LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Issues connecting Ubuntu Machine using L2TP over Ipsec. (https://www.linuxquestions.org/questions/linux-newbie-8/issues-connecting-ubuntu-machine-using-l2tp-over-ipsec-4175474389/)

srijivdimri 08-23-2013 06:38 AM

Issues connecting Ubuntu Machine using L2TP over Ipsec.
 
Hello Experts.

I am facing some issues with L2TP over IPsec connections using Ubuntu as a client.
Server: Meraki
Client: Ubuntu 12.04 LTS

I followed the Meraki guide for the set-up: https://kb.meraki.com/knowledge_base/linux---ubuntu-client-vpn

I installed the required package, l2tp-ipsec-vpn, and did the set-up using the GUI: entered the server IP, the pre-shared key, and PAP as the PPP protocol, but somehow I am not able to connect. It comes up with an error message:
Aug 23 16:18:30.181 ipsec_setup: Stopping Openswan IPsec...
Aug 23 16:18:31.679 xl2tpd[8284]: death_handler: Fatal signal 15 received
Aug 23 16:18:31.680 Stopping xl2tpd: xl2tpd.
Aug 23 16:18:31.702 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.0.0-32-generic...
Aug 23 16:18:31.997 ipsec__plutorun: Starting Pluto subsystem...
Aug 23 16:18:32.004 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug 23 16:18:32.009 recvref[30]: Protocol not available
Aug 23 16:18:32.010 xl2tpd[8588]: This binary does not support kernel L2TP.
Aug 23 16:18:32.010 xl2tpd[8590]: xl2tpd version xl2tpd-1.3.1 started on w2w-illuminati PID:8590
Aug 23 16:18:32.012 xl2tpd[8590]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 23 16:18:32.012 xl2tpd[8590]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 23 16:18:32.013 xl2tpd[8590]: Inherited by Jeff McAdams, (C) 2002
Aug 23 16:18:32.013 xl2tpd[8590]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug 23 16:18:32.013 xl2tpd[8590]: Listening on IP address 0.0.0.0, port 1701
Aug 23 16:18:32.013 Starting xl2tpd: xl2tpd.
Aug 23 16:18:32.050 ipsec__plutorun: 002 added connection description "US-L2TP-IPsec."
Aug 23 16:19:42.917 104 "US-L2TP-IPsec." #1: STATE_MAIN_I1: initiate
Aug 23 16:19:42.917 003 "US-L2TP-IPsec." #1: received Vendor ID payload [RFC 3947] method set to=109
Aug 23 16:19:42.917 003 "US-L2TP-IPsec." #1: received Vendor ID payload [Dead Peer Detection]
Aug 23 16:19:42.918 106 "US-L2TP-IPsec." #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 23 16:19:42.918 003 "US-L2TP-IPsec." #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 23 16:19:42.918 108 "US-L2TP-IPsec." #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 23 16:19:42.919 004 "US-L2TP-IPsec." #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 23 16:19:42.919 117 "US-L2TP-IPsec." #2: STATE_QUICK_I1: initiate
Aug 23 16:19:42.919 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.919 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.920 010 "US-L2TP-IPsec." #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Aug 23 16:19:42.920 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.920 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.920 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.921 010 "US-L2TP-IPsec." #2: STATE_QUICK_I1: retransmission; will wait 40s for response
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.922 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.922 031 "US-L2TP-IPsec." #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 23 16:19:42.922 000 "US-L2TP-IPsec." #2: starting keying attempt 2 of at most 3, but releasing whack
Aug 23 16:19:42.923 [ERROR 300] 'IPsec' failed to negotiate or establish security associations

sudo ipsec verify output:

ati:~$ sudo ipsec verify
[sudo] password for srijiv:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.0.0-32-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

[FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

My /etc/ipsec.conf file looks like this:

# Manual: ipsec.conf(5)

# Created: Fri Aug 23 16:15:39 2013
# by: The L2TP IPsec VPN Manager application version 1.0.9
#
# WARNING! All changes made in this file will be lost!

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # plutodebug="parsing emitting control private"
    plutodebug=none
    strictcrlpolicy=no
    # needed here: the client sits behind NAT ("i am NATed" in the log),
    # so IKE and ESP are UDP-encapsulated on port 4500
    nat_traversal=yes
    interfaces=%defaultroute
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey

conn %default
    keyingtries=3
    pfs=no
    rekey=yes
    # transport mode: only the L2TP channel (UDP 1701) is protected
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701

# Add connections here.


conn US-L2TP-IPsec.
    # pre-shared key; the key itself lives in /etc/ipsec.secrets
    authby=secret

    right=1.2.3.4
    rightid=""
    auto=add

Your expert advice will be highly appreciated.
Thanks in advance.
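The Quick Mode failure in the log above is Pluto's packet parser rejecting the peer's NAT-OA (NAT Original Address) payload because a reserved octet is not zero; every reply is discarded as "malformed payload in packet", so the initiator just retransmits until it gives up. The following is an added example, not code from the original post or from Openswan: it parses a NAT-OA payload as laid out in RFC 3947 section 5.2 and applies the same must-be-zero check to the reserved octets. The payload bytes are constructed here (addresses from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges), the function names are the example's own, and the 0-based byte offset it reports is an assumption about how Pluto numbers the offending byte, not a verified match.

```python
"""Parse an ISAKMP NAT-OA payload (RFC 3947 section 5.2) and enforce the
reserved-must-be-zero rule that makes Pluto log
"byte 7 of ISAKMP NAT-OA Payload must be zero, but is not".

Added example; not code from the original post or from Openswan."""
import ipaddress
import struct

# ISAKMP identification types carried in NAT-OA (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV6_ADDR = 5


class MalformedPayload(ValueError):
    """Raised when the payload violates the RFC 3947 layout."""


def parse_nat_oa(payload: bytes) -> dict:
    """Parse one NAT-OA payload (generic header plus body).

    Byte offsets (RFC 3947 section 5.2):
      0    Next Payload          1    RESERVED (must be zero)
      2-3  Payload Length        4    ID Type
      5-7  RESERVED (must be zero)
      8..  IPv4 (4 octets) or IPv6 (16 octets) original address
    """
    if len(payload) < 8:
        raise MalformedPayload("NAT-OA payload shorter than its 8-byte fixed part")
    next_payload, _reserved, length, id_type = struct.unpack("!BBHB", payload[:5])
    # Reserved octets are checked one by one so the diagnostic can name the
    # offset, mirroring Pluto's wording (offset numbering is this example's
    # own 0-based convention).
    for offset in (1, 5, 6, 7):
        if payload[offset] != 0:
            raise MalformedPayload(
                f"byte {offset} of ISAKMP NAT-OA Payload must be zero, but is not")
    if id_type == ID_IPV4_ADDR:
        addr_len = 4
    elif id_type == ID_IPV6_ADDR:
        addr_len = 16
    else:
        raise MalformedPayload(f"unsupported NAT-OA ID type {id_type}")
    if length != 8 + addr_len or len(payload) < length:
        raise MalformedPayload(
            f"NAT-OA length field {length} does not match ID type {id_type}")
    address = ipaddress.ip_address(payload[8:8 + addr_len])
    return {"next_payload": next_payload, "length": length,
            "id_type": id_type, "address": str(address)}


def build_nat_oa(address: str, next_payload: int = 0,
                 reserved: bytes = b"\x00\x00\x00") -> bytes:
    """Encode a NAT-OA payload. 'reserved' fills offsets 5-7 so a caller can
    inject a non-zero octet and reproduce the rejected packet."""
    addr = ipaddress.ip_address(address)
    id_type = ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR
    body = bytes([id_type]) + reserved + addr.packed
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


# Constructed sample payloads (not captured from the poster's session).
GOOD_NAT_OA = build_nat_oa("192.0.2.10")
# Same payload with the last RESERVED octet (offset 7) set to 1.
BAD_NAT_OA = build_nat_oa("192.0.2.10", reserved=b"\x00\x00\x01")


def check(payload: bytes) -> str:
    """Return the parsed original address, or a Pluto-style diagnostic."""
    try:
        return parse_nat_oa(payload)["address"]
    except MalformedPayload as exc:
        return f"malformed payload in packet: {exc}"


if __name__ == "__main__":
    print(check(GOOD_NAT_OA))
    print(check(BAD_NAT_OA))
```

Running the block prints the address for the clean payload and the diagnostic for the one with its last reserved octet set. The strictness is deliberate: an initiator that parsed the payload leniently would have to guess what the non-zero octet means, so Pluto drops the reply instead, and the initiator's only recourse is the retransmission sequence visible in the log.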

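The ipsec verify output above fails the NETKEY proc-value test because send_redirects and accept_redirects are still enabled under /proc/sys/net/ipv4/conf/*; with accept_redirects on, any host on the local link can rewrite the client's routes with a forged ICMP redirect, which is why the tool warns about it. As an added example (not from the post, and not how ipsec verify itself is implemented), the Python below audits those knobs for every interface and emits the sysctl.conf lines that set them to 0. The proc root is a parameter so the audit can run against the constructed directory tree built by make_fake_proc (interface names and values are made up for the example) as well as the live /proc.

```python
"""Audit the per-interface ICMP redirect sysctls that Openswan's
'ipsec verify' flags under NETKEY, and emit the sysctl lines to fix them.

Added example; not from the original post or from Openswan."""
from pathlib import Path

# Knobs under /proc/sys/net/ipv4/conf/<iface>/ that the verify output
# asks to be disabled (0).
REDIRECT_KEYS = ("send_redirects", "accept_redirects")


def audit_redirects(conf_root="/proc/sys/net/ipv4/conf"):
    """Return [(interface, key, value), ...] for every interface whose
    redirect knob is not "0". Interfaces are visited in sorted order."""
    findings = []
    for iface in sorted(Path(conf_root).iterdir()):
        for key in REDIRECT_KEYS:
            knob = iface / key
            if not knob.is_file():
                continue
            value = knob.read_text().strip()
            if value != "0":
                findings.append((iface.name, key, value))
    return findings


def sysctl_fix_lines(findings):
    """Translate findings into sysctl.conf lines.

    'all' is combined by the kernel with each interface's own value and
    'default' seeds interfaces created later (e.g. ppp0 once the L2TP link
    comes up), so both are always included alongside the flagged interfaces;
    setting every knob to 0 is the only unambiguous state."""
    ifaces = {"all", "default"} | {iface for iface, _, _ in findings}
    return sorted(f"net.ipv4.conf.{iface}.{key} = 0"
                  for iface in ifaces for key in REDIRECT_KEYS)


def make_fake_proc(root):
    """Constructed stand-in for /proc/sys/net/ipv4/conf (example data):
    'all' and 'eth0' still have redirects enabled, 'default' and 'lo' are
    already clean."""
    root = Path(root)
    for iface, send, accept in (("all", "1", "1"), ("default", "0", "0"),
                                ("eth0", "1", "1"), ("lo", "0", "0")):
        d = root / iface
        d.mkdir(parents=True, exist_ok=True)
        (d / "send_redirects").write_text(send + "\n")
        (d / "accept_redirects").write_text(accept + "\n")
    return str(root)


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    import tempfile
    return audit_redirects(make_fake_proc(tempfile.mkdtemp()))


if __name__ == "__main__":
    findings = demo()
    for iface, key, value in findings:
        print(f"{iface}/{key} = {value} (expected 0)")
    print("\n".join(sysctl_fix_lines(findings)))
```

Against the real system, call audit_redirects() with no argument (reading /proc needs no privileges), write the emitted lines to a file under /etc/sysctl.d/, and load them with sysctl -p on that file or a reboot; ipsec verify should then report the NETKEY test as passing. Because the interface list is read from the proc tree rather than hard-coded, a ppp0 that appears after the L2TP link is up will be picked up on the next audit.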
rootboy 08-24-2013 03:00 PM

I see that you got this error: "Aug 23 16:18:32.010 xl2tpd[8588]: This binary does not support kernel L2TP." Maybe that's the problem?


This site runs it in kernel space, which looks like what you are set up for.

http://strongvpn.com/forum/viewtopic.php?id=1093

srijivdimri 08-26-2013 01:24 AM

Hi ,

Thanks for your valuable input. I was not sure about the type of authentication being used for us by the company. While researching, I found this on the Meraki website:

"The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication."

As soon as we changed it to RADIUS authentication, we were able to connect just fine.

Cheers!!!

rootboy 08-26-2013 09:18 PM

Great, hopefully your IT department is more responsive than ours. ;>
