[Openswan Users] Openswan + xl2tpd + Sonicwall

Petteri Heinonen petteri.j.heinonen at kolumbus.fi
Thu Nov 12 12:22:28 EST 2009


Hello list users.

I have been struggling with this Sonicwall + Openswan combo for some 
time now, and frustration begins to raise its ugly head. I'll first try 
to describe the configuration I have in hand. In our company we use 
Sonicwall as the VPN solution. Windows clients use Sonicwall's own VPN 
client, and now the same functionality would be needed for Linux 
clients. On Sonicwall side, one VLAN with its own address block is used 
for VPN clients; Windows clients get an address from that block via DHCP 
over IPSec. If I have understood correctly, Openswan does not support 
DHCP over IPSec, and thus L2TP + PPP would be needed.

The current situation is that IPSec transport tunnel opens up ok (see 
logs below). However, when I try to open L2TP connection, xl2tpd tries 
to connect, but ends with error message:

Nov 12 19:08:59 ltft-localit xl2tpd[11058]: Maximum retries exceeded for 
tunnel 29592.  Closing.

I have monitored the traffic using tshark. From there I can see that 
some data is indeed sent over the transport tunnel to server side, but 
no replies whatsoever are coming back.

Below are some configuration details and logs about the situation. Any 
help would be greatly appreciated.

Regards, Petteri Heinonen

ipsec.conf:

config setup
        protostack=netkey
        interfaces=%defaultroute
conn L2TP-PSK-CLIENT
        connaddrfamily=ipv4
        type=transport
        authby=secret
        leftid=@GroupVPN
        left=%defaultroute
        rekey=yes
        keyingtries=3
        pfs=no
        leftprotoport=17/1701
        rightid=@<SONICWALLIDHERE>
        right=<Sonicwall public IP>
        rightprotoport=17/1701
        auto=add

ipsec log when started and transport tunnel opened:

Nov 12 19:14:05 ltft-localit ipsec__plutorun: Starting Pluto subsystem...
Nov 12 19:14:05 ltft-localit pluto[11548]: Starting Pluto (Openswan 
Version 2.6.22; Vendor ID OElj@]rTMBuM) pid:11548
Nov 12 19:14:05 ltft-localit pluto[11548]: Setting NAT-Traversal 
port-4500 floating to off
Nov 12 19:14:05 ltft-localit pluto[11548]:    port floating activation 
criteria nat_t=0/port_float=1
Nov 12 19:14:05 ltft-localit pluto[11548]:    including NAT-Traversal 
patch (Version 0.6c) [disabled]
Nov 12 19:14:05 ltft-localit pluto[11548]: using /dev/urandom as source 
of random entropy
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_hash(): 
Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_hash(): 
Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: starting up 1 cryptographic 
helpers
Nov 12 19:14:05 ltft-localit pluto[11548]: started helper pid=11553 (fd:7)
Nov 12 19:14:05 ltft-localit pluto[11548]: Using Linux 2.6 IPsec 
interface code on 2.6.31-14-generic (experimental code)
Nov 12 19:14:05 ltft-localit pluto[11553]: using /dev/urandom as source 
of random entropy
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating <NULL>: Ok (ret=0)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_add(): ERROR: 
Algorithm already exists
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating <NULL>: FAILED (ret=-17)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_add(): ERROR: 
Algorithm already exists
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating <NULL>: FAILED (ret=-17)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_add(): ERROR: 
Algorithm already exists
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating <NULL>: FAILED (ret=-17)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_add(): ERROR: 
Algorithm already exists
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating <NULL>: FAILED (ret=-17)
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_add(): ERROR: 
Algorithm already exists
Nov 12 19:14:05 ltft-localit pluto[11548]: ike_alg_register_enc(): 
Activating <NULL>: FAILED (ret=-17)
Nov 12 19:14:05 ltft-localit pluto[11548]: Changed path to directory 
'/etc/ipsec.d/cacerts'
Nov 12 19:14:05 ltft-localit pluto[11548]: Changed path to directory 
'/etc/ipsec.d/aacerts'
Nov 12 19:14:05 ltft-localit pluto[11548]: Changed path to directory 
'/etc/ipsec.d/ocspcerts'
Nov 12 19:14:05 ltft-localit pluto[11548]: Changing to directory 
'/etc/ipsec.d/crls'
Nov 12 19:14:05 ltft-localit pluto[11548]:   Warning: empty directory
Nov 12 19:14:05 ltft-localit pluto[11548]: added connection description 
"L2TP-PSK-CLIENT"
Nov 12 19:14:05 ltft-localit pluto[11548]: listening for IKE messages
Nov 12 19:14:05 ltft-localit pluto[11548]: adding interface eth0/eth0 
192.168.1.62:500
Nov 12 19:14:05 ltft-localit pluto[11548]: adding interface lo/lo 
127.0.0.1:500
Nov 12 19:14:05 ltft-localit pluto[11548]: adding interface lo/lo ::1:500
Nov 12 19:14:05 ltft-localit pluto[11548]: loading secrets from 
"/etc/ipsec.secrets"
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
initiating Main Mode
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
ignoring unknown Vendor ID payload [5b362bc820f60006]
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
STATE_MAIN_I2: sent MI2, expecting MR2
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
received Vendor ID payload [XAUTH]
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
received Vendor ID payload [Dead Peer Detection]
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
STATE_MAIN_I3: sent MI3, expecting MR3
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: Main 
mode peer ID is ID_FQDN: '@<SONICWALLIDHERE>'
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #1: 
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #2: 
initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW {using isakmp#1 
msgid:5cde7883 proposal=defaults pfsgroup=no-pfs}
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #2: 
ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=5cde7883
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #2: 
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 12 19:14:11 ltft-localit pluto[11548]: "L2TP-PSK-CLIENT" #2: 
STATE_QUICK_I2: sent QI2, IPsec SA established transport mode 
{ESP=>0x8c4ea8a3 <0x2f3ba339 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}

xl2tpd.conf:

[lac L2TPserver]
lns = <SONICWALL PUBLIC IP>
require chap = yes
refuse pap = yes
require authentication = yes
; Name should be the same as the username in the PPP authentication!
name = <myusername>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
#proxyarp
connect-delay 5000

xl2tpd log when trying to open a connection:

Nov 12 19:19:48 ltft-localit xl2tpd[11629]: setsockopt recvref[22]: 
Protocol not available
Nov 12 19:19:48 ltft-localit xl2tpd[11629]: This binary does not support 
kernel L2TP.
Nov 12 19:19:48 ltft-localit xl2tpd[11630]: xl2tpd version xl2tpd-1.2.4 
started on ltft-localit PID:11630
Nov 12 19:19:48 ltft-localit xl2tpd[11630]: Written by Mark Spencer, 
Copyright (C) 1998, Adtran, Inc.
Nov 12 19:19:48 ltft-localit xl2tpd[11630]: Forked by Scott Balmos and 
David Stipp, (C) 2001
Nov 12 19:19:48 ltft-localit xl2tpd[11630]: Inherited by Jeff McAdams, 
(C) 2002
Nov 12 19:19:48 ltft-localit xl2tpd[11630]: Forked again by Xelerance 
(www.xelerance.com) (C) 2006
Nov 12 19:19:48 ltft-localit xl2tpd[11630]: Listening on IP address 
0.0.0.0, port 1701
Nov 12 19:19:49 ltft-localit wpa_supplicant[1221]: CTRL-EVENT-SCAN-RESULTS
Nov 12 19:20:00 ltft-localit xl2tpd[11630]: Connecting to host 
<sonicwallip>, port 1701
Nov 12 19:20:05 ltft-localit xl2tpd[11630]: Maximum retries exceeded for 
tunnel 54950.  Closing.
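The step that fails above is the first L2TP control exchange: xl2tpd sends an SCCRQ over UDP/1701 (inside the ESP transport SA, since the policy selector is 17/1701) and retries until it gives up because no SCCRP comes back. The following is an added example, not xl2tpd or Openswan code and not part of the original post: a minimal RFC 2661 control-message encoder and strict decoder in Python, so that what tshark shows on the wire can be checked byte for byte against a known-good SCCRQ, and the SCCRP that the LNS is expected to answer with can be compared against any reply that does arrive. The hostnames and the LNS tunnel id 1234 are constructed; the LAC tunnel id 54950 is taken from the log above.

```python
"""Minimal L2TPv2 (RFC 2661) control-message encoder/decoder.

Added example for this thread; not xl2tpd or Openswan code.  Builds the
SCCRQ a LAC sends first over UDP/1701 and the SCCRP an LNS should answer
with, and decodes either one strictly.  Names and the LNS tunnel id are
constructed values.
"""
import struct

# Header flags: T=1 (control), L=1 (length present), S=1 (Ns/Nr present), Ver=2
CTRL_FLAGS = 0xC802
HDR_FMT = "!HHHHHH"   # flags/ver, length, tunnel id, session id, Ns, Nr
HDR_LEN = 12

# AVP attribute types (IETF vendor id 0)
AVP_MESSAGE_TYPE = 0
AVP_PROTOCOL_VERSION = 2
AVP_FRAMING_CAPS = 3
AVP_HOST_NAME = 7
AVP_ASSIGNED_TUNNEL_ID = 9

MSG_SCCRQ, MSG_SCCRP, MSG_SCCCN = 1, 2, 3


def build_avp(attr, value, mandatory=True, vendor_id=0):
    """AVP = 16-bit M/H/length word, vendor id, attribute type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP value too long")
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor_id, attr) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    body = b"".join(avps)
    return struct.pack(HDR_FMT, CTRL_FLAGS, HDR_LEN + len(body), tunnel_id, session_id, ns, nr) + body


def build_sccrq(my_tunnel_id, hostname):
    """First packet from the LAC: peer tunnel id is still 0, Ns=0, Nr=0."""
    avps = [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ)),
        build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        build_avp(AVP_FRAMING_CAPS, struct.pack("!I", 0x3)),   # sync + async framing
        build_avp(AVP_HOST_NAME, hostname.encode("ascii")),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", my_tunnel_id)),
    ]
    return build_control_message(0, 0, 0, 0, avps)


def build_sccrp(lac_tunnel_id, lns_tunnel_id, hostname):
    """Reply the LNS should send: addressed to the LAC's tunnel id, Nr=1 acks the SCCRQ."""
    avps = [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRP)),
        build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        build_avp(AVP_FRAMING_CAPS, struct.pack("!I", 0x3)),
        build_avp(AVP_HOST_NAME, hostname.encode("ascii")),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", lns_tunnel_id)),
    ]
    return build_control_message(lac_tunnel_id, 0, 0, 1, avps)


def parse_control_message(data):
    """Strictly decode one control message; raise ValueError on anything malformed."""
    if len(data) < HDR_LEN:
        raise ValueError("truncated header")
    flags, length, tid, sid, ns, nr = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TPv2")
    if (flags & 0xC800) != 0xC800:
        raise ValueError("control messages must carry the T, L and S bits")
    if flags & 0x0200:
        raise ValueError("offset bit is not allowed in control messages")
    if length != len(data):
        raise ValueError("length field disagrees with datagram size")
    avps, off = {}, HDR_LEN
    while off < length:
        if off + 6 > length:
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or off + avp_len > length:
            raise ValueError("bad AVP length")
        if flags_len & 0x4000:
            raise ValueError("hidden AVP; the tunnel auth secret is needed to decode it")
        avps[(vendor, attr)] = data[off + 6:off + avp_len]
        off += avp_len
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr, "avps": avps}


def message_type(msg):
    return struct.unpack("!H", msg["avps"][(0, AVP_MESSAGE_TYPE)])[0]


def assigned_tunnel_id(msg):
    return struct.unpack("!H", msg["avps"][(0, AVP_ASSIGNED_TUNNEL_ID)])[0]


if __name__ == "__main__":
    sccrq = build_sccrq(54950, "ltft-localit")   # LAC tunnel id from the log
    req = parse_control_message(sccrq)
    print("SCCRQ:", len(sccrq), "bytes, LAC tunnel", assigned_tunnel_id(req))
    rep = parse_control_message(build_sccrp(assigned_tunnel_id(req), 1234, "lns.example"))
    print("SCCRP to tunnel", rep["tunnel_id"], "Nr", rep["nr"], "LNS tunnel", assigned_tunnel_id(rep))
```

To use it against a capture, feed the UDP payload of the first packet tshark shows leaving on port 1701 to parse_control_message() and compare it with build_sccrq(); a datagram that decodes cleanly as an SCCRQ with the right Assigned Tunnel ID means the LAC side is sound and the missing SCCRP is the LNS (or the path to it) declining to answer.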
