Setting up L2TP over IPSec VPN server under CentOS 5.3

fantasygoat · 09-15-2009, 04:03 PM

I've been banging my head against this problem for almost a week now without much success.

What I want is a VPN server running L2TP over IPSec using a PSK to allow Windows XP and Mac OSX clients to connect and allow access to our local network.

I've put a box with two interfaces, one inside the private LAN and one with live IP. I'm using OpenSWAN and xl2tp.

I got it working using all internal IPs, but once I moved the config to the live IPs it stopped working.

From my OSX box at home I seem to be able to establish IPSec:

Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0dca8d83 <0x8c0b136e xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:4500 DPD=enabled}

But it disconnects and I get the following error:

Sep 15 15:47:41 gateway xl2tpd[6157]: Maximum retries exceeded for tunnel 16877. Closing.
Sep 15 15:47:48 gateway xl2tpd[6157]: Connection 10 closed to [home IP address], port 51077 (Timeout)

Here's my config files:

/etc/ipsec.conf

Quote:

version 2.0

config setup
protostack=netkey
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
authby=secret

conn L2TP-PSK
authby=secret
rekey=no
keyingtries=3
left=[the external IP]
leftnexthop=192.168.1.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%no,%priv
forceencaps=yes
pfs=no
auto=add

/etc/xl2tpd/xl2tpd.conf

Quote:

[lns default]
ip range = 192.168.10.200-192.168.10.254
local ip = 192.168.10.199
refuse pap = yes
require authentication = yes
name = gateway
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

Quote:

name *
debug
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
ms-dns [our internal DNS]
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Any pointers on how to get this thing running would be much appreciated.

OdinnBurkni · 09-23-2009, 07:57 PM

Not sure but I think LeftNextHop should be your internet gateway. Like... your IP is 22.22.22.22 and your external gateway is 22.22.22.254 then that should be your leftnexthop, I think...

fantasygoat · 09-25-2009, 07:33 AM

Actually, it turned out to be a problem with Openswan. The current version is 2.6.x, which is what was installed by default from RPMForge. However, there is a bug in 2.6.x that causes L2TP to fail.

Downgrading Openswan to 2.4.15 fixed the problem.

OdinnBurkni · 09-25-2009, 08:03 AM

Thank you for sharing this with us. I'm sure many others have had similiar problems without figuring out why the he.. it doesn't work.

Randeep · 06-18-2011, 08:45 AM

Here is a nice link on how to set xl2tpd vps
It worked for me.

http://helpinlinux.blogspot.com/2011...-l2tp-vpn.html