Hello,

on my root server running Debian, I would like to set up a VPN with L2TP/IPsec. The root machine should run as a VPN gateway to secure my internet traffic, e.g. while surfing the web on unencrypted wifi hotspots.

My auth.log shows the following error:
Code:
Jun 18 11:44:45 bett02 pluto[22357]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 178.203.x.y port 4500, complainant 217.172.x.y: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
178.203.x.y is the dynamic ip of the client
217.172.x.y is the static ip of the root server

My Windows Vista client outputs the following error after approx. 30 minutes:

Code:
Error 809 The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem
For the sake of simplicity, for now I would only like to work with a pre-shared key and not use certificates.

The server machine is running Debian with a 2.6 kernel
Openswan: Linux Openswan U2.4.12/K2.6.26-2-amd64 (netkey)
Xl2tpd: xl2tpd-1.2.0

Here's my config file and other logs that might be interesting. Many thanks for your help!

Flo

/etc/ipsec.conf
Code:
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=secret

conn L2TP-PSK
        rekey=no
        authby=secret
        pfs=no
        keyingtries=0
        left=%defaultroute
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add

conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
/etc/ipsec.secrets:
Code:
: PSK "thepsk"

217.172.a.b and 217.172.c.d are the local nameservers of my root server; 10.66.66.* should be the internal subnet.

/etc/xl2tpd/xl2tpd.conf
Code:
[global]
auth file = /etc/xl2tpd/l2tp-secrets
listen-addr = 217.172.x.y
port = 1701

[lns default]
ip range = 10.66.66.2-10.66.66.254
local ip = 217.172.x.y
refuse pap = yes

require authentication = yes
name = bett
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
length bit = yes
/etc/ppp/options.l2tpd.lns
Code:
ipcp-accept-local
ipcp-accept-remote
ms-dns 217.172.a.b
ms-dns 217.172.c.d
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000
auth.log:
Code:
Jun 18 12:20:30 bett02 pluto[23629]: Starting Pluto (Openswan Version 2.4.12 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`lPH|Vbpuu)
Jun 18 12:20:30 bett02 pluto[23629]: Setting NAT-Traversal port-4500 floating to on
Jun 18 12:20:30 bett02 pluto[23629]:    port floating activation criteria nat_t=1/port_fload=1
Jun 18 12:20:30 bett02 pluto[23629]:   including NAT-Traversal patch (Version 0.6c)
Jun 18 12:20:30 bett02 pluto[23629]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 18 12:20:30 bett02 pluto[23629]: starting up 3 cryptographic helpers
Jun 18 12:20:30 bett02 pluto[23629]: started helper pid=23644 (fd:6)
Jun 18 12:20:30 bett02 pluto[23629]: started helper pid=23648 (fd:7)
Jun 18 12:20:30 bett02 pluto[23629]: started helper pid=23649 (fd:8)
Jun 18 12:20:30 bett02 pluto[23629]: Using NETKEY IPsec interface code on 2.6.26-2-amd64
Jun 18 12:20:30 bett02 pluto[23629]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 18 12:20:30 bett02 pluto[23629]:   loaded CA cert file 'cacert.pem' (4877 bytes)
Jun 18 12:20:30 bett02 pluto[23629]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 18 12:20:30 bett02 pluto[23629]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 18 12:20:30 bett02 pluto[23629]: Changing to directory '/etc/ipsec.d/crls'
Jun 18 12:20:30 bett02 pluto[23629]:   loaded crl file 'crl.pem' (707 bytes)
Jun 18 12:20:30 bett02 pluto[23629]: loading secrets from "/etc/ipsec.secrets"
Jun 18 12:20:30 bett02 pluto[23629]: added connection description "L2TP-PSK"
Jun 18 12:20:30 bett02 pluto[23629]: listening for IKE messages
Jun 18 12:20:30 bett02 pluto[23629]: adding interface tun0/tun0 10.66.66.1:500
Jun 18 12:20:30 bett02 pluto[23629]: adding interface tun0/tun0 10.66.66.1:4500
Jun 18 12:20:30 bett02 pluto[23629]: adding interface eth0/eth0 217.172.x.y:500
Jun 18 12:20:30 bett02 pluto[23629]: adding interface eth0/eth0 217.172.x.y:4500
Jun 18 12:20:30 bett02 pluto[23629]: adding interface lo/lo 127.0.0.1:500
Jun 18 12:20:30 bett02 pluto[23629]: adding interface lo/lo 127.0.0.1:4500
Jun 18 12:20:30 bett02 pluto[23629]: adding interface lo/lo ::1:500
Jun 18 12:20:30 bett02 pluto[23629]: forgetting secrets
Jun 18 12:20:30 bett02 pluto[23629]: loading secrets from "/etc/ipsec.secrets"
Jun 18 12:20:49 bett02 pluto[23629]: packet from 178.203.x.y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006]
Jun 18 12:20:49 bett02 pluto[23629]: packet from 178.203.x.y:500: received Vendor ID payload [RFC 3947] method set to=109
Jun 18 12:20:49 bett02 pluto[23629]: packet from 178.203.x.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 18 12:20:49 bett02 pluto[23629]: packet from 178.203.x.y:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 18 12:20:49 bett02 pluto[23629]: packet from 178.203.x.y:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jun 18 12:20:49 bett02 pluto[23629]: packet from 178.203.x.y:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 18 12:20:49 bett02 pluto[23629]: packet from 178.203.x.y:500: ignoring Vendor ID payload [IKE CGA version 1]
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: responding to Main Mode from unknown peer 178.203.x.y
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: Diffie-Hellman group 20 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: Diffie-Hellman group 19 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.101'
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: switched from "L2TP-PSK" to "L2TP-PSK"
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: deleting connection "L2TP-PSK" instance with peer 178.203.x.y {isakmp=#0/ipsec=#0}
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: I did not send a certificate because I do not have one.
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #2: responding to Quick Mode {msgid:01000000}
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xd41ffc87 <0x94e92b85 xfrm=AES_128-HMAC_SHA1 NATD=178.203.x.y:4500 DPD=none}
Jun 18 12:21:24 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: received Delete SA(0xd41ffc87) payload: deleting IPSEC State #2
Jun 18 12:21:24 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: received and ignored informational message
Jun 18 12:21:24 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: received Delete SA payload: deleting ISAKMP State #1
Jun 18 12:21:24 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y: deleting connection "L2TP-PSK" instance with peer 178.203.x.y {isakmp=#0/ipsec=#0}
Jun 18 12:21:24 bett02 pluto[23629]: packet from 178.203.x.y:4500: received and ignored informational message
Jun 18 12:21:27 bett02 pluto[23629]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 178.203.x.y port 4500, complainant 217.172.x.y: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
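To make the pluto log above easier to read, here is a small triage script (an added example, not part of the original post or of Openswan). It parses syslog-style pluto lines, records per peer whether IKE phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed, whether NAT-T detected the peer as NATed, how long the IPsec SA lived before the peer sent Delete SA payloads, and decodes the "asynchronous network error report" line (errno 113 is EHOSTUNREACH; ICMP type 3 code 1 is host unreachable). The embedded sample is constructed from a subset of the lines quoted in the post, with the masked addresses kept as-is; the regexes, field names and diagnosis text are this example's own assumptions about the log format, not Openswan's API.

```python
"""Triage helper for Openswan pluto (IKEv1) syslog lines."""
import re
from datetime import datetime

# Constructed sample: a subset of the pluto lines quoted in the post (masked addresses kept).
SAMPLE_LOG = """\
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: responding to Main Mode from unknown peer 178.203.x.y
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[1] 178.203.x.y #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jun 18 12:20:49 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xd41ffc87 <0x94e92b85 xfrm=AES_128-HMAC_SHA1 NATD=178.203.x.y:4500 DPD=none}
Jun 18 12:21:24 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: received Delete SA(0xd41ffc87) payload: deleting IPSEC State #2
Jun 18 12:21:24 bett02 pluto[23629]: "L2TP-PSK"[2] 178.203.x.y #1: received Delete SA payload: deleting ISAKMP State #1
Jun 18 12:21:27 bett02 pluto[23629]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 178.203.x.y port 4500, complainant 217.172.x.y: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+pluto\[\d+\]:\s+(?P<msg>.*)$')
# connection-scoped message: "conn"[inst] peer #state: text   (the #state part is optional)
PEER_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\]\s+(?P<peer>\S+)(?:\s+#\d+)?:\s+(?P<text>.*)$')
BRACES_RE = re.compile(r'\{([^}]*)\}')
ICMP_RE = re.compile(r'message to (?P<dst>\S+) port (?P<port>\d+).*?errno (?P<errno>\d+), '
                     r'origin ICMP type (?P<type>\d+) code (?P<code>\d+)')
ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      3: "port unreachable", 13: "administratively prohibited"}

def _ts(text):
    # syslog carries no year; year 1900 is fine for differences within a day
    return datetime.strptime(text, "%b %d %H:%M:%S")

def _kv(text):
    """Parse the {key=value ...} block pluto appends to 'SA established' lines."""
    m = BRACES_RE.search(text)
    pairs = (tok.split('=', 1) for tok in (m.group(1).split() if m else []) if '=' in tok)
    return {k: v for k, v in pairs}

def summarize(log_text):
    """Return per-peer negotiation state plus any ICMP error reports."""
    s = {"peers": {}, "icmp_errors": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = _ts(m['ts']), m['msg']
        if msg.startswith('ERROR: asynchronous network error report'):
            im = ICMP_RE.search(msg)
            if im:
                s["icmp_errors"].append({"time": ts, "dst": im['dst'], "port": int(im['port']),
                                         "errno": int(im['errno']), "icmp_type": int(im['type']),
                                         "icmp_code": int(im['code'])})
            continue
        pm = PEER_RE.match(msg)
        if not pm:
            continue
        p = s["peers"].setdefault(pm['peer'], {"conn": pm['conn'], "nat": False, "isakmp": None,
                                               "ipsec": None, "ipsec_up_at": None,
                                               "deletes_received": 0, "torn_down_at": None})
        text = pm['text']
        if 'peer is NATed' in text:
            p["nat"] = True
        elif 'ISAKMP SA established' in text:
            p["isakmp"] = _kv(text)                      # phase 1 done: auth, cipher, prf, group
        elif 'IPsec SA established' in text:
            p["ipsec"], p["ipsec_up_at"] = _kv(text), ts  # phase 2 done: xfrm, NATD, DPD
        elif 'received Delete SA' in text:
            p["deletes_received"] += 1                   # the *peer* initiated the teardown
            p["torn_down_at"] = p["torn_down_at"] or ts
    return s

def tunnel_lifetime_seconds(peer):
    """Seconds between the IPsec SA coming up and the first Delete SA from the peer."""
    if peer["ipsec_up_at"] and peer["torn_down_at"]:
        return int((peer["torn_down_at"] - peer["ipsec_up_at"]).total_seconds())
    return None

def diagnose(summary):
    """Turn the summary into plain-language findings for the next troubleshooting step."""
    findings = []
    for peer, p in summary["peers"].items():
        if p["isakmp"] and p["ipsec"]:
            findings.append(f"{peer}: phase 1 ({p['isakmp'].get('auth')}, {p['isakmp'].get('group')}) "
                            f"and phase 2 ({p['ipsec'].get('xfrm')}) completed"
                            + (", peer is behind NAT" if p["nat"] else ""))
        elif p["isakmp"]:
            findings.append(f"{peer}: phase 1 completed but no IPsec SA; check phase 2 proposals/protoport")
        else:
            findings.append(f"{peer}: no ISAKMP SA established; check PSK and IKE proposals")
        if p["deletes_received"]:
            findings.append(f"{peer}: peer sent Delete SA after {tunnel_lifetime_seconds(p)}s; IPsec was up, "
                            f"so look at the layer above it next (xl2tpd/pppd logs, UDP 1701)")
    for e in summary["icmp_errors"]:
        if e["icmp_type"] == 3:
            reason = ICMP_UNREACH_CODES.get(e["icmp_code"], f"code {e['icmp_code']}")
            findings.append(f"ICMP unreachable ({reason}, errno {e['errno']}) for UDP {e['port']} to {e['dst']}: "
                            f"the client or its NAT stopped accepting NAT-T traffic after the teardown")
    return findings

if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the full auth.log (for example `python3 triage.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the output states directly what the raw lines only imply: for this post, both IKE phases finished with the PSK and AES_128-HMAC_SHA1, the peer tore the SAs down itself 35 seconds later, and the "No route to host" report is the client's side becoming unreachable on UDP 4500 after that teardown, so the next place to look is xl2tpd and pppd rather than the IKE exchange.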