# Howto l2tp/IPsec VPNServer (PSK MS-Chap for now)

## dashnu

A more up-to-date version can be found here.

http://teh.sh.nu/HowTo

This will work with the default windows XP and OS-X clients.

Note: Some patching may be required.

Auth type = PSK / Ms-chap

Ports: 4500 / 500

Protocol = esp

This is more or less a brain dump for me so I do not forget what I did. Once I free up a machine

NOTE: This same configuration works on gentoo Hardened SELinux.

I took most of my info from the following two sites.

http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

http://megaz.arbuz.com/archives/2005/01/28/linux-vpn-guide/1

In my current setup my VPN is behind a NAT firewall, which caused some issues. I will explain how to set this up at the end if it is needed by folks.

I am thinking about running this on a production server but I have a few security issues that need to be addressed. I hope to figure these out soon. (Mainly with VPN behind a nat)

Current Software versions

 *Quote:*   

> kernel-2.6.9-gentoo-r9 (gentoo-dev-sources or gentoo-sources now I think.)
> 
> net-misc/openswan-2.3.0 (2.3.1 is in portage now will most likely update soon)
> 
> net-firewall/ipsec-tools-0.4-r1
> ...

 

Kernel Configuration.

Make sure to have the following. (May have some extra modules you can fine-tune as you please)

```
Networking support  --->
    Networking options  --->
        <M> PF_KEY socket
        [*] TCP/IP networking
            <M> IP: AH transformation
            <M> IP: ESP transformation
            <M> IP: IPComp transformation
            <M> IPsec user configuration interface
        [*] Network device support
        <M> PPP (point-to-point protocol) support
            <M> PPP support for async serial ports
            <M> PPP support for sync tty ports
            <M> PPP Deflate compression
            <M> PPP BSD-Compress compression
            <M> PPP over Ethernet (EXPERIMENTAL)

Device Drivers  --->
    Character devices  --->
        [*] Legacy (BSD) PTY support
```

Note: The last kernel option may not be needed.

I have added a bunch of cryptographic options; this can be fine-tuned also, I am sure.

```
Cryptographic options  --->
    --- Cryptographic API
    ---   HMAC support
    <M>   Null algorithms
    <M>   MD4 digest algorithm
    <M>   MD5 digest algorithm
    <M>   SHA1 digest algorithm
    <M>   SHA256 digest algorithm
    <M>   SHA384 and SHA512 digest algorithms
    <M>   DES and Triple DES EDE cipher algorithms
    <M>   Blowfish cipher algorithm
    <M>   Twofish cipher algorithm
    <M>   Serpent cipher algorithm
    <M>   Deflate compression algorithm
```

Emerging Software

My Server Specific USE

```
USE="-X -alsa -oss -gif -emboss -f77 -font-server -fortran java -truetype-fonts -type1-fonts -mad -gpm -gnome -motif -mikmod -encode -kde -apm -nls -arts -avi -bitmap-fonts -cups -foomaticdb -gtk -gtk2 -ipv6 -jpeg -mpeg -oggvorbis -opengl -pdflib -png -qt -quicktime -readline -sdl -truetype -xmms -xv nptl ssl pam ssh"
```

```
echo "net-misc/openswan ~x86" >> /etc/portage/package.keywords
```

```
emerge openswan ipsec-tools l2tpd ppp
```

IpSec Configuration

Let's say your external IP is 50.50.50.50 and your internal subnet is 192.168.1.x.

```
vi /etc/ipsec/ipsec.conf
```

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
```

Next we need to edit the /etc/ipsec/ipsec.secrets file

```
50.50.50.50 %any: PSK "biGl0nGlin3oft3xtwith8725364514and*$@andstuff"
```

This PSK (Private Shared Key) will need to be passed out to all users that use the vpn. You may want to enforce a good security policy for this key if you do decide to run this setup in production.

Note: The %any means that any IP can connect. If you are only connecting via one external machine, add only its IP address for a more secure install.

l2tpd Configuration

Edit /etc/l2tpd.conf

```
; l2tpd.conf
;
[global]
listen-addr = 50.50.50.50
port = 1701

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 50.50.50.50
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
```

Note: the listen-addr will need to be the IP that is known to the machine.

Note: If you are running behind a NAT, this will be your internal IP. (See VPN behind a NAT at the bottom for more info.)

I set the ip range to match up with my internal subnet and assigned a block of IPs that I know I am not using. Also it is nice to set up your DNS server to assign names to this block of IPs, for debugging and easy tracking.

PPP Configuration

Edit /etc/ppp/options.l2tpd

```
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
```

Set ms-dns to your DNS server ip.

To set up your users edit /etc/ppp/chap-secrets

```
# Secrets for authentication using CHAP
# client        server          secret          IP addresses
testuser        *               "password"      192.168.1.0/24
*               testuser        "password"      192.168.1.0/24
```

This is an example of one user. You need to add an entry for client and server. Also make sure 192.168.1.0/24 matches your subnet; change as needed.

Kicking off the VPN

Add to your default runlevel

```
rc-update add l2tpd default
rc-update add ipsec default
```

Fire it up and hope....

```
/etc/init.d/l2tpd start
 * Starting l2tpd...
This binary does not support kernel L2TP.                                 [ ok ]
```

Note: When you start l2tpd you will see the above message. This is not an error.

```
/etc/init.d/ipsec start
 * Starting IPSEC ......
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.9-gentoo-r9/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-gentoo-r9/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.9-gentoo-r9/kernel/net/xfrm/xfrm_us  [ ok ]
```

I use syslog-ng so the logs to look at for me are /var/log/syslog and messages.

After start up I have the following modules loaded

```
Module                  Size  Used by
xfrm_user              16516  0
xfrm4_tunnel            4100  0
af_key                 33680  0
ppp_async              11392  0
crc_ccitt               2176  1 ppp_async
ppp_generic            25236  1 ppp_async
slhc                    8064  1 ppp_generic
deflate                 3840  0
zlib_deflate           21656  1 deflate
zlib_inflate           17792  1 deflate
twofish                37248  0
serpent                12928  0
blowfish                9984  0
des                    11648  0
sha256                  9344  0
sha1                    8832  0
crypto_null             2304  0
ipcomp                  8456  0
esp4                    8576  0
ah4                     7040  0
md5                     4096  1
```

Setting up Windows XP Client

Ok "clicky, clicky, clicky" folks

Click Start --> Settings --> Network Connections --> New Connection Wizard

because wizards are cool and can turn people into frogs...

Click Next on the first screen

Click Connect to the network at my workplace then click Next

Click Virtual Private Network connection then click Next

Type in a name for the VPN then click Next

Click Do Not dial the initial connection then click Next

Enter the IP address of your new VPN Server then click Next

Add a shortcut if you want then click Finish

A window will open next prompting you for a User name and Password.

We will need to change some of the properties to make the connection happen so click properties.

Click the Security Tab and click IPSec Settings by the bottom. Enter your long PSK that you set up in the /etc/ipsec/ipsec.secrets file.

Next go to the Networking Tab and in the Type of VPN Dropdown box select "L2TP IPSec VPN"

That should be it; click OK after.

Now log in with the username and password that you set up in your /etc/ppp/chap-secrets file.

Setting up OS-X Client

to do..

Setting up Linux Client

to do..

Patching the src so ipsec will work behind a NAT

Get the patch http://lists.openswan.org/pipermail/users/2005-February/003931.html

Save in a happy place.

Since I am sure you emerged openswan already we will need to go to the src dir.

```
cd /usr/portage/distfiles/
```

Extract / Patch / Compress

```
tar xfvz openswan-2.3.0.tar.gz
cd openswan-2.3.0/programs/pluto
patch ipsec_doi.c <path to>/openswan-2.3.0-NATserver.patch
cd /usr/portage/distfiles
tar cfvz openswan-2.3.0.tar.gz openswan-2.3.0
```

Digest and Remerge

```
ebuild /usr/portage/net-misc/openswan/openswan-2.3.0.ebuild digest
emerge openswan
```

Start openswan

```
/etc/init.d/ipsec start
```

That should do it.. 

I by no means am a VPN expert; this was my first shot at one and it was a learning experience, so I figured I would post my findings.

I hope it helps someone..

Last edited by dashnu on Fri Jul 28, 2006 12:48 pm; edited 8 times in total
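As an added example (not code from the thread or from Openswan), here is a small Python resolver for the conn sections above: it expands also= chains and conn %default the way ipsec.conf(5) describes, so you can see what roadwarrior-l2tp actually becomes, and it flags the settings the thread itself warns about (one PSK for everyone with right=%any, and pfs=no). The config it parses is a constructed copy of the conns above; the finding texts are mine.

```python
"""Resolve Openswan ipsec.conf conn sections and audit the L2TP ones.
Added example; the parsing rules follow ipsec.conf(5): a parameter set
in the including conn is not overridden by one pulled in via also=, and
conn %default fills anything still unset."""
from typing import Dict, List

# Constructed sample: the conn sections from the howto above, trimmed to
# the parameters that matter for the resolution and the checks.
SAMPLE_CONF = """
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        keyingtries=3
        authby=secret
        type=tunnel
        keyexchange=ike

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Split ipsec.conf into sections keyed 'conn NAME' / 'config setup'.
    Section headers start in column 0; parameters are indented key=value;
    anything after '#' is a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # a header line
            parts = line.split(None, 1)
            if parts[0] in ("conn", "config") and len(parts) == 2:
                current = f"{parts[0]} {parts[1].strip()}"
                sections[current] = {}
            else:                                 # 'version 2.0', 'include ...'
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def _expand(sections: Dict[str, Dict[str, str]], name: str, seen: set) -> Dict[str, str]:
    """Follow also= chains; the including conn's own values win."""
    key = f"conn {name}"
    if key not in sections:
        raise KeyError(f"also= refers to unknown conn '{name}'")
    if name in seen:
        raise ValueError(f"circular also= chain at conn '{name}'")
    seen.add(name)
    merged = dict(sections[key])
    also = merged.pop("also", None)
    if also:
        for k, v in _expand(sections, also, seen).items():
            merged.setdefault(k, v)
    return merged


def resolve(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """The fully expanded conn: explicit values, then also= values, then
    whatever 'conn %default' supplies for anything still unset."""
    merged = _expand(sections, name, set())
    for k, v in sections.get("conn %default", {}).items():
        merged.setdefault(k, v)
    return merged


def audit_l2tp_conn(conn: Dict[str, str]) -> List[str]:
    """Findings for a PSK road-warrior L2TP conn, mirroring the thread's
    own caveats (one PSK handed to every user, right=%any, pfs=no)."""
    findings: List[str] = []
    if conn.get("rightprotoport") != "17/1701":
        findings.append("rightprotoport is not 17/1701: the SA is not limited to L2TP")
    if conn.get("authby") == "secret" and conn.get("right") == "%any":
        findings.append("authby=secret with right=%any: one shared PSK, any source IP may try it")
    if conn.get("pfs", "yes") == "no":
        findings.append("pfs=no: Phase 2 keys derive from the IKE SA alone (no forward secrecy)")
    return findings


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_CONF)
    for name in ("roadwarrior-l2tp", "roadwarrior-l2tp-updatedwin"):
        full = resolve(secs, name)
        print(name, full)
        for finding in audit_l2tp_conn(full):
            print("  -", finding)
```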

----------

## Morbo

Thanks. 

Worked great except for one thing. I had to enable "PF_KEY sockets" under Network Options in the kernel as well.

----------

## dashnu

Cool, I added PF_KEY socket.

----------

## wedge14

Thanks for the how-to. One problem so far: when I close the VPN on the XP machine the pppd process does not always close out properly.

Successful session looks like this...

```
Apr 18 15:17:06 [pppd] pppd 2.4.2 started by root, uid 0

Apr 18 15:17:06 [pppd] Using interface ppp0

Apr 18 15:17:06 [pppd] Connect: ppp0 <--> /dev/ttyp0

Apr 18 15:17:06 [pppd] Unsupported protocol 'Compression Control Protocol' (0x80fd) received

Apr 18 15:17:06 [pppd] found interface eth1 for proxy arp

Apr 18 15:17:06 [pppd] local  IP address 192.168.101.25

Apr 18 15:17:06 [pppd] remote IP address 192.168.101.26

Apr 18 15:18:51 [kernel] process `host' is using obsolete setsockopt SO_BSDCOMPAT

Apr 18 15:19:26 [pppd] LCP terminated by peer (y~zM-^?^@<M-Mt^@^@^@^@)

Apr 18 15:19:26 [l2tpd] control_finish: Connection closed to xx.xx.xx.xx, port 1701 (), Local: 50947, Remote: 10_

Apr 18 15:19:26 [pppd] Terminating on signal 15.

Apr 18 15:19:26 [pppd] Modem hangup

Apr 18 15:19:26 [pppd] Connection terminated.

Apr 18 15:19:26 [pppd] Connect time 2.4 minutes.

Apr 18 15:19:26 [pppd] Sent 3100 bytes, received 7649 bytes.

Apr 18 15:19:26 [pppd] Connect time 2.4 minutes.

Apr 18 15:19:26 [pppd] Sent 3100 bytes, received 7649 bytes.

Apr 18 15:19:26 [pppd] Exit.
```

But most of the time I get this.. with pppd still running

```
Apr 18 15:20:21 [pppd] pppd 2.4.2 started by root, uid 0

Apr 18 15:20:21 [pppd] Using interface ppp0

Apr 18 15:20:21 [pppd] Connect: ppp0 <--> /dev/ttyp0

Apr 18 15:20:21 [pppd] Unsupported protocol 'Compression Control Protocol' (0x80fd) received

Apr 18 15:20:21 [pppd] found interface eth1 for proxy arp

Apr 18 15:20:21 [pppd] local  IP address 192.168.101.25

Apr 18 15:20:21 [pppd] remote IP address 192.168.101.26

Apr 18 15:20:56 [pppd] LCP terminated by peer (1M-w^XM-^M^@<M-Mt^@^@^@^@)

Apr 18 15:20:57 [l2tpd] control_finish: Connection closed to xx.xx.xx.xx, port 1701 (), Local: 34032, Remote: 11_
```

Naturally the ppp(0,1,2....) interfaces start stacking up.

Any thoughts?

----------

## dashnu

I have not noticed this. I am out of the office today so I will look into this first thing tomorrow morning. I imagine bad things will happen if the ppp connects keep stacking up, good find.

Also if anyone ends up using this with some 'load' say 10+ users or so I would love to know how it holds up. I have only tested a single user as of now.

----------

## wedge14

Thanks for looking. As far as I can tell the l2tpd process is spawning a child process, shown here...

```
9357 ?        S      0:00 /usr/sbin/pppd passive -detach 192.168.101.25:192.168.101.26 refuse-pap auth require-chap name VPNserver debug file /etc/ppp/options.l2tpd /dev/ttyp0
```

L2tp is then not properly killing the process when the session disconnects. I have to manually kill it almost every time. Also the client who was connected can't connect again until I do kill it.

I'm considering trying rp-l2tp, any experience with that?

System info:

Kernel 2.6.11-gentoo-r6 - everything built into the kernel rather than modules

Openswan 2.3.1

ppp-2.4.2-r10

Not going through NAT at this time

Other than that it should be identical to your configuration.

Thanks.

----------

## dashnu

I was not able to reproduce your error. I logged in and out about 20 times in a row. Not sure if this has anything to do with it, but are /etc/ppp/ip-up and ip-down executing properly? I did not see anything in your logs relating to it. The only other thing I can think of is the fact that you compiled ppp into your kernel rather than as a module.

Try to check to make sure ip-up and ip-down are executing; if so, I would recompile your kernel with M's.

----------

## wedge14

Got it working!!!

Turns out it was my firewall rules ... duh.

Added the following to iptables for the ppp interfaces..

```
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -o ppp+ -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT
```

Thanks for the help.

----------

## SkidSoft

I keep getting...

```
Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.15.2'

Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: I did not send a certificate because I do not have one.

Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #1: sent MR3, ISAKMP SA established

Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: responding to Quick Mode {msgid:9bac738d}

Apr 28 15:31:49 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1

Apr 28 15:31:50 [l2tpd] control_finish: Connection established to 192.168.15.2, 1701.  Local: 46882, Remote: 8.  LNS session is 'default'_

Apr 28 15:31:50 [l2tpd] start_pppd: Unable to open /dev/ttyp0 to launch pppd!_

Apr 28 15:31:50 [l2tpd] control_finish: Call established with 192.168.15.2, Local: 31999, Remote: 1, Serial: 0_

Apr 28 15:31:50 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

Apr 28 15:31:50 [pluto] "roadwarrior-l2tp"[1] 192.168.15.2 #2: IPsec SA established {ESP=>0x19b50f11 <0x5369b9d6 xfrm=3DES_0-HMAC_MD5}

Apr 28 15:32:16 [l2tpd] control_finish: Connection closed to 192.168.15.2, port 1701 (), Local: 46882, Remote: 8_

```

I'm using udev and don't understand why it can't open /dev/ttyp0. Can someone give me a clue?

----------

## dashnu

To be honest udev is brand new to me. I just installed it like a week ago at home. I have not applied it to any of my work servers yet because devfs just works still.

I looked at home and compared to my work vpn server and both have ttyp0 -> pty/s0.

Do you have this device, and does it point to pty/s0?

It may have something to do with the kernel..

 *Quote:*   

> Device Drivers  --->
> 
>                       Character devices  --->
> 
>                                [*] Legacy (BSD) PTY support 

 

Try to compile that in.

----------

## SkidSoft

I have compiled that option in but mine isn't a symlink to the serial port. I'll try that...

[EDIT]

Bad news, didn't work. Now I don't even have a way of getting back my ttyp0 even though it didn't work. Can someone give me a mknod or something to get it back?

----------

## SkidSoft

well, got udev a little more configured, but I still get that same error with PPPD above. 

Can anyone think of anything UDEV related that I might not have right or forgotten?

----------

## dashnu

I just set this up on gentoo hardened SELinux running udev with no problems.  Did you ever get this working with udev?

----------

## Narusegawa

You mention

 *Quote:*   

> Auth type = PSK / Ms-chap
> 
> Ports: 4500 / 500 

 

Are these absolutely needed or can this be done with just L2TP 1701?

I'm moving into a house share soon with a net connection already there. And rather than have them port forward tons of stuff for me I want to only forward L2TP VPN if I can help it.

----------

## dashnu

This method used l2tp inside of Ipsec. I would not fully trust just a plain l2tp connect. It is rumored not to be secure.  The method I talk about allows that port to be closed. If you want to do this you can look at ..

```
/etc/l2tpd/l2tp-secrets
```

 for auth maybe and..

```
/etc/l2tpd/l2tpd.conf
```

 for configuration.

However I am not sure how you would set this up. But i bet you could get it to work.

----------

## dashnu

 *wedge14 wrote:*   

> Got it working!!!
> 
> Turns out is was my firewall rules ... duh.
> 
> Added the following to iptables for the ppp interfaces..
> ...

 

I am having trouble allowing this to pass through my f-wall.. can you explain a bit better what you did?

I have the following so far.

<snip>

```
#External VPN Access
einfo "Creating external vpn traffic chain"
$IPT -N external-vpn-traffic
$IPT -F external-vpn-traffic
$IPT -A external-vpn-traffic -i $EXTIF -p udp  --dport 4500 -j ACCEPT
$IPT -A external-vpn-traffic -i $EXTIF -p udp  --dport 500 -j ACCEPT

#PPP interfaces forward
einfo "Creating ppp forward traffic chain"
$IPT -N ppp-forward-vpn-traffic
$IPT -F ppp-forward-vpn-traffic
$IPT -A ppp-forward-vpn-traffic -i ppp+ -j ACCEPT
$IPT -A ppp-forward-vpn-traffic -o ppp+ -j ACCEPT

#PPP interfaces out
einfo "Creating ppp output traffic chain"
$IPT -N ppp-output-vpn-traffic
$IPT -F ppp-output-vpn-traffic
$IPT -A ppp-output-vpn-traffic -o ppp+ -j ACCEPT
```

Then I add my custom rules to input / output / forward

----------

## dashnu

Fixed.. Added these rules 

```
# External Input VPN Access
$IPT -N external-vpn-traffic
$IPT -F external-vpn-traffic
$IPT -A external-vpn-traffic -i $EXTIF -m mark --mark 1 -j ACCEPT
$IPT -A external-vpn-traffic -d $EXTIP -p udp -m udp --dport 500 \
  -j ACCEPT
$IPT -A external-vpn-traffic -p esp -j ACCEPT
```

```
# Output l2tp traffic
$IPT -N allow-l2tp-traffic-out
$IPT -F allow-l2tp-traffic-out
$IPT -A allow-l2tp-traffic-out -s $EXTIP -p udp -m udp --sport 1701 \
  -j ACCEPT
```

```
# Output VPN traffic chain
$IPT -N allow-vpn-traffic-out
$IPT -F allow-vpn-traffic-out
$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 500 \
  -j ACCEPT
```

```
# Output esp packets
$IPT -N allow-esp-traffic-out
$IPT -F allow-esp-traffic-out
$IPT -A allow-esp-traffic-out -p esp -j ACCEPT
```

```
# Rule for VPN (Ipsec/l2tp)
$IPT -t mangle -A PREROUTING -i $EXTIF -p esp -j MARK --set-mark 1
```

also added this rule to redirect ppp to squid for vpn based web browsing.

```
$IPT -A internal-squid-traffic -i $VPN -s $LOCAL_NETWORK -p tcp --dport 3128 -j ACCEPT
```

and this...

```
$IPT -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT \

  --to-port 3128

```

My almost complete firewall is here for more reference.. http://teh.sh.nu/scripts/firewall.stable (should be firewall kinda stable.)

Also if anyone wants to take the time to once-over this script that would be cool.. It is my first attempt at iptables and I tried it the gentoo way.

----------

## Lajasha

Has anyone tried this lately? The reason I ask is I can not get the patch to work.

The current version in portage is 2.3.1, so I got the patch for that version and tried to apply it, but it gets rejected.

```
patching file ipsec_doi.c

Hunk #1 FAILED at 1526.

1 out of 1 hunk FAILED -- saving rejects to file ipsec_doi.c.rej
```

Just in case anyone wanted to know what is in the rejects file, here it is for your viewing pleasure.

```
****************** 1526,1531 ****

        struct connection *p = find_client_connection(c

            , our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);

        if (p == NULL)

        {

            /* This message occurs in very puzzling circumstances

--- 1526,1544 ----

        struct connection *p = find_client_connection(c

            , our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);

+ #ifdef NAT_TRAVERSAL

+ #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT

+     if( (p1st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)

+        && !(p1st->st_policy & POLICY_TUNNEL)

+        && (p1st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))

+        && (p == NULL) )

+         {

+           p = c;

+           DBG(DBG_CONTROL, DBG_log("using (something) old for transport mode connection \"%s\"", p->name));

+         }

+ #endif

+ #endif

+

        if (p == NULL)

        {

            /* This message occurs in very puzzling circumstances

```
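Review bot: the `p = c` fallback inserted before the second `if (p == NULL)` hands the parent connection `c` to a transport-mode peer whenever `find_client_connection()` found no match and the NAT flags (`NAT_T_DETECTED`, `NAT_TRAVERSAL_NAT_BHND_ME`) are set, which skips the client-selector check entirely; that is exactly what the guard name `I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT` is flagging, and since the block sits inside `#ifdef NAT_TRAVERSAL` / `#ifdef I_KNOW_...` it is compiled out silently unless both macros are defined at build time, so the build flags deserve a comment. The `DBG_log("using (something) old for transport mode connection ...")` string reads as a placeholder and should say what is being reused. The reject (`Hunk #1 FAILED at 1526`) only means the surrounding context moved in 2.3.1: the hunk adds lines between the `find_client_connection()` call and the `if (p == NULL)` test and changes nothing else, so it can be re-applied by hand at that spot, with the concerns above in mind.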

Any help on this subject would be great.

----------

## dashnu

Maybe a newer patch is provided for that version but I doubt it.. Someone from the mail-list wrote it try to post there.

----------

## pava_rulez

 *maletek wrote:*   

> Has anyone tried this lately? The reason I ask is I can not get the patch to work.
> 
> The current version in portage 2.3.1, so I got the patch for that version and try to apply it but it gets rejected.
> 
> ```
> ...

 

The same for me, any hint?

----------

## pava_rulez

Moreover I'm gonna ask you another thing: my openswan server is in a DMZ whose gateway to the public internet is a linux server. So, which parameters do I have to set in l2tpd.conf? I mean listen-addr, port and so on? (linux server external eth?). However this is my situation:

```
 /etc/init.d/l2tpd start
 * Starting l2tpd ...
parse_config: line 13: data 'listen-addr = xxx.xxx.xxx.xxx' occurs with no context
init: Unable to load config file
```

----------

## dashnu

Couple of things: I would use the stable version in portage. I am crashing every night with ~x86; going to log a bug if I get a chance.

That patch should work with x86 (I think).

Also some of the info in this howto is not correct. I will update and make it official after it runs stable for a week or so.

```
[global]
port = 1701

[lns default]
ip range = 192.168.1.130-192.168.1.149
local ip = 192.168.1.4
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNd00d
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
```

ip-range should be the IPs of the virtual network people will get when they connect to your server.

local ip should be a _free_ IP that the l2tpd daemon can use..

listen-addr is not used.. It is a way to allow l2tpd to listen on the internal interface only. Since we do not use this it is very important that l2tpd is blocked by iptables! Port 1701 UDP for external access.

Again, I will update this doc soon, but I go on vacation at the end of the day today.

----------

## dashnu

Another thing: if you get this up and running, test your incoming/outgoing packets to make sure they are encapsulated. You can use tcpdump. Look for ESP packets, or UDP 4500 if you are using NAT-T; with NAT-T, ESP is encapsulated inside UDP packets. And nail your firewall to make sure only UDP 500 and 4500 are open externally. If you have a DROP ALL policy you may want to make sure you log a lot so you can figure out what packets need to be allowed out and forwarded. My firewall settings above are not currently correct. I had to add some stuff for the ppp device also.
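An added example (not code from the thread): a Python pass over iptables LOG lines in the format quoted later in this thread ("IPT FORWARD packet died: IN=... PROTO=UDP SPT=500 DPT=500") that groups the dropped packets into the flows this VPN needs (IKE udp/500, NAT-T udp/4500, ESP), so you can see which allow or forward rule is missing, and flags bare L2TP on udp/1701 arriving on the external interface, which should stay blocked. The log lines are constructed, the addresses are the 203.0.113.0/24 documentation range, and the external interface name eth1 is an assumption.

```python
"""Classify iptables LOG drops on an L2TP/IPsec gateway.  Added example:
the log prefix 'IPT <CHAIN> packet died:' is the one this thread's firewall
script uses; the ESP line shape (PROTO=ESP SPI=0x...) is what ipt_LOG
emits for protocol 50."""
import re
from collections import Counter
from typing import Dict, List, Optional

EXTERNAL_IF = "eth1"   # assumption: eth1 faces the Internet on this gateway

# Constructed sample log (documentation addresses, made-up IDs/SPI).
SAMPLE_LOG = """\
Jul  5 17:59:44 gate2 kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=203.0.113.82 DST=203.0.113.91 LEN=340 TOS=0x00 PREC=0x00 TTL=125 ID=43908 PROTO=UDP SPT=500 DPT=500 LEN=320
Jul  5 17:59:45 gate2 kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=203.0.113.82 DST=203.0.113.91 LEN=120 TOS=0x00 PREC=0x00 TTL=125 ID=43909 PROTO=UDP SPT=4500 DPT=4500 LEN=100
Jul  5 17:59:46 gate2 kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.91 DST=203.0.113.82 LEN=152 TOS=0x00 PREC=0x00 TTL=63 ID=101 PROTO=ESP SPI=0x19b50f11
Jul  5 17:59:47 gate2 kernel: IPT INPUT packet died: IN=eth1 OUT= SRC=203.0.113.82 DST=203.0.113.85 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=43910 PROTO=UDP SPT=1701 DPT=1701 LEN=40
Jul  5 17:59:48 gate2 kernel: IPT INPUT packet died: IN=eth1 OUT= SRC=203.0.113.82 DST=203.0.113.85 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=43911 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"IPT (?P<chain>[A-Z]+) packet died: (?P<fields>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """KEY=VALUE fields of one LOG line plus its chain, or None when the
    line is not a firewall log entry.  A repeated key (LEN= appears for
    both the IP and the UDP header) keeps the first, IP-level, value."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {"CHAIN": m.group("chain")}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)
        else:
            fields.setdefault(tok, "")      # bare TCP flags such as SYN
    return fields


def classify(f: Dict[str, str]) -> str:
    """Map a parsed packet onto the flows an L2TP/IPsec gateway cares about."""
    proto = f.get("PROTO", "")
    if proto == "ESP":
        return "esp"
    if proto == "UDP":
        ports = {f.get("SPT"), f.get("DPT")}
        if "500" in ports:
            return "ike"
        if "4500" in ports:
            return "nat-t"
        if "1701" in ports:
            return "l2tp-bare"             # L2TP outside IPsec
    return "other"


def analyse(log: str) -> Dict[str, object]:
    """Count drops per (chain, flow), list the VPN flows that still need a
    rule in that chain, and alert on cleartext L2TP from the outside."""
    drops: Counter = Counter()
    alerts: List[str] = []
    for line in log.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        flow = classify(f)
        drops[(f["CHAIN"], flow)] += 1
        if flow == "l2tp-bare" and f.get("IN") == EXTERNAL_IF:
            alerts.append(f"cleartext L2TP from {f.get('SRC')} on {EXTERNAL_IF}: "
                          "not inside IPsec, keep it blocked")
    needed = sorted(f"{chain}: allow {flow}" for (chain, flow) in drops
                    if flow in ("ike", "nat-t", "esp"))
    return {"drops": dict(drops), "needed_rules": needed, "alerts": alerts}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key, n in sorted(report["drops"].items()):
        print(f"{key[0]:8s} {key[1]:10s} dropped {n}")
    for item in report["needed_rules"] + report["alerts"]:
        print("*", item)
```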

----------

## pava_rulez

 *dashnu wrote:*   

> 
> 
> Again, I will update this doc soon, but I go on vacation at the end of the day today.

 

NOOOOO, you can't leave me this way... 

I was joking, have a good time and thanks for the howto!

----------

## Lajasha

Sorry, no, I have not had a chance to work more on this at the moment; however, if you do figure it out please post back as to what you did.

----------

## pava_rulez

```
/etc/init.d/l2tpd start
 * Starting l2tpd ...
parse_config: line 15: data 'port = 1701' occurs with no context
init: Unable to load config file
```


----------

## dashnu

paste your options.l2tpd and your l2tpd.conf

----------

## pava_rulez

Do you want to make a loud laugh? I forgot to uncomment lines with the tag [Global] and [lns default]. No comment...

----------

## Lajasha

 *pava_rulez wrote:*   

> Do you want to make a loud laugh? I forgot to uncomment lines with the tag [Global] and [lns default]. No comment... 

 

so is your vpn working?

----------

## pava_rulez

 *maletek wrote:*   

>  *pava_rulez wrote:*   Do you want to make a loud laugh? I forgot to uncomment lines with the tag [Global] and [lns default]. No comment...  
> 
> so is your vpn working?

 

No, I'm only saying that I can start l2tpd and the ipsec daemon without errors. Now many other troubles are in sight; for example my XP VPN client wants me to provide a certificate, which I haven't... It's a long road I think.

----------

## dashnu

You need to set up your PSK in the windows client...  under security IPSec Settings.

----------

## pava_rulez

No way, I alternatively get 792 code error followed by 789 errors on my XP client. Moreover my lsmod output looks a little different than yours:

```
lsmod
Module                  Size  Used by
blowfish                7808  -
sha1                    8160  -
crypto_null             1824  -
ppp_async               9536  -
ppp_generic            21108  -
slhc                    6304  -
crc_ccitt               1600  -
xfrm4_tunnel            2756  -
sha256                  9216  -
deflate                 2592  -
zlib_deflate           21656  -
zlib_inflate           17088  -
md5                     3488  -
des                    11296  -
twofish                38240  -
xfrm_user              13188  -
ipcomp                  6984  -
esp4                    6336  -
ah4                     4960  -
af_key                 26992  -
```

What can I do?

----------

## pava_rulez

 *maletek wrote:*   

> 
> 
> so is your vpn working?

 

I just succeeded in setting up openswan to use psk. One attempt to use certificates was successful, but the next ones failed. I'm seriously thinking of using simple psk anyway...

----------

## dashnu

PSK's can be up to 256 characters afaik. pick a good one and you should be fine.. I use them for now.

----------

## pava_rulez

 *dashnu wrote:*   

> PSK's can be up to 256 characters afaik. pick a good one and you should be fine.. I use them for now.

 

Yes sir!

----------

## pava_rulez

Ok, once again troubles.

I've forgotten to say that I had put my vpn server on the internet and this way it worked. Now I've tried to put it back in the DMZ. Gate2 is the firewall with two nics, xxx.xxx.xxx.85 on external router and xxx.xxx.xxx.89 on the DMZ. VPN server has 2 nics too, xxx.xxx.xxx.91 on the DMZ and 192.168.0.xxx on the Lan. I've put the rules for forward and DNAT  for ports 1701, 500, 4500 (UDP) and protocol 50,51. But when I try to make a connection from Windows XP to address 85 this attempt fails. This is what happens on my firewall...

```
Jul  5 17:59:44 gate2 kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=xxx.xxx.xxx.82 DST=xxx.xxx.xxx.91 LEN=340 TOS=0x00 PREC=0x00 TTL=125 ID=43908 PROTO=UDP SPT=500 DPT=500 LEN=320

and so on...
```

Can anyone please help me?

----------

## pava_rulez

Any idea?

[EDIT] I've made some small steps toward the goal. Now packets are forwarded in the (hopefully) right way and a connection starts. But after a little while a problem occurs and the tunnel breaks. Logs are as follows:

```
Jul  6 16:36:21 Orione pluto[32645]: packet from xxx.xxx.xxx.82:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul  6 16:36:21 Orione pluto[32645]: packet from xxx.xxx.xxx.82:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul  6 16:36:21 Orione pluto[32645]: packet from xxx.xxx.xxx.82:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul  6 16:36:21 Orione pluto[32645]: packet from xxx.xxx.xxx.82:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul  6 16:36:21 Orione pluto[32645]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: responding to Main Mode from unknown peer xxx.xxx.xxx.82
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: Main mode peer ID is ID_FQDN: '@org28.icdoc.local'
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: deleting connection "roadwarrior-l2tp" instance with peer xxx.xxx.xxx.82 {isakmp=#0/ipsec=#0}
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: I did not send a certificate because I do not have one.
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul  6 16:36:22 Orione pluto[32645]: | NAT-T: new mapping xxx.xxx.xxx.82:500/4500)
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sent MR3, ISAKMP SA established
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: cannot respond to IPsec SA request because no connection is known for xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@org28.icdoc.local]:17/1701
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xxx.82:4500
Jul  6 16:36:22 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  6 16:36:23 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc82704fc (perhaps this is a duplicated packet)
Jul  6 16:36:23 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  6 16:36:23 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  6 16:36:25 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc82704fc (perhaps this is a duplicated packet)
Jul  6 16:36:25 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  6 16:36:25 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  6 16:36:29 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc82704fc (perhaps this is a duplicated packet)
Jul  6 16:36:29 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  6 16:36:29 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  6 16:36:37 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc82704fc (perhaps this is a duplicated packet)
Jul  6 16:36:37 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  6 16:36:37 Orione pluto[32645]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0

```

----------

## pava_rulez

Can't anyone help me?

----------

## dashnu

```
cannot respond to IPsec SA request because no connection is known for xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82
```

This is a common error. It looks like both machines are behind a NAT and you did not apply the patch server side. Also make sure you set up the registry in your Windows clients to allow UDP encapsulation. It is talked about on Jacco's page.

I am on vacation and off the PC until Monday... ahhhh, beaches and sun.

BC

----------

## pava_rulez

So, I guess that I have to follow http://support.microsoft.com/default.aspx?kbid=885407 to modify the registry and apply http://www.jacco2.dds.nl/networking/patches/openswan-NATserver.patch on my VPN server. But, sorry for my ignorance, how can I apply this patch? (I've got Openswan 2.3.1.) And a last question: can you please tell me which ports I have to consider with iptables (I guess UDP 500, 4500 and 1701, while I'm not sure about 1723), and which FORWARD and PREROUTING rules must be set? Thanks and have a nice holiday (e.g. don't feel forced to answer while you are on a tropical beach...)

----------

## pava_rulez

```
Jul  7 09:09:27 Orione ipsec_setup: Starting Openswan IPsec U2.3.1/K2.6.11-gentoo-r11...
Jul  7 09:09:27 Orione ipsec_setup: KLIPS ipsec0 on eth1 xxx.xxx.xxx.91/255.255.255.248 broadcast xxx.xxx.xxx.95
Jul  7 09:09:27 Orione ipsec__plutorun: Starting Pluto subsystem...
Jul  7 09:09:27 Orione pluto[8444]: Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Jul  7 09:09:27 Orione pluto[8444]: Setting port floating to on
Jul  7 09:09:27 Orione pluto[8444]: port floating activate 1/1
Jul  7 09:09:27 Orione pluto[8444]:   including NAT-Traversal patch (Version 0.6c)
Jul  7 09:09:27 Orione pluto[8444]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul  7 09:09:27 Orione pluto[8444]: starting up 1 cryptographic helpers
Jul  7 09:09:27 Orione ipsec_setup: ...Openswan IPsec started
Jul  7 09:09:27 Orione pluto[8444]: started helper pid=8445 (fd:6)
Jul  7 09:09:27 Orione pluto[8444]: Using Linux 2.6 IPsec interface code
Jul  7 09:09:28 Orione pluto[8444]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Jul  7 09:09:28 Orione pluto[8444]:   loaded CA cert file 'cacert.pem' (1176 bytes)
Jul  7 09:09:28 Orione pluto[8444]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Jul  7 09:09:28 Orione pluto[8444]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Jul  7 09:09:28 Orione pluto[8444]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Jul  7 09:09:28 Orione pluto[8444]:   loaded crl file 'crl.pem' (475 bytes)
Jul  7 09:09:28 Orione pluto[8444]: added connection description "roadwarrior-l2tp"
Jul  7 09:09:28 Orione pluto[8444]: added connection description "roadwarrior"
Jul  7 09:09:28 Orione pluto[8444]: added connection description "roadwarrior-all"
Jul  7 09:09:28 Orione pluto[8444]: added connection description "roadwarrior-net"
Jul  7 09:09:29 Orione pluto[8444]: added connection description "roadwarrior-l2tp-updatedwin"
Jul  7 09:09:29 Orione pluto[8444]: listening for IKE messages
Jul  7 09:09:29 Orione pluto[8444]: adding interface eth1/eth1 xxx.xxx.xxx.91:500
Jul  7 09:09:29 Orione pluto[8444]: adding interface eth1/eth1 xxx.xxx.xxx.91:4500
Jul  7 09:09:29 Orione pluto[8444]: adding interface lo/lo 127.0.0.1:500
Jul  7 09:09:29 Orione pluto[8444]: adding interface lo/lo 127.0.0.1:4500
Jul  7 09:09:29 Orione pluto[8444]: adding interface eth0/eth0 192.168.0.61:500
Jul  7 09:09:29 Orione pluto[8444]: adding interface eth0/eth0 192.168.0.61:4500
Jul  7 09:09:29 Orione pluto[8444]: loading secrets from "/etc/ipsec/ipsec.secrets"
Jul  7 09:10:53 Orione pluto[8444]: packet from xxx.xxx.xxx.82:500: ignoring Delete SA payload: not encrypted
Jul  7 09:10:53 Orione pluto[8444]: packet from xxx.xxx.xxx.82:500: received and ignored informational message
Jul  7 09:11:16 Orione pluto[8444]: packet from xxx.xxx.xxx.82:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul  7 09:11:16 Orione pluto[8444]: packet from xxx.xxx.xxx.82:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul  7 09:11:16 Orione pluto[8444]: packet from xxx.xxx.xxx.82:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul  7 09:11:16 Orione pluto[8444]: packet from xxx.xxx.xxx.82:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul  7 09:11:16 Orione pluto[8444]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: responding to Main Mode from unknown peer xxx.xxx.xxx.82
Jul  7 09:11:16 Orione pluto[8444]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[1] xxx.xxx.xxx.82 #1: Main mode peer ID is ID_FQDN: '@org05.icdoc.local'
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: deleting connection "roadwarrior-l2tp" instance with peer xxx.xxx.xxx.82 {isakmp=#0/ipsec=#0}
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: I did not send a certificate because I do not have one.
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul  7 09:11:17 Orione pluto[8444]: | NAT-T: new mapping xxx.xxx.xxx.82:500/4500)
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sent MR3, ISAKMP SA established
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: cannot respond to IPsec SA request because no connection is known for xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@org05.icdoc.local]:17/1701
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xxx.82:4500
Jul  7 09:11:17 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  7 09:11:18 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6a454e75 (perhaps this is a duplicated packet)
Jul  7 09:11:18 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  7 09:11:18 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  7 09:11:20 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6a454e75 (perhaps this is a duplicated packet)
Jul  7 09:11:20 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  7 09:11:20 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  7 09:11:24 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6a454e75 (perhaps this is a duplicated packet)
Jul  7 09:11:24 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  7 09:11:24 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  7 09:11:32 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6a454e75 (perhaps this is a duplicated packet)
Jul  7 09:11:32 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
Jul  7 09:11:32 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: failed to build notification for spisize=0
Jul  7 09:11:48 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6a454e75 (perhaps this is a duplicated packet)
Jul  7 09:11:48 Orione pluto[8444]: "roadwarrior-l2tp"[2] xxx.xxx.xxx.82 #1: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.82:4500
```

I've made the change suggested in the Windows registry to support both sides being NATed. And what about this?

```
Jul  7 09:09:27 Orione pluto[8444]:   including NAT-Traversal patch (Version 0.6c)
```

So, why isn't my VPN working?

----------

## pava_rulez

 *maletek wrote:*   

> Has anyone tried this lately? The reason I ask is I can not get the patch to work.
> 
> The current version in portage is 2.3.1, so I got the patch for that version and tried to apply it, but it gets rejected.
> 
> ```
> ...
> ```


You have to do 

```
patch ikev1_quick.c...
```

instead of...

```
patch ipsec_doi.c...
```

Now the patch has been properly applied, but some other troubles occurred...

----------

## pava_rulez

Finally I made it! I set up an IPsec/L2TP tunnel between a NATed host and a NATed VPN server. Connection was possible using both a Windows 2000 Professional and an XP Professional client. Authentication was made using PSK (I didn't succeed in using certificates), but I hope that a VERY long PSK and my external firewall, which NATs requests to ports 500, 1701 etc., can do the job. Now my next challenge is to make l2tpd listen on the internal interface, or to mark packets forwarded by the firewall, to better protect the Openswan server. Thanks to everybody, in particular to Dashnu...

----------

## dashnu

Port 1701 (l2tpd) should be _closed_ to the outside world! l2tpd is not secure. 500 and 4500 are the only things you need open.

Glad it is working for you.

----------
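Dashnu's point above, as an added example that is not code from the thread or from Openswan: a host firewall for the VPN box that exposes only IKE (UDP 500), NAT-T (UDP 4500) and ESP on the public interface, and accepts L2TP (UDP 1701) only for packets the kernel has already decrypted from an IPsec SA. It assumes the public interface is eth1 (as in pava_rulez's logs), that iptables is installed, and that the server runs either the netkey stack with the `policy` match module or KLIPS with its `ipsec0` interface; the `IPT`, `WAN` and `STACK` variables and the `vpn_firewall_rules` function are mine.

```shell
#!/bin/sh
# Added example, not from the thread: host firewall rules for the Openswan box.
# Public side: only IKE (UDP 500), NAT-T (UDP 4500) and ESP are reachable.
# L2TP (UDP 1701) is accepted only after the kernel has decrypted it from an SA.
# Assumptions: public interface eth1, iptables present, netkey with the policy
# match (or KLIPS with ipsec0). Variable and function names are mine.
set -eu

IPT="${IPT:-iptables}"    # set IPT=echo to print the rules instead of loading them
WAN="${WAN:-eth1}"        # assumed public interface
STACK="${STACK:-netkey}"  # netkey (kernel 2.6 xfrm, "Using Linux 2.6 IPsec interface code") or klips

vpn_firewall_rules() {
    # IKE and NAT-T are the only UDP ports that must be reachable from outside.
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT
    # Plain ESP for clients that are not behind a NAT (NATed ones arrive on 4500).
    "$IPT" -A INPUT -i "$WAN" -p esp -j ACCEPT

    case "$STACK" in
        netkey)
            # With netkey the decrypted packet re-enters INPUT on the same
            # interface it came in on, so an interface rule cannot tell it from
            # cleartext L2TP; the policy match asks the kernel whether the
            # packet was just extracted from an inbound ESP SA.
            "$IPT" -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
            ;;
        klips)
            # With KLIPS decrypted traffic surfaces on the ipsec0 pseudo-interface.
            "$IPT" -A INPUT -i ipsec0 -p udp --dport 1701 -j ACCEPT
            ;;
        *)
            echo "unknown STACK=$STACK (use netkey or klips)" >&2
            return 1
            ;;
    esac

    # Anything else aimed at l2tpd, on any interface, is cleartext: drop it.
    "$IPT" -A INPUT -p udp --dport 1701 -j DROP
}

# Usage:  sh vpn-fw.sh apply            load the rules (needs root)
#         IPT=echo sh vpn-fw.sh apply   dry run: print the iptables commands
case "${1:-}" in
    apply) vpn_firewall_rules ;;
esac
```

The final DROP is what turns dashnu's advice into policy: even if the external NAT box forwards 1701 by mistake, cleartext L2TP never reaches l2tpd, while the policy match (or `ipsec0`) still lets the decrypted L2TP through. On a server behind a separate NAT firewall, that box only needs to forward UDP 500 and 4500 to the VPN host.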

## pava_rulez

Hi everybody (in particular Dashnu),

I've got a problem with Pluto: some hours after connecting to the VPN server I get kicked off by the VPN server and the connection drops. From that moment on, neither I nor anyone else can connect to the VPN. When I restart ipsec, a message tells me that an orphaned pluto pid is being removed. How can I solve this?

----------

## dashnu

The orphaned PIDs are the connections that fail to end properly. The only thing I can suggest is to try using net-misc/openswan-2.2.0. The latest in portage was nothing but trouble for me. If it continues we will have to look at the logs.

----------

## pava_rulez

I've noticed that very often the connection lasts almost exactly 296-297 minutes and then dies. Maybe I have some trouble with my configuration files?

l2tpd.conf:

```
port = 1701                             ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets   ; * Where our challenge secrets are
; access control = yes                  ; * Refuse connections without IP match
; rand source = dev                     ; Source for entropy for random
;                                       ; numbers, options are:
;                                       ; dev - reads of /dev/urandom
;                                       ; sys - uses rand()
;                                       ; egd - reads from egd socket
;                                       ; egd is not yet implemented
;
[lns default]                           ; Our fallthrough LNS definition
; exclusive = no                        ; * Only permit one tunnel per host
ip range = 192.168.0.41-192.168.0.45    ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
; ip range = 192.168.0.5                ; * But this one is okay
; ip range = lac1-lac2                  ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8       ; * These can connect as LAC's
; no lac = untrusted.marko.net          ; * This guy can't connect
; hidden bit = no                       ; * Use hidden AVP's?
local ip = 192.168.0.102                ; * Our local IP to use
length bit = yes                        ; * Use length bit in payload?
require chap = yes                      ; * Require CHAP auth. by peer
refuse pap = yes                        ; * Refuse PAP authentication
; refuse chap = no                      ; * Refuse CHAP authentication
; refuse authentication = no            ; * Refuse authentication altogether
require authentication = yes            ; * Require peer to authenticate
; unix authentication = no              ; * Use /etc/passwd for auth.
name = Orione                           ; * Report this as our hostname
ppp debug = yes                         ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tp      ; * ppp options file
```

ipsec.conf:

```
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.0.0/24

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftsubnet=192.168.0.0/24
        leftprotoport=17/0
        rightprotoport=17/1701
        # "also roadwarrior" (no "=") as posted is not valid ipsec.conf syntax
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
```

----------

## pava_rulez

These are the error messages:

```
Aug  4 11:51:02 Orione pluto[7875]: "roadwarrior"[2] xxx.xxx.xxx.234 #78: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Aug  4 11:51:02 Orione pluto[7875]: "roadwarrior"[2] xxx.xxx.xxx.234 #78: starting keying attempt 2 of at most 3
Aug  4 11:51:02 Orione pluto[7875]: "roadwarrior"[2] xxx.xxx.xxx.234 #79: initiating Main Mode to replace #78
Aug  4 11:51:16 Orione l2tpd[8091]: check_control: control, cid = 0, Ns = 4, Nr = 249
Aug  4 11:51:53 Orione postfix/smtpd[12721]: connect from unknown[192.168.0.102]
Aug  4 11:51:53 Orione postfix/smtpd[12721]: disconnect from unknown[192.168.0.102]
Aug  4 11:52:12 Orione pluto[7875]: "roadwarrior"[2] xxx.xxx.xxx.234 #79: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Aug  4 11:52:12 Orione pluto[7875]: "roadwarrior"[2] xxx.xxx.xxx.234 #79: starting keying attempt 3 of at most 3
Aug  4 11:52:12 Orione pluto[7875]: "roadwarrior"[2] xxx.xxx.xxx.234 #80: initiating Main Mode to replace #79
Aug  4 11:52:16 Orione l2tpd[8091]: check_control: control, cid = 0, Ns = 4, Nr = 250
Aug  4 11:53:07 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug  4 11:53:08 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug  4 11:53:10 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug  4 11:53:14 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug  4 11:53:16 Orione l2tpd[8091]: check_control: control, cid = 0, Ns = 4, Nr = 251
Aug  4 11:53:22 Orione pluto[7875]: "roadwarrior"[2] xxx.xxx.xxx.234 #80: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Aug  4 11:53:22 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug  4 11:53:38 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Aug  4 11:54:10 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: Informational Exchange is for an unknown (expired?) SA
Aug  4 11:54:10 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Aug  4 11:54:10 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: ignoring Vendor ID payload [FRAGMENTATION]
Aug  4 11:54:10 Orione pluto[7875]: packet from xxx.xxx.xxx.234:28700: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug  4 11:54:10 Orione pluto[7875]: "roadwarrior"[7] xxx.xxx.xxx.234 #81: responding to Main Mode from unknown peer xxx.xxx.xxx.234
Aug  4 11:54:10 Orione pluto[7875]: "roadwarrior"[7] xxx.xxx.xxx.234 #81: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[7] xxx.xxx.xxx.234 #81: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[7] xxx.xxx.xxx.234 #81: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[7] xxx.xxx.xxx.234 #81: Main mode peer ID is ID_FQDN: '@cristiana'
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #81: deleting connection "roadwarrior" instance with peer xxx.xxx.xxx.234 {isakmp=#0/ipsec=#0}
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #81: I did not send a certificate because I do not have one.
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #81: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #81: sent MR3, ISAKMP SA established
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: responding to Quick Mode {msgid:73d8903f}
Aug  4 11:54:11 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: cannot route -- route already in use for "roadwarrior"
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: ASSERTION FAILED at crypto.c:219: st->st_new_iv_len >= e->enc_blocksize
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: interface eth0/eth0 192.168.0.102
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: interface eth0/eth0 192.168.0.102
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: interface lo/lo 127.0.0.1
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: interface lo/lo 127.0.0.1
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: interface eth1/eth1 xxx.xxx.xxx.91
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: interface eth1/eth1 xxx.xxx.xxx.91
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: %myid = (none)
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: debug none
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82:
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82:
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82:
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82:
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior": xxx.xxx.xxx.91---xxx.xxx.xxx.89...%virtual===?; unrouted; eroute owner: #0
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior":     srcip=unset; dstip=unset
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[2]: xxx.xxx.xxx.91---xxx.xxx.xxx.89...xxx.xxx.xxx.234[@cristiana]; erouted; eroute owner: #74
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[2]:     srcip=unset; dstip=unset
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[2]:   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[2]:   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[2]:   newest ISAKMP SA: #0; newest IPsec SA: #74;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[8]: xxx.xxx.xxx.91---xxx.xxx.xxx.89...xxx.xxx.xxx.234[@cristiana]; unrouted; eroute owner: #0
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[8]:     srcip=unset; dstip=unset
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[8]:   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[8]:   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[8]:   newest ISAKMP SA: #81; newest IPsec SA: #0;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior"[8]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-all": 0.0.0.0/0===xxx.xxx.xxx.91---xxx.xxx.xxx.89...%virtual===?; unrouted; eroute owner: #0
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-all":     srcip=unset; dstip=unset
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-all":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-all":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 0,32; interface: eth1;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-l2tp-updatedwin": xxx.xxx.xxx.91:17/1701---xxx.xxx.xxx.89...%virtual:17/1701===?; unrouted; eroute owner: #0
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-l2tp-updatedwin":     srcip=unset; dstip=unset
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-l2tp-updatedwin":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-l2tp-updatedwin":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-l2tp-updatedwin":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-net": 192.168.0.0/24===xxx.xxx.xxx.91---xxx.xxx.xxx.89...%virtual===?; unrouted; eroute owner: #0
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-net":     srcip=unset; dstip=unset
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-net":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-net":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 24,32; interface: eth1;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: "roadwarrior-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82:
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: #74: "roadwarrior"[2] xxx.xxx.xxx.234:28700 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 10s; newest IPSEC; eroute owner
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: #74: "roadwarrior"[2] xxx.xxx.xxx.234 esp.4814f211@xxx.xxx.xxx.234 esp.404aa211@xxx.xxx.xxx.91
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: #82: "roadwarrior"[8] xxx.xxx.xxx.234:28700 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 299s; nodpd
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82: #81: "roadwarrior"[8] xxx.xxx.xxx.234:28700 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 14129s; newest ISAKMP; nodpd
Aug  4 11:54:12 Orione pluto[7875]: "roadwarrior"[8] xxx.xxx.xxx.234 #82:
Aug  4 11:54:12 Orione ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 221:  7875 Aborted                 /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-none --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.0.0/24
Aug  4 11:54:12 Orione ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Aug  4 11:54:12 Orione ipsec__plutorun: restarting IPsec after pause...
Aug  4 11:54:21 Orione l2tpd[8091]: control_xmit: Maximum retries exceeded for tunnel 14215.  Closing.
Aug  4 11:54:21 Orione pppd[8859]: Terminating on signal 15.
Aug  4 11:54:21 Orione pppd[8859]: Modem hangup
Aug  4 11:54:21 Orione pppd[8859]: Script /etc/ppp/ip-down started (pid 12760)
Aug  4 11:54:21 Orione pppd[8859]: Connection terminated.
Aug  4 11:54:21 Orione pppd[8859]: Connect time 250.1 minutes.
Aug  4 11:54:21 Orione pppd[8859]: Sent 47142761 bytes, received 2381677 bytes.
Aug  4 11:54:21 Orione pppd[8859]: Waiting for 1 child processes...
Aug  4 11:54:21 Orione pppd[8859]:   script /etc/ppp/ip-down, pid 12760
Aug  4 11:54:21 Orione pppd[8859]: Script /etc/ppp/ip-down finished (pid 12760), status = 0x1
Aug  4 11:54:21 Orione pppd[8859]: Connect time 250.1 minutes.
Aug  4 11:54:21 Orione pppd[8859]: Sent 47142761 bytes, received 2381677 bytes.
Aug  4 11:54:21 Orione pppd[8859]: Exit.
Aug  4 11:54:21 Orione l2tpd[8091]: call_close : Connection 1 closed to xxx.xxx.xxx.234, port 1701 (Timeout)
Aug  4 11:54:22 Orione rc-scripts: ERROR:  wrong args. (  _autorestart / _autorestart )
Aug  4 11:54:22 Orione rc-scripts: Usage: ipsec { start|stop|restart|pause|zap }
Aug  4 11:54:22 Orione rc-scripts:        ipsec without arguments for full help
Aug  4 11:54:26 Orione l2tpd[8091]: control_xmit: Unable to deliver closing message for tunnel 14215. Destroying anyway.
```

----------

## dashnu

I got that error on the newest portage version also. I could not figure out what was causing it. Are you on openswan-2.2.0? If not, use it. Or you can try to make the restart process work; mess with the init.d script maybe. I do not really know enough about ipsec to determine if this is a bug on Gentoo's end or what. Maybe file a bug and see what happens. My best guess is to say it is a bug because it works fine on the older version (for me at least).

----------

## pava_rulez

```
Orione ~ # ipsec version

Linux Openswan U2.3.1/K2.6.11-gentoo-r11 (netkey)

See `ipsec --copyright' for copyright information.

```

What can I do???

----------

## dashnu

downgrade

```
emerge -C openswan

emerge ="net-misc/openswan-2.2.0"

```

Configs should remain intact, but back them up if you want.

----------

## pava_rulez

 *dashnu wrote:*   

> downgrade
> 
> ```
> emerge -C openswan
> 
> ...

 

Ok, I'll let you know if it works. Thanks as usual, Dashnu!!!

EDIT: What about patch for NAT-T and so on? Will I have to reapply it?

----------

## dashnu

If your VPN is behind the NAT you will. The steps in this doc should work with that version.

----------

## pava_rulez

Hi Dashnu,

Yesterday morning I was in a hurry 'cause I had to go to work, and I was making some changes to my ipsec.conf. After restarting ipsec I went to my office and there I tried to change something in ipsec.conf to make it work. Hours passed and my home <-> VPN connection made using the (home modified) ipsec.conf seemed to work in a great way (I manually stopped it from the office 500 minutes after it was started).

The ugly thing is that in the meantime I had made some changes to my ipsec.conf and I can't remember which, but I know I don't have to downgrade openswan.

What I'm asking you is: can you please help me remember what I've changed?

In my log there's no reference to the connection roadwarrior-l2tp, so I'm wondering if yesterday morning I commented out the lines of ipsec.conf about this connection.

Anyway, here are my ipsec.conf and my error log messages...

```
version 2.0     # conforms to second version of ipsec.conf specification

config setup

        interfaces=%defaultroute

        klipsdebug=none

        plutodebug=none

        nat_traversal=yes

        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24

conn %default

        keyingtries=3

        compress=yes

        disablearrivalcheck=no

        authby=secret

        type=tunnel

        keyexchange=ike

        ikelifetime=19m

        keylife=23m

conn roadwarrior-net

        leftsubnet=192.168.0.0/24

        also=roadwarrior

conn roadwarrior-all

        leftsubnet=0.0.0.0/0

        also=roadwarrior

#conn roadwarrior-l2tp

#       leftprotoport=17/0

#        leftsubnet=192.168.0.0/24

#        rightprotoport=17/1701

#        also=roadwarrior

conn roadwarrior-l2tp-updatedwin

        leftprotoport=17/1701

        leftsubnet=192.168.0.0/24

        rightprotoport=17/1701

        also=roadwarrior

conn roadwarrior

        pfs=no

        left=%defaultroute

        #leftsubnet=182.168.0.0/24

        right=%any

        rightsubnet=vhost:%no,%priv

        auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

and 

```
Aug  6 15:20:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 16

Aug  6 15:20:59 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #3: initiating Main Mode to replace #1

Aug  6 15:21:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 17

Aug  6 15:22:09 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

Aug  6 15:22:09 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #3: starting keying attempt 2 of at most 3

Aug  6 15:22:09 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #4: initiating Main Mode to replace #3

Aug  6 15:22:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 18

Aug  6 15:23:19 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #4: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

Aug  6 15:23:19 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #4: starting keying attempt 3 of at most 3

Aug  6 15:23:19 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #5: initiating Main Mode to replace #4

Aug  6 15:23:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 19

Aug  6 15:24:29 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #5: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

Aug  6 15:24:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 20

Aug  6 15:25:00 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #6: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}

Aug  6 15:25:00 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #1: ignoring informational payload, type INVALID_ID_INFORMATION

Aug  6 15:25:00 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #1: received and ignored informational message

Aug  6 15:25:29 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #1: ISAKMP SA expired (LATEST!)

Aug  6 15:25:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 21

Aug  6 15:26:10 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #6: max number of retransmissions (2) reached STATE_QUICK_I1

Aug  6 15:26:10 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #6: starting keying attempt 2 of at most 3

Aug  6 15:26:10 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #7: initiating Main Mode

Aug  6 15:26:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 22

Aug  6 15:27:20 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #7: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

Aug  6 15:27:20 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #7: starting keying attempt 3 of at most 3

Aug  6 15:27:20 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #8: initiating Main Mode to replace #7

Aug  6 15:27:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 23

Aug  6 15:28:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 24

Aug  6 15:28:30 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #8: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

Aug  6 15:29:30 Orione l2tpd[8157]: check_control: control, cid = 0, Ns = 4, Nr = 25

Aug  6 15:29:30 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123 #2: IPsec SA expired (LATEST!)

Aug  6 15:29:30 Orione pluto[9221]: "roadwarrior"[2] xxx.xxx.xxx.123: deleting connection "roadwarrior" instance with peer xxx.xxx.xxx.123 {isakmp=#0/ipsec=#0}

Aug  6 15:30:35 Orione l2tpd[8157]: control_xmit: Maximum retries exceeded for tunnel 29079.  Closing.

Aug  6 15:30:35 Orione pppd[9392]: Terminating on signal 15.

Aug  6 15:30:35 Orione pppd[9392]: Modem hangup

Aug  6 15:30:35 Orione pppd[9392]: Script /etc/ppp/ip-down started (pid 9768)

Aug  6 15:30:35 Orione pppd[9392]: Connection terminated.

Aug  6 15:30:35 Orione pppd[9392]: Connect time 24.1 minutes.

Aug  6 15:30:35 Orione pppd[9392]: Sent 288656 bytes, received 31774 bytes.

Aug  6 15:30:35 Orione pppd[9392]: Waiting for 1 child processes...

Aug  6 15:30:35 Orione pppd[9392]:   script /etc/ppp/ip-down, pid 9768

Aug  6 15:30:35 Orione pppd[9392]: Script /etc/ppp/ip-down finished (pid 9768), status = 0x1

Aug  6 15:30:35 Orione pppd[9392]: Connect time 24.1 minutes.

Aug  6 15:30:35 Orione pppd[9392]: Sent 288656 bytes, received 31774 bytes.

Aug  6 15:30:35 Orione pppd[9392]: Exit.

Aug  6 15:30:35 Orione l2tpd[8157]: call_close : Connection 43 closed to xxx.xxx.xxx.123, port 1701 (Timeout)

Aug  6 15:30:40 Orione l2tpd[8157]: control_xmit: Unable to deliver closing message for tunnel 29079. Destroying anyway.

Aug  6 15:31:30 Orione pluto[9221]: packet from xxx.xxx.xxx.123:21365: Informational Exchange is for an unknown (expired?) SA

```

I'd kill myself for being such an idiot!!!

----------

## pava_rulez

Hellooooo, is there anybody there? I'm really stuck with this problem. Any help would be very much appreciated... I can't surrender at this point!!!

----------

## Quinny

Your guide is very good and easy to follow, thanks. (I tried some guides about a year ago with freeswan but gave up after three weeks of nothing...)

But: My VPN seems to be working but I suspect it is not using IPsec.

My colleague wanted to see what happened when he typed the wrong IPsec key in his Windows XP Home client, and he could just connect as easily as with the correct key? We then tried pinging and some file transfers; everything worked fine with the wrong key...

The username/password from the /etc/ppp/chap-secrets file needs to be correct though, so luckily my network isn't wide open, but still not quite ready for production use yet.

I checked useflags, reinstalled everything, compared config files a thousand times with the ones posted in here and checked the logs. I only see output from ipsec (pluto) when I start it, even though I've set the debug options to "all"... (I can even stop IPsec and still connect to and use the vpn connection)

Does anyone have any idea on how this could be happening? Did I miss something while configuring?

----------

## dashnu

Pava.. I have no idea what you've got going on.. I think I see you on the mailing lists getting responses..

Quinny.. You do have something wrong. It sounds like you do not have your PSK set up correctly. First, externally I would block UDP 1701, which is the l2tp port.. Test to see if it is open using nmap..

```
nmap -P0 -sU hostname
```

I think...

Open UDP 500 and 4500 (if you are using NAT-T) and protocol ESP; that is all you should need open.

Do not go to production until you clear this up. Also use tcpdump on a middle-man machine to confirm packets are encapsulated. If you use NAT-T the packets will not show up as ESP packets; AFAIK those are tunneled inside UDP 4500..
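Quinny's symptom (a wrong PSK still connects, and the VPN keeps working with IPsec stopped) and dashnu's advice to block UDP 1701 from the outside come down to the same rule: the L2TP port must only be reachable through an IPsec SA. The script below is an added example, not code from this thread or from Openswan. It emits a netfilter rule set that admits IKE, NAT-T and ESP but accepts UDP 1701 only after IPsec decapsulation, and it audits an existing rule listing (for instance the output of `iptables-save`) for the weak variant. The interface name `eth0` is an assumption; pass your public interface as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): L2TP reachable only
# through IPsec, plus an audit for the weak, unconditional UDP 1701 rule.

# Print the rules instead of applying them so they can be reviewed first; pipe
# the output through "sh" as root to apply. The default interface name is an
# assumption.
vpn_rules() {
    ext_if="${1:-eth0}"
    cat <<EOF
iptables -A INPUT -i $ext_if -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ext_if -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $ext_if -p esp -j ACCEPT
# L2TP only after IPsec decapsulation. The policy match also sees packets that
# arrived via NAT-T, because the kernel strips the UDP 4500 wrapper first.
iptables -A INPUT -i $ext_if -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Plain, unprotected L2TP from the outside is dropped.
iptables -A INPUT -i $ext_if -p udp --dport 1701 -j DROP
EOF
}

# Audit a rule listing read from stdin: prints "weak" if any rule accepts
# UDP 1701 without requiring an IPsec policy, "ok" otherwise.
l2tp_exposure() {
    awk '
        /-p udp/ && /--dport 1701/ && /-j ACCEPT/ && !/--pol ipsec/ { weak = 1 }
        END { print (weak ? "weak" : "ok") }
    '
}

# Stand-alone use: show the generated rules and confirm they pass the audit.
vpn_rules eth0
vpn_rules eth0 | l2tp_exposure
```

The policy match needs the `xt_policy` netfilter module; `iptables -m policy --help` tells you whether your kernel and iptables build have it. With this rule set in place, a client whose PSK is wrong never gets an IPsec SA, so its L2TP packets hit the DROP rule and pppd is never reached, which is the behaviour Quinny expected to see.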

----------

## pava_rulez

 *dashnu wrote:*   

> Pava..  I have no idea what you got going on.. I think I see you on the mailing lists getting responses..
> 
> 

 

Hi Dashnu, and thanks as usual...

Yes, I also wrote on the mailing list about the results I've achieved. Now the connection works with both server and client NATted, except for this situation: when another client tries to connect while the first connection is still alive, after keylife expiration he receives this message...

```
Aug 13 12:12:16 Orione pluto[8493]: ERROR: netlink XFRM_MSG_DELPOLICY response for flow int.0@0.0.0.0 included errno 2: No such file or directory

```

This was my ipsec.conf and I wonder if the problem was the rightid= and leftid= lines that were uncommented. Now I will retry with these 2 lines commented out and I'll see what happens...

Oh, another question. Is there an l2tp/ipsec Linux client to connect to an openswan server? It would be very useful for me...

```
version 2.0     # conforms to second version of ipsec.conf specification

config setup

        interfaces=%defaultroute

        klipsdebug=none

        plutodebug=none

        nat_traversal=yes

        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:37.xxx.xxx.0/21,%v4:!192.168.0.0/24

conn %default

        keyingtries=3

        compress=yes

        disablearrivalcheck=no

        authby=secret

        type=tunnel

        ikelifetime=240m

        keylife=60m

conn I-hate-vpn

        pfs=no

        left=%defaultroute

        leftprotoport=17/1701

        rightprotoport=17/1701

        #rightid=

        #leftid=

        right=%any

        rightsubnet=vhost:%no,%priv

        auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

----------

## dashnu

In theory you should be able to nail up a straight ipsec to ipsec connection with a Linux client. However, I have not got that to work yet. I am stuck with what may be a kernel issue and have yet to try new kernels. Also you should be able to use ipsec/l2tp with Linux, but again I failed at that..

If anyone has linux clients connecting to this VPN let me know.. I would love to add it to the doc.

----------

## maffle

Hi,

I have been having trouble with ipsec for days and I can't get it to work:

```
Aug 22 17:34:12 webs_linux l2tpd[9032]: This binary does not support kernel L2TP.

Aug 22 17:34:12 webs_linux l2tpd[9033]: l2tpd version 0.69 started on webs_linux PID:9033

Aug 22 17:34:12 webs_linux l2tpd[9033]: Linux version 2.6.7-mm6 on a i686, listening on IP address 10.0.0.100, port 1701

Aug 22 17:34:17 webs_linux ipsec_setup: Starting Openswan IPsec U2.3.1/K2.6.7-mm6...

Aug 22 17:34:18 webs_linux ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack

Aug 22 17:34:18 webs_linux ipsec_setup: KLIPS ipsec0 on ppp0 80.139.249.148/255.255.255.255 pointopoint 217.0.116.142 mtu 1410

Aug 22 17:34:18 webs_linux ipsec__plutorun: Starting Pluto subsystem...

Aug 22 17:34:18 webs_linux pluto[9145]: Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)

Aug 22 17:34:18 webs_linux pluto[9145]: Setting port floating to on

Aug 22 17:34:18 webs_linux pluto[9145]: port floating activate 1/1

Aug 22 17:34:18 webs_linux pluto[9145]:   including NAT-Traversal patch (Version 0.6c)

Aug 22 17:34:18 webs_linux ipsec_setup: ...Openswan IPsec started

Aug 22 17:34:18 webs_linux pluto[9145]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)

Aug 22 17:34:18 webs_linux pluto[9145]: starting up 1 cryptographic helpers

Aug 22 17:34:18 webs_linux pluto[9145]: started helper pid=9154 (fd:6)

Aug 22 17:34:18 webs_linux pluto[9145]: Using Linux 2.6 IPsec interface code

Aug 22 17:34:18 webs_linux pluto[9145]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'

Aug 22 17:34:18 webs_linux pluto[9145]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'

Aug 22 17:34:18 webs_linux pluto[9145]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'

Aug 22 17:34:18 webs_linux pluto[9145]: Changing to directory '/etc/ipsec/ipsec.d/crls'

Aug 22 17:34:18 webs_linux pluto[9145]:   Warning: empty directory

Aug 22 17:34:18 webs_linux pluto[9145]: added connection description "roadwarrior-l2tp"

Aug 22 17:34:19 webs_linux pluto[9145]: added connection description "roadwarrior"

Aug 22 17:34:19 webs_linux pluto[9145]: added connection description "roadwarrior-all"

Aug 22 17:34:19 webs_linux pluto[9145]: added connection description "roadwarrior-net"

Aug 22 17:34:19 webs_linux pluto[9145]: added connection description "roadwarrior-l2tp-updatedwin"

Aug 22 17:34:19 webs_linux pluto[9145]: listening for IKE messages

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface ppp0/ppp0 80.139.249.148:500

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface ppp0/ppp0 80.139.249.148:4500

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface eth2/eth2 10.0.1.100:500

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface eth2/eth2 10.0.1.100:4500

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface eth1/eth1 10.0.0.100:500

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface eth1/eth1 10.0.0.100:4500

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface lo/lo 127.0.0.1:500

Aug 22 17:34:19 webs_linux pluto[9145]: adding interface lo/lo 127.0.0.1:4500

Aug 22 17:34:19 webs_linux pluto[9145]: loading secrets from "/etc/ipsec/ipsec.secrets"
```

Every time I connect with the XP client I get this in the log:

```
Aug 22 17:34:26 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]

Aug 22 17:34:26 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [FRAGMENTATION]

Aug 22 17:34:26 webs_linux pluto[9145]: packet from 10.0.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 

Aug 22 17:34:26 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]

Aug 22 17:34:26 webs_linux pluto[9145]: packet from 10.0.0.1:500: initial Main Mode message received on 10.0.0.100:500 but no connection has been authorized

Aug 22 17:34:27 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]

Aug 22 17:34:27 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [FRAGMENTATION]

Aug 22 17:34:27 webs_linux pluto[9145]: packet from 10.0.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 

Aug 22 17:34:27 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]

Aug 22 17:34:27 webs_linux pluto[9145]: packet from 10.0.0.1:500: initial Main Mode message received on 10.0.0.100:500 but no connection has been authorized

Aug 22 17:34:29 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]

Aug 22 17:34:29 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [FRAGMENTATION]

Aug 22 17:34:29 webs_linux pluto[9145]: packet from 10.0.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 

Aug 22 17:34:29 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]

Aug 22 17:34:29 webs_linux pluto[9145]: packet from 10.0.0.1:500: initial Main Mode message received on 10.0.0.100:500 but no connection has been authorized

Aug 22 17:34:31 webs_linux pluto[9145]: packet from 10.0.0.1:500: ignoring Delete SA payload: not encrypted

Aug 22 17:34:31 webs_linux pluto[9145]: packet from 10.0.0.1:500: received and ignored informational message
```

I used your step-by-step guide, but I couldn't compile the latest ipsec-tools 0.5.3; I have an older installation of 0.3.3, but I don't think that's the problem?

```
Calculating dependencies ...done!

>>> emerge (1 of 1) net-firewall/ipsec-tools-0.5.2 to /

>>> md5 files   ;-) ipsec-tools-0.2.5.ebuild

>>> md5 files   ;-) ipsec-tools-0.4-r1.ebuild

>>> md5 files   ;-) ipsec-tools-0.3.1.ebuild

>>> md5 files   ;-) ipsec-tools-0.3.3.ebuild

>>> md5 files   ;-) ipsec-tools-0.4.ebuild

>>> md5 files   ;-) ipsec-tools-0.5-r1.ebuild

>>> md5 files   ;-) ipsec-tools-0.5.ebuild

>>> md5 files   ;-) ipsec-tools-0.5-r2.ebuild

>>> md5 files   ;-) ipsec-tools-0.5.2.ebuild

>>> md5 files   ;-) files/digest-ipsec-tools-0.2.5

>>> md5 files   ;-) files/ipsec.conf.sample

>>> md5 files   ;-) files/racoon.conf.d

>>> md5 files   ;-) files/racoon.init.d

>>> md5 files   ;-) files/digest-ipsec-tools-0.4-r1

>>> md5 files   ;-) files/digest-ipsec-tools-0.3.1

>>> md5 files   ;-) files/digest-ipsec-tools-0.3.3

>>> md5 files   ;-) files/digest-ipsec-tools-0.4

>>> md5 files   ;-) files/ipsec-tools-0.5-isakmp-underrun.diff

>>> md5 files   ;-) files/ipsec-tools-0.4-gcc34.diff

>>> md5 files   ;-) files/digest-ipsec-tools-0.5

>>> md5 files   ;-) files/digest-ipsec-tools-0.5-r1

>>> md5 files   ;-) files/digest-ipsec-tools-0.5-r2

>>> md5 files   ;-) files/digest-ipsec-tools-0.5.2

>>> md5 files   ;-) files/ipsec-tools-0.5-ipv6.diff

>>> md5 src_uri ;-) ipsec-tools-0.5.2.tar.bz2

>>> Unpacking source...

>>> Unpacking ipsec-tools-0.5.2.tar.bz2 to /var/tmp/portage/ipsec-tools-0.5.2/work

 * Removing useless C++ checks...                                         [ ok ]

libtoolize: `/usr/share/aclocal/libtool.m4' is serial 46, less than 47 in `aclocal.m4'

To remain compatible, you should update your `aclocal.m4' by running aclocal.

/usr/share/aclocal/pkg.m4:5: warning: underquoted definition of PKG_CHECK_MODULES

  run info '(automake)Extending aclocal'

  or see http://sources.redhat.com/automake/automake.html#Extending%20aclocal

/usr/share/aclocal/libmcrypt.m4:17: warning: underquoted definition of AM_PATH_LIBMCRYPT

/usr/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK

/usr/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB

/usr/share/aclocal/freetype2.m4:7: warning: underquoted definition of AC_CHECK_FT2

/usr/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE

>>> Source unpacked.

 * econf: updating ipsec-tools-0.5.2/config.guess with /usr/share/gnuconfig/config.guess

 * econf: updating ipsec-tools-0.5.2/config.sub with /usr/share/gnuconfig/config.sub

./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --build=i686-pc-linux-gnu --enable-ipv6 --enable-frag --enable-hybrid --enable-dpd --enable-natt --enable-adminport

checking for a BSD-compatible install... /bin/install -c

checking whether build environment is sane... yes

checking for gawk... gawk

checking whether make sets $(MAKE)... yes

checking for i686-pc-linux-gnu-gcc... gcc

checking for C compiler default output file name... a.out

checking whether the C compiler works... yes

checking whether we are cross compiling... no

checking for suffix of executables... 

checking for suffix of object files... o

checking whether we are using the GNU C compiler... yes

checking whether gcc accepts -g... yes

checking for gcc option to accept ANSI C... none needed

checking for style of include used by make... GNU

checking dependency style of gcc... gcc3

checking for i686-pc-linux-gnu-gcc... (cached) gcc

checking whether we are using the GNU C compiler... (cached) yes

checking whether gcc accepts -g... (cached) yes

checking for gcc option to accept ANSI C... (cached) none needed

checking dependency style of gcc... (cached) gcc3

checking how to run the C preprocessor... gcc -E

checking for egrep... grep -E

checking for ANSI C header files... yes

checking build system type... i686-pc-linux-gnu

checking host system type... i686-pc-linux-gnu

checking for ld used by GCC... /usr/i686-pc-linux-gnu/bin/ld

checking if the linker (/usr/i686-pc-linux-gnu/bin/ld) is GNU ld... yes

checking for /usr/i686-pc-linux-gnu/bin/ld option to reload object files... -r

checking for BSD-compatible nm... nm

checking for a sed that does not truncate output... /bin/sed

checking whether ln -s works... yes

checking how to recognise dependent libraries... pass_all

checking command to parse nm output... ok

checking for sys/types.h... yes

checking for sys/stat.h... yes

checking for stdlib.h... yes

checking for string.h... yes

checking for memory.h... yes

checking for strings.h... yes

checking for inttypes.h... yes

checking for stdint.h... yes

checking for unistd.h... yes

checking dlfcn.h usability... yes

checking dlfcn.h presence... yes

checking for dlfcn.h... yes

checking for i686-pc-linux-gnu-ranlib... no

checking for ranlib... ranlib

checking for i686-pc-linux-gnu-strip... no

checking for strip... strip

checking for objdir... .libs

checking for gcc option to produce PIC... -fPIC

checking if gcc PIC flag -fPIC works... yes

checking if gcc static flag -static works... yes

checking if gcc supports -c -o file.o... yes

checking if gcc supports -c -o file.lo... yes

checking if gcc supports -fno-rtti -fno-exceptions... no

checking whether the linker (/usr/i686-pc-linux-gnu/bin/ld) supports shared libraries... yes

checking how to hardcode library paths into programs... immediate

checking whether stripping libraries is possible... yes

checking dynamic linker characteristics... GNU/Linux ld.so

checking if libtool supports shared libraries... yes

checking whether to build shared libraries... no

checking whether to build static libraries... yes

creating libtool

checking for bison... bison -y

checking for flex... flex

checking for yywrap in -lfl... yes

checking lex output file root... lex.yy

checking whether yytext is a pointer... yes

checking for egrep... (cached) grep -E

checking net/pfkeyv2.h usability... no

checking net/pfkeyv2.h presence... no

checking for net/pfkeyv2.h... no

checking netinet/ipsec.h usability... no

checking netinet/ipsec.h presence... no

checking for netinet/ipsec.h... no

checking netinet6/ipsec.h usability... no

checking netinet6/ipsec.h presence... no

checking for netinet6/ipsec.h... no

checking /lib/modules/2.6.7-mm6/build/include/linux/pfkeyv2.h usability... yes

checking /lib/modules/2.6.7-mm6/build/include/linux/pfkeyv2.h presence... yes

checking for /lib/modules/2.6.7-mm6/build/include/linux/pfkeyv2.h... yes

checking for struct sadb_x_policy.sadb_x_policy_priority... yes

checking for ANSI C header files... (cached) yes

checking for sys/wait.h that is POSIX.1 compatible... yes

checking limits.h usability... yes

checking limits.h presence... yes

checking for limits.h... yes

checking sys/time.h usability... yes

checking sys/time.h presence... yes

checking for sys/time.h... yes

checking for unistd.h... (cached) yes

checking stdarg.h usability... yes

checking stdarg.h presence... yes

checking for stdarg.h... yes

checking varargs.h usability... no

checking varargs.h presence... no

checking for varargs.h... no

checking for an ANSI C-conforming const... yes

checking for pid_t... yes

checking for size_t... yes

checking whether time.h and sys/time.h may both be included... yes

checking whether struct tm is in sys/time.h or time.h... time.h

checking for working memcmp... yes

checking return type of signal handlers... void

checking for vprintf... yes

checking for _doprnt... no

checking for gettimeofday... yes

checking for select... no

checking for socket... yes

checking for strerror... yes

checking for strtol... yes

checking for strtoul... yes

checking for strlcpy... no

checking for strdup... yes

checking for an implementation of va_copy()... yes

checking if printf accepts %z... yes

checking if __func__ is available... yes

checking if readline support is requested... yes

checking readline/readline.h usability... yes

checking readline/readline.h presence... yes

checking for readline/readline.h... yes

checking for readline in -lreadline... no

checking if --with-flex option is specified... dirdefault

checking if --with-flexlib option is specified... default

checking if --with-openssl option is specified... default

checking openssl version... ok

checking openssl/engine.h usability... yes

checking openssl/engine.h presence... yes

checking for openssl/engine.h... yes

checking openssl/aes.h usability... yes

checking openssl/aes.h presence... yes

checking for openssl/aes.h... yes

checking sha2 support... checking openssl/sha2.h usability... no

checking openssl/sha2.h presence... no

checking for openssl/sha2.h... no

checking if --enable-adminport option is specified... yes

checking if --enable-gssapi option is specified... no

checking for krb5-config... no

checking if --enable-hybrid option is specified... yes

checking if --enable-frag option is specified... yes

checking for crypto containing MD5_Init... -lcrypto

checking if --with-libradius option is specified... no

checking if --enable-stats option is specified... no

checking if --enable-dpd option is specified... yes

checking if --enable-samode-unspec option is specified... no

checking whether to enable ipv6... yes

checking for advanced API support... yes

checking getaddrinfo bug... good

checking kernel NAT-Traversal support... yes

checking whether to support NAT-T... yes

checking which NAT-T versions to support... 00,02,rfc

checking whether we support FWD policy... yes

configure: creating ./config.status

config.status: creating Makefile

config.status: creating package_version.h

config.status: creating src/Makefile

config.status: creating src/include-glibc/Makefile

config.status: creating src/libipsec/Makefile

config.status: creating src/setkey/Makefile

config.status: creating src/racoon/Makefile

config.status: creating src/racoon/samples/psk.txt

config.status: creating src/racoon/samples/racoon.conf

config.status: creating rpm/Makefile

config.status: creating rpm/suse/Makefile

config.status: creating rpm/suse/ipsec-tools.spec

config.status: creating config.h

config.status: executing depfiles commands

 cd . && /bin/sh /var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/missing --run automake-1.8 --foreign 

 cd . && /bin/sh ./config.status Makefile 

config.status: creating Makefile

cd . && /bin/sh /var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/missing --run autoheader

rm -f stamp-h1

touch config.h.in

cd . && /bin/sh ./config.status config.h

config.status: creating config.h

config.status: config.h is unchanged

make  all-recursive

make[1]: Entering directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2'

Making all in src

make[2]: Entering directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src'

 cd .. && /bin/sh ./config.status src/Makefile 

config.status: creating src/Makefile

make[2]: Leaving directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src'

make[2]: Entering directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src'

Making all in include-glibc

make[3]: Entering directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src/include-glibc'

 cd ../.. && /bin/sh ./config.status src/include-glibc/Makefile 

config.status: creating src/include-glibc/Makefile

make[3]: Leaving directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src/include-glibc'

make[3]: Entering directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src/include-glibc'

ln -sf /lib/modules/2.6.7-mm6/build/include/linux

touch .includes

make[3]: Leaving directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src/include-glibc'

Making all in libipsec

make[3]: Entering directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src/libipsec'

Makefile:314: .deps/ipsec_dump_policy.Plo: No such file or directory

Makefile:315: .deps/ipsec_get_policylen.Plo: No such file or directory

Makefile:316: .deps/ipsec_strerror.Plo: No such file or directory

Makefile:317: .deps/key_debug.Plo: No such file or directory

Makefile:318: .deps/pfkey.Plo: No such file or directory

Makefile:319: .deps/pfkey_dump.Plo: No such file or directory

Makefile:320: .deps/policy_parse.Plo: No such file or directory

Makefile:321: .deps/policy_token.Plo: No such file or directory

make[3]: *** No rule to make target `.deps/policy_token.Plo'.  Stop.

make[3]: Leaving directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src/libipsec'

make[2]: *** [all-recursive] Error 1

make[2]: Leaving directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2/src'

make[1]: *** [all-recursive] Error 1

make[1]: Leaving directory `/var/tmp/portage/ipsec-tools-0.5.2/work/ipsec-tools-0.5.2'

make: *** [all] Error 2

!!! ERROR: net-firewall/ipsec-tools-0.5.2 failed.

!!! Function src_compile, Line 48, Exitcode 2

!!! (no error message)

!!! If you need support, post the topmost build error, NOT this status message.

```

----------

## evol262

Getting an awk error trying to start ipsec.  It looks like it's due to --enable-switch being set in the gawk ebuild, which nukes the default array, as default can't be used anymore.  awk hacker/python hacker I am not, though (significant whitespace>me).  Any ideas?  I'm comfortable editing the ebuild/whatever as long as you can tell me what to comment out...

----------

## dashnu

Yeah, I just went to restart my server and ran into this! WTF, any luck on a fix yet?

*edit: looked at gawk in bugs.gentoo, looks like I will roll back.

----------

## evol262

Not really.  Oneshotted back to an earlier version.  Different problem now (and all my confs/etc seem to be fine).

```
 * Starting IPSEC ... ...

ipsec_setup: Starting Openswan IPsec U2.3.1/K2.6.12-gentoo-r6...

ipsec_setup: /usr/lib/ipsec/_realsetup: line 85: /var/run/pluto/ipsec_setup.pid: No such file or directory

ipsec_setup: ...unable to create /var/run/pluto/ipsec_setup.pid, aborting start!                                      [ !! ]

```

Edit:  Comes up fine if I manually start Pluto, wtf?

Edit #2: Solved.  It appears to look in /etc/ipsec/ipsec.conf instead of /etc/ipsec.conf now.

----------

## dashnu

Yeah, that bug should be fixed soon. If a stable version of gawk breaks the stable version of openswan that is a problem for me. Either fix it or stabilize the ~x86 openswan. Not to mention I had a shitload of issues with the more recent gentoo builds of openswan. Now that I am running it again I am just waiting for my users to come yelling.

2.4 is out, let's hope we get it soon.

Any luck getting a linux client to connect with this server config yet? Anyone?

----------

## tomatopi

I just upgraded OpenSwan 2.2.0 to 2.3.0 and kept getting pluto failure 134, and the debug showed EVENT_CRYPTO_FAILED. It appears OpenSwan 2.3.0 changed the default esp crypto routine to use aes and it wasn't compiled in my kernel or as a module. Adding a key in ipsec.conf to your appropriate connection (or %default) of esp=3des-md5-96 fixes it. I will be recompiling the kernel to support the proper encryption.

Hope that helps at least somebody out there.

----------

## Michael Chen

Thanks for the how-to Dashnu!

I've tried this for some time, but I don't know how, it just doesn't work on my box.

Also, I'm not sure if this box is behind a firewall... It IS a firewall actually, and doing SNAT on a subnet 192.168.0.0/24.

The error message created by metalog looks like this:

```
Sep 18 22:44:20 [l2tpd] control_finish: Connection closed to 202.178.195.24, port 1701 (), Local: 9815, Remote: 5_

Sep 18 22:44:20 [pluto] "roadwarrior-l2tp"[10] 202.178.195.24 #9: received Delete SA(0xcdfe4b38) payload: deleting IPSEC State #

Sep 18 22:44:20 [pluto] "roadwarrior-l2tp"[10] 202.178.195.24 #9: received and ignored informational message

Sep 18 22:44:20 [pluto] "roadwarrior-l2tp"[10] 202.178.195.24 #9: received Delete SA payload: deleting ISAKMP State #9

Sep 18 22:44:20 [pluto] "roadwarrior-l2tp"[10] 202.178.195.24: deleting connection "roadwarrior-l2tp" instance with peer 202.178

Sep 18 22:44:20 [pluto] packet from 202.178.195.24:64939: received and ignored informational message

Sep 18 22:44:21 [pluto] packet from 202.178.195.24:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]

Sep 18 22:44:21 [pluto] packet from 202.178.195.24:500: ignoring Vendor ID payload [FRAGMENTATION]

Sep 18 22:44:21 [pluto] packet from 202.178.195.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set

Sep 18 22:44:21 [pluto] packet from 202.178.195.24:500: ignoring Vendor ID payload [Vid-Initial-Contact]

Sep 18 22:44:21 [pluto] "roadwarrior-l2tp"[11] 202.178.195.24 #11: responding to Main Mode from unknown peer 202.178.195.24

Sep 18 22:44:21 [pluto] "roadwarrior-l2tp"[11] 202.178.195.24 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[11] 202.178.195.24 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[11] 202.178.195.24 #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[11] 202.178.195.24 #11: Main mode peer ID is ID_FQDN: '@mikenotebook'

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[12] 202.178.195.24 #11: deleting connection "roadwarrior-l2tp" instance with peer 202

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[12] 202.178.195.24 #11: I did not send a certificate because I do not have one.

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[12] 202.178.195.24 #11: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[12] 202.178.195.24 #11: sent MR3, ISAKMP SA established

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[12] 202.178.195.24 #12: responding to Quick Mode {msgid:b949918a}

Sep 18 22:44:22 [pluto] "roadwarrior-l2tp"[12] 202.178.195.24 #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1

Sep 18 22:44:22 [l2tpd] control_finish: Connection established to 202.178.195.24, 1701.  Local: 7204, Remote: 6.  LNS session is

Sep 18 22:44:22 [pppd] pppd 2.4.2 started by root, uid 0

Sep 18 22:44:22 [l2tpd] control_finish: Call established with 202.178.195.24, Local: 3782, Remote: 1, Serial: 0_   

Sep 18 22:44:22 [pppd] Couldn't set tty to PPP discipline: Invalid argument

Sep 18 22:44:22 [pppd] Exit.

Sep 18 22:44:22 [l2tpd] call_close: Call 3782 to 202.178.195.24 disconnected_
```

The problem seems to be this line:

```
Sep 18 22:44:22 [pppd] Couldn't set tty to PPP discipline: Invalid argument 
```

but I do have the tty option enabled in the kernel.

The windows client returns an error 619.

Any suggestions would be appreciated   :Very Happy: 

----------

## Michael Chen

OK I've found the problem...

It's the PPP package. I added these in the /etc/portage/package.use:

```
net-dialup/ppp activefilter dhcp mppe-mppc
```

and then

```
emerge ppp --newuse -uD
```

and I can now connect into the VPN.

I had another problem, however... There seems to be something wrong with the DNS settings, I can view websites on the internet with their IP address but not domain name. Still playing around with it.

Thanks for the guide again!

----------

## Kleini

Hello, 

I've read the post carefully, but I have a problem with the connection:

I try to connect with a XP machine to the server. They are on the same network. The connection fails and I have a pppd failure in the logs:

 *Quote:*   

> 
> 
> Sep 30 17:50:12 [pppd] The remote system is required to authenticate itself
> 
> Sep 30 17:50:12 [pppd] but I couldn't find any suitable secret (password) for it to use to do so.
> ...

 

After searching I changed the "Auth" line in options.l2tpd into "Noauth". Then XP can login, but without authentication and security. No user or password is needed.

Anybody out there who has a similar problem and has solved it?

Last edited by Kleini on Fri Sep 30, 2005 4:27 pm; edited 1 time in total

----------

## dashnu

Did you set up your chap.secrets file ?

a sample..

```
#Secrets for authentication using CHAP

# client        server           secret            IP addresses

#################################################################

#Firstname Lastname

user         *           "secretpass"         192.168.1.0/24

*                 user   "secretpass"         192.168.1.0/24

#################################################################

```
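To make the chap-secrets format above concrete, here is an added example (my code, not dashnu's or pppd's) that parses a file in that format and resolves the lookup pppd performs when a peer authenticates. The sample file is constructed: dashnu's two lines, a leftover ISP line of the kind Kleini later removed, and a wildcard line. The selection rule (an exact name beats a `*` wildcard) is my reading of pppd's authfile scan, and the findings are this script's own checks, not anything pppd reports.

```python
"""Parse a pppd chap-secrets file and resolve the lookup pppd performs
when a peer authenticates.

Added example, not part of the thread. The file format is pppd's own
(client, server, secret, optional IP addresses, shell-style quoting,
'#' comments). The selection rule and the findings are this script's.
"""
import shlex
import stat

# Constructed sample: dashnu's two lines, a leftover ISP (rp-pppoe style)
# entry, and an over-permissive wildcard line.
SAMPLE = '''
#Secrets for authentication using CHAP
# client        server           secret            IP addresses
user         *           "secretpass"         192.168.1.0/24
*            user        "secretpass"         192.168.1.0/24
isp-login    *           "isp pass"
*            *           "anyone"
'''


def parse_chap_secrets(text):
    """Return a list of dicts with client, server, secret and addrs."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)   # honours quotes and '#'
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError('malformed chap-secrets line: %r' % raw)
        entries.append({'client': fields[0], 'server': fields[1],
                        'secret': fields[2], 'addrs': fields[3:]})
    return entries


def _score(entry, client, server):
    """Higher is more specific; None means the line does not apply."""
    score = 0
    for field, wanted in (('client', client), ('server', server)):
        if entry[field] == wanted:
            score += 2
        elif entry[field] != '*':
            return None
    return score


def peer_secret(entries, peer_name, our_name):
    """Secret used to check peer_name's CHAP response, or None.

    None is the situation behind the log line in the thread:
    "couldn't find any suitable secret (password) for it to use".
    """
    best = None
    for e in entries:
        s = _score(e, peer_name, our_name)
        if s is not None and (best is None or s > best[0]):
            best = (s, e)
    return best[1]['secret'] if best else None


def findings(entries):
    """Whole-file checks (this script's, not pppd's)."""
    out = []
    seen = {}
    for e in entries:
        if e['client'] == '*' and e['server'] == '*':
            out.append('a "* *" line lets any peer name authenticate')
        key = (e['client'], e['server'])
        if key in seen and seen[key] != e['secret']:
            out.append('duplicate line for %s/%s with a different secret' % key)
        seen.setdefault(key, e['secret'])
    return out


def mode_is_private(st_mode):
    """chap-secrets holds plaintext passwords: group/other bits must be off."""
    return not (st_mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == '__main__':
    entries = parse_chap_secrets(SAMPLE)
    print('user ->', peer_secret(entries, 'user', 'vpnserver'))
    print('nobody (without wildcard line) ->',
          peer_secret(entries[:3], 'nobody', 'vpnserver'))
    for f in findings(entries):
        print('finding:', f)
```

Run it against a real file with `parse_chap_secrets(open('/etc/ppp/chap-secrets').read())` and `mode_is_private(os.stat('/etc/ppp/chap-secrets').st_mode)`; a `None` from `peer_secret` for the name your Windows client sends is the quickest way to reproduce Kleini's "couldn't find any suitable secret" error before touching `options.l2tpd`.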

----------

## dashnu

Looks like the Openswan devs have created a patch to work around the Mac implementation of NAT-T, for those who are interested.

It will be in the 2.4.2 release I think.

It checks the VendorIDs of the client that is connecting to see if it is a Mac, and if so, the "Apple NAT-T" is used instead of the official NAT-T.

----------

## Kleini

 *dashnu wrote:*   

> Did you set up your chap.secrets file ?

Yes, I thought so, but after your post I looked at it and removed the old entries from rp-pppoe for my Internet connection (which I don't need now). What should I say, this did the trick! Now it works, thank you for your advice, it pointed me in the right direction  :Wink: .

----------

## rdvrey

```
Sep 30 21:56:47 bridge1 l2tpd[5077]: This binary does not support kernel L2TP.
Sep 30 21:56:47 bridge1 l2tpd[5078]: l2tpd version 0.69 started on bridge1 PID:5078
Sep 30 21:56:47 bridge1 l2tpd[5078]: Linux version 2.6.12-gentoo-r10 on a i686, listening on IP address 192.168.196.6, port 1701
Sep 30 21:57:00 bridge1 ipsec_setup: Starting Openswan IPsec U2.3.1/K2.6.12-gentoo-r10...
Sep 30 21:57:00 bridge1 ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack
Sep 30 21:57:00 bridge1 ipsec_setup: no default route, %defaultroute cannot cope!!!
Sep 30 21:57:23 bridge1 ipsec_setup: Starting Openswan IPsec U2.3.1/K2.6.12-gentoo-r10...
Sep 30 21:57:23 bridge1 ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack
Sep 30 21:57:23 bridge1 ipsec_setup: KLIPS ipsec0 on eth1 192.168.196.6/255.255.255.0 broadcast 192.168.196.255 mtu 1410
Sep 30 21:57:24 bridge1 ipsec__plutorun: Starting Pluto subsystem...
Sep 30 21:57:24 bridge1 ipsec_setup: ...Openswan IPsec started
Sep 30 21:57:24 bridge1 pluto[5299]: Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Sep 30 21:57:24 bridge1 pluto[5299]: Setting port floating to on
Sep 30 21:57:24 bridge1 pluto[5299]: port floating activate 1/1
Sep 30 21:57:24 bridge1 pluto[5299]:   including NAT-Traversal patch (Version 0.6c)
Sep 30 21:57:24 bridge1 pluto[5299]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 30 21:57:24 bridge1 pluto[5299]: starting up 1 cryptographic helpers
Sep 30 21:57:24 bridge1 pluto[5299]: started helper pid=5316 (fd:6)
Sep 30 21:57:24 bridge1 pluto[5299]: Using Linux 2.6 IPsec interface code
Sep 30 21:57:24 bridge1 pluto[5299]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Sep 30 21:57:24 bridge1 pluto[5299]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Sep 30 21:57:24 bridge1 pluto[5299]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Sep 30 21:57:24 bridge1 pluto[5299]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Sep 30 21:57:24 bridge1 pluto[5299]:   Warning: empty directory
Sep 30 21:57:24 bridge1 ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-l2tp": ID "%any" cannot have RSA key                          <----------
Sep 30 21:57:24 bridge1 ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior": ID "%any" cannot have RSA key                                 <----------
Sep 30 21:57:25 bridge1 ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-all": ID "%any" cannot have RSA key                             <----------
Sep 30 21:57:25 bridge1 ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-net": ID "%any" cannot have RSA key                            <----------
Sep 30 21:57:25 bridge1 ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-l2tp-updatedwin": ID "%any" cannot have RSA key          <----------
Sep 30 21:57:25 bridge1 pluto[5299]: listening for IKE messages
Sep 30 21:57:25 bridge1 pluto[5299]: adding interface eth1/eth1 192.168.196.6:500
Sep 30 21:57:25 bridge1 pluto[5299]: adding interface eth1/eth1 192.168.196.6:4500
Sep 30 21:57:25 bridge1 pluto[5299]: adding interface lo/lo 127.0.0.1:500
Sep 30 21:57:25 bridge1 pluto[5299]: adding interface lo/lo 127.0.0.1:4500
Sep 30 21:57:25 bridge1 pluto[5299]: adding interface eth0/eth0 10.0.0.1:500
Sep 30 21:57:25 bridge1 pluto[5299]: adding interface eth0/eth0 10.0.0.1:4500
Sep 30 21:57:25 bridge1 pluto[5299]: loading secrets from "/etc/ipsec/ipsec.secrets"
```

Anyone ?

regards

Robert

----------

## rdvrey

rightid=0.0.0.0

solved the problem

----------

## SkidSoft

Hey all, I've done the downgrade to 2.2.0 in order to keep from having to restart the services and that's worked fine. BUT I'm now setting up another vpn for another network that will have to reside behind NAT. I've tried to apply the patches I've found that are mostly for 2.3.0 and I get the following...

```
vpnserver pluto # patch ipsec_doi.c /root/patch

patching file ipsec_doi.c

patch: **** malformed patch at line 22: @@ -4850,16 +4863,16 @@

```

Can anyone help me with patching 2.2.0?

The patch I'm using is the one from the tutorial for this thread...

----------

## dtmf

When I try to start ipsec, it errors and gives me this:

```
 * Starting IPSEC ... ...

awk: cmd. line:100:     default[""] = ""

awk: cmd. line:100:     ^ syntax error

awk: cmd. line:205:                     for (i in default)

awk: cmd. line:205:                               ^ syntax error

awk: cmd. line:344:     } else if (search in default)

awk: cmd. line:344:                          ^ syntax error

awk: cmd. line:348:                     default[search] = rest

awk: cmd. line:348:                     ^ syntax error

awk: cmd. line:349:             else

awk: cmd. line:349:             ^ syntax error

awk: cmd. line:410:     if (name in default)

awk: cmd. line:410:                 ^ syntax error

awk: cmd. line:412:     default[name] = value

awk: cmd. line:412:     ^ syntax error

awk: cmd. line:484:             for (name in default)

awk: cmd. line:484:                          ^ syntax error

awk: cmd. line:486:                             output(o_parm, name, default[name])

awk: cmd. line:486:                                                  ^ syntax error

awk: cmd. line:488:             if (default[search] in wanted)

awk: cmd. line:488:                 ^ syntax error

/usr/lib/ipsec/_include: line 100: 22276 Broken pipe             awk 'BEGIN {

        wasfile = ""

}

FNR == 1 {

        print ""

        print "#<", FILENAME, 1

        lineno = 0

        wasfile = FILENAME

}

{

        lineno++

        # lineno is now the number of this line

}

/^#[<>:]/ {

        next

}

/^include[ \t]+/ {

        orig = $0

        sub(/[ \t]+#.*$/, "")

        if (NF != 2) {

                msg = "(" FILENAME ", line " lineno ")"

                msg = msg " include syntax error in \"" orig "\""

                print "#:" msg

                exit 1

        }

        newfile = $2

        if (newfile !~ /^\// && FILENAME ~ /\//) {

                prefix = FILENAME

                sub("[^/]+$", "", prefix)

                newfile = prefix newfile

        }

        system("ipsec _include " newfile)

        print ""

        print "#>", FILENAME, lineno + 1

        next

}

{ print }' $*

/usr/lib/ipsec/_include: line 100: 22274 Broken pipe             awk 'BEGIN {

        wasfile = ""

}

FNR == 1 {

        print ""

        print "#<", FILENAME, 1

        lineno = 0

        wasfile = FILENAME

}

{

        lineno++

        # lineno is now the number of this line

}

/^#[<>:]/ {

        next

}

/^include[ \t]+/ {

        orig = $0

        sub(/[ \t]+#.*$/, "")

        if (NF != 2) {

                msg = "(" FILENAME ", line " lineno ")"

                msg = msg " include syntax error in \"" orig "\""

                print "#:" msg

                exit 1

        }

        newfile = $2

        if (newfile !~ /^\// && FILENAME ~ /\//) {

                prefix = FILENAME

                sub("[^/]+$", "", prefix)

                newfile = prefix newfile

        }

        system("ipsec _include " newfile)

        print ""

        print "#>", FILENAME, lineno + 1

        next

}

{ print }' $*

ipsec_setup: ipsec setup: /usr/lib/ipsec/_realsetup must be called by ipsec_setup                [ !! ]
```

Has anyone had this problem and knows how to fix it? That would help me out.

----------

## dashnu

There is a bug on bugs.gentoo. Downgrade gawk to  sys-apps/gawk-3.1.3-r2 or patch.

https://bugs.gentoo.org/show_bug.cgi?id=94681

----------

## dtmf

How would I go about downgrading or getting the patches? The patches sound like the best option, any help would be great.

----------

## dashnu

if you are not sure how to patch just do this for now..

```
emerge  =sys-apps/gawk-3.1.3-r2
```

----------

## dtmf

That worked, now I have a new problem. Not sure how to fix it.

```
Nov  3 18:48:42 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:48:42 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:48:45 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:48:45 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:48:48 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:48:48 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:48:51 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:48:51 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:48:54 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:48:54 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:48:57 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:48:57 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:49:00 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:49:00 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:49:03 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:49:03 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:49:06 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:49:06 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:49:09 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:49:09 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

Nov  3 18:49:12 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]

Nov  3 18:49:12 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized

```

----------

## dashnu

post your ipsec.conf

----------

## dtmf

```
# /etc/ipsec.conf - Openswan IPsec configuration file 

# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $ 

# This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample 

# 

# Manual:     ipsec.conf.5 

version 2.0     # conforms to second version of ipsec.conf specification 

config setup 

        interfaces=%defaultroute 

        klipsdebug=none 

        plutodebug=none 

        overridemtu=1410 

        nat_traversal=yes 

        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24 

conn %default 

        keyingtries=3 

        compress=yes 

        disablearrivalcheck=no 

        authby=secret 

        type=tunnel 

        keyexchange=ike 

        ikelifetime=240m 

        keylife=60m 

conn roadwarrior-net 

        leftsubnet=192.168.1.0/24 

        also=roadwarrior 

conn roadwarrior-all 

        leftsubnet=0.0.0.0/0 

        also=roadwarrior 

conn roadwarrior-l2tp 

        leftprotoport=17/0 

        rightprotoport=17/1701 

        also=roadwarrior 

conn roadwarrior-l2tp-updatedwin 

        leftprotoport=17/1701 

        rightprotoport=17/1701 

        also=roadwarrior 

conn roadwarrior 

        pfs=no 

        left=%defaultroute 

        right=%any 

        rightsubnet=vhost:%no,%priv 

        auto=add 

#Disable Opportunistic Encryption 

include /etc/ipsec.d/examples/no_oe.conf

```

----------

## Henning Rogge

Can I use this documentation without a fixed IP ?

----------

## dashnu

Try to take out the following..

```
conn roadwarrior-all 

        leftsubnet=0.0.0.0/0 

        also=roadwarrior 

conn roadwarrior-l2tp 

        leftprotoport=17/0 

        rightprotoport=17/1701 

        also=roadwarrior 
```

And in your ipsec.secrets what are you using for an IP? Your internal or external? Do you have %any?

@ Henning

I assume you have DHCP from your ISP? If so this may work, however you would need to change the secrets file each time your IP changed. Worth a try anyway.

----------

## dtmf

For the ipsec.secrets file I have

```
0.0.0.0 %any: PSK "mysercet"
```

 After I have made the changes it's still giving me the same error in the messages log. Also when I restart the ipsec i get the following 

```
 * Stopping IPSEC ... ...

ipsec_setup: Stopping Openswan IPsec...                                        [ ok ]

 * Starting IPSEC ... ...

ipsec_setup: Starting Openswan IPsec U2.3.1/K2.6.13-gentoo-r5...

ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack      [ ok ]
```

----------

## dashnu

Try your external IP instead of 0.0.0.0.

----------

## dtmf

I tried it with my internal IP address, then tried to connect from inside my network. Still have the same problem.

----------

## dashnu

You cannot do that. The virtual_private line says not to allow that. This is needed. You need to test externally.

```
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

```

That says allow those IP ranges except 192.168.1.0/24.

What is your internal net?
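The virtual_private rule dashnu describes (accept the listed private ranges, minus the server's own LAN) is easy to get wrong, so here is an added example, my code rather than anything from the thread or from Openswan, that parses a virtual_private= value and answers "would this NATed client's private address be accepted as vhost:%priv?". The accept/exclude reading follows ipsec.conf(5); the lint checks are this script's own. The two values used are the ones dtmf and Overpeer posted.

```python
"""Evaluate an Openswan virtual_private= value: a NATed client's private
address is accepted when it lies inside one of the %v4: ranges and inside
none of the %v4:! exclusions.

Added example, not from the thread or from Openswan.
"""
import ipaddress


def parse_virtual_private(spec):
    """Split a virtual_private string into (included, excluded) IPv4 nets."""
    included, excluded = [], []
    for item in spec.split(','):
        item = item.strip()
        if not item:
            continue
        if item.startswith('%v6:'):          # IPv6 entries are not handled here
            continue
        if not item.startswith('%v4:'):
            raise ValueError('unsupported virtual_private entry: %r' % item)
        body = item[4:]
        target = excluded if body.startswith('!') else included
        target.append(ipaddress.ip_network(body.lstrip('!'), strict=False))
    return included, excluded


def virtual_private_allows(spec, addr):
    """True if a client behind NAT at private address addr would be accepted
    by rightsubnet=vhost:%priv under this spec; exclusions win."""
    included, excluded = parse_virtual_private(spec)
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in included)


def _inside(lan, net):
    return lan.network_address in net and lan.broadcast_address in net


def lint_virtual_private(spec, server_lan):
    """Findings for a spec given the server's own LAN, e.g. '192.168.1.0/24'.

    Two things the thread ran into: the server's LAN must be excluded with
    %v4:!<lan> (dashnu's advice), and %v4:0.0.0.0/0 makes every address on
    the Internet count as 'private'.
    """
    out = []
    included, excluded = parse_virtual_private(spec)
    lan = ipaddress.ip_network(server_lan, strict=False)
    covered = any(lan.overlaps(net) for net in included)
    if covered and not any(_inside(lan, net) for net in excluded):
        out.append('server LAN %s is inside virtual_private but not excluded; '
                   'add %%v4:!%s' % (lan, lan))
    for net in included:
        if net.prefixlen == 0:
            out.append('%s treats every address as private; '
                       'list the RFC 1918 ranges instead' % net)
    return out


# Values posted in the thread.
DTMF = '%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24'
OVERPEER = '%v4:182.0.20.0/24,%v4:192.168.1.0/24,%v4:0.0.0.0/0'

if __name__ == '__main__':
    for spec in (DTMF, OVERPEER):
        print(spec)
        for client in ('192.168.15.102', '192.168.1.5', '8.8.8.8'):
            print('  %-16s -> %s' % (client, virtual_private_allows(spec, client)))
        for f in lint_virtual_private(spec, '192.168.1.0/24'):
            print('  finding:', f)
```

With dtmf's value, a client coming from 192.168.1.5 is refused, which is why dashnu says testing from inside the 192.168.1.0/24 LAN cannot work; with Overpeer's value, the `%v4:0.0.0.0/0` entry accepts any address at all and the server's own 192.168.1.0/24 is never excluded, the two things dashnu's reply asks him to change.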

----------

## dtmf

Oh ok. I will have to test then when I am on an internet connection outside of my network. I will let you know how that goes when I do that.

----------

## Henning Rogge

 *dashnu wrote:*   

> I assume you have dhcp from your isp? If so this may work however you would need to change the secrets file each time your ip changed.. worth a try anyways.

 

Not good...  :Sad: 

Hmm, I'm using dyndns, can I place an address like mydns.dyndns.org into my secrets file?

----------

## Overpeer

Hi!!

I'm trying to config a VPN with this great HOWTO.

I have :

|MyWinClient@192.168.15.102|---192.168.15.X/24 ---|Router|---81.202.x.x---|Internet|---80.33.x.x---|Router|---192.168.1.x/24---|GentooBox@192.168.1.88|---10.0.0.0/24(SecureNetwork)

I can connect to the VPN on the Gentoo box from 192.168.1.9 and access the secure net 10.0.0.0 without problems, but... I can't connect from MyWinClient with the same configuration  :Neutral: 

I modified the registry value for NAT-T, and indicated NAT-T in my ipsec.conf. I mapped the ports 500, 4500 and 1701 to my gentoo box.

```

Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]

Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]

Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106

Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]

Aug 26 16:41:27 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: responding to Main Mode from unknown peer 81.202.x.x

Aug 26 16:41:27 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

Aug 26 16:41:27 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: STATE_MAIN_R1: sent MR1, expecting MI2

Aug 26 16:41:28 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed

Aug 26 16:41:28 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

Aug 26 16:41:28 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: STATE_MAIN_R2: sent MR2, expecting MI3

Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: Main mode peer ID is ID_FQDN: '@catarroj-y69axu'

Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: deleting connection "Usuario-VPN" instance with peer 81.202.x.x {isakmp=#0/ipsec=#0}

Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: I did not send a certificate because I do not have one.

Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

Aug 26 16:41:29 localhost pluto[6722]: | NAT-T: new mapping 81.202.x.x:500/4500)

Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}

Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: cannot respond to IPsec SA request because no connection is known for 80.33.x.x/32===192.168.1.88:17/1701...81.202.x.x[@catarroj-y69axu]:17/1701

Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_ID_INFORMATION to 81.202.x.x:4500

Aug 26 16:41:30 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)

Aug 26 16:41:30 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500

Aug 26 16:41:32 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)

Aug 26 16:41:32 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500

Aug 26 16:41:36 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)

Aug 26 16:41:36 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.2.36:4500

Aug 26 16:41:45 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)

Aug 26 16:41:45 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500

Aug 26 16:42:01 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)

Aug 26 16:42:01 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500

Aug 26 16:42:33 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: received Delete SA payload: deleting ISAKMP State #3

Aug 26 16:42:33 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x: deleting connection "Usuario-VPN" instance with peer 81.202.x.x {isakmp=#0/ipsec=#0}

Aug 26 16:42:33 localhost pluto[6722]: packet from 81.202.x.x:4500: received and ignored informational message

```

My ipsec.conf :

```
version 2.0 # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:182.0.20.0/24,%v4:192.168.1.0/24,%v4:0.0.0.0/0

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        ikelifetime=240m
        keylife=60m

conn Usuario-VPN
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/1701
        rightid=0.0.0.0
        #leftid=
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

My ipsec.secrets:

```

192.168.1.88 %any: PSK "secret1"

192.168.1.88 : PSK "secret2"

%any %any: PSK "secret1"

```

And my versions:

```

sys-apps/gawk-3.1.3-r2

net-misc/openswan-2.4.4

net-dialup/l2tpd-0.70_pre20031121

net-firewall/ipsec-tools-0.6.2-r1

```

I know that the problem is in the ipsec.conf because I didn't study this file well. Is there a good explanation of ipsec.conf?  :Smile:  ... or some basic help? I'm going crazy with this.

Regards.

----------

## dashnu

Change your virtual private line add your internal subnet with a "!".  Mine is 192.168.1.0/24 so I have a 

```
%v4:!192.168.1.0/24
```

  at the end of the line.

Also in your ipsec.secrets test with a single entry first. It should also be the External IP of the VPN Server. So use the first line in your ipsec.secrets and change that to your external ip.
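Nearly every failure posted in this thread shows up as one of a handful of fixed message texts in /var/log/messages (Michael Chen's pppd discipline error, rdvrey's "cannot have RSA key", dtmf's "no connection has been authorized", Overpeer's "no connection is known for ..."). The script below is an added example, my code and not part of the thread or of Openswan, that parses both the metalog (`[pluto] ...`) and syslog (`host pluto[pid]: ...`) line shapes seen above and maps those messages to the remedy the thread reached. The sample lines are constructed from the posted logs with documentation addresses substituted; the hints are my summary of the thread, not anything pluto prints.

```python
"""Triage Openswan/pluto, l2tpd and pppd lines from /var/log/messages.

Added example, not part of the thread. The regexes match message texts
that appear verbatim in the logs posted above; the hint on each rule is
the remedy the thread arrived at (or general Openswan config guidance
where noted), not something pluto itself reports.
"""
import re

# (name, regex on the message text, hint for the operator or None)
RULES = [
    ('rsa_key_for_any', re.compile(r'ID "%any" cannot have RSA key'),
     'the conn is using RSA auth for a %any peer; PSK setups need '
     'authby=secret (rdvrey worked around it with rightid=0.0.0.0)'),
    ('no_conn_authorized',
     re.compile(r'initial Main Mode message received on (\S+) but no '
                r'connection has been authorized'),
     'no loaded conn matches the peer: check the conn has auto=add and '
     'right=%any, and that ipsec.secrets names the address pluto listens on'),
    ('no_conn_known',
     re.compile(r'cannot respond to IPsec SA request because no connection '
                r'is known for (.+)$'),
     'Quick Mode selector matched no conn; compare it with left/rightprotoport '
     'and, behind NAT, with virtual_private (dashnu: add %v4:!<your LAN>)'),
    ('nat_t_result', re.compile(r'NAT-Traversal: Result using [^:]+: (.+)$'), None),
    ('phase1_ok', re.compile(r'ISAKMP SA established'), None),
    ('ppp_discipline', re.compile(r"Couldn't set tty to PPP discipline"),
     'pppd/kernel PPP mismatch; Michael Chen fixed it by re-emerging '
     'net-dialup/ppp with the listed USE flags'),
    ('no_chap_secret', re.compile(r"couldn't find any suitable secret"),
     'no chap-secrets line matches the peer name; check /etc/ppp/chap-secrets'),
]

# metalog:  Sep 18 22:44:20 [pluto] msg
# syslog:   Sep 30 21:56:47 bridge1 pluto[5299]: msg   /  ... ipsec_setup: msg
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) '
    r'(?:(?P<host>[^\s\[]\S*) )?'
    r'(?:\[(?P<prog1>[\w.-]+)\]|(?P<prog2>[\w.-]+)(?:\[\d+\])?:) '
    r'(?P<msg>.*)$')


def parse_line(line):
    """Return (timestamp, host or None, program, message) or None."""
    m = LINE.match(line)
    if not m:
        return None
    prog = m.group('prog1') or m.group('prog2')
    return m.group('ts'), m.group('host'), prog, m.group('msg')


def triage(lines):
    """Summarise one connection attempt's worth of log lines."""
    report = {'phase1_ok': False, 'nat_t': None, 'findings': [], 'unparsed': 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            report['unparsed'] += 1
            continue
        ts, host, prog, msg = parsed
        for name, rx, hint in RULES:
            m = rx.search(msg)
            if not m:
                continue
            if name == 'phase1_ok':
                report['phase1_ok'] = True
            elif name == 'nat_t_result':
                report['nat_t'] = m.group(1)
            else:
                detail = m.group(1) if m.groups() else ''
                finding = (name, prog, detail, hint)
                if finding not in report['findings']:
                    report['findings'].append(finding)
    return report


# Constructed sample, modelled on Overpeer's and Michael Chen's logs.
SAMPLE = """\
Aug 26 16:41:27 localhost pluto[6722]: packet from 192.0.2.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 26 16:41:28 localhost pluto[6722]: "Usuario-VPN"[3] 192.0.2.10 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 192.0.2.10 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 192.0.2.10 #3: cannot respond to IPsec SA request because no connection is known for 198.51.100.5/32===192.168.1.88:17/1701...192.0.2.10[@client]:17/1701
Sep 18 22:44:22 [pppd] Couldn't set tty to PPP discipline: Invalid argument
""".splitlines()

if __name__ == '__main__':
    r = triage(SAMPLE)
    print('phase 1 established:', r['phase1_ok'], '| NAT-T:', r['nat_t'])
    for name, prog, detail, hint in r['findings']:
        print('%s (%s) %s\n    -> %s' % (name, prog, detail, hint))
```

Feed it `triage(open('/var/log/messages').readlines())` after one failed client attempt. The useful distinction is between "phase 1 established" with a `no_conn_known` finding (the PSK and NAT-T are fine, the conn selectors or virtual_private are wrong, Overpeer's case) and no phase 1 at all with `no_conn_authorized` (nothing matched the peer in the first place, dtmf's case).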

----------

## Overpeer

Thanks, I'll try now.

----------

## khuongdp

I followed the tutorial and got it working in some way. My network is like this:

client(192.168.0.4)<-->(192.168.0.1)Router(x.x.x.x)<-->Internet<-->(x.x.x.x)Router(192.168.0.1)<-->(192.168.0.2)Firewall/dhcp(192.168.10.1)

<----->(192.168.10.2)Client1

<----->(192.168.10.3)Client2

<----->(192.168.10.4)Client3 

Both the client and server are behind NAT.

I can connect to the VPN and ping/ssh to my firewall/dhcp machine. But when I try to ping/ssh Client1-3 I get a timeout. I can ping/ssh Client1-3 fine through my Firewall/dhcp machine.

I think there is something wrong with my iptables rules.

```
# vpn
# Interface/address variables used below; the post does not show where they
# are set, so placeholders are assumed here (adjust to your host).
WAN_MIC=${WAN_MIC:-eth0}
WAN_IP=${WAN_IP:-192.168.0.2}
PERSONAL_LAN_IP_NET=${PERSONAL_LAN_IP_NET:-192.168.10.0/24}

# IKE (500/udp) and NAT-T (4500/udp). The original also opened 4500/tcp,
# which L2TP/IPsec never uses, so those two rules are dropped.
iptables -A INPUT  -m state --state NEW -p udp --dport 500  -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p udp --dport 500  -j ACCEPT
iptables -A INPUT  -m state --state NEW -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p udp --dport 4500 -j ACCEPT

# ppp+ are the per-user interfaces l2tpd/pppd create
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A OUTPUT  -o ppp+ -j ACCEPT

# ---------------------------------------------------------------------------------
# ESP encryption and authentication
# Allow ESP traffic from/to gateway
iptables -A INPUT  -i $WAN_MIC -p esp -j ACCEPT
iptables -A OUTPUT -o $WAN_MIC -p esp -j ACCEPT

# Tag incoming IPsec traffic. The mark stays on the packet after the kernel
# decapsulates it, so the decrypted inner packet can be told apart from
# plaintext arriving on the same interface.
iptables -t mangle -A PREROUTING -i $WAN_MIC -p esp -j MARK --set-mark 1

# Forward authenticated (marked) traffic to the LAN.
iptables -A FORWARD -i $WAN_MIC -m mark --mark 1 -d $PERSONAL_LAN_IP_NET -j ACCEPT

# SNAT everything apart from ESP traffic. "! -p esp" is the current syntax;
# "-p ! esp" is the obsolete form that newer iptables rejects.
iptables -t nat -A POSTROUTING -o $WAN_MIC ! -p esp -j SNAT --to-source $WAN_IP
```

----------

## dashnu

My chains. (I use a DROP-all firewall and create special rules for my VPN users.)

INPUT extif

```
$IPT -A external-vpn-traffic -i $EXTIF -m mark --mark 1 -j ACCEPT
$IPT -A external-vpn-traffic -d $EXTIP -p udp -m udp --dport 4500 -j ACCEPT
$IPT -A external-vpn-traffic -d $EXTIP -p udp -m udp --dport 500 -j ACCEPT
$IPT -A external-vpn-traffic -p esp -j ACCEPT
```

OUTPUT

```
$IPT -A allow-l2tp-traffic-out -s $EXTIP -p udp -m udp --sport 1701 -j ACCEPT
$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 500 -j ACCEPT
$IPT -A allow-esp-traffic-out -p esp -j ACCEPT
```

A PPP rule.

```
$IPT -A allow-www-traffic-out -o $VPN -p tcp --dport http -j ACCEPT
```

PREROUTING

```
$IPT -t mangle -A PREROUTING -i $EXTIF -p esp -j MARK --set-mark 1
```

Sorry I did not get back to you sooner. This post seemed to vanish from my "your posts" list.
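
The two posts above give pieces of a DROP-all rule set for an L2TP/IPsec gateway (IKE/NAT-T ports, raw ESP, a mark set in PREROUTING so the decapsulated L2TP packet can be told apart from plaintext, and per-user ppp+ forwarding). The script below is an added example, not code from either poster, that generates the whole set in one place. Interface name, addresses, LAN subnet and the default of printing the rules instead of applying them are assumptions; set IPT=iptables to apply for real. It assumes the usual ESTABLISHED,RELATED rules and net.ipv4.ip_forward=1 are already in place.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for an openswan + l2tpd
# gateway whose INPUT/OUTPUT/FORWARD policies are DROP.
# Assumed values; override from the environment. With the default IPT the
# rules are only printed, which is also what the self-test below relies on.
IPT=${IPT:-"echo iptables"}
EXTIF=${EXTIF:-eth1}
EXTIP=${EXTIP:-203.0.113.10}
LAN_NET=${LAN_NET:-10.0.0.0/24}

vpn_rules() {
    # 1. IKE and NAT-T, addressed to the gateway only
    $IPT -A INPUT -i "$EXTIF" -d "$EXTIP" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -d "$EXTIP" -p udp --dport 4500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p udp --sport 500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p udp --sport 4500 -j ACCEPT

    # 2. Raw ESP for clients that are not behind NAT
    $IPT -A INPUT -i "$EXTIF" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p esp -j ACCEPT

    # 3. Mark ESP and ESP-in-UDP (NAT-T) on arrival. The kernel decapsulates
    #    the packet and the inner L2TP datagram re-enters the INPUT path on
    #    the same interface still carrying the mark, so rule 4 only accepts
    #    L2TP that really came through IPsec.
    $IPT -t mangle -A PREROUTING -i "$EXTIF" -p esp -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -i "$EXTIF" -p udp --dport 4500 -j MARK --set-mark 1

    # 4. L2TP (1701/udp) only when marked; plaintext L2TP from the outside is dropped
    $IPT -A INPUT -i "$EXTIF" -d "$EXTIP" -p udp --dport 1701 -m mark --mark 1 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p udp --sport 1701 -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p udp --dport 1701 -j DROP

    # 5. Per-user ppp interfaces: clients may reach the LAN and the gateway;
    #    LAN hosts only get replies back to the client (stateful)
    $IPT -A FORWARD -i ppp+ -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i ppp+ -j ACCEPT

    # 6. Masquerade only the LAN's own traffic to the Internet, never ESP
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXTIF" ! -p esp -j SNAT --to-source "$EXTIP"
}

vpn_rules
```

Two things the rule set cannot fix on its own: LAN hosts need a return route for the ppp address range (the proxyarp option in options.l2tpd only does that when the range is carved out of the LAN subnet, which is why a client can reach the gateway but not the hosts behind it), and on kernels that ship the policy match, `-m policy --dir in --pol ipsec --proto esp` can replace the mark trick in rule 3/4 with an explicit "this packet was decapsulated by IPsec" test.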

----------

## johnny_martins00

Does anyone know how to set up a VPN using this protocol, L2TP/IPsec, but with 2 machines running Linux, Gentoo of course  :Very Happy: .

Thk

----------

## dashnu

Be more specific: run ipsec on one machine and l2tpd on another?? No idea what you mean.

----------

## johnny_martins00

Using the protocol IPsec/L2TP on 2 Unix machines. Usually the server machine is Unix and the client side Windows, but I was wondering if it's possible to apply the protocol on 2 Unix machines??

Thk

----------

## dashnu

I think it is possible to do that, but why? Just use a straight IPsec conn using RSA keys. Tons of documents on the web for that.

----------

## Lex_Brugman

I've got a Gentoo box directly connected to the internet running shorewall as router; my internal network is in the 10.0.0.0 range and my Gentoo box has 10.0.0.1 as its internal IP. The external IP will be referred to as 123.123.123.123 and the client as 321.321.321.321.

But if i try to connect with a winxp client after following this guide /var/log/messages reports the following:

```
Jul  5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul  5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul  5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul  5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: responding to Main Mode from unknown peer 321.321.321.321
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: Main mode peer ID is ID_IPV4_ADDR: '321.321.321.321'
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: I did not send a certificate because I do not have one.
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: responding to Quick Mode {msgid:b3182fba}
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul  5 23:47:12 server Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:11:d8:42:7b:3c:00:0e:a6:c4:77:e6:08:00 SRC=321.321.321.321 DST=123.123.123.123 LEN=127 TOS=0x00 PREC=0x00 TTL=128 ID=24651 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xfcc245c6 <0x6d27ab20 xfrm=3DES_0-HMAC_MD5 NATD=321.321.321.321:500 DPD=none}
Jul  5 23:47:13 server Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:11:d8:42:7b:3c:00:0e:a6:c4:77:e6:08:00 SRC=321.321.321.321 DST=123.123.123.123 LEN=127 TOS=0x00 PREC=0x00 TTL=128 ID=24657 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul  5 23:47:15 server Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:11:d8:42:7b:3c:00:0e:a6:c4:77:e6:08:00 SRC=321.321.321.321 DST=123.123.123.123 LEN=127 TOS=0x00 PREC=0x00 TTL=128 ID=24659 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul  5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received Delete SA(0xfcc245c6) payload: deleting IPSEC State #2
Jul  5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received and ignored informational message
Jul  5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received Delete SA payload: deleting ISAKMP State #1
Jul  5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321: deleting connection "roadwarrior-l2tp" instance with peer 321.321.321.321 {isakmp=#0/ipsec=#0}
Jul  5 23:47:19 server pluto[28628]: packet from 321.321.321.321:500: received and ignored informational message
```

It looks like shorewall blocks the l2tp traffic, while shorewall should not block anything from the vpn interface?

These are all the relevant configs:

/etc/shorewall/interfaces:

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     eth0            detect          dhcp
vpn     ppp+            detect          dhcp
net     eth1            detect          dhcp,routefilter,logmartians,norfc1918,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/zones:

```
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
loc     ipv4
vpn     ipsec
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

/etc/shorewall/tunnels:

```
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
ipsecnat                net     0.0.0.0/0       vpn
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/policy:

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
#Source net
net             all             DROP            info
#Source loc:
loc             net             ACCEPT
loc             vpn             ACCEPT
loc             fw              ACCEPT
#Source vpn:
vpn             loc             ACCEPT
vpn             net             ACCEPT
vpn             fw              ACCEPT
#Source fw:
fw              net             ACCEPT
fw              vpn             ACCEPT
fw              loc             ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

/etc/ipsec/ipsec.conf:

```
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=10.0.0.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

/etc/ipsec/ipsec.secrets:

```
123.123.123.123 %any: PSK "abcdabcdabcdabcdabcdabcdabcdabcdabcd"
```

/etc/ppp/options.l2tpd:

```
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
ms-wins 10.0.0.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
lock
debug
proxyarp
connect-delay 5000
silent
```

/etc/ppp/chap-secrets:

```
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
lex             *       "password"                10.0.0.0/24
*               lex     "password"                10.0.0.0/24
```

/etc/l2tpd/l2tpd.conf:

```
[global]
port = 1701

[lns default]
ip range = 10.0.0.200-10.0.0.254
local ip = 10.0.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
```

----------

## dashnu

I do not use shorewall, but it looks to me as if you are blocking 1701/udp, which is l2tpd.

Also, in your virtual_private line you want to exclude your network.

local ip = 10.0.0.1 in l2tpd.conf should be changed to an unused IP address that your l2tpd can claim.

You could trim down your ipsec.conf also.

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file:  /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
       interfaces=%defaultroute
       klipsdebug=none
       plutodebug=none
       overridemtu=1410
       nat_traversal=yes
       virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24

conn %default
       keyingtries=3
       compress=no
       disablearrivalcheck=no
       keyexchange=ike
       ikelifetime=240m
       keylife=60m

conn roadwarrior-osx-xp
       leftprotoport=17/1701
       rightprotoport=17/%any
       rekey=no
       also=roadwarrior

conn roadwarrior
       authby=secret
       pfs=no
       type=tunnel
       left=%defaultroute
       right=%any
       rightsubnet=vhost:%no,%priv
       auto=add

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

This will work for Windows and OSX.

I am working on a howto on my site but it is coming along slower than I would like.

----------

## Quinny

Any pointers to a Linux client setup?

My VPN server has been working perfectly for about one and a half years now; in the beginning I used to have to restart the ipsec daemon periodically, but I fixed that about a year ago. Windows clients can connect, disconnect and reconnect as often as they like; it's really stable.

The only thing is connections aren't dropped soon enough when a connection breaks. For example: wireless LAN dies, Windows says "VPN connection disabled", but I can't reconnect, because ipsec or l2tp still thinks I'm logged in, so I have to restart the daemon to drop it manually. But I can't do that when other people are using the VPN too, of course...

But I'm going off-topic in my own post, I'd really like to use my Linux laptop as a client for my VPN, any help? Links to documentation?

<edit>

OK, found some documentation, tried it > My VPN server is running openswan 2.3.0; portage currently only has 2.4.4. They don't seem to be compatible: when I try to connect to the server, the server crashes (something about SHA1 not being implemented).

It says it'll restart itself but then doesn't do that because of an error in the script somewhere so I have to restart it manually.

Copied the older version from the server to the client, including patches and stuff, but it won't compile. The other VPN is in production use (the one that crashed) so I'm not even going to try and update that one at the moment (don't know who are using it atm..)

In any case, a linux client for this VPN setup seems harder than it is  :Wink: 

----------

## dashnu

I was not able to get this to work, I was pointing the problems at SELINUX though.

Try this type of config for Linux to Linux...

I do not have the right's config because I do not have that box anymore. I was able to make the connection; however, it seemed the routing was not correct.

```
conn roadwarrior-gentoo
        authby=rsasig
        left=<external-ip>
        leftid=@vpn
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0sAQNxbQYtVgyoDeqk0eFtXZiwN3DC(cut)
        right=%any
        rightid=@lappy
        rightsubnet=10.0.0.0/24
        rightrsasigkey=0sAQN2eCQDz1U6/9ZgkwQI+VP0ITqYtK(cut)
        auto=add
```

Good luck..

Also to everyone I am not updating this anymore here.. I have a new version on http://teh.sh.nu/HowTo

Right now it is just psk ipsec/l2tp but soon will have linux to linux connect and A subnet passthrough for remote offices.

----------

## plut0

I followed the tutorial at http://teh.sh.nu/HowTo, but I cannot connect.  When I try to connect the client just "hangs".  Eventually it times out with this message: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." OR "The L2TP connection attempt failed because security negotiation timed out."  The client is running Windows XP SP2.  I am connecting internally and shut down the firewall for debugging purposes.

I am at a loss on how to debug this.  I know very little about openswan and how to log events.  If anyone can point me in the right direction I will post more information.

Thanks!

----------

## dashnu

If you are using the default logging setup on Gentoo (syslog-ng) all logging will go to /var/log/messages.

```
tail -f /var/log/messages
```

while trying to connect to the server. Post the relevant lines.

----------

## plut0

I deleted my configs and copy/pasted everything again... now I can connect.  Must have been a typo somewhere!

----------

## dashnu

Cool, I think you're the first one to test my howto on my page. Glad it works well for you.

-Brett

----------

## khuongdp

Anybody tried openswan-2.4.6 ...ebuild?

----------

## dashnu

@khuongdp : No I have not.

Other news:

In the FWIW department, I was able to establish a Linux-to-Linux roadwarrior connection.

Notice left == local on both ends.

Server / Gateway

```
conn linux-to-linux
        authby=rsasig
        left=<external ip>
        leftid=@vpn.domain.net
        leftsubnet=172.17.170.0/24
        leftrsasigkey=0sAQOapWmExxxx.....
        right=%any
        rightid=@road.you.com
        rightsubnet=vhost:%no,%priv
        rightrsasigkey=0sAQN/WxhRxxxx......
        auto=ignore
```

Client

```
conn linux-to-linux
        authby=rsasig
        right=<external ip>
        rightid=@vpn.domain.net
        rightsubnet=172.17.170.0/24
        rightrsasigkey=0sAQOapWmExxxx.......
        left=%defaultroute
        leftid=@road.you.com
        leftrsasigkey=0sAQN/WxhRxxxx.......
        auto=add
```

Problems...

The leftid/rightid do not appear to be working. With this conn set to auto=add an XP roadwarrior will try to use it and of course not be able to connect.

Firewall rules: I run iptables DROP ALL policies on this box and firewall rules are proving to be a pain. Looks like it needs forward rules from the external interface to the internal interface; however, that opens up your network. Need to get by that.

If anyone out there is following this thread and wants to mess with this and try to figure out why the ids are not being used properly that would be great.

----------

## newfangled

I've been playing with this for a while now.. (actually I tried a few months ago but then gave up and have been too busy until now) I've followed the new HOWTO (thanks btw) but can't get things working. I have both client and server behind NAT routers. But really I don't expect to know anything about the client's IP, routing etc.. for testing I do, but under normal circumstances it's down to whatever the hotel/coffee shop thinks is best   :Wink: 

I've spent a good couple of days on Google and there is so much information (some conflicting) but mostly related to multi-homed hosts and not NAT-T nastiness.

I've applied the registry change to the Windows XP test client and plan to have OS X and XP SP2 clients. Here are the versions of my gentoo software:

```
[root@oak ~]# emerge -pv openswan ppp xl2tpd ipsec-tools

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-misc/openswan-2.4.4  0 kB
[ebuild   R   ] net-dialup/ppp-2.4.3-r16  USE="gtk ipv6 pam -activefilter -atm -dhcp -eap-tls -mppe-mppc -radius" 0 kB
[ebuild   R   ] net-dialup/xl2tpd-1.1.05  0 kB
[ebuild   R   ] net-firewall/ipsec-tools-0.6.3  USE="ipv6 pam readline -idea -rc5 (-selinux)" 0 kB
```

Here's my ipsec.conf: (note for the purposes of this forum 1.2.3.4 is the WAN address on the server's router and 192.168.99.1 is the LAN side of the router. The server has 192.168.99.2 and the remote client is behind a router with a WAN IP of 5.6.7.8 and the remote subnet is DIFFERENT at 192.168.2.0/24)

```
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.99.0/24

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        authby=secret
        pfs=no
        type=tunnel

conn roadwarrior-net
        leftsubnet=192.168.99.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-osx-xp
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

# Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

I've tried every combination of left, leftid, leftnexthop etc.. and with and without those roadwarrior-net|all entries.

Here's the log:

```
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 22 00:36:00 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: responding to Main Mode from unknown peer 5.6.7.8
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: Main mode peer ID is ID_FQDN: '@sequioa'
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: deleting connection "roadwarrior" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: I did not send a certificate because I do not have one.
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: cannot respond to IPsec SA request because no connection is known for 1.2.3.4/32===192.168.99.2:17/1701...5.6.7.8[@sequioa]:17/1701
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: sending encrypted notification INVALID_ID_INFORMATION to 5.6.7.8:4500
Nov 22 00:36:02 [pluto] "roadwarrior"[2] 5.6.7.8 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x255feb6a (perhaps this is a duplicated packet)
```

I have only had success using the following in my roadwarrior config (and eliminating any conflicting parts obviously):

```
...
       left=%defaultroute
       leftsubnet=1.2.3.4/32
       right=%any
       rightsubnet=vhost:%no,%priv
       auto=add
...
```

When using this ipsec.conf I see the following in my log:

```
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 21 22:58:45 [pluto] packet from 5.6.7.8:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: responding to Main Mode from unknown peer 5.6.7.8
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 21 22:58:45 [pluto] "roadwarrior"[7] 5.6.7.8 #7: Main mode peer ID is ID_FQDN: '@sequioa'
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: deleting connection "roadwarrior" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: I did not send a certificate because I do not have one.
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 21 22:58:45 [pluto] "roadwarrior"[8] 5.6.7.8 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 21 22:58:46 [pluto] "roadwarrior"[8] 5.6.7.8 #7: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: responding to Quick Mode {msgid:a74830e0}
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 21 22:58:46 [pluto] "roadwarrior-osx-xp"[4] 5.6.7.8 #8: STATE_QUICK_R2: IPsec SA established {ESP=>0x66f2baa9 <0xa6018990 xfrm=3DES_0-HMAC_MD5 NATD=5.6.7.8:4500 DPD=none}
Nov 21 22:58:53 [l2tpd] Maximum retries exceeded for tunnel 44988.  Closing.
Nov 21 22:58:53 [l2tpd] Connection 22 closed to 5.6.7.8, port 1701 (Timeout)
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: received Delete SA(0x66f2baa9) payload: deleting IPSEC State #8
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: deleting connection "roadwarrior-osx-xp" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: received and ignored informational message
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8 #7: received Delete SA payload: deleting ISAKMP State #7
Nov 21 22:58:58 [pluto] "roadwarrior"[8] 5.6.7.8: deleting connection "roadwarrior" instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
```

So this leads me to believe that at the very least my PSK and router setup is OK? However, I think things should work with the first version of ipsec.conf based on this forum and others, so my worry is I have been wasting all this time because openswan-2.4.4 doesn't really have the NAT-T patch despite it saying so in the logs??? Has anyone else used 2.4.4 successfully in a similar situation?

Thanks in advance for any help.
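
plut0 asked earlier how to start debugging a connect that just hangs, and the two logs above show the two most common shapes of a failure once IKE phase 1 succeeds: pluto finds no conn matching the selector the client proposes, or phase 2 completes and the L2TP packets are then rejected by the firewall or never acknowledged. The script below is an added example, not code from the thread, that does that first-pass reading of /var/log/messages for you. The tags it prints and the hints attached to them are this example's own; the two sample logs are constructed from lines quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage of pluto/l2tpd/firewall lines
# from /var/log/messages for a failed L2TP/IPsec connect. Reads a log from
# stdin or from the file given as $1 and prints one tagged line per finding.

ike_triage() {
    if [ $# -gt 0 ]; then log=$(cat "$1"); else log=$(cat); fi
    has()  { printf '%s\n' "$log" | grep -qF -- "$1"; }
    pick() { printf '%s\n' "$log" | sed -n "$1" | head -n 1; }

    nat=$(pick 's/.*NAT-Traversal: Result using [^:]*: //p')
    if [ -n "$nat" ]; then echo "NAT: $nat"; fi
    peer=$(pick 's/.*Main mode peer ID is //p')
    if [ -n "$peer" ]; then echo "PEER_ID: $peer"; fi

    # Phase 1: no ISAKMP SA means the PSK or the IKE transport (500/udp,
    # 4500/udp) is the problem and nothing later in the log matters.
    if has 'ISAKMP SA established'; then
        echo "P1_OK: ISAKMP SA established (PSK accepted, IKE reaches the server)"
    else
        echo "P1_FAIL: no ISAKMP SA; check ipsec.secrets and 500/4500 udp"
        return 0
    fi

    # Phase 2: pluto has no conn whose selectors match the client's proposal.
    # Typical when the server sits behind NAT and the client names the public
    # address, or when leftprotoport/rightprotoport do not fit.
    if has 'cannot respond to IPsec SA request because no connection is known for'; then
        sel=$(pick 's/.*no connection is known for //p')
        echo "P2_NOCONN: $sel"
        echo "  -> compare left/leftsubnet/leftprotoport in ipsec.conf with that selector"
    fi
    if has 'IPsec SA established'; then
        echo "P2_OK: IPsec SA established; a failure after this is L2TP/PPP, not IKE"
    fi

    # After phase 2 the decapsulated L2TP packet re-enters the filter as plain
    # UDP on the outside interface; a REJECT/DROP of DPT=1701 there means the
    # firewall, not openswan, kills the session.
    if printf '%s\n' "$log" | grep -E 'REJECT|DROP' | grep -q 'DPT=1701'; then
        echo "FW_BLOCKS_L2TP: firewall rejects 1701/udp on the outside interface"
        echo "  -> accept 1701/udp only when marked or policy-matched as IPsec"
    fi
    if has 'Maximum retries exceeded for tunnel'; then
        echo "L2TP_TIMEOUT: l2tpd control messages never acknowledged (outbound 1701/udp, NAT of decapsulated packets, MTU)"
    fi
    if has 'received Delete SA'; then
        echo "PEER_DELETED: the client tore the SAs down itself"
    fi
}

# Constructed sample: server behind NAT, client proposes the public address.
sample_log_noconn() {
    cat <<'EOF'
Nov 22 00:36:00 [pluto] "roadwarrior"[1] 5.6.7.8 #1: responding to Main Mode from unknown peer 5.6.7.8
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Nov 22 00:36:01 [pluto] "roadwarrior"[1] 5.6.7.8 #1: Main mode peer ID is ID_FQDN: '@sequioa'
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: cannot respond to IPsec SA request because no connection is known for 1.2.3.4/32===192.168.99.2:17/1701...5.6.7.8[@sequioa]:17/1701
Nov 22 00:36:01 [pluto] "roadwarrior"[2] 5.6.7.8 #1: sending encrypted notification INVALID_ID_INFORMATION to 5.6.7.8:4500
EOF
}

# Constructed sample: IPsec is fine, the firewall rejects the decapsulated L2TP.
sample_log_fwreject() {
    cat <<'EOF'
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: Main mode peer ID is ID_IPV4_ADDR: '321.321.321.321'
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul  5 23:47:12 server Shorewall:INPUT:REJECT:IN=eth1 OUT= SRC=321.321.321.321 DST=123.123.123.123 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul  5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xfcc245c6 <0x6d27ab20 xfrm=3DES_0-HMAC_MD5 NATD=321.321.321.321:500 DPD=none}
Jul  5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received Delete SA(0xfcc245c6) payload: deleting IPSEC State #2
EOF
}

# Run as-is to triage the two samples; for a live case:
#   ike_triage < /var/log/messages   or   ike_triage /var/log/messages
echo "== sample: server behind NAT, selector mismatch"
sample_log_noconn | ike_triage
echo "== sample: firewall rejects decapsulated L2TP"
sample_log_fwreject | ike_triage
```

Read the tags top down: a P1_FAIL stops the search at the PSK and the IKE ports; P2_NOCONN prints the exact selector pluto could not match, which is what to diff against the conn's left/leftsubnet/leftprotoport (the thread's fix of leftsubnet=1.2.3.4/32 is the left half of that selector); P2_OK followed by FW_BLOCKS_L2TP or L2TP_TIMEOUT moves the problem out of openswan and into the firewall or the l2tpd/ppp layer.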

----------

## VinzC

You should try OpenSwan 2.4.7 (actually masked by ~ARCH). It includes fixes for NAT-T [EDIT: client-side] implementations including those by Microsoft. Set leftnexthop to the LAN address of your internet router. I tried it and it works (well, almost) perfectly as I can make a successful connection to the NAT'ed server from my NAT'ed Windows workstation. Note my server currently crashes when the connection is closed but I might have just missed something.

Just my 2c.

----------

## newfangled

Thanks for the tip, I hadn't noticed the addition of the 2.4.7 ebuild since I got this up and running. I created an overlay for the 2.4.4 with the NAT-T patch added to the portage provided patch file and it works well with all my clients. My config files are as stated above and if anyone wants more information about the overlay I will provide it, but it wasn't difficult to figure it out.

I'll play with the masked ebuild and see if it is a better solution. I don't have a problem with crashes after disconnection so maybe it is something in the latest ebuild.

One thing I would say is that the connection can be really slow at times.. it can take a while just to refresh window contents of samba shares when viewed over the VPN. What kind of performance are other people seeing? How much upstream bandwidth do you have?

----------

## VinzC

I already experienced slow connections the first time I played with OpenSwan. Once the load increased the line seemed to drop down completely. You might be experiencing such kinds of problems.

As for the bandwidth I still have to do some more tests. But I must first get the server back on  :Laughing:  and it's about 25 miles from where I am ATM...

----------

## dashnu

I am thinking about trying the latest ~ openswan again. I had the same error as you, but I want to try your leftnexthop=lanip. You're scaring me a bit with the server "crashing"; can you explain what happens?

FWIW I have never had any speed issues.. 768k up 1M down.

----------

## newfangled

 *VinzC wrote:*   

> As for the bandwidth I still have to do some more tests. But I must first get the server back on  and it's about 25 miles from where I am ATM...

 

Heh so crashing after closing a session must be tons of fun for you   :Very Happy: 

I've done some more testing where I VNC (via ssh) to a client box and then connect to the VPN and it seems fine with one or two users (all I need) so there must have been another reason for the speed issues. The server is a Pentium D and it doesn't break a sweat but the ADSL at that site is only 256k UP 2M DOWN.

----------

## VinzC

Well, the server didn't crash. I saw from the logs this morning that it got back control again an hour and a half later. There were probably network problems at that very moment, a true coincidence. I made another connection attempt. Successful this time. So I have some more opportunities for testing later on  :Smile:  .

----------

## dashnu

Ah, Well I gave it a go anyways. All good on my end. Thanks for the info.

The Howto on my site is also now fully up to date and in sync with my current system.

----------

## VinzC

 *dashnu wrote:*   

> Ah, Well I gave it a go anyways. All good on my end. Thanks for the info.
> 
> The Howto on my site is also now fully up to date and in sync with my current system.

 

Good to know. BTW didn't you have to unmask (keyword) OpenSwan? I'm currently trying to setup OpenSwan as client; see you soon for feedback  :Smile:  .

Also, just a little note: would you mind not forcing a new window (using JScript) in your Howto? I know you can tweak Firefox to stay in single-window mode but it is best to let the visitor decide whether a new window or a new tab.

EDIT: Ah, yes, one more detail, I didn't have (until now) to duplicate lines (with user accounts and peer IP flipped) in /etc/ppp/chap.secrets. It seems to work correctly with user account in the leftmost column and the server (the star sign) in the second one. Maybe it's ppp-2.4.* specific  :Question: 

----------

## VinzC

As for the speed issues, a friend who has good knowledge of FreeSwan told me that the slowdown could be caused by exchanging packets of larger size. Since IPSEC encapsulates IP (correct?), unnecessary packet fragmentation might occur. If I understood correctly, one has to play a little with MTU values to fix the problem.

----------

## dashnu

 *VinzC wrote:*   

> Good to know. BTW didn't you have to unmask (keyword) OpenSwan? I'm currently trying to setup OpenSwan as client; see you soon for feedback  .

 

Yea I will update that.

 *VinzC wrote:*   

> Also, just a little note: would you mind not forcing a new window (using JScript) in your Howto? I know you can tweak Firefox to stay in single-window mode but it is best to let the visitor decide whether a new window or a new tab.

 

I am far from a web developer... and the response you will get from me is use the direct link.

 *VinzC wrote:*   

> EDIT: Ah, yes, one more detail, I didn't have (until now) to duplicate lines (with user accounts and peer IP flipped) in /etc/ppp/chap.secrets. It seems to work correctly with user account in the leftmost column and the server (the star sign) in the second one. Maybe it's ppp-2.4.* specific 

 

Interesting, I will mess around with this a bit. Thanks for the info.

As to the MTU stuff: I have been tinkering with it for about a month now. This can be a problem, especially with DSL users. One of my end-users' connection terminates while sending large packets. I have tried everything, fiddling with icmp filter, pmtu discovery... still no luck. I would question whether MTU could cause slowdown; I would think the fragmented packet would just get lost on either end. A side note: be careful when messing with MTU directly on your interfaces. You could lock yourself out.

----------

## VinzC

Hi again.

I've just made a successful connection between a NAT'ed OpenSwan server and:

NAT'ed Windows XP;

a Gentoo Linux client that is directly connected to the Internet.

I've followed Jacco de Leeuw's guide but it was incomplete to some extent. I've somehow guessed the missing information. The IPsec/secrets configuration has driven me mad but I've got it working now  :Twisted Evil:  . Here are my *client* configuration files for a road-warrior config   :Exclamation:  using PSK  :Exclamation:  .

```
#Openswan Secrets File
# Syntax:
# Client FQDNS/public IP address, Remote server internal IP, "PSK", shared secret
client.public.fqdns 1.2.3.4 : PSK "biglongl0ngsh@reds3cret"
```

Note: use client.public.fqdns if you have one, or your [fixed] public IP address (not quite road-warrior, I know). For instance I have subscribed to DynDNS since my IP address is variable and set by my ISP. If you don't have a fully qualified domain name and have a variable IP address, then... er... things get nasty; I haven't got that far yet.

1.2.3.4 is the LAN IP address of your VPN server (remember it's behind NAT)

```
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes       # server is behind NAT: IKE on UDP 500, ESP wrapped in UDP 4500
        nhelpers=0

# keep loopback traffic out of the IPsec policy
conn exclude-lo
        authby=never
        left=127.0.0.1
        leftsubnet=127.0.0.0/8
        right=127.0.0.2
        rightsubnet=127.0.0.0/8
        type=passthrough
        auto=route

conn L2TP-PSK-CLIENT
        authby=secret           # PSK from /etc/ipsec.secrets
        pfs=no
        rekey=no
        keyingtries=3
        type=transport          # L2TP/IPsec protects only the UDP 1701 flow, in transport mode
        left=%defaultroute
        leftid=client.public.fqdns
        leftprotoport=17/1701
        right=123.123.123.123   # server's public address (or FQDN), see note below
        rightid=1.2.3.4         # server's LAN address; must match the ID in ipsec.secrets
        rightsubnet=1.2.3.0/24
        rightprotoport=17/1701
        auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

Note: 123.123.123.123 is your VPN server's *public* IP address, but a fully qualified domain name can be used; the latter depends on proper DNS resolution. I used the FQDN (another DynDNS record) since my server's public IP is variable.

Address 1.2.3.4 refers to the VPN server's local IP in /etc/ipsec/ipsec.secrets.

Run `/etc/init.d/ipsec [re]start`. You can check that the IPsec link establishes properly:

```
104 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #3: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "L2TP-PSK-CLIENT" #3: received Vendor ID payload [Dead Peer Detection]
003 "L2TP-PSK-CLIENT" #3: received Vendor ID payload [RFC 3947] method set to=110
106 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TP-PSK-CLIENT" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
108 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "L2TP-PSK-CLIENT" #4: STATE_QUICK_I1: initiate
004 "L2TP-PSK-CLIENT" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1d12308b <0xda528de9 xfrm=AES_0-HMAC_SHA1 NATD=123.123.123.123:4500 DPD=none}
```

Next create the l2tp configuration file. I have installed (keyworded ~ARCH) xl2tpd 1.1.06 on both my server and client.

```
; /etc/xl2tpd/xl2tpd.conf on the client
; Connect as a client (LAC) to the VPN server. The lns value must resolve to the
; server's public address; this post uses its DynDNS name for it.
[lac L2TP-CLIENT]
lns = client.public.fqdns
require chap = yes
refuse pap = yes
require authentication = yes
; Name should be the same as the username in the PPP authentication!
name = pppusername
ppp debug = yes
pppoptfile = /etc/ppp/options-client.xl2tpd
length bit = yes
```

Now the global ppp client options file. (You must create a separate option file if you're also running a VPN server on the client machine.)

```
# /etc/ppp/options-client.xl2tpd
ipcp-accept-local        # take the address the server hands out
ipcp-accept-remote
noipdefault              # do not guess our own address; get one from the server's ip range
refuse-eap
noccp                    # no compression control protocol
noauth                   # do not demand that the server authenticate to us
# crtscts
idle 1800
mtu 1410                 # lowered to leave room for the L2TP/UDP/ESP overhead
mru 1410
nodefaultroute           # routes to the remote LAN are added by hand, see below
debug
lock
proxyarp                 # pointless on a client: gives "Cannot determine ethernet address for proxy ARP" in the log
connect-delay 5000
```

The noipdefault keyword is required to get an IP address from the range defined at the server's side (in the server's /etc/xl2tpd/xl2tpd.conf). Example:

```
; /etc/xl2tpd/xl2tpd.conf (server side, excerpt)
[global]
port = 1701

[lns default]
; addresses handed to clients, and the server's end of the PPP link
ip range = 1.2.3.200-1.2.3.209
local ip = 1.2.3.4
...
```

Run `/etc/init.d/xl2tpd [re]start` and finally create/edit the PPP secrets file:

```
# /etc/ppp/chap-secrets (client side); keep it root-only, mode 0600: the secret is stored in clear
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
pppusername     *       password                *
```

Initiate the connection with `echo "c L2TP-CLIENT" > /var/run/l2tp-control` (if the IPsec link is still active). Make sure module ppp_async is loaded:

```
ppp_async               7488  0
ppp_generic            15764  1 ppp_async
slhc                    5504  1 ppp_generic
crc_ccitt               1792  1 ppp_async
```

You should see something like this in the log:

```
Jan  3 23:30:42 athena xl2tpd[28453]: Connecting to host client.public.fqdns, port 1701
Jan  3 23:30:44 athena xl2tpd[28453]: Connection established to 123.123.123.123, 1701.  Local: 64636, Remote: 63141 (ref=0/0).
Jan  3 23:30:44 athena xl2tpd[28453]: Calling on tunnel 64636
Jan  3 23:30:44 athena xl2tpd[28453]: check_control: Received out of order control packet on tunnel 63141 (got 0, expected 1)
Jan  3 23:30:44 athena xl2tpd[28453]: handle_packet: bad control packet!
Jan  3 23:30:44 athena xl2tpd[28453]: check_control: Received out of order control packet on tunnel 63141 (got 0, expected 1)
Jan  3 23:30:44 athena xl2tpd[28453]: handle_packet: bad control packet!
Jan  3 23:30:44 athena xl2tpd[28453]: Call established with 123.123.123.123, Local: 19192, Remote: 12178, Serial: 3 (ref=0/0)
Jan  3 23:30:44 athena pppd[32172]: pppd 2.4.4 started by root, uid 0
Jan  3 23:30:44 athena pppd[32172]: using channel 4
Jan  3 23:30:44 athena pppd[32172]: Using interface ppp0
Jan  3 23:30:44 athena pppd[32172]: Connect: ppp0 <--> /dev/pts/3
Jan  3 23:30:44 athena pppd[32172]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic 0x2d3cf00b> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: rcvd [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MD5> <magic 0xaab13ac0> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: sent [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MD5> <magic 0xaab13ac0> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: rcvd [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <magic 0x2d3cf00b> <pcomp> <accomp>]
Jan  3 23:30:44 athena pppd[32172]: rcvd [CHAP Challenge id=0xda <2f8e0cb3fc5e533ac4c506565703f73bb839>, name = "LinuxVPN"]
Jan  3 23:30:44 athena pppd[32172]: sent [CHAP Response id=0xda <d6a439dac48ec8cd8a03eddd11702f63>, name = "pppusername"]
Jan  3 23:30:45 athena pppd[32172]: rcvd [CHAP Success id=0xda "Access granted"]
Jan  3 23:30:45 athena pppd[32172]: CHAP authentication succeeded: Access granted
Jan  3 23:30:45 athena pppd[32172]: CHAP authentication succeeded
Jan  3 23:30:45 athena pppd[32172]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
Jan  3 23:30:45 athena pppd[32172]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 1.2.3.4>]
Jan  3 23:30:45 athena pppd[32172]: sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr 1.2.3.4>]
Jan  3 23:30:45 athena pppd[32172]: rcvd [IPCP ConfNak id=0x1 <addr 1.2.3.200>]
Jan  3 23:30:45 athena pppd[32172]: sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 1.2.3.200>]
Jan  3 23:30:45 athena pppd[32172]: rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 1.2.3.200>]
Jan  3 23:30:45 athena pppd[32172]: Cannot determine ethernet address for proxy ARP
Jan  3 23:30:45 athena pppd[32172]: local  IP address 1.2.3.200
Jan  3 23:30:45 athena pppd[32172]: remote IP address 1.2.3.4
Jan  3 23:30:45 athena pppd[32172]: Script /etc/ppp/ip-up started (pid 32173)
Jan  3 23:30:45 athena pppd[32172]: Script /etc/ppp/ip-up finished (pid 32173), status = 0x1
```

Here are the full commands to initiate and close the VPN connection (respectively):

```
ipsec auto --up L2TP-PSK-CLIENT && echo "c L2TP-CLIENT" > /var/run/l2tp-control
```

```
echo "d L2TP-CLIENT" > /var/run/l2tp-control && ipsec auto --down L2TP-PSK-CLIENT
```

Don't forget to add a route to subnet 1.2.3.0/24:

```
route add -net 1.2.3.0/24 dev ppp0
```

After this I was able to ping any machine in the remote LAN, including the server, of course.

Here are the packages I used:

```
net-misc/openswan-2.4.7
net-firewall/ipsec-tools-0.6.3
net-dialup/xl2tpd-1.1.06
net-dialup/ppp-2.4.4-r4
```

Hope this helped. Please post if any comment or question.
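Taking the `ipsec auto --up` transcript above one step further, here is an added check (example code written for this thread, not code from the post or from Openswan) that reads that output, confirms both the ISAKMP SA and the IPsec SA were established, pulls out the negotiated parameters and warns about the ones that are weak by today's standards; for the transcript above that is the 3DES cipher and MD5 PRF of the Phase 1 SA. The same patterns match the server-side `STATE_MAIN_R3` / `STATE_QUICK_R2` lines posted later in the thread. The weak-algorithm list is my assumption, and the sample input is the post's transcript copied in as test data.

```python
"""Added check for an Openswan 'ipsec auto --up' transcript (example, not from the post)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the transcript from the post above, copied here as constructed test data.
SAMPLE = """\
104 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I1: initiate
003 "L2TP-PSK-CLIENT" #3: received Vendor ID payload [RFC 3947] method set to=110
106 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TP-PSK-CLIENT" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
108 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "L2TP-PSK-CLIENT" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "L2TP-PSK-CLIENT" #4: STATE_QUICK_I1: initiate
004 "L2TP-PSK-CLIENT" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1d12308b <0xda528de9 xfrm=AES_0-HMAC_SHA1 NATD=123.123.123.123:4500 DPD=none}
"""

# Phase 1 (Main Mode) result; same wording on initiator (STATE_MAIN_I4) and responder (STATE_MAIN_R3).
ISAKMP_RE = re.compile(
    r"ISAKMP SA established \{auth=(?P<auth>\S+) cipher=(?P<cipher>\S+) "
    r"prf=(?P<prf>\S+) group=(?P<group>\S+)\}")
# Phase 2 (Quick Mode) result: ESP SPIs, transform, NAT-T mapping, DPD.
IPSEC_RE = re.compile(
    r"IPsec SA established \{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+) "
    r"xfrm=(?P<xfrm>\S+) NATD=(?P<natd>\S+) DPD=(?P<dpd>\S+)\}")
NAT_RE = re.compile(r"NAT-Traversal: Result using (?P<method>.+?): (?P<result>.+)$")

# Assumption, not from the post: substrings that mark a negotiated algorithm as weak today.
WEAK = {
    "cipher": ("des",),               # DES and 3DES (oakley_3des_cbc_192 above)
    "prf": ("md5",),
    "group": ("modp768", "modp1024"),
    "xfrm": ("des", "md5"),           # ESP cipher/integrity pair, e.g. 3DES_0-HMAC_MD5
}


@dataclass
class SaReport:
    isakmp: Optional[Dict[str, str]] = None
    ipsec: Optional[Dict[str, str]] = None
    nat: Optional[Dict[str, str]] = None
    warnings: List[str] = field(default_factory=list)

    @property
    def established(self) -> bool:
        return self.isakmp is not None and self.ipsec is not None


def check_transcript(text: str) -> SaReport:
    """Parse pluto/whack output and report what was negotiated and what looks weak."""
    rep = SaReport()
    for line in text.splitlines():
        for pattern, attr in ((ISAKMP_RE, "isakmp"), (IPSEC_RE, "ipsec"), (NAT_RE, "nat")):
            m = pattern.search(line)
            if m:
                setattr(rep, attr, m.groupdict())
                break
    if rep.isakmp is None:
        rep.warnings.append("no ISAKMP SA: Main Mode did not complete (PSK, leftid/rightid?)")
    if rep.ipsec is None:
        rep.warnings.append("no IPsec SA: Quick Mode did not complete (protoport/subnet mismatch?)")
    for section in (rep.isakmp or {}, rep.ipsec or {}):
        for key, bad in WEAK.items():
            value = section.get(key, "")
            if any(b in value.lower() for b in bad):
                rep.warnings.append(f"weak {key}={value}")
    return rep


def summarize(rep: SaReport) -> str:
    lines = [f"established: {rep.established}"]
    if rep.nat:
        lines.append(f"NAT-T: {rep.nat['result']} ({rep.nat['method']})")
    if rep.isakmp:
        lines.append("phase 1: " + " ".join(f"{k}={v}" for k, v in rep.isakmp.items()))
    if rep.ipsec:
        lines.append("phase 2: " + " ".join(f"{k}={v}" for k, v in rep.ipsec.items()))
    lines.extend("WARNING: " + w for w in rep.warnings)
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(summarize(check_transcript(text)))
```

Save the `ipsec auto --up` output to a file and pass it as the first argument; without an argument the script runs on the embedded transcript. Note that only the Phase 2 transform (AES with HMAC-SHA1) protects the L2TP traffic; the Phase 1 algorithms protect the key exchange itself, which is why the 3DES/MD5 Phase 1 proposal is still worth fixing on the server's `ike=` line.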

----------

## dashnu

Good info, man. I am going to test this today. Mind if I add it to my howto? I will give you credit.

It is kind of a bummer that we have to go through all this to nail up a Linux client. Using PSK, leftid / rightid do not seem to work, and if you have another conn like I described somewhere in the thread (straight ipsec / ipsec) the roadwarrior conn will not properly identify to the correct connection.

I am working on setting up my own CA and using certs, I am having a few troubles but will post that info once I get it working. This is how it _should_ be done in production. Once certs are working connections will identify correctly and we can then use just ipsec for linux clients. 

thanks again.

----------

## dashnu

Just noticed you have the client's external IP in ipsec.secrets. Does %any work?

----------

## newfangled

I have a CA and use certs, let me know what you need help with.

As for MTU, I played with that when I set this up but didn't want to take it too low as the VPN usage is only ever going to be light and I didn't want to compromise the other activities this server is used for. It works but I guess I just expected more responsive performance as I am used to ssh, vnc, and X11 forwarding over the same connection.

----------

## dashnu

So, I went through this howto http://www.natecarlson.com/linux/ipsec-l2tp.php for certs. I get all the way to the end without problems but I can not convert it to PKCS#12.

```
frogger sslca # openssl pkcs12 -export -in danp-laptop/danp.client.pem -inkey danp-laptop/danp.client.key -certfile demoCA/cacert.pem -out danp-client.p12
unable to load private key
```

I must be missing something..

What guide did you follow?

----------

## newfangled

Can you post a recursive listing of everything under your sslca directory? The howto looks correct; the most obvious step for an error is, after the signing step, not moving the newcert.pem and newreq.key to your danp-laptop directory. That is why I asked for the directory listing.

I already had a CA setup for signing certs used with courier-imap, apache etc.. So I just created host requests, signed them and then did the PKCS12 export. When I get home I can check for steps I took.

----------

## VinzC

 *dashnu wrote:*   

> Good info man. I am going to test this today. Mind if I add it to my howto, I will give you credit?

 

Absolutely no problem, sir. I haven't put any copyright notice on my text...

 *dashnu wrote:*   

> It is kinda a bummer that we have to go through all this to nail up a linux client. Using PSK leftid / rightid do not seem to work and if you have another conn like i described in the thread somewhere (straight ipsec / ipsec) the roadwarrior conn will not properly identify to the correct connection.

 

In fact I focused on having something that worked first. I wanted PSK to work first before I switched to certificates. I'll try certificates after I have a NAT'ed Linux client working properly.

Anyway I noticed every keyword mattered. Change one and *poof*, problems arise. For sure rightid is required. If it is missing you get messages like "We required peer to identify as 123.123.123.123 but declares as 1.2.3.4."

BTW you can safely replace

```
        left=%defaultroute
        leftid=client.public.fqdns
```

with

```
        left=client.public.fqdns
```

 *dashnu wrote:*   

> thanks again.

 

My pleasure to help.

 *dashnu wrote:*   

> Just noticed you have client external IP in ipsec.secret does %any work ?

 

I don't know, as I haven't tried yet. I'll try and tell you.

----------

## dashnu

 *newfangled wrote:*   

> Can you post a recursive listing of everything under your sslca directory? The howto looks correct, the most obvious step for an error is after the signing step not moving the newcert.pem and newreq.key to your danp-laptop directory. Hence that is why I asked for the directory listing.
> 
> I already had a CA setup for signing certs used with courier-imap, apache etc.. So I just created host requests, signed them and then did the PKCS12 export. When I get home I can check for steps I took.

 

Here it is.... I tried again from scratch..

```
frogger new-sslca # openssl pkcs12 -export -in dp.pem -inkey dp.key -certfile demoCA/cacert.pem -out dp.p12
unable to load private key
frogger new-sslca # ls -lR
.:
total 20
-rwxr-xr-x 1 root root 3758 Jan  4 13:39 CA.sh
-rw-r--r-- 1 root root  459 Jan  4 13:41 crl.pem
drwxr-xr-x 6 root root  400 Jan  4 13:42 demoCA
-rw-r--r-- 1 root root  680 Jan  4 13:42 dp.key
-rw-r--r-- 1 root root    0 Jan  4 13:58 dp.p12
-rw-r--r-- 1 root root 3165 Jan  4 13:42 dp.pem
-rw-r--r-- 1 root root  963 Jan  4 13:42 newkey.pem

./demoCA:
total 32
-rw-r--r-- 1 root root 3115 Jan  4 13:41 cacert.pem
-rw-r--r-- 1 root root  672 Jan  4 13:40 careq.pem
drwxr-xr-x 2 root root   48 Jan  4 13:40 certs
drwxr-xr-x 2 root root   48 Jan  4 13:40 crl
-rw-r--r-- 1 root root  208 Jan  4 13:42 index.txt
-rw-r--r-- 1 root root   20 Jan  4 13:42 index.txt.attr
-rw-r--r-- 1 root root   21 Jan  4 13:41 index.txt.attr.old
-rw-r--r-- 1 root root   96 Jan  4 13:41 index.txt.old
drwxr-xr-x 2 root root   96 Jan  4 13:42 newcerts
drwxr-xr-x 2 root root   80 Jan  4 13:40 private
-rw-r--r-- 1 root root    3 Jan  4 13:42 serial
-rw-r--r-- 1 root root    3 Jan  4 13:41 serial.old

./demoCA/certs:
total 0

./demoCA/crl:
total 0

./demoCA/newcerts:
total 8
-rw-r--r-- 1 root root 3115 Jan  4 13:41 00.pem
-rw-r--r-- 1 root root 3165 Jan  4 13:42 01.pem

./demoCA/private:
total 4
-rw-r--r-- 1 root root 963 Jan  4 13:40 cakey.pem
frogger new-sslca # 
```

----------

## newfangled

Ok I just copied the CA.sh from /etc/ssl/misc to a fresh directory and ran through the steps in the how-to you quoted. Nothing special happened with any of the CA.sh commands (newca, newreq and sign) and this is the end result:

```
[root@jubjub dashnu]# openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out test.p12
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@jubjub dashnu]# ll
total 20
drwx------ 3 root root  216 Jan  5 03:59 ./
drwx------ 8 root root  384 Jan  5 04:00 ../
-rwx------ 1 root root 3758 Jan  5 03:50 CA.sh*
drwx------ 6 root root  400 Jan  5 03:59 demoCA/
-rw------- 1 root root 3123 Jan  5 03:59 newcert.pem
-rw------- 1 root root  963 Jan  5 03:58 newkey.pem
-rw------- 1 root root  664 Jan  5 03:58 newreq.pem
-rw------- 1 root root 2469 Jan  5 04:00 test.p12
[root@jubjub dashnu]# 
```

Maybe try re-emerging openssl... What version are you using, and are you using the provided CA.sh?

```
[ebuild   R   ] dev-libs/openssl-0.9.8d  USE="zlib -bindist -emacs -sse2 -test" 0 kB
```

I've also run through everything on my Mac OS X laptop, where I keep my real CA, and didn't have a problem with the pkcs12 step. Do you have another machine you can test on? Perhaps a livecd or something. In both cases I at least get the prompt for a password for the key, so that is where I would start looking.

----------

## newfangled

I think I figured it out! In the how-to it says:

```
nate@example:~/sslca$ mv newreq.pem host.example.com.key
```

and from the directory listing you posted it looks like your dp.key is your newreq.pem, which is the problem. Run this:

```
mv dp.key dp.req && mv newkey.pem dp.key && openssl pkcs12 -export -in dp.pem -inkey dp.key -certfile demoCA/cacert.pem -out dp.p12 
```

My guess is that should work...
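The tell-tale in the listing is that dp.key is 680 bytes, the size of the 664-byte newreq.pem, while the real key newkey.pem is 963 bytes. Here is an added pre-flight check (example code written for this thread, not from the howto or from OpenSSL) that reads the PEM labels of the three files before `openssl pkcs12 -export` is run, so a CSR renamed to `.key` is reported as such instead of as the unhelpful "unable to load private key". The PEM bodies below are constructed placeholders with the right labels, not real key material; the file names in the usage line are the ones from this thread.

```python
"""Added pre-flight for 'openssl pkcs12 -export' inputs (example, not from the howto or OpenSSL)."""
import re
import sys

# A PEM block: the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}

# Constructed placeholders with the labels the real files carry; the bodies are not key material.
FAKE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n"
            "MIIBconstructedCSRbody=\n"
            "-----END CERTIFICATE REQUEST-----\n")
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "Proc-Type: 4,ENCRYPTED\n"                 # CA.sh writes a pass-phrase protected key
            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
            "\n"
            "MIICconstructedKeyBody=\n"
            "-----END RSA PRIVATE KEY-----\n")
FAKE_CERT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"   # 'openssl ca' prefixes a text dump
             "-----BEGIN CERTIFICATE-----\n"
             "MIIDconstructedCertBody=\n"
             "-----END CERTIFICATE-----\n")
FAKE_CA = ("-----BEGIN CERTIFICATE-----\n"
           "MIIDconstructedCAbody=\n"
           "-----END CERTIFICATE-----\n")


def pem_labels(text: str) -> list:
    """All BEGIN/END labels in a PEM file, in order (a cert file may hold several blocks)."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def describe(text: str) -> str:
    labels = set(pem_labels(text))
    if labels & KEY_LABELS:
        return "private key"
    if labels & CSR_LABELS:
        return "certificate request"
    if labels & CERT_LABELS:
        return "certificate"
    return "unknown (no PEM block)"


def is_encrypted(key_text: str) -> bool:
    """True when openssl will prompt for a pass phrase, as in newfangled's run above."""
    return ("Proc-Type: 4,ENCRYPTED" in key_text
            or "ENCRYPTED PRIVATE KEY" in pem_labels(key_text))


def preflight(cert_pem: str, key_pem: str, ca_pem: str) -> list:
    """Problems with the -in / -inkey / -certfile inputs; an empty list means they have the right shape."""
    problems = []
    key_kind = describe(key_pem)
    if key_kind != "private key":
        msg = f"-inkey is a {key_kind}, not a private key"
        if key_kind == "certificate request":
            msg += " (looks like newreq.pem was renamed; the key CA.sh wrote is newkey.pem)"
        problems.append(msg)
    for flag, kind in (("-in", describe(cert_pem)), ("-certfile", describe(ca_pem))):
        if kind != "certificate":
            problems.append(f"{flag} is a {kind}, not a certificate")
    return problems


if __name__ == "__main__":
    # usage: preflight.py dp.pem dp.key demoCA/cacert.pem
    cert, key, ca = (open(p).read() for p in sys.argv[1:4])
    for problem in preflight(cert, key, ca) or ["inputs look right"]:
        print(problem)
    if is_encrypted(key):
        print("note: the key is encrypted, openssl will ask for its pass phrase")
```

This checks only the container type, which is exactly the mistake in this thread; it does not verify that the key matches the certificate's public key, which `openssl pkcs12 -export` itself will refuse with a "No certificate matches private key" error.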

----------

## dashnu

Thanks a lot! So the howto had me mv the keys to the wrong files..

I will probably be posting again soon for help with the configuration.

If you want you could post your ipsec.conf.

Thanks again.

-b

----------

## dashnu

I get this error when trying to use certs... any ideas?

Error 786 on the Windows side, and this in my logs on the OpenSwan side...

```
Jan 13 14:31:00 defender64 pluto[3067]: packet from 74.65.156.181:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 13 14:31:00 defender64 pluto[3067]: packet from 74.65.156.181:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 13 14:31:00 defender64 pluto[3067]: packet from 74.65.156.181:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Jan 13 14:31:00 defender64 pluto[3067]: packet from 74.65.156.181:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: responding to Main Mode from unknown peer 74.65.156.181
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: next payload type of ISAKMP Hash Payload has an unknown value: 193
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: malformed payload in packet
Jan 13 14:31:00 defender64 pluto[3067]: | payload malformed after IV
Jan 13 14:31:00 defender64 pluto[3067]: |   2f 4d cf 15  60 83 8a ca  3d 5b 47 39  bb bf a6 1c
Jan 13 14:31:00 defender64 pluto[3067]: |   fc f3 87 88
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: sending notification PAYLOAD_MALFORMED to 74.65.156.181:500
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: next payload type of ISAKMP Hash Payload has an unknown value: 25
Jan 13 14:31:00 defender64 pluto[3067]: "roadwarrior-osx-xp"[4] 74.65.156.181 #7: malformed payload in packet
```

----------

## VinzC

I did have that error - IIRC - until I upgraded OpenSwan to version 2.4.7 (both sides). But I suppose you already did?

----------

## dashnu

Server side is 2.4.7; the client is WinXP.

----------

## VinzC

Did you also disable all of XP's compression options? (E.g. in the Network management tab, button Parameters; only Enable LCP extensions should be checked.)

----------

## dashnu

This same laptop works fine with a psk.

----------

## VinzC

Well... I'm going to try too as soon as I can and I'll post my results.

----------

## dashnu

I just tried a x509 configuration on a new machine and still I have the same results as posted above. Can someone give me a hand please?

----------

## VinzC

If you can afford waiting a little (until I finish backing up/restoring my home server, my main priority for now) I'll get into it soon. I've put little priority to this but I'd be glad to raise it since you need results.

----------

## dashnu

Sure let me know what you come up with.

----------

## mhoogenbosch

Can't seem to get it to work, it constantly gives me the same error:

```
ip route add 217.xx.xx.xx/32 via 192.168.20.254 dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
```

The 217 address is the IP address from which I'm connecting to my home server. The 192.168.20.254 is my router and gateway. eth0 is the external interface of my router, which isn't 192.168.20.254 but an 83.83.x.x address; maybe that is the problem?

When I change the leftnexthop to my external IP, I'm getting errors that left and leftnexthop must be the same.

What can this be? I don't know which config I need to post; I reckon this has nothing to do with xl2tpd because the server isn't requesting any username or anything... I think this is a problem with a config file from Openswan (2.4.7).

If a config file would come in handy just ask and I'll post it.

----------

## dashnu

This error is a bug in something, I think. I just checked my logs on my working connection and I see the same results.

However my conn is still working. Maybe this was caused by the recent ppp update? Try rolling back a version or two.

-b

*edit*

Try rolling back to openswan 2.4.4. After looking at the problem I do not think it is ppp related; I think it's leftnexthop related. In 2.4.4 that param was not needed. I posted to the lists about this; I will post the response back here.

----------

## VinzC

Annoying... 2.4.7 is the only one (available) version that has fully implemented NAT-T.

----------

## mhoogenbosch

 *dashnu wrote:*   

> This error is a bug in something I think. I just checked my logs on my working connection and I see the same results. 
> 
> However my conn is still working. Maybe this was caused by the recent ppp update? Try rolling back a version or two.
> 
> -b
> ...

If I remove the leftnexthop=192.168.20.254 part in my config I'm getting a completely different error; if I search on that error the main advice is to add the leftnexthop statement. I'll try rolling back to 2.4.4.

With 2.4.4:

```
pluto[6548]: packet from 217.xxx.xxx.xxx:71: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[6548]: packet from 217.xxx.xxx.xxx:71: ignoring Vendor ID payload [FRAGMENTATION]
pluto[6548]: packet from 217.xxx.xxx.xxx:71: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[6548]: packet from 217.xxx.xxx.xxx:71: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: responding to Main Mode from unknown peer 217.xxx.xxx.xxx
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: Main mode peer ID is ID_FQDN: '@martijn'
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: I did not send a certificate because I do not have one.
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #148: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[6548]: | NAT-T: new mapping 217.xxx.xxx.xxx:71/8606)
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx= #148: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #149: responding to Quick Mode {msgid:6d23fcb1}
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #149: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #149: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #149: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[6548]: "roadwarrior-osx-xp"[1] 217.xxx.xxx.xxx #149: STATE_QUICK_R2: IPsec SA established {ESP=>0xa641e1d9 <0x83cdfd40 xfrm=3DES_0-HMAC_MD5 NATD=217.xxx.xxx.xxx:8606 DPD=none}
```

And then it starts again with:

```
pluto[6548]: packet from 217.xxx.xxx.xxx:71: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[6548]: packet from 217.xxx.xxx.xxx:71: ignoring Vendor ID payload [FRAGMENTATION]
pluto[6548]: packet from 217.xxx.xxx.xxx:71: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[6548]: packet from 217.xxx.xxx.xxx:71: ignoring Vendor ID payload [Vid-Initial-Contact]
```

It looks like openswan thinks my server is NATed, but it isn't; it's connected directly to the Internet, and the external interface also has the external IP address...

----------

## sabitov

Hi all! 

Could anybody help me solve my problem? I have gentoo, =net-misc/openswan-2.4.7, =net-dialup/xl2tpd-1.1.09, =net-dialup/ppp-2.4.4-r4 on the VPN server, and WinXP SP2 as a client. It works fine if both server and client are located in the same Ethernet segment :)))

Now, I try to make a test 'remote' connection:

```
vpnserver (eth0:1.2.3.2/25, eth1:172.16.0.2/16) --- (eth0:1.2.3.21/25, eth0:172.16.1.1/16) test-router (eth1:10.10.10.1/24) --- (eth0:10.10.10.2/24) vpnclient
```

There is no NAT, firewall or the like on any node. I can ping, ssh, ... from vpnclient to vpnserver. Now I run on test-router

```
tcpdump -nn -i eth0 host 10.10.10.2
```

and try to make VPN connection. 

On test-router I got this from tcpdump (skip a lot of other packets):

```
11:12:05.033232 arp who-has 10.10.10.2 tell 1.2.3.2
11:12:06.033682 arp who-has 10.10.10.2 tell 1.2.3.2
11:12:07.034159 arp who-has 10.10.10.2 tell 1.2.3.2
11:12:08.046658 arp who-has 10.10.10.2 tell 1.2.3.2
11:12:09.047121 arp who-has 10.10.10.2 tell 1.2.3.2
11:12:10.047606 arp who-has 10.10.10.2 tell 1.2.3.2
11:12:11.060089 arp who-has 10.10.10.2 tell 1.2.3.2
11:12:12.060565 arp who-has 10.10.10.2 tell 1.2.3.2
```

On vpnserver I got these messages in /var/log/messages:

```
May 21 11:11:47 vpnServer pluto[3771]: packet from 10.10.10.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 21 11:11:47 vpnServer pluto[3771]: packet from 10.10.10.2:500: ignoring Vendor ID payload [FRAGMENTATION]
May 21 11:11:47 vpnServer pluto[3771]: packet from 10.10.10.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
May 21 11:11:47 vpnServer pluto[3771]: packet from 10.10.10.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: responding to Main Mode from unknown peer 10.10.10.2
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: STATE_MAIN_R1: sent MR1, expecting MI2
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: Main mode peer ID is ID_DER_ASN1_DN: 'C=RU, ST=Novosibirsk Region, ...'
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: crl update for "C=RU, ST=Novosibirsk Region, ..." is overdue since Apr 14 17:02:39 UTC 2007
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[7] 10.10.10.2 #7: switched from "roadwarrior-l2tp" to "roadwarrior-l2tp"
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.2 {isakmp=#0/ipsec=#0}
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: I am sending my cert
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #8: responding to Quick Mode {msgid:f8bd1373}
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 21 11:11:47 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 21 11:11:48 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 21 11:11:48 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #8: STATE_QUICK_R2: IPsec SA established {ESP=>0x159bfc5b <0x2a87697f xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
May 21 11:11:49 vpnServer xl2tpd[11909]: control_finish: Peer requested tunnel 11 twice, ignoring second one.
May 21 11:11:50 vpnServer xl2tpd[11909]: control_finish: Peer requested tunnel 11 twice, ignoring second one.
May 21 11:11:54 vpnServer xl2tpd[11909]: control_finish: Peer requested tunnel 11 twice, ignoring second one.
May 21 11:11:55 vpnServer xl2tpd[11909]: Maximum retries exceeded for tunnel 45311.  Closing.
May 21 11:11:55 vpnServer xl2tpd[11909]: Connection 11 closed to 10.10.10.2, port 1701 (Timeout)
May 21 11:12:00 vpnServer xl2tpd[11909]: Unable to deliver closing message for tunnel 45311. Destroying anyway.
May 21 11:12:10 vpnServer xl2tpd[11909]: Maximum retries exceeded for tunnel 56855.  Closing.
May 21 11:12:10 vpnServer xl2tpd[11909]: Connection 11 closed to 10.10.10.2, port 1701 (Timeout)
May 21 11:12:13 vpnServer xl2tpd[11909]: control_finish: Peer requested tunnel 11 twice, ignoring second one.
May 21 11:12:15 vpnServer xl2tpd[11909]: Unable to deliver closing message for tunnel 56855. Destroying anyway.
May 21 11:12:23 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: received Delete SA(0x159bfc5b) payload: deleting IPSEC State #8
May 21 11:12:23 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: received and ignored informational message
May 21 11:12:23 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: received Delete SA payload: deleting ISAKMP State #7
May 21 11:12:23 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2: deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.2 {isakmp=#0/ipsec=#0}
May 21 11:12:23 vpnServer pluto[3771]: packet from 10.10.10.2:500: received and ignored informational message
May 21 11:12:26 vpnServer pluto[3771]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.10.10.2 port 500, complainant 1.2.3.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
May 21 11:12:26 vpnServer pluto[3771]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.10.10.2 port 500, complainant 1.2.3.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
```

My ipsec.conf is:

```
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=control
        forwardcontrol=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.16.7.0/24
        overridemtu=1400

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        pfs=no

conn roadwarrior-l2tp-updatedwin
        pfs=no
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp
        pfs=no
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn macintosh-l2tp
        pfs=no
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=vpnServer.pem
        right=%any
        auto=add
        type=transport

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
```

My /etc/xl2tpd/xl2tpd.conf:

```
=========================================================================
[global]
port = 1701

[lns default]
ip range = 172.16.7.0-172.16.7.7
local ip = 172.16.7.1
require chap = yes
refuse pap = yes
require authentication = yes
name = MyVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
=========================================================================
```

What's wrong in my ipsec config???

----------

## mrness

 *sabitov wrote:*   

> Could anybody help me to solve my problem, I have gentoo, =net-misc/openswan-2.4.7, =net-dialup/xl2tpd-1.1.09, =net-dialup/ppp-2.4.4-r4 on VPN server, and WinXP SP2 as a client. It works fine, if both server and client are located in the same Ethernet segment ))
> ....
> ...

 

You don't have a leftnexthop.

----------

## sabitov

 *mrness wrote:*   

> You don't have a leftnexthop.

 

Thank you very much!!!

Yes, it was!  :Smile: 

----------

## AVNazyrov

Thank you very much for this complete manual! It really helped me. One question: has anybody tried to use OpenVPN instead of L2TP? Nasim Mansurov wrote on his site (http://megaz.arbuz.com/2006/12/24/l2tp-vs-openvpn/) that it's much faster and more stable.

----------

## mrness

 *Quote:*   

> L2TP: Feature-rich backend allows complicated configurations with SSL or PSKs

 

I wasn't aware that L2TP has anything to do with SSL. Are you sure this guy has any idea what he's talking about?

IMO, when you say VPN, you're referring to some sort of IPSec. Anything else is just a toy.

----------

## VinzC

 *mrness wrote:*   

> ...
> 
> IMO, when you say VPN, you're referring to some sort of IPSec. Anything else is just a toy.

 

OMG! Don't shout it otherwise I can see OpenVPN fans coming at you and tap you on the shoulder...  :Wink: 

----------

## AVNazyrov

 *Quote:*   

> L2TP: Feature-rich backend allows complicated configurations with SSL or PSKs

 

Hmm... I lost it when I read that article.   :Embarassed:  I'm not very familiar with VPN but it really sounds strange...

 *mrness wrote:*   

> IMO, when you say VPN, you're referring to some sort of IPSec. Anything else is just a toy.

 

What did you mean? SSL is just another type of securing a VPN.

Anyway, I am interested by it:

 *Quote:*   

> Considerably faster than L2TP

 

Has anybody else tested it?

P.S.

Sorry for my English - I don't speak it very often.   :Rolling Eyes: 

----------

## VinzC

 *AVNazyrov wrote:*   

> ... has anybody tried to use OpenVPN instead of L2TP?

 

I have. And to say the truth it's easier to accomplish than IPsec. While there are blocking cases with IPsec (like NATed networks), OpenVPN only needs a single UDP port (1194) and it works in all cases.

It's safe as it uses connection-less protocols like UDP, hence blinded against SYN flood and other classical TCP attacks. It involves principles easy to understand as it relies on well-known technologies like SSL encryption and routing/bridging - nothing more, nothing less.

It has a GUI client for Windows and, IIRC, Mac OS. Linux has kvpnc and many other clients, text or graphical. I have tried and used Windows GUI. Not much to say about it: I like it very much  :Smile:  .

----------

## VinzC

 *Quote:*   

> Considerably faster than L2TP

  *AVNazyrov wrote:*   

> Has anybody else tested it?

 

To add to your question, I've tested both at that time (a year and a half ago). I started with OpenSwan to link two networks from our company through the Internet. The purpose was to work remotely with Citrix.

OpenSwan proved unstable as soon as more than 3-4 users were using the link between both sites. It was probably a configuration/fine tuning problem but we switched to OpenVPN and it worked at once - with my limited knowledge of VPN [internals] at that time  :Smile:  . So I can confirm that L2TP/IPsec requires strong knowledge in that domain...

----------

## AVNazyrov

VinzC, many thanks for your answer. I think, I'll try to use OpenVPN soon.

One remark: now OpenSWAN works with NATed nets perfectly too and requires only three UDP ports opened in firewall. 

 *VinzC wrote:*   

> So I can confirm that L2TP/IPsec requires strong knowledge in that domain...

 

Two thumbs up!   :Very Happy: 

----------

## dashnu

Some random comments...

 *Quote:*   

> L2TP VPN Cons:
> 
> Unstable L2TP code; l2tpd requires heavy patching with the latest kernels; kernel recompilation with TTY support is preferable

Xelerance maintains a version of this code... Frequent updates, and it seems pretty active to me.

 *Quote:*   

> Unexpected crashes when the client connection is not closed properly

I have _never_ seen this.

 *Quote:*   

> Hard to configure; requires good linux skills along with solid understanding of networking and VPN technology

I would hope so.

 *Quote:*   

> Slower than OpenVPN

Probably due to the layers and encryption... NAT-T --> ESP --> L2TP ... Anyways, never had any speed issues myself. I would imagine when push came to shove ESP is a bit more secure than SSL based VPNs and probably much, much more widely accepted.  :Wink: 

 *Quote:*   

> Almost no support from the community

I find the openswan lists to be exceptional. Especially Paul from Xelerance; he has helped me out countless times... The openswan book is also a great read/help... Hey, I am in the community and have helped out several people between this thread and my howto...  :Smile: 

I am not trying to flame, just responding to these comments with my experiences... I never used openvpn and may be a bit partial to openswan, seeing as I connect/secure all my networks together using gentoo endpoints with openswan & iptables.

----------

## VinzC

 *dashnu wrote:*   

> Some random comments...

 

 *Quote:*   

> Almost no support from the community

 

I also find quite odd that such a message is posted... in a forum. I love paradoxes like this...  :Very Happy: 

----------

## mike123abc

Suse 9.3 2.6.11 Kernel <----> NAT Windows XP

I have openswan 2.2.0 and the latest download, xl2tpd-1.1.11.

From the syslog info from pluto, it looks like it does its job and establishes an ipsec connection.

 *Quote:*   

> Aug 23 22:58:15 www pluto[11446]: packet from 75.23.215.33:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> 
> Aug 23 22:58:15 www pluto[11446]: packet from 75.23.215.33:500: ignoring Vendor ID payload [FRAGMENTATION]
> 
> Aug 23 22:58:15 www pluto[11446]: packet from 75.23.215.33:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> ...

 

Nothing happens until the XP box times out or you press cancel; then it gets a nice delete message from XP.

 *Quote:*   

> Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: received Delete SA(0x928e14de) payload: deleting IPSEC State #8
> 
> Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: deleting connection "roadwarrior-l2tp" instance with peer 75.23.215.33 {isakmp=#0/ipsec=#0}
> 
> Aug 23 22:58:31 www pluto[11446]: "roadwarrior-all"[8] 75.23.215.33:4500 #7: received and ignored informational message
> ...

 

My ipsec.conf file: (note the indents are there, just not appearing in this post)

 *Quote:*   

> # /etc/ipsec.conf - Openswan IPsec configuration file
> 
> # RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
> 
> # This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
> ...

 

My xl2tpd with all the debugging on sitting on the terminal does not seem to do anything after initial load:

 *Quote:*   

> xl2tpd[11865]: init_config: Using old style config files /etc/l2tp/l2tpd.conf and /etc/l2tpd/l2tp-secrets
> 
> xl2tpd[11865]: parse_config: global context descriptor
> 
> xl2tpd[11865]: parse_config: field is port, value is 1701
> ...

 

So, I guess the problem/question is:

I have a successful ipsec connection made, but now I need to figure out how to get the l2tpd involved.  I checked firewall rules; there is nothing for port 1701.  The other issue is that there is no ipsec0 interface (seems the 2.6 kernel does not need it); is this the issue?   The linux box is directly connected to the internet; there is no private net.  I have not figured out the right internet search to quite figure out how ipsec packets get to l2tpd.  If there was a virtual ipsec0 interface I could see them being routed to port 1701 there and the l2tpd listening on that interface and getting the packets.  Do I need to create/configure a device?  What do I need to do to at least get to the next stage of debugging, where packets get to l2tpd?

I was able to get openvpn up and running with a tap0 working and got a VPN working with my XP box.  But XP does not really like to use openVPN; you have to do all the stuff manually, and the spiffy UI that users would use wants to use l2tp.  The only complaint I can see from l2tp is that recvref is not available in setsockopt.  Maybe it is something; the source does not give much insight. Exploring this some more at the moment...
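sabitov's log earlier in the thread and mike123abc's log above show the same picture at the IKE layer: pluto completes the exchange, the Windows client later sends Delete SA for both states, and in sabitov's case the kernel also reports "No route to host" for the peer address. The script below is an added example, not code from this thread or from Openswan: it classifies pluto syslog lines per peer and turns those two patterns into a pointer at the layer to look at next (IPsec up but torn down by the client means the L2TP/pppd side; a route error means the server's routing or leftnexthop). The sample log is constructed to mirror the posted lines and adds the "ISAKMP SA established" / "IPsec SA established" messages pluto logs when each phase completes.

```python
"""Triage Openswan/pluto syslog lines from an L2TP/IPsec road-warrior server.

Added example; not code from this thread or from Openswan. The sample log
below is constructed to mirror the lines posted by sabitov and mike123abc.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
May 21 11:12:10 vpnServer pluto[3771]: packet from 10.10.10.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 21 11:12:10 vpnServer pluto[3771]: packet from 10.10.10.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 21 11:12:10 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established
May 21 11:12:11 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #8: STATE_QUICK_R2: IPsec SA established
May 21 11:12:23 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: received Delete SA(0x159bfc5b) payload: deleting IPSEC State #8
May 21 11:12:23 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2 #7: received Delete SA payload: deleting ISAKMP State #7
May 21 11:12:23 vpnServer pluto[3771]: "roadwarrior-l2tp"[8] 10.10.10.2: deleting connection "roadwarrior-l2tp" instance with peer 10.10.10.2 {isakmp=#0/ipsec=#0}
May 21 11:12:26 vpnServer pluto[3771]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.10.10.2 port 500, complainant 1.2.3.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$')
# "conn"[instance] peer[:port] [#state]: message
PEER_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?::\d+)?(?: #\d+)?: (?P<rest>.*)$')
PKT_RE = re.compile(r'^packet from (?P<peer>[\d.]+):\d+: (?P<rest>.*)$')
ERR_RE = re.compile(r'^ERROR: asynchronous network error report on (?P<iface>\S+) .* '
                    r'for message to (?P<peer>[\d.]+) port \d+, complainant (?P<who>[\d.]+): '
                    r'(?P<reason>[^\[]+) \[')


def parse_ts(ts):
    # syslog lines carry no year; a fixed one keeps differences within a capture meaningful
    return datetime.strptime('2000 ' + ts, '%Y %b %d %H:%M:%S')


def parse_line(line):
    """Classify one pluto line into an event dict, or None for non-pluto lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, msg = m['ts'], m['msg']
    if (e := ERR_RE.match(msg)):
        # the kernel could not deliver an IKE packet; 'who' is the router that sent the ICMP error
        return {'ts': ts, 'peer': e['peer'], 'kind': 'route_error',
                'detail': f"{e['reason'].strip()} reported by {e['who']} via {e['iface']}"}
    if (p := PEER_RE.match(msg)):
        rest = p['rest']
        kind = ('phase1_up' if 'ISAKMP SA established' in rest else
                'phase2_up' if 'IPsec SA established' in rest else
                'peer_delete' if rest.startswith('received Delete SA') else
                'other')
        return {'ts': ts, 'peer': p['peer'], 'kind': kind, 'detail': rest}
    if (k := PKT_RE.match(msg)):
        # pre-authentication traffic (Vendor IDs, informationals) keyed by source address
        return {'ts': ts, 'peer': k['peer'], 'kind': 'unauth_packet', 'detail': k['rest']}
    return {'ts': ts, 'peer': None, 'kind': 'other', 'detail': msg}


def diagnose(log_text):
    """Per peer address, list what the IKE side of the log says to look at next."""
    by_peer = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev['peer']:
            by_peer[ev['peer']].append(ev)
    findings = {}
    for peer, evs in by_peer.items():
        kinds = [ev['kind'] for ev in evs]
        notes = []
        if 'phase2_up' in kinds and 'peer_delete' in kinds:
            up = next(ev for ev in evs if ev['kind'] == 'phase2_up')
            down = next(ev for ev in evs if ev['kind'] == 'peer_delete')
            secs = (parse_ts(down['ts']) - parse_ts(up['ts'])).total_seconds()
            notes.append(f"IPsec SA established, then deleted by the peer after {secs:.0f}s: "
                         "IKE is fine, so look at xl2tpd/pppd and at what reaches UDP 1701")
        elif 'phase1_up' in kinds and 'phase2_up' not in kinds:
            notes.append("ISAKMP SA established but no IPsec SA: check whether the client's "
                         "proposal (transport mode, UDP 1701) matches a conn")
        if 'route_error' in kinds:
            d = next(ev for ev in evs if ev['kind'] == 'route_error')['detail']
            notes.append(f"server could not route to the peer ({d}): "
                         "check the default route and leftnexthop")
        findings[peer] = notes
    return findings


if __name__ == '__main__':
    for peer, notes in diagnose(SAMPLE_LOG).items():
        print(peer)
        for n in notes:
            print('  -', n)
```

Run it against a real `/var/log/messages` by passing the file contents to `diagnose()`; pluto cannot see L2TP traffic itself, so the "deleted by the peer" note is the cue to switch to xl2tpd's debug output and a capture on UDP 1701.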

----------

## temper

Hi. It's my first time doing this kind of connection... so I need a little help from the community.

When I connect my client (windows xp sp3) to my host, the internet goes down on the client. I can ping both local and global ips both ways, but the client cannot ping anything outside the vpn  :Sad: 

I'm using: 

```
2.6.26-gentoo-r4 kernel
net-misc/openswan version:  2.4.13-r2
net-firewall/ipsec-tools version:  0.6.7 0.7.1
net-dialup/ppp version:  2.4.4-r21
net-dialup/xl2tpd version:  1.1.12 1.1.12-r1
(There is no l2tpd daemon in my portage tree)
```

I believe I have configured the kernel correctly. 

This is my ipsec.conf:

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:!192.168.1.0/24

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

#conn roadwarrior-all
#        leftsubnet=0.0.0.0/0
#        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/1701
        rightprotoport=17/1701
        rekey=no
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        authby=secret
        type=tunnel
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
```

ipsec.secrets 

xx.xx.xx.xx is my global ip.

```
XX.XX.XX.XX %any: PSK "verylongpassword"
```

chap-secrets:

```
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
client          *       "password"              192.168.1.5
*               client  "password"              192.168.1.5
```

options.l2tp:

```
ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
```

and this is /etc/xl2tpd/xl2tpd.conf

```
; l2tpd.conf
;
[global]
port = 1701

[lns default]
ip range = 192.168.1.4-192.168.1.40
local ip = 192.168.1.2
require chap = yes
refuse pap = yes
require authentication = yes
name = MyVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
```

I set up XP correctly. I don't know why the internet is not working.

I looked in /var/log/messages, route -n, iptables -L, emerge --info, tcpdump, lsmod... but I don't know how to troubleshoot this. I've been struggling a very long time to get it working, but I don't have enough skills yet to make it all on my own... I hope someone can guide me through this... TIA
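temper's ipsec.conf above, like sabitov's earlier in the thread, builds its road-warrior conns out of `also=` chains and `conn %default`, so the setting that actually applies to a given conn is never visible in one place. The script below is an added example, not code from this thread or from Openswan: it parses this ipsec.conf format, resolves each conn under the precedence this example assumes (the conn's own keys over `also=` conns over `%default`), and reports the points a practitioner reviews before exposing such a server: an L2TP conn that is not `type=transport` (the Windows and OS X L2TP/IPsec clients negotiate transport mode), one PSK shared by every `right=%any` peer, `pfs=no`, and no explicit `leftnexthop` (the fix mrness gave sabitov). The sample config is constructed from the conn sections posted in this thread.

```python
"""Parse an Openswan ipsec.conf and report the settings that matter for an
L2TP/IPsec road-warrior server.

Added example; not code from this thread or from Openswan. The sample config
is constructed from the conn sections posted in this thread; the checks are
review points, not Openswan's own validation.
"""
import re

SAMPLE_CONF = """\
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:!192.168.1.0/24
conn %default
        keyingtries=3
        authby=secret
        type=tunnel
conn roadwarrior-l2tp
        leftprotoport=17/1701
        rightprotoport=17/1701
        rekey=no
        also=roadwarrior
conn macintosh-l2tp
        pfs=no
        leftprotoport=17/1701
        rightprotoport=17/%any
        type=transport
        also=roadwarrior
conn roadwarrior
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
include /etc/ipsec.d/examples/no_oe.conf
"""

SECTION_RE = re.compile(r'^(config|conn)\s+(\S+)\s*$')
L2TP_PORT = '17/1701'


def parse(text):
    """Return {'setup': {...}, 'conns': {name: {...}}}; comments and includes are dropped."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip() or line.startswith(('version', 'include')):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = setup if m.group(1) == 'config' else conns.setdefault(m.group(2), {})
            continue
        # parameters must be indented under a section header
        if current is None or not line[0].isspace() or '=' not in line:
            raise ValueError(f'unexpected line: {raw!r}')
        key, _, value = line.strip().partition('=')
        current[key.strip()] = value.strip()
    return {'setup': setup, 'conns': conns}


def effective(conf, name, _seen=frozenset()):
    """Resolve a conn: its own keys win over 'also=' conns, which win over 'conn %default'
    (assumed precedence for this example)."""
    if name in _seen:
        raise ValueError(f'also= loop at {name}')
    own = dict(conf['conns'][name])
    result = dict(conf['conns'].get('%default', {}))
    for other in filter(None, own.pop('also', '').split(',')):
        result.update(effective(conf, other.strip(), _seen | {name}))
    result.update(own)
    return result


def lint(conf):
    """Map each loaded conn (auto != ignore, Openswan's default) to WARN/INFO notes."""
    findings = {}
    for name in conf['conns']:
        if name == '%default':
            continue
        eff = effective(conf, name)
        if eff.get('auto', 'ignore') == 'ignore':
            continue
        notes = []
        is_l2tp = (eff.get('leftprotoport') == L2TP_PORT
                   or eff.get('rightprotoport', '').startswith('17/'))
        if is_l2tp and eff.get('type', 'tunnel') != 'transport':
            notes.append('WARN: L2TP conn without type=transport; Windows and OS X '
                         'L2TP/IPsec clients negotiate transport mode')
        if eff.get('authby') == 'secret' and eff.get('right') == '%any':
            notes.append('WARN: one PSK shared by every road warrior (right=%any); '
                         'a leaked client secret exposes all of them')
        if eff.get('pfs') == 'no':
            notes.append('INFO: pfs=no, IPsec SA keys derive from the ISAKMP SA '
                         '(needed for the Windows client)')
        if eff.get('left') == '%defaultroute' and 'leftnexthop' not in eff:
            notes.append('INFO: leftnexthop not set explicitly (setting it was the fix '
                         'reported earlier in this thread)')
        findings[name] = notes
    return findings


if __name__ == '__main__':
    for conn, notes in lint(parse(SAMPLE_CONF)).items():
        print(conn)
        for n in notes:
            print('  -', n)
```

Feed it your own file with `lint(parse(open('/etc/ipsec.conf').read()))`; the `%default` conn is resolved but not reported on its own, since only conns with `auto=add` or similar are ever loaded.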

----------

## VinzC

Remember what a VPN is: a secure tunnel between your computer and the remote network. Secure tunnel means every network packet is sent through the tunnel for security. Hence there's no route to the Internet by default, other than through the default gateway at the opposite side of the tunnel.

That is to say that a host connected through VPN must isolate itself as well as the remote network from external attacks. If a VPN host is compromised then the remote network is under threat as well. This is why it is unwise to have a VPN host also connected to the Internet directly.

There are two ways for a host to also send/receive packets to/from the Internet: either directly (dangerous as I've just explained) or through a gateway on the remote network. The latter option is preferable and requires adding routes to the gateway on the remote network and possibly changing firewall rules on the remote Internet gateway. If this is not possible then the former option is your only choice.

By default, Windows VPN hosts use the remote gateway as the default gateway, making Internet unavailable on the VPN host. You can change that behaviour on Windows XP by changing how Windows routes packets. There is a checkbox «Use default gateway on the remote network» (typing from memory) in the TCP/IP properties of your VPN connection. It is checked by default. Uncheck it before making the VPN connection and you'll be able to surf the Internet from your machine while the VPN link is active.

You've been warned  :Wink:  .

----------

## dashnu

I do not use this setup anymore; however, it sounds to me as if your firewall at the remote end-point is causing the problem.

I routed all packets outbound from client through the tunnel and out the VPN. 

Keep in mind with this setup a PPP+ interface is created and the proper forwarding rules must be set. 

Is this VPN end-point also your firewall ? Or behind a firewall in place already?
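The forwarding rules dashnu mentions are exactly what temper's configs above leave out: once pppd has brought up a ppp+ interface, the server needs FORWARD and source-NAT rules for the client range, and UDP 1701 should only be reachable from inside an IPsec SA so that xl2tpd never sees bare L2TP from the Internet. The script below is an added example, not dashnu's own rules or anything from xl2tpd: it assumes iptables with the `policy` and `state` matches, a WAN interface named eth0, and a constructed xl2tpd.conf whose `ip range` is turned into the NAT'd source blocks; in dry-run mode it returns the commands instead of running them.

```python
"""Generate and apply the netfilter rules an L2TP/IPsec server needs once
pppd has created its ppp+ interfaces.

Added example, not dashnu's rules or xl2tpd's. Assumes iptables with the
'policy' and 'state' matches and a WAN interface name; the xl2tpd.conf
sample is constructed.
"""
import ipaddress
import subprocess

SAMPLE_XL2TPD = """\
[global]
port = 1701

[lns default]
ip range = 172.16.7.0-172.16.7.7
local ip = 172.16.7.1
require chap = yes
"""


def parse_ip_range(xl2tpd_conf):
    """Read 'ip range = first-last' from xl2tpd.conf and return the CIDR blocks covering it."""
    for line in xl2tpd_conf.splitlines():
        key, _, value = line.partition('=')
        if key.strip() == 'ip range':
            first, _, last = value.strip().partition('-')
            return list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    raise ValueError("no 'ip range' line in xl2tpd.conf")


def build_rules(wan, vpn_nets, vpn_if='ppp+'):
    """iptables argument lists, in the order they must be appended (first match wins)."""
    rules = [
        # IKE, NAT-T and ESP from road warriors on the WAN side.
        ['-A', 'INPUT', '-i', wan, '-p', 'udp', '--dport', '500', '-j', 'ACCEPT'],
        ['-A', 'INPUT', '-i', wan, '-p', 'udp', '--dport', '4500', '-j', 'ACCEPT'],
        ['-A', 'INPUT', '-i', wan, '-p', 'esp', '-j', 'ACCEPT'],
        # L2TP (UDP 1701) only when the packet was decapsulated from an IPsec SA;
        # bare L2TP from the Internet is dropped before xl2tpd sees it.
        ['-A', 'INPUT', '-p', 'udp', '--dport', '1701',
         '-m', 'policy', '--dir', 'in', '--pol', 'ipsec', '--proto', 'esp', '-j', 'ACCEPT'],
        ['-A', 'INPUT', '-p', 'udp', '--dport', '1701', '-j', 'DROP'],
        # Clients on ppp+ may go out via the WAN; only replies come back in.
        ['-A', 'FORWARD', '-i', vpn_if, '-o', wan, '-j', 'ACCEPT'],
        ['-A', 'FORWARD', '-i', wan, '-o', vpn_if,
         '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT'],
    ]
    # Source NAT for each block of the xl2tpd client range.
    for net in vpn_nets:
        rules.append(['-t', 'nat', '-A', 'POSTROUTING', '-s', str(net), '-o', wan,
                      '-j', 'MASQUERADE'])
    return rules


def apply_rules(rules, dry_run=True):
    """Return the commands as strings; run them (plus ip_forward=1) when dry_run is False."""
    cmds = [['iptables', *r] for r in rules]
    if not dry_run:
        subprocess.run(['sysctl', '-w', 'net.ipv4.ip_forward=1'], check=True)
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return [' '.join(cmd) for cmd in cmds]


if __name__ == '__main__':
    for line in apply_rules(build_rules('eth0', parse_ip_range(SAMPLE_XL2TPD))):
        print(line)
```

The ESTABLISHED,RELATED rule is what keeps a VPN client from being reachable from the Internet through the server, the exposure VinzC describes above; the two UDP 1701 rules are the part most howtos skip, and without them anything on the Internet can talk L2TP to xl2tpd with no IPsec at all.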

----------

## temper

OK, now I get little better understanding of how vpn works. But I'm still ubber n00b, I know...  :Laughing: 

Well, I will test this when my brother gets off of his MMORPG games  :Very Happy:  and let you know. I'll try both methods.  This is my home network and I have no information-sensitive things on it, or any service running to be concerned about security. My initial goal was to set up a LAN connection, but I don't have a router and spare NICs to plug into the PCs to set up a LAN; they are both laptops btw. I know there are other solutions, like ftp, ssh, but I want to learn how to set up VPNs over IPsec... Thank you for the help.

EDIT:

VinzC 

dashnu 

Thanks for helping me. I got it working finally. Thank you!!! 

And have a Happy New Year!

----------

