L2TP Problem with Windows XP and Windows Mobile


This topic contains 7 replies, has 0 voices, and was last updated by hoepp 10 years ago.

    #41666

    hoepp
    Member

    Hi,
    I have a problem with setting up L2TP VPN with zeroshell. My configuration is as follows:

    Internet <---> DSL-Router <---> zeroshell
    0.0.0.0        192.168.XXX.1    192.168.XXX.XXX

    The Internet address of the router is a dynDNS address.
    Here’s the IPSEC log:
    _________________________________________________________

    11:58:46 INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
    11:58:46 INFO: @(#)This product linked OpenSSL 0.9.8i 15 Sep 2008 (http://www.openssl.org/)
    11:58:46 INFO: 192.168.XXX.XXX[4500] used as isakmp port (fd=6)
    11:58:46 INFO: 192.168.XXX.XXX[4500] used for NAT-T
    11:58:46 INFO: 192.168.XXX.XXX[500] used as isakmp port (fd=7)
    11:58:46 INFO: 192.168.XXX.XXX[500] used for NAT-T
    14:51:25 INFO: respond new phase 1 negotiation: 192.168.XXX.XXX[500]<=>80.80.YYY.YYY[23837]
    14:51:25 INFO: begin Identity Protection mode.
    14:51:25 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    14:51:25 INFO: received Vendor ID: FRAGMENTATION
    14:51:25 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    14:51:25 INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    14:51:26 INFO: Hashing 192.168.XXX.XXX[500] with algo #1
    14:51:26 INFO: NAT-D payload #0 doesn’t match
    14:51:26 INFO: Hashing 80.80.YYY.YYY[23837] with algo #1
    14:51:26 INFO: NAT-D payload #1 doesn’t match
    14:51:26 INFO: NAT detected: ME PEER
    14:51:26 INFO: Hashing 80.80.YYY.YYY[23837] with algo #1
    14:51:26 INFO: Hashing 192.168.XXX.XXX[500] with algo #1
    14:51:26 INFO: Adding remote and local NAT-D payloads.
    14:51:27 INFO: NAT-T: ports changed to: 80.80.YYY.YYY[16553]<->192.168.XXX.XXX[4500]
    14:51:27 INFO: KA list add: 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553]
    14:51:27 INFO: ISAKMP-SA established 192.168.XXX.XXX[4500]-80.80.YYY.YYY[16553] spi:11623ca26e1d5e55:8897fcae4f15e576
    14:51:27 INFO: respond new phase 2 negotiation: 192.168.XXX.XXX[4500]<=>80.80.YYY.YYY[16553]
    14:51:27 INFO: no policy found, try to generate the policy : 80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in
    14:51:27 INFO: Adjusting my encmode UDP-Transport->Transport
    14:51:27 INFO: Adjusting peer’s encmode UDP-Transport(61444)->Transport(2)
    14:51:27 WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
    14:51:27 INFO: IPsec-SA established: ESP/Transport 80.80.YYY.YYY[16553]->192.168.XXX.XXX[4500] spi=102415966(0x61abe5e)
    14:51:27 INFO: IPsec-SA established: ESP/Transport 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553] spi=10807808(0xa4ea00)
    14:51:27 ERROR: such policy does not already exist: “80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in”
    14:51:27 ERROR: such policy does not already exist: “ZZZ.ZZZ.ZZZ.ZZZ/32[1701] 80.80.YYY.YYY/32[16553] proto=udp dir=out”
    14:52:06 INFO: purging ISAKMP-SA spi=11623ca26e1d5e55:8897fcae4f15e576.
    14:52:06 INFO: purged ISAKMP-SA spi=11623ca26e1d5e55:8897fcae4f15e576.
    14:52:06 ERROR: unknown Informational exchange received.
    14:52:07 INFO: ISAKMP-SA deleted 192.168.XXX.XXX[4500]-80.80.YYY.YYY[16553] spi:11623ca26e1d5e55:8897fcae4f15e576
    14:52:07 INFO: KA remove: 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553]
    15:39:27 INFO: IPsec-SA expired: ESP/Transport 80.80.YYY.YYY[0]->192.168.XXX.XXX[0] spi=102415966(0x61abe5e)
    15:39:27 INFO: IPsec-SA expired: ESP/Transport 192.168.XXX.XXX[0]->80.80.YYY.YYY[0] spi=10807808(0xa4ea00)
    15:51:27 INFO: IPsec-SA expired: ESP/Transport 80.80.YYY.YYY[0]->192.168.XXX.XXX[0] spi=102415966(0x61abe5e)
    15:51:27 INFO: IPsec-SA expired: ESP/Transport 192.168.XXX.XXX[0]->80.80.YYY.YYY[0] spi=10807808(0xa4ea00)
    _________________________________________________________

    The strange thing here is that the ports of the IPsec-SA are different. While establishing the IPsec-SA the ports are 16553 and 4500, and during expiration the ports are 0.

    I found an article on the IPSEC-Tools bug-tracking page
    https://trac.ipsec-tools.net/ticket/2 which seems to state that there is a problem running racoon on linux.

    My question: am I doing something wrong, or is racoon indeed to blame in this setup?

    Sincerely hoepp
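As an added example (not code from the post, from racoon or from zeroshell), a small Python parser that runs over log lines constructed after the ones quoted above and pulls out the NAT-T facts worth checking on the responder side: which ends racoon says are behind NAT, the float of the IKE ports to UDP 4500, the phase 2 authtype warning, the generated udp/1701 policy that racoon then reports as missing, and the SA expiry entries that carry port 0. The regular expressions follow the message formats visible in the post; the function and field names, and the sample log itself, are my own.

```python
"""Summarise a racoon (ipsec-tools) NAT-T negotiation from its log output.

Added example, not code from the forum post, from racoon or from zeroshell.
The regexes follow the message formats visible in the post; field names
are my own.
"""
import re

# Constructed sample: the post's log trimmed to the lines this parser uses,
# with the post's XXX/YYY/ZZZ placeholders kept in place.
SAMPLE_LOG = """\
14:51:25 INFO: respond new phase 1 negotiation: 192.168.XXX.XXX[500]<=>80.80.YYY.YYY[23837]
14:51:26 INFO: NAT-D payload #0 doesn't match
14:51:26 INFO: NAT-D payload #1 doesn't match
14:51:26 INFO: NAT detected: ME PEER
14:51:27 INFO: NAT-T: ports changed to: 80.80.YYY.YYY[16553]<->192.168.XXX.XXX[4500]
14:51:27 INFO: ISAKMP-SA established 192.168.XXX.XXX[4500]-80.80.YYY.YYY[16553] spi:11623ca26e1d5e55:8897fcae4f15e576
14:51:27 INFO: respond new phase 2 negotiation: 192.168.XXX.XXX[4500]<=>80.80.YYY.YYY[16553]
14:51:27 INFO: no policy found, try to generate the policy : 80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in
14:51:27 WARNING: authtype mismatched: my:hmac-md5 peer:hmac-sha
14:51:27 INFO: IPsec-SA established: ESP/Transport 80.80.YYY.YYY[16553]->192.168.XXX.XXX[4500] spi=102415966(0x61abe5e)
14:51:27 INFO: IPsec-SA established: ESP/Transport 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553] spi=10807808(0xa4ea00)
14:51:27 ERROR: such policy does not already exist: "80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in"
14:51:27 ERROR: such policy does not already exist: "ZZZ.ZZZ.ZZZ.ZZZ/32[1701] 80.80.YYY.YYY/32[16553] proto=udp dir=out"
15:39:27 INFO: IPsec-SA expired: ESP/Transport 80.80.YYY.YYY[0]->192.168.XXX.XXX[0] spi=102415966(0x61abe5e)
"""

LINE_RE   = re.compile(r'^(\d\d:\d\d:\d\d) ([A-Z]+): (.*)$')
NATDET_RE = re.compile(r'NAT detected: (.+)')
NATT_RE   = re.compile(r'NAT-T: ports changed to: [\w.]+\[(\d+)\]<->[\w.]+\[(\d+)\]')
POLICY_RE = re.compile(r'such policy does not already exist: ["\u201c]([\w.]+)/\d+\[(\d+)\] '
                       r'([\w.]+)/\d+\[(\d+)\] proto=(\w+) dir=(\w+)["\u201d]')
AUTH_RE   = re.compile(r'authtype mismatched: my:(\S+) peer:(\S+)')
SA_RE     = re.compile(r'IPsec-SA (established|expired): ESP/\w+ [\w.]+\[(\d+)\]->[\w.]+\[(\d+)\]')


def parse_racoon_log(text):
    """Return a dict of the NAT-T relevant facts found in racoon log text."""
    s = {'nat_sides': set(), 'natt_ports': None, 'policy_errors': [],
         'authtype_mismatch': None, 'sa_ports': {'established': [], 'expired': []},
         'error_lines': 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group(2), m.group(3)
        if level == 'ERROR':
            s['error_lines'] += 1
        if (n := NATDET_RE.search(msg)):
            s['nat_sides'].update(n.group(1).split())          # "ME", "PEER" or both
        elif (n := NATT_RE.search(msg)):
            s['natt_ports'] = (int(n.group(1)), int(n.group(2)))  # (peer port, local port)
        elif (n := POLICY_RE.search(msg)):
            s['policy_errors'].append({'src': n.group(1), 'sport': int(n.group(2)),
                                       'dst': n.group(3), 'dport': int(n.group(4)),
                                       'proto': n.group(5), 'dir': n.group(6)})
        elif (n := AUTH_RE.search(msg)):
            s['authtype_mismatch'] = (n.group(1), n.group(2))
        elif (n := SA_RE.search(msg)):
            s['sa_ports'][n.group(1)].append((int(n.group(2)), int(n.group(3))))
    return s


def diagnose(s):
    """Turn the parsed facts into short findings a practitioner would check."""
    findings = []
    if {'ME', 'PEER'} <= s['nat_sides']:
        findings.append('both ends are behind NAT; IKE and ESP must run encapsulated on UDP 4500 (NAT-T)')
    elif s['nat_sides']:
        findings.append('NAT detected on: ' + ', '.join(sorted(s['nat_sides'])))
    if s['natt_ports']:
        findings.append('ports floated: peer %d <-> local %d' % s['natt_ports'])
    l2tp = [p for p in s['policy_errors']
            if p['proto'] == 'udp' and 1701 in (p['sport'], p['dport'])]
    if l2tp:
        findings.append('generated udp/1701 (L2TP) policy was not installed for dir=%s'
                        % ','.join(sorted({p['dir'] for p in l2tp})))
    if s['authtype_mismatch']:
        findings.append('phase 2 auth algorithm mismatch: ours %s, peer %s; align the proposal'
                        % s['authtype_mismatch'])
    est, exp = s['sa_ports']['established'], s['sa_ports']['expired']
    if exp and all(p == (0, 0) for p in exp) and any(p != (0, 0) for p in est):
        findings.append('SA expiry logged with port 0 although the SA was established on %d/%d'
                        % est[0])
    return findings


if __name__ == '__main__':
    for line in diagnose(parse_racoon_log(SAMPLE_LOG)):
        print('-', line)
```

Run against the real log with `parse_racoon_log(open('/path/to/racoon.log').read())`; the same parser applies to any racoon responder log, since the message formats are racoon's own rather than specific to this post.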

    #48080

    14:51:27 INFO: IPsec-SA established: ESP/Transport 80.80.YYY.YYY[16553]->192.168.XXX.XXX[4500] spi=102415966(0x61abe5e)
    14:51:27 INFO: IPsec-SA established: ESP/Transport 192.168.XXX.XXX[4500]->80.80.YYY.YYY[16553] spi=10807808(0xa4ea00)
    14:51:27 ERROR: such policy does not already exist: “80.80.YYY.YYY/32[16553] ZZZ.ZZZ.ZZZ.ZZZ/32[1701] proto=udp dir=in”
    14:51:27 ERROR: such policy does not already exist: “ZZZ.ZZZ.ZZZ.ZZZ/32[1701] 80.80.YYY.YYY/32[16553] proto=udp dir=out”

    You can’t run L2TP with NAT on your router.

    It looks like you have Computer1 with a private IP address behind a NAT’d router trying to make an L2TP session with a zeroshell box.
    You will need to put your Computer1 in a DMZ so that it gets the public IP address needed to make the L2TP session work.

    If it’s the other way around then you need to give your zeroshell box a public IP address on the wan interface or put it in a DMZ. Either way L2TP is designed to work best with 2 public IP addresses. One on the calling station and one on the RAS.

    If you want to test this without changing your configs just dialup (analog phone line/56k modem) to the internet and connect to your zeroshell box.

    #48081

    hoepp
    Member

    Thank you for this information.

    The setup was zeroshell (192.168) behind a NAT router with dynDNS ZZZ and the road warrior was a Windows Mobile Phone (80.80).

    I was under the impression that this should work anyway because at least MS talks about this

    http://support.microsoft.com/kb/926179/en-us

    BTW: I forgot: I’ve modified my racoon.conf template file by adding the following section:

    listen {
        isakmp 192.168.XXX.XXX [500];        # IKE on UDP 500
        isakmp_natt 192.168.XXX.XXX [4500];  # NAT-T (UDP-encapsulated IKE/ESP) on UDP 4500
    }

    without this I do not even get the “ISAKMP-SA established” message but receive time-out messages only.

    Best regards
    Hoepp

    #48082

    NAT-t is not supported on zeroshell or at least not last time I checked. There’s a checkbox there with the option but you’ll get a warning if you try it saying that it’s not supported.

    If IP address space is limited for your vpn application you can put the zeroshell router with the public IP address to accomplish your L2TP sessions without further configurations and place your NAT router behind zeroshell.

    #48083

    hoepp
    Member

    According to fulvio, it should work. See here:
    http://www.zeroshell.net/eng/forum/viewtopic.php?t=966

    After finding this post I even started trying harder to get a successful connection.

    Regards
    hoepp

    #48084

    The easiest way to resolve this is to connect zeroshell directly to the ISP uplink giving it a global IP address.

    What kernel and build of zeroshell are you using?
    What is the manufacturer and model number of the NAT router that zeroshell is behind?
    What ports are being forwarded to zeroshell (1723, 500, 4500)?
    What IP traffic is being allowed thru the firewall to zeroshell (ICMP, GRE)?
    What features on the NAT router are enabled, such as PPTP, L2TP, IPSec Pass-thru?

    Have you attempted to connect from the LAN to verify that you can even establish a connection locally?

    #48085

    hoepp
    Member

    Thank you for offering your help.

    I will try to answer the questions:
    What kernel and build of zeroshell are you using?
    I’m using standard CD-ROM version of ZS 1.0 beta 11

    What is the manufacturer and model number of the NAT router that zeroshell is behind?
    It’s a Samsung SMT-G 3210 Phone WLAN with fw 3.01. AFAIK it’s using a linux 2.4 kernel

    What ports are being forwarded to zeroshell (1723, 500, 4500)?
    I’m forwarding UDP traffic on the following ports: 500, 4500 and 1701 (I’m using L2TP, not PPTP)

    What IP traffic is being allowed thru the firewall to zeroshell (ICMP, GRE)?
    I don’t understand this question, sorry.

    What features on the NAT router are enabled, such as PPTP, L2TP, IPSec Pass-thru?
    I doubt that the stupid Samsung is offering anything like that.

    Have you attempted to connect from the LAN to verify that you can even establish a connection locally?

    I’ve tried this on both ends of ZS:
    It fails if I connect to 192.168.XXX.XXX (the side that’s connected to the outside).
    I have a successful connection if I connect to the 10.XXX.XXX.XXX side of my ZS.

    Thank you for reading all this 🙂
    hoepp

    #48086

    I sent this to your private messages.

    #48087

    Gideon
    Member

    Hi.
    I have a similar problem.
    I am trying to connect to the zeroshell L2TP VPN from a client behind a NAT.
    When I enable the NAT-T option in zeroshell, I’m receiving:

    ERROR: such policy does not already exist: “93.175.xxx.xxx/32[64370] 91.205.xxx.xxx/32[1701] proto=udp dir=in”
    ERROR: such policy does not already exist: “91.205.xxx.xxx/32[1701] 93.175.xxx.xxx/32[64370] proto=udp dir=out”

    but when I first connect from the NAT machine, then from the machine behind NAT, everything works until I reboot the server or restart the L2TP daemon.

    I’m using Release 1.0.beta12; client: WinXP SP3, fully updated.

    edit:
    I receive the same error even when the connection is OK. But if I don’t connect from the NAT machine beforehand, the connection from the machine behind NAT stops at these lines.
