LinuxQuestions.org - Linux - Networking
Openswan+xl2tpd VPN xl2tpd failure (https://www.linuxquestions.org/questions/linux-networking-3/openswan-xl2tpd-vpn-xl2tpd-failure-4175446842/)

nightradio 01-23-2013 12:28 AM

Openswan+xl2tpd VPN xl2tpd failure
 
I'm having some problems getting a VPN set up, hopefully someone will be able help me figure out what I'm missing.

Currently I'm trying to set up a 'roadwarrior' config; because I can't be certain what the remote IP will be, I need to allow it to connect to the VPN from anywhere.

The host server has a public IP; the remote computer is expected to be behind a router, presumably with NAT.

To clarify, the IPSec connection is negotiated successfully, but the connection is terminated abruptly after that, without any type of authentication negotiation happening.

Additional Info:
My home network, from where I've done the majority of my testing, is behind a dd-wrt router, on which I have enabled IPSec and L2TP pass-through, so there shouldn't be any problems there. I've also tried connecting from my phone while having a 3G connection, and I've also tried from two other outside networks, both work and school. The logs are all pretty much identical, and fail during Phase 2 negotiation.

Tested Clients:
OSX 10.8
Windows 7
Android 4.2.1

If I've left any information out, please feel free to let me know; I'll be happy to provide anything else I can to help diagnose this.

Code:

##
# HOST
# /etc/ipsec.conf - Openswan IPsec configuration file
##

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.0.0.0/24
        oe=off
        protostack=netkey

# Add connections here
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PST-noNAT

conn L2TP-PST-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=A.B.C.D
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
#        rightsubnet=vhost:%no,%priv
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear
        forceencaps=yes

conn passthrough-for-non-l2tp
        type=passthrough
        left=A.B.C.D
        leftnexthop=0.0.0.0
        right=%any
        rightsubnet=0.0.0.0/0
        auto=route

Code:

##
# HOST
# /etc/xl2tpd/xl2tpd.conf
##
; [global]                                  ; Global parameters:
port = 1701                                 ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets        ; * Where our challenge secrets are
;access control = no                        ; * Refuse connections without IP match
; rand source = dev                         ; Source for entropy for random
listen-addr=A.B.C.D
ipsec saref=no

; [lns default]                             ; Our fallthrough LNS definition
exclusive = no                              ; * Only permit one tunnel per host
ip range = 10.0.0.100-10.0.0.125            ; * Allocate from this IP range
local ip = 10.0.0.1                         ; * Our local IP to use
assign ip = yes
length bit = yes                            ; * Use length bit in payload?
;require chap = yes                         ; * Require CHAP auth. by peer
refuse pap = yes                            ; * Refuse PAP authentication
refuse chap = yes                           ; * Refuse CHAP authentication
; refuse authentication = no                ; * Refuse authentication altogether
require authentication = yes                ; * Require peer to authenticate
; unix authentication = no                  ; * Use /etc/passwd for auth.
name = VPN-Server                           ; * Report this as our hostname
ppp debug = yes                             ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.xl2tpd        ; * ppp options file

Code:

##
# HOST
# /etc/ppp/options.xl2tpd
##

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
#idle 1800
mtu 1200
mru 1200
#nodefaultroute
#debug
#connect-delay 5000
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name VPN-Server
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

Code:

##
# HOST
# /etc/ppp/chap-secrets
##

# Secrets for authentication using CHAP
# user        server          secret          IP addresses
test          VPN-Server      testkey         *

Code:

##
# HOST
# /etc/ipsec.secrets
##
# host        remote        authtype        password
A.B.C.D       %any:         PSK             "testpassword"

Code:

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                            [OK]
Linux Openswan U2.6.38/K2.6.39.1-linode34 (netkey)
Checking for IPsec support in kernel                                        [OK]
 SAref kernel support                                                              [N/A]
 NETKEY:  Testing XFRM related proc values                          [OK]
                                                [OK]
                                                [OK]
Checking that pluto is running                                              [OK]
 Pluto listening for IKE on udp 500                                        [OK]
 Pluto listening for NAT-T on udp 4500                                      [OK]
Two or more interfaces found, checking IP forwarding                [FAILED]
Checking NAT and MASQUERADEing                                              [OK]
Checking for 'ip' command                                                  [OK]
Checking /bin/sh is not /bin/dash                                          [WARNING]
Checking for 'iptables' command                                            [OK]
Opportunistic Encryption Support                                    [DISABLED]

Code:

##
# BEGIN DEBUG LOGS
#
# A.B.C.D = Host IP.
#        IP is static, non-NAT, publicly accessible
#
# W.X.Y.Z = Remote IP
#        IP is dynamic, probably public IP for NAT that remote is behind
#
# J.K.L.M = Remote private IP
#        IP dynamic, private IP for W.X.Y.Z NAT
#        In this particular case, internal DHCP ip address was 192.168.1.139
##

Code:

##
# HOST
#/var/log/auth.log
##

Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: 'J.K.L.M'
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> J.K.L.M/32:17/0
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:a6edd0d8}
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:    us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:  them: W.X.Y.Z[J.K.L.M,+S=C]:17/56328===J.K.L.M/32
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x02c80f61 <0xdd771b05 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x02c80f61) payload: deleting IPSEC State #2
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Jan 21 14:29:03 HOST pluto[2141]: packet from W.X.Y.Z:4500: received and ignored informational message
Jan 21 14:34:10 HOST pluto[2141]: | no connection found
Jan 21 14:34:12 HOST pluto[2141]: | no connection found
Jan 21 14:34:15 HOST pluto[2141]: | no connection found

Code:

##
# REMOTE
# /var/log/system.log
##

Jan 22 18:34:59 REMOTE configd[17]: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
Jan 22 18:34:59 REMOTE pppd[45193]: pppd 2.4.2 (Apple version 596.13) started by USER, uid 501
Jan 22 18:34:59 REMOTE pppd[45193]: L2TP connecting to server 'HOST' (A.B.C.D)...
Jan 22 18:34:59 REMOTE pppd[45193]: IPSec connection started
Jan 22 18:34:59 REMOTE racoon[45194]: Connecting.
Jan 22 18:34:59 REMOTE racoon[45194]: IPSec Phase1 started (Initiated by me).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Jan 22 18:34:59 REMOTE racoon[45194]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Jan 22 18:34:59 REMOTE racoon[45194]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Jan 22 18:34:59 REMOTE racoon[45194]: IPSec Phase1 established (Initiated by me).
Jan 22 18:35:00 REMOTE racoon[45194]: IPSec Phase2 started (Initiated by me).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Jan 22 18:35:00 REMOTE racoon[45194]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Jan 22 18:35:00 REMOTE racoon[45194]: IPSec Phase2 established (Initiated by me).
Jan 22 18:35:00 REMOTE pppd[45193]: IPSec connection established
Jan 22 18:35:20 REMOTE pppd[45193]: L2TP cannot connect to the server
Jan 22 18:35:20 REMOTE racoon[45194]: IPSec disconnecting from server A.B.C.D
Jan 22 18:35:20 REMOTE racoon[45194]: IKE Packet: transmit success. (Information message).
Jan 22 18:35:20 REMOTE racoon[45194]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Jan 22 18:35:20 REMOTE racoon[45194]: IKE Packet: transmit success. (Information message).
Jan 22 18:35:20 REMOTE racoon[45194]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).


nightradio 01-23-2013 06:19 PM

Well, after endless hours of troubleshooting, launching xl2tpd in debug mode (xl2tpd -D) helped me track down the typo issues preventing the authentication negotiation from taking place. Mainly, [global] and [lns default] in xl2tpd.conf should not be commented out.
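A small checker, added here and not part of the thread or of xl2tpd itself, that catches the root cause nightradio found: it parses an xl2tpd.conf body, reports section headers hidden behind ';' and settings that precede any header, and applies the same fix (restoring the headers). The sample input is the posted config cut down to the relevant lines; the function names are my own.

```python
import re

# The host's xl2tpd.conf from the thread, cut down to the two section headers
# (still commented out, as posted) and a few of the settings meant for each.
POSTED_CONF = """\
; [global]                              ; Global parameters:
port = 1701                             ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets
listen-addr=A.B.C.D
; [lns default]                         ; Our fallthrough LNS definition
ip range = 10.0.0.100-10.0.0.125
local ip = 10.0.0.1
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
"""

HEADER_RE = re.compile(r"^\[(.+?)\]")
COMMENTED_HEADER_RE = re.compile(r"^;\s*\[(.+?)\]")


def lint_xl2tpd_conf(text):
    """Parse an xl2tpd.conf body into {section: {key: value}} and list findings:
    headers disabled with ';' and settings that sit before any [section] header."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = COMMENTED_HEADER_RE.match(line)
        if m:
            problems.append(f"line {lineno}: header [{m.group(1)}] is commented out")
            continue
        if line[0] == ";":
            continue                       # ordinary comment line
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        body = line.split(";", 1)[0].strip()   # drop a trailing "; comment"
        key, _, value = (part.strip() for part in body.partition("="))
        if current is None:
            problems.append(f"line {lineno}: '{key}' precedes any [section] header")
            continue
        sections[current][key] = value
    return sections, problems


def uncomment_section_headers(text):
    """Apply the thread's fix: restore [section] headers that were disabled with ';'."""
    return re.sub(r"(?m)^;\s*(\[.+?\])", r"\1", text)
```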

