
Re: IPSec WinXP interop



Hi, 

Looks like an IPsec issue, as L2TP can't connect.  What do the freeswan logs
look like?

On Wed, Dec 24, 2003 at 12:49:31AM +0000, Antony Gelberg wrote:
> Hi all,
> 
> My first post here - long time d-u subscriber.  I'm trying to set up a
> VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
> router.  I want to use X.509 certificates rather than PSKs.
> 
> So I've installed freeswan and l2tpd on the router.  There is quite a
> bit of documentation out there and I have read:
> http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html and
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html.  Not to mention
> http://www.natecarlson.com/linux/ipsec-x509.php.
> 
> I'm running Woody, hence:
> Package: freeswan
> Version: 1.96-1.4
> I heard that Woody l2tpd (0.67) wouldn't work, so I downloaded and
> built 0.69.
> 
> I have created a .p12 certificate, which I have successfully imported
> into XP.  It's valid.  The XP VPN connection is set up properly (e.g.
> CHAP on, no PPTP etc.)
> 
> But I still can't connect, and I'm sure it's somewhere in the l2tpd/ppp
> config that I have a problem.  The firewall does run iptables, but I've
> disabled it and tried, with the same results.  I'm confident that I've
> altered the iptables rules as specified in the docs.
> 
> Here are some various configs:
> 
> mailhost:~# cat /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP
> # client        server  secret                  IP addresses
> roadwarrior     *        roadwarrior     *
> 
> mailhost:~# cat /etc/ipsec.conf
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> 
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
> 
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls:  "none" for (almost) none, "all" for
>         # lots.
>         klipsdebug=all
>         plutodebug=all
>         # Use auto= parameters in conn descriptions to control startup
>         # actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
> 
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly
> # chosen)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
> 
> conn mailhost-rw
>         left=<firewall public IP>
>         leftcert=mailhostCert.pem
>         leftnexthop=<what it says!>
>         leftsubnet=10.0.0.0/8
>         right=%any
>         auto=add
>         keyingtries=1
>         pfs=yes
> 
> mailhost:~# cat /etc/l2tp/l2tpd.conf
> ; Sample l2tpd.conf
> ;
> [global]
> ; listen-addr = 192.168.1.98
> 
> [lns default]
> ip range = 10.100.100.1-10.100.100.100
> local ip = 10.100.100.101
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = VPNserver
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd
> length bit = yes
> 
> mailhost:~# cat /etc/ppp/options.l2tpd
> ipcp-accept-local
> ipcp-accept-remote
> auth
> crtscts
> idle 1800
> debug
> lock
> proxyarp
> connect-delay 5000
> 
> When I try to log in, I get "Error 792: The L2TP connection attempt
> failed because security negotiation timed out."  I don't get any
> "verifying username..." message.
> 
> Nothing in /var/log appears to be of much use.  There's lots of klips
> stuff which is very verbose, but nothing sticks out.
> 
> Any insight would be much appreciated.  I must admit I'm still a little
> unclear how the whole idea works, but I believe that IPSec receives the
> connection, then calls l2tpd, which starts ppp.  I can post more config
> / debug if needed.
> 
> A
> -- 
> Documentation - http://www.debian.org/doc/
> FAQ - http://www.debian.org/doc/FAQ/
> Install manual (i386) - http://www.debian.org/releases/stable/i386/install
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 

-> Jean-Francois Dive
--> jef@linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde
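As an added example that is not part of this thread nor code from the FreeS/WAN, l2tpd or pppd projects: a small Python audit that parses the two configuration formats quoted in the post (FreeS/WAN ipsec.conf with its "config setup" / "conn" sections, and pppd chap-secrets) and reports the settings a gateway operator would want to review before exposing an L2TP/IPsec road-warrior service. The sample inputs are constructed from the quoted configs; 192.0.2.1 stands in for the redacted gateway address, and the check names and messages are my own.

```python
"""Config audit for an L2TP/IPsec road-warrior gateway (FreeS/WAN + l2tpd + pppd).

Added example, not code from the thread.  It parses the FreeS/WAN ipsec.conf
and pppd chap-secrets formats and reports settings that matter for security
or that commonly stall IKE negotiation.  The sample inputs are constructed
from the configs quoted in the post; 192.0.2.1 is a placeholder address.
"""

IPSEC_CONF = """\
# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        uniqueids=yes

conn %default
        keyingtries=0
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn mailhost-rw
        left=192.0.2.1          # placeholder for the gateway's public IP
        leftcert=mailhostCert.pem
        leftsubnet=10.0.0.0/8
        right=%any
        auto=add
        pfs=yes
"""

CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
roadwarrior     *        roadwarrior     *
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}.

    ipsec.conf sections start in column 0 ("config setup", "conn <name>");
    their parameters are indented key=value lines.  '#' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                      # blank or comment-only line
        if not line[0].isspace():
            current = line.strip()        # new section header
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """Parameters of a conn with 'conn %default' applied first, as FreeS/WAN does."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get("conn " + name, {}))
    return merged


def parse_chap_secrets(text):
    """Return a list of {client, server, secret, addrs} from pppd chap-secrets."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue                      # comments, blanks, malformed lines
        entries.append({"client": fields[0], "server": fields[1],
                        "secret": fields[2].strip('"'), "addrs": fields[3:]})
    return entries


def audit(ipsec_text, chap_text):
    """Return a list of (location, finding) tuples; empty means nothing flagged."""
    findings = []
    sections = parse_ipsec_conf(ipsec_text)
    setup = sections.get("config setup", {})
    for key in ("klipsdebug", "plutodebug"):
        if setup.get(key) == "all":
            findings.append(("config setup", f"{key}=all: full debug logging is very "
                             "verbose and writes negotiation details to the logs; "
                             "enable it only while debugging"))
    for section in sections:
        if not section.startswith("conn ") or section == "conn %default":
            continue
        conn = effective_conn(sections, section[len("conn "):])
        if conn.get("authby") == "rsasig" and not conn.get("leftcert"):
            findings.append((section, "authby=rsasig but no leftcert: the gateway "
                             "has no certificate to present"))
        if conn.get("right") == "%any" and conn.get("auto") == "start":
            findings.append((section, "right=%any with auto=start: a road-warrior "
                             "conn can only be loaded (auto=add), not initiated"))
        if "leftsubnet" in conn or "rightsubnet" in conn:
            findings.append((section, "subnet parameters make this a tunnel-mode "
                             "conn; the Windows L2TP/IPsec client negotiates "
                             "transport mode to the gateway host"))
    for entry in parse_chap_secrets(chap_text):
        if entry["secret"].lower() == entry["client"].lower():
            findings.append(("chap-secrets", f"client {entry['client']!r}: "
                             "secret equals the user name"))
    return findings


if __name__ == "__main__":
    for where, what in audit(IPSEC_CONF, CHAP_SECRETS):
        print(f"[{where}] {what}")
```

Run it as a script to print the findings for the embedded sample; point `audit()` at the contents of a real /etc/ipsec.conf and /etc/ppp/chap-secrets to check a gateway. The checks are deliberately conservative: they only parse the two file formats and compare parameters, so a clean run is not a guarantee of a working or secure setup.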