[Openswan Users] openswan + l2tpd + iptables problem

mechanix at debian.org
Wed Oct 18 09:46:05 EDT 2006


On Wed, Oct 18, 2006 at 02:32:54PM +0200, Jacco de Leeuw wrote:
> 
> Filip wrote:
> 
> >plugin winbind.so
> >ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1'
> 
> Is this against a Samba server? Just curious.

No, AD / Windows 2003.

> >rcvd [CCP ConfReq id=0x11 <mppe +H -M -S -L -D +C>]
> >sent [CCP ConfRej id=0x11 <mppe +H -M -S -L -D +C>]
> 
> The Windows client keeps asking for MPPE encryption. Did you configure
> the VPN Wizard to use "Advanced (custom settings)" or
> "Geavanceerd (aangepaste instellingen)"? Disable "Encryption required"
> or "Codering vereisen".

I used CMAK to build a profile with two vpn gateways defined. Is it the
setting highlighted in the attached screenshot you're referring to?

I thought that was for requiring L2TP to be used over IPsec encryption.
OK, it seems I read over that bit on your page; you already state it
there.

However, when I use the same CMAK profile to connect to the other server,
it does not matter. See log at the end.

> Alternative, you could add "noccp" to options.ppp.l2tpd

I can't try it until this evening, but I will.

I see that there's a ppp_mppe kernel module on the non-working gateway.
I'll try loading it and adding require-mppe as well.
Actually, is there some way to have optional mppe? There's only nomppe,
which is the default and disables it completely AFAICT from the pppd manpage,
and require-mppe, which seems to make it mandatory.

> >Oct 18 15:24:37 scotos l2tpd[16079]: child_handler : pppd exited for call 1 with code 16
> >Oct 18 15:24:38 scotos l2tpd[16079]: write_packet: tty is not open yet.
> >Oct 18 15:24:41 scotos l2tpd[16079]: write_packet: tty is not open yet.
> >Oct 18 15:24:42 scotos l2tpd[16079]: control_xmit: Maximum retries exceeded for tunnel 57393.  Closing.
> >Oct 18 15:24:43 scotos l2tpd[16079]: get_call: can't find call 43087 in tunnel 57393
> >Oct 18 15:24:47 scotos l2tpd[16079]: control_xmit: Unable to deliver closing message for tunnel 57393. Destroying anyway.
> >Oct 18 15:24:48 scotos l2tpd[16079]: get_call:can't find tunnel 57393
> 
> Hm, this is not a graceful exit of l2tpd. Are you using Debian's
> l2tpd-pre0.70?

Yes.

> I believe a number of issues have been fixed in Xelerance's version
> xl2tpd.

I may look into that if I can't get things to work; but would it help
here? I'd think not, since pppd is already being called and authenticates
the client and all.


BE gateway log (I closed the connection from the client after a successful
ping):

Oct 17 21:15:17 pluto l2tpd[21295]: start_pppd: I'm running:  
Oct 17 21:15:17 pluto l2tpd[21295]: "/usr/sbin/pppd" 
Oct 17 21:15:17 pluto l2tpd[21295]: "passive" 
Oct 17 21:15:17 pluto l2tpd[21295]: "-detach" 
Oct 17 21:15:17 pluto l2tpd[21295]: ":192.168.1.201" 
Oct 17 21:15:17 pluto l2tpd[21295]: "auth" 
Oct 17 21:15:17 pluto l2tpd[21295]: "name" 
Oct 17 21:15:17 pluto l2tpd[21295]: "pluto" 
Oct 17 21:15:17 pluto l2tpd[21295]: "debug" 
Oct 17 21:15:17 pluto l2tpd[21295]: "file" 
Oct 17 21:15:17 pluto l2tpd[21295]: "/etc/ppp/options.l2tpd" 
Oct 17 21:15:17 pluto l2tpd[21295]: "/dev/ttyp0" 
Oct 17 21:15:17 pluto l2tpd[21295]:  
Oct 17 21:15:17 pluto l2tpd[21295]: check_control: control, cid = 0, Ns = 4, Nr = 2 
Oct 17 21:15:17 pluto pppd[8508]: using channel 2454
Oct 17 21:15:17 pluto pppd[8508]: sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x31ec0f5a> <pcomp> <accomp>]
Oct 17 21:15:17 pluto pppd[8508]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x30b27fb> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:32.73.ba.5c.47.c0.4e.92.bc.98.69.d7.cb.e7.1b.5f.00.00.00.01]>]
Oct 17 21:15:17 pluto pppd[8508]: sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614>]
Oct 17 21:15:17 pluto pppd[8508]: rcvd [LCP ConfAck id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x31ec0f5a> <pcomp> <accomp>]
Oct 17 21:15:17 pluto pppd[8508]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x30b27fb> <pcomp> <accomp> <endpoint [local:32.73.ba.5c.47.c0.4e.92.bc.98.69.d7.cb.e7.1b.5f.00.00.00.01]>]
Oct 17 21:15:17 pluto pppd[8508]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x30b27fb> <pcomp> <accomp> <endpoint [local:32.73.ba.5c.47.c0.4e.92.bc.98.69.d7.cb.e7.1b.5f.00.00.00.01]>]
Oct 17 21:15:17 pluto pppd[8508]: sent [LCP EchoReq id=0x0 magic=0x31ec0f5a]
Oct 17 21:15:17 pluto pppd[8508]: sent [CHAP Challenge id=0xd3 <19d67ec65162b7fb08efa68fb211e535>, name = "pluto"]
Oct 17 21:15:17 pluto pppd[8508]: rcvd [LCP Ident id=0x2 magic=0x30b27fb "MSRASV5.10"]
Oct 17 21:15:17 pluto pppd[8508]: rcvd [LCP Ident id=0x3 magic=0x30b27fb "MSRAS-0-GANYMEDES"]
Oct 17 21:15:17 pluto pppd[8508]: rcvd [LCP EchoRep id=0x0 magic=0x30b27fb]
Oct 17 21:15:17 pluto pppd[8508]: rcvd [CHAP Response id=0xd3 <44a39ca0b8af8e7a7ee56a8493564b9d00000000000000007a5172390f745845ca7a6bca77a989bca94011b2013cbe1a00>, name = "DOMAIN\\username"]
Oct 17 21:15:18 pluto pppd[8508]: sent [CHAP Success id=0xd3 "S=CD4BB13B05CEB81D7D8BF7F465BF4D7244F613C3 M=Access granted"]
Oct 17 21:15:18 pluto pppd[8508]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 17 21:15:18 pluto pppd[8508]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.0.254>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
Oct 17 21:15:18 pluto pppd[8508]: sent [CCP ConfRej id=0x4 <mppe +H -M -S -L -D +C>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 17 21:15:18 pluto pppd[8508]: sent [IPCP ConfRej id=0x5 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 17 21:15:18 pluto pppd[8508]: sent [CCP ConfReq id=0x2]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Oct 17 21:15:18 pluto pppd[8508]: sent [IPCP ConfReq id=0x2 <addr 192.168.0.254>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [CCP TermReq id=0x6 03 0b 27 fb 00 3c cd 74 00 00 02 dc]
Oct 17 21:15:18 pluto pppd[8508]: sent [CCP TermAck id=0x6]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [IPCP ConfReq id=0x7 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Oct 17 21:15:18 pluto pppd[8508]: sent [IPCP ConfNak id=0x7 <addr 192.168.1.201> <ms-dns1 192.168.1.254> <ms-dns3 192.168.1.254>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.0.254>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [IPCP ConfReq id=0x8 <addr 192.168.1.201> <ms-dns1 192.168.1.254> <ms-dns3 192.168.1.254>]
Oct 17 21:15:18 pluto pppd[8508]: sent [IPCP ConfAck id=0x8 <addr 192.168.1.201> <ms-dns1 192.168.1.254> <ms-dns3 192.168.1.254>]
Oct 17 21:15:18 pluto pppd[8508]: Script /etc/ppp/ip-up started (pid 8512)
Oct 17 21:15:18 pluto pppd[8508]: Script /etc/ppp/ip-up finished (pid 8512), status = 0x0
Oct 17 21:15:21 pluto pppd[8508]: sent [CCP ConfReq id=0x2]
Oct 17 21:15:21 pluto pppd[8508]: rcvd [CCP TermAck id=0x2]
Oct 17 21:15:21 pluto pppd[8508]: sent [CCP TermReq id=0x3"No compression negotiated"]
Oct 17 21:15:21 pluto pppd[8508]: rcvd [CCP TermAck id=0x3"No compression negotiated"]
Oct 17 21:15:38 pluto pppd[8508]: rcvd [LCP TermReq id=0x9 03 0b 27 fb 00 3c cd 74 00 00 00 00]
Oct 17 21:15:38 pluto pppd[8508]: Script /etc/ppp/ip-down started (pid 8547)
Oct 17 21:15:38 pluto pppd[8508]: sent [LCP TermAck id=0x9]
Oct 17 21:15:38 pluto l2tpd[21295]: check_control: control, cid = 1, Ns = 4, Nr = 2 
Oct 17 21:15:38 pluto l2tpd[21295]: handle_avps: handling avp's for tunnel 21895, call 58239 
Oct 17 21:15:38 pluto l2tpd[21295]: message_type_avp: message type 14 (Call-Disconnect-Notify) 
Oct 17 21:15:38 pluto l2tpd[21295]: result_code_avp: peer closing for reason 3 (Call disconnected for administrative reasons), error = 0 () 
Oct 17 21:15:38 pluto l2tpd[21295]: assigned_session_avp: assigned session id: 1 
Oct 17 21:15:38 pluto l2tpd[21295]: control_finish: Peer tried to disconnect without specifying call ID 
Oct 17 21:15:39 pluto l2tpd[21295]: check_control: control, cid = 0, Ns = 5, Nr = 2 
Oct 17 21:15:39 pluto l2tpd[21295]: handle_avps: handling avp's for tunnel 21895, call 26758 
Oct 17 21:15:39 pluto l2tpd[21295]: message_type_avp: message type 4 (Stop-Control-Connection-Notification) 
Oct 17 21:15:39 pluto l2tpd[21295]: assigned_tunnel_avp: using peer's tunnel 1 
Oct 17 21:15:39 pluto l2tpd[21295]: result_code_avp: peer closing for reason 6 (Requester is being shut down), error = 0 () 
Oct 17 21:15:39 pluto pppd[8508]: Waiting for 1 child processes...
Oct 17 21:15:39 pluto pppd[8508]:   script /etc/ppp/ip-down, pid 8547
Oct 17 21:15:39 pluto pppd[8508]: Script /etc/ppp/ip-down finished (pid 8547), status = 0x0


KR,

Filip

-- 
http://www.sysfs.be/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cmak.png
Type: application/octet-stream
Size: 12395 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20061018/38574a29/attachment.obj 
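Editor's added example (not code from this thread, from Openswan, or from pppd): a small Python parser for the negotiation lines pppd writes under "debug", run over the CCP-related lines of the gateway log above. It reports whether the client asked for MPPE, whether the local pppd refused it (the CCP ConfRej that appears in both the working and the failing log), and whether CCP was then torn down, which is the mismatch this thread is about. The sample log is constructed from lines quoted in this message; the meaning of the MPPE flag letters follows pppd's ccp.c printing convention.

```python
import re
from dataclasses import dataclass

# Constructed sample input: CCP-related pppd lines taken from the BE gateway
# log in this thread, embedded here so the script runs offline.
SAMPLE_LOG = """\
Oct 17 21:15:17 pluto pppd[8508]: sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x31ec0f5a> <pcomp> <accomp>]
Oct 17 21:15:18 pluto pppd[8508]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
Oct 17 21:15:18 pluto pppd[8508]: sent [CCP ConfRej id=0x4 <mppe +H -M -S -L -D +C>]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 17 21:15:18 pluto pppd[8508]: sent [CCP ConfReq id=0x2]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [CCP TermReq id=0x6 03 0b 27 fb 00 3c cd 74 00 00 02 dc]
Oct 17 21:15:18 pluto pppd[8508]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.0.254>]
Oct 17 21:15:21 pluto pppd[8508]: sent [CCP TermReq id=0x3"No compression negotiated"]
"""

# One pppd trace line: "... pppd[pid]: <sent|rcvd> [<PROTO> <Code> id=0x.. <options...>]"
LINE_RE = re.compile(
    r"pppd\[\d+\]: (?P<dir>sent|rcvd) \[(?P<proto>[A-Z]+) (?P<code>\w+) "
    r"id=(?P<id>0x[0-9a-fA-F]+)(?P<rest>.*)\]$"
)
OPT_RE = re.compile(r"<([^>]*)>")


@dataclass
class Packet:
    direction: str   # "sent" by the local pppd or "rcvd" from the client
    proto: str       # LCP, CCP, IPCP, CHAP, ...
    code: str        # ConfReq, ConfRej, ConfNak, ConfAck, TermReq, ...
    ident: int
    options: list    # option bodies, e.g. "mppe +H -M -S -L -D +C"


def parse_pppd_log(text):
    """Extract the negotiation packets pppd logs when started with 'debug'."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line.rstrip())
        if not m:
            continue
        packets.append(Packet(
            m.group("dir"), m.group("proto"), m.group("code"),
            int(m.group("id"), 16), OPT_RE.findall(m.group("rest")),
        ))
    return packets


# pppd prints the MPPE option one "+X"/"-X" per bit (ccp.c): H = stateless mode,
# M = 56-bit key, S = 128-bit key, L = 40-bit key, D = obsolete bit, C = MPPC compression.
def mppe_flags(option):
    parts = option.split()
    if not parts or parts[0] != "mppe":
        return None
    return {p[1]: p[0] == "+" for p in parts[1:] if len(p) == 2 and p[0] in "+-"}


def diagnose_ccp(packets):
    """Summarise the CCP exchange: was MPPE requested, refused, agreed, or CCP torn down?"""
    result = {
        "peer_mppe_flags": None,      # what the client asked for, if anything
        "local_rejected_mppe": False,
        "mppe_agreed": False,
        "ccp_terminated": False,
        "verdict": "",
    }
    for p in packets:
        if p.proto != "CCP":
            continue
        mppe = next((o for o in p.options if o.startswith("mppe")), None)
        if p.direction == "rcvd" and p.code == "ConfReq" and mppe:
            result["peer_mppe_flags"] = mppe_flags(mppe)
        elif p.direction == "sent" and p.code == "ConfRej" and mppe:
            result["local_rejected_mppe"] = True
        elif p.code == "ConfAck" and mppe:
            result["mppe_agreed"] = True
        elif p.code == "TermReq":
            result["ccp_terminated"] = True
    if result["mppe_agreed"]:
        result["verdict"] = "MPPE negotiated on the PPP link"
    elif result["peer_mppe_flags"] and result["local_rejected_mppe"]:
        result["verdict"] = ("peer requested MPPE and local pppd rejected it; whether the call "
                             "survives depends on the client's 'require encryption' setting")
    elif result["ccp_terminated"]:
        result["verdict"] = "no compression or encryption negotiated at the PPP layer"
    else:
        result["verdict"] = "no CCP activity seen"
    return result


if __name__ == "__main__":
    for key, value in diagnose_ccp(parse_pppd_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On an L2TP/IPsec gateway the PPP layer is normally expected to run without MPPE, since the IPsec SA already encrypts the tunnel; the check above is useful to confirm that a failing call is the MPPE request/refusal discussed in this thread (the "No compression negotiated" TermReq shows up in the working log too) rather than something else, such as the non-graceful l2tpd exit in the other log.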