[Openswan Users] L2TP/IPsec on Ubuntu for OS X clients, only IPsec works
Riobard
yaogzhan at gmail.com
Thu Apr 29 22:28:28 EDT 2010
Hi,
I'm trying to set up L2TP/IPsec on a Ubuntu 9.04 server to accept VPN connections from OS X and iPhone clients. I have both `openswan` (2.6.22) and `xl2tpd` (1.2.4) installed. IPsec seems to work, but L2TP does not. In fact, even if I turn on `debug` for xl2tpd, there is nothing in /var/log/debug. I guess there must be some options I missed to activate L2TP, but I spent 3 days googling around the web without any success. Can you please help? Thanks very much!
- Rio
Here is the log from the Ubuntu server's /var/log/auth.log
-------------------------------------------------------------
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: received Vendor ID payload [RFC 3947] method set to=109
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 30 02:17:48 flexo pluto[6765]: packet from 62.214.194.142:500: received Vendor ID payload [Dead Peer Detection]
Apr 30 02:17:48 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: responding to Main Mode from unknown peer 62.214.194.142
Apr 30 02:17:48 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 30 02:17:48 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 30 02:17:48 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Apr 30 02:17:48 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 30 02:17:48 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.100'
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: new NAT mapping for #10, was 62.214.194.142:500, now 62.214.194.142:4500
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: received and ignored informational message
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: the peer proposed: 72.13.95.18/32:17/1701 -> 192.168.1.100/32:17/52074
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: responding to Quick Mode proposal {msgid:19e4dfaa}
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: us: 72.13.95.18<72.13.95.18>[+S=C]:17/1701
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: them: 62.214.194.142[192.168.1.100,+S=C]:17/59276===192.168.1.100/32
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x093e09b6 <0x03044bf7 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=62.214.194.142:4500 DPD=none}
Apr 30 02:18:12 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: received Delete SA(0x093e09b6) payload: deleting IPSEC State #11
Apr 30 02:18:12 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: deleting connection "L2TP-PSK-NAT" instance with peer 62.214.194.142 {isakmp=#0/ipsec=#0}
Apr 30 02:18:12 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: received and ignored informational message
Apr 30 02:18:12 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: received Delete SA payload: deleting ISAKMP State #10
Apr 30 02:18:12 flexo pluto[6765]: packet from 62.214.194.142:4500: received and ignored informational message
-------------------------------------------------------------
Here is the log from an OS X client's /var/log/system.log
Apr 30 04:17:48 bender pppd[1738]: pppd 2.4.2 (Apple version 412.0.10) started by rio, uid 501
Apr 30 04:17:48 bender pppd[1738]: L2TP connecting to server 'vpn.riobard.com' (72.13.95.18)...
Apr 30 04:17:48 bender pppd[1738]: IPSec connection started
Apr 30 04:17:48 bender racoon[1739]: Connecting.
Apr 30 04:17:48 bender racoon[1739]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 30 04:17:48 bender racoon[1739]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Apr 30 04:17:48 bender racoon[1739]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Apr 30 04:17:48 bender racoon[1739]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Apr 30 04:17:48 bender racoon[1739]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Apr 30 04:17:51 bender racoon[1739]: IKE Packet: transmit success. (Phase1 Retransmit).
Apr 30 04:17:52 bender racoon[1739]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Apr 30 04:17:52 bender racoon[1739]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Apr 30 04:17:52 bender racoon[1739]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Apr 30 04:17:52 bender racoon[1739]: IKE Packet: transmit success. (Information message).
Apr 30 04:17:52 bender racoon[1739]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Apr 30 04:17:52 bender racoon[1739]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Apr 30 04:17:52 bender racoon[1739]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Apr 30 04:17:52 bender racoon[1739]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Apr 30 04:17:52 bender racoon[1739]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Apr 30 04:17:52 bender racoon[1739]: Connected.
Apr 30 04:17:52 bender pppd[1738]: IPSec connection established
Apr 30 04:18:12 bender pppd[1738]: L2TP cannot connect to the server
Apr 30 04:18:12 bender racoon[1739]: IKE Packet: transmit success. (Information message).
Apr 30 04:18:12 bender racoon[1739]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Apr 30 04:18:12 bender racoon[1739]: IKE Packet: transmit success. (Information message).
Apr 30 04:18:12 bender racoon[1739]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Apr 30 04:18:12 bender racoon[1739]: Disconnecting. (Connection was up for, 20.014083 seconds).
Apr 30 04:18:12 bender configd[1412]: SCNCController: Disconnecting. (Connection tried to negotiate for, 24 seconds).
---------------------------------------------------------
openswan config file /etc/ipsec.conf
-----------------------------------------------------------
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=72.13.95.18 # my server ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
---------------------------------------------------------
xl2tpd config file /etc/xl2tpd/xl2tpd.conf
-----------------------------------------
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
-------------------------------------------
pppd config file /etc/ppp/options.xl2tpd
---------------------------------------------------
require-mschap-v2
ms-dns 192.168.0.31
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
--------------------------------------
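Added example (not part of Rio's post, and not Openswan or xl2tpd code): a small Python checker that reads the pluto lines from /var/log/auth.log above and reports where the negotiation stopped. It separates the three cases a reader of such a log has to tell apart: IKE phase 1 never completed, phase 1 completed but quick mode failed, or both phases completed and the client later deleted the SAs itself. The sample input is a trimmed copy of the server log quoted in the post; the message substrings it matches ("ISAKMP SA established", "IPsec SA established", "received Delete SA") are the ones visible in that log, and the verdict strings are the author's own wording, not Openswan output.

```python
import re
from datetime import datetime

# Trimmed copy of the pluto log quoted in the post (constructed sample input).
SAMPLE_LOG = """\
Apr 30 02:17:48 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: responding to Main Mode from unknown peer 62.214.194.142
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: the peer proposed: 72.13.95.18/32:17/1701 -> 192.168.1.100/32:17/52074
Apr 30 02:17:52 flexo pluto[6765]: "L2TP-PSK-NAT"[6] 62.214.194.142 #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x093e09b6 <0x03044bf7 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=62.214.194.142:4500 DPD=none}
Apr 30 02:18:12 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: received Delete SA(0x093e09b6) payload: deleting IPSEC State #11
Apr 30 02:18:12 flexo pluto[6765]: "L2TP-PSK-NAT"[2] 62.214.194.142 #10: received Delete SA payload: deleting ISAKMP State #10
"""

# syslog timestamp, host, pluto[pid], then either a per-connection prefix
# ("CONN"[n] PEER #SA:) or a pre-connection prefix (packet from SRC:), then the message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): |packet from (?P<src>\S+): )?'
    r'(?P<msg>.*)$'
)
# Quick mode traffic selector: OUR_ADDR/32:PROTO/PORT -> THEIR_ADDR/32:PROTO/PORT
PROPOSAL_RE = re.compile(
    r"the peer proposed: \S+/\d+:\d+/(?P<sport>\d+) -> \S+/\d+:\d+/(?P<cport>\d+)"
)


def _ts(text):
    # Syslog lines carry no year; only differences matter here, so 1900 is fine.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze_pluto_log(text):
    """Return a dict describing how far the IKE/IPsec negotiation got."""
    result = {
        "conn": None, "peer": None,
        "isakmp_established": False, "ipsec_established": False,
        "deleted_by_peer": False, "seconds_up": None,
        "server_port": None, "client_port": None, "verdict": "",
    }
    up_at = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("conn"):
            result["conn"], result["peer"] = m.group("conn"), m.group("peer")
        if "ISAKMP SA established" in msg:          # phase 1 (main mode) done
            result["isakmp_established"] = True
        elif "IPsec SA established" in msg:         # phase 2 (quick mode) done
            result["ipsec_established"] = True
            up_at = _ts(m.group("ts"))
        elif "received Delete SA" in msg and "deleting IPSEC State" in msg:
            result["deleted_by_peer"] = True        # the client tore the SA down
            if up_at is not None and result["seconds_up"] is None:
                result["seconds_up"] = int((_ts(m.group("ts")) - up_at).total_seconds())
        pm = PROPOSAL_RE.search(msg)
        if pm:
            result["server_port"] = int(pm.group("sport"))
            result["client_port"] = int(pm.group("cport"))

    if not result["isakmp_established"]:
        result["verdict"] = "phase 1 (main mode) never completed: check the PSK, IKE proposals and NAT-T"
    elif not result["ipsec_established"]:
        result["verdict"] = "phase 1 OK but quick mode failed: check type=transport and the protoport selectors"
    elif result["deleted_by_peer"]:
        result["verdict"] = (
            "IPsec OK: SA was up for %s s and then deleted by the client; the IPsec layer is not "
            "the problem, look at the L2TP daemon on UDP/%s inside the tunnel"
            % (result["seconds_up"], result["server_port"])
        )
    else:
        result["verdict"] = "IPsec OK: SA is up"
    return result


if __name__ == "__main__":
    r = analyze_pluto_log(SAMPLE_LOG)
    print("%s from %s: %s" % (r["conn"], r["peer"], r["verdict"]))
```

Run against the server log from the post it reports that both IKE phases completed and that the SAs were deleted by the client 20 seconds later, which matches the "Connection was up for, 20.014083 seconds" line on the OS X side. Point it at a full /var/log/auth.log to get the same classification for each connection attempt.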