[SOLVED] ubuntu 11.04 + openswan U2.6.28 = kernel crash?

lesca · 04-16-2012, 09:07 PM

Hello,

Please help me figure out how this happens...

1. Environment:
Ubuntu 11.04 Server + Linux Kernel 3.0.0-12-generic-pae + OpenSwan 2.6.28 + xl2tpd-1.2.8

Event:
When Win7 or iPhone try to connect to server over L2TP, the server fails. What I got is like this:
http://lesca.me/blog/wp-content/uplo...2/04/crash.jpg

Note:
The win7 client is in the same LAN.

2. ipsec.conf (almost the same like /etc/ipsec.d/examples/l2tp-psk.conf )

Code:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.0.0/24
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.1.120
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

3. /etc/xl2tpd/xl2tpd.conf

Code:

[global]
ipsec saref = no

[lns default]
local ip = 10.10.20.1
ip range = 10.10.20.100-10.10.20.254
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

4. /etc/ppp/options.xl2tpd

Code:

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

lesca · 04-18-2012, 01:39 AM

I re-build my OS back to Ubuntu 10.04 server. The same configuration file works fine now!
I am more sure that openswan doesn't support linux kernel 3.0
My current kernel version is 2.6.32

I'll do more research, and will post here later.

lesca · 04-24-2012, 01:47 AM

Move to 10.04 do solve something, but the openswan 2.6.23 in Ubuntu repository has many bugs.

Users need to update to at least 2.6.24, in my case is 2.6.27. The latest version is 2.6.28, you can find it from here: http://download.openswan.org/openswan/

you can still use apt-get to install higher version:

Code:

apt-get install python-software-properties
add-apt-repository ppa:openswan/ppa
apt-get update
apt-get install openswan

You can find more information on my blog (Chinese):
http://lesca.me/blog/2012/04/24/how-...sec-on-ubuntu/