Hello, all.
On 5/7/2014 4:04 PM, Nels Lindquist wrote:
> On 5/7/2014 2:32 PM, Paul Wouters wrote:
>> On Wed, 7 May 2014, Nels Lindquist wrote:
>
>>>> May 7 07:57:10 mail pluto[28834]: | sending IKE fragment id '1', number '1'
>>>>
>>>> Can you try with both ike_frag=force and ike_frag=no ?
>>>
>>> With ike_frag=force we get additional lines (discarding duplicate packet;
>>> already STATE_MAIN_R2); with ike_frag=no the behaviour is the same as
>>> before. Would you like "plutodebug=all" logs for either or both of these
>>> settings?
>
>> Hmm. I don't think that will help as it is the other end that is unhappy.
>> Have you tried this with another device, e.g. an iPhone in L2TP mode or
>> something? Just as reference?
>
> I've only tested with other Windows devices. In production that's all we're
> using for clients connecting from outside. Our current main VPN gateway is
> still OpenSWAN, with a bunch of clients (Windows 7 mostly, but a couple of
> legacy XP) successfully connecting.
>
>>> May 7 13:45:04 mail pluto[14792]: "L2TP-Win2KXP"[1] 209.82.26.89 #6: discarding duplicate packet; already STATE_MAIN_R2
>
>> Is there a way to get the ipsec logs from the Windows machine to find out
>> what it is complaining about?
>
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx?mfr=true
>
> I'll have to work more on this. So far I've enabled IKE logging in the
> Advanced Firewall, but the only message I get is:
>
> An IPsec main mode negotiation failed. Failure Reason: New policy
> invalidated SAs formed with old policy
>
> I think I'm going to have to delve into enabling the Oakley logs, which
> apparently involve downloading XP programs to Windows 7, etc. I'll have to
> tackle that tomorrow.

Boy howdy, did THAT ever turn out to be harder than I expected (in fact, I'm
still not able to read logs for Win7).
I've been away on leave for a couple of months and other priorities were
higher in the time leading up to my leave, so it's been a while...

The good news is that I now have some detailed logs from Windows Vista
wherein the problem may be captured. The logs encompass the connection
attempt to LibreSWAN/L2TP from inside our network. Please see attached.

I'm still working on getting logs from Windows 7, but it turns out that
WFP.TMF files (required to interpret the binary logfiles generated by the
IKEEXT service) are very difficult to find for anything later than 32-bit
Vista (hence the attached log files)...

Please let me know if you need additional logging from the Windows side and
I'll see what I can do.

In case you're curious, I've already tried upgrading to LibreSWAN 3.9, which
didn't resolve the issue.

Nels Lindquist <[email protected]>

An attachment named wfpout.zip was stripped from this message.

Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
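The two pluto log lines quoted in this thread are the responder's view of a Main Mode exchange that never completes: pluto logs "discarding duplicate packet; already STATE_MAIN_R2" when the peer retransmits a message it has already answered, which usually means the peer did not accept pluto's reply. As an added example (not code from the thread, from Nels, or from libreswan), here is a small Python triage script that walks a pluto log in that line format, counts per ISAKMP SA how many retransmissions were discarded and at which state, flags SAs that never reached "ISAKMP SA established", and reports "sending IKE fragment" debug lines whose id/number pair appears more than once as a hint that a fragmented reply was resent. The sample log is constructed: it reuses the two lines from the thread and adds invented repeats, a second peer 198.51.100.7, and an "ISAKMP SA established" line in the same shape; the regexes assume that layout.

```python
import re
from collections import Counter, defaultdict

# Line shapes taken from the thread; the field layout is an assumption about
# this pluto version, not a documented format.
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? '
    r'(?P<peer>[0-9a-fA-F.:]+) #(?P<sa>\d+): (?P<msg>.*)$'
)
DUP_RE = re.compile(r'discarding duplicate packet; already (?P<state>STATE_[A-Z0-9_]+)')
FRAG_RE = re.compile(r"\| sending IKE fragment id '(?P<id>\d+)', number '(?P<num>\d+)'")
ESTABLISHED_RE = re.compile(r'ISAKMP SA established')

# Constructed sample: the two quoted lines plus invented repeats, an invented
# second peer (198.51.100.7) and an invented "established" line.
SAMPLE_LOG = """\
May  7 07:57:10 mail pluto[28834]: | sending IKE fragment id '1', number '1'
May  7 07:57:10 mail pluto[28834]: | sending IKE fragment id '1', number '2'
May  7 07:57:20 mail pluto[28834]: | sending IKE fragment id '1', number '1'
May  7 13:45:04 mail pluto[14792]: "L2TP-Win2KXP"[1] 209.82.26.89 #6: discarding duplicate packet; already STATE_MAIN_R2
May  7 13:45:08 mail pluto[14792]: "L2TP-Win2KXP"[1] 209.82.26.89 #6: discarding duplicate packet; already STATE_MAIN_R2
May  7 13:45:16 mail pluto[14792]: "L2TP-Win2KXP"[1] 209.82.26.89 #6: discarding duplicate packet; already STATE_MAIN_R2
May  7 13:46:02 mail pluto[14792]: "L2TP-Win2KXP"[2] 198.51.100.7 #7: discarding duplicate packet; already STATE_MAIN_R2
May  7 13:46:30 mail pluto[14792]: "L2TP-Win2KXP"[2] 198.51.100.7 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""


def parse_pluto_log(text):
    """Return ({(conn, peer, sa): info}, Counter of (frag_id, frag_num)).

    info holds the number of discarded retransmissions, the state pluto was
    in when it discarded them, and whether the ISAKMP SA ever came up.
    """
    sas = defaultdict(lambda: {"dups": 0, "state": None, "established": False})
    frags = Counter()
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            # Debug lines carry no SA context, so fragments are counted globally.
            frags[(int(m["id"]), int(m["num"]))] += 1
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        info = sas[(m["conn"], m["peer"], int(m["sa"]))]
        d = DUP_RE.search(m["msg"])
        if d:
            info["dups"] += 1
            info["state"] = d["state"]
        elif ESTABLISHED_RE.search(m["msg"]):
            info["established"] = True
    return dict(sas), frags


def stalled_sas(sas, min_dups=2):
    """SAs whose peer kept retransmitting while the ISAKMP SA never came up."""
    return sorted(
        (key, info["state"], info["dups"])
        for key, info in sas.items()
        if info["dups"] >= min_dups and not info["established"]
    )


def retransmitted_fragments(frags):
    """(id, number) pairs sent more than once. Fragment ids can be reused by
    later exchanges, so treat this as a hint to read the surrounding log."""
    return sorted(k for k, n in frags.items() if n > 1)


if __name__ == "__main__":
    sas, frags = parse_pluto_log(SAMPLE_LOG)
    for (conn, peer, sa), state, dups in stalled_sas(sas):
        print(f'"{conn}" {peer} #{sa}: {dups} retransmissions discarded while at {state}')
    for frag_id, num in retransmitted_fragments(frags):
        print(f"IKE fragment id {frag_id} number {num} was sent more than once")
```

Run it over a real /var/log/secure or pluto.log excerpt instead of SAMPLE_LOG to see which peers are stuck at STATE_MAIN_R2; a peer that retransmits MM I2 while pluto is already at R2 is one that never processed pluto's MR2, which is the symptom to correlate with the Windows-side Oakley/WFP trace.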
