[Openswan Users] MacOSX 10.4.8/OpenSWAN 2.4.7/xl2tpd 1.1.06
Pepijn Oomen
oomen at piprograms.com
Mon Jan 15 13:17:12 EST 2007
Can anyone confirm if the following is working, or not? Or maybe give me
any hints on how to solve this?
Software being used:
Debian 3.1 (Sarge), Linux 2.4.27-3-686 #1 Wed Feb 8 12:40:33 UTC 2006
i686 GNU/Linux
OpenSWAN 2.4.7 (build from 1:2.4.6+dfsg.2-1 with sbuild against Sarge)
xl2tpd 1.1.0.6 (build based on 0.70-pre20031121-2.1)
ppp 2.4.3-20050321+2sarge1
I have everything working, but after one hour the connection is lost:
xl2tpd[30892]: Maximum retries exceeded for tunnel 46663. Closing.
Just before this, the actual IPSEC connection is successfully renewed, so
it seems to me like this is a timing issue in the xl2tpd code. The funny
thing is that this behavior is not 100% reproducible. Sometimes the
connection survives the first hour and then it usually survives the next
rekey-ings as well. The same behaviour is seen on multiple MacOSX
machines (with both failure and success, but most often failure after
one hour).
One thing that might be related is the following at about T+50min:
Jan 15 17:53:23 viking2 pluto[29559]: "l2tp"[63] 195.159.157.158 #70:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jan 15 17:53:23 viking2 pluto[29559]: "l2tp"[63] 195.159.157.158 #70:
responding to Quick Mode {msgid:bf6aa332}
Jan 15 17:53:23 viking2 pluto[29559]: "l2tp"[63] 195.159.157.158 #70:
cannot install eroute -- it is in use for "l2tp"[62] 195.159.157.158 #68
until this connection (#70) is taken down. This was reportedly causing
problems and fixed (ref. http://bugs.xelerance.com/view.php?id=450)
Relevant serverside configuration:
/etc/ipsec.conf
version 2

config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16

conn %default
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        type=transport
        leftrsasigkey=%cert
        leftcert=vpn.pem
        left=x.x.x.x
        leftnexthop=x.x.x.y
        leftprotoport=17/1701

conn l2tp
        auto=add
        rightrsasigkey=%cert
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
/etc/xl2tpd/xl2tpd.conf
[global]
        listen-addr = x.x.x.x

[lns default]
        ip range = 172.16.16.100-172.16.16.199
        local ip = 172.16.16.254
        require pap = yes
        refuse chap = yes
        require authentication = yes
        name = viking2
        ppp debug = yes
        pppoptfile = /etc/ppp/options.l2tpd.dhcp
        length bit = yes
/etc/ppp/options.l2tpd.dhcp
lock
crtscts
auth
require-pap
refuse-chap
refuse-mschap
refuse-mschap-v2
login
mtu 1400
mru 1400
proxyarp
nodefaultroute
ms-dns 172.16.16.19
ipcp-accept-local
plugin dhcpc.so
dhcp-interface eth1
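The post's diagnosis rests on timing: an xl2tpd "Maximum retries exceeded" drop shortly after pluto renegotiates the IPsec SA (Quick Mode, possibly with the "cannot install eroute" conflict). The script below is an added example, written for this page and not code from the post, Openswan or xl2tpd. It parses syslog lines in the two formats quoted above and, for every tunnel drop, lists the pluto rekey and eroute events in a preceding window, so a recurring drop-after-rekey pattern can be confirmed from the logs rather than from the wall clock. The log lines, timestamps, state numbers and the second tunnel id are constructed for the example; the year and the 10-minute default window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the pluto and xl2tpd messages quoted
# in the post; timestamps, state numbers and the second tunnel are invented.
SAMPLE_LOG = """\
Jan 15 17:53:23 viking2 pluto[29559]: "l2tp"[63] 195.159.157.158 #70: responding to Quick Mode {msgid:bf6aa332}
Jan 15 17:53:23 viking2 pluto[29559]: "l2tp"[63] 195.159.157.158 #70: cannot install eroute -- it is in use for "l2tp"[62] 195.159.157.158 #68
Jan 15 18:03:41 viking2 pluto[29559]: "l2tp"[64] 195.159.157.158 #71: responding to Quick Mode {msgid:1a2b3c4d}
Jan 15 18:05:10 viking2 xl2tpd[30892]: Maximum retries exceeded for tunnel 46663. Closing.
Jan 15 20:30:00 viking2 xl2tpd[30892]: Maximum retries exceeded for tunnel 12345. Closing.
"""

# Classic syslog lines carry no year; one is assumed so timestamps compare.
ASSUMED_YEAR = 2007

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
STATE_RE = re.compile(r"#(?P<state>\d+):")            # pluto state number "#70:"
DROP_RE = re.compile(r"Maximum retries exceeded for tunnel (?P<tunnel>\d+)")


def parse_syslog_line(line):
    """Split one syslog line into timestamp, host, program, pid and message; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "host": m.group("host"), "prog": m.group("prog"),
            "pid": int(m.group("pid")), "msg": m.group("msg")}


def classify(entry):
    """Tag an entry as a Quick Mode rekey, an eroute conflict, an L2TP tunnel drop, or nothing of interest."""
    msg = entry["msg"]
    entry["kind"] = None
    if entry["prog"] == "pluto":
        state = STATE_RE.search(msg)
        entry["state"] = state.group("state") if state else None
        if "responding to Quick Mode" in msg:
            entry["kind"] = "quick_mode"
        elif "cannot install eroute" in msg:
            entry["kind"] = "eroute_conflict"
    elif entry["prog"] == "xl2tpd":
        drop = DROP_RE.search(msg)
        entry["tunnel"] = drop.group("tunnel") if drop else None
        if drop:
            entry["kind"] = "l2tp_drop"
    return entry


def correlate(log_text, window_minutes=10):
    """For every xl2tpd tunnel drop, collect the pluto rekey/eroute events in the preceding window."""
    parsed = (parse_syslog_line(l) for l in log_text.splitlines())
    events = [classify(e) for e in parsed if e is not None]
    ipsec = [e for e in events if e["kind"] in ("quick_mode", "eroute_conflict")]
    findings = []
    for drop in (e for e in events if e["kind"] == "l2tp_drop"):
        preceding = [e for e in ipsec
                     if 0 <= (drop["ts"] - e["ts"]).total_seconds() <= window_minutes * 60]
        findings.append({"tunnel": drop["tunnel"], "ts": drop["ts"], "preceding": preceding})
    return findings


def suspicious(findings):
    """Keep only the drops that closely follow an IPsec rekey, the pattern described in the post."""
    return [f for f in findings if f["preceding"]]


if __name__ == "__main__":
    for f in suspicious(correlate(SAMPLE_LOG)):
        states = ", ".join(f"#{e['state']} {e['kind']}" for e in f["preceding"])
        print(f"{f['ts']:%b %d %H:%M:%S} tunnel {f['tunnel']} dropped after: {states}")
```

Widening `window_minutes` to cover the roughly ten minutes between the eroute conflict at T+50 and the drop at T+60 pulls the #70 events into the same finding, which is the correlation the post suspects.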