Host A has the IP 192.168.10.50
Host B has the IP 10.253.24.150
/usr/local/etc/mpd5/mpd.conf
Code:
startup:
# configure mpd users (admin login for the console and web UI; change this password)
set user super superpw admin
# configure the console (bound to loopback only)
set console self 127.0.0.1 5005
set console open
# configure the web server (0.0.0.0 binds on every interface, including the public one)
set web self 0.0.0.0 5006
set web open

default:
load l2tp_server

l2tp_server:
# Define dynamic IP address pool for L2TP clients.
set ippool add pool_l2tp 192.168.10.50 192.168.10.100
# Create clonable bundle template named B_l2tp
create bundle template B_l2tp
# Answer ARP for client addresses so hosts on 192.168.10.0/24 can reach them
set iface enable proxy-arp
# Clamp TCP MSS to avoid fragmentation inside the tunnel
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
set ipcp ranges 192.168.10.0/24 ippool pool_l2tp
# DNS server handed to clients (Host B)
set ipcp dns 10.253.24.150
/etc/sysctl.conf
Code:
# forward packets between the VPN clients and the LAN (IPv4 and IPv6)
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
/var/log/racoon.log (xxx.xxx.xxx.xxx is the IP of the VPN server; yyy.yyy.yyy.yyy is the NAT'ed IP of the client)
Code:
2012-06-25 10:01:31: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
2012-06-25 10:01:31: INFO: begin Identity Protection mode.
2012-06-25 10:01:31: INFO: received Vendor ID: RFC 3947
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-25 10:01:31: INFO: received Vendor ID: DPD
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
2012-06-25 10:01:31: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
2012-06-25 10:01:31: INFO: NAT-D payload #0 verified
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2
2012-06-25 10:01:31: INFO: NAT-D payload #1 doesn't match
2012-06-25 10:01:31: INFO: NAT detected: PEER
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2
2012-06-25 10:01:31: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
2012-06-25 10:01:31: INFO: Adding remote and local NAT-D payloads.
2012-06-25 10:01:31: INFO: NAT-T: ports changed to: yyy.yyy.yyy.yyy[4500]<->xxx.xxx.xxx.xxx[4500]
2012-06-25 10:01:31: INFO: KA list add: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: received INITIAL-CONTACT
2012-06-25 10:01:31: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:01:32: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>yyy.yyy.yyy.yyy[4500]
2012-06-25 10:01:32: INFO: Adjusting my encmode UDP-Transport->Transport
2012-06-25 10:01:32: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=135798551(0x8181f17)
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=195887997(0xbad037d)
2012-06-25 10:02:47: INFO: purged IPsec-SA proto_id=ESP spi=195887997.
2012-06-25 10:02:47: INFO: purging ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: purged IPsec-SA spi=135798551.
2012-06-25 10:02:47: INFO: purged ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: ISAKMP-SA deleted xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:02:47: INFO: KA remove: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]
2012-06-25 10:02:47: ERROR: no configuration found for yyy.yyy.yyy.yyy.
2012-06-25 10:02:47: ERROR: failed to begin ipsec sa negotiation.
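The racoon log above shows the sequence a practitioner wants to confirm before blaming IKE: phase 1 completes, NAT-T detects the peer behind NAT and moves to UDP/4500, phase 2 brings up two ESP SAs, and everything is torn down 76 seconds later. The following parser is an added example, not code from the original post or from racoon/mpd; it extracts that lifecycle from racoon(8) log lines and turns it into findings. The sample log is constructed to mirror the post's log, with the documentation addresses 192.0.2.1 (VPN server) and 198.51.100.7 (NAT'ed client) standing in for xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy.

```python
"""Summarize one IKE/IPsec session from racoon(8) log lines.

Added example, not from the original post. SAMPLE_LOG is constructed to
mirror the post's racoon.log, with 192.0.2.1 (VPN server) and
198.51.100.7 (NAT'ed client) standing in for the redacted addresses.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
2012-06-25 10:01:31: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.7[500]
2012-06-25 10:01:31: INFO: begin Identity Protection mode.
2012-06-25 10:01:31: INFO: received Vendor ID: RFC 3947
2012-06-25 10:01:31: [198.51.100.7] INFO: Selected NAT-T version: RFC 3947
2012-06-25 10:01:31: INFO: NAT-D payload #0 verified
2012-06-25 10:01:31: INFO: NAT-D payload #1 doesn't match
2012-06-25 10:01:31: INFO: NAT detected: PEER
2012-06-25 10:01:31: INFO: NAT-T: ports changed to: 198.51.100.7[4500]<->192.0.2.1[4500]
2012-06-25 10:01:31: INFO: ISAKMP-SA established 192.0.2.1[4500]-198.51.100.7[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:01:32: INFO: respond new phase 2 negotiation: 192.0.2.1[4500]<=>198.51.100.7[4500]
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport 192.0.2.1[500]->198.51.100.7[500] spi=135798551(0x8181f17)
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport 192.0.2.1[500]->198.51.100.7[500] spi=195887997(0xbad037d)
2012-06-25 10:02:47: INFO: purged IPsec-SA proto_id=ESP spi=195887997.
2012-06-25 10:02:47: INFO: purging ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: purged IPsec-SA spi=135798551.
2012-06-25 10:02:47: INFO: purged ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: ISAKMP-SA deleted 192.0.2.1[4500]-198.51.100.7[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:02:47: ERROR: no configuration found for 198.51.100.7.
2012-06-25 10:02:47: ERROR: failed to begin ipsec sa negotiation.
"""

# Common prefix: timestamp, then the optional "[peer-ip] " tag racoon adds to some lines.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?:\[[^\]]+\] )?"
PATTERNS = {
    "phase1_start": re.compile(TS + r"INFO: respond new phase 1 negotiation: (?P<local>[^\[]+)\[\d+\]<=>(?P<peer>[^\[]+)\[\d+\]$"),
    "nat_detected": re.compile(TS + r"INFO: NAT detected: (?P<where>\S+)$"),
    "natt_ports": re.compile(TS + r"INFO: NAT-T: ports changed to: (?P<peer>[^\[]+)\[(?P<pport>\d+)\]<->(?P<local>[^\[]+)\[(?P<lport>\d+)\]$"),
    "isakmp_up": re.compile(TS + r"INFO: ISAKMP-SA established (?P<local>[^\[]+)\[\d+\]-(?P<peer>[^\[]+)\[\d+\] spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)$"),
    "ipsec_up": re.compile(TS + r"INFO: IPsec-SA established: (?P<proto>[A-Z]+)/(?P<mode>\w+) .* spi=(?P<spi>\d+)\("),
    "ipsec_purged": re.compile(TS + r"INFO: purged IPsec-SA (?:proto_id=\w+ )?spi=(?P<spi>\d+)\.$"),
    "isakmp_deleted": re.compile(TS + r"INFO: ISAKMP-SA deleted .* spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)$"),
    "error": re.compile(TS + r"ERROR: (?P<msg>.*)$"),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def analyze(log_text, short_lived_s=300):
    """Return a dict describing the session plus human-readable findings."""
    s = {"peer": None, "nat": None, "natt_port": None, "isakmp_spi": None,
         "isakmp_up": None, "isakmp_down": None, "isakmp_lifetime_s": None,
         "ipsec_up": [], "ipsec_purged": [], "errors": [], "findings": []}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.match(line.rstrip())
            if not m:
                continue
            if name == "phase1_start":
                s["peer"] = m.group("peer")
            elif name == "nat_detected":
                s["nat"] = m.group("where")            # LOCAL, PEER, or both
            elif name == "natt_ports":
                s["natt_port"] = int(m.group("lport"))  # 4500 once NAT-T is in effect
            elif name == "isakmp_up":
                s["isakmp_spi"], s["isakmp_up"] = m.group("spi"), _ts(m.group("ts"))
            elif name == "ipsec_up":
                s["ipsec_up"].append(m.group("spi"))
            elif name == "ipsec_purged":
                s["ipsec_purged"].append(m.group("spi"))
            elif name == "isakmp_deleted":
                s["isakmp_down"] = _ts(m.group("ts"))
            elif name == "error":
                s["errors"].append(m.group("msg"))
            break

    f = s["findings"]
    if s["isakmp_up"] and s["isakmp_down"]:
        life = int((s["isakmp_down"] - s["isakmp_up"]).total_seconds())
        s["isakmp_lifetime_s"] = life
        if life < short_lived_s:
            f.append(f"ISAKMP-SA with {s['peer']} lasted only {life}s after phase 1 and "
                     f"phase 2 both completed: authentication and proposals are fine, "
                     f"so look at what happens to traffic once the SAs exist")
    if s["nat"] == "PEER" and s["natt_port"] == 4500:
        f.append("peer is behind NAT and NAT-T moved IKE/ESP to UDP/4500: the firewall in "
                 "front of the server must pass UDP/500 and UDP/4500; L2TP (UDP/1701) "
                 "then travels inside the ESP-in-UDP tunnel")
    missing = sorted(set(s["ipsec_up"]) - set(s["ipsec_purged"]))
    if missing:
        f.append(f"IPsec-SA(s) {missing} established but never purged (still up, or log truncated)")
    if any(msg.startswith("no configuration found for") for msg in s["errors"]):
        f.append("racoon matched no remote{} section for the peer on a later negotiation "
                 "attempt; verify the remote/anonymous block in racoon.conf")
    return s


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print("-", line)
```

Feed it `tail -f /var/log/racoon.log` output, or the whole file, and read the findings together with the firewall log: a short-lived session whose phase 1 and phase 2 both succeeded, as here, points past IKE to whatever sits between the SAs and the L2TP traffic they carry.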
I solved it. It was a firewall problem. I found it while I had all logging enabled on the firewall. The guy who is responsible for the firewall didn't see it. Sorry.
Thanks for your help. Have a nice day.
Cheers Daniel