nightradio
01-23-2013 12:28 AM
Openswan+xl2tpd VPN xl2tpd failure
I'm having some problems getting a VPN set up; hopefully someone will be able to help me figure out what I'm missing.
Currently I'm trying to set up a 'roadwarrior' config: because I can't be certain what the remote IP will be, I need to allow it to connect to the VPN from anywhere.
The host server has a public IP, the remote computer is expected to be behind a router presumably with NAT.
To clarify, the IPSec connection is negotiated successfully, but the connection is terminated abruptly after that, without any type of authentication negotiation happening.
Additional Info:
My home network, from where I've done the majority of my testing, is behind a dd-wrt router, on which I have enabled IPSec and L2TP pass-through, so there shouldn't be any problems there. I've also tried connecting from my phone while on a 3G connection, and I've also tried from two other outside networks, both work and school. The logs are all pretty much identical, and fail during Phase 2 negotiation.
Tested Clients:
OSX 10.8
Windows 7
Android 4.2.1
If I've left any information out, please feel free to let me know, I'll be happy to provide anything else I can to help diagnose this.
Code:
##
# HOST
# /etc/ipsec.conf - Openswan IPsec configuration file
##
# basic configuration
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.0.0.0/24
oe=off
protostack=netkey
# Add connections here
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PST-noNAT
conn L2TP-PST-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=A.B.C.D
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
# rightsubnet=vhost:%no,%priv
dpddelay=40
dpdtimeout=130
dpdaction=clear
forceencaps=yes
conn passthrough-for-non-l2tp
type=passthrough
left=A.B.C.D
leftnexthop=0.0.0.0
right=%any
rightsubnet=0.0.0.0/0
auto=route
Code:
##
# HOST
# /etc/xl2tpd/xl2tpd.conf
##
; [global] ; Global parameters:
port = 1701 ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets ; * Where our challenge secrets are
;access control = no ; * Refuse connections without IP match
; rand source = dev ; Source for entropy for random
listen-addr=A.B.C.D
ipsec saref=no
; [lns default] ; Our fallthrough LNS definition
exclusive = no ; * Only permit one tunnel per host
ip range = 10.0.0.100-10.0.0.125 ; * Allocate from this IP range
local ip = 10.0.0.1 ; * Our local IP to use
assign ip = yes
length bit = yes ; * Use length bit in payload?
;require chap = yes ; * Require CHAP auth. by peer
refuse pap = yes ; * Refuse PAP authentication
refuse chap = yes ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
require authentication = yes ; * Require peer to authenticate
; unix authentication = no ; * Use /etc/passwd for auth.
name = VPN-Server ; * Report this as our hostname
ppp debug = yes ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.xl2tpd ; * ppp options file
Code:
##
# HOST
# /etc/ppp/options.xl2tpd
##
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
#idle 1800
mtu 1200
mru 1200
#nodefaultroute
#debug
#connect-delay 5000
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name VPN-Server
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Code:
##
# HOST
# /etc/ppp/chap-secrets
##
# Secrets for authentication using CHAP
# user server secret IP addresses
test VPN-Server testkey *
Code:
##
# HOST
# /etc/ipsec.secrets
##
# host remote authtype password
A.B.C.D %any: PSK "testpassword"
Code:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K2.6.39.1-linode34 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Code:
##
# BEGIN DEBUG LOGS
#
# A.B.C.D = Host IP.
# IP is static, non-NAT, publicly accessible
#
# W.X.Y.Z = Remote IP
# IP is dynamic, probably public IP for NAT that remote is behind
#
# J.K.L.M = Remote private IP
# IP dynamic, private IP for W.X.Y.Z NAT
# In this particular case, internal DHCP ip address was 192.168.1.139
##
Code:
##
# HOST
#/var/log/auth.log
##
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: 'J.K.L.M'
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> J.K.L.M/32:17/0
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:a6edd0d8}
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: them: W.X.Y.Z[J.K.L.M,+S=C]:17/56328===J.K.L.M/32
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x02c80f61 <0xdd771b05 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x02c80f61) payload: deleting IPSEC State #2
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Jan 21 14:29:03 HOST pluto[2141]: packet from W.X.Y.Z:4500: received and ignored informational message
Jan 21 14:34:10 HOST pluto[2141]: | no connection found
Jan 21 14:34:12 HOST pluto[2141]: | no connection found
Jan 21 14:34:15 HOST pluto[2141]: | no connection found
Code:
##
# REMOTE
# /var/log/system.log
##
Jan 22 18:34:59 REMOTE configd[17]: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
Jan 22 18:34:59 REMOTE pppd[45193]: pppd 2.4.2 (Apple version 596.13) started by USER, uid 501
Jan 22 18:34:59 REMOTE pppd[45193]: L2TP connecting to server 'HOST' (A.B.C.D)...
Jan 22 18:34:59 REMOTE pppd[45193]: IPSec connection started
Jan 22 18:34:59 REMOTE racoon[45194]: Connecting.
Jan 22 18:34:59 REMOTE racoon[45194]: IPSec Phase1 started (Initiated by me).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Jan 22 18:34:59 REMOTE racoon[45194]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Jan 22 18:34:59 REMOTE racoon[45194]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Jan 22 18:34:59 REMOTE racoon[45194]: IPSec Phase1 established (Initiated by me).
Jan 22 18:35:00 REMOTE racoon[45194]: IPSec Phase2 started (Initiated by me).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Jan 22 18:35:00 REMOTE racoon[45194]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Jan 22 18:35:00 REMOTE racoon[45194]: IPSec Phase2 established (Initiated by me).
Jan 22 18:35:00 REMOTE pppd[45193]: IPSec connection established
Jan 22 18:35:20 REMOTE pppd[45193]: L2TP cannot connect to the server
Jan 22 18:35:20 REMOTE racoon[45194]: IPSec disconnecting from server A.B.C.D
Jan 22 18:35:20 REMOTE racoon[45194]: IKE Packet: transmit success. (Information message).
Jan 22 18:35:20 REMOTE racoon[45194]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Jan 22 18:35:20 REMOTE racoon[45194]: IKE Packet: transmit success. (Information message).
Jan 22 18:35:20 REMOTE racoon[45194]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
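An added diagnostic that is not part of the original post and is not code from the Openswan or xl2tpd projects. It reads the responder-side pluto log from the post and works out how far the negotiation got (Phase 1, Phase 2, then a peer-initiated Delete SA roughly 20 seconds later with no L2TP activity in between, which points above IPsec, at xl2tpd or UDP 1701, rather than at IKE), and it runs a section check over the posted xl2tpd.conf: xl2tpd's config parser refuses any keyword that appears before a `[global]`, `[lns ...]` or `[lac ...]` header, and in the posted file both `[global]` and `[lns default]` are still commented out with `;`. The sample log and config below are constructed excerpts of what the post shows; the "l2tp" verdict rule and the `;`-only comment handling are this example's own assumptions.

```python
"""
Added diagnostic (not part of the original post, not Openswan/xl2tpd code):
classify the IKE outcome from a pluto log and lint an xl2tpd.conf for
settings that sit outside any [section] header.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an excerpt of the HOST /var/log/auth.log lines from the post.
SAMPLE_PLUTO_LOG = """\
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:a6edd0d8}
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x02c80f61 <0xdd771b05 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x02c80f61) payload: deleting IPSEC State #2
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
"""

# Constructed sample: the HOST /etc/xl2tpd/xl2tpd.conf from the post, abridged.
SAMPLE_XL2TPD_CONF = """\
; [global] ; Global parameters:
port = 1701 ; * Bind to port 1701
listen-addr=A.B.C.D
; [lns default] ; Our fallthrough LNS definition
ip range = 10.0.0.100-10.0.0.125 ; * Allocate from this IP range
local ip = 10.0.0.1 ; * Our local IP to use
"""

# syslog prefix as written by pluto: "Mon DD HH:MM:SS host pluto[pid]: message"
PLUTO_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$")


def _seconds(ts: str) -> int:
    # "Jan 21 14:28:41" -> seconds since midnight; enough for one handshake.
    hh, mm, ss = ts.split()[2].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


@dataclass
class IkeOutcome:
    isakmp_sa: bool = False              # Phase 1 (Main Mode) completed
    ipsec_sa: bool = False               # Phase 2 (Quick Mode) completed
    deleted_after: Optional[int] = None  # seconds from IPsec SA up to peer's Delete SA
    verdict: str = ""                    # "phase1", "phase2", "l2tp" or "ok"


def ike_outcome(log_text: str) -> IkeOutcome:
    """Walk the responder's pluto log and say where the session stopped."""
    out = IkeOutcome()
    sa_up_at = None
    for line in log_text.splitlines():
        m = PLUTO_LINE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        if "ISAKMP SA established" in msg:
            out.isakmp_sa = True
        elif "IPsec SA established" in msg:
            out.ipsec_sa = True
            sa_up_at = _seconds(ts)
        elif "received Delete SA" in msg and "IPSEC State" in msg and sa_up_at is not None:
            out.deleted_after = _seconds(ts) - sa_up_at
    if not out.isakmp_sa:
        out.verdict = "phase1"
    elif not out.ipsec_sa:
        out.verdict = "phase2"
    elif out.deleted_after is not None:
        # Assumption of this example: IPsec came up and the peer tore it down
        # again, so the failure lies above IPsec (xl2tpd, UDP 1701, PPP).
        out.verdict = "l2tp"
    else:
        out.verdict = "ok"
    return out


def xl2tpd_conf_problems(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, keyword) for every setting that precedes any [section] header.

    Mirrors xl2tpd's rule that configuration data needs a section context;
    only ';' comments are handled, as in the posted file (assumption).
    """
    problems = []
    section = None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue                      # blank or fully commented, e.g. "; [global]"
        if line.startswith("["):
            section = line
            continue
        if section is None:
            problems.append((no, line.split("=", 1)[0].strip()))
    return problems


if __name__ == "__main__":
    print(ike_outcome(SAMPLE_PLUTO_LOG))
    for no, key in xl2tpd_conf_problems(SAMPLE_XL2TPD_CONF):
        print(f"xl2tpd.conf line {no}: '{key}' is outside any [section]")
```

Run against the excerpts, the log classifier reports both SAs established and a Delete SA 20 seconds after the IPsec SA came up, and the config check lists every uncommented keyword in the posted xl2tpd.conf as sitting outside a section. A quick confirmation on the host itself is whether xl2tpd is actually listening on UDP 1701 after a restart, since a config that fails to parse leaves nothing behind the established IPsec transport.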