
Re: IPSec WinXP interop



On Wed, Dec 24, 2003 at 12:49:31AM +0000, Antony Gelberg wrote:
> My first post here - long time d-u subscriber.  I'm trying to set up a
> VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
> router.  I want to use X.509 certificates rather than PSKs.

  I managed to set up a VPN dial-up connection from Windows Dial-up
Networking to Debian running superfreeswan and l2tpd - so it is
possible to do this (although not too easy). I used l2tpd 0.69-7jdl and
freeswan 1.99.8.

> When I try to log in, I get "Error 792: The L2TP connection attempt
> failed because security negotiation timed out."  I don't get any
> "verifying username..." message.

  As usual this doesn't tell much. Error messages on the Linux side are
a lot better. Also try monitoring the traffic with tcpdump on different
interfaces (depending on the part of the connection you managed to get
working you should either monitor eth0, ipsec0 or ppp0). Try checking
/var/log/auth.log for IPSec messages. A successful connection looks
like this:

 pluto[2272]: packet from 10.0.0.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
 pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: responding to Main Mode from unknown peer 10.0.0.100
 pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: Main mode peer ID is ID_DER_ASN1_DN: 'C=HR, L=Zagreb, O=TEST, OU=TEST, CN=vvidic'
 pluto[2272]: "win-vpn"[14] 10.0.0.100 #52: sent MR3, ISAKMP SA established
 pluto[2272]: "win-vpn"[14] 10.0.0.100 #53: responding to Quick Mode
 pluto[2272]: "win-vpn"[14] 10.0.0.100 #53: IPsec SA established

  After that the l2tp connection is opened:

 l2tpd[18343]: ourtid = 42661, entropy_buf = a6a5 
 l2tpd[18343]: ourcid = 25187, entropy_buf = 6263 
 l2tpd[18343]: check_control: control, cid = 0, Ns = 0, Nr = 0 
 l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 25187 
 l2tpd[18343]: message_type_avp: message type 1 (Start-Control-Connection-Request) 
 l2tpd[18343]: protocol_version_avp: peer is using version 1, revision 0. 
 l2tpd[18343]: framing_caps_avp: supported peer frames: sync 
 l2tpd[18343]: bearer_caps_avp: supported peer bearers: 
 l2tpd[18343]: firmware_rev_avp: peer reports firmware version 1280 (0x0500) 
 l2tpd[18343]: hostname_avp: peer reports hostname 'no' 
 l2tpd[18343]: vendor_avp: peer reports vendor 'Microsoft\200^H' 
 l2tpd[18343]: assigned_tunnel_avp: using peer's tunnel 1 
 l2tpd[18343]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control. 
 l2tpd[18343]: ourtid = 11890, entropy_buf = 2e72 
 l2tpd[18343]: check_control: control, cid = 0, Ns = 0, Nr = 0 
 l2tpd[18343]: handle_avps: handling avp's for tunnel 11890, call 1886351988 
 l2tpd[18343]: message_type_avp: message type 1 (Start-Control-Connection-Request) 
 l2tpd[18343]: protocol_version_avp: peer is using version 1, revision 0. 
 l2tpd[18343]: framing_caps_avp: supported peer frames: sync 
 l2tpd[18343]: bearer_caps_avp: supported peer bearers: 
 l2tpd[18343]: firmware_rev_avp: peer reports firmware version 1280 (0x0500) 
 l2tpd[18343]: hostname_avp: peer reports hostname 'no' 
 l2tpd[18343]: vendor_avp: peer reports vendor 'Microsoft\200^H' 
 l2tpd[18343]: assigned_tunnel_avp: using peer's tunnel 1 
 l2tpd[18343]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control. 
 l2tpd[18343]: control_finish: Peer requested tunnel 1 twice, ignoring second one. 
 l2tpd[18343]: ourtid = 4056, entropy_buf = fd8 
 l2tpd[18343]: ourcid = 46152, entropy_buf = b448 
 l2tpd[18343]: check_control: control, cid = 0, Ns = 0, Nr = 0 
 l2tpd[18343]: handle_avps: handling avp's for tunnel 4056, call 46152 
 l2tpd[18343]: message_type_avp: message type 1 (Start-Control-Connection-Request) 
 l2tpd[18343]: protocol_version_avp: peer is using version 1, revision 0. 
 l2tpd[18343]: framing_caps_avp: supported peer frames: sync 
 l2tpd[18343]: bearer_caps_avp: supported peer bearers: 
 l2tpd[18343]: firmware_rev_avp: peer reports firmware version 1280 (0x0500) 
 l2tpd[18343]: hostname_avp: peer reports hostname 'no' 
 l2tpd[18343]: vendor_avp: peer reports vendor 'Microsoft\200^H' 
 l2tpd[18343]: assigned_tunnel_avp: using peer's tunnel 1 
 l2tpd[18343]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control. 
 l2tpd[18343]: control_finish: Peer requested tunnel 1 twice, ignoring second one. 
 l2tpd[18343]: check_control: control, cid = 0, Ns = 1, Nr = 1 
 l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 25187 
 l2tpd[18343]: message_type_avp: message type 3 (Start-Control-Connection-Connected) 
 l2tpd[18343]: control_finish: Connection established to 10.0.0.100, 1701.  Local: 42661, Remote: 1.  LNS session is 'default' 
 l2tpd[18343]: check_control: control, cid = 0, Ns = 2, Nr = 1 
 l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 25187 
 l2tpd[18343]: message_type_avp: message type 10 (Incoming-Call-Request) 
 l2tpd[18343]: message_type_avp: new incoming call 
 l2tpd[18343]: ourcid = 15796, entropy_buf = 3db4 
 l2tpd[18343]: assigned_call_avp: using peer's call 1 
 l2tpd[18343]: call_serno_avp: serial number is 0 
 l2tpd[18343]: bearer_type_avp: peer bears: analog 
 l2tpd[18343]: check_control: control, cid = 0, Ns = 3, Nr = 1 
 l2tpd[18343]: check_control: control, cid = 1, Ns = 3, Nr = 2 
 l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 15796 
 l2tpd[18343]: message_type_avp: message type 12 (Incoming-Call-Connected) 
 l2tpd[18343]: tx_speed_avp: transmit baud rate is 11000000 
 l2tpd[18343]: frame_type_avp: peer uses:sync frames 
 l2tpd[18343]: ignore_avp : Ignoring AVP 
 l2tpd[18343]: start_pppd: I'm running:  
 l2tpd[18343]: "/usr/sbin/pppd" 
 l2tpd[18343]: "passive" 
 l2tpd[18343]: "-detach" 
 l2tpd[18343]: "192.168.0.1:192.168.0.2" 
 l2tpd[18343]: "file" 
 l2tpd[18343]: "/etc/ppp/l2tpdopt" 
 l2tpd[18343]: "/dev/ttyp0" 
 l2tpd[18343]:  
 l2tpd[18343]: control_finish: Call established with 10.0.0.100, Local: 15796, Remote: 1, Serial: 0 
 l2tpd[18343]: check_control: control, cid = 0, Ns = 4, Nr = 2 

  Then pppd is started:

 pppd[21430]: pppd 2.4.2b3 started by root, uid 0
 pppd[21430]: Using interface ppp0
 pppd[21430]: Connect: ppp0 <--> /dev/ttyp0
 pppd[21430]: CHAP peer authentication succeeded for vvidic
 pppd[21430]: Cannot determine ethernet address for proxy ARP
 pppd[21430]: local  IP address 192.168.0.1
 pppd[21430]: remote IP address 192.168.0.2

  Relevant part of ipsec.conf (note the *protoport options):

conn win-vpn
        type=transport
        authby=rsasig
        pfs=no
        left=10.0.0.1
        leftcert=vpn.pem
        leftprotoport=17/0
        right=%any
        rightrsasigkey=%cert
        rightprotoport=17/1701
        auto=add

> Nothing in /var/log appears to be of much use.  There's lots of klips
> stuff which is very verbose, but nothing sticks out.

  Turn off the verbosity for IPSec - the normal log level was always
enough for me, but use the debug option for pppd.

> Any insight would be much appreciated.  I must admit I'm still a little
> unclear how the whole idea works, but I believe that IPSec receives the
> connection, then calls l2tpd, which starts ppp.  I can post more config
> / debug if needed.

  First the IPSec tunnel is established. Over that tunnel an L2TP connection is
created via l2tp. L2TP packets then carry standard PPP frames - that is
what pppd handles.

  Hope this helps. Post some of your logs if not. :)

  Valentin
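The advice above to read /var/log/auth.log rather than the Windows "Error 792" text can be turned into a small check. The following is an added example, not part of Valentin's post or of the FreeS/WAN or l2tpd projects: it walks pluto log lines and reports, per peer address, the furthest IKEv1 milestone reached (Main Mode, peer ID, ISAKMP SA, Quick Mode, IPsec SA), so an admin can see whether phase 1 or phase 2 is where "security negotiation timed out". The sample log text is constructed here, modelled on the lines quoted in the mail; the diagnostic hints are the author's assumptions about what to check at each stage, not anything pluto itself prints.

```python
import re

# Constructed sample: a complete negotiation, modelled on the pluto lines in the mail.
SAMPLE_OK = """\
pluto[2272]: packet from 10.0.0.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: responding to Main Mode from unknown peer 10.0.0.100
pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: Main mode peer ID is ID_DER_ASN1_DN: 'C=HR, L=Zagreb, O=TEST, OU=TEST, CN=vvidic'
pluto[2272]: "win-vpn"[14] 10.0.0.100 #52: sent MR3, ISAKMP SA established
pluto[2272]: "win-vpn"[14] 10.0.0.100 #53: responding to Quick Mode
pluto[2272]: "win-vpn"[14] 10.0.0.100 #53: IPsec SA established
"""

# Constructed sample: the negotiation stalls right after Main Mode begins,
# which is the kind of failure the Windows client only reports as "Error 792".
SAMPLE_STALL = """\
pluto[2272]: packet from 10.0.0.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: responding to Main Mode from unknown peer 10.0.0.100
"""

# Ordered milestones of an IKEv1 (Main Mode + Quick Mode) negotiation as pluto logs them.
STAGES = [
    ("main_mode", re.compile(r"responding to Main Mode")),
    ("peer_id", re.compile(r"Main mode peer ID is (\S+): '([^']*)'")),
    ("isakmp_sa", re.compile(r"ISAKMP SA established")),
    ("quick_mode", re.compile(r"responding to Quick Mode")),
    ("ipsec_sa", re.compile(r"IPsec SA established")),
]

# pluto prefixes per-connection lines with "conn-name"[instance] peer-ip #state-number:
PEER_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\d+\.\d+\.\d+\.\d+) #\d+:')

# Hypothetical next-step hints per stage (assumptions by the example author).
HINTS = {
    None: "no Main Mode exchange seen: check that UDP/500 from the client reaches the router (tcpdump on eth0)",
    "main_mode": "Main Mode started but no peer ID logged: check the client certificate and the CA trust on the router",
    "peer_id": "peer ID seen but no ISAKMP SA: check leftcert/rightrsasigkey and that the peer ID is acceptable",
    "isakmp_sa": "phase 1 done but no Quick Mode: check the phase 2 policy (type=transport, *protoport options)",
    "quick_mode": "Quick Mode started but no IPsec SA: check leftprotoport=17/0 and rightprotoport=17/1701",
    "ipsec_sa": "IPsec SA established: move on to the l2tpd and pppd logs",
}


def analyse_pluto_log(text):
    """Return {peer_ip: {conn, stage, peer_id, complete}} with the furthest stage reached."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue  # vendor ID / unrelated lines carry no connection prefix
        rec = peers.setdefault(
            m.group("peer"), {"conn": m.group("conn"), "idx": -1, "peer_id": None}
        )
        for idx, (name, rx) in enumerate(STAGES):
            hit = rx.search(line)
            if hit:
                rec["idx"] = max(rec["idx"], idx)
                if name == "peer_id":
                    rec["peer_id"] = hit.group(2)
    return {
        peer: {
            "conn": rec["conn"],
            "stage": STAGES[rec["idx"]][0] if rec["idx"] >= 0 else None,
            "peer_id": rec["peer_id"],
            "complete": rec["idx"] == len(STAGES) - 1,
        }
        for peer, rec in peers.items()
    }


def diagnose(text):
    """Map each peer's furthest stage to the hint for what to check next."""
    return {peer: HINTS[rec["stage"]] for peer, rec in analyse_pluto_log(text).items()}


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("stall", SAMPLE_STALL)):
        for peer, rec in analyse_pluto_log(sample).items():
            print(f"[{label}] {peer} ({rec['conn']}): stage={rec['stage']} peer_id={rec['peer_id']}")
            print(f"        {diagnose(sample)[peer]}")
```

Feed it real auth.log lines with something like `python3 pluto_stage.py < /var/log/auth.log` after adding a stdin reader; on the mail's own successful log it reports `ipsec_sa` for 10.0.0.100 with the certificate DN as the peer ID, while a log that stops after "responding to Main Mode" points at certificate or ID verification rather than at the L2TP layer.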


