Re: IPSec WinXP interop
On Wed, Dec 24, 2003 at 12:49:31AM +0000, Antony Gelberg wrote:
> My first post here - long time d-u subscriber. I'm trying to set up a
> VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
> router. I want to use X.509 certificates rather than PSKs.
I managed to set up a VPN dial-up connection from Windows Dial-up
Networking to Debian running superfreeswan and l2tpd - so it is
possible to do this (although not too easy). I used l2tpd 0.69-7jdl and
freeswan 1.99.8.
> When I try to log in, I get "Error 792: The L2TP connection attempt
> failed because security negotiation timed out." I don't get any
> "verifying username..." message.
As usual this doesn't tell much. Error messages on the Linux side are
a lot better. Also try monitoring the traffic with tcpdump on different
interfaces (depending on the part of the connection you managed to get
working you should either monitor eth0, ipsec0 or ppp0). Try checking
/var/log/auth.log for IPSec messages. A successful connection looks
like this:
pluto[2272]: packet from 10.0.0.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: responding to Main Mode from unknown peer 10.0.0.100
pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: Main mode peer ID is ID_DER_ASN1_DN: 'C=HR, L=Zagreb, O=TEST, OU=TEST, CN=vvidic'
pluto[2272]: "win-vpn"[14] 10.0.0.100 #52: sent MR3, ISAKMP SA established
pluto[2272]: "win-vpn"[14] 10.0.0.100 #53: responding to Quick Mode
pluto[2272]: "win-vpn"[14] 10.0.0.100 #53: IPsec SA established
After that the L2TP connection is opened:
l2tpd[18343]: ourtid = 42661, entropy_buf = a6a5
l2tpd[18343]: ourcid = 25187, entropy_buf = 6263
l2tpd[18343]: check_control: control, cid = 0, Ns = 0, Nr = 0
l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 25187
l2tpd[18343]: message_type_avp: message type 1 (Start-Control-Connection-Request)
l2tpd[18343]: protocol_version_avp: peer is using version 1, revision 0.
l2tpd[18343]: framing_caps_avp: supported peer frames: sync
l2tpd[18343]: bearer_caps_avp: supported peer bearers:
l2tpd[18343]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
l2tpd[18343]: hostname_avp: peer reports hostname 'no'
l2tpd[18343]: vendor_avp: peer reports vendor 'Microsoft\200^H'
l2tpd[18343]: assigned_tunnel_avp: using peer's tunnel 1
l2tpd[18343]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
l2tpd[18343]: ourtid = 11890, entropy_buf = 2e72
l2tpd[18343]: check_control: control, cid = 0, Ns = 0, Nr = 0
l2tpd[18343]: handle_avps: handling avp's for tunnel 11890, call 1886351988
l2tpd[18343]: message_type_avp: message type 1 (Start-Control-Connection-Request)
l2tpd[18343]: protocol_version_avp: peer is using version 1, revision 0.
l2tpd[18343]: framing_caps_avp: supported peer frames: sync
l2tpd[18343]: bearer_caps_avp: supported peer bearers:
l2tpd[18343]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
l2tpd[18343]: hostname_avp: peer reports hostname 'no'
l2tpd[18343]: vendor_avp: peer reports vendor 'Microsoft\200^H'
l2tpd[18343]: assigned_tunnel_avp: using peer's tunnel 1
l2tpd[18343]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
l2tpd[18343]: control_finish: Peer requested tunnel 1 twice, ignoring second one.
l2tpd[18343]: ourtid = 4056, entropy_buf = fd8
l2tpd[18343]: ourcid = 46152, entropy_buf = b448
l2tpd[18343]: check_control: control, cid = 0, Ns = 0, Nr = 0
l2tpd[18343]: handle_avps: handling avp's for tunnel 4056, call 46152
l2tpd[18343]: message_type_avp: message type 1 (Start-Control-Connection-Request)
l2tpd[18343]: protocol_version_avp: peer is using version 1, revision 0.
l2tpd[18343]: framing_caps_avp: supported peer frames: sync
l2tpd[18343]: bearer_caps_avp: supported peer bearers:
l2tpd[18343]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
l2tpd[18343]: hostname_avp: peer reports hostname 'no'
l2tpd[18343]: vendor_avp: peer reports vendor 'Microsoft\200^H'
l2tpd[18343]: assigned_tunnel_avp: using peer's tunnel 1
l2tpd[18343]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
l2tpd[18343]: control_finish: Peer requested tunnel 1 twice, ignoring second one.
l2tpd[18343]: check_control: control, cid = 0, Ns = 1, Nr = 1
l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 25187
l2tpd[18343]: message_type_avp: message type 3 (Start-Control-Connection-Connected)
l2tpd[18343]: control_finish: Connection established to 10.0.0.100, 1701. Local: 42661, Remote: 1. LNS session is 'default'
l2tpd[18343]: check_control: control, cid = 0, Ns = 2, Nr = 1
l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 25187
l2tpd[18343]: message_type_avp: message type 10 (Incoming-Call-Request)
l2tpd[18343]: message_type_avp: new incoming call
l2tpd[18343]: ourcid = 15796, entropy_buf = 3db4
l2tpd[18343]: assigned_call_avp: using peer's call 1
l2tpd[18343]: call_serno_avp: serial number is 0
l2tpd[18343]: bearer_type_avp: peer bears: analog
l2tpd[18343]: check_control: control, cid = 0, Ns = 3, Nr = 1
l2tpd[18343]: check_control: control, cid = 1, Ns = 3, Nr = 2
l2tpd[18343]: handle_avps: handling avp's for tunnel 42661, call 15796
l2tpd[18343]: message_type_avp: message type 12 (Incoming-Call-Connected)
l2tpd[18343]: tx_speed_avp: transmit baud rate is 11000000
l2tpd[18343]: frame_type_avp: peer uses:sync frames
l2tpd[18343]: ignore_avp : Ignoring AVP
l2tpd[18343]: start_pppd: I'm running:
l2tpd[18343]: "/usr/sbin/pppd"
l2tpd[18343]: "passive"
l2tpd[18343]: "-detach"
l2tpd[18343]: "192.168.0.1:192.168.0.2"
l2tpd[18343]: "file"
l2tpd[18343]: "/etc/ppp/l2tpdopt"
l2tpd[18343]: "/dev/ttyp0"
l2tpd[18343]:
l2tpd[18343]: control_finish: Call established with 10.0.0.100, Local: 15796, Remote: 1, Serial: 0
l2tpd[18343]: check_control: control, cid = 0, Ns = 4, Nr = 2
Then pppd is started:
pppd[21430]: pppd 2.4.2b3 started by root, uid 0
pppd[21430]: Using interface ppp0
pppd[21430]: Connect: ppp0 <--> /dev/ttyp0
pppd[21430]: CHAP peer authentication succeeded for vvidic
pppd[21430]: Cannot determine ethernet address for proxy ARP
pppd[21430]: local IP address 192.168.0.1
pppd[21430]: remote IP address 192.168.0.2
Relevant part of ipsec.conf (note the *protoport options):
conn win-vpn
        type=transport
        authby=rsasig
        pfs=no
        left=10.0.0.1
        leftcert=vpn.pem
        leftprotoport=17/0
        right=%any
        rightrsasigkey=%cert
        rightprotoport=17/1701
        auto=add
> Nothing in /var/log appears to be of much use. There's lots of klips
> stuff which is very verbose, but nothing sticks out.
Turn off the verbosity for IPSec - the normal log level was always
enough for me, but use the debug option for pppd.
> Any insight would be much appreciated. I must admit I'm still a little
> unclear how the whole idea works, but I believe that IPSec receives the
> connection, then calls l2tpd, which starts ppp. I can post more config
> / debug if needed.
First the IPSec tunnel is established. Over that tunnel an L2TP connection is
created via l2tp. L2TP packets then carry standard PPP frames - that is
what pppd handles.
Hope this helps. Post some of your logs if not. :)
Valentin
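The post's advice is to read the Linux-side logs and work out which of the three layers (IPSec, L2TP, PPP) the connection got stuck in. The script below is an added example, not part of the mailing-list thread: it walks auth.log-style lines, matches the milestone messages from pluto, l2tpd and pppd that appear in the post, and says which layer to look at next. The regexes, stage names and "next step" hints are mine; the sample lines are constructed from the patterns quoted above (the failure case is a made-up log where main mode starts but never completes, which is what Error 792 looks like from the client).

```python
"""Triage a freeswan + l2tpd + pppd login from syslog lines (added example)."""
import re

# One regex per stage; a match proves that stage completed. Order follows the
# post: IPSec (main mode, quick mode), then L2TP (tunnel, call), then PPP.
STAGES = [
    ("ike_main_mode",  re.compile(r"pluto\[\d+\]: .*ISAKMP SA established")),
    ("ike_quick_mode", re.compile(r"pluto\[\d+\]: .*IPsec SA established")),
    ("l2tp_tunnel",    re.compile(r"l2tpd\[\d+\]: control_finish: Connection established to ")),
    ("l2tp_call",      re.compile(r"l2tpd\[\d+\]: control_finish: Call established with ")),
    ("ppp_auth",       re.compile(r"pppd\[\d+\]: \S+ peer authentication succeeded for (\S+)")),
    ("ppp_up",         re.compile(r"pppd\[\d+\]: remote IP address (\S+)")),
]
PEER_ADDR_RE = re.compile(r"responding to Main Mode from unknown peer (\S+)")
PEER_ID_RE = re.compile(r"Main mode peer ID is (\S+): '([^']*)'")
AUTH_FAIL_RE = re.compile(r"pppd\[\d+\]: .*peer authentication failed")

# What to check next, keyed by the last stage that completed (None = none at all).
# These hints are my summary of the troubleshooting advice in the post.
NEXT_STEP = {
    None: "IKE main mode never finished (the 'security negotiation timed out' case): "
          "read pluto's lines in auth.log and tcpdump UDP/500 on eth0; is the peer's certificate/ID accepted?",
    "ike_main_mode": "ISAKMP SA up but no IPsec SA: quick mode failed; check type=transport and "
                     "leftprotoport=17/0 / rightprotoport=17/1701 in ipsec.conf.",
    "ike_quick_mode": "IPsec SA up but no L2TP tunnel: UDP/1701 is not reaching l2tpd; tcpdump on ipsec0.",
    "l2tp_tunnel": "L2TP tunnel up but no call: look at l2tpd's ICRQ/ICCN handling and the pty given to pppd.",
    "l2tp_call": "pppd started but never authenticated the peer: run pppd with the debug option.",
    "ppp_auth": "Authenticated but no remote IP: check the address pair passed to pppd and ppp0.",
    "ppp_up": "Connection completed through IPsec, L2TP and PPP.",
}

def triage(lines):
    """Return the stages reached (in protocol order), identity details and the next thing to check."""
    seen, info = set(), {"peer": None, "peer_id": None, "user": None, "remote_ip": None}
    auth_failed = False
    for line in lines:
        m = PEER_ADDR_RE.search(line)
        if m:
            info["peer"] = m.group(1)
        m = PEER_ID_RE.search(line)
        if m:
            info["peer_id"] = m.group(2)
        if AUTH_FAIL_RE.search(line):
            auth_failed = True
        for name, rx in STAGES:
            m = rx.search(line)
            if m:
                seen.add(name)
                if name == "ppp_auth":
                    info["user"] = m.group(1)
                elif name == "ppp_up":
                    info["remote_ip"] = m.group(1)
    reached = [name for name, _ in STAGES if name in seen]
    diagnosis = NEXT_STEP[reached[-1] if reached else None]
    if auth_failed:
        diagnosis = "PPP peer authentication failed: check the username and the chap-secrets entry."
    return {"reached": reached, "diagnosis": diagnosis, **info}

# Constructed sample input, taken from the successful session quoted in the post.
SUCCESS_LOG = [
    "pluto[2272]: packet from 10.0.0.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]",
    'pluto[2272]: "win-vpn"[13] 10.0.0.100 #52: responding to Main Mode from unknown peer 10.0.0.100',
    "pluto[2272]: \"win-vpn\"[13] 10.0.0.100 #52: Main mode peer ID is ID_DER_ASN1_DN: 'C=HR, L=Zagreb, O=TEST, OU=TEST, CN=vvidic'",
    'pluto[2272]: "win-vpn"[14] 10.0.0.100 #52: sent MR3, ISAKMP SA established',
    'pluto[2272]: "win-vpn"[14] 10.0.0.100 #53: IPsec SA established',
    "l2tpd[18343]: control_finish: Connection established to 10.0.0.100, 1701. Local: 42661, Remote: 1. LNS session is 'default'",
    "l2tpd[18343]: control_finish: Call established with 10.0.0.100, Local: 15796, Remote: 1, Serial: 0",
    "pppd[21430]: CHAP peer authentication succeeded for vvidic",
    "pppd[21430]: remote IP address 192.168.0.2",
]
# Constructed failure: main mode starts, nothing else ever appears.
FAILED_LOG = SUCCESS_LOG[:2]

if __name__ == "__main__":
    for log in (SUCCESS_LOG, FAILED_LOG):
        r = triage(log)
        print("reached:", ", ".join(r["reached"]) or "nothing", "->", r["diagnosis"])
```

Feed it `grep -h 'pluto\|l2tpd\|pppd' /var/log/auth.log /var/log/daemon.log` for one login attempt; the last stage it reports is the layer whose daemon log (or tcpdump interface) to look at next.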
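The l2tpd lines above (handle_avps, message_type_avp, hostname_avp, assigned_tunnel_avp, receive_window_size_avp and so on) are l2tpd decoding the AVPs of the Start-Control-Connection-Request that Windows sends over UDP/1701 once the IPSec SA is up. The following is an added example, not code from the thread or from l2tpd: it builds such an SCCRQ from RFC 2661 field definitions and parses it back, refusing malformed input (bad lengths, hidden AVPs without a secret, unknown mandatory AVPs) the way a listener exposed on UDP/1701 should. The hostname and vendor strings are made up; attribute numbers and header bits are from RFC 2661.

```python
"""Build and decode an L2TPv2 SCCRQ control message (RFC 2661); added example."""
import struct

# Control-message names by Message Type AVP value (RFC 2661 section 3.2).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
# IETF (vendor 0) attribute types seen in an SCCRQ (RFC 2661 section 4.4).
ATTR_NAMES = {0: "message_type", 2: "protocol_version", 3: "framing_capabilities",
              4: "bearer_capabilities", 6: "firmware_revision", 7: "hostname",
              8: "vendor_name", 9: "assigned_tunnel_id", 10: "receive_window_size"}

def build_avp(attr_type, value, mandatory=True):
    """AVP header: M bit, H bit (0 here), 10-bit total length, vendor ID 0, attribute type."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value

def build_sccrq(our_tunnel_id, hostname, vendor, rws=8):
    """SCCRQ: T=1, L=1, S=1, Ver=2; tunnel/session 0 (no tunnel yet); Ns=0, Nr=0."""
    avps = b"".join([
        build_avp(0, struct.pack("!H", 1)),          # Message Type 1 = SCCRQ
        build_avp(2, bytes([1, 0])),                 # protocol version 1, revision 0
        build_avp(3, struct.pack("!I", 0x1)),        # framing caps: S bit = sync frames
        build_avp(4, struct.pack("!I", 0x0)),        # bearer caps: none advertised
        build_avp(6, struct.pack("!H", 0x0500)),     # firmware revision (value from the log)
        build_avp(7, hostname.encode("ascii")),
        build_avp(8, vendor.encode("ascii"), mandatory=False),
        build_avp(9, struct.pack("!H", our_tunnel_id)),
        build_avp(10, struct.pack("!H", rws)),
    ])
    flags = 0x8000 | 0x4000 | 0x0800 | 2             # T | L | S | version 2
    return struct.pack("!HHHHHH", flags, 12 + len(avps), 0, 0, 0, 0) + avps

def decode_avp(attr_type, value):
    """Decode the IETF AVPs l2tpd reports in handle_avps."""
    if attr_type == 0:
        code = struct.unpack("!H", value)[0]
        return MESSAGE_TYPES.get(code, "type %d" % code)
    if attr_type == 2:
        return (value[0], value[1])
    if attr_type in (3, 4):                          # bit 0 = sync/digital, bit 1 = async/analog
        bits = struct.unpack("!I", value)[0]
        low, high = ("sync", "async") if attr_type == 3 else ("digital", "analog")
        return {low: bool(bits & 1), high: bool(bits & 2)}
    if attr_type in (6, 9, 10):
        return struct.unpack("!H", value)[0]
    return value.decode("latin-1")                   # hostname / vendor name

def parse_control_message(pkt):
    """Decode header and AVPs; every malformed case raises instead of being guessed at."""
    flags = struct.unpack_from("!H", pkt, 0)[0]
    if not (flags & 0x8000) or (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 control message")
    if not (flags & 0x4000) or not (flags & 0x0800) or (flags & 0x0200):
        raise ValueError("control messages need the L and S bits and no offset")
    length = struct.unpack_from("!H", pkt, 2)[0]
    if length < 12 or length > len(pkt):
        raise ValueError("length field %d does not fit a %d byte packet" % (length, len(pkt)))
    tunnel_id, session_id, ns, nr = struct.unpack_from("!HHHH", pkt, 4)
    avps, pos = {}, 12
    while pos < length:
        if length - pos < 6:
            raise ValueError("truncated AVP header at offset %d" % pos)
        aflags, vendor_id, attr_type = struct.unpack_from("!HHH", pkt, pos)
        alen = aflags & 0x03FF
        if alen < 6 or pos + alen > length:
            raise ValueError("bad AVP length %d at offset %d" % (alen, pos))
        if aflags & 0x4000:
            raise ValueError("hidden AVP received but no tunnel secret is configured")
        value = pkt[pos + 6:pos + alen]
        if vendor_id == 0 and attr_type in ATTR_NAMES:
            avps[ATTR_NAMES[attr_type]] = decode_avp(attr_type, value)
        elif aflags & 0x8000:                        # unknown mandatory AVP: must reject
            raise ValueError("unknown mandatory AVP vendor %d type %d" % (vendor_id, attr_type))
        pos += alen
    if "message_type" not in avps:
        raise ValueError("control message without a Message Type AVP")
    return {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
            "message_type": avps["message_type"], "avps": avps}

if __name__ == "__main__":
    # Constructed packet: a client claiming tunnel 1 with an 8-packet receive window.
    msg = parse_control_message(build_sccrq(1, "roadwarrior", "Microsoft"))
    for name, val in msg["avps"].items():
        print("%s: %r" % (name, val))
```

The decoded dictionary lines up with the l2tpd log one to one (message type 1, version 1 revision 0, sync framing, assigned tunnel 1, RWS 8), which is a convenient way to check what a tcpdump capture on ipsec0 actually carried.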