[Openswan Users] Disconnect issue for http requests

Richard Cox conardcox at gmail.com
Wed Oct 31 15:41:27 EDT 2007


Hello,
	I'm new to the list, since I just installed Openswan/xl2tpd a few days ago so I can access my home 
system with my Windows Mobile 6 phone, using IPSEC/L2TP.  I've actually got it working (mostly) in that 
I can connect, start an ssh session (with pocket putty) and do simple things.  There are, however, 2 
issues that I'm running into that I need some help with.  1)  I lose the connection frequently (this may 
be my mobile phone data connection) and 2)  every time I try to access the httpd server on my host 
system, the connection immediately terminates.  

  The http access issue is the most puzzling to me.  My immediate suspicion was that I had general
MTU issues, but having played with various combinations of MTU settings on both the ppp side and
the eth device on the Gentoo host, it seems to make no difference.  This is what it looks like when I make
an http request (Pocket I.E. from the mobile phone).  It does seem that when the 
connection is lost, the Win 6 mobile phone is initiating the disconnect, or that's what I'm coming 
away with from this log:

Oct 31 15:31:55 gipper pppd[26516]: Script /etc/ppp/ip-up started (pid 26519)
Oct 31 15:31:55 gipper pppd[26516]: Script /etc/ppp/ip-up finished (pid 26519), status = 0x0
Oct 31 15:31:55 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 284, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:56 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 284, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:57 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 284, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:57 gipper pppd[26516]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 31 15:31:57 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 25, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:57 gipper pppd[26516]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 31 15:31:57 gipper pppd[26516]: sent [CCP ConfReq id=0x2]
Oct 31 15:31:58 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 20, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:58 gipper pppd[26516]: rcvd [CCP ConfNak id=0x2 <mppe -H -M -S -L -D +C>]
Oct 31 15:31:58 gipper pppd[26516]: sent [CCP ConfReq id=0x3]
Oct 31 15:31:58 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 14, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:31:58 gipper pppd[26516]: rcvd [CCP ConfAck id=0x3]
Oct 31 15:32:00 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 87, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:32:36 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 16, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:32:36 gipper pppd[26516]: rcvd [LCP TermReq id=0x1]
Oct 31 15:32:36 gipper pppd[26516]: LCP terminated by peer
Oct 31 15:32:36 gipper pppd[26516]: Connect time 0.7 minutes.
Oct 31 15:32:36 gipper pppd[26516]: Sent 23 bytes, received 932 bytes.
Oct 31 15:32:36 gipper pppd[26516]: Script /etc/ppp/ip-down started (pid 26520)
Oct 31 15:32:36 gipper pppd[26516]: sent [LCP TermAck id=0x1]
Oct 31 15:32:36 gipper pppd[26516]: Script /etc/ppp/ip-down finished (pid 26520), status = 0x0
Oct 31 15:32:36 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 38, tunnel = 51980, call = 11292 ref=0 refhim=0
Oct 31 15:32:36 gipper xl2tpd[14493]: handle_avps: handling avp's for tunnel 51980, call 11292
Oct 31 15:32:36 gipper xl2tpd[14493]: message_type_avp: message type 14 (Call-Disconnect-Notify)
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: assigned_call_avp: using peer's call 1
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: message type is Call-Disconnect-Notify(14).  Tunnel is 4, call is 1.
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: Connection closed to XXX.XXX.XXX.XXX, serial 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: Untrustingly terminating pppd: sending KILL signal to pid 26516
Oct 31 15:32:36 gipper xl2tpd[14493]: pppd 26516 successfully terminated
Oct 31 15:32:36 gipper xl2tpd[14493]: network_thread: recv packet from XXX.XXX.XXX.XXX, size = 38, tunnel = 51980, call = 0 ref=0 refhim=0
Oct 31 15:32:36 gipper xl2tpd[14493]: handle_avps: handling avp's for tunnel 51980, call 39134
Oct 31 15:32:36 gipper xl2tpd[14493]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
Oct 31 15:32:36 gipper xl2tpd[14493]: assigned_tunnel_avp: using peer's tunnel 4
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 6 (Requester is being shut down), error = 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: message type is Stop-Control-Connection-Notification(4).  Tunnel is 4, call is 0.
Oct 31 15:32:36 gipper xl2tpd[14493]: control_finish: Connection closed to XXX.XXX.XXX.XXX, port 1701 (), Local: 51980, Remote: 4
Oct 31 15:32:36 gipper xl2tpd[14493]: build_fdset: closing down tunnel 51980
 
	I'll give a quick description of my setup.  I'm using Openswan (2.4.9-r1) and xl2tpd (1.1.12) on a 
Gentoo Linux (NETWIN) host behind a NAT'ed firewall (NetGear FVX538v2), with IPSEC and L2TP VPN 
passthru enabled.  I'm using a PSK setup for now, just to get things working.  Here's the topology of 
my layout:

         Host server                              NAT'ed Firewall                             Phone/PDA                   
        192.168.XXX.X  <------------>  192.168.XXX.Y  <-----------------> 192.168.ZZZ.N   

	Here are my configs:

[ipsec.conf]

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        virtual_private=%v4:192.168.Y.0/24,%v4:!192.168.X.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/ipsec.d/examples/l2tp-psk-orgWIN2KXP.conf

[l2tp-psk-orgWIN2KXP.conf]

conn l2tp-psk-orgWIN2KXP
        #
        # Configuration for one user with the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        authby=secret
        pfs=no
        auto=add
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Do not enable the line below. It is implicitly used, and
        # specifying it will currently break when using nat-t.
        # type=transport. See http://bugs.xelerance.com/view.php?id=466
        #
        left=%defaultroute
        leftnexthop=%defaultroute
        # or you can use: left=YourIPAddress
        #
        # Required for original (non-updated) Windows 2000/XP clients.
        # to support new clients as well, use leftprotoport=17/%any
        leftprotoport=17/0
        #
        # The remote user.
        #
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no

[xl2tpd.conf]
; l2tpd.conf
;
[global]
port = 1701
debug avp = yes
debug tunnel = yes
debug state = yes
debug network = yes
listen-addr = 0.0.0.0

[lns default]
ip range = 192.168.Y.A-192.168.Y.ZZZ
local ip = 192.168.Y.KK
hostname = my.external.dyndns.internet.name
require chap = yes
refuse pap = yes
require authentication = yes
name = fretensis
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

[ppp/options.xl2tpd]
ipcp-accept-local
ipcp-accept-remote
# ms-dns 192.168.X.Z
# noccp
auth
crtscts
idle 1800
mtu 1300
# mru 1400
+mschap-v2
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
#silent
logfile /var/log/l2tpd.log

Any ideas about what to try would be appreciated.

Thanks,

Richard
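Added example (not part of the original post): a small Python summariser for the pppd/xl2tpd syslog excerpt above, so a teardown like this can be read mechanically rather than by eye. It reports who sent the LCP TermReq (a received TermReq means the peer tore the link down), the L2TP result codes xl2tpd logged, whether xl2tpd then killed pppd, the ip-up to ip-down duration, and the byte counters. The sample lines are a constructed, trimmed copy of the log in the post; the year is assumed since syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample: trimmed copy of the pppd/xl2tpd lines quoted in the post.
SAMPLE_LOG = """\
Oct 31 15:31:55 gipper pppd[26516]: Script /etc/ppp/ip-up finished (pid 26519), status = 0x0
Oct 31 15:31:58 gipper pppd[26516]: rcvd [CCP ConfAck id=0x3]
Oct 31 15:32:36 gipper pppd[26516]: rcvd [LCP TermReq id=0x1]
Oct 31 15:32:36 gipper pppd[26516]: LCP terminated by peer
Oct 31 15:32:36 gipper pppd[26516]: Sent 23 bytes, received 932 bytes.
Oct 31 15:32:36 gipper pppd[26516]: Script /etc/ppp/ip-down started (pid 26520)
Oct 31 15:32:36 gipper pppd[26516]: sent [LCP TermAck id=0x1]
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
Oct 31 15:32:36 gipper xl2tpd[14493]: Untrustingly terminating pppd: sending KILL signal to pid 26516
Oct 31 15:32:36 gipper xl2tpd[14493]: result_code_avp: peer closing for reason 6 (Requester is being shut down), error = 0 ()
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (pppd|xl2tpd)\[\d+\]: (.*)$")
TERM_RE = re.compile(r"(sent|rcvd) \[LCP (TermReq|TermAck) id=0x[0-9a-f]+\]")
REASON_RE = re.compile(r"result_code_avp: peer closing for reason (\d+) \(([^)]*)\)")
BYTES_RE = re.compile(r"Sent (\d+) bytes, received (\d+) bytes")

def analyze_session(log_text, year=2007):
    """Summarise one PPP/L2TP session teardown from syslog lines (year is assumed)."""
    s = {"initiator": None, "l2tp_reasons": [], "pppd_killed_by_xl2tpd": False,
         "up_at": None, "down_at": None, "seconds_up": None, "bytes": None}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if "ip-up finished" in msg:
            s["up_at"] = ts
        elif "ip-down started" in msg:
            s["down_at"] = ts
        t = TERM_RE.search(msg)
        if t and t.group(2) == "TermReq" and s["initiator"] is None:
            # A TermReq pppd *received* means the remote end (the phone) closed LCP.
            s["initiator"] = "peer" if t.group(1) == "rcvd" else "local"
        r = REASON_RE.search(msg)
        if r:  # L2TP result codes from Call-Disconnect-Notify / StopCCN
            s["l2tp_reasons"].append((int(r.group(1)), r.group(2)))
        b = BYTES_RE.search(msg)
        if b:  # (sent, received) as pppd reports them for the session
            s["bytes"] = (int(b.group(1)), int(b.group(2)))
        if "Untrustingly terminating pppd" in msg:
            s["pppd_killed_by_xl2tpd"] = True
    if s["up_at"] and s["down_at"]:
        s["seconds_up"] = int((s["down_at"] - s["up_at"]).total_seconds())
    return s
```

Comparing the summaries of several disconnects (one per HTTP attempt, one per idle drop) shows whether the initiator and result codes are always the same, which separates a client-side teardown from a link or MTU problem.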

