Tuesday, June 24, 2008

PPTP server/client LAB

Unlike L2TP, the PPTP server and client are shipped as separate packages: one package for the server (pptpd) and one for the client (pptp, often packaged as pptp-client).
(For L2TP the usual choices are l2tpd, rp-l2tpd and xl2tpd.)

PPTP server binary: pptpd
PPTP client binary: pptp

In my environment, the server runs on Mandrake 10.0, with pptp.

The basic client command needed to bring the tunnel up:

pptp 10.0.0.1 user peter password 4321 noauth

(pptp passes everything after the server address through to pppd, so `user`, `password` and `noauth` are pppd options. Putting the password on the command line leaves it visible to every local user via `ps`, which is why the pppd manual discourages the `password` option; a line `peter * 4321 *` in /etc/ppp/chap-secrets does the same job without that exposure. `noauth` only means the client does not demand that the server authenticate itself; the server still authenticates the client.)

On the PPTP server:

[root@localhost etc]# cat pptpd.conf
debug
option /etc/ppp/options.pptp
localip 192.168.123.1
remoteip 192.168.123.2-100

then start the pptpd daemon.

==========STOP PPTP client====
To stop an established PPTP client connection, just kill pppd.

Yeah, just do that, I tested it!
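As an added example (not from the original post), here is a small Python helper that stops one PPTP tunnel by terminating only the pppd that owns a given ppp interface, instead of `killall pppd`, which would also drop every other PPP link on the box. It assumes pppd's default pidfile location /var/run/pppN.pid and the Linux /proc layout; both are parameters so they can be pointed elsewhere, and a stale pidfile is detected by checking that the pid really belongs to a pppd before anything is signalled. SIGTERM is used because pppd handles it by tearing the link down cleanly.

```python
#!/usr/bin/env python3
"""Stop one PPTP client tunnel by terminating the pppd that owns it.

Added example, not from the original post. Assumptions: pppd writes
/var/run/pppN.pid for interface pppN (RUN_DIR) and /proc/<pid>/cmdline is
available (PROC_ROOT). A stale pidfile could point at an unrelated process,
so the pid is verified to be a pppd before SIGTERM is sent.
"""
import os
import signal
from pathlib import Path

RUN_DIR = "/var/run"   # assumption: default pppd pidfile directory
PROC_ROOT = "/proc"


def parse_pidfile_text(text: str):
    """Return the pid in a pppd pidfile, or None if it is empty or garbage."""
    first = text.strip().split()[:1]
    if not first or not first[0].isdigit():
        return None
    pid = int(first[0])
    return pid if pid > 1 else None


def cmdline_is_pppd(cmdline: bytes) -> bool:
    """/proc/<pid>/cmdline is NUL-separated; argv[0] must be pppd."""
    argv0 = cmdline.split(b"\0", 1)[0]
    return os.path.basename(argv0) == b"pppd"


def pppd_pid_for(iface: str, run_dir: str = RUN_DIR, proc_root: str = PROC_ROOT):
    """Pid of the pppd owning `iface` (e.g. 'ppp0'), or None if missing/stale."""
    pidfile = Path(run_dir) / f"{iface}.pid"
    try:
        pid = parse_pidfile_text(pidfile.read_text())
    except OSError:
        return None
    if pid is None:
        return None
    try:
        cmdline = (Path(proc_root) / str(pid) / "cmdline").read_bytes()
    except OSError:
        return None   # process is gone: stale pidfile, do not signal anything
    return pid if cmdline_is_pppd(cmdline) else None


def stop_pptp(iface: str = "ppp0", dry_run: bool = False) -> bool:
    """Send SIGTERM to the pppd behind `iface`; True if a live pppd was found."""
    pid = pppd_pid_for(iface)
    if pid is None:
        return False
    if not dry_run:
        os.kill(pid, signal.SIGTERM)
    return True


if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "ppp0"
    print("stopped" if stop_pptp(iface) else f"no live pppd found for {iface}")
```

Run it as root with the interface name (`python3 stop_pptp.py ppp0`); it refuses to signal anything when the pidfile is missing, empty, or points at a pid that is no longer a pppd.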



Friday, June 20, 2008

l2tpd server/client LAB (added: over IPsec)

My server is Mandrake 10.1, with l2tpd as the server.

[root@localhost l2tpd]# l2tpd -v
Usage: l2tpd -D -c [config file] -s [secret file] -p [pid file]

[root@localhost l2tpd]# pwd
/etc/l2tpd
[root@localhost l2tpd]# cat l2tpd.conf

[global]
;listen-addr = 192.168.1.98
auth file = /etc/ppp/chap-secrets

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = Linuxl2tpVPNserver
ppp debug = yes
;pppoptfile = /etc/ppp/options.l2tpd
;length bit = yes

[lac linux]
lns = 172.21.34.138
ppp debug = yes
require authentication = yes
pppoptfile = /etc/ppp/options.l2tpd

================In client [LAC]=======
root@team-server:/etc/ppp# cat options.l2tpd
ipcp-accept-local
ipcp-accept-remote
#ms-dns 10.51.8.15
#ms-dns 10.51.8.243
#noccp
noauth
#require-mschap
#require-mschap-v2
#crtscts
idle 1800
mtu 1200
mru 1200
#username peter
#password 4321
#nodefaultroute
#nodetach
debug
lock
#require-chap
#proxyarp
connect-delay 5000



TIP:
# Excerpt from /var/log/messages showing a CHAP authentication failure for user "0123456789". pppd found no line in the auth file (/etc/ppp/chap-secrets, as set in l2tpd.conf above) whose client column is that name (or "*") and whose server column is this server's own name (or "*"):
Jun 20 16:19:07 localhost pppd[13989]: noccp^I^I# (from /etc/ppp/options)
Jun 20 16:19:07 localhost pppd[13989]: pppd 2.4.2 started by root, uid 0
Jun 20 16:19:07 localhost pppd[13989]: Using interface ppp0
Jun 20 16:19:07 localhost pppd[13989]: Connect: ppp0 <--> /dev/pts/1
Jun 20 16:19:10 localhost pppd[13989]: No CHAP secret found for authenticating 0123456789
Jun 20 16:19:10 localhost pppd[13989]: Peer 0123456789 failed CHAP authentication
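As an added example (not from the original post), the following Python check reads pppd log lines like the ones above together with a chap-secrets file and reports whether an entry would now match, using the matching rule pppd applies when it authenticates a peer: the client column must equal the peer's CHAP name or be `*`, and the server column must equal the name pppd uses for itself or be `*`. The sample log and both secrets files are constructed for the example; the server name Linuxl2tpVPNserver is taken from the `name =` line of the l2tpd.conf above and is assumed here to be the name pppd uses.

```python
#!/usr/bin/env python3
"""Explain a pppd "No CHAP secret found" failure against /etc/ppp/chap-secrets.

Added example, not from the original post. chap-secrets lines have the form
"client server secret [addresses...]"; '#' starts a comment and quoting works
as in a shell. pppd prefers the most specific match, this returns the first
match, which is enough to tell whether a failure would go away.
"""
import re
import shlex

FAIL_RE = re.compile(r"pppd\[\d+\]: No CHAP secret found for authenticating (\S+)")


def parse_chap_secrets(text):
    """Return (client, server, secret, addrs) tuples from chap-secrets text."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)   # strips '#' comments, honours quotes
        if len(fields) < 3:
            continue   # blank, comment-only, or too short to be a secret
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def find_secret(entries, peer_name, our_name):
    """First entry usable for authenticating `peer_name` to us, or None."""
    for entry in entries:
        client, server = entry[0], entry[1]
        if client in ("*", peer_name) and server in ("*", our_name):
            return entry
    return None


def failed_peers(log_text):
    """Peer names pppd reported no CHAP secret for, in order, without duplicates."""
    seen = []
    for m in FAIL_RE.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def diagnose(log_text, secrets_text, our_name):
    """Map each failing peer name to the entry that would match now, or None."""
    entries = parse_chap_secrets(secrets_text)
    return {peer: find_secret(entries, peer, our_name) for peer in failed_peers(log_text)}


# Constructed sample data, not from a real system.
SAMPLE_LOG = """\
Jun 20 16:19:07 localhost pppd[13989]: Using interface ppp0
Jun 20 16:19:10 localhost pppd[13989]: No CHAP secret found for authenticating 0123456789
Jun 20 16:19:10 localhost pppd[13989]: Peer 0123456789 failed CHAP authentication
"""
# Broken: the server column names a host that is not this server, so nothing matches.
SAMPLE_SECRETS_BAD = """\
# client        server                  secret   IP addresses
peter           *                       4321     *
0123456789      SomeOtherServer         s3cret   192.168.1.130
"""
# Fixed: server column is our own name (or "*").
SAMPLE_SECRETS_GOOD = """\
peter           *                       4321     *
0123456789      Linuxl2tpVPNserver      s3cret   192.168.1.130
"""

if __name__ == "__main__":
    for label, secrets in (("bad", SAMPLE_SECRETS_BAD), ("good", SAMPLE_SECRETS_GOOD)):
        for peer, entry in diagnose(SAMPLE_LOG, secrets, "Linuxl2tpVPNserver").items():
            print(f"{label}: peer {peer}: " + (f"would match {entry}" if entry else "still no secret"))
```

The first secrets file reproduces the failure in the log even though a line for 0123456789 exists, because the server column does not match; the second fixes it. The same check applies to the client side, where pppd looks up its own name in the client column and the server's name in the server column.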



http://cad.csie.ncku.edu.tw/~wnlee/l2tp.html

------- Follow-up: enabling/disabling L2TP over IPsec in Windows.
Setting ProhibitIpSec to 1 (followed by a reboot) makes the Windows L2TP client skip IPsec entirely; the L2TP control channel, PPP negotiation and CHAP exchange then cross the network unprotected, so use it only for lab debugging and set it back to 0 (or delete the value) afterwards to restore L2TP/IPsec.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ProhibitIPSec"=dword:00000001


Below is the Quick Mode proposal sent by the XP client for L2TP over IPsec:

  17215  |   a1 2a b3 51  a3 7d 54 9d
  17216  |    responder cookie:
  17217  |   6c b9 d5 a5  6d 66 9f 94
  17218  |    next payload type: ISAKMP_NEXT_HASH
  17219  |    ISAKMP version: ISAKMP Version 1.0
  17220  |    exchange type: ISAKMP_XCHG_QUICK
  17221  |    flags: ISAKMP_FLAG_ENCRYPTION
  17222  |    message ID:  ee 8d 05 29
  17223  |    length: 300
  17224  | processing connection l2tp[3] 172.21.33.203
  17225  | ***parse ISAKMP Hash Payload:
  17226  |    next payload type: ISAKMP_NEXT_SA
  17227  |    length: 24
  17228  | ***parse ISAKMP Security Association Payload:
  17229  |    next payload type: ISAKMP_NEXT_NONCE
  17230  |    length: 196
  17231  |    DOI: ISAKMP_DOI_IPSEC
  17232  | ***parse ISAKMP Nonce Payload:
  17233  |    next payload type: ISAKMP_NEXT_ID
  17234  |    length: 24
  17235  | ***parse ISAKMP Identification Payload (IPsec DOI):
  17236  |    next payload type: ISAKMP_NEXT_ID
  17237  |    length: 12
  17238  |    ID type: ID_IPV4_ADDR
  17239  |    Protocol ID: 17
  17240  |    port: 1701
  17241  | ***parse ISAKMP Identification Payload (IPsec DOI):
  17242  |    next payload type: ISAKMP_NEXT_NONE
  17243  |    length: 12
  17244  |    ID type: ID_IPV4_ADDR
  17245  |    Protocol ID: 17
  17246  |    port: 1701
  17247  | removing 4 bytes of padding
  17248  | peer client is 172.21.33.203
  17249  | peer client protocol/port is 17/1701
  17250  | our client is 172.21.46.133
  17251  | our client protocol/port is 17/1701
  17252  | processing connection l2tp[3] 172.21.33.203
  17253  | ****parse IPsec DOI SIT:
  17254  |    IPsec DOI SIT: SIT_IDENTITY_ONLY
  17255  | ****parse ISAKMP Proposal Payload:
  17256  |    next payload type: ISAKMP_NEXT_P
  17257  |    length: 92
  17258  |    proposal number: 1
  17259  |    protocol ID: PROTO_IPSEC_ESP
  17260  |    SPI size: 4
  17261  |    number of transforms: 2
  17262  | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
  17263  | SPI  1e 0e 52 3c
  17264  | ****parse ISAKMP Proposal Payload:
  17265  |    next payload type: ISAKMP_NEXT_NONE
  17266  |    length: 92
  17267  |    proposal number: 2
  17268  |    protocol ID: PROTO_IPSEC_AH
  17269  |    SPI size: 4
  17270  |    number of transforms: 2
  17271  | *****parse ISAKMP Transform Payload (ESP):
  17272  |    next payload type: ISAKMP_NEXT_T
  17273  |    length: 40
  17274  |    transform number: 1
  17275  |    transform ID: ESP_NULL
  17276  | ******parse ISAKMP IPsec DOI attribute:
  17277  |    af+type: SA_LIFE_TYPE
  17278  |    length/value: 1
  17279  |    [1 is SA_LIFE_TYPE_SECONDS]
  17280  | ******parse ISAKMP IPsec DOI attribute:
  17281  |    af+type: SA_LIFE_DURATION (variable length)
  17282  |    length/value: 4
  17283  |    long duration: 3600
  17284  | ******parse ISAKMP IPsec DOI attribute:
  17285  |    af+type: SA_LIFE_TYPE
  17286  |    length/value: 2
  17287  |    [2 is SA_LIFE_TYPE_KBYTES]
  17288  | ******parse ISAKMP IPsec DOI attribute:
  17289  |    af+type: SA_LIFE_DURATION (variable length)
  17290  |    length/value: 4
  17291  |    long duration: 250000
  17292  | ******parse ISAKMP IPsec DOI attribute:
  17293  |    af+type: ENCAPSULATION_MODE
  17294  |    length/value: 2
  17295  |    [2 is ENCAPSULATION_MODE_TRANSPORT]
  17296  | ******parse ISAKMP IPsec DOI attribute:
  17297  |    af+type: AUTH_ALGORITHM
  17298  |    length/value: 2
  17299  |    [2 is AUTH_ALGORITHM_HMAC_SHA1]

  17300  "l2tp"[3] 172.21.33.203 #9: IPsec Transform [ESP_NULL (0), AUTH_ALGORITHM_HMAC_SHA1] refused due to insecure key_len and enc. alg. not listed in "esp" string
  17301  | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
  17302  | SPI  1e 0e 52 3c
  17303  | *****parse ISAKMP Transform Payload (AH):
  17304  |    next payload type: ISAKMP_NEXT_T
  17305  |    length: 40
  17306  |    transform number: 1
  17307  |    transform ID: AH_SHA
  17308  | ******parse ISAKMP IPsec DOI attribute:
  17309  |    af+type: SA_LIFE_TYPE
  17310  |    length/value: 1
  17311  |    [1 is SA_LIFE_TYPE_SECONDS]
  17312  | ******parse ISAKMP IPsec DOI attribute:
  17313  |    af+type: SA_LIFE_DURATION (variable length)
  17314  |    length/value: 4
  17315  |    long duration: 3600
  17316  | ******parse ISAKMP IPsec DOI attribute:
  17317  |    af+type: SA_LIFE_TYPE
  17318  |    length/value: 2
  17319  |    [2 is SA_LIFE_TYPE_KBYTES]
  17320  | ******parse ISAKMP IPsec DOI attribute:
  17321  |    af+type: SA_LIFE_DURATION (variable length)
  17322  |    length/value: 4
  17323  |    long duration: 250000
  17324  | ******parse ISAKMP IPsec DOI attribute:
  17325  |    af+type: ENCAPSULATION_MODE
  17326  |    length/value: 2
  17327  |    [2 is ENCAPSULATION_MODE_TRANSPORT]
  17328  | ******parse ISAKMP IPsec DOI attribute:
  17329  |    af+type: AUTH_ALGORITHM
  17330  |    length/value: 2
  17331  |    [2 is AUTH_ALGORITHM_HMAC_SHA1]
  17332  "l2tp"[3] 172.21.33.203 #9: no acceptable Proposal in IPsec SA
  17333  "l2tp"[3] 172.21.33.203 #9: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.21.33.203:500
  17334  "l2tp"[3] 172.21.33.203 #9: failed to build notification for spisize=0

-----------------------------------------------------------------------------------------------------------------

This log comes from my router; the client is L2TP over IPsec running on WinXP (SP3?).
They seem to prefer the ESP NULL algorithm + SHA1.
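To make the two traces on this page comparable, here is an added Python example (not from the original post, and not Openswan code) that parses pluto's Quick Mode debug lines into transforms and then acts as the responder: an ESP transform is acceptable only if its (encryption, integrity) pair is listed in the connection's esp= string, and an AH proposal only if the connection allows AH. With a strict policy such as esp=3des-sha1 the ESP_NULL transform is refused exactly as the router log above reports, while a policy that admits null-sha1 accepts it with only a warning, which is the outcome of the second trace below (IPsec SA established over ESP_NULL, i.e. integrity protection but no confidentiality for the L2TP/PPP payload). The embedded excerpt is constructed to mirror the shape of the log; its second ESP transform (3DES) is invented, since the page's excerpt does not show what the client's second transform was.

```python
#!/usr/bin/env python3
"""Replay pluto's Quick Mode proposal check against an esp= policy.

Added example for this post; not Openswan code. Parses pluto debug lines
("transform ID: ESP_NULL", "[2 is AUTH_ALGORITHM_HMAC_SHA1]",
"[2 is ENCAPSULATION_MODE_TRANSPORT]") into transforms and decides, like
the responder, which one (if any) is acceptable. SAMPLE_QM_LOG is
constructed; the ESP_3DES transform in it is invented for the example.
"""
import re

ESP_NAMES = {"ESP_NULL": "null", "ESP_3DES": "3des", "ESP_AES": "aes"}
AH_NAMES = {"AH_SHA": "sha1", "AH_MD5": "md5"}
AUTH_NAMES = {"AUTH_ALGORITHM_HMAC_SHA1": "sha1", "AUTH_ALGORITHM_HMAC_MD5": "md5"}

TRANSFORM_RE = re.compile(r"transform ID: (\S+)")
AUTH_RE = re.compile(r"\[\d+ is (AUTH_ALGORITHM_\w+)\]")
ENCAP_RE = re.compile(r"\[\d+ is ENCAPSULATION_MODE_(\w+)\]")


def parse_proposals(log_text):
    """Return transforms as dicts {proto, enc, auth, mode}, in wire order."""
    transforms, current = [], None
    for line in log_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            tid = m.group(1)
            if tid in ESP_NAMES:
                current = {"proto": "ESP", "enc": ESP_NAMES[tid], "auth": None, "mode": None}
            elif tid in AH_NAMES:
                current = {"proto": "AH", "enc": None, "auth": AH_NAMES[tid], "mode": None}
            else:
                current = {"proto": "?", "enc": tid, "auth": None, "mode": None}
            transforms.append(current)
        elif current is not None:
            m = AUTH_RE.search(line)
            if m:
                current["auth"] = AUTH_NAMES.get(m.group(1), m.group(1))
            m = ENCAP_RE.search(line)
            if m:
                current["mode"] = m.group(1).lower()
    return transforms


def parse_esp_policy(esp_string):
    """'3des-sha1,aes' -> {('3des','sha1'), ('aes', None)}; None = any integrity."""
    allowed = set()
    for item in esp_string.split(","):
        enc, _, auth = item.strip().partition("-")
        if enc:
            allowed.add((enc, auth or None))
    return allowed


def evaluate(transforms, esp_string, allow_ah=False):
    """Act as responder: return (chosen transform or None, [(t, ok, reason)]).
    None is pluto's "no acceptable Proposal" / NO_PROPOSAL_CHOSEN outcome."""
    allowed = parse_esp_policy(esp_string)
    chosen, decisions = None, []
    for t in transforms:
        if t["proto"] == "ESP":
            ok = (t["enc"], t["auth"]) in allowed or (t["enc"], None) in allowed
            why = "" if ok else 'enc. alg. not listed in "esp" string'
            if ok and t["enc"] == "null":
                why = "ESP_NULL: integrity only, L2TP/PPP and the CHAP exchange go unencrypted"
        elif t["proto"] == "AH":
            ok, why = allow_ah, ("" if allow_ah else "AH not enabled for this connection")
        else:
            ok, why = False, "unknown transform"
        decisions.append((t, ok, why))
        if ok and chosen is None:
            chosen = t
    return chosen, decisions


# Constructed excerpt in pluto's debug format (see module docstring).
SAMPLE_QM_LOG = """\
| ****parse ISAKMP Proposal Payload:
|    proposal number: 1
|    protocol ID: PROTO_IPSEC_ESP
| *****parse ISAKMP Transform Payload (ESP):
|    transform ID: ESP_NULL
|    [2 is ENCAPSULATION_MODE_TRANSPORT]
|    [2 is AUTH_ALGORITHM_HMAC_SHA1]
| *****parse ISAKMP Transform Payload (ESP):
|    transform ID: ESP_3DES
|    [2 is ENCAPSULATION_MODE_TRANSPORT]
|    [2 is AUTH_ALGORITHM_HMAC_SHA1]
| *****parse ISAKMP Transform Payload (AH):
|    transform ID: AH_SHA
|    [2 is ENCAPSULATION_MODE_TRANSPORT]
|    [2 is AUTH_ALGORITHM_HMAC_SHA1]
"""

if __name__ == "__main__":
    transforms = parse_proposals(SAMPLE_QM_LOG)
    for policy in ("3des-sha1", "null-sha1", "aes-sha1"):
        chosen, decisions = evaluate(transforms, policy)
        print(f'esp="{policy}"')
        for t, ok, why in decisions:
            name = f"{t['enc']}-{t['auth']}" if t["enc"] else f"ah-{t['auth']}"
            print(f"  {t['proto']} {name} ({t['mode']}): {'accepted' if ok else 'refused'}"
                  + (f" [{why}]" if why else ""))
        print("  ->", "SA established" if chosen else "no acceptable Proposal: NO_PROPOSAL_CHOSEN")
```

The practical check this encodes: if the responder's esp= list does not contain null, the client's ESP_NULL transform can never be chosen, and the tunnel only comes up when the client also offers something on that list; if null-sha1 is on the list, the tunnel comes up but carries L2TP in the clear, which is what the warning in the second trace is about.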

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.03.30 15:25:59 =~=~=~=~=~=~=~=~=~=~=~=
pluto[5161]: |

pluto[5161]: | *received 312 bytes from 172.21.33.203:500 on eth0

pluto[5161]: | **parse ISAKMP Message:

pluto[5161]: |    initiator cookie:

pluto[5161]: |   5a 8c 0c 62  6e 27 b4 11

pluto[5161]: |    responder cookie:

pluto[5161]: |   00 00 00 00  00 00 00 00

pluto[5161]: |    next payload type: ISAKMP_NEXT_SA

pluto[5161]: |    ISAKMP version: ISAKMP Version 1.0

pluto[5161]: |    exchange type: ISAKMP_XCHG_IDPROT

pluto[5161]: |    flags: none

pluto[5161]: |    message ID:  00 00 00 00

pluto[5161]: |    length: 312

pluto[5161]: | The xchg type is ISAKMP_XCHG_IDPROT (2)

pluto[5161]: | ***parse ISAKMP Security Association Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_VID

pluto[5161]: |    length: 200

pluto[5161]: |    DOI: ISAKMP_DOI_IPSEC

pluto[5161]: | ***parse ISAKMP Vendor ID Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_VID

pluto[5161]: |    length: 24

pluto[5161]: | ***parse ISAKMP Vendor ID Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_VID

pluto[5161]: |    length: 20

pluto[5161]: | ***parse ISAKMP Vendor ID Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_VID

pluto[5161]: |    length: 20

pluto[5161]: | ***parse ISAKMP Vendor ID Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 20

pluto[5161]: packet from 172.21.33.203:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]

pluto[5161]: | VID:  1e 2b 51 69  05 99 1c 7d  7c 96 fc bf  b5 87 e4 61

pluto[5161]: |   00 00 00 04

pluto[5161]: packet from 172.21.33.203:500: ignoring Vendor ID payload [FRAGMENTATION]

pluto[5161]: | VID:  40 48 b7 d5  6e bc e8 85  25 e7 de 7f  00 d6 c2 d3

pluto[5161]: packet from 172.21.33.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

pluto[5161]: | VID:  90 cb 80 91  3e bb 69 6e  08 63 81 b5  ec 42 7b 1f

pluto[5161]: packet from 172.21.33.203:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]

pluto[5161]: | VID:  26 24 4d 38  ed db 61 b3  17 2a 36 e3  d0 cf b8 19

pluto[5161]: | ****parse IPsec DOI SIT:

pluto[5161]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY

pluto[5161]: | ****parse ISAKMP Proposal Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 188

pluto[5161]: |    proposal number: 1

pluto[5161]: |    protocol ID: PROTO_ISAKMP

pluto[5161]: |    SPI size: 0

pluto[5161]: |    number of transforms: 5

pluto[5161]: | *****parse ISAKMP Transform Payload (ISAKMP):

pluto[5161]: |    next payload type: ISAKMP_NEXT_T

pluto[5161]: |    length: 36

pluto[5161]: |    transform number: 1

pluto[5161]: |    transform ID: KEY_IKE

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM

pluto[5161]: |    length/value: 5

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_HASH_ALGORITHM

pluto[5161]: |    length/value: 2

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_GROUP_DESCRIPTION

pluto[5161]: |    length/value: 14

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_AUTHENTICATION_METHOD

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_TYPE

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: | *****parse ISAKMP Transform Payload (ISAKMP):

pluto[5161]: |    next payload type: ISAKMP_NEXT_T

pluto[5161]: |    length: 36

pluto[5161]: |    transform number: 2

pluto[5161]: |    transform ID: KEY_IKE

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM

pluto[5161]: |    length/value: 5

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_HASH_ALGORITHM

pluto[5161]: |    length/value: 2

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_GROUP_DESCRIPTION

pluto[5161]: |    length/value: 2

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_AUTHENTICATION_METHOD

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_TYPE

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: | *****parse ISAKMP Transform Payload (ISAKMP):

pluto[5161]: |    next payload type: ISAKMP_NEXT_T

pluto[5161]: |    length: 36

pluto[5161]: |    transform number: 3

pluto[5161]: |    transform ID: KEY_IKE

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM

pluto[5161]: |    length/value: 5

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_HASH_ALGORITHM

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_GROUP_DESCRIPTION

pluto[5161]: |    length/value: 2

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_AUTHENTICATION_METHOD

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_TYPE

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: | *****parse ISAKMP Transform Payload (ISAKMP):

pluto[5161]: |    next payload type: ISAKMP_NEXT_T

pluto[5161]: |    length: 36

pluto[5161]: |    transform number: 4

pluto[5161]: |    transform ID: KEY_IKE

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_HASH_ALGORITHM

pluto[5161]: |    length/value: 2

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_GROUP_DESCRIPTION

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_AUTHENTICATION_METHOD

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_TYPE

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: | *****parse ISAKMP Transform Payload (ISAKMP):

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 36

pluto[5161]: |    transform number: 5

pluto[5161]: |    transform ID: KEY_IKE

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_HASH_ALGORITHM

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_GROUP_DESCRIPTION

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_AUTHENTICATION_METHOD

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_TYPE

pluto[5161]: |    length/value: 1

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #1: responding to Main Mode from unknown peer 172.21.33.203

pluto[5161]: | ****parse IPsec DOI SIT:

pluto[5161]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY

pluto[5161]: | ****parse ISAKMP Proposal Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 188

pluto[5161]: |    proposal number: 1

pluto[5161]: |    protocol ID: PROTO_ISAKMP

pluto[5161]: |    SPI size: 0

pluto[5161]: |    number of transforms: 5

pluto[5161]: | *****parse ISAKMP Transform Payload (ISAKMP):

pluto[5161]: |    next payload type: ISAKMP_NEXT_T

pluto[5161]: |    length: 36

pluto[5161]: |    transform number: 1

pluto[5161]: |    transform ID: KEY_IKE

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM

pluto[5161]: |    length/value: 5

pluto[5161]: |    [5 is OAKLEY_3DES_CBC]

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_HASH_ALGORITHM

pluto[5161]: |    length/value: 2

pluto[5161]: |    [2 is OAKLEY_SHA]

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_GROUP_DESCRIPTION

pluto[5161]: |    length/value: 14

pluto[5161]: |    [14 is OAKLEY_GROUP_MODP2048]

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_AUTHENTICATION_METHOD

pluto[5161]: |    length/value: 1

pluto[5161]: |    [1 is OAKLEY_PRESHARED_KEY]

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_TYPE

pluto[5161]: |    length/value: 1

pluto[5161]: |    [1 is OAKLEY_LIFE_SECONDS]

pluto[5161]: | ******parse ISAKMP Oakley attribute:

pluto[5161]: |    af+type: OAKLEY_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: |    long duration: 28800

pluto[5161]: | Oakley Transform 1 accepted

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #1: transition from state (null) to state STATE_MAIN_R1

pluto[5161]: |

pluto[5161]: | *received 360 bytes from 172.21.33.203:500 on eth0

pluto[5161]: | **parse ISAKMP Message:

pluto[5161]: |    initiator cookie:

pluto[5161]: |   5a 8c 0c 62  6e 27 b4 11

pluto[5161]: |    responder cookie:

pluto[5161]: |   a6 4e e6 ec  da 02 54 6c

pluto[5161]: |    next payload type: ISAKMP_NEXT_KE

pluto[5161]: |    ISAKMP version: ISAKMP Version 1.0

pluto[5161]: |    exchange type: ISAKMP_XCHG_IDPROT

pluto[5161]: |    flags: none

pluto[5161]: |    message ID:  00 00 00 00

pluto[5161]: |    length: 360

pluto[5161]: | The xchg type is ISAKMP_XCHG_IDPROT (2)

pluto[5161]: | ***parse ISAKMP Key Exchange Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONCE

pluto[5161]: |    length: 260

pluto[5161]: | ***parse ISAKMP Nonce Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NAT-D

pluto[5161]: |    length: 24

pluto[5161]: | ***parse ISAKMP NAT-D Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NAT-D

pluto[5161]: |    length: 24

pluto[5161]: | ***parse ISAKMP NAT-D Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 24

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

pluto[5161]: |

pluto[5161]: | *received 68 bytes from 172.21.33.203:500 on eth0

pluto[5161]: | **parse ISAKMP Message:

pluto[5161]: |    initiator cookie:

pluto[5161]: |   5a 8c 0c 62  6e 27 b4 11

pluto[5161]: |    responder cookie:

pluto[5161]: |   a6 4e e6 ec  da 02 54 6c

pluto[5161]: |    next payload type: ISAKMP_NEXT_ID

pluto[5161]: |    ISAKMP version: ISAKMP Version 1.0

pluto[5161]: |    exchange type: ISAKMP_XCHG_IDPROT

pluto[5161]: |    flags: ISAKMP_FLAG_ENCRYPTION

pluto[5161]: |    message ID:  00 00 00 00

pluto[5161]: |    length: 68

pluto[5161]: | The xchg type is ISAKMP_XCHG_IDPROT (2)

pluto[5161]: | ***parse ISAKMP Identification Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_HASH

pluto[5161]: |    length: 12

pluto[5161]: |    ID type: ID_IPV4_ADDR

pluto[5161]: |    DOI specific A: 0

pluto[5161]: |    DOI specific B: 0

pluto[5161]: | ***parse ISAKMP Hash Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 24

pluto[5161]: | removing 4 bytes of padding

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #1: Main mode peer ID is ID_IPV4_ADDR: '172.21.33.203'

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #1: sent MR3, ISAKMP SA established

pluto[5161]: |

pluto[5161]: | *received 300 bytes from 172.21.33.203:500 on eth0

pluto[5161]: | **parse ISAKMP Message:

pluto[5161]: |    initiator cookie:

pluto[5161]: |   5a 8c 0c 62  6e 27 b4 11

pluto[5161]: |    responder cookie:

pluto[5161]: |   a6 4e e6 ec  da 02 54 6c

pluto[5161]: |    next payload type: ISAKMP_NEXT_HASH

pluto[5161]: |    ISAKMP version: ISAKMP Version 1.0

pluto[5161]: |    exchange type: ISAKMP_XCHG_QUICK

pluto[5161]: |    flags: ISAKMP_FLAG_ENCRYPTION

pluto[5161]: |    message ID:  23 3c fb 79

pluto[5161]: |    length: 300

pluto[5161]: | The xchg type is ISAKMP_XCHG_QUICK (32)

pluto[5161]: | ***parse ISAKMP Hash Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_SA

pluto[5161]: |    length: 24

pluto[5161]: | ***parse ISAKMP Security Association Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONCE

pluto[5161]: |    length: 196

pluto[5161]: |    DOI: ISAKMP_DOI_IPSEC

pluto[5161]: | ***parse ISAKMP Nonce Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_ID

pluto[5161]: |    length: 24

pluto[5161]: | ***parse ISAKMP Identification Payload (IPsec DOI):

pluto[5161]: |    next payload type: ISAKMP_NEXT_ID

pluto[5161]: |    length: 12

pluto[5161]: |    ID type: ID_IPV4_ADDR

pluto[5161]: |    Protocol ID: 17

pluto[5161]: |    port: 1701

pluto[5161]: | ***parse ISAKMP Identification Payload (IPsec DOI):

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 12

pluto[5161]: |    ID type: ID_IPV4_ADDR

pluto[5161]: |    Protocol ID: 17

pluto[5161]: |    port: 1701

pluto[5161]: | removing 4 bytes of padding

pluto[5161]: | peer client is 172.21.33.203/32

pluto[5161]: | peer client protocol/port is 17/1701

pluto[5161]: | our client is 172.21.33.8/32

pluto[5161]: | our client protocol/port is 17/1701

pluto[5161]: | ****parse IPsec DOI SIT:

pluto[5161]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY

pluto[5161]: | ****parse ISAKMP Proposal Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_P

pluto[5161]: |    length: 92

pluto[5161]: |    proposal number: 1

pluto[5161]: |    protocol ID: PROTO_IPSEC_ESP

pluto[5161]: |    SPI size: 4

pluto[5161]: |    number of transforms: 2

pluto[5161]: | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI

pluto[5161]: | SPI  ff 9a 6b fe

pluto[5161]: | ****parse ISAKMP Proposal Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 92

pluto[5161]: |    proposal number: 2

pluto[5161]: |    protocol ID: PROTO_IPSEC_AH

pluto[5161]: |    SPI size: 4

pluto[5161]: |    number of transforms: 2

pluto[5161]: | *****parse ISAKMP Transform Payload (ESP):

pluto[5161]: |    next payload type: ISAKMP_NEXT_T

pluto[5161]: |    length: 40

pluto[5161]: |    transform number: 1

pluto[5161]: |    transform ID: ESP_NULL

pluto[5161]: | ******parse ISAKMP IPsec DOI attribute:

pluto[5161]: |    af+type: SA_LIFE_TYPE

pluto[5161]: |    length/value: 1

pluto[5161]: |    [1 is SA_LIFE_TYPE_SECONDS]

pluto[5161]: | ******parse ISAKMP IPsec DOI attribute:

pluto[5161]: |    af+type: SA_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: |    long duration: 3600

pluto[5161]: | ******parse ISAKMP IPsec DOI attribute:

pluto[5161]: |    af+type: SA_LIFE_TYPE

pluto[5161]: |    length/value: 2

pluto[5161]: |    [2 is SA_LIFE_TYPE_KBYTES]

pluto[5161]: | ******parse ISAKMP IPsec DOI attribute:

pluto[5161]: |    af+type: SA_LIFE_DURATION (variable length)

pluto[5161]: |    length/value: 4

pluto[5161]: |    long duration: 250000

pluto[5161]: | ******parse ISAKMP IPsec DOI attribute:

pluto[5161]: |    af+type: ENCAPSULATION_MODE

pluto[5161]: |    length/value: 2

pluto[5161]: |    [2 is ENCAPSULATION_MODE_TRANSPORT]

pluto[5161]: | ******parse ISAKMP IPsec DOI attribute:

pluto[5161]: |    af+type: AUTH_ALGORITHM

pluto[5161]: |    length/value: 2

pluto[5161]: |    [2 is AUTH_ALGORITHM_HMAC_SHA1]

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #2: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #2: responding to Quick Mode

pluto[5161]: | compute_proto_keymat:needed_len (after ESP enc)=0

pluto[5161]: | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20

pluto[5161]: | compute_proto_keymat:needed_len (after ESP auth)=20

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #2: transition from state (null) to state STATE_QUICK_R1

pluto[5161]: |

pluto[5161]: | *received 52 bytes from 172.21.33.203:500 on eth0

pluto[5161]: | **parse ISAKMP Message:

pluto[5161]: |    initiator cookie:

pluto[5161]: |   5a 8c 0c 62  6e 27 b4 11

pluto[5161]: |    responder cookie:

pluto[5161]: |   a6 4e e6 ec  da 02 54 6c

pluto[5161]: |    next payload type: ISAKMP_NEXT_HASH

pluto[5161]: |    ISAKMP version: ISAKMP Version 1.0

pluto[5161]: |    exchange type: ISAKMP_XCHG_QUICK

pluto[5161]: |    flags: ISAKMP_FLAG_ENCRYPTION

pluto[5161]: |    message ID:  23 3c fb 79

pluto[5161]: |    length: 52

pluto[5161]: | The xchg type is ISAKMP_XCHG_QUICK (32)

pluto[5161]: | ***parse ISAKMP Hash Payload:

pluto[5161]: |    next payload type: ISAKMP_NEXT_NONE

pluto[5161]: |    length: 24

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

pluto[5161]: "conn_pptp_ipsec"[1] 172.21.33.203 #2: IPsec SA established
