Hi,

I am trying to connect to a freeswan/l2tpd VPN from a windows machine behind
a netgear WGT624 ADSL router and am getting a strange problem. The initial
IPSEC negotiation works fine, I get an IPSEC SA Established message, but then
nothing happens - l2tpd doesn't fire up. I've logged the traffic on ipsec0
and we are getting incoming traffic from the public IP of the remote router
to the public IP of the freeswan server on UDP ports 1701->1701, but no
reply. Before putting in the router I connected to the same box over a
Windows dial-up connection with no problems, so I am confident that l2tpd is
running and the config is correct... after putting in the router I had to
add a rightsubnet=x.x.x.x/x in ipsec.conf to get the SA established, but
that is the only change I've made.

Here is the relevant section of ipsec.conf:

conn Toby-Mitchell
        pfs=no
        left=%defaultroute
        leftcert=vpn.server.pem
        leftprotoport=17/0
        right=%any
        rightsubnet=192.168.0.3/32
        rightprotoport=17/1701
        auto=add

.. and here is a section of the logs (all ipsec0 traffic is being logged -
1.2.3.4 is the external freeswan interface, 4.3.2.1 is the router's external
interface - the delete SA at the end is me cancelling the connection):

Mar 23 23:52:43 rtr1 pluto[4024]: packet from 4.3.2.1:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[9] 4.3.2.1 #11: responding to Main Mode from unknown peer 4.3.2.1
Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[9] 4.3.2.1 #11: Peer ID is ID_DER_ASN1_DN: '<Certificate Details>'
Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[9] 4.3.2.1 #11: crl update is overdue since Apr 10 01:51:17 UTC 2003
Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[9] 4.3.2.1 #11: crl update is overdue since Apr 10 01:51:17 UTC 2003
Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1 #11: deleting connection "Toby-Mitchell" instance with peer 4.3.2.1 {isakmp=#0/ipsec=#0}
Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1 #11: sent MR3, ISAKMP SA established
Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1 #12: responding to Quick Mode
Mar 23 23:52:43 rtr1 kernel: IN=ipsec0 OUT= MAC=45:00:00:7e SRC=4.3.2.1 DST=1.2.3.4 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=12316 PROTO=UDP SPT=1701 DPT=1701 LEN=106
Mar 23 23:52:44 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1 #12: IPsec SA established {ESP=>0xf15e6bb4 <0xc539f998}
Mar 23 23:52:44 rtr1 kernel: IN=ipsec0 OUT= MAC=45:00:00:7e SRC=4.3.2.1 DST=1.2.3.4 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=12317 PROTO=UDP SPT=1701 DPT=1701 LEN=106
Mar 23 23:52:46 rtr1 kernel: IN=ipsec0 OUT= MAC=45:00:00:7e SRC=4.3.2.1 DST=1.2.3.4 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=12318 PROTO=UDP SPT=1701 DPT=1701 LEN=106
Mar 23 23:52:50 rtr1 kernel: IN=ipsec0 OUT= MAC=45:00:00:7e SRC=4.3.2.1 DST=1.2.3.4 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=12337 PROTO=UDP SPT=1701 DPT=1701 LEN=106
Mar 23 23:52:58 rtr1 kernel: IN=ipsec0 OUT= MAC=45:00:00:7e SRC=4.3.2.1 DST=1.2.3.4 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=12383 PROTO=UDP SPT=1701 DPT=1701 LEN=106
Mar 23 23:53:02 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1 #11: received Delete SA(0xf15e6bb4) payload: deleting IPSEC State #12
Mar 23 23:53:02 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1 #11: received Delete SA payload: deleting ISAKMP State #11
Mar 23 23:53:02 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1: deleting connection "Toby-Mitchell" instance with peer 4.3.2.1 {isakmp=#0/ipsec=#0}

Does anyone have any ideas as to why the l2tp daemon might not be responding
to the incoming connection?

Thanks
Toby
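The symptom in the post (UDP 1701 packets arriving on ipsec0 with no reply ever leaving) can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from freeswan/l2tpd: it parses netfilter LOG lines of the format shown above, groups packets into 5-tuples, and reports every flow that was seen in one direction only. The sample log is constructed from the post's lines plus an invented two-way UDP 500 exchange on eth0 for contrast.

```python
import re
from collections import defaultdict

# Only the KEY=VALUE fields that identify a flow are extracted from a netfilter LOG line.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_netfilter_line(line):
    """Return the flow-identifying fields of a netfilter LOG line, or None for other syslog lines."""
    if "PROTO=" not in line:
        return None  # pluto / l2tpd messages carry no packet fields
    return dict(FIELD_RE.findall(line))


def one_way_flows(lines):
    """Count packets per (src, dst, proto, sport, dport) and return the flows
    whose reverse tuple (dst, src, proto, dport, sport) never appears.

    Returns {flow_tuple: packet_count}; an empty dict means every logged flow
    had traffic in both directions.
    """
    counts = defaultdict(int)
    for line in lines:
        fields = parse_netfilter_line(line)
        if not fields or "SRC" not in fields:
            continue
        key = (fields["SRC"], fields["DST"], fields["PROTO"],
               fields.get("SPT", ""), fields.get("DPT", ""))
        counts[key] += 1
    unanswered = {}
    for (src, dst, proto, spt, dpt), n in counts.items():
        if (dst, src, proto, dpt, spt) not in counts:
            unanswered[(src, dst, proto, spt, dpt)] = n
    return unanswered


# Constructed sample: the post's ipsec0 lines, one pluto line, and an invented healthy IKE pair.
SAMPLE_LOG = [
    'Mar 23 23:52:43 rtr1 pluto[4024]: "Toby-Mitchell"[10] 4.3.2.1 #12: responding to Quick Mode',
    "Mar 23 23:52:43 rtr1 kernel: IN=eth0 OUT= SRC=4.3.2.1 DST=1.2.3.4 LEN=80 PROTO=UDP SPT=500 DPT=500",
    "Mar 23 23:52:43 rtr1 kernel: IN= OUT=eth0 SRC=1.2.3.4 DST=4.3.2.1 LEN=80 PROTO=UDP SPT=500 DPT=500",
] + [
    "Mar 23 23:52:%02d rtr1 kernel: IN=ipsec0 OUT= MAC=45:00:00:7e SRC=4.3.2.1 DST=1.2.3.4 LEN=126 "
    "TOS=0x00 PREC=0x00 TTL=115 ID=%d PROTO=UDP SPT=1701 DPT=1701 LEN=106" % (sec, pid)
    for sec, pid in ((43, 12316), (44, 12317), (46, 12318), (50, 12337), (58, 12383))
]

if __name__ == "__main__":
    for flow, n in one_way_flows(SAMPLE_LOG).items():
        print("unanswered flow %s -> %s %s %s->%s: %d packet(s)" % (flow[0], flow[1], flow[2], flow[3], flow[4], n))
```

On the sample it reports only the 4.3.2.1 -> 1.2.3.4 UDP 1701 flow as unanswered, which is the first thing to confirm before looking at l2tpd's own configuration or the router's NAT handling.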