I can't seem to get connected to the Freeswan gateway from a Windows 2000 Professional mobile user. The user connects via a local ISP on a dial-up line which dynamically assigns an IP every time the user connects.
Any help or pointers would be greatly appreciated. Below is the information pertaining to my configuration.

Diagram
~~~~~~~

                 __________________
                /                  \
               |  Internal network  |
               |    10.0.0.0/8      |
                \__________________/
                         |
                eth0 : 10.0.0.1/8
                +----------------+
                |   Linux box    |
                | Freeswan+x509  |
                +----------------+
                eth1 : 202.10.10.54
                         |
                   202.10.10.53
                +-----------------+
                |   ADSL Router   |
                | Lucent Cellpipe |
                +-----------------+
                         |
                     ____|____
                    /         \
                   | Internet  |
                    \_________/
                         |
                +----------------+
                |  Win2K using   |
                |    dial-up     |
                |  w/dynamic IP  |
                +----------------+

/etc/l2tpd/l2ptd.conf
~~~~~~~~~~~~~~~~~~~~~

    [global]
    port=1701

    [lns default]
    ip range = 10.0.0.2-10.2.255.255
    local ip = 10.0.0.1
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = gw.yltrd
    ppp debug = yes
    pppoptfile = /etc/ppp/options
    length bit = yes

/etc/ppp/options
~~~~~~~~~~~~~~~~

    ipcp-accept-local
    ipcp-accept-remote
    ms-dns 10.10.10.1
    ms-wins 10.10.10.1
    auth
    crtscts
    idle 1800
    nodefaultroute
    debug
    lock
    proxyarp
    connect-delay 15000
    mtu 1430
    mru 1430

/etc/ipsec.conf
~~~~~~~~~~~~~~~

    version 2.0

    config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=dns
        fragicmp=yes
        overridemtu=1430

    conn %default
        keyingtries=0
        compress=yes
        authby=rsasig
        pfs=no
        disablearrivalcheck=yes

    conn road
        left=202.10.10.54
        leftsubnet=10.0.0.0/8
        leftnexthop=202.10.10.53
        leftid="CN=gw.yltrd"
        leftrsasigkey=%cert
        leftprotoport=17/0
        right=%any
        rightid=%any
        rightrsasigkey=%cert
        rightprotoport=17/1701
        auto=start

ipsec auto --status
~~~~~~~~~~~~~~~~~~~

    000 interface ipsec0/eth1 202.10.10.54
    000
    000 debug dns
    000
    000 "road"[1]: 10.0.0.0/8===202.10.10.54[CN=gw.yltrd]:17/0---202.10.10.53...61.6.103.62:17/1701
    000 "road"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "road"[1]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+DISABLEARRIVALCHECK; interface: eth1; unrouted
    000 "road"[1]: newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
    000 "road": 10.0.0.0/8===202.10.10.54[CN=gw.yltrd]:17/0---202.10.10.53...%any:17/1701
    000 "road": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "road": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+DISABLEARRIVALCHECK; interface: eth1; unrouted
    000 "road": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
    000
    000 #1: "road"[1] 61.6.103.62 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 16s
    000

/var/log/secure
~~~~~~~~~~~~~~~

    Aug 2 12:14:37 gw ipsec__plutorun: Starting Pluto subsystem...
    Aug 2 12:14:37 gw pluto[5845]: Starting Pluto (FreeS/WAN Version 2.01 X.509-1.4.2 PLUTO_USES_KEYRR)
    Aug 2 12:14:37 gw pluto[5845]: Changing to directory '/etc/ipsec.d/cacerts'
    Aug 2 12:14:37 gw pluto[5845]: loaded cacert file 'cacert.pem' (1367 bytes)
    Aug 2 12:14:37 gw pluto[5845]: Changing to directory '/etc/ipsec.d/crls'
    Aug 2 12:14:37 gw pluto[5845]: loaded crl file 'crl.pem' (601 bytes)
    Aug 2 12:14:38 gw pluto[5845]: added connection description "road"
    Aug 2 12:14:38 gw pluto[5845]: listening for IKE messages
    Aug 2 12:14:38 gw pluto[5845]: adding interface ipsec0/eth1 202.10.10.54
    Aug 2 12:14:38 gw pluto[5845]: loading secrets from "/etc/ipsec.secrets"
    Aug 2 12:14:38 gw pluto[5845]: loaded private key file '/etc/ipsec.d/private/gw.yltrd.key' (1743 bytes)
    Aug 2 12:14:38 gw pluto[5845]: "road": cannot route Road Warrior template
    Aug 2 12:14:38 gw pluto[5845]: "road": cannot initiate connection without knowing peer IP address
    Aug 2 12:15:28 gw pluto[5845]: packet from 61.6.103.62:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
    Aug 2 12:15:28 gw pluto[5845]: packet from 61.6.103.62:500: received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
    Aug 2 12:15:28 gw pluto[5845]: packet from 61.6.103.62:500: received Vendor ID Payload; ASCII hash: \020K
    Aug 2 12:15:28 gw pluto[5845]: "road"[1] 61.6.103.62 #1: responding to Main Mode from unknown peer 61.6.103.62
    Aug 2 12:15:28 gw pluto[5845]: "road"[1] 61.6.103.62 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
    Aug 2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
    Aug 2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
    Aug 2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
    Aug 2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
    Aug 2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
    Aug 2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
    Aug 2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
    Aug 2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
    Aug 2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
    Aug 2 12:16:38 gw pluto[5845]: "road"[1] 61.6.103.62 #1: max number of retransmissions (2) reached STATE_MAIN_R2
    Aug 2 12:16:38 gw pluto[5845]: "road"[1] 61.6.103.62: deleting connection "road" instance with peer 61.6.103.62
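The pluto log above shows the road-warrior instance reaching Main Mode, the peer presenting an X.509 DN, pluto answering "no suitable connection for peer" and sending INVALID_ID_INFORMATION, and finally the instance being deleted after retransmissions ran out. The script below is an added example, not part of the original post or of FreeS/WAN: it parses pluto syslog lines of the format quoted above, groups them per connection and peer address, and reports what was learned about each failed negotiation (which identity the peer offered, how many times the gateway rejected it, and whether the instance was torn down). The sample log is copied from the post with whitespace normalised; the message patterns it matches are the ones visible in that log, and the wording of the findings is this example's own.

```python
import re
from collections import Counter, defaultdict

# Sample input: pluto lines taken from the log quoted in the post above.
SAMPLE_LOG = """\
Aug 2 12:14:38 gw pluto[5845]: "road": cannot route Road Warrior template
Aug 2 12:14:38 gw pluto[5845]: "road": cannot initiate connection without knowing peer IP address
Aug 2 12:15:28 gw pluto[5845]: "road"[1] 61.6.103.62 #1: responding to Main Mode from unknown peer 61.6.103.62
Aug 2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 2 12:15:29 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
Aug 2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 2 12:15:30 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
Aug 2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: Peer ID is ID_DER_ASN1_DN: 'CN=ussenterprise.pract'
Aug 2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: no suitable connection for peer 'CN=ussenterprise.pract'
Aug 2 12:15:32 gw pluto[5845]: "road"[1] 61.6.103.62 #1: sending notification INVALID_ID_INFORMATION to 61.6.103.62:500
Aug 2 12:16:38 gw pluto[5845]: "road"[1] 61.6.103.62 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Aug 2 12:16:38 gw pluto[5845]: "road"[1] 61.6.103.62: deleting connection "road" instance with peer 61.6.103.62
"""

# syslog prefix up to and including 'pluto[pid]: '
PLUTO_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<rest>.*)$')
# '"conn"[instance] peer-ip #sa: message'  (the '#sa' part is absent on some lines)
INSTANCE_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\d+\.\d+\.\d+\.\d+)(?: #\d+)?: (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<idtype>\S+): '(?P<id>[^']*)'")
NO_CONN_RE = re.compile(r"no suitable connection for peer '(?P<id>[^']*)'")
NOTIFY_RE = re.compile(r'sending notification (?P<notify>\w+) to')


def new_record():
    return {"peer_ids": set(), "no_suitable_conn": 0,
            "notifications": Counter(), "retransmit_exhausted": False, "deleted": False}


def parse_pluto_log(text):
    """Return ({(conn, peer_ip): record}, [template messages]) for the given syslog text."""
    peers = defaultdict(new_record)
    template_notes = []
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        inst = INSTANCE_RE.match(rest)
        if not inst:
            # Messages about the template itself, logged before any peer has connected.
            if "Road Warrior template" in rest or "without knowing peer IP" in rest:
                template_notes.append(rest)
            continue
        rec = peers[(inst.group("conn"), inst.group("peer"))]
        msg = inst.group("msg")
        pm = PEER_ID_RE.search(msg)
        nm = NOTIFY_RE.search(msg)
        if pm:
            rec["peer_ids"].add((pm.group("idtype"), pm.group("id")))
        elif NO_CONN_RE.search(msg):
            rec["no_suitable_conn"] += 1
        elif nm:
            rec["notifications"][nm.group("notify")] += 1
        elif "max number of retransmissions" in msg:
            rec["retransmit_exhausted"] = True
        elif msg.startswith("deleting connection"):
            rec["deleted"] = True
    return dict(peers), template_notes


def diagnose(rec):
    """One-line finding for a single (conn, peer) record."""
    rejected = rec["notifications"].get("INVALID_ID_INFORMATION", 0)
    if rec["no_suitable_conn"] and rejected:
        ids = ", ".join("%s %r" % (t, i) for t, i in sorted(rec["peer_ids"]))
        return ("ID mismatch: peer identified as %s, but no connection on this gateway "
                "accepts that identity (INVALID_ID_INFORMATION sent %d time(s)); "
                "compare the offered ID with the rightid of the road-warrior conn"
                % (ids, rejected))
    if rec["retransmit_exhausted"]:
        return "peer stopped answering before Phase 1 completed"
    return "no failure recorded"


if __name__ == "__main__":
    peers, notes = parse_pluto_log(SAMPLE_LOG)
    for note in notes:
        print("template:", note)
    for (conn, peer), rec in peers.items():
        print("%s <- %s: %s%s" % (conn, peer, diagnose(rec),
                                   " [instance deleted]" if rec["deleted"] else ""))
```

The two template lines ("cannot route Road Warrior template", "cannot initiate connection without knowing peer IP address") are kept separate from the per-peer records because they only say that a `right=%any` connection cannot be routed or initiated until a peer shows up; the actual failure in this log is the per-peer "no suitable connection" rejection, which the diagnosis ties back to the identity the peer offered.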