# ipsec + xl2tpd - No Connectivity

## skillin

The session isn't getting established.  Any thoughts as to why this isn't working?

```
Oct 25 23:21:01 [pluto] packet from MY.CLIENT.IP.ADDRESS:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000005]
Oct 25 23:21:01 [pluto] packet from MY.CLIENT.IP.ADDRESS:500: received Vendor ID payload [RFC 3947] method set to=110
Oct 25 23:21:01 [pluto] packet from MY.CLIENT.IP.ADDRESS:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Oct 25 23:21:01 [pluto] packet from MY.CLIENT.IP.ADDRESS:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 25 23:21:01 [pluto] packet from MY.CLIENT.IP.ADDRESS:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Oct 25 23:21:01 [pluto] packet from MY.CLIENT.IP.ADDRESS:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 25 23:21:01 [pluto] packet from MY.CLIENT.IP.ADDRESS:500: ignoring Vendor ID payload [IKE CGA version 1]
Oct 25 23:21:01 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: responding to Main Mode from unknown peer MY.CLIENT.IP.ADDRESS
Oct 25 23:21:01 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: Diffie-Hellman group 20 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Oct 25 23:21:01 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: Diffie-Hellman group 19 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Oct 25 23:21:01 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 25 23:21:01 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 25 23:21:01 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Oct 25 23:21:02 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 25 23:21:02 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 25 23:22:12 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS #7: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 25 23:22:12 [pluto] "roadwarrior"[7] MY.CLIENT.IP.ADDRESS: deleting connection "roadwarrior" instance with peer MY.CLIENT.IP.ADDRESS {isakmp=#0/ipsec=#0}
```

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.147.0/24

conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

conn roadwarrior-osx-xp
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekey=no
    also=roadwarrior

conn roadwarrior
    authby=secret
    pfs=no
    type=tunnel
    left=%defaultroute
    leftnexthop=SERVERS.GATEWAY.IP.ADDRESS
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

```
#Openswan Secrets File
MY.SERVER.OUTSIDE.ADDRESS %any: PSK "OpenSSL-RAND-Key-Here"
```

```
ipcp-accept-local
ipcp-accept-remote
ms-dns LAN.DNS.FIRST.IP
ms-dns LAN.DNS.SECOND.IP
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
```

```
# Secrets for authentication using CHAP
myuserid   *   "GoodPassWord"    LOCAL.IP.ADDRESS.RANGE/24
```

```
; xl2tpd.conf
;
[global]
listen-addr = MY.SERVER.IP.ADDRESS
port = 1701

[lns default]
ip range = INTERNAL.RANGE.START.IP-INTERNAL.RANGE.END.IP
local ip = INTERNAL.RANGE.SERVER.ADDRESS
require chap = yes
refuse pap = yes
require authentication = yes
name = MyVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
```
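The pluto excerpt above is easier to read once the lines are grouped by ISAKMP SA number, because pluto logs benign noise (ignored Vendor IDs, the unsupported DH groups 19/20 that the client offers alongside supported ones) next to the one line that actually ends the exchange. The following script is an added example, not code from the thread or from Openswan: it parses lines in pluto's `"conn"[n] PEER #sa: message` shape, records the Main Mode states each SA reached, and reports the first fatal condition it sees (retransmissions exhausted, a failed PSK lookup, or NO_PROPOSAL_CHOSEN). The sample log, the peer address 203.0.113.7 and the server address 198.51.100.1 are constructed placeholders standing in for the poster's redacted addresses.

```python
"""Triage an Openswan pluto IKEv1 Main Mode responder log (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the two pluto excerpts in this thread; the peer 203.0.113.7
# and the server 198.51.100.1 are documentation addresses standing in for the poster's placeholders.
SAMPLE_LOG = """\
Oct 25 23:21:01 [pluto] packet from 203.0.113.7:500: received Vendor ID payload [RFC 3947] method set to=110
Oct 25 23:21:01 [pluto] "roadwarrior"[7] 203.0.113.7 #7: responding to Main Mode from unknown peer 203.0.113.7
Oct 25 23:21:01 [pluto] "roadwarrior"[7] 203.0.113.7 #7: Diffie-Hellman group 20 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Oct 25 23:21:01 [pluto] "roadwarrior"[7] 203.0.113.7 #7: Diffie-Hellman group 19 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Oct 25 23:21:01 [pluto] "roadwarrior"[7] 203.0.113.7 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 25 23:21:01 [pluto] "roadwarrior"[7] 203.0.113.7 #7: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Oct 25 23:21:02 [pluto] "roadwarrior"[7] 203.0.113.7 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 25 23:21:02 [pluto] "roadwarrior"[7] 203.0.113.7 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 25 23:22:12 [pluto] "roadwarrior"[7] 203.0.113.7 #7: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 28 12:43:56 [pluto] "roadwarrior"[4] 203.0.113.7 #4: Diffie-Hellman group 20 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Oct 28 12:43:56 [pluto] "roadwarrior"[4] 203.0.113.7 #4: Can't authenticate: no preshared key found for `198.51.100.1' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 28 12:43:56 [pluto] "roadwarrior"[4] 203.0.113.7 #4: no acceptable Oakley Transform
Oct 28 12:43:56 [pluto] "roadwarrior"[4] 203.0.113.7 #4: sending notification NO_PROPOSAL_CHOSEN to 203.0.113.7:500
"""

# A per-SA pluto line looks like: <timestamp> [pluto] "<conn>"[<instance>] <peer> #<sa>: <message>
SA_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[pluto\] '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
RETRANS = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')
NO_PSK = re.compile(r"no preshared key found for `([^']*)' and `([^']*)'")
BAD_GROUP = re.compile(r'Diffie-Hellman group (\d+) is not a supported')


@dataclass
class SaTrace:
    sa: int
    conn: str
    peer: str
    states: List[str] = field(default_factory=list)           # Main Mode states reached, in order
    nated: bool = False                                        # NAT-T found the peer behind NAT
    unsupported_groups: List[int] = field(default_factory=list)
    failure: Optional[str] = None                              # first fatal condition seen


def parse_pluto_log(text: str) -> Dict[int, SaTrace]:
    """Group per-SA pluto lines by ISAKMP SA number and record what happened to each."""
    traces: Dict[int, SaTrace] = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # "packet from ...:500:" lines carry no SA number yet
        sa = int(m.group('sa'))
        t = traces.setdefault(sa, SaTrace(sa, m.group('conn'), m.group('peer')))
        msg = m.group('msg')
        tr, rt, pk, bg = (TRANSITION.search(msg), RETRANS.search(msg),
                          NO_PSK.search(msg), BAD_GROUP.search(msg))
        if tr:
            t.states.append(tr.group(2))
        elif bg:
            t.unsupported_groups.append(int(bg.group(1)))
        elif 'peer is NATed' in msg:
            t.nated = True
        elif t.failure is not None:
            continue  # keep the first fatal condition; later lines are consequences of it
        elif rt:
            t.failure = (f"{rt.group(2)}: responder gave up after {rt.group(1)} retransmissions; "
                         "the initiator's next Main Mode message never arrived")
        elif pk:
            t.failure = ("PSK lookup failed: ipsec.secrets has no entry indexed by "
                         f"'{pk.group(1)}' and '{pk.group(2)}'")
        elif 'NO_PROPOSAL_CHOSEN' in msg:
            t.failure = "NO_PROPOSAL_CHOSEN sent: no Oakley transform was acceptable"
    return traces


def diagnose(t: SaTrace) -> str:
    """One-line verdict for an SA, separating the fatal condition from benign noise."""
    reached = t.states[-1] if t.states else 'STATE_MAIN_R0'
    verdict = t.failure or 'no fatal condition logged'
    note = ''
    if t.unsupported_groups:
        tail = ('negotiation still advanced past STATE_MAIN_R0, so this alone is not the cause'
                if t.states else 'and no Main Mode transition was logged')
        note = f" (peer also offered unsupported DH groups {t.unsupported_groups}; {tail})"
    return f"SA #{t.sa} {t.conn} peer={t.peer} nat={t.nated} reached={reached}: {verdict}{note}"


if __name__ == '__main__':
    for trace in parse_pluto_log(SAMPLE_LOG).values():
        print(diagnose(trace))
```

Run against a real `/var/log/auth.log` or `/var/log/secure` by reading the file into `parse_pluto_log` instead of `SAMPLE_LOG`. For the first excerpt in this thread the verdict is that SA #7 reached STATE_MAIN_R2 and timed out waiting for MI3, with the DH group warnings flagged as non-fatal; for the second excerpt the fatal line is the PSK lookup, and the script prints the exact pair of IDs pluto tried to find in ipsec.secrets.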

----------

## platojones

After playing with getting openswan + xl2tpd working all day yesterday and miraculously succeeding, I ran across that exact same error message.  In my case, it was because of this:

```
/etc/ipsec/ipsec.secrets:

#Openswan Secrets File
MY.SERVER.OUTSIDE.ADDRESS %any: PSK "OpenSSL-RAND-Key-Here"
```

That server address should be the local LAN server address, not the outside server address.  There may be more; I fiddled with mine for about 8 hours (I'm obviously no expert with ipsec), but did get it working.  Good luck with it.

----------

## skillin

I'm pretty sure that isn't the fix. Curious... are you testing from the inside?

I changed the /etc/ipsec/ipsec.secrets as you suggested, and the error changes:

```
Oct 28 12:43:56 [pluto] packet from MY.OUTSIDE.CLIENT.IP:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Oct 28 12:43:56 [pluto] packet from MY.OUTSIDE.CLIENT.IP:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 28 12:43:56 [pluto] packet from MY.OUTSIDE.CLIENT.IP:500: ignoring Vendor ID payload [IKE CGA version 1]
Oct 28 12:43:56 [pluto] "roadwarrior"[4] MY.OUTSIDE.CLIENT.IP #4: responding to Main Mode from unknown peer MY.OUTSIDE.CLIENT.IP
Oct 28 12:43:56 [pluto] "roadwarrior"[4] MY.OUTSIDE.CLIENT.IP #4: Diffie-Hellman group 20 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Oct 28 12:43:56 [pluto] "roadwarrior"[4] MY.OUTSIDE.CLIENT.IP #4: Diffie-Hellman group 19 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Oct 28 12:43:56 [pluto] "roadwarrior"[4] MY.OUTSIDE.CLIENT.IP #4: Can't authenticate: no preshared key found for `MY.SERVER.OUTSIDE.IP' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
                - Last output repeated twice -
Oct 28 12:43:56 [pluto] "roadwarrior"[4] MY.OUTSIDE.CLIENT.IP #4: no acceptable Oakley Transform
Oct 28 12:43:56 [pluto] "roadwarrior"[4] MY.OUTSIDE.CLIENT.IP #4: sending notification NO_PROPOSAL_CHOSEN to MY.OUTSIDE.CLIENT.IP:500
Oct 28 12:43:56 [pluto] "roadwarrior"[4] MY.OUTSIDE.CLIENT.IP: deleting connection "roadwarrior" instance with peer MY.OUTSIDE.CLIENT.IP {isakmp=#0/ipsec=#0}
```

This error goes away of course when I change /etc/ipsec/ipsec.secrets back to indicating my external (answering) address.

----------

## platojones

> I'm pretty sure that isn't the fix, curious...are you testing from the inside?

So, in the ipsec.secrets file, the MY.SERVER.INSIDE.ADDRESS you are using is the LAN address of the server hosting openswan (I'm using 2.4.9-r1)?

Also, I just used a slightly modified version of the example in /etc/ipsec/ipsec.d/examples called l2tp-psk-orgWIN2KXP.conf and added the leftnexthop to it for handling NAT-T, and it works really well.  Here's what I got, and it works.  BTW, I'm behind a standalone NAT'ed firewall (NETGEAR), so I'm not running a firewall or router on the server I'm using to host openswan.  Thought I would mention that because I'm sure it probably makes a difference, if that is the setup you have:

```
conn l2tp-psk-orgWIN2KXP
        #
        # Configuration for one user with the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        authby=secret
        pfs=no
        auto=add
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Do not enable the line below. It is implicitly used, and
        # specifying it will currently break when using nat-t.
        # type=transport. See http://bugs.xelerance.com/view.php?id=466
        #
        left=%defaultroute
        leftnexthop=%defaultroute
        # or you can use: left=YourIPAddress
        #
        # Required for original (non-updated) Windows 2000/XP clients.
        # to support new clients as well, use leftprotoport=17/%any
        leftprotoport=17/0
        #
        # The remote user.
        #
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no
```

And the ipsec.conf that calls it (again, a slightly modified version of the example that came with openswan):

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file:  /usr/share/doc/openswan-2.4.9/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        virtual_private=%v4:192.168.1.0/24,%v4:!192.168.9.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

include /etc/ipsec/ipsec.d/examples/l2tp-psk-orgWIN2KXP.conf
```

I just added the 'virtual_private' and the include line for the 'l2tp-psk-orgWIN2KXP.conf' shown above.

Hope this helps.

----------

