<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" id="owaParaStyle"></style>
</head>
<body fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;"><br>
<div>Hey All,</div>
<div><br>
</div>
<div>I've been working on this for quite a few days now, with a bunch of different configurations with very little luck. Can someone tell me what I'm doing wrong?</div>
<div><br>
</div>
<div>It's a basic ipsec + l2tp tunnel setup. Server behind 1-to-1 NAT, client behind NAT. Using NAT-T, all UDP ports on the server wide open. Server is Ubuntu 10.04, client is Mac (same behavior on Windows and iPhone as far as I can tell).</div>
<div><br>
</div>
<div>As far as I can tell, my IPSec is coming up fine. The xl2tpd, though, can't seem to get a tunnel up and going. I have no idea what's wrong.</div>
<div><br>
</div>
<div>Can anyone help me out?</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div>Jim Lake</div>
<div><br>
</div>
<div>----</div>
<div>From xl2tpd -D</div>
<div>----</div>
<div>
<div>xl2tpd[28084]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes</div>
<div>xl2tpd[28084]: setsockopt recvref[22]: Protocol not available</div>
<div>xl2tpd[28084]: This binary does not support kernel L2TP.</div>
<div>xl2tpd[28084]: xl2tpd version xl2tpd-1.2.8 started on vpn-test PID:28084</div>
<div>xl2tpd[28084]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.</div>
<div>xl2tpd[28084]: Forked by Scott Balmos and David Stipp, (C) 2001</div>
<div>xl2tpd[28084]: Inherited by Jeff McAdams, (C) 2002</div>
<div>xl2tpd[28084]: Forked again by Xelerance (www.xelerance.com) (C) 2006</div>
<div>xl2tpd[28084]: Listening on IP address 0.0.0.0, port 1701</div>
<div>xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0</div>
<div>xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.</div>
<div>xl2tpd[28084]: handle_avps: handling avp's for tunnel 26590, call 0</div>
<div>xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)</div>
<div>xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.</div>
<div>xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync</div>
<div>xl2tpd[28084]: hostname_avp: peer reports hostname ''</div>
<div>xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12</div>
<div>xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.</div>
<div>xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 12, call is 0.</div>
<div>xl2tpd[28084]: control_finish: sending SCCRP</div>
<div>xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0</div>
<div>xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.</div>
<div>xl2tpd[28084]: handle_avps: handling avp's for tunnel 7777, call 0</div>
<div>xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)</div>
<div>xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.</div>
<div>xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync</div>
<div>xl2tpd[28084]: hostname_avp: peer reports hostname ''</div>
<div>xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12</div>
<div>xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.</div>
<div>xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 12, call is 0.</div>
<div>xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.</div>
<div>xl2tpd[28084]: build_fdset: closing down tunnel 7777</div>
</div>
<div>
<div>xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0</div>
<div>xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.</div>
<div>xl2tpd[28084]: handle_avps: handling avp's for tunnel 52152, call 48548</div>
<div>xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)</div>
<div>xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.</div>
<div>xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync</div>
<div>xl2tpd[28084]: hostname_avp: peer reports hostname ''</div>
<div>xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12</div>
<div>xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.</div>
<div>xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 12, call is 0.</div>
<div>xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.</div>
<div>xl2tpd[28084]: build_fdset: closing down tunnel 52152</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0</div>
<div>xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.</div>
<div>xl2tpd[28084]: handle_avps: handling avp's for tunnel 36706, call 35480</div>
<div>xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)</div>
<div>xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.</div>
<div>xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync</div>
<div>xl2tpd[28084]: hostname_avp: peer reports hostname ''</div>
<div>xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12</div>
<div>xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.</div>
<div>xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 12, call is 0.</div>
<div>xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.</div>
<div>xl2tpd[28084]: build_fdset: closing down tunnel 36706</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
</div>
<div>
<div>xl2tpd[28084]: Maximum retries exceeded for tunnel 26590. Closing.</div>
<div>xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0</div>
<div>xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.</div>
<div>xl2tpd[28084]: handle_avps: handling avp's for tunnel 43061, call 0</div>
<div>xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)</div>
<div>xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.</div>
<div>xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync</div>
<div>xl2tpd[28084]: hostname_avp: peer reports hostname ''</div>
<div>xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12</div>
<div>xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.</div>
<div>xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 12, call is 0.</div>
<div>xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.</div>
<div>xl2tpd[28084]: build_fdset: closing down tunnel 43061</div>
<div>xl2tpd[28084]: build_fdset: closing down tunnel 26590</div>
<div>xl2tpd[28084]: Connection 12 closed to 204.147.92.175, port 49911 (Timeout)</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: network_thread: select timeout</div>
<div>xl2tpd[28084]: Unable to deliver closing message for tunnel 26590. Destroying anyway.</div>
<div><br>
</div>
</div>
<div>---</div>
<div>From client:</div>
<div>---</div>
<div>
<div>4/18/11 1:02:19 PM	pppd[15938]	IPSec connection started</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	Connecting.</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKE Packet: transmit success. (Initiator, Main-Mode message 1).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKE Packet: receive success. (Initiator, Main-Mode message 2).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKE Packet: transmit success. (Initiator, Main-Mode message 3).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKE Packet: receive success. (Initiator, Main-Mode message 4).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKE Packet: transmit success. (Initiator, Main-Mode message 5).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKE Packet: receive success. (Initiator, Main-Mode message 6).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKE Packet: transmit success. (Information message).</div>
<div>4/18/11 1:02:19 PM	racoon[15917]	IKEv1 Information-Notice: transmit success. (ISAKMP-SA).</div>
<div>4/18/11 1:02:20 PM	racoon[15917]	IKE Packet: transmit success. (Initiator, Quick-Mode message 1).</div>
<div>4/18/11 1:02:20 PM	racoon[15917]	IKE Packet: receive success. (Initiator, Quick-Mode message 2).</div>
<div>4/18/11 1:02:20 PM	racoon[15917]	IKE Packet: transmit success. (Initiator, Quick-Mode message 3).</div>
<div>4/18/11 1:02:20 PM	racoon[15917]	IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).</div>
<div>4/18/11 1:02:20 PM	pppd[15938]	IPSec connection established</div>
<div>4/18/11 1:02:40 PM	pppd[15938]	L2TP cannot connect to the server</div>
<div>4/18/11 1:02:40 PM	racoon[15917]	IKE Packet: transmit success. (Information message).</div>
<div>4/18/11 1:02:40 PM	racoon[15917]	IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).</div>
<div>4/18/11 1:02:40 PM	racoon[15917]	IKE Packet: transmit success. (Information message).</div>
<div>4/18/11 1:02:40 PM	racoon[15917]	IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>From auth.log:</div>
<div>----</div>
<div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: responding to Main Mode from unknown peer 204.147.92.175</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: STATE_MAIN_R1: sent MR1, expecting MI2</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: Main mode peer ID is ID_IPV4_ADDR: '10.7.7.178'</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: switched from "L2TP" to "L2TP"</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: deleting connection "L2TP" instance with peer 204.147.92.175 {isakmp=#0/ipsec=#0}</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: new NAT mapping for #1, was 204.147.92.175:500, now 204.147.92.175:4500</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000</div>
<div>Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: received and ignored informational message</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: the peer proposed: 50.18.124.10/32:17/1701 -> 10.7.7.178/32:17/0</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: responding to Quick Mode proposal {msgid:23c0fdc5}</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: us: 10.170.91.102<10.170.91.102>[50.18.124.10,+S=C]:17/1701---10.170.90.1</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: them: 204.147.92.175[10.7.7.178,+S=C]:17/0===10.7.7.178/32</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</div>
<div>Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0950fbf7 <0xa1d4b208 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=204.147.92.175:4500 DPD=none}</div>
</div>
<div>----</div>
<div><br>
</div>
<div>Config files.</div>
<div><br>
</div>
<div>----</div>
<div>ipsec.conf</div>
<div>----</div>
<div>
<div>version 2.0 # conforms to second version of ipsec.conf specification</div>
<div><br>
</div>
<div># basic configuration</div>
<div>config setup</div>
<div> nat_traversal=yes</div>
<div> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16</div>
<div> oe=off</div>
<div> protostack=netkey</div>
<div># nhelpers=0</div>
<div><br>
</div>
<div>conn L2TP</div>
<div> authby=secret</div>
<div> auto=add</div>
<div> pfs=no</div>
<div> type=transport</div>
<div> rekey=no</div>
<div><br>
</div>
<div> left=10.170.91.102</div>
<div> leftid=50.18.124.10</div>
<div> leftnexthop=%defaultroute</div>
<div> leftprotoport=17/1701</div>
<div><br>
</div>
<div> right=%any</div>
<div> rightsubnet=vhost:%priv,%no,%all</div>
<div> rightprotoport=17/0</div>
<div> forceencaps=yes</div>
</div>
<div><br>
</div>
<div>----</div>
<div>xl2tpd.conf</div>
<div>----</div>
<div>
<div>[global]</div>
<div>ipsec saref = no</div>
<div>debug tunnel = yes</div>
<div>debug avp = yes</div>
<div>debug network = yes</div>
<div>debug state = yes</div>
<div><br>
</div>
<div>[lns default]</div>
<div>ip range = 172.16.1.100-172.16.1.200</div>
<div>local ip = 172.16.1.1</div>
<div>refuse chap = yes</div>
<div>refuse pap = yes</div>
<div>require authentication = yes</div>
<div>ppp debug = yes</div>
<div>pppoptfile = /etc/ppp/options.xl2tpd</div>
<div>length bit = yes</div>
</div>
<div>----</div>
<div>options.xl2tpd</div>
<div>----</div>
<div>
<div>ipcp-accept-local</div>
<div>ipcp-accept-remote</div>
<div>noccp</div>
<div>auth</div>
<div>#crtscts</div>
<div>idle 1800</div>
<div>mtu 1410</div>
<div>mru 1410</div>
<div>nodefaultroute</div>
<div>debug</div>
<div>dump</div>
<div>lock</div>
<div>proxyarp</div>
<div>name l2tpd</div>
<div>connect-delay 5000</div>
<div>ms-dns 4.2.2.1</div>
</div>
<div>----</div>
</div>
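<div>Added diagnostic, not part of the original post or of xl2tpd: the Python script below triages xl2tpd -D output like the log above by grouping control messages per peer host and peer-assigned tunnel id, and flags tunnels where the client keeps resending SCCRQ and never answers our SCCRP with SCCCN (the pattern shown for tunnel 12 above: IPsec is up, but the L2TP reply never gets back to the client). The sample log is constructed from the post's lines; the second peer 198.51.100.7 with tunnel 5 is made up to show what a completed exchange looks like.</div>

```python
import re
from collections import defaultdict

SCCRQ, SCCCN = 1, 3  # RFC 2661 control message types: SCCRQ=1, SCCRP=2, SCCCN=3
RECV_RE = re.compile(r"recv packet from (\S+),")
MSGTYPE_RE = re.compile(r"message type (\d+) \(")
PEER_TUNNEL_RE = re.compile(r"using peer's tunnel (\d+)")
TIMEOUT_RE = re.compile(r"Connection (\d+) closed to (\S+), port \d+ \(Timeout\)")
# Constructed sample in xl2tpd -D format; peer 198.51.100.7 / tunnel 5 is made up.
SAMPLE_LOG = """\
xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[28084]: control_finish: sending SCCRP
xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[28084]: Connection 12 closed to 204.147.92.175, port 49911 (Timeout)
xl2tpd[28084]: network_thread: recv packet from 198.51.100.7, size = 60, tunnel = 0, call = 0
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 5
xl2tpd[28084]: control_finish: sending SCCRP
xl2tpd[28084]: network_thread: recv packet from 198.51.100.7, size = 20, tunnel = 9, call = 0
xl2tpd[28084]: message_type_avp: message type 3 (Start-Control-Connection-Connected)
"""


def parse_xl2tpd_log(text):
    """Return {(peer_host, peer_tunnel_id): counters} for every control connection seen."""
    stats = defaultdict(lambda: dict(sccrq=0, sccrp_sent=0, scccn=0, timed_out=False))
    host, msgtype, last_key = None, None, {}  # last_key: peer host -> most recent key
    for line in text.splitlines():
        if m := RECV_RE.search(line):
            host = m.group(1)
        elif m := MSGTYPE_RE.search(line):
            msgtype = int(m.group(1))
            if msgtype == SCCCN and host in last_key:  # SCCCN carries no tunnel AVP
                stats[last_key[host]]["scccn"] += 1
        elif (m := PEER_TUNNEL_RE.search(line)) and host:
            last_key[host] = key = (host, int(m.group(1)))
            if msgtype == SCCRQ:
                stats[key]["sccrq"] += 1
        elif "sending SCCRP" in line and host in last_key:
            stats[last_key[host]]["sccrp_sent"] += 1
        elif m := TIMEOUT_RE.search(line):
            stats[(m.group(2), int(m.group(1)))]["timed_out"] = True
    return dict(stats)


def diagnose(stats):
    findings = []
    for (host, tid), s in sorted(stats.items()):
        if s["sccrq"] >= 2 and s["scccn"] == 0:  # SCCRQ retried, our SCCRP never acknowledged
            findings.append(f"{host} tunnel {tid}: {s['sccrq']} SCCRQ received, {s['sccrp_sent']} "
                            f"SCCRP sent, no SCCCN{', timed out' if s['timed_out'] else ''}")
    return findings
```

A finding means xl2tpd did reply but the client never saw the SCCRP, so the next thing to check is whether packets from UDP/1701 back to the client actually leave through the IPsec SA rather than the L2TP configuration itself.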
</body>
</html>