LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 12-07-2009, 05:42 AM   #1
thePiet
LQ Newbie
 
Registered: Dec 2009
Posts: 25

Rep: Reputation: 15
Unhappy XL2TPD over IPSEC on Debian with OS X / iPhone clients


First of all, I know there are tons of threads regarding this topic. But, after spending a nice weekend trying to fix this, I ended up starting a topic myself.

I have set up ipsec (Openswan 2.6.23) and xl2tpd (xl2tpd 1.2.4) on two Debian Squeeze boxes, using various guides on the internet:

http://nielspeen.com/blog/2009/04/li...c-osx-clients/
http://www.jacco2.dds.nl/networking/linux-l2tp.html
http://rootmanager.com/ubuntu-ipsec-...s-clients.html

Initially, I have set this up on a NAT'ed Debian box. Situation:

Box (192.168.0.1) --> Gateway (192.168.0.254) --> Internet (My Public IP)

I have configured the gateway (Linksys WRT54G) to throw all incoming traffic directly to 192.168.0.1. To be sure, I cleared the firewall at the box (iptables -F).

For as far I can see in /var/log/auth.log, an ipsec connection is set up:

Code:
*snip*
Dec  6 22:01:42 server01 pluto[29430]: "server01-nat"[14] 145.53.236.22 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x069ea011 <0x83485a02 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=145.53.236.22:4500 DPD=none}
Code:
Dec  6 21:45:55 server01 xl2tpd[29517]: get_call: allocating new tunnel for host 145.53.236.22, port 49865.
Dec  6 21:45:57 server01 xl2tpd[29517]: build_fdset: closing down tunnel 24015
Dec  6 21:45:57 server01 xl2tpd[29517]: get_call: allocating new tunnel for host 145.53.236.22, port 49865.
Dec  6 21:45:57 server01 xl2tpd[29517]: control_finish: Peer requested tunnel 22 twice, ignoring second one.
Dec  6 21:45:57 server01 xl2tpd[29517]: build_fdset: closing down tunnel 10487
Dec  6 21:45:58 server01 xl2tpd[29517]: get_call: allocating new tunnel for host 145.53.236.22, port 49865.
Dec  6 21:45:58 server01 xl2tpd[29517]: control_finish: Peer requested tunnel 22 twice, ignoring second one.
Dec  6 21:45:58 server01 xl2tpd[29517]: build_fdset: closing down tunnel 54285
Dec  6 21:46:02 server01 xl2tpd[29517]: get_call: allocating new tunnel for host 145.53.236.22, port 49865.
Dec  6 21:46:02 server01 xl2tpd[29517]: control_finish: Peer requested tunnel 22 twice, ignoring second one.
Dec  6 21:46:02 server01 xl2tpd[29517]: build_fdset: closing down tunnel 28367
Dec  6 21:46:02 server01 xl2tpd[29517]: Maximum retries exceeded for tunnel 58798.  Closing.
Dec  6 21:46:10 server01 xl2tpd[29517]: get_call: allocating new tunnel for host 145.53.236.22, port 49865.
Dec  6 21:46:10 server01 xl2tpd[29517]: control_finish: Peer requested tunnel 22 twice, ignoring second one.
Dec  6 21:46:10 server01 xl2tpd[29517]: build_fdset: closing down tunnel 6449
Dec  6 21:46:10 server01 xl2tpd[29517]: build_fdset: closing down tunnel 58798
Dec  6 21:46:10 server01 xl2tpd[29517]: Connection 22 closed to 145.53.236.22, port 49865 (Timeout)
Dec  6 21:46:15 server01 xl2tpd[29517]: Unable to deliver closing message for tunnel 58798. Destroying anyway.
It seems like there is no traffic flowing to the other side. Suspecting my Linksys WRT54G, I have set up the same configuration at another box hanging directly to the internet, without any weird firewalls between it. But the same thing happens there too.

