Re: IPSec WinXP interop
Hi,
Looks like an IPsec issue, as L2TP can't connect. What do the FreeS/WAN logs
look like?
On Wed, Dec 24, 2003 at 12:49:31AM +0000, Antony Gelberg wrote:
> Hi all,
>
> My first post here - long-time d-u subscriber. I'm trying to set up a
> VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
> router. I want to use X.509 certificates rather than PSKs.
>
> So I've installed freeswan and l2tpd on the router. There is quite a
> bit of documentation out there and I have read:
> http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html and
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. Not to mention
> http://www.natecarlson.com/linux/ipsec-x509.php.
>
> I'm running Woody, hence:
> Package: freeswan
> Version: 1.96-1.4
> I heard that Woody l2tpd (0.67) wouldn't work, so I downloaded and
> built 0.69.
>
> I have created a .p12 certificate, which I have successfully imported
> into XP. It's valid. The XP VPN connection is set up properly (e.g.
> CHAP on, no PPTP etc.)
>
> But I still can't connect, and I'm sure it's somewhere in the l2tpd/ppp
> config that I have a problem. The firewall does run iptables, but I've
> disabled it and tried, with the same results. I'm confident that I've
> altered the iptables rules as specified in the docs.
>
> Here are the various configs:
>
> mailhost:~# cat /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP
> # client server secret IP addresses
> roadwarrior * roadwarrior *
>
> mailhost:~# cat /etc/ipsec.conf
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for
>         # lots.
>         klipsdebug=all
>         plutodebug=all
>         # Use auto= parameters in conn descriptions to control startup
>         # actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly
> # chosen)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn mailhost-rw
>         left=<firewall public IP>
>         leftcert=mailhostCert.pem
>         leftnexthop=<what it says!>
>         leftsubnet=10.0.0.0/8
>         right=%any
>         auto=add
>         keyingtries=1
>         pfs=yes
>
> mailhost:~# cat /etc/l2tp/l2tpd.conf
> ; Sample l2tpd.conf
> ;
> [global]
> ; listen-addr = 192.168.1.98
>
> [lns default]
> ip range = 10.100.100.1-10.100.100.100
> local ip = 10.100.100.101
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = VPNserver
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd
> length bit = yes
>
> mailhost:~# cat /etc/ppp/options.l2tpd
> ipcp-accept-local
> ipcp-accept-remote
> auth
> crtscts
> idle 1800
> debug
> lock
> proxyarp
> connect-delay 5000
>
> When I try to log in, I get "Error 792: The L2TP connection attempt
> failed because security negotiation timed out." I don't get any
> "verifying username..." message.
>
> Nothing in /var/log appears to be of much use. There's lots of klips
> stuff which is very verbose, but nothing sticks out.
>
> Any insight would be much appreciated. I must admit I'm still a little
> unclear how the whole idea works, but I believe that IPSec receives the
> connection, then calls l2tpd, which starts ppp. I can post more config
> / debug if needed.
>
> A
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
-> Jean-Francois Dive
--> jef@linuxbe.org
I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
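Jean-Francois asks for the FreeS/WAN logs because XP's Error 792 only says that the IKE/IPsec negotiation with the router did not finish; it does not say at which stage. The script below is an added example, not part of this thread nor of FreeS/WAN or l2tpd. It reads pluto's lines out of a syslog stream (pluto logs via syslog, which on Debian typically lands in /var/log/auth.log), tracks each SA number's last state transition, collects known failure messages, and classifies how far the negotiation got: no Main Mode seen at all (UDP 500 never reached pluto), Main Mode incomplete (certificate/ID/auth problem), ISAKMP SA up but Quick Mode rejected (no conn matched the client's proposal), or IPsec SA established (then the fault is in l2tpd/pppd). The sample log lines, the host name, the addresses, the conn name mailhost-rw and the certificate DN are constructed for this example; the message texts follow pluto's wording.

```python
import re

# Constructed sample log lines for this example (not taken from the original post).
# They follow pluto's message wording; host, conn name, addresses and DN are made up.
_HDR = 'Dec 24 00:41:02 mailhost pluto[1234]: '
_SA = _HDR + '"mailhost-rw"[1] 192.0.2.10 '

# Phase 1 completes, but the client's Quick Mode proposal matches no conn.
SAMPLE_PHASE2_REJECTED = [
    _HDR + 'packet from 192.0.2.10:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]',
    _SA + '#1: responding to Main Mode from unknown peer 192.0.2.10',
    _SA + '#1: transition from state (null) to state STATE_MAIN_R1',
    _SA + '#1: STATE_MAIN_R1: sent MR1, expecting MI2',
    _SA + '#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    _SA + "#1: Peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example, CN=roadwarrior'",
    _SA + '#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3',
    _SA + '#1: sent MR3, ISAKMP SA established',
    _SA + '#1: cannot respond to IPsec SA request because no connection is known for '
          '10.0.0.0/8===203.0.113.1...192.0.2.10[C=GB, O=Example, CN=roadwarrior]:17/1701',
]

# Same Phase 1, then a successful Quick Mode: IPsec is up, so L2TP/PPP is next to check.
SAMPLE_IPSEC_UP = SAMPLE_PHASE2_REJECTED[:-1] + [
    _SA + '#2: responding to Quick Mode',
    _SA + '#2: transition from state (null) to state STATE_QUICK_R1',
    _SA + '#2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2',
    _SA + '#2: IPsec SA established',
]

# Main Mode starts but the client never answers MR1 (e.g. its reply is filtered).
SAMPLE_PHASE1_TIMEOUT = [
    _SA + '#1: responding to Main Mode from unknown peer 192.0.2.10',
    _SA + '#1: transition from state (null) to state STATE_MAIN_R1',
    _SA + '#1: max number of retransmissions (2) reached STATE_MAIN_R1',
]

PLUTO_RE = re.compile(r'pluto\[\d+\]: (?P<body>.*)$')
# '"conn"[instance] peer #sa: message' as pluto prefixes SA-specific lines
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\])?(?: (?P<peer>[^\s#]+))? #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'to state (?P<state>STATE_\w+)')

# Substrings of pluto messages that mark a failed or rejected exchange.
ERROR_MARKERS = (
    "cannot respond to IPsec SA request",
    "no RSA public key known",
    "Can't authenticate",
    "NO_PROPOSAL_CHOSEN",
    "INVALID_ID_INFORMATION",
    "max number of retransmissions",
)

VERDICT_HINTS = {
    "no-ike": "pluto never logged a Main Mode exchange: check that UDP 500 reaches the router (iptables, NAT)",
    "phase1-failed": "Main Mode (Phase 1) did not complete: check certificates, IDs and the peer's auth method",
    "phase2-failed": "ISAKMP SA is up but Quick Mode (Phase 2) failed: the client's proposal matched no conn",
    "ipsec-up": "IPsec SA established: IPsec is fine, look at the l2tpd/pppd logs next",
}


def parse_pluto(lines):
    """Return (events, errors). events: (sa, conn, peer, msg) per pluto line, with
    sa/conn/peer None for lines not tied to an SA; errors: events whose message
    contains a known failure marker."""
    events, errors = [], []
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue  # not a pluto line (klips, l2tpd, pppd, ...)
        body = m.group('body')
        s = SA_RE.match(body)
        ev = (int(s.group('sa')), s.group('conn'), s.group('peer'), s.group('msg')) if s \
            else (None, None, None, body)
        events.append(ev)
        if any(marker in ev[3] for marker in ERROR_MARKERS):
            errors.append(ev)
    return events, errors


def last_states(events):
    """Map SA number -> last STATE_* it transitioned into (Main Mode #n, Quick Mode #m)."""
    states = {}
    for sa, _, _, msg in events:
        m = STATE_RE.search(msg) if sa is not None else None
        if m:
            states[sa] = m.group('state')
    return states


def diagnose(lines):
    """Classify how far the IKE negotiation got, from the log lines given."""
    events, errors = parse_pluto(lines)
    msgs = [e[3] for e in events]
    if not any("Main Mode" in m for m in msgs):
        verdict = "no-ike"
    elif any("IPsec SA established" in m for m in msgs):
        verdict = "ipsec-up"
    elif any("ISAKMP SA established" in m for m in msgs):
        verdict = "phase2-failed"
    else:
        verdict = "phase1-failed"
    return {"verdict": verdict, "states": last_states(events), "errors": [e[3] for e in errors]}


if __name__ == "__main__":
    import sys
    # Typical use: grep pluto /var/log/auth.log | python3 pluto_diag.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_PHASE2_REJECTED
    result = diagnose(lines)
    print(result["verdict"], "-", VERDICT_HINTS[result["verdict"]])
    for sa, state in sorted(result["states"].items()):
        print(f"  SA #{sa}: last state {state}")
    for err in result["errors"]:
        print("  error:", err)
```

With plutodebug=all, as in the posted config, the debug output buries these state lines; the script ignores everything that is not a state transition, an "established" line or a known failure message, so it works on the noisy log too. The verdict is a pointer to a layer, not a fix: "phase2-failed" with a "cannot respond to IPsec SA request" line means the selectors the client proposed did not match any conn, and the quoted text after "no connection is known for" shows exactly which selectors pluto was asked for.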