LinuxQuestions.org


fantasygoat 09-15-2009 03:03 PM

Setting up L2TP over IPSec VPN server under CentOS 5.3
 
I've been banging my head against this problem for almost a week now without much success.

What I want is a VPN server running L2TP over IPSec using a PSK to allow Windows XP and Mac OSX clients to connect and allow access to our local network.

I've put a box with two interfaces, one inside the private LAN and one with live IP. I'm using OpenSWAN and xl2tp.

I got it working using all internal IPs, but once I moved the config to the live IPs it stopped working.

From my OSX box at home I seem to be able to establish IPSec:

Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] [remote IP address] #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0dca8d83 <0x8c0b136e xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:4500 DPD=enabled}

But it disconnects and I get the following error:

Sep 15 15:47:41 gateway xl2tpd[6157]: Maximum retries exceeded for tunnel 16877. Closing.
Sep 15 15:47:48 gateway xl2tpd[6157]: Connection 10 closed to [home IP address], port 51077 (Timeout)

Here are my config files:

/etc/ipsec.conf

Quote:

version 2.0

config setup
protostack=netkey
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
authby=secret

conn L2TP-PSK
authby=secret
rekey=no
keyingtries=3
left=[the external IP]
leftnexthop=192.168.1.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%no,%priv
forceencaps=yes
pfs=no
auto=add

/etc/xl2tpd/xl2tpd.conf

Quote:

[lns default]
ip range = 192.168.10.200-192.168.10.254
local ip = 192.168.10.199
refuse pap = yes
require authentication = yes
name = gateway
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

Quote:

name *
debug
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
ms-dns [our internal DNS]
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin winbind.so
ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"

Any pointers on how to get this thing running would be much appreciated.
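The symptom in the post is an IPsec SA that comes up in pluto and an L2TP tunnel that then times out in xl2tpd a few seconds later. The following is an added diagnostic example, not code from the thread: it correlates the two daemons' syslog lines per remote peer and flags SAs that were followed by an L2TP timeout within a short window. The sample log lines, the peer addresses and the syslog year are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the pluto/xl2tpd messages quoted above.
# Peer 203.0.113.10 shows the failure pattern; 198.51.100.7 has no timeout.
SAMPLE_LOG = """\
Sep 15 15:47:34 gateway pluto[6849]: "L2TP-PSK"[2] 203.0.113.10 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0dca8d83 <0x8c0b136e xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:4500 DPD=enabled}
Sep 15 15:47:41 gateway xl2tpd[6157]: Maximum retries exceeded for tunnel 16877. Closing.
Sep 15 15:47:48 gateway xl2tpd[6157]: Connection 10 closed to 203.0.113.10, port 51077 (Timeout)
Sep 15 16:02:10 gateway pluto[6849]: "L2TP-PSK"[3] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0a0b0c0d <0x01020304 xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:4500 DPD=enabled}
"""

# pluto: quick-mode SA established for connection <name> with peer <ip>
SA_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)"\[\d+\] (\S+) #\d+: '
    r'STATE_QUICK_R2: IPsec SA established')
# xl2tpd: L2TP control connection to <ip> closed because of a timeout
TIMEOUT_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ xl2tpd\[\d+\]: Connection \d+ closed to ([^,]+), '
    r'port \d+ \(Timeout\)')

def parse_ts(ts, year=2009):
    # syslog timestamps carry no year; the year is an assumption for ordering
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window_s=60):
    """Return [(peer, conn_name, seconds)] for every IPsec SA that was followed
    by an L2TP timeout from the same peer within window_s seconds."""
    established = {}   # peer ip -> (sa time, connection name)
    findings = []
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if m:
            established[m.group(3)] = (parse_ts(m.group(1)), m.group(2))
            continue
        m = TIMEOUT_RE.match(line)
        if m and m.group(2) in established:
            t_sa, conn = established.pop(m.group(2))
            delta = (parse_ts(m.group(1)) - t_sa).total_seconds()
            if 0 <= delta <= window_s:
                findings.append((m.group(2), conn, delta))
    return findings

if __name__ == "__main__":
    for peer, conn, secs in correlate(SAMPLE_LOG):
        print(f"{conn}: IPsec up for {peer} but L2TP timed out {secs:.0f}s later")
```

A run over the real /var/log/secure and /var/log/messages concatenated in time order tells you whether IKE is the problem or only the L2TP leg after it, which is the distinction the thread turns on.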

OdinnBurkni 09-23-2009 06:57 PM

IPsec
 
Not sure but I think LeftNextHop should be your internet gateway. Like... your IP is 22.22.22.22 and your external gateway is 22.22.22.254 then that should be your leftnexthop, I think...

fantasygoat 09-25-2009 06:33 AM

Actually, it turned out to be a problem with Openswan. The current version is 2.6.x, which is what was installed by default from RPMForge. However, there is a bug in 2.6.x that causes L2TP to fail.

Downgrading Openswan to 2.4.15 fixed the problem.

OdinnBurkni 09-25-2009 07:03 AM

OpenSwan problem
 
Thank you for sharing this with us. I'm sure many others have had similar problems without figuring out why the he.. it doesn't work.

Randeep 06-18-2011 07:45 AM

Here is a nice link on how to set up an xl2tpd VPS.
It worked for me.

http://helpinlinux.blogspot.com/2011...-l2tp-vpn.html

linuxexplore 10-04-2012 04:08 PM

For L2TP VPN server configuration on Linux, especially CentOS, check the following links.
Using xl2tpd application: http://linuxexplore.com/how-tos/l2tp-vpn-using-xl2tpd/
Using rpl2tpd application: http://linuxexplore.com/how-tos/l2tp...sing-rp-l2tpd/
Really useful; I wrote them for implementation, may be helpful for you too.

Thanks,
Linux Explore | Exploring the Linux World :-)

amirn 01-12-2016 03:41 AM

Hi,
there is a nice example in this blog for L2TP over IPSec; you can download the config example and test it.