This is my xl2tpd.conf:

Code:
[lns default]
ip range = 192.168.0.200-192.168.0.210
local ip = 192.168.0.100
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = server01
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd

[global]
debug tunnel = yes
listen-addr = 192.168.0.1
And options.xl2tpd:

Code:
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.0.1
noccp
auth
crtscts
idle 1800
mtu 1472
mru 1472
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
What am I doing wrong?
 
Old 11-01-2013, 05:19 AM   #2
amirn
LQ Newbie
 
Registered: Mar 2011
Distribution: Fedora,Ubunutu
Posts: 16

Rep: Reputation: 0
Just encountered a similar issue
ubuntu 12.04 running ipsec and xl2tpd


I'm able to connect from my OSX standard client the first time but after disconnecting (gracefully) i'm unable to connect again... here is my log snnipted

The IPSec part is fine....

Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: get_call: allocating new tunnel for host 50.73.94.38, port 57997.
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: handle_avps: handling avp's for tunnel 11742, call 53123
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: protocol_version_avp: peer is using version 1, revision 0.
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: framing_caps_avp: supported peer frames: async sync
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: hostname_avp: peer reports hostname 'saturn.local'
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: assigned_tunnel_avp: using peer's tunnel 2
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 2, call is 0.
Oct 31 15:33:59 ip-10-0-10-110 xl2tpd[22745]: control_finish: sending SCCRP
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: get_call: allocating new tunnel for host X.X.X.X, port 57997.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: handle_avps: handling avp's for tunnel 63455, call 63948
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: protocol_version_avp: peer is using version 1, revision 0.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: framing_caps_avp: supported peer frames: async sync
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: hostname_avp: peer reports hostname 'saturn.local'
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: assigned_tunnel_avp: using peer's tunnel 2
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 2, call is 0.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: control_finish: Peer requested tunnel 2 twice, ignoring second one.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: build_fdset: closing down tunnel 63455
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: get_call: allocating new tunnel for host X.X.X.X, port 57997.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: handle_avps: handling avp's for tunnel 61991, call 1517
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: protocol_version_avp: peer is using version 1, revision 0.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: framing_caps_avp: supported peer frames: async sync
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: hostname_avp: peer reports hostname 'saturn.local'
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: assigned_tunnel_avp: using peer's tunnel 2
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 2, call is 0.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: control_finish: Peer requested tunnel 2 twice, ignoring second one.
Oct 31 15:34:01 ip-10-0-10-110 xl2tpd[22745]: build_fdset: closing down tunnel 61991
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: get_call: allocating new tunnel for host X.X.X.X, port 57997.
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: handle_avps: handling avp's for tunnel 64347, call 768
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: protocol_version_avp: peer is using version 1, revision 0.
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: framing_caps_avp: supported peer frames: async sync
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: hostname_avp: peer reports hostname 'saturn.local'
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: assigned_tunnel_avp: using peer's tunnel 2
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 2, call is 0.
Oct 31 15:34:05 ip-10-0-10-110 xl2tpd[22745]: control_finish: Peer requested tunnel 2 twice, ignoring second one.

xl2tpd config
[global]
ipsec saref = yes
listen-addr = 10.220.115.187
debug tunnel = yes
debug avp = yes
debug state = yes
[lns default]
ip range = 172.16.128.1-172.16.128.254
local ip = 172.16.128.254
require authentication = yes
name = TestVPNGW
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


Any idea on what's wrong here?
 
  


Reply

Tags
debian, iphone, ipsec, xl2tpd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IPSec L2TP VPN server on Ubuntu for iPhone Apollo77 Linux - Networking 27 12-03-2010 10:27 AM
xl2tpd gives errors and disconnects garm0 Linux - Newbie 0 02-24-2009 08:31 PM
ipsec server on debian cristina_crow Linux - Networking 0 11-23-2007 03:14 AM
multiple ipsec vpn clients behind nat egarnel Linux - Networking 1 12-30-2005 06:18 PM
Using virtual ip-addresses for ipsec-clients neptunus Linux - Security 0 10-03-2004 11:50 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:46 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration