LinuxQuestions.org
Old 08-23-2013, 06:38 AM   #1
srijivdimri
Member
 
Registered: Jun 2013
Location: India.
Posts: 35

Rep: Reputation: Disabled
Issues connecting Ubuntu Machine using L2TP over Ipsec.


Hello Experts.

I am facing some issues with L2TP over IPsec connections using Ubuntu as a client.
Server--Meraki
Client--Ubuntu 12.04LTS

I followed the Meraki guide for the set-up-- https://kb.meraki.com/knowledge_base/linux---ubuntu-client-vpn

I installed the required package, l2tp-ipsec-vpn. Did the set-up using the GUI: entered the server IP, pre-shared key, PPP protocol as PAP, but somehow not able to connect. It comes up with an error message:
Aug 23 16:18:30.181 ipsec_setup: Stopping Openswan IPsec...
Aug 23 16:18:31.679 xl2tpd[8284]: death_handler: Fatal signal 15 received
Aug 23 16:18:31.680 Stopping xl2tpd: xl2tpd.
Aug 23 16:18:31.702 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.0.0-32-generic...
Aug 23 16:18:31.997 ipsec__plutorun: Starting Pluto subsystem...
Aug 23 16:18:32.004 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug 23 16:18:32.009 recvref[30]: Protocol not available
Aug 23 16:18:32.010 xl2tpd[8588]: This binary does not support kernel L2TP.
Aug 23 16:18:32.010 xl2tpd[8590]: xl2tpd version xl2tpd-1.3.1 started on w2w-illuminati PID:8590
Aug 23 16:18:32.012 xl2tpd[8590]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 23 16:18:32.012 xl2tpd[8590]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 23 16:18:32.013 xl2tpd[8590]: Inherited by Jeff McAdams, (C) 2002
Aug 23 16:18:32.013 xl2tpd[8590]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug 23 16:18:32.013 xl2tpd[8590]: Listening on IP address 0.0.0.0, port 1701
Aug 23 16:18:32.013 Starting xl2tpd: xl2tpd.
Aug 23 16:18:32.050 ipsec__plutorun: 002 added connection description "US-L2TP-IPsec."
Aug 23 16:19:42.917 104 "US-L2TP-IPsec." #1: STATE_MAIN_I1: initiate
Aug 23 16:19:42.917 003 "US-L2TP-IPsec." #1: received Vendor ID payload [RFC 3947] method set to=109
Aug 23 16:19:42.917 003 "US-L2TP-IPsec." #1: received Vendor ID payload [Dead Peer Detection]
Aug 23 16:19:42.918 106 "US-L2TP-IPsec." #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 23 16:19:42.918 003 "US-L2TP-IPsec." #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 23 16:19:42.918 108 "US-L2TP-IPsec." #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 23 16:19:42.919 004 "US-L2TP-IPsec." #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 23 16:19:42.919 117 "US-L2TP-IPsec." #2: STATE_QUICK_I1: initiate
Aug 23 16:19:42.919 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.919 003 "US-L2TP-IPsec." #2: malformed payload in packet

Aug 23 16:19:42.920 010 "US-L2TP-IPsec." #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Aug 23 16:19:42.920 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.920 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.920 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.921 010 "US-L2TP-IPsec." #2: STATE_QUICK_I1: retransmission; will wait 40s for response
Aug 23 16:19:42.921 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.922 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.922 031 "US-L2TP-IPsec." #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 23 16:19:42.922 000 "US-L2TP-IPsec." #2: starting keying attempt 2 of at most 3, but releasing whack
Aug 23 16:19:42.923 [ERROR 300] 'IPsec' failed to negotiate or establish security associations

sudo ipsec verify output:-

ati:~$ sudo ipsec verify
[sudo] password for srijiv:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.0.0-32-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

[FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

My /etc/ipsec.conf file looks like

# Manual: ipsec.conf(5)

# Created: Fri Aug 23 16:15:39 2013
# by: The L2TP IPsec VPN Manager application version 1.0.9
#
# WARNING! All changes made in this file will be lost!

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # plutodebug="parsing emitting control private"
    plutodebug=none
    strictcrlpolicy=no
    nat_traversal=yes
    interfaces=%defaultroute
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey

conn %default
    keyingtries=3
    pfs=no
    rekey=yes
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701

# Add connections here.

conn US-L2TP-IPsec.
    authby=secret
    right=1.2.3.4
    rightid=""
    auto=add

Your expert advice will be highly appreciated.
Thanks in advance.
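A triage helper for the pluto lines in the post above, added here as an example and not part of the original thread: it reports how far the IKE negotiation got (Main Mode, then Quick Mode), the negotiated phase 1 parameters, and the repeated errors. The sample log is constructed from lines quoted in the post; the `triage` function name and the "IPsec SA established" success wording are assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Aug 23 16:19:42.917 104 "US-L2TP-IPsec." #1: STATE_MAIN_I1: initiate
Aug 23 16:19:42.918 003 "US-L2TP-IPsec." #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 23 16:19:42.919 004 "US-L2TP-IPsec." #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 23 16:19:42.919 117 "US-L2TP-IPsec." #2: STATE_QUICK_I1: initiate
Aug 23 16:19:42.919 003 "US-L2TP-IPsec." #2: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Aug 23 16:19:42.919 003 "US-L2TP-IPsec." #2: malformed payload in packet
Aug 23 16:19:42.922 031 "US-L2TP-IPsec." #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# timestamp, 3-digit status code, "connection name", #SA serial, message
LINE = re.compile(r'^\w{3} +\d+ [\d:.]+ (\d{3}) "([^"]+)" #(\d+): (.*)$')

def triage(log_text):
    """Report how far an Openswan (pluto) negotiation got and why it stopped."""
    r = {"conn": None, "natted": False, "phase1": "not established",
         "phase1_params": {}, "phase2": "not started", "errors": Counter()}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ipsec_setup / xl2tpd lines and blanks carry no IKE state
        _code, conn, _sa, msg = m.groups()
        r["conn"] = conn
        if "i am NATed" in msg:
            r["natted"] = True
        if "ISAKMP SA established" in msg:  # end of Main Mode (phase 1)
            r["phase1"] = "established"
            params = re.search(r"\{([^}]*)\}", msg)
            if params:
                r["phase1_params"] = dict(kv.split("=", 1) for kv in params.group(1).split())
        elif msg.startswith("STATE_QUICK_I1: initiate"):
            r["phase2"] = "in progress"
        elif "IPsec SA established" in msg:
            # Assumption: Openswan's Quick Mode success wording; not shown on the page.
            r["phase2"] = "established"
        elif "max number of retransmissions" in msg and "STATE_QUICK" in msg:
            r["phase2"] = "failed"
        elif "malformed payload" in msg or "must be zero" in msg:
            r["errors"][msg] += 1
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```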
 
Old 08-24-2013, 03:00 PM   #2
rootboy
Member
 
Registered: Oct 2001
Distribution: Mint 15
Posts: 770

Rep: Reputation: 51
I see that you got this error: "Aug 23 16:18:32.010 xl2tpd[8588]: This binary does not support kernel L2TP." Maybe that's the problem?


This site runs it in kernel space, which looks like what you are set up for.

http://strongvpn.com/forum/viewtopic.php?id=1093
 
1 members found this post helpful.
Old 08-26-2013, 01:24 AM   #3
srijivdimri
Member
 
Registered: Jun 2013
Location: India.
Posts: 35

Original Poster
Rep: Reputation: Disabled
Hi,

Thanks for your valuable input. I was not sure about the type of authentication being used for us by the company. While researching, I found this on the Meraki website:

"The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication."

As soon as we changed it to RADIUS authentication, we are able to connect just fine.

Cheers!!!
 
Old 08-26-2013, 09:18 PM   #4
rootboy
Member
 
Registered: Oct 2001
Distribution: Mint 15
Posts: 770

Rep: Reputation: 51
Great, hopefully your IT department is more responsive than ours. ;>
 
  

