[Openswan Users] unencrypted l2tp packets

Ben Willmore bwillmore at berkeley.edu
Sat Feb 11 22:43:46 CET 2006


Jacco, Paul,

Thanks for your help! I finally got there.

In case it helps anyone else, a summary of my efforts is below.

Thanks again,

Ben

-----------------------

The debian-special pre0.70 l2tpd that comes standard with ubuntu5.04
is compatible with the default Mac OS X 10.4.4 VPN client using PSKs,
using NAT-T at both ends.  [It's lucky because I had trouble getting
the l2tpds that I compiled myself to speak to the pppd, getting "stdin
is not a tty" errors].

My guess is that the OpenSwan that comes with ubuntu5.04 (openswan
2.3.0-2) is also fine with 10.4.4 -- it certainly seemed to accept the
headers without complaint. But the Mac seemed to be sending 'RFC 3947'
first -- perhaps Apple are finally conforming to the standard?

Feb 11 22:01:42 lithium pluto[17099]: packet from xx.xx.xx.xx:500:
received Vendor ID payload [RFC 3947] method set to=109
Feb 11 22:01:42 lithium pluto[17099]: packet from xx.xx.xx.xx:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set
to=110
Feb 11 22:01:42 lithium pluto[17099]: packet from xx.xx.xx.xx:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,
but already using method 110

The error I got repeatedly from l2tpd:

Feb 10 14:38:02 lithium l2tpd[29354]: ourtid = 54641, entropy_buf = d571
Feb 10 14:38:02 lithium l2tpd[29354]: check_control: control, cid = 0,
Ns = 0, Nr = 0
Feb 10 14:38:02 lithium l2tpd[29354]: handle_avps: handling avp's for
tunnel 54641, call 0
Feb 10 14:38:02 lithium l2tpd[29354]: message_type_avp: message type 1
(Start-Control-Connection-Request)
Feb 10 14:38:02 lithium l2tpd[29354]: protocol_version_avp: peer is
using version 1, revision 0.
Feb 10 14:38:02 lithium l2tpd[29354]: framing_caps_avp: supported peer
frames:async sync
Feb 10 14:38:02 lithium l2tpd[29354]: hostname_avp: peer reports hostname ''
Feb 10 14:38:02 lithium l2tpd[29354]: assigned_tunnel_avp: using
peer's tunnel 173
Feb 10 14:38:02 lithium l2tpd[29354]: receive_window_size_avp: peer
wants RWS of 4.  Will use flow control.
..endless repeat...

... was (in my case) not directly related to the configuration files.
Restarting ipsec/l2tpd/networking and waiting a few moments often
cleared it.  I think a connection was left over from the previous
attempt, and was preventing a new one being made.  However, once I got
all the settings right I did not see this error again.

Here are my final configuration files.  192.168.2.9 is the gateway
machine.  The NAT router forwards ports 500 and 4500 to this machine.
192.168.2.1 is the default route. 192.168.2.203 is a new IP assigned
to the pppd.

ipsec.conf:  Major issue here was getting left= and leftnexthop=
correct.  For my setup, left=the VPN gateway's IP, and leftnexthop=the
default route for the subnet.  Wrong values here (e.g.
left=%defaultroute) still allowed a connection to be set up without
errors, but I could not ping across the ppp connection.  For the
initial connection to be set up, some matching is done -- the values
in the left= and right= need to exactly match those pluto reports it's
trying to match -- BUT the leftsubnet= and rightsubnet= were not
needed in my case.

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        #plutodebug="all"
        nat_traversal="yes"
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24

conn L2TP-PSK
  type=transport
  authby=secret
  pfs=no
  rekey=no
  keyingtries=3
  left=192.168.2.9
  leftnexthop=192.168.2.1
  leftprotoport=17/1701
  right=%any
  rightsubnet=vhost:%no,%priv
  rightprotoport=17/%any
  auto=add

l2tpd.conf: Major issue here was that 'local ip' is not the IP of the
gateway, but a new address to be assigned to the ppp interface:

[global]                                ; Global parameters:
port = 1701                             ; * Bind to port 1701

[lns default]
ip range = 192.168.2.204-192.168.2.214
local ip = 192.168.2.203
require chap = yes
refuse pap = yes
require authentication = yes
name = Test
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
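As an added example (not part of Ben's post or the Openswan/l2tpd projects), a small checker that reads the two configuration fragments and flags the pitfalls the post describes: left= set to %defaultroute instead of the gateway address, a wrong leftnexthop=, NAT-T not enabled, and an l2tpd 'local ip' that reuses the gateway address or falls inside the pool. The sample inputs are constructed to mirror the final files above; the gateway and default-route values are passed in as assumptions.

```python
import ipaddress

# Constructed sample input mirroring the post's final configuration files.
IPSEC_CONF = """\
config setup
        nat_traversal="yes"
conn L2TP-PSK
  left=192.168.2.9
  leftnexthop=192.168.2.1
  leftprotoport=17/1701
  right=%any
"""
L2TPD_CONF = """\
[global]
[lns default]
ip range = 192.168.2.204-192.168.2.214
local ip = 192.168.2.203
"""

def parse_kv(text):
    """Collect key=value pairs; section headers, conn/config lines and comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # ipsec.conf uses #, l2tpd.conf uses ;
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out

def check(ipsec_text, l2tpd_text, gateway_ip, default_route):
    """Return a list of problems; an empty list means both files follow the post's findings."""
    ipsec, l2tp = parse_kv(ipsec_text), parse_kv(l2tpd_text)
    problems = []
    if ipsec.get("nat_traversal", "no").lower() != "yes":
        problems.append("nat_traversal= must be yes for a NAT-T client")
    if ipsec.get("left") != gateway_ip:  # %defaultroute connects but traffic never flows
        problems.append(f"left= should be the gateway IP {gateway_ip}, got {ipsec.get('left')}")
    if ipsec.get("leftnexthop") != default_route:
        problems.append(f"leftnexthop= should be the default route {default_route}")
    if ipsec.get("leftprotoport") != "17/1701":
        problems.append("leftprotoport= should be 17/1701 (UDP to the L2TP port)")
    local_ip = l2tp.get("local ip")
    if local_ip == gateway_ip:  # 'local ip' is the ppp side, not the gateway
        problems.append("local ip = must be a new address for ppp, not the gateway IP")
    lo, _, hi = l2tp.get("ip range", "").partition("-")
    if lo and hi and local_ip and ipaddress.ip_address(lo) <= ipaddress.ip_address(local_ip) <= ipaddress.ip_address(hi):
        problems.append("local ip = must not fall inside ip range")
    return problems
```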

