LinuxQuestions.org
Old 01-23-2013, 01:28 AM   #1
nightradio
LQ Newbie
 
Registered: Jan 2013
Posts: 2

Rep: Reputation: Disabled
Openswan+xl2tpd VPN xl2tpd failure


I'm having some problems getting a VPN set up; hopefully someone will be able to help me figure out what I'm missing.

Currently I'm trying to set up a 'roadwarrior' config: because I can't be certain what the remote IP will be, I need to allow it to connect to the VPN from anywhere.

The host server has a public IP; the remote computer is expected to be behind a router, presumably with NAT.

To clarify, the IPSec connection is negotiated successfully, but the connection is terminated abruptly after that, without any type of authentication negotiation happening.

Additional Info:
My home network, from where I've done the majority of my testing, is behind a dd-wrt router on which I have enabled IPSec and L2TP pass-through, so there shouldn't be any problems there. I've also tried connecting from my phone over a 3G connection, and from two other outside networks, both work and school. The logs are all pretty much identical, and fail during Phase 2 negotiation.

Tested Clients:
OSX 10.8
Windows 7
Android 4.2.1

If I've left any information out, please feel free to let me know; I'll be happy to provide anything else I can to help diagnose this.

Code:
##
# HOST
# /etc/ipsec.conf - Openswan IPsec configuration file
##

# basic configuration
config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.0.0.0/24
	oe=off
	protostack=netkey

# Add connections here
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PST-noNAT

conn L2TP-PST-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=A.B.C.D
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
#	rightsubnet=vhost:%no,%priv
	dpddelay=40
	dpdtimeout=130
	dpdaction=clear
	forceencaps=yes

conn passthrough-for-non-l2tp
	type=passthrough
	left=A.B.C.D
	leftnexthop=0.0.0.0
	right=%any
	rightsubnet=0.0.0.0/0
	auto=route
Code:
##
# HOST
# /etc/xl2tpd/xl2tpd.conf
##
; [global]								; Global parameters:
port = 1701						 	; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets 	; * Where our challenge secrets are
;access control = no					; * Refuse connections without IP match
; rand source = dev                     ; Source for entropy for random
listen-addr=A.B.C.D
ipsec saref=no

; [lns default]							; Our fallthrough LNS definition
exclusive = no						; * Only permit one tunnel per host
ip range = 10.0.0.100-10.0.0.125	; * Allocate from this IP range
local ip = 10.0.0.1				; * Our local IP to use
assign ip = yes
length bit = yes						; * Use length bit in payload?
;require chap = yes					; * Require CHAP auth. by peer
refuse pap = yes						; * Refuse PAP authentication
refuse chap = yes						; * Refuse CHAP authentication
; refuse authentication = no			; * Refuse authentication altogether
require authentication = yes			; * Require peer to authenticate
; unix authentication = no				; * Use /etc/passwd for auth.
name = VPN-Server						; * Report this as our hostname
ppp debug = yes						; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.xl2tpd	; * ppp options file
Code:
##
# HOST
# /etc/ppp/options.xl2tpd
##		

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
#idle 1800
mtu 1200
mru 1200
#nodefaultroute
#debug
#connect-delay 5000
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name VPN-Server
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
Code:
##
# HOST
# /etc/ppp/chap-secrets
##

# Secrets for authentication using CHAP
# user	server	                     secret			IP addresses
      test	VPN-Server	testkey		      *
Code:
##
# HOST
# /etc/ipsec.secrets
##
# host 	remote  	authtype		    password
A.B.C.D 	%any: 	PSK 		"testpassword"
Code:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             		[OK]
Linux Openswan U2.6.38/K2.6.39.1-linode34 (netkey)
Checking for IPsec support in kernel                        		[OK]
 SAref kernel support                                       			[N/A]
 NETKEY:  Testing XFRM related proc values                  	[OK]
						[OK]
						[OK]
Checking that pluto is running                              		[OK]
 Pluto listening for IKE on udp 500                         		[OK]
 Pluto listening for NAT-T on udp 4500                      		[OK]
Two or more interfaces found, checking IP forwarding        	[FAILED]
Checking NAT and MASQUERADEing                              		[OK]
Checking for 'ip' command                                   		[OK]
Checking /bin/sh is not /bin/dash                           		[WARNING]
Checking for 'iptables' command                             		[OK]
Opportunistic Encryption Support                            	[DISABLED]
Code:
##
# BEGIN DEBUG LOGS
# 
# A.B.C.D = Host IP.
# 	IP is static, non-NAT, publically accessible
#
# W.X.Y.Z = Remote IP
#	IP is dynamic, probably public IP for NAT that remote is behind
#
# J.K.L.M = Remote private IP
#	IP dynamic, private IP for W.X.Y.Z NAT
#	In this particular case, internal DHCP ip address was 192.168.1.139
##
Code:
##
# HOST 
#/var/log/auth.log
##

Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=109 
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jan 21 14:28:41 HOST pluto[2141]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 21 14:28:41 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: 'J.K.L.M'
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 14:28:42 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> J.K.L.M/32:17/0
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:a6edd0d8}
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:   them: W.X.Y.Z[J.K.L.M,+S=C]:17/56328===J.K.L.M/32
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 14:28:43 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x02c80f61 <0xdd771b05 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x02c80f61) payload: deleting IPSEC State #2
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Jan 21 14:29:03 HOST pluto[2141]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Jan 21 14:29:03 HOST pluto[2141]: packet from W.X.Y.Z:4500: received and ignored informational message
Jan 21 14:34:10 HOST pluto[2141]: | no connection found 
Jan 21 14:34:12 HOST pluto[2141]: | no connection found 
Jan 21 14:34:15 HOST pluto[2141]: | no connection found
Code:
##
# REMOTE 
# /var/log/system.log
##

Jan 22 18:34:59 REMOTE configd[17]: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
Jan 22 18:34:59 REMOTE pppd[45193]: pppd 2.4.2 (Apple version 596.13) started by USER, uid 501
Jan 22 18:34:59 REMOTE pppd[45193]: L2TP connecting to server 'HOST' (A.B.C.D)...
Jan 22 18:34:59 REMOTE pppd[45193]: IPSec connection started
Jan 22 18:34:59 REMOTE racoon[45194]: Connecting.
Jan 22 18:34:59 REMOTE racoon[45194]: IPSec Phase1 started (Initiated by me).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Jan 22 18:34:59 REMOTE racoon[45194]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Jan 22 18:34:59 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Jan 22 18:34:59 REMOTE racoon[45194]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Jan 22 18:34:59 REMOTE racoon[45194]: IPSec Phase1 established (Initiated by me).
Jan 22 18:35:00 REMOTE racoon[45194]: IPSec Phase2 started (Initiated by me).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Jan 22 18:35:00 REMOTE racoon[45194]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Jan 22 18:35:00 REMOTE racoon[45194]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Jan 22 18:35:00 REMOTE racoon[45194]: IPSec Phase2 established (Initiated by me).
Jan 22 18:35:00 REMOTE pppd[45193]: IPSec connection established
Jan 22 18:35:20 REMOTE pppd[45193]: L2TP cannot connect to the server
Jan 22 18:35:20 REMOTE racoon[45194]: IPSec disconnecting from server A.B.C.D
Jan 22 18:35:20 REMOTE racoon[45194]: IKE Packet: transmit success. (Information message).
Jan 22 18:35:20 REMOTE racoon[45194]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Jan 22 18:35:20 REMOTE racoon[45194]: IKE Packet: transmit success. (Information message).
Jan 22 18:35:20 REMOTE racoon[45194]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

Last edited by nightradio; 01-23-2013 at 07:19 PM. Reason: typos, additional info
 
Old 01-23-2013, 07:19 PM   #2
nightradio
LQ Newbie
 
Registered: Jan 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
Well, after endless hours of troubleshooting, launching xl2tpd in debug mode (xl2tpd -D) helped me track down the typo issues preventing the authentication negotiation from taking place. Mainly, [global] and [lns default] in xl2tpd.conf should not be commented out.
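The mistake found in the reply above (section headers commented out, so every directive is orphaned) is easy to catch before starting the daemon. The following is an added example written for this thread, not code from xl2tpd or from the poster; it parses a constructed xl2tpd.conf using xl2tpd's conventions (';' comments, '[section]' headers, 'key = value' directives) and reports commented-out headers and directives that sit outside any live section.

```python
"""Lint an xl2tpd.conf for directives that have no enclosing [section].

Added example for this thread (not xl2tpd's own code). The sample config
below is constructed to reproduce the thread's bug: the [global] and
[lns default] headers are commented out with ';'.
"""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*=\s*(.*)$")
COMMENTED_SECTION_RE = re.compile(r"^\s*;\s*\[([^\]]+)\]")


def strip_comment(line):
    """Drop everything from the first ';' (xl2tpd's comment character)."""
    return line.split(";", 1)[0].rstrip()


def check_xl2tpd_conf(text):
    """Return (sections, problems).

    sections: names of live [section] headers in order of appearance.
    problems: (line number, message) for commented-out headers and for
              directives that appear before any live section header.
    """
    sections, problems, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = COMMENTED_SECTION_RE.match(raw)
        if m:
            problems.append((lineno, f"section header [{m.group(1)}] is commented out"))
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.append(current)
            continue
        m = DIRECTIVE_RE.match(line)
        if m and current is None:
            problems.append((lineno, f"directive '{m.group(1)}' appears before any [section]"))
    return sections, problems


# Constructed sample mirroring the broken file from the thread (placeholder IP).
BROKEN_CONF = """; [global]              ; Global parameters:
port = 1701             ; * Bind to port 1701
listen-addr = 192.0.2.10
; [lns default]         ; Our fallthrough LNS definition
ip range = 10.0.0.100-10.0.0.125
local ip = 10.0.0.1
"""

if __name__ == "__main__":
    for lineno, msg in check_xl2tpd_conf(BROKEN_CONF)[1]:
        print(f"line {lineno}: {msg}")
```

Uncommenting the two headers in the sample makes the check return two sections and no problems, which is exactly the fix the reply describes.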