[Openswan Users] Setting up for IPSEC / L2TP VPN Server under Red Hat
Jeremy Wilson
jeremy.wilson at polarmobile.com
Tue Sep 22 11:56:51 EDT 2009
I'm trying to get an Openswan / xl2tpd system up and running but I have
hit a roadblock. I can establish the IPSec tunnel but xl2tpd times out
after the handoff:
Sep 22 11:40:52 gateway pluto[2632]: "L2TP-PSK"[5] [remote client] #8: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0eb7ccac <0x0f8dc155 xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:4500 DPD=enabled}
Then some debug output from xl2tpd:
Sep 22 11:40:54 gateway xl2tpd[3956]: ourtid = 52617, entropy_buf = cd89
Sep 22 11:40:54 gateway xl2tpd[3956]: check_control: control, cid = 0, Ns = 0, Nr = 0
Sep 22 11:40:54 gateway xl2tpd[3956]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Sep 22 11:40:55 gateway xl2tpd[3956]: ourtid = 50246, entropy_buf = c446
Sep 22 11:40:55 gateway xl2tpd[3956]: ourcid = 24258, entropy_buf = 5ec2
Sep 22 11:40:55 gateway xl2tpd[3956]: check_control: control, cid = 0, Ns = 0, Nr = 0
Sep 22 11:40:55 gateway xl2tpd[3956]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Sep 22 11:40:59 gateway xl2tpd[3956]: ourtid = 36492, entropy_buf = 8e8c
Sep 22 11:40:59 gateway xl2tpd[3956]: ourcid = 46731, entropy_buf = b68b
Sep 22 11:40:59 gateway xl2tpd[3956]: check_control: control, cid = 0, Ns = 0, Nr = 0
Sep 22 11:40:59 gateway xl2tpd[3956]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Sep 22 11:40:59 gateway xl2tpd[3956]: Maximum retries exceeded for tunnel 61355. Closing.
Sep 22 11:41:07 gateway xl2tpd[3956]: ourtid = 20443, entropy_buf = 4fdb
Sep 22 11:41:07 gateway xl2tpd[3956]: check_control: control, cid = 0, Ns = 0, Nr = 0
Sep 22 11:41:07 gateway xl2tpd[3956]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Sep 22 11:41:07 gateway xl2tpd[3956]: Connection 4 closed to [remote IP], port 49925 (Timeout)
Here's my /etc/ipsec.conf file:

config setup
    nat_traversal=yes
    # Private ranges a NATed client may claim behind its public address
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Settings common to all connections
conn %default
    left=[external IP of gateway]
    right=%any
    # L2TP runs over UDP (protocol 17); client source port is not fixed
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    authby=secret
    pfs=no

# For Vista/XP SP2/Mac OS X
conn L2TP-PSK
    leftprotoport=17/1701
    auto=add

# For legacy Win2000/XP SP1 systems
conn L2TP-PSK-WIN2k
    leftprotoport=17/0
    auto=add
Here's my /etc/xl2tpd/xl2tpd.conf file:

[global]
    port = 1701

[lns default]
    # Addresses handed to PPP peers, and the server-side PPP address
    ip range = 192.168.1.200-250
    local ip = 192.168.1.103
    require authentication = yes
    pppoptfile = /etc/ppp/options.xl2tpd
All I want is to allow stock Mac OS X and Windows clients to connect to
the VPN server and have them be on the local network. I previously got
PPTP working just fine, but now they want greater security.
Any help appreciated!
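As an added illustration (not part of the original post, and not code from Openswan or xl2tpd), the block below builds and parses L2TPv2 control messages per RFC 2661 and shows what the "check_control: control, cid = 0, Ns = 0, Nr = 0" / "Peer requested tunnel 4 twice" lines correspond to on the wire: a client SCCRQ carrying Assigned Tunnel ID 4, retransmitted with Ns=0 because the server's SCCRP never made it back. The sample packets are constructed in the script; the `detect_unanswered_sccrq` helper and all other names are my own and not an xl2tpd API.

```python
"""Minimal L2TPv2 (RFC 2661) control-message builder and parser.
Constructed packets only; nothing is sent on the wire."""
import struct

# Header flag bits (RFC 2661 section 3.1) and the protocol version nibble
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VERSION = 2
# AVP flag bits and the attribute types used here
M_BIT, H_BIT = 0x8000, 0x4000
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME = 0, 2, 7
AVP_ASSIGNED_TUNNEL_ID = 9
MSG_SCCRQ, MSG_SCCRP, MSG_SCCCN = 1, 2, 3


def build_avp(attr_type, value, mandatory=True):
    """Encode one AVP; the 10-bit length covers the 6-byte AVP header too."""
    length = 6 + len(value)
    flags = (M_BIT if mandatory else 0) | length  # H (hidden) never set here
    return struct.pack("!HHH", flags, 0, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Control messages always carry T, L and S; O must be clear."""
    body = b"".join(avps)
    length = 12 + len(body)  # flags, length, tid, sid, ns, nr = 12 bytes
    flags = T_BIT | L_BIT | S_BIT | VERSION
    return struct.pack("!HHHHHH", flags, length, tunnel_id, session_id, ns, nr) + body


def build_sccrq(assigned_tunnel_id, host_name=b"client"):
    """Client's Start-Control-Connection-Request with the mandatory AVPs."""
    avps = [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ)),
        build_avp(AVP_PROTOCOL_VERSION, bytes([1, 0])),
        build_avp(AVP_HOST_NAME, host_name),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)),
    ]
    # The first SCCRQ is addressed to tunnel 0 (no peer id yet) with Ns=Nr=0
    return build_control_message(0, 0, 0, 0, avps)


def parse_control_message(data):
    """Validate header bits, then walk the AVP list; refuse hidden AVPs."""
    flags = struct.unpack("!H", data[:2])[0]
    if flags & 0x000F != VERSION:
        raise ValueError("not L2TPv2")
    if not flags & T_BIT:
        raise ValueError("data message, not control")
    if not flags & L_BIT or not flags & S_BIT or flags & O_BIT:
        raise ValueError("control message must have L=1, S=1, O=0")
    length, tid, sid, ns, nr = struct.unpack("!HHHHH", data[2:12])
    if length > len(data):
        raise ValueError("truncated message")
    avps, off = {}, 12
    while off < length:
        aflags, vendor, atype = struct.unpack("!HHH", data[off:off + 6])
        alen = aflags & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError("bad AVP length")
        if aflags & H_BIT:
            raise ValueError("hidden AVP needs the tunnel secret to decode")
        avps[(vendor, atype)] = data[off + 6:off + alen]
        off += alen
    return {"tid": tid, "sid": sid, "ns": ns, "nr": nr, "avps": avps}


def summarize(msg):
    """Pull out the fields xl2tpd prints: message type, tid, Ns, Nr, assigned tid."""
    avps = msg["avps"]
    mtype = struct.unpack("!H", avps[(0, AVP_MESSAGE_TYPE)])[0]
    out = {"type": mtype, "tid": msg["tid"], "ns": msg["ns"], "nr": msg["nr"]}
    if (0, AVP_ASSIGNED_TUNNEL_ID) in avps:
        out["assigned_tid"] = struct.unpack("!H", avps[(0, AVP_ASSIGNED_TUNNEL_ID)])[0]
    return out


def detect_unanswered_sccrq(packets):
    """Count SCCRQs per peer-assigned tunnel id. Several with Ns=0 for the same
    id mean the client keeps retransmitting because our SCCRP never reached it,
    which is the condition xl2tpd logs as 'Peer requested tunnel N twice'."""
    seen = {}
    for pkt in packets:
        s = summarize(parse_control_message(pkt))
        if s["type"] == MSG_SCCRQ and s["ns"] == 0:
            seen[s["assigned_tid"]] = seen.get(s["assigned_tid"], 0) + 1
    return {tid: n for tid, n in seen.items() if n > 1}


# Constructed sample: the client sends SCCRQ for tunnel 4 three times, as in the log
SAMPLE_PACKETS = [build_sccrq(4), build_sccrq(4), build_sccrq(4)]

if __name__ == "__main__":
    print(detect_unanswered_sccrq(SAMPLE_PACKETS))
```

If a capture on UDP 1701 shows the same pattern as `SAMPLE_PACKETS` (repeated SCCRQs with Ns=0 and the same Assigned Tunnel ID, but no SCCRP arriving at the client), the problem is the return path for the server's reply rather than the L2TP negotiation itself.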