# Trouble with openswan VPN

## kaltag

Good afternoon. I've been fighting with openswan for 2 days now with little success. I have followed the updates linked here https://forums.gentoo.org/viewtopic-t-324500-highlight-l2tp.html to the letter aside from some of the IP configuration to match my network, and I still cannot get a connection established from an XP client. Here's my syslog of the connection:

```
Jan 31 04:15:04 [pluto] packet from 67.139.154.194:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 31 04:15:04 [pluto] packet from 67.139.154.194:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 31 04:15:04 [pluto] packet from 67.139.154.194:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 31 04:15:04 [pluto] packet from 67.139.154.194:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 31 04:15:04 [pluto] "roadwarrior"[3] 67.139.154.194 #3: responding to Main Mode from unknown peer 67.139.154.194
Jan 31 04:15:04 [pluto] "roadwarrior"[3] 67.139.154.194 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 31 04:15:04 [pluto] "roadwarrior"[3] 67.139.154.194 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 31 04:15:04 [pluto] "roadwarrior"[3] 67.139.154.194 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jan 31 04:15:04 [pluto] "roadwarrior"[3] 67.139.154.194 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 31 04:15:04 [pluto] "roadwarrior"[3] 67.139.154.194 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 31 04:15:05 [pluto] "roadwarrior"[3] 67.139.154.194 #3: Main mode peer ID is ID_FQDN: '@backshop.micronet-systems.com'
Jan 31 04:15:05 [pluto] "roadwarrior"[3] 67.139.154.194 #3: switched from "roadwarrior" to "roadwarrior"
Jan 31 04:15:05 [pluto] "roadwarrior"[4] 67.139.154.194 #3: deleting connection "roadwarrior" instance with peer 67.139.154.194 {isakmp=#0/ipsec=#0}
Jan 31 04:15:05 [pluto] "roadwarrior"[4] 67.139.154.194 #3: I did not send a certificate because I do not have one.
Jan 31 04:15:05 [pluto] "roadwarrior"[4] 67.139.154.194 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 31 04:15:05 [pluto] "roadwarrior"[4] 67.139.154.194 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: responding to Quick Mode {msgid:75a90079}
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: route-host output: /usr/lib/ipsec/_updown: doroute `ip route add 67.139.154.194/32 via 192.168.1.100 dev ppp0 ' failed (RTNETLINK answers: No such process)
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xe9463e9a <0x8e3946e9 xfrm=3DES_0-HMAC_MD5 NATD=67.139.154.194:4500 DPD=none}
```

My ipsec.conf:

```
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24

conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

conn roadwarrior-osx-xp
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekey=no
    also=roadwarrior

conn roadwarrior
    authby=secret
    pfs=no
    type=tunnel
    left=%defaultroute
    leftnexthop=192.168.1.100
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

My xl2tpd.conf:

```
; xl2tpd.conf
;
[global]
port = 1701

[lns default]
ip range = 192.168.1.1-192.168.1.50
local ip = 192.168.1.100
require chap = yes
refuse pap = yes
require authentication = yes
name = MyVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
```

My options.l2tpd:

```
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.100
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
```

The XP client just sits there and eventually times out. Any help/feedback is greatly appreciated.

EDIT: My network layout is as follows:

LAN<--eth0 192.168.1.100--gentoo vpn server/gateway--ppp0 external IP-->net--->client behind NAT

----------

## kaltag

OK, after looking that log over it looks like the IPsec connection is actually establishing, but I don't see any info from xl2tpd. I verified it's running and the ports are all open. I think logging is enabled in the xl2tpd config file, but I'm not seeing anything. Is there a way to verify xl2tpd is actually running?

EDIT: OK, I think I got the routing issue sorted, but I now have a new problem. After restarting the ppp0 interface and the ipsec/xl2tpd services and initiating a client connection, all networking stops for about a minute and the ppp0 interface drops and reconnects. The client still hangs with no obvious activity from l2tpd. I'm starting to wonder if it's a problem with ppp because I'm already using ppp0 for my PPPoE connection on my DSL. Should I have to create a ppp1 or similar?

----------

## korban

Hi kaltag!

How did you solve your routing problem?

I ran into the same problem:

```
Mar  2 00:02:16 pluto[1054]: packet from ***.***.***.***:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar  2 00:02:16 pluto[1054]: packet from ***.***.***.***:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar  2 00:02:16 pluto[1054]: packet from ***.***.***.***:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Mar  2 00:02:16 pluto[1054]: packet from ***.***.***.***:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: responding to Main Mode from unknown peer ***.***.***.**
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: STATE_MAIN_R1: sent MR1, expecting MI2
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: STATE_MAIN_R2: sent MR2, expecting MI3
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: Main mode peer ID is ID_FQDN: '@*****'
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[5] ***.***.***.*** #5: switched from "roadwarrior" to "roadwarrior"
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[6] ***.***.***.*** #5: deleting connection "roadwarrior" instance with peer ***.***.***.** {isakmp=#0/ipsec=#0}
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[6] ***.***.***.** #5: I did not send a certificate because I do not have one.
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[6] ***.***.***.** #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar  2 00:02:16 pluto[1054]: "roadwarrior"[6] ***.***.***.** #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar  2 00:02:16 pluto[1054]: "roadwarrior-osx-xp"[3] ***.***.***.** #6: responding to Quick Mode {msgid:f33c147b}
Mar  2 00:02:16 pluto[1054]: "roadwarrior-osx-xp"[3] ***.***.***.** #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar  2 00:02:16 pluto[1054]: "roadwarrior-osx-xp"[3] ***.***.***.** #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar  2 00:02:16 pluto[1054]: "roadwarrior-osx-xp"[3] ***.***.***.** #6: route-host output: /usr/lib/ipsec/_updown: doroute `ip route add ***.***.***.**/32 via 192.168.97.100 dev eth1 ' failed (RTNETLINK answers: No such process)
Mar  2 00:02:16 pluto[1054]: "roadwarrior-osx-xp"[3] ***.***.***.** #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar  2 00:02:16 pluto[1054]: "roadwarrior-osx-xp"[3] ***.***.***.** #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x22171b7e <0xb10cd24f xfrm=3DES_0-HMAC_MD5 NATD=***.***.***.**:4500 DPD=none}
Mar  2 00:02:51 pluto[1054]: "roadwarrior"[6] ***.***.***.** #5: received Delete SA(0x22171b7e) payload: deleting IPSEC State #6
Mar  2 00:02:51 pluto[1054]: "roadwarrior-osx-xp"[3] ***.***.***.** #6: unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete ***.***.***.**/32 via 192.168.97.100 dev eth1 ' failed (RTNETLINK answers: No such process)
Mar  2 00:02:51 pluto[1054]: "roadwarrior"[6] ***.***.***.** #5: deleting connection "roadwarrior-osx-xp" instance with peer ***.***.***.** {isakmp=#0/ipsec=#0}
Mar  2 00:02:51 pluto[1054]: "roadwarrior"[6] ***.***.***.** #5: received and ignored informational message
Mar  2 00:02:51 pluto[1054]: "roadwarrior"[6]  ***.***.***.**#5: received Delete SA payload: deleting ISAKMP State #5
Mar  2 00:02:51 pluto[1054]: "roadwarrior"[6] ***.***.***.**: deleting connection "roadwarrior" instance with peer ***.***.***.** {isakmp=#0/ipsec=#0}
Mar  2 00:02:51 pluto[1054]: packet from ***.***.***.**:4500: received and ignored informational message
```

Thanks.

----------

## kaltag

Actually I'm not entirely sure it's right, as the problem came back while continuing to fight with this. I do believe adding the external IP and leftnexthop correctly took care of the problem, as I have now done. The VPN connection appears to be establishing and the route gets added, but it just hangs at this point and xl2tpd/ppp never takes over as it does on my other VPN setup.

```
Apr 21 16:14:03 server pluto[16178]: "roadwarrior-osx-xp"[2] 67.139.154.194 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xe12a02b3 <0xafeb8292 xfrm=3DES_0-HMAC_MD5 NATD=67.139.154.194:8044 DPD=none}
Apr 21 16:14:03 server pluto[16178]: | modecfg pull: noquirk policy:push not-client
Apr 21 16:14:03 server pluto[16178]: | phase 1 is done, looking for phase 1 to unpend
Apr 21 16:14:03 server pluto[16178]: | next event EVENT_PENDING_PHASE2 in 8 second
```

I may be wrong, but it seems like the problem may stem from ipsec trying to use whatever ppp device I am using for my external interface. Here is my routing table before ipsec establishes:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.41.38.205    0.0.0.0         255.255.255.255 UH    0      0        0 ppp100
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         67.41.38.205    0.0.0.0         UG    0      0        0 ppp100
```

And here it is after:

```
67.41.38.205    0.0.0.0         255.255.255.255 UH    0      0        0 ppp100
67.139.154.194  67.41.38.205    255.255.255.255 UGH   0      0        0 ppp100
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         67.41.38.205    0.0.0.0         UG    0      0        0 ppp100
```

And here is my revised ipsec.conf:

```
version 2.0

config setup
    klipsdebug=all
    plutodebug=all
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:!192.168.0.0/16

conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

conn roadwarrior-net
    leftsubnet=192.168.0.0/16
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-osx-xp
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekey=no
    also=roadwarrior

conn roadwarrior
    authby=secret
    pfs=no
    type=tunnel
    left=70.58.167.254
    leftnexthop=67.41.38.205
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

Any ideas?

----------
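The pluto logs in the first post and the routing reasoning in kaltag's last post both turn on the same detail: the `_updown` script's `ip route add ... via 192.168.1.100 dev ppp0` fails with "No such process" because the LAN address is not on-link for the PPP device, while the later `leftnexthop=67.41.38.205` (the PPP peer) is. The following is an added triage script, not code from the thread or from openswan; the log lines and the interface map are constructed from what the posts show, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: three pluto lines in the format posted in this thread
# (the route failure is the one quoted in the first post).
SAMPLE_LOG = """\
Jan 31 04:15:05 [pluto] "roadwarrior"[4] 67.139.154.194 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: route-host output: /usr/lib/ipsec/_updown: doroute `ip route add 67.139.154.194/32 via 192.168.1.100 dev ppp0 ' failed (RTNETLINK answers: No such process)
Jan 31 04:15:05 [pluto] "roadwarrior-osx-xp"[2] 67.139.154.194 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xe9463e9a <0x8e3946e9 xfrm=3DES_0-HMAC_MD5 NATD=67.139.154.194:4500 DPD=none}
"""

# Constructed interface map matching the layout in the thread: LAN on eth0,
# DSL PPP link whose peer 67.41.38.205 is a /32 on a point-to-point device.
SAMPLE_IFACES = {"eth0": ["192.168.1.0/24"], "ppp0": ["67.41.38.205/32"]}

LINE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: (?P<msg>.*)')
ROUTE_RE = re.compile(
    r"`ip route (?:add|delete) (?P<dst>\S+) via (?P<via>\S+) dev (?P<dev>\S+) '"
    r" failed \((?P<err>[^)]*)\)")


def triage(log_text):
    """Per peer: did phase 1 (ISAKMP SA) and phase 2 (IPsec SA) complete,
    and which _updown route commands failed (parsed into dst/via/dev/err)."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        st = peers.setdefault(m["peer"], {"isakmp": False, "ipsec": False, "route_failures": []})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            st["isakmp"] = True
        elif "IPsec SA established" in msg:
            st["ipsec"] = True
        r = ROUTE_RE.search(msg)
        if r:
            st["route_failures"].append(r.groupdict())
    return peers


def nexthop_on_link(via, dev, iface_addrs):
    """True if 'via' is on-link for 'dev'. The kernel rejects a route whose
    gateway is not reachable on the named device (ESRCH, printed by ip as
    'No such process'), which is exactly what the failed _updown command hit."""
    try:
        gw = ipaddress.ip_address(via)
    except ValueError:
        return False
    return any(gw in ipaddress.ip_network(n, strict=False) for n in iface_addrs.get(dev, []))


if __name__ == "__main__":
    for peer, st in triage(SAMPLE_LOG).items():
        print(peer, "isakmp" if st["isakmp"] else "-", "ipsec" if st["ipsec"] else "-")
        for f in st["route_failures"]:
            print("  route failure:", f["err"], "| nexthop on-link:", nexthop_on_link(f["via"], f["dev"], SAMPLE_IFACES))
```

Feed it `grep pluto /var/log/messages` output and a map of your own interfaces; a peer that reaches "ipsec" but has a route failure whose nexthop is not on-link for the device is the left/leftnexthop mismatch seen here, not an IKE problem.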

