<div dir="ltr">Hi<div><br></div><div>I'm trying to configure an Ubuntu client to establish an IPSec/L2TP VPN connection to a Check Point appliance. The appliance has been configured and tested with a Windows client. I have limited flexibility on what I can change configuration-wise on the appliance.</div>
<div><br></div><div>The Ubuntu client is running on Amazon EC2 for testing purposes and I've configured the Amazon security to allow all TCP, UDP and ICMP packets in and out between that host and the Check Point appliance.</div>
<div><br></div><div>The IPSec tunnel seems to be being set up correctly - it is the L2TP bit I'm having trouble with, in that when I try to get the L2TP tunnel up, xl2tpd reports it is trying to establish a connection but it isn't getting a reply. If I compare the Check Point logs, I can see that when the Windows client connects, there is an extra bit of communication going on that the Ubuntu client isn't doing.</div>
<div><br></div><div>This is the log entry that a Windows client connection has but the Ubuntu client doesn't:</div><div><br></div><div><div>Action: Key Install<br></div><div>Source: <span class="" style="white-space:pre">        <Windows client IP address></span></div>
<div>Destination: <span class="" style="white-space:pre">        <CP appliance IP address></span></div><div>User: <span class="" style="white-space:pre">        </span><L2TP_machine_user></div>
<div>Information: <span class="" style="white-space:pre">        </span>IKE: Quick Mode Sent Notification: Responder Lifetime</div><div>Source Key ID: <span class="" style="white-space:pre">        <value></span></div>
<div>Destination Key ID: <span class="" style="white-space:pre">        <value></span></div><div>Encryption Scheme: <span class="" style="white-space:pre">        </span>IKE</div><div>IKE Initiator Cookie: <span class="" style="white-space:pre">        <value></span></div>
<div>IKE Responder Cookie: <span class="" style="white-space:pre">        </span>f<value></div><div>IKE Phase2 Message ID:<span class="" style="white-space:pre">        </span>00000001</div><div>VPN Peer Gateway: <span class="" style="white-space:pre">        <Windows client IP address></span></div>
<div></div></div><div><br></div><div>Now, that doesn't translate to actual packets :-) Unfortunately, I've been trying to decode the encrypted packets to better understand what is going on here and failing.</div><div>
<br></div><div>Here is /etc/ipsec.conf:</div><div><br></div><div><div>config setup</div><div> dumpdir=/var/run/pluto/</div><div> nat_traversal=yes</div><div> virtual_private=%v4:172.24.0.0/16,%v4:192.168.0.0/16</div>
<div> oe=off</div><div> protostack=netkey</div><div> plutoopts="--interface=eth0"</div><div><br></div><div>conn L2TP-PSK</div><div> authby=secret</div><div> pfs=no</div><div> auto=add</div><div>
keyingtries=3</div><div> dpddelay=30</div><div> dpdtimeout=120</div><div> dpdaction=clear</div><div> rekey=yes</div><div> ikelifetime=8h</div><div> keylife=1h</div><div> type=transport</div><div> left=%defaultroute</div>
<div> leftnexthop=%defaultroute</div><div> leftprotoport=17/1701</div><div> right=213.122.173.130</div><div> rightid=192.168.254.1</div></div><div><br></div><div>Here is /etc/xl2tpd/xl2tpd.conf:</div><div><br>
</div><div><div>[lac vpn-connection]</div><div>lns = 213.122.173.130</div><div>refuse chap = yes</div><div>require pap = yes</div><div>require authentication = yes</div><div>name = <username></div><div>ppp debug = yes</div>
<div>pppoptfile = /etc/ppp/options.l2tpd.client</div><div>length bit = yes</div></div><div><br></div><div>Here is /etc/ppp/options.l2tpd.client:</div><div><br></div><div><div>ipcp-accept-local</div><div>ipcp-accept-remote</div>
<div>refuse-eap</div><div>refuse-mschap-v2</div><div>require-pap</div><div>noccp</div><div>noauth</div><div>idle 1800</div><div>defaultroute</div><div>usepeerdns</div><div>debug</div><div>lock</div><div>connect-delay 5000</div>
<div>name <username></div><div>password <password></div></div><div><br></div><div>Remember at the beginning that I said I couldn't really change much at the Check Point end? One of the things I *have* to use is PAP. Unfortunately, there don't seem to be any examples of PAP being used so that is possibly one of the areas where I've got a problem ...</div>
<div><br></div><div>Any suggestions gratefully received :-)</div><div><br></div><div>Regards</div><div><br></div><div>Philip</div><div><br></div></div>
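<div><br></div><div>Added example, not part of Philip's post and not a Check Point or Ubuntu tool: a Python script that automates the log comparison described above. It groups exported Check Point records (tab-separated "Field: value" lines, one blank line between records, in the layout quoted in the post) by client and reports which clients never received the Phase 2 "Key Install" record carrying the Responder Lifetime notification. The sample records, their field values and the IP addresses are constructed, and the script assumes the appliance's text export keeps that layout.</div>

```python
"""Correlate Check Point VPN log records per client and report which peers
never reached the IKE Quick Mode 'Key Install' stage."""

# Constructed sample in the "Field:<TAB>value" layout quoted in the post
# (blank line between records, documentation-range IPs): 198.51.100.10 plays
# the Windows client that completes Quick Mode, 198.51.100.20 the Ubuntu one.
SAMPLE_LOG = """\
Action:\tKey Install
Source:\t198.51.100.10
Destination:\t203.0.113.1
User:\tL2TP_machine_user
Information:\tIKE: Quick Mode Sent Notification: Responder Lifetime
IKE Phase2 Message ID:\t00000001

Action:\tLog
Source:\t198.51.100.20
Destination:\t203.0.113.1
User:\tL2TP_machine_user
Information:\tIKE: (constructed placeholder) Main Mode traffic only
"""


def parse_records(text):
    """Blank-line separated records -> list of dicts. Only the first ':'
    splits name from value, so 'IKE: Quick Mode ...' keeps its own colons."""
    records = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def quick_mode_peers(records):
    """Sources that got a Phase 2 'Key Install' carrying the Responder
    Lifetime notification, i.e. an IPsec SA was actually installed."""
    return {r.get("Source") for r in records
            if r.get("Action") == "Key Install"
            and "Quick Mode" in r.get("Information", "")}


def clients_without_quick_mode(records):
    """Clients seen in the log that never reached Quick Mode: their L2TP
    packets (UDP 1701) have no IPsec SA to be carried in, so no reply comes."""
    seen = {r["Source"] for r in records if "Source" in r}
    return sorted(seen - quick_mode_peers(records))
```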