On Sat, 2006-06-24 at 17:14 +1000, Howard Lowndes wrote:
> I'm looking for some heavy guidance on an l2tpd/ipsec problem.
> Unfortunately l2tpd.org appears to have been hijacked by cybersquatters.
>
> The configuration is a Windows XP Pro (SP2) client sitting behind a NAT
> and talking over the Internet to a Linux box running Openswan and l2tpd.
You cannot NAT an IPSec tunnel unless you have a passthrough thing set up
which encapsulates IPSec packets into another (UDP?) packet so the IPSec
checksums etc. work after NAT and decapsulation. You should see in the
IPSec log (which is not the same as the pppd log) all sorts of messages
about rejecting packets if this is the case.

I could be wrong here though; it's been some time since I played with
IPSec, and it was never with PPP (although I did use PPTP, which was XP
and NAT friendly).

> I am using PSK for the ipsec authentication, because I can't get the XP
> box to find my privately signed x509 key - but that is a separate issue.
>
> When I bring up the connection window on XP requesting the log in and the
> password for the Linux box and then click Connect I can trace everything
> that is happening on the Linux box. /var/log/secure shows that the ISAKMP
> SA is established and the IPSec SA is established successfully, which
> tells me that the ipsec part of the connection appears to be running fine.
>
> If I run l2tpd in non-daemon mode with almost full debugging mode I get
> this output repeated several times until the connection attempt eventually
> fails and the IPSec SA is torn down:
>
> l2tpd[19520]: network_thread: recv packet from www.xxx.yyy.zzz, size = 101, tunnel = 0, call = 0
> l2tpd[19520]: get_call: allocating new tunnel for host www.xxx.yyy.zzz, port 1701.
> l2tpd[19520]: ourtid = 2799, entropy_buf = aef
> l2tpd[19520]: check_control: control, cid = 0, Ns = 0, Nr = 0
> l2tpd[19520]: handle_avps: handling avp's for tunnel 2799, call 0
> l2tpd[19520]: message_type_avp: message type 1 (Start-Control-Connection-Request)
> l2tpd[19520]: protocol_version_avp: peer is using version 1, revision 0.
> l2tpd[19520]: framing_caps_avp: supported peer frames: sync
> l2tpd[19520]: bearer_caps_avp: supported peer bearers:
> l2tpd[19520]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
> l2tpd[19520]: hostname_avp: peer reports hostname 'winxppro'
> l2tpd[19520]: vendor_avp: peer reports vendor 'Microsoft'
> l2tpd[19520]: assigned_tunnel_avp: using peer's tunnel 30
> l2tpd[19520]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
> l2tpd[19520]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 30, call is 0.
> l2tpd[19520]: control_finish: sending SCCRP
>
> My /etc/l2tpd/l2tpd.conf file is:
>
> [global]
> auth file = /etc/ppp/chap-secrets
> debug avp = yes
> debug network = yes
> debug packet = no
> debug state = yes
> debug tunnel = yes
>
> [lns default]
> name = MYVPN
> ;exclusive = yes
> hostname = host.domain.tld
> local ip = 192.168.129.1
> ip range = 192.168.129.41-192.168.129.45
> require authentication = yes
> require chap = yes
> refuse pap = yes
> ;challenge = yes
> pppoptfile = /etc/ppp/options.l2tpd
> length bit = yes
> ppp debug = yes
>
> It strikes me that either the Windows box is not trying to start a ppp
> session, or l2tpd doesn't know how to start a ppp session.
>
> All and any assistance would be gratefully received.
>
>
> --
> Howard
> LANNet Computing Associates <http://lannet.com.au>
> When you want a computer system that works, just choose Linux;
> When you want a computer system that works, just, choose Microsoft.

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
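The debug output quoted above shows the same SCCRQ arriving over and over, l2tpd answering each with an SCCRP, and the handshake never reaching SCCCN, which is what you would expect if the server's replies are not making it back through the NAT / IPsec path. As an added diagnostic (not part of the thread, and not l2tpd's own code), the script below parses l2tpd debug lines, counts the control messages per peer, and flags that stuck pattern. The peer address 203.0.113.5 and the log samples are constructed, modelled on the lines Howard posted; message type 3 is the SCCCN code from the L2TP spec (RFC 2661).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the thread: SCCRQ (type 1) repeats,
# SCCRP is sent each time, and no SCCCN (type 3) ever arrives.
STUCK_LOG = """\
l2tpd[19520]: network_thread: recv packet from 203.0.113.5, size = 101, tunnel = 0, call = 0
l2tpd[19520]: message_type_avp: message type 1 (Start-Control-Connection-Request)
l2tpd[19520]: control_finish: sending SCCRP
l2tpd[19520]: network_thread: recv packet from 203.0.113.5, size = 101, tunnel = 0, call = 0
l2tpd[19520]: message_type_avp: message type 1 (Start-Control-Connection-Request)
l2tpd[19520]: control_finish: sending SCCRP
"""

# Constructed healthy handshake for comparison: one SCCRQ, one SCCRP, then SCCCN.
OK_LOG = """\
l2tpd[19520]: network_thread: recv packet from 203.0.113.5, size = 101, tunnel = 0, call = 0
l2tpd[19520]: message_type_avp: message type 1 (Start-Control-Connection-Request)
l2tpd[19520]: control_finish: sending SCCRP
l2tpd[19520]: network_thread: recv packet from 203.0.113.5, size = 20, tunnel = 2799, call = 0
l2tpd[19520]: message_type_avp: message type 3 (Start-Control-Connection-Connected)
"""

RECV_RE = re.compile(r"network_thread: recv packet from (\S+), size = \d+")
MSG_RE = re.compile(r"message_type_avp: message type (\d+)")
SEND_RE = re.compile(r"control_finish: sending (\w+)")

def summarise_handshake(log_text):
    """Per peer: how many SCCRQ were received, SCCRP sent, SCCCN received."""
    peers = defaultdict(lambda: {"SCCRQ": 0, "SCCRP": 0, "SCCCN": 0})
    current = None  # peer the following AVP / send lines belong to
    for line in log_text.splitlines():
        if m := RECV_RE.search(line):
            current = m.group(1)
        elif current and (m := MSG_RE.search(line)):
            code = int(m.group(1))
            if code == 1:
                peers[current]["SCCRQ"] += 1
            elif code == 3:
                peers[current]["SCCCN"] += 1
        elif current and (m := SEND_RE.search(line)) and m.group(1) == "SCCRP":
            peers[current]["SCCRP"] += 1
    return dict(peers)

def diagnose(summary):
    """One verdict per peer, derived only from the counted control messages."""
    verdicts = {}
    for peer, c in summary.items():
        if c["SCCCN"] >= 1:
            verdicts[peer] = "ok: control connection established"
        elif c["SCCRQ"] > 1 and c["SCCRP"] >= 1:
            verdicts[peer] = "stuck: SCCRP sent but peer keeps re-sending SCCRQ; our replies are not reaching it (check NAT / IPsec path for UDP 1701)"
        else:
            verdicts[peer] = "incomplete: not enough handshake traffic seen"
    return verdicts
```

Feed it the real output with `summarise_handshake(open("l2tpd.log").read())`; a "stuck" verdict for the Windows client's address points at the return path rather than at the PPP layer.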
