Hi, looks like an IPsec issue, as L2TP can't connect. What do the freeswan logs look like?

On Wed, Dec 24, 2003 at 12:49:31AM +0000, Antony Gelberg wrote:
> Hi all,
>
> My first post here - long time d-u subscriber. I'm trying to set up a
> VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
> router. I want to use X.509 certificates rather than PSKs.
>
> So I've installed freeswan and l2tpd on the router. There is quite a
> bit of documentation out there and I have read:
> http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html and
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. Not to mention
> http://www.natecarlson.com/linux/ipsec-x509.php.
>
> I'm running Woody, hence:
> Package: freeswan
> Version: 1.96-1.4
> I heard that Woody l2tpd (0.67) wouldn't work, so I downloaded and
> built 0.69.
>
> I have created a .p12 certificate, which I have successfully imported
> into XP. It's valid. The XP VPN connection is set up properly (e.g.
> CHAP on, no PPTP etc.)
>
> But I still can't connect, and I'm sure it's somewhere in the l2tpd/ppp
> config that I have a problem. The firewall does run iptables, but I've
> disabled it and tried, with the same results. I'm confident that I've
> altered the iptables rules as specified in the docs.
>
> Here are the various configs:
>
> mailhost:~# cat /etc/ppp/chap-secrets
> # Secrets for authentication using CHAP
> # client        server  secret          IP addresses
> roadwarrior     *       roadwarrior     *
>
> mailhost:~# cat /etc/ipsec.conf
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for
>         # lots.
>         klipsdebug=all
>         plutodebug=all
>         # Use auto= parameters in conn descriptions to control startup
>         # actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly
> # chosen)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn mailhost-rw
>         left=<firewall public IP>
>         leftcert=mailhostCert.pem
>         leftnexthop=<what it says!>
>         leftsubnet=10.0.0.0/8
>         right=%any
>         auto=add
>         keyingtries=1
>         pfs=yes
>
> mailhost:~# cat /etc/l2tp/l2tpd.conf
> ; Sample l2tpd.conf
> ;
> [global]
> ; listen-addr = 192.168.1.98
>
> [lns default]
> ip range = 10.100.100.1-10.100.100.100
> local ip = 10.100.100.101
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = VPNserver
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd
> length bit = yes
>
> mailhost:~# cat /etc/ppp/options.l2tpd
> ipcp-accept-local
> ipcp-accept-remote
> auth
> crtscts
> idle 1800
> debug
> lock
> proxyarp
> connect-delay 5000
>
> When I try to log in, I get "Error 792: The L2TP connection attempt
> failed because security negotiation timed out." I don't get any
> "verifying username..." message.
>
> Nothing in /var/log appears to be of much use. There's lots of klips
> stuff which is very verbose, but nothing sticks out.
>
> Any insight would be much appreciated. I must admit I'm still a little
> unclear how the whole idea works, but I believe that IPSec receives the
> connection, then calls l2tpd, which starts ppp. I can post more config
> / debug if needed.
>
> A

-- 
-> Jean-Francois Dive
--> [EMAIL PROTECTED]

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
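Added example, not code from this thread: a small Python checker that parses a FreeS/WAN ipsec.conf conn section shaped like the one quoted above and reports the settings that leave a Windows L2TP/IPsec client stuck in IPsec negotiation (the Error 792 symptom, before PPP or CHAP is ever reached). The sample conn and its placeholder address are constructed, and the transport-mode/protoport rule is an assumption taken from the layout the linked jacco2 guides describe.

```python
"""Sanity-check a FreeS/WAN ipsec.conf conn for L2TP/IPsec road warriors.
Added example, not code from the thread; placeholder address is constructed."""
import re

SAMPLE_CONF = """\
conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn mailhost-rw
    left=192.0.2.1
    leftcert=mailhostCert.pem
    leftsubnet=10.0.0.0/8
    right=%any
    auto=add
    keyingtries=1
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:  # section header; 'config' sections are parsed but not returned
            current = sections.setdefault(m.group(2), {}) if m.group(1) == "conn" else {}
        elif current is not None and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **vals} for name, vals in sections.items()}

def check_l2tp_conn(conn):
    """List settings that stop pluto from completing negotiation with a
    Windows L2TP/IPsec client (the client then reports Error 792)."""
    issues = []
    if conn.get("authby") != "rsasig" or "leftcert" not in conn:
        issues.append("certificate auth needs authby=rsasig and leftcert=")
    if conn.get("right") != "%any" or conn.get("auto") != "add":
        issues.append("road-warrior conn needs right=%any and auto=add")
    # Assumption (layout from the linked jacco2 guides): the XP client
    # proposes transport mode for UDP 1701, so the conn must be restricted
    # with protoport settings rather than described as a leftsubnet= tunnel.
    if not (conn.get("leftprotoport") == "17/1701" and "rightprotoport" in conn):
        issues.append("missing leftprotoport=17/1701 and rightprotoport= for L2TP")
    if "leftsubnet" in conn:
        issues.append("leftsubnet= makes this a tunnel-mode conn, not L2TP transport mode")
    return issues
```

Running `check_l2tp_conn(parse_ipsec_conf(SAMPLE_CONF)["mailhost-rw"])` flags the missing protoport settings and the leftsubnet= line; the LAN behind the router is reached over the PPP link that l2tpd hands out, not through the IPsec tunnel definition.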