[Openswan Users] Disconnect issue for http requests
Richard Cox
conardcox at gmail.com
Wed Oct 31 15:41:27 EDT 2007
Hello,
I'm new to the list, since I just installed Openswan/xl2tpd a few days ago so I can access my home
system with my windows mobile 6 phone, using IPSEC/l2tp. I've actually got it working (mostly) in that
I can connect, start an ssh session (with pocket putty) and do simple things. There are, however, 2
issues that I'm running into that I need some help with. 1) I lose the connection frequently (this may
be my mobile phone data connection) and 2) every time I try to access the httpd server on my host
system, the connection immediately terminates.
The http access issue is the most puzzling to me. My immediate suspicion was that I had general
MTU issues, but having played with various combinations of MTU settings on both the ppp side and
the eth device on the Gentoo host, it seems to make no difference. This is what it looks like when I make
an http request (pocket I.E. explorer from the mobile phone). It does seem that when the
connection is lost, the Win 6 mobile phone is initiating the disconnect, or that's what I'm coming
away with from this log:
Oct 31 15:31:55 gipper pppd[26516]: Script /etc/ppp/ip-up started (pid 26519)
Oct 31 15:31:55 gipper pppd[26516]: Script /etc/ppp/ip-up finished (pid 26519), status = 0x0
Oct 31 15:31:55 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 284, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:56 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 284, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:57 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 284, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:57 gipper pppd[26516]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 31 15:31:57 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 25, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:57 gipper pppd[26516]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 31 15:31:57 gipper pppd[26516]: sent [CCP ConfReq id=0x2]
Oct 31 15:31:58 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 20, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:58 gipper pppd[26516]: rcvd [CCP ConfNak id=0x2 <mppe -H -M -S -L -D +C>]
Oct 31 15:31:58 gipper pppd[26516]: sent [CCP ConfReq id=0x3]
Oct 31 15:31:58 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 14, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:58 gipper pppd[26516]: rcvd [CCP ConfAck id=0x3]
Oct 31 15:32:00 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 87, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:32:36 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 16, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:32:36 gipper pppd[26516]: rcvd [LCP TermReq id=0x1]
Oct 31 15:32:36 gipper pppd[26516]: LCP terminated by peer
Oct 31 15:32:36 gipper pppd[26516]: Connect time 0.7 minutes.
Oct 31 15:32:36 gipper pppd[26516]: Sent 23 bytes, received 932 bytes.
Oct 31 15:32:36 gipper pppd[26516]: Script /etc/ppp/ip-down started (pid 26520)
Oct 31 15:32:36 gipper pppd[26516]: sent [LCP TermAck id=0x1]
Oct 31 15:32:36 gipper pppd[26516]: Script /etc/ppp/ip-down finished (pid 26520), status = 0x0
Oct 31 15:32:36 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 38, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:32:36 gipper xl2tpd[14493]: handle_avps: handling avp's for tunnel 51980, call 11292
Oct 31 15:32:36 gipper xl2tpd[14493]: message_type_avp: message type 14 (Call-Disconnect-Notify)
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: assigned_call_avp: using peer's call 1
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: message type is Call-Disconnect-Notify(14). Tunnel is 4, call is 1.
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: Connection closed to XXX.XXX.XXX.XXX, serial 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: Untrustingly terminating pppd: sending KILL signal to pid 26516
Oct 31 15:32:36 gipper xl2tpd[14493]: pppd 26516 successfully terminated
Oct 31 15:32:36 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 38, tunnel = 51980, call = 0 ref=0 refhim=0
Oct 31 15:32:36 gipper xl2tpd[14493]: handle_avps: handling avp's for tunnel 51980, call 39134
Oct 31 15:32:36 gipper xl2tpd[14493]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
Oct 31 15:32:36 gipper xl2tpd[14493]: assigned_tunnel_avp: using peer's tunnel 4
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 6 (Requester is being shut down), error = 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: message type is Stop-Control-Connection-Notification(4). Tunnel is 4, call is 0.
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: Connection closed to XXX.XXX.XXX.XXX, port 1701 (), Local: 51980, Remote: 4
Oct 31 15:32:36 gipper xl2tpd[14493]: build_fdset: closing down tunnel 51980
I'll give a quick description of my setup. I'm using Openswan (2.4.9-r1) and xl2tpd (1.1.12) on a
Gentoo Linux (NETWIN) host behind a NAT'ed firewall (NetGear FVX538v2), with IPSEC and l2tpd VPN
passthru enabled. I'm using a PSK setup for now, just to get things working. Here's the topology of
my layout:
Host server                  NAT'ed Firewall                    Phone/PDA
192.168.XXX.X <------------> 192.168.XXX.Y <-----------------> 192.168.ZZZ.N
Here are my configs:
[ipsec.conf]
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg: plutodebug="control parsing"
#
# ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
virtual_private=%v4:192.168.Y.0/24,%v4:!192.168.X.0/24
#
# enable this if you see "failed to find any available worker"
nhelpers=0
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/ipsec.d/examples/l2tp-psk-orgWIN2KXP.conf
[l2tp-psk-orgWIN2KXP.conf]
conn l2tp-psk-orgWIN2KXP
#
# Configuration for one user with the non-updated Windows 2000/XP.
#
#
# Use a Preshared Key. Disable Perfect Forward Secrecy.
#
authby=secret
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
rekey=no
# Do not enable the line below. It is implicitly used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
#
left=%defaultroute
leftnexthop=%defaultroute
# or you can use: left=YourIPAddress
#
# Required for original (non-updated) Windows 2000/XP clients.
# to support new clients as well, use leftprotoport=17/%any
leftprotoport=17/0
#
# The remote user.
#
right=%any
rightprotoport=17/1701
rightsubnet=vhost:%priv,%no
[xl2tpd.conf]
; l2tpd.conf
;
[global]
port = 1701
debug avp = yes
debug tunnel = yes
debug state = yes
debug network = yes
listen-addr = 0.0.0.0
[lns default]
ip range = 192.168.Y.A-192.168.Y.ZZZ
local ip = 192.168.Y.KK
hostname = my.external.dyndns.internet.name
require chap = yes
refuse pap = yes
require authentication = yes
name = fretensis
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
[ppp/options.xl2tpd]
ipcp-accept-local
ipcp-accept-remote
# ms-dns 192.168.X.Z
# noccp
auth
crtscts
idle 1800
mtu 1300
# mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
#silent
logfile /var/log/l2tpd.log
Any ideas about what to try would be appreciated.
Thanks,
Richard
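The log in the post shows three things worth pulling out when triaging a drop like this: which side sent the LCP TermReq (here it is received, so the phone tore the link down), what CCP actually settled on (the peer ConfNak'd asking for MPPE, then ConfAck'd an empty ConfReq, so no compression or MPPE option was agreed), and the L2TP result codes in the Call-Disconnect-Notify and Stop-Control-Connection-Notification. The parser below is an added example, not code from the post or from the Openswan/xl2tpd projects; its regexes are written against the pppd and xl2tpd message formats visible above, and the sample log is a constructed subset of those lines.

```python
"""Summarise a pppd/xl2tpd session: who tore the link down, what CCP
negotiated, and which L2TP result codes the peer sent.

Added example, not part of the original post. The regular expressions
assume the pppd/xl2tpd log formats shown in the post."""
import re

# Constructed sample: the pppd CCP/LCP lines and the xl2tpd AVP lines from the post.
SAMPLE_LOG = """\
Oct 31 15:31:57 gipper pppd[26516]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 31 15:31:57 gipper pppd[26516]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 31 15:31:57 gipper pppd[26516]: sent [CCP ConfReq id=0x2]
Oct 31 15:31:58 gipper pppd[26516]: rcvd [CCP ConfNak id=0x2 <mppe -H -M -S -L -D +C>]
Oct 31 15:31:58 gipper pppd[26516]: sent [CCP ConfReq id=0x3]
Oct 31 15:31:58 gipper pppd[26516]: rcvd [CCP ConfAck id=0x3]
Oct 31 15:32:36 gipper pppd[26516]: rcvd [LCP TermReq id=0x1]
Oct 31 15:32:36 gipper pppd[26516]: LCP terminated by peer
Oct 31 15:32:36 gipper pppd[26516]: Connect time 0.7 minutes.
Oct 31 15:32:36 gipper pppd[26516]: Sent 23 bytes, received 932 bytes.
Oct 31 15:32:36 gipper pppd[26516]: sent [LCP TermAck id=0x1]
Oct 31 15:32:36 gipper xl2tpd[14493]: message_type_avp: message type 14 (Call-Disconnect-Notify)
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
Oct 31 15:32:36 gipper xl2tpd[14493]: assigned_tunnel_avp: using peer's tunnel 4
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 6 (Requester is being shut down), error = 0 ()
"""

PPP_FRAME = re.compile(r"pppd\[\d+\]: (sent|rcvd) \[(\w+) (\w+) id=0x([0-9a-fA-F]+)(.*)\]$")
PPP_BYTES = re.compile(r"pppd\[\d+\]: Sent (\d+) bytes, received (\d+) bytes\.")
PPP_TIME = re.compile(r"pppd\[\d+\]: Connect time ([\d.]+) minutes\.")
L2TP_MSG = re.compile(r"xl2tpd\[\d+\]: message_type_avp: message type (\d+) \(([^)]+)\)")
L2TP_RESULT = re.compile(r"xl2tpd\[\d+\]: result_code_avp: peer closing for reason (\d+) \(([^)]+)\), error = (\d+)")


def parse_session(log_text):
    """Walk the log once and collect the facts a troubleshooter wants."""
    summary = {
        "lcp_termreq_from": None,   # "peer" if TermReq was received, "local" if pppd sent it
        "terminated_by": None,      # from pppd's own "LCP terminated by peer" line
        "peer_naked_mppe": False,   # peer answered a CCP ConfReq with a ConfNak proposing MPPE
        "ccp_acked_options": None,  # options in the ConfReq the peer finally ConfAck'd
        "bytes_sent": None,
        "bytes_received": None,
        "connect_minutes": None,
        "l2tp_close_reasons": [],   # (control message name, result code, result text)
    }
    sent_ccp = {}        # ConfReq id -> option list pppd offered under that id
    pending_msg = None   # last L2TP control message name still awaiting its result code

    for line in log_text.splitlines():
        m = PPP_FRAME.search(line)
        if m:
            direction, proto, code, ident, rest = m.groups()
            options = re.findall(r"<([^>]*)>", rest)
            if proto == "CCP":
                if direction == "sent" and code == "ConfReq":
                    sent_ccp[ident] = options
                elif direction == "rcvd" and code == "ConfNak":
                    summary["peer_naked_mppe"] = summary["peer_naked_mppe"] or any(
                        o.startswith("mppe") for o in options)
                elif direction == "rcvd" and code == "ConfAck":
                    summary["ccp_acked_options"] = sent_ccp.get(ident, [])
            elif proto == "LCP" and code == "TermReq":
                summary["lcp_termreq_from"] = "peer" if direction == "rcvd" else "local"
            continue
        if "LCP terminated by peer" in line:
            summary["terminated_by"] = "peer"
            continue
        m = PPP_BYTES.search(line)
        if m:
            summary["bytes_sent"], summary["bytes_received"] = int(m.group(1)), int(m.group(2))
            continue
        m = PPP_TIME.search(line)
        if m:
            summary["connect_minutes"] = float(m.group(1))
            continue
        m = L2TP_MSG.search(line)
        if m:
            pending_msg = m.group(2)
            continue
        m = L2TP_RESULT.search(line)
        if m and pending_msg is not None:
            summary["l2tp_close_reasons"].append((pending_msg, int(m.group(1)), m.group(2)))
            pending_msg = None
    return summary


def findings(summary):
    """Turn the parsed summary into short, human-readable triage notes."""
    notes = []
    if summary["lcp_termreq_from"] == "peer":
        notes.append("peer sent LCP TermReq: the client, not pppd, tore the link down")
    if summary["peer_naked_mppe"] and summary["ccp_acked_options"] == []:
        notes.append("peer asked for MPPE, but CCP was ConfAck'd with no options (no compression, no MPPE)")
    for name, code, text in summary["l2tp_close_reasons"]:
        notes.append(f"{name}: result code {code} ({text})")
    if summary["bytes_sent"] is not None:
        notes.append(f"pppd sent {summary['bytes_sent']} bytes, received {summary['bytes_received']} bytes")
    return notes


if __name__ == "__main__":
    for note in findings(parse_session(SAMPLE_LOG)):
        print(note)
```

Run it against the full syslog extract (`python parse_ppp.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to compare several drops side by side; if every drop shows a received TermReq and the same CCP outcome, the client's view of the negotiation is the place to look next, whereas a mix of sent and received TermReqs points back at the data link.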