[Openswan Users] L2TP problem... I think
Andrew Tolboe
tolboe at reaction-eng.com
Thu Feb 28 20:01:32 EST 2008
I have an L2TP/IPSEC VPN that I'm trying to set up that's on our
firewall/gateway. The ip address of the gateway is ***.***.103.174 and
we have a number of public ip addresses. The VPN works fine as long as
I'm on the same subnet as above (another one of our public IP
addresses), so I'm outside the firewall but still within our public ip
address subnet. But as soon as I go farther than that (like at home)
the VPN stops working.
At one point I tested the VPN with CHAP authentication (before I tried
to set up pppd to connect to a radius server) and it worked from
off-site. However, once that radius stuff was set up it only worked from
within our public subnet. I have since tried disabling the radius
server stuff and going back to CHAP and I still get the same results.
On the client everything connects and seems to work; however, if you
look at packets sent it quickly goes into the 10,000 range with only 250
received (tunnel lost?) and the tunnel drops.
Here are the logs from the server for l2tpd
Feb 27 22:21:39 firewall l2tpd[22760]: ourtid = 11517, entropy_buf = 2cfd
Feb 27 22:21:39 firewall l2tpd[22760]: check_control: control, cid = 0, Ns = 0, Nr = 0
Feb 27 22:21:39 firewall l2tpd[22760]: handle_avps: handling avp's for tunnel 11517, call 0
Feb 27 22:21:39 firewall l2tpd[22760]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Feb 27 22:21:39 firewall l2tpd[22760]: protocol_version_avp: peer is using version 1, revision 0.
Feb 27 22:21:39 firewall l2tpd[22760]: framing_caps_avp: supported peer frames: sync
Feb 27 22:21:39 firewall l2tpd[22760]: bearer_caps_avp: supported peer bearers:
Feb 27 22:21:39 firewall l2tpd[22760]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
Feb 27 22:21:39 firewall l2tpd[22760]: hostname_avp: peer reports hostname 'greifswald'
Feb 27 22:21:39 firewall l2tpd[22760]: vendor_avp: peer reports vendor 'Microsoft'
Feb 27 22:21:39 firewall l2tpd[22760]: assigned_tunnel_avp: using peer's tunnel 2
Feb 27 22:21:39 firewall l2tpd[22760]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
Feb 27 22:21:40 firewall l2tpd[22760]: ourtid = 48408, entropy_buf = bd18
Feb 27 22:21:40 firewall l2tpd[22760]: check_control: control, cid = 0, Ns = 0, Nr = 0
Feb 27 22:21:40 firewall l2tpd[22760]: handle_avps: handling avp's for tunnel 48408, call 0
Feb 27 22:21:40 firewall l2tpd[22760]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Feb 27 22:21:40 firewall l2tpd[22760]: protocol_version_avp: peer is using version 1, revision 0.
Feb 27 22:21:40 firewall l2tpd[22760]: framing_caps_avp: supported peer frames: sync
Feb 27 22:21:40 firewall l2tpd[22760]: bearer_caps_avp: supported peer bearers:
Feb 27 22:21:40 firewall l2tpd[22760]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
Feb 27 22:21:40 firewall l2tpd[22760]: hostname_avp: peer reports hostname 'greifswald'
Feb 27 22:21:40 firewall l2tpd[22760]: vendor_avp: peer reports vendor 'Microsoft'
Feb 27 22:21:40 firewall l2tpd[22760]: assigned_tunnel_avp: using peer's tunnel 2
Feb 27 22:21:40 firewall l2tpd[22760]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
Feb 27 22:21:40 firewall l2tpd[22760]: control_finish: Peer requested tunnel 2 twice, ignoring second one.
Feb 27 22:21:40 firewall l2tpd[22760]: check_control: control, cid = 0, Ns = 1, Nr = 1
Feb 27 22:21:40 firewall l2tpd[22760]: handle_avps: handling avp's for tunnel 11517, call 0
Feb 27 22:21:40 firewall l2tpd[22760]: message_type_avp: message type 3 (Start-Control-Connection-Connected)
Feb 27 22:21:40 firewall l2tpd[22760]: check_control: control, cid = 0, Ns = 2, Nr = 1
Feb 27 22:21:40 firewall l2tpd[22760]: handle_avps: handling avp's for tunnel 11517, call 0
Feb 27 22:21:40 firewall l2tpd[22760]: message_type_avp: message type 10 (Incoming-Call-Request)
Feb 27 22:21:40 firewall l2tpd[22760]: message_type_avp: new incoming call
Feb 27 22:21:40 firewall l2tpd[22760]: ourcid = 31722, entropy_buf = 7bea
Feb 27 22:21:40 firewall l2tpd[22760]: assigned_session_avp: assigned session id: 1
Feb 27 22:21:40 firewall l2tpd[22760]: call_serno_avp: serial number is 0
Feb 27 22:21:40 firewall l2tpd[22760]: bearer_type_avp: peer bears: analog
Feb 27 22:21:40 firewall l2tpd[22760]: check_control: control, cid = 0, Ns = 3, Nr = 1
Feb 27 22:21:40 firewall l2tpd[22760]: check_control: control, cid = 1, Ns = 3, Nr = 2
Feb 27 22:21:40 firewall l2tpd[22760]: handle_avps: handling avp's for tunnel 11517, call 31722
Feb 27 22:21:40 firewall l2tpd[22760]: message_type_avp: message type 12 (Incoming-Call-Connected)
Feb 27 22:21:40 firewall l2tpd[22760]: tx_speed_avp: transmit baud rate is 54000000
Feb 27 22:21:40 firewall l2tpd[22760]: frame_type_avp: peer uses:sync frames
Feb 27 22:21:40 firewall l2tpd[22760]: ignore_avp : Ignoring AVP
Feb 27 22:21:40 firewall l2tpd[22760]: start_pppd: I'm running:
Feb 27 22:21:40 firewall l2tpd[22760]: "/usr/sbin/pppd"
Feb 27 22:21:40 firewall l2tpd[22760]: "passive"
Feb 27 22:21:40 firewall l2tpd[22760]: "nodetach"
Feb 27 22:21:40 firewall l2tpd[22760]: "192.168.0.3:192.168.0.248"
Feb 27 22:21:40 firewall l2tpd[22760]: "debug"
Feb 27 22:21:40 firewall l2tpd[22760]: "file"
Feb 27 22:21:40 firewall l2tpd[22760]: "/etc/ppp/options.l2tpd"
Feb 27 22:21:40 firewall l2tpd[22760]:
Feb 27 22:21:40 firewall pppd[22773]: using channel 86
Feb 27 22:21:40 firewall pppd[22773]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0xc10bbb12> <pcomp> <accomp>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x582f12a4> <pcomp> <accomp> <callback CBCP>]
Feb 27 22:21:40 firewall pppd[22773]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0xc10bbb12> <pcomp> <accomp>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x582f12a4> <pcomp> <accomp>]
Feb 27 22:21:40 firewall pppd[22773]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x582f12a4> <pcomp> <accomp>]
Feb 27 22:21:40 firewall pppd[22773]: sent [LCP EchoReq id=0x0 magic=0xc10bbb12]
Feb 27 22:21:40 firewall pppd[22773]: sent [CHAP Challenge id=0x15 <cfd4cbc8b0e7efc0d468963884ba4b63>, name = "gateway"]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [LCP Ident id=0x2 magic=0x582f12a4 "MSRASV5.10"]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [LCP Ident id=0x3 magic=0x582f12a4 "MSRAS-0-GREIFSWALD"]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [LCP EchoRep id=0x0 magic=0x582f12a4]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [CHAP Response id=0x15 <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>, name = "*****"]
Feb 27 22:21:40 firewall pppd[22773]: sent [CHAP Success id=0x15 "S=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
Feb 27 22:21:40 firewall pppd[22773]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Feb 27 22:21:40 firewall pppd[22773]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.0.3>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
Feb 27 22:21:40 firewall pppd[22773]: sent [CCP ConfRej id=0x4 <mppe +H -M -S -L -D +C>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Feb 27 22:21:40 firewall pppd[22773]: sent [IPCP ConfNak id=0x5 <addr 192.168.0.248> <ms-dns1 192.168.0.6> <ms-wins 192.168.0.6> <ms-dns3 192.168.0.5> <ms-wins 192.168.0.6>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Feb 27 22:21:40 firewall pppd[22773]: sent [CCP ConfReq id=0x2]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Feb 27 22:21:40 firewall pppd[22773]: sent [IPCP ConfReq id=0x2 <addr 192.168.0.3>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [CCP TermReq id=0x6"X/\022\37777777644\000<\37777777715t\000\000\002\37777777734"]
Feb 27 22:21:40 firewall pppd[22773]: sent [CCP TermAck id=0x6]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [IPCP ConfReq id=0x7 <addr 192.168.0.248> <ms-dns1 192.168.0.6> <ms-wins 192.168.0.6> <ms-dns3 192.168.0.5> <ms-wins 192.168.0.6>]
Feb 27 22:21:40 firewall pppd[22773]: sent [IPCP ConfAck id=0x7 <addr 192.168.0.248> <ms-dns1 192.168.0.6> <ms-wins 192.168.0.6> <ms-dns3 192.168.0.5> <ms-wins 192.168.0.6>]
Feb 27 22:21:40 firewall pppd[22773]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.0.3>]
Feb 27 22:21:40 firewall pppd[22773]: Script /etc/ppp/ip-up started (pid 22777)
Feb 27 22:21:40 firewall pppd[22773]: Script /etc/ppp/ip-up finished (pid 22777), status = 0x0
Feb 27 22:21:43 firewall pppd[22773]: sent [CCP ConfReq id=0x2]
Feb 27 22:21:58 firewall last message repeated 5 times
Feb 27 22:22:00 firewall pppd[22773]: rcvd [LCP TermReq id=0x8 "X/\022\37777777644\000<\37777777715t\000\000\000\000"]
Feb 27 22:22:00 firewall pppd[22773]: Script /etc/ppp/ip-down started (pid 22783)
Feb 27 22:22:00 firewall pppd[22773]: sent [LCP TermAck id=0x8]
Feb 27 22:22:00 firewall pppd[22773]: Script /etc/ppp/ip-down finished (pid 22783), status = 0x0
Feb 27 22:22:02 firewall pppd[22773]: rcvd [LCP TermReq id=0x9 "X/\022\37777777644\000<\37777777715t\000\000\000\000"]
Feb 27 22:22:02 firewall pppd[22773]: sent [LCP TermAck id=0x9]
Feb 27 22:22:03 firewall l2tpd[22760]: child_handler : pppd exited for call 1 with code 16
Feb 27 22:22:03 firewall l2tpd[22760]: write_packet: tty is not open yet.
Feb 27 22:22:03 firewall l2tpd[22760]: write_packet: tty is not open yet.
Feb 27 22:22:04 firewall l2tpd[22760]: check_control: control, cid = 1, Ns = 4, Nr = 2
Feb 27 22:22:04 firewall l2tpd[22760]: handle_avps: handling avp's for tunnel 11517, call 31722
Feb 27 22:22:04 firewall l2tpd[22760]: message_type_avp: message type 14 (Call-Disconnect-Notify)
Feb 27 22:22:04 firewall l2tpd[22760]: result_code_avp: peer closing for reason 3 (Call disconnected for administrative reasons), error = 0 ()
Feb 27 22:22:04 firewall l2tpd[22760]: assigned_session_avp: assigned session id: 1
Feb 27 22:22:04 firewall l2tpd[22760]: control_finish: Peer tried to disconnect without specifying call ID
Feb 27 22:22:08 firewall l2tpd[22760]: control_xmit: Maximum retries exceeded for tunnel 11517. Closing.
Feb 27 22:22:13 firewall l2tpd[22760]: control_xmit: Unable to deliver closing message for tunnel 11517. Destroying anyway.
Feb 27 22:22:14 firewall l2tpd[22760]: get_call:can't find tunnel 11517
Feb 27 22:22:14 firewall l2tpd[22760]: network_thread: unable to find call or tunnel to handle packet. call = 31722, tunnel = 11517 Dumping.
Feb 27 22:22:24 firewall l2tpd[22760]: get_call:can't find tunnel 11517
Feb 27 22:22:24 firewall l2tpd[22760]: network_thread: unable to find call or tunnel to handle packet. call = 31722, tunnel = 11517 Dumping.
And the IPSEC log
Feb 27 22:21:38 firewall pluto[22666]: packet from 155.98.80.197:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 27 22:21:38 firewall pluto[22666]: packet from 155.98.80.197:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 27 22:21:38 firewall pluto[22666]: packet from 155.98.80.197:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 27 22:21:38 firewall pluto[22666]: packet from 155.98.80.197:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: responding to Main Mode from unknown peer 155.98.80.197
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=**, ST=*, L=* O=*, CN=*, E=*'
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: no crl from issuer "C=**, ST=*, L=* O=*, CN=*, E=*" found (strict=no)
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[1] 155.98.80.197 #1: switched from "l2tp-X.509" to "l2tp-X.509"
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #1: deleting connection "l2tp-X.509" instance with peer 155.98.80.197 {isakmp=#0/ipsec=#0}
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #1: I am sending my cert
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #2: responding to Quick Mode {msgid:6aacc4a2}
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 27 22:21:38 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 27 22:21:39 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 27 22:21:39 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x3900c97f <0xf27d3fce xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Feb 27 22:22:14 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #1: received Delete SA(0x3900c97f) payload: deleting IPSEC State #2
Feb 27 22:22:14 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #1: received and ignored informational message
Feb 27 22:22:14 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197 #1: received Delete SA payload: deleting ISAKMP State #1
Feb 27 22:22:14 firewall pluto[22666]: "l2tp-X.509"[2] 155.98.80.197: deleting connection "l2tp-X.509" instance with peer 155.98.80.197 {isakmp=#0/ipsec=#0}
Feb 27 22:22:14 firewall pluto[22666]: packet from 155.98.80.197:500: received and ignored informational message
Feb 27 22:22:14 firewall pluto[22666]: ERROR: asynchronous network error report on br0 (sport=500) for message to 155.98.80.197 port 500, complainant 166.70.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Feb 27 22:22:14 firewall pluto[22666]: ERROR: asynchronous network error report on br0 (sport=500) for message to 155.98.80.197 port 500, complainant 166.70.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
IPSEC Config
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    #
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0

# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
include /etc/ipsec.d/examples/l2tp-cert.conf
# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
no_oe.conf
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
l2tp-cert.conf
conn l2tp-X.509
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Do not enable the line below. It is implicitly used, and
    # specifying it will currently break when using nat-t.
    # type=transport. See http://bugs.xelerance.com/view.php?id=466
    #
    left=%defaultroute
    # or you can use: left=YourIPAddress
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/gateway.reaction-eng.com.pem
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no
options.l2tpd
ms-dns 192.168.0.6
ms-dns 192.168.0.5
ms-wins 192.168.0.6
auth
crtscts
lock
mru 1400
mtu 1400
nodetach
debug
proxyarp
ipcp-accept-local
ipcp-accept-remote
idle 1800
connect-delay 5000
nodefaultroute
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
nologfd
noccp
plugin radius.so
l2tpd.conf
[global]
; Global parameters:
listen-addr = ***.***.103.174
port = 1701 ; * Bind to port 1701
[lns default]
ip range = 192.168.0.248 - 192.168.0.254
local ip = 192.168.0.3
name = gateway
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
Thanks for everyone's time
-Andrew T.
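An added triage helper, not part of the original post and not code from Openswan, l2tpd or pppd: it parses a few syslog lines modelled on the l2tpd, pppd and pluto output quoted above and flags the symptoms a responder would check first (a retransmitted SCCRQ, PPP ConfReqs that go unanswered, a peer-initiated LCP TermReq, and ICMP unreachable errors reported back to pluto). The sample lines are constructed from the post; the pattern names and finding texts are assumptions of this example.

```python
import re

# Constructed sample, modelled on the l2tpd/pppd/pluto lines quoted in the post.
SAMPLE_LOG = """\
Feb 27 22:21:39 firewall l2tpd[22760]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Feb 27 22:21:40 firewall l2tpd[22760]: message_type_avp: message type 1 (Start-Control-Connection-Request)
Feb 27 22:21:40 firewall l2tpd[22760]: control_finish: Peer requested tunnel 2 twice, ignoring second one.
Feb 27 22:21:40 firewall pppd[22773]: sent [CCP ConfReq id=0x2]
Feb 27 22:21:43 firewall pppd[22773]: sent [CCP ConfReq id=0x2]
Feb 27 22:21:58 firewall last message repeated 5 times
Feb 27 22:22:00 firewall pppd[22773]: rcvd [LCP TermReq id=0x8 "X/"]
Feb 27 22:22:14 firewall pluto[22666]: ERROR: asynchronous network error report on br0 (sport=500) for message to 155.98.80.197 port 500, complainant 166.70.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# "proc[pid]: msg"; lines without it (e.g. "last message repeated") are syslog's own
PROC_RE = re.compile(r"^(?P<proc>[a-z0-9_]+)\[\d+\]: (?P<msg>.*)$")
SENT_RE = re.compile(r"sent \[(\w+ \w+) id=(0x[0-9a-f]+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
ICMP_RE = re.compile(r"No route to host .*origin ICMP type (\d+) code (\d+)")


def parse(text):
    """Split syslog text into {ts, proc, msg} dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PROC_RE.match(m["rest"])
        if pm:
            events.append({"ts": m["ts"], "proc": pm["proc"], "msg": pm["msg"]})
        else:
            events.append({"ts": m["ts"], "proc": "syslog", "msg": m["rest"]})
    return events


def triage(events):
    """Return human-readable findings for the failure patterns seen in the post."""
    findings = []
    last_sent = None  # most recent PPP packet pppd reported sending
    for ev in events:
        proc, msg = ev["proc"], ev["msg"]
        if proc == "l2tpd" and "Peer requested tunnel" in msg and "twice" in msg:
            findings.append("duplicate SCCRQ: client retransmitted tunnel setup, "
                            "so the server's reply may not be reaching it")
        elif proc == "pppd" and (sm := SENT_RE.search(msg)):
            last_sent = f"{sm.group(1)} id={sm.group(2)}"
        elif proc == "pppd" and "rcvd [LCP TermReq" in msg:
            findings.append("peer tore down the PPP link (LCP TermReq received)")
        elif proc == "syslog" and (rm := REPEAT_RE.match(msg)) and last_sent:
            findings.append(f"unanswered retransmits: {last_sent} repeated "
                            f"{rm.group(1)} more times")
        elif proc == "pluto" and (im := ICMP_RE.search(msg)):
            findings.append(f"ICMP unreachable type {im.group(1)} code {im.group(2)} "
                            "reported to pluto: return path to the client is broken")
    return findings
```

Run `triage(parse(open("/var/log/messages").read()))` against a real capture to get the same four categories of finding in timestamp order.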