[strongSwan] L2TP help
Andreas Steffen
andreas.steffen at strongswan.org
Wed Sep 22 21:04:54 CEST 2010
Hello Troy,
> #4: NAT-Traversal: Transport mode disabled due to security concerns
means that the option
./configure --enable-nat-transport
is not active.
Regards
Andreas
On 22.09.2010 20:20, Troy Telford wrote:
> I've got a working Openswan setup (backed up, of course). I decided to give
> strongSwan a try, and choose whichever I liked better...
>
> It also gives me confidence the certificates, etc. working properly. (Though
> logfiles help that too...)
>
> For the moment, my clients are mainly L2TP clients - having the built-in
> client for Windows, OS X, and iOS devices helps... So getting that working
> properly is the highest priority (and since that's in the IKEv1 realm,
> Openswan fits the need nicely already...) I'm also a bit curious about which
> handles the L2TP connections better with regards to clients behind NAT, etc...
>
> With strongSwan, however, I'm having trouble getting connected.
>
> I've used 'plutodebug="control controlmore" to get more debugging info, and
> here's the bits I think are interesting: (I can send more if needed,
> though...)
>
> All the certs and CA validate:
> Sep 22 11:40:13 pilot pluto[8140]: | certificate is valid
> Sep 22 11:40:13 pilot pluto[8140]: | issuer cacert found
> Sep 22 11:40:13 pilot pluto[8140]: | certificate signature is valid
> Sep 22 11:40:13 pilot pluto[8140]: | crl signature is valid
> Sep 22 11:40:13 pilot pluto[8140]: | crl is valid: until Oct 06 13:04:05 2010
> Sep 22 11:40:13 pilot pluto[8140]: | certificate is good
>
> Phase I seems to complete:
> Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior"[2] 72.254.127.191:4500 #3: sent MR3, ISAKMP SA established
>
> And next, the part that I think is the problem:
> Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: NAT-Traversal: Transport mode disabled due to security concerns
> Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: sending encrypted notification BAD_PROPOSAL_SYNTAX to 72.254.127.191:4500
>
> The "BAD_PROPOSAL_SYNTAX" and Transport mode error happens with both the
> certificate-based 'roadwarrior-l2tp' connection, and with the PSK-based
> 'roadwarrior-l2tp-psk' connections.
>
> (Note, some comments are not in the actual file, but are there for your
> benefit...)
>
> I'm using packages from Debian (sid), kernel 2.6.32, and strongSwan 4.4.1.
>
> My config:
>
> config setup
> # plutodebug=all
> # plutodebug="control controlmore"
> crlcheckinterval="30"
> strictcrlpolicy=yes
> cachecrls=yes
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/26,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
> interfaces=%defaultroute
> charonstart=yes
> plutostart=yes
>
> conn %default
> keyingtries=1
> type=tunnel
> ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
> esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
> compress=yes
> left=%defaultroute
> leftsubnet=my_hostname.net/32 # This is dyndns assigned, so it's not static :(
> right=%any
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> pfs=yes
>
> conn roadwarrior-l2tp
> type=transport
> leftprotoport=17/1701
> rightprotoport=17/%any
> rightsubnet=vhost:%no,%priv
> pfs=no
> also=roadwarrior
>
> conn roadwarrior
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> leftcert=pilotCert.pem
> leftid=@my_hostname
> rightid="C=CO, ST=State, O=My Organization, OU=My OrgUnit, CN=*, E=*"
> rightca=%same
> auto=add
>
> # for iOS VPNs...
> conn roadwarrior-l2tp-psk
> type=transport
> authby=secret
> leftprotoport=17/1701
> rightprotoport=17/%any
> rightsubnet=vhost:%no,%priv
> pfs=no
> auto=add
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
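As an added example (not code from the thread or from strongSwan itself), a small parser for the pluto log lines quoted above: it splits each line into the `"conn"[instance] peer #state: message` fields, groups messages by state number so that a completed phase 1 (#3) can be told apart from the failing phase 2 (#4), and flags the NAT-T transport refusal with the remediation Andreas gives. The sample lines are constructed from Troy's post with each message restored to one line (the mail client wrapped the long ones); `parse_line`, `diagnose` and the `ADVICE` string are this example's own names.

```python
"""Parse strongSwan 4.x pluto log lines and flag the NAT-T transport-mode
refusal discussed in the thread above.

Added example: this is not code from the original post or from strongSwan.
The sample log lines are constructed from the ones quoted in the thread,
with each message restored to a single line (the mail client wrapped the
long ones). The remediation string repeats Andreas' diagnosis: the message
means pluto was built without ./configure --enable-nat-transport.
"""
import re
from collections import defaultdict

# 'Sep 22 11:40:13 pilot pluto[8140]: <rest>'
_PLUTO = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: (?P<rest>.*)$')
# '"conn"[instance] peer:port #state: message' (the [instance] part is
# only present for instantiated templates such as right=%any)
_STATE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) '
    r'#(?P<sa>\d+): (?P<msg>.*)$')
_NOTIFY = re.compile(r'sending (?:encrypted )?notification (\S+) to ')

NAT_T_TRANSPORT_MSG = 'NAT-Traversal: Transport mode disabled due to security concerns'
ADVICE = ('pluto was built without NAT-T transport mode support; rebuild '
          'strongSwan with ./configure --enable-nat-transport')


def parse_line(line):
    """Return a dict for one pluto log line, or None if it is not one.

    kind='debug' for '| ...' lines (plutodebug output), kind='state' for
    per-SA lines (conn, inst, peer, sa, msg), kind='other' for the rest.
    """
    m = _PLUTO.match(line.strip())
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'host': m.group('host'), 'pid': int(m.group('pid'))}
    rest = m.group('rest')
    if rest.startswith('| '):
        rec.update(kind='debug', msg=rest[2:])
        return rec
    s = _STATE.match(rest)
    if not s:
        rec.update(kind='other', msg=rest)
        return rec
    rec.update(kind='state', conn=s.group('conn'),
               inst=int(s.group('inst')) if s.group('inst') else None,
               peer=s.group('peer'), sa=int(s.group('sa')), msg=s.group('msg'))
    return rec


def diagnose(lines):
    """Group per-SA messages by state number and summarise the exchange.

    Returns a dict with the SA numbers that reached 'ISAKMP SA established'
    (phase 1 done), the (sa, conn) pairs that hit the NAT-T transport
    refusal, every notification sent to the peer, and a remediation string
    when the refusal was seen.
    """
    by_sa = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['kind'] == 'state':
            by_sa[rec['sa']].append(rec)

    report = {'phase1_ok': [], 'nat_t_transport_refused': [],
              'notifications': [], 'advice': None}
    for sa in sorted(by_sa):
        for r in by_sa[sa]:
            if 'ISAKMP SA established' in r['msg']:
                report['phase1_ok'].append(sa)
            if NAT_T_TRANSPORT_MSG in r['msg']:
                report['nat_t_transport_refused'].append((sa, r['conn']))
            n = _NOTIFY.search(r['msg'])
            if n:
                report['notifications'].append((sa, n.group(1)))
    if report['nat_t_transport_refused']:
        report['advice'] = ADVICE
    return report


# Constructed from the lines quoted in the thread, one message per line.
SAMPLE_LOG = """\
Sep 22 11:40:13 pilot pluto[8140]: | certificate is valid
Sep 22 11:40:13 pilot pluto[8140]: | crl is valid: until Oct 06 13:04:05 2010
Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior"[2] 72.254.127.191:4500 #3: sent MR3, ISAKMP SA established
Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: NAT-Traversal: Transport mode disabled due to security concerns
Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: sending encrypted notification BAD_PROPOSAL_SYNTAX to 72.254.127.191:4500
""".splitlines()

if __name__ == '__main__':
    for k, v in diagnose(SAMPLE_LOG).items():
        print(f'{k}: {v}')
```

Feed it the real daemon log (`grep pluto /var/log/auth.log` or wherever syslog puts it) rather than a mail-wrapped copy: the parser expects one message per line, and the refusal and the BAD_PROPOSAL_SYNTAX notification that follows it always share the same #state number, which is what lets you tie the phase 2 failure to the L2TP transport-mode conn rather than to the certificate or phase 1 exchange.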