Karthauser <joe at karthauser.co.uk>
Subject: Problems connecting using 2.6.41
Date: May 6, 2014 at 10:58:48 AM EDT
To: users at lists.openswan.org


I'm trying to get openswan/l2tp working between my Mac and my Linux server; had it mostly working with 2.6.37 (shipped with Ubuntu) but it seemed broken with lots of users behind a number of NAT 

With 2.6.41 I can't get it to connect at all. Looks like an SA is established, but my xl2tpd daemon doesn't see any traffic and so doesn't attempt to establish a connection.

Been scratching my head trying to work out what's going on! :(.

Does this make any sense to anyone?

Joe

root at vpnserver:/home/ubuntu# ip xfrm monitor
src 10.3.1.2 dst 86.188.177.234
	proto esp spi 0x02a0d100 reqid 16449 mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0x9fe00fbe150af32a4cec92573928577f9206fd1b 96
	enc cbc(aes) 0xce513c6a6c30c6be51c2d14a3aa87f99f02fe43cb478af876349fababcac130d
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	sel src 10.3.1.2/32 dst 192.168.1.178/32 proto udp sport 1701 dport 58005 
Updated src 86.188.177.234 dst 10.3.1.2
	proto esp spi 0x0c80e873 reqid 16449 mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0x8b02379fe158b5a8ae70051867a849ff40568fe9 96
	enc cbc(aes) 0x93cfe97eef3887611d43182056950d080f8e14010dd1916b919464d23a1a270f
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	sel src 192.168.1.178/32 dst 10.3.1.2/32 proto udp sport 58005 dport 1701 
Updated src 192.168.1.178/32 dst 10.3.1.2/32 proto udp sport 58005 dport 1701 
	dir in priority 2080 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16449 mode transport
Updated src 10.3.1.2/32 dst 86.188.177.234/32 proto udp sport 1701 dport 58005 
	dir out priority 2080 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16449 mode transport
Async event  (0x10)  replay update 
	src 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Async event  (0x20)  timer expired 
	src 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Async event  (0x20)  timer expired 
	src 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Async event  (0x20)  timer expired 
	src 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Async event  (0x20)  timer expired 
	src 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Async event  (0x20)  timer expired 
	src 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Deleted src 10.3.1.2 dst 86.188.177.234
	proto esp spi 0x02a0d100 reqid 16449 mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0x9fe00fbe150af32a4cec92573928577f9206fd1b 96
	enc cbc(aes) 0xce513c6a6c30c6be51c2d14a3aa87f99f02fe43cb478af876349fababcac130d
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	sel src 10.3.1.2/32 dst 192.168.1.178/32 proto udp sport 1701 dport 58005 
Deleted src 192.168.1.178/32 dst 10.3.1.2/32 proto udp sport 58005 dport 1701 
	dir in priority 2080 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16449 mode transport
Deleted src 86.188.177.234 dst 10.3.1.2
	proto esp spi 0x0c80e873 reqid 16449 mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0x8b02379fe158b5a8ae70051867a849ff40568fe9 96
	enc cbc(aes) 0x93cfe97eef3887611d43182056950d080f8e14010dd1916b919464d23a1a270f
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	sel src 192.168.1.178/32 dst 10.3.1.2/32 proto udp sport 58005 dport 1701 

May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [RFC 3947] method set to=115 
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
May  6 14:56:12 vpnserver pluto[5780]: packet from 86.188.177.234:500: received Vendor ID payload [Dead Peer Detection]
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: responding to Main Mode from unknown peer 86.188.177.234
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: STATE_MAIN_R1: sent MR1, expecting MI2
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: STATE_MAIN_R2: sent MR2, expecting MI3
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.178'
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[12] 86.188.177.234 #13: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: deleting connection "L2TP-PSK-NAT" instance with peer 86.188.177.234 {isakmp=#0/ipsec=#0}
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: new NAT mapping for #13, was 86.188.177.234:500, now 86.188.177.234:4500
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
May  6 14:56:12 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: Dead Peer Detection (RFC 3706): enabled
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: the peer proposed: 185.40.8.213/32:17/1701 -> 192.168.1.178/32:17/0
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14: responding to Quick Mode proposal {msgid:2d6b29a5}
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14:     us: 10.3.1.2<10.3.1.2>[@vpn.tools.tax.service.gov.uk]:17/1701
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14:   them: 86.188.177.234[192.168.1.178]:17/57218===192.168.1.178/32
May  6 14:56:13 vpnserver pluto[5780]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May  6 14:56:13 vpnserver pluto[5780]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14: Dead Peer Detection (RFC 3706): enabled
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May  6 14:56:13 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x00bcc8d5 <0x3db1dd2d xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.178 NATD=86.188.177.234:4500 DPD=enabled}
May  6 14:56:33 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: received Delete SA(0x00bcc8d5) payload: deleting IPSEC State #14
May  6 14:56:33 vpnserver pluto[5780]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
May  6 14:56:33 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May  6 14:56:33 vpnserver pluto[5780]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
May  6 14:56:33 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: received and ignored informational message
May  6 14:56:33 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234 #13: received Delete SA payload: deleting ISAKMP State #13
May  6 14:56:33 vpnserver pluto[5780]: "L2TP-PSK-NAT"[13] 86.188.177.234: deleting connection "L2TP-PSK-NAT" instance with peer 86.188.177.234 {isakmp=#0/ipsec=#0}
May  6 14:56:33 vpnserver pluto[5780]: packet from 86.188.177.234:4500: received and ignored informational message
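The `ip xfrm monitor` capture above is the piece worth reading most carefully: it shows which SAs the kernel installed, which direction each one serves, and which SA the kernel actually accepted ESP packets on (a "replay update" event is only emitted when a packet passed the SA's integrity check and advanced its replay window). The following script is an added example, not code from the post or from Openswan; it parses that output into per-SA records, checks that the inbound and outbound selectors mirror each other, and counts replay updates and timer expiries per SPI. The embedded sample is a trimmed copy of the post's capture, `LOCAL_ADDR` is taken from pluto's `us:` line, and the record layout (a verb-less or `Updated`/`Deleted` header line followed by tab-indented detail lines, policies distinguished by their `/32` prefixes) is an assumption about iproute2's output of that era.

```python
"""Parse `ip xfrm monitor` output like the capture in the post and summarise, per
IPsec SA, what the kernel saw. Added example, not code from the post or from
Openswan; the record layout handled below is an assumption about iproute2's output."""
import re

LOCAL_ADDR = "10.3.1.2"  # server address, taken from pluto's "us:" line in the post

# Trimmed copy of the post's `ip xfrm monitor` capture (constructed sample).
XFRM_MONITOR = """\
src 10.3.1.2 dst 86.188.177.234
\tproto esp spi 0x02a0d100 reqid 16449 mode transport
\tsel src 10.3.1.2/32 dst 192.168.1.178/32 proto udp sport 1701 dport 58005
Updated src 86.188.177.234 dst 10.3.1.2
\tproto esp spi 0x0c80e873 reqid 16449 mode transport
\tsel src 192.168.1.178/32 dst 10.3.1.2/32 proto udp sport 58005 dport 1701
Updated src 192.168.1.178/32 dst 10.3.1.2/32 proto udp sport 58005 dport 1701
\tdir in priority 2080
Updated src 10.3.1.2/32 dst 86.188.177.234/32 proto udp sport 1701 dport 58005
\tdir out priority 2080
Async event  (0x10)  replay update
\tsrc 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Async event  (0x20)  timer expired
\tsrc 86.188.177.234 dst 10.3.1.2  reqid 0x4041 protocol esp  SPI 0xc80e873
Deleted src 10.3.1.2 dst 86.188.177.234
\tproto esp spi 0x02a0d100 reqid 16449 mode transport
Deleted src 86.188.177.234 dst 10.3.1.2
\tproto esp spi 0x0c80e873 reqid 16449 mode transport
"""

HEADER_RE = re.compile(r"^(?P<action>Updated|Deleted|Expired)?\s*src (?P<src>\S+) dst \S+")
ASYNC_RE = re.compile(r"^Async event\s+\(0x[0-9a-f]+\)\s+(?P<name>.+?)\s*$")
# Fields pulled from any record line. The first occurrence of a key wins, so a
# record's header src/dst are not overwritten by its "sel"/"tmpl" lines.
FIELD_RES = {
    "spi": re.compile(r"\b(?:spi|SPI) (0x[0-9a-fA-F]+)"),
    "dir": re.compile(r"\bdir (in|out)\b"),
    "sel_src": re.compile(r"\bsel src (\S+)"),
    "sel_dst": re.compile(r"\bsel src \S+ dst (\S+)"),
    "sport": re.compile(r"\bproto udp sport (\d+)"),
    "dport": re.compile(r"\bproto udp sport \d+ dport (\d+)"),
    "src": re.compile(r"(?<!sel )\bsrc (\S+)"),
    "dst": re.compile(r"\bdst (\S+)"),
}


def _extract(line, into):
    for key, rx in FIELD_RES.items():
        m = rx.search(line)
        if m and key not in into:
            into[key] = int(m.group(1), 16) if key == "spi" else m.group(1)  # 0x0c80e873 == 0xc80e873


def parse_xfrm_monitor(text, local=LOCAL_ADDR):
    """Text -> list of event dicts (kind = sa, policy or async). A non-indented
    line starts a record and indented lines extend it; an SA whose dst is the
    local address is inbound, a policy's own "dir" line says which way it points."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation of the current record
            if events:
                _extract(line, events[-1])
        elif (m := ASYNC_RE.match(line)):
            events.append({"kind": "async", "name": m.group("name")})
        elif (m := HEADER_RE.match(line)):  # anything else (e.g. the prompt) is skipped
            ev = {"kind": "policy" if "/" in m.group("src") else "sa", "action": m.group("action")}
            _extract(line, ev)
            if ev["kind"] == "sa":
                ev["dir"] = "in" if ev["dst"] == local else "out"
            events.append(ev)
    return events


def selectors_mirror(events):
    """True when every inbound SA selector is the exact mirror of an outbound one,
    i.e. both directions agree on the addresses and UDP ports they cover."""
    sas = [e for e in events if e["kind"] == "sa" and "sel_src" in e]
    ins = {(e["sel_src"], e["sel_dst"], e["sport"], e["dport"]) for e in sas if e["dir"] == "in"}
    outs = {(e["sel_dst"], e["sel_src"], e["dport"], e["sport"]) for e in sas if e["dir"] == "out"}
    return bool(ins) and ins == outs


def summarize_sas(events):
    """Per SPI: direction, the header actions seen (None when the verb was cut off),
    and how many replay updates (ESP packets accepted on that SA) and timer
    expiries the kernel reported for it."""
    sas = {}
    for e in events:
        if e["kind"] == "sa" and "spi" in e:
            s = sas.setdefault(e["spi"], {"dir": e["dir"], "actions": [], "replay_updates": 0, "timers_expired": 0})
            s["actions"].append(e["action"])
    for e in events:
        if e["kind"] == "async" and e.get("spi") in sas:
            if e["name"] == "replay update":
                sas[e["spi"]]["replay_updates"] += 1
            elif e["name"] == "timer expired":
                sas[e["spi"]]["timers_expired"] += 1
    return sas
```

Run against the full capture in the post, the same logic reports the single replay update and the five timer expiries on the inbound SA (spi 0x0c80e873) and no replay update at all on the outbound one (spi 0x02a0d100), while the in/out selectors do mirror each other. Note that the pluto log further down carries different SPIs (0x00bcc8d5 and 0x3db1dd2d), so it is from a separate session and the two captures should not be matched by SPI.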