<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">I am
trying to help some friends get off Windows PPTP (!!!!), and the
first stage was to move to L2TP/IPsec.</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">If I
can get them that far, we can move to pure IPsec - little steps!<br>
</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">I have
a working Libreswan IPsec setup on my trusty old CentOS 6 box.<br>
</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">We can
connect from Macs, Linux, iOS and Android handsets.</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">But not
Windows...</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">It
never seems to complete the IPsec connection, so it never
progresses to the L2TP/PPP part.<br>
</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">Any suggestions
gratefully received.</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">B. Rgds</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">John</font></font></p>
<p><font size="+1"><font face="Helvetica, Arial, sans-serif">ipsec
verify<br>
Verifying installed system and configuration files<br>
<br>
Version check and ipsec on-path [OK]<br>
Libreswan 3.29 (netkey) on 2.6.32-754.23.1.el6.x86_64<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY: Testing XFRM related proc values<br>
ICMP default/send_redirects [OK]<br>
ICMP default/accept_redirects [OK]<br>
XFRM larval drop [OK]<br>
Pluto ipsec.conf syntax [OK]<br>
Checking rp_filter [OK]<br>
Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for IKE/NAT-T on udp 4500 [OK]<br>
Pluto ipsec.secret syntax [OK]<br>
Checking 'ip' command [OK]<br>
Checking 'iptables' command [OK]<br>
Checking 'prelink' command does not interfere with FIPS
[PRESENT]<br>
Checking for obsolete ipsec.conf options [OK]<br>
<br>
config setup<br>
protostack=netkey<br>
plutodebug=none<br>
#klipsdebug=none<br>
plutostderrlog=/var/log/pluto/pluto.log<br>
dumpdir=/var/run/pluto/<br>
virtual_private=%v4:192.168.181.0/24<br>
<br>
include /etc/ipsec.d/ipsec.conf<br>
<br>
conn L2TPD-PSK<br>
authby=secret<br>
pfs=no<br>
auto=add<br>
rekey=no<br>
type=transport<br>
encapsulation=yes<br>
right=%any<br>
rightprotoport=17/%any<br>
left=%defaultroute<br>
leftprotoport=17/1701<br>
ikev2=no<br>
dpddelay=10<br>
dpdtimeout=30<br>
dpdaction=clear<br>
rightsubnet=192.168.181.0/24<br>
<br>
<br>
Here is a good connection from Android:<br>
<br>
Oct 17 14:06:35.841629: "L2TPD-PSK"[1] 1.2.3.4 #1: responding
to Main Mode from unknown peer 1.2.3.4 on port 500<br>
Oct 17 14:06:35.841927: "L2TPD-PSK"[1] 1.2.3.4 #1:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
Oct 17 14:06:36.199194: "L2TPD-PSK"[1] 1.2.3.4 #1:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
Oct 17 14:06:36.435724: "L2TPD-PSK"[1] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.65'<br>
Oct 17 14:06:36.435756: "L2TPD-PSK"[1] 1.2.3.4 #1: switched
from "L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"<br>
Oct 17 14:06:36.435776: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting
connection "L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4
{isakmp=#0/ipsec=#0}<br>
Oct 17 14:06:36.435788: "L2TPD-PSK"[2] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.65'<br>
Oct 17 14:06:36.435956: "L2TPD-PSK"[2] 1.2.3.4 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_384
group=MODP1024}<br>
Oct 17 14:06:36.668159: "L2TPD-PSK"[2] 1.2.3.4 #1: ignoring
informational payload IPSEC_INITIAL_CONTACT, msgid=00000000,
length=28<br>
Oct 17 14:06:36.668180: | ISAKMP Notification Payload<br>
Oct 17 14:06:36.668186: | 00 00 00 1c 00 00 00 01 01 10 60
02<br>
Oct 17 14:06:36.668192: "L2TPD-PSK"[2] 1.2.3.4 #1: received
and ignored notification payload: IPSEC_INITIAL_CONTACT<br>
Oct 17 14:06:37.714038: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer
proposed: 6.7.8.9/32:17/1701 -> 192.168.10.65/32:17/0<br>
Oct 17 14:06:37.714166: "L2TPD-PSK"[2] 1.2.3.4 #2: responding
to Quick Mode proposal {msgid:f2902c17}<br>
Oct 17 14:06:37.714180: "L2TPD-PSK"[2] 1.2.3.4 #2: us:
6.7.8.9:17/1701<br>
Oct 17 14:06:37.714189: "L2TPD-PSK"[2] 1.2.3.4 #2: them:
1.2.3.4[192.168.10.65]:17/0===192.168.181.0/24<br>
Oct 17 14:06:37.714359: "L2TPD-PSK"[2] 1.2.3.4 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2 transport mode {ESP/NAT=>0x00a00064
<0xa8646d52 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none
NATD=1.2.3.4:4500 DPD=active}<br>
Oct 17 14:06:37.978259: "L2TPD-PSK"[2] 1.2.3.4 #2:
STATE_QUICK_R2: IPsec SA established transport mode
{ESP/NAT=>0x00a00064 <0xa8646d52
xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none
NATD=1.2.3.4:4500 DPD=active}<br>
<br>
As soon as that finishes it fires up the xl2tpd connection.<br>
<br>
Failure from Win 7 (and same from Win 10):<br>
<br>
Oct 17 13:58:19.228480: "L2TPD-PSK"[1] 1.2.3.4 #1: responding
to Main Mode from unknown peer 1.2.3.4 on port 500<br>
Oct 17 13:58:19.228826: "L2TPD-PSK"[1] 1.2.3.4 #1:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
Oct 17 13:58:19.476285: "L2TPD-PSK"[1] 1.2.3.4 #1:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
Oct 17 13:58:19.709093: "L2TPD-PSK"[1] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.28'<br>
Oct 17 13:58:19.709216: "L2TPD-PSK"[1] 1.2.3.4 #1: switched
from "L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"<br>
Oct 17 13:58:19.709298: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting
connection "L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4
{isakmp=#0/ipsec=#0}<br>
Oct 17 13:58:19.709365: "L2TPD-PSK"[2] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.28'<br>
Oct 17 13:58:19.709925: "L2TPD-PSK"[2] 1.2.3.4 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1
group=DH20}<br>
Oct 17 13:58:19.709983: "L2TPD-PSK"[2] 1.2.3.4 #1: Configured
DPD (RFC 3706) support not enabled because remote peer did not
advertise DPD support<br>
Oct 17 13:58:19.941532: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer
proposed: 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/0<br>
Oct 17 13:58:19.941635: "L2TPD-PSK"[2] 1.2.3.4 #1:
NAT-Traversal: received 2 NAT-OA. Using first; ignoring others<br>
Oct 17 13:58:19.942065: "L2TPD-PSK"[2] 1.2.3.4 #2: responding
to Quick Mode proposal {msgid:00000001}<br>
Oct 17 13:58:19.942136: "L2TPD-PSK"[2] 1.2.3.4 #2: us:
6.7.8.9:17/1701<br>
Oct 17 13:58:19.942200: "L2TPD-PSK"[2] 1.2.3.4 #2: them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24<br>
Oct 17 13:58:19.942896: "L2TPD-PSK"[2] 1.2.3.4 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2 transport mode {ESP/NAT=>0xd2f84fcd
<0x3812889c xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:20.206460: "L2TPD-PSK"[2] 1.2.3.4 #2:
STATE_QUICK_R2: IPsec SA established transport mode
{ESP/NAT=>0xd2f84fcd <0x3812889c
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28
NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:20.206606: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer
proposed: 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701<br>
Oct 17 13:58:20.206639: "L2TPD-PSK"[2] 1.2.3.4 #1:
NAT-Traversal: received 2 NAT-OA. Using first; ignoring others<br>
Oct 17 13:58:20.206802: "L2TPD-PSK"[2] 1.2.3.4 #3: responding
to Quick Mode proposal {msgid:00000002}<br>
Oct 17 13:58:20.206818: "L2TPD-PSK"[2] 1.2.3.4 #3: us:
6.7.8.9:17/1701<br>
Oct 17 13:58:20.206835: "L2TPD-PSK"[2] 1.2.3.4 #3: them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24<br>
Oct 17 13:58:20.206924: "L2TPD-PSK"[2] 1.2.3.4 #3: keeping
refhim=0 during rekey<br>
Oct 17 13:58:20.207066: "L2TPD-PSK"[2] 1.2.3.4 #3:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2 transport mode {ESP/NAT=>0x1eeea96c
<0x321e2207 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:20.438199: "L2TPD-PSK"[2] 1.2.3.4 #3:
STATE_QUICK_R2: IPsec SA established transport mode
{ESP/NAT=>0x1eeea96c <0x321e2207
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28
NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:20.440171: "L2TPD-PSK"[2] 1.2.3.4 #1: received
Delete SA(0xd2f84fcd) payload: deleting IPsec State #2<br>
Oct 17 13:58:20.440236: "L2TPD-PSK"[2] 1.2.3.4 #2: deleting
other state #2 (STATE_QUICK_R2) aged 0.498s and sending
notification<br>
Oct 17 13:58:20.440351: "L2TPD-PSK"[2] 1.2.3.4 #2: ESP traffic
information: in=0B out=0B<br>
Oct 17 13:58:23.164977: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer
proposed: 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701<br>
Oct 17 13:58:23.165084: "L2TPD-PSK"[2] 1.2.3.4 #1:
NAT-Traversal: received 2 NAT-OA. Using first; ignoring others<br>
Oct 17 13:58:23.165407: "L2TPD-PSK"[2] 1.2.3.4 #4: responding
to Quick Mode proposal {msgid:00000003}<br>
Oct 17 13:58:23.165467: "L2TPD-PSK"[2] 1.2.3.4 #4: us:
6.7.8.9:17/1701<br>
Oct 17 13:58:23.165528: "L2TPD-PSK"[2] 1.2.3.4 #4: them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24<br>
Oct 17 13:58:23.165823: "L2TPD-PSK"[2] 1.2.3.4 #4: keeping
refhim=0 during rekey<br>
Oct 17 13:58:23.166343: "L2TPD-PSK"[2] 1.2.3.4 #4:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2 transport mode {ESP/NAT=>0x1c609c4b
<0x2cf88fd0 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:23.398271: "L2TPD-PSK"[2] 1.2.3.4 #4:
STATE_QUICK_R2: IPsec SA established transport mode
{ESP/NAT=>0x1c609c4b <0x2cf88fd0
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28
NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:23.399418: "L2TPD-PSK"[2] 1.2.3.4 #1: received
Delete SA(0x1eeea96c) payload: deleting IPsec State #3<br>
Oct 17 13:58:23.399483: "L2TPD-PSK"[2] 1.2.3.4 #3: deleting
other state #3 (STATE_QUICK_R2) aged 3.192s and sending
notification<br>
Oct 17 13:58:23.399587: "L2TPD-PSK"[2] 1.2.3.4 #3: ESP traffic
information: in=0B out=0B<br>
Oct 17 13:58:27.164013: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer
proposed: 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701<br>
Oct 17 13:58:27.164146: "L2TPD-PSK"[2] 1.2.3.4 #1:
NAT-Traversal: received 2 NAT-OA. Using first; ignoring others<br>
Oct 17 13:58:27.164492: "L2TPD-PSK"[2] 1.2.3.4 #5: responding
to Quick Mode proposal {msgid:00000004}<br>
Oct 17 13:58:27.164551: "L2TPD-PSK"[2] 1.2.3.4 #5: us:
6.7.8.9:17/1701<br>
Oct 17 13:58:27.164612: "L2TPD-PSK"[2] 1.2.3.4 #5: them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24<br>
Oct 17 13:58:27.164921: "L2TPD-PSK"[2] 1.2.3.4 #5: keeping
refhim=0 during rekey<br>
Oct 17 13:58:27.165391: "L2TPD-PSK"[2] 1.2.3.4 #5:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2 transport mode {ESP/NAT=>0x1728294a
<0x94e2fb05 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:27.395591: "L2TPD-PSK"[2] 1.2.3.4 #5:
STATE_QUICK_R2: IPsec SA established transport mode
{ESP/NAT=>0x1728294a <0x94e2fb05
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28
NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:27.398147: "L2TPD-PSK"[2] 1.2.3.4 #1: received
Delete SA(0x1c609c4b) payload: deleting IPsec State #4<br>
Oct 17 13:58:27.398194: "L2TPD-PSK"[2] 1.2.3.4 #4: deleting
other state #4 (STATE_QUICK_R2) aged 4.233s and sending
notification<br>
Oct 17 13:58:27.398228: "L2TPD-PSK"[2] 1.2.3.4 #4: ESP traffic
information: in=0B out=0B<br>
Oct 17 13:58:35.163934: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer
proposed: 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701<br>
Oct 17 13:58:35.164036: "L2TPD-PSK"[2] 1.2.3.4 #1:
NAT-Traversal: received 2 NAT-OA. Using first; ignoring others<br>
Oct 17 13:58:35.164414: "L2TPD-PSK"[2] 1.2.3.4 #6: responding
to Quick Mode proposal {msgid:00000005}<br>
Oct 17 13:58:35.164485: "L2TPD-PSK"[2] 1.2.3.4 #6: us:
6.7.8.9:17/1701<br>
Oct 17 13:58:35.164549: "L2TPD-PSK"[2] 1.2.3.4 #6: them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24<br>
Oct 17 13:58:35.164844: "L2TPD-PSK"[2] 1.2.3.4 #6: keeping
refhim=0 during rekey<br>
Oct 17 13:58:35.165377: "L2TPD-PSK"[2] 1.2.3.4 #6:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2 transport mode {ESP/NAT=>0xdf8c3b8d
<0xc0ba362d xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:35.396346: "L2TPD-PSK"[2] 1.2.3.4 #6:
STATE_QUICK_R2: IPsec SA established transport mode
{ESP/NAT=>0xdf8c3b8d <0xc0ba362d
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28
NATD=1.2.3.4:4500 DPD=unsupported}<br>
Oct 17 13:58:35.398667: "L2TPD-PSK"[2] 1.2.3.4 #1: received
Delete SA(0x1728294a) payload: deleting IPsec State #5<br>
Oct 17 13:58:35.398752: "L2TPD-PSK"[2] 1.2.3.4 #5: deleting
other state #5 (STATE_QUICK_R2) aged 8.234s and sending
notification<br>
Oct 17 13:58:35.398869: "L2TPD-PSK"[2] 1.2.3.4 #5: ESP traffic
information: in=0B out=0B<br>
Oct 17 13:58:38.725287: "L2TPD-PSK"[2] 1.2.3.4 #1: received
Delete SA(0xdf8c3b8d) payload: deleting IPsec State #6<br>
Oct 17 13:58:38.725373: "L2TPD-PSK"[2] 1.2.3.4 #6: deleting
other state #6 (STATE_QUICK_R2) aged 3.561s and sending
notification<br>
Oct 17 13:58:38.725480: "L2TPD-PSK"[2] 1.2.3.4 #6: ESP traffic
information: in=0B out=0B<br>
Oct 17 13:58:38.751378: "L2TPD-PSK" #1: deleting state
(STATE_MAIN_R3) aged 19.522s and sending notification<br>
Oct 17 13:58:38.751619: "L2TPD-PSK"[2] 1.2.3.4: deleting
connection "L2TPD-PSK"[2] 1.2.3.4 instance with peer 1.2.3.4
{isakmp=#0/ipsec=#0}<br>
</font></font></p>
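<p><font size="+1"><font face="Helvetica, Arial, sans-serif">Added example (not part of the post, and not Libreswan code): a short Python triage script for pluto records like the ones quoted above. It counts the IPsec SAs that reach STATE_QUICK_R2 and those that are then deleted with in=0B out=0B, which is the pattern the Windows log shows, as distinct from an IKE negotiation that never completes. The sample records are excerpted from the two logs in the post; the regexes and the verdict wording are assumptions of this example.</font></font></p>

```python
import re

# Matches pluto records such as:
#   Oct 17 13:58:20.206460: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established ...
LINE_RE = re.compile(r'^\w{3} +\d+ [\d:.]+: "[^"]+"(?:\[\d+\] \S+)? #(?P<state>\d+): (?P<msg>.*)$')
ESP_RE = re.compile(r'ESP traffic information: in=(?P<in>\d+)B out=(?P<out>\d+)B')

def triage(lines):
    """Summarise the IPsec (child) SA lifecycle in a pluto log excerpt: SAs that
    reached STATE_QUICK_R2, how many were torn down with 0 ESP bytes both ways,
    and whether the peer advertised DPD (None if no SA line said either way)."""
    established, idle_teardowns, peer_dpd = set(), set(), None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # debug hex dumps and other non-record lines
        state, msg = int(m['state']), m['msg']
        if 'IPsec SA established' in msg:  # ISAKMP SA lines do not match this
            established.add(state)
            if 'DPD=unsupported' in msg:
                peer_dpd = False
            elif 'DPD=active' in msg:
                peer_dpd = True
        e = ESP_RE.search(msg)
        if e and state in established and int(e['in']) == 0 and int(e['out']) == 0:
            idle_teardowns.add(state)
    return {'established': len(established), 'idle_teardowns': len(idle_teardowns),
            'peer_dpd': peer_dpd}

def verdict(summary):
    """Turn the counts into the next thing a responder should look at (wording is ours)."""
    if summary['established'] == 0:
        return 'no IPsec SA established: the problem is in IKE (PSK, proposals, NAT-T)'
    if summary['idle_teardowns'] == summary['established']:
        return ('every IPsec SA completed but was deleted with 0 bytes of ESP: '
                'IKE is fine, look at the L2TP/UDP 1701 path through the NAT')
    return 'IPsec SAs established and carrying traffic'

# Records excerpted from the Windows 7 log above, each re-joined onto one line.
WINDOWS_LOG = """\
Oct 17 13:58:19.709925: "L2TPD-PSK"[2] 1.2.3.4 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=DH20}
Oct 17 13:58:20.206460: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xd2f84fcd <0x3812889c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:20.438199: "L2TPD-PSK"[2] 1.2.3.4 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x1eeea96c <0x321e2207 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:20.440351: "L2TPD-PSK"[2] 1.2.3.4 #2: ESP traffic information: in=0B out=0B
Oct 17 13:58:23.399587: "L2TPD-PSK"[2] 1.2.3.4 #3: ESP traffic information: in=0B out=0B
""".splitlines()

# Record excerpted from the Android log above, for contrast.
ANDROID_LOG = ['Oct 17 14:06:37.978259: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x00a00064 <0xa8646d52 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=1.2.3.4:4500 DPD=active}']
```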
</body>
</html>