Pantek Library
[Users] [SOS] Troubles in WinXP L2TP/IPSEC with SuperSwan

From: Zhang Jian <jzhang(at)cienettechnologies.com>
Date: Mon Feb 16 2004 - 00:54:44 EST


Hi All,

I am new to IPsec.
In recent days I tried to set up a VPN system so that WinXP road warriors can access the internal network. I followed the good guide http://www.jacco2.dds.nl/networking/freeswan-l2tp.html for the setup.

The following is my test network:

200.10.1.100 <---> 200.10.1.1 / 192.168.0.1 <---> 192.168.0.0/24

(winxp RW)            ( FreeSwan Secure GW)        (Internal Network)
 No ipsec update      super-freeswan-1.99.8

I want to use Windows L2TP/IPsec on the WinXP RW to access my internal net. I followed the above guide to set up FreeS/WAN, l2tpd and the WinXP client, but when I tried to connect to the FreeS/WAN GW from WinXP, it reported "remote server no response". I got the following info by running tcpdump (tcpdump -i eth0) on the GW:

15:47:39.305917 200.10.1.100.l2tp > 200.10.1.1.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
15:47:39.306446 200.10.1.1 > 200.10.1.100: icmp: 200.10.1.1 udp port l2tp unreachable [tos 0xc0]

In /var/log/secure there is no log at all about an IPsec connection: no IPsec connection, no L2TP connection.

The following are my config files:
1. l2tpd.conf
[global]
listen-addr = 192.168.0.1


[lns default]
ip range = 192.168.0.128-192.168.0.254
local ip = 192.168.0.2
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

2. ipsec.conf
conn L2TP-CERT-orgWIN2KXP
#
# Configuration for one user with the non-updated Windows 2000/XP.
#
#
# Use a certificate. Disable Perfect Forward Secrecy.
#

 authby=rsasig
 pfs=no
#

 left=200.10.1.1
 leftrsasigkey=%cert
 leftcert=/etc/ipsec.d/ssl/localCERT.pem
#
# Required for original (non-updated) Windows 2000/XP clients.
 leftprotoport=17/0
#
# The remote user.
#

 right=%any
 rightrsasigkey=%cert
 rightprotoport=17/1701
#
# Change 'ignore' to 'add' to enable the configuration for this user.
#

 auto=add
 keyingtries=0

I have also tried to access the FreeS/WAN GW with "plain" IPsec (without L2TP/IPsec, by adding an IPsec policy on XP manually, auth by cert); that works, and I can see the connection established in the log.

I also tried commenting out the line "listen-addr" in l2tpd.conf; then the L2TP connection is OK, but
in /var/log/secure there is no log at all about an IPsec connection: no IPsec connection. I think that is insecure.

It seems that the XP L2TP/IPsec client does not try to make an IPsec connection to the GW, only an L2TP connection, when it makes an L2TP/IPsec connection.

This issue has blocked me for two weeks. Can anyone help me fix it? Any help, comments or hints will be highly appreciated!

Thank you very much!

Best Regards,
Jian

Received on Mon Feb 16 01:03:35 2004
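An added example, not code from the original post, from FreeS/WAN or from l2tpd: it mechanises the check the poster did by eye on the tcpdump output, classifying each line captured on the gateway's outer interface and stating whether L2TP arrived inside ESP or in the clear. The two lines of POSTED_CAPTURE are copied from the post; HEALTHY_CAPTURE is constructed to show what a working IKE negotiation followed by ESP would look like in the same tcpdump 3.x line format (an assumed format, not a real capture). The reasoning assumes a KLIPS-style stack where decrypted packets surface on ipsec0, so any plaintext UDP/1701 seen on eth0 was never protected by IPsec.

```python
"""Classify tcpdump lines captured on the outer interface (eth0) of a
FreeS/WAN L2TP/IPsec gateway and say whether the L2TP traffic arrived
inside IPsec or in the clear.

Added example, not code from the original post.  POSTED_CAPTURE is
copied from the post; HEALTHY_CAPTURE is constructed in the same
tcpdump 3.x output format (assumed format, not a real capture).
"""
import re

# tcpdump 3.x prints:  HH:MM:SS.usec  src[.port] > dst[.port]: summary
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\w+))?"
    r"\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\w+))?"
    r":\s*(?P<rest>.*)$"
)

L2TP_PORTS = {"l2tp", "1701"}
ISAKMP_PORTS = {"isakmp", "500"}


def classify(line):
    """Return the packet category of one tcpdump line (None if unparsed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest, sport, dport = m.group("rest"), m.group("sport"), m.group("dport")
    if rest.startswith("ESP"):
        return "esp"            # encrypted payload: what L2TP should look like on eth0
    if rest.startswith("isakmp") or sport in ISAKMP_PORTS:
        return "isakmp"         # IKE negotiation on UDP/500
    if rest.startswith("icmp") and "unreachable" in rest:
        return "icmp-unreach"
    if rest.startswith("l2tp") or sport in L2TP_PORTS or dport in L2TP_PORTS:
        # With KLIPS, decrypted packets surface on ipsec0, so plaintext
        # L2TP on eth0 was never protected by IPsec.
        return "l2tp-clear"
    return "other"


def diagnose(lines):
    """Count packet categories and derive findings about the tunnel."""
    counts = {}
    l2tpd_unreachable = False
    for line in lines:
        cat = classify(line)
        if cat is None:
            continue
        counts[cat] = counts.get(cat, 0) + 1
        if cat == "icmp-unreach" and "port l2tp" in line:
            l2tpd_unreachable = True  # the GW itself refused UDP/1701

    findings = []
    if counts.get("l2tp-clear") and not counts.get("esp"):
        findings.append("l2tp-without-ipsec")   # client skipped IPsec entirely
    if not counts.get("isakmp"):
        findings.append("no-ike")               # no phase 1 was even attempted
    if l2tpd_unreachable:
        findings.append("l2tpd-not-listening")  # check l2tpd listen-addr
    if counts.get("esp") and not counts.get("l2tp-clear"):
        findings.append("ok")
    return counts, findings


# Copied from the post (tcpdump -i eth0 on the gateway).
POSTED_CAPTURE = [
    "15:47:39.305917 200.10.1.100.l2tp > 200.10.1.1.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...",
    "15:47:39.306446 200.10.1.1 > 200.10.1.100: icmp: 200.10.1.1 udp port l2tp unreachable [tos 0xc0]",
]

# Constructed: the shape a working L2TP/IPsec setup would show on eth0.
HEALTHY_CAPTURE = [
    "15:50:01.000100 200.10.1.100.isakmp > 200.10.1.1.isakmp: isakmp: phase 1 I ident",
    "15:50:01.000900 200.10.1.1.isakmp > 200.10.1.100.isakmp: isakmp: phase 1 R ident",
    "15:50:01.020000 200.10.1.100 > 200.10.1.1: ESP(spi=0x0a1b2c3d,seq=0x1)",
    "15:50:01.020500 200.10.1.1 > 200.10.1.100: ESP(spi=0x1d2c3b4a,seq=0x1)",
]

if __name__ == "__main__":
    for name, cap in (("posted", POSTED_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, diagnose(cap))
```

Run against the posted capture this reports l2tp-without-ipsec, no-ike and l2tpd-not-listening: the client never started IKE, sent L2TP unprotected, and the gateway rejected it only because l2tpd was bound to 192.168.0.1 rather than the address the client reached. Removing listen-addr makes the L2TP handshake succeed but, as the poster noticed, it then runs without any IPsec at all, which is exactly the condition the l2tp-clear category is there to flag.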


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:35 EDT

