Hi all, My first post here - long time d-u subscriber. I'm trying to set up a VPN where WinXP roadwarriors can access a LAN that sits behind a Linux router. I want to use X.509 certificates rather than PSKs.
So I've installed freeswan and l2tpd on the router. There is quite a bit of documentation out there and I have read: http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html and http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. Not to mention http://www.natecarlson.com/linux/ipsec-x509.php.

I'm running Woody, hence:

Package: freeswan
Version: 1.96-1.4

I heard that Woody l2tpd (0.67) wouldn't work, so I downloaded and built 0.69.

I have created a .p12 certificate, which I have successfully imported into XP. It's valid. The XP VPN connection is set up properly (e.g. CHAP on, no PPTP etc.)

But I still can't connect, and I'm sure it's somewhere in the l2tpd/ppp config that I have a problem. The firewall does run iptables, but I've disabled it and tried, with the same results. I'm confident that I've altered the iptables rules as specified in the docs.

Here are various configs:

mailhost:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
roadwarrior     *       roadwarrior             *

mailhost:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn mailhost-rw
        left=<firewall public IP>
        leftcert=mailhostCert.pem
        leftnexthop=<what it says!>
        leftsubnet=10.0.0.0/8
        right=%any
        auto=add
        keyingtries=1
        pfs=yes

mailhost:~# cat /etc/l2tp/l2tpd.conf
; Sample l2tpd.conf
;
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 10.100.100.1-10.100.100.100
local ip = 10.100.100.101
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

mailhost:~# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
auth
crtscts
idle 1800
debug
lock
proxyarp
connect-delay 5000

When I try to log in, I get "Error 792: The L2TP connection attempt failed because security negotiation timed out." I don't get any "verifying username..." message. Nothing in /var/log appears to be of much use. There's lots of klips stuff which is very verbose, but nothing sticks out.

Any insight would be much appreciated. I must admit I'm still a little unclear how the whole idea works, but I believe that IPSec receives the connection, then calls l2tpd, which starts ppp. I can post more config / debug if needed.

A
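As an added illustration (not part of the post above, and not FreeS/WAN's own code): a small Python parser for the ipsec.conf format quoted in the post, which applies the "conn %default" section to later conn sections and then flags a few settings worth reviewing in a certificate-based roadwarrior setup (debug logging left on, a conn not using rsasig, a missing leftcert, auto=start against right=%any). The sample config is constructed for the example and 192.0.2.1 is a placeholder address.

```python
# Sample ipsec.conf, constructed for this example (192.0.2.1 is a placeholder).
SAMPLE = """\
config setup
    klipsdebug=all      # very verbose; fine while debugging
    plutodebug=all
conn %default
    keyingtries=0
    authby=rsasig
conn mailhost-rw
    left=192.0.2.1
    leftcert=mailhostCert.pem
    leftsubnet=10.0.0.0/8
    right=%any
    auto=add
    keyingtries=1
"""

def parse_ipsec_conf(text):
    """Return (setup, conns); conns maps name -> settings merged over %default."""
    setup, defaults, raw_conns, current = {}, {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a section
            kind, _, name = line.strip().partition(" ")
            current = (setup if kind == "config" else defaults if name == "%default"
                       else raw_conns.setdefault(name, {}))
            continue
        key, _, val = line.strip().partition("=")  # indented key=value setting
        current[key.strip()] = val.strip()
    # Settings in 'conn %default' apply unless the conn overrides them.
    return setup, {n: {**defaults, **c} for n, c in raw_conns.items()}

def review(setup, conns):
    """Return (section, message) findings for a certificate-based roadwarrior setup."""
    findings = []
    for opt in ("klipsdebug", "plutodebug"):
        if setup.get(opt, "none") != "none":
            findings.append(("setup", f"{opt}={setup[opt]}: turn off once working"))
    for name, c in conns.items():
        if c.get("authby", "secret") != "rsasig":
            findings.append((name, "not using RSA/certificate authentication"))
        elif not c.get("leftcert"):
            findings.append((name, "authby=rsasig but no leftcert"))
        if c.get("right") == "%any" and c.get("auto") == "start":
            findings.append((name, "cannot initiate to right=%any; use auto=add"))
    return findings
```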