[Openswan Users] OpenSwan + xl2tpd not working
Pete Mitchell
Ghostryder at gmx.de
Wed Aug 18 08:10:02 EDT 2010
Hi,
a small status update (I think I'm quite close to the final solution :-/):
I've upgraded to openswan-2.6.28. I've successfully connected to the server from my iPhone using L2TP as VPN. However, the connection from a Windows XP SP3 machine using the internal VPN client still fails. The l2tpd is still not getting any requests. When using the iPhone I can nicely see how the xl2tpd responds to the requests but for the XP machine nothing at all happens.
The tunnel is established successfully, as I'm getting the messages in /var/log/auth.log. But, as I said, xl2tpd is not fired up, for whatever reason.
I have tried so many things without any success, so I'm really hoping that any of you could HELP me!
Here are the most important configs:
cat /etc/ipsec.conf
--------------------------------------------------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
config setup
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
include /etc/ipsec.d/l2tp-psk.conf
--------------------------------------------------------------------------
cat /etc/ipsec.d/l2tp-psk.conf
--------------------------------------------------------------------------
conn FIRST_TEST
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
left=%defaultroute
leftnexthop=%defaultroute
leftprotoport=udp/l2tp
right=%any
rightprotoport=udp/0
rightnexthop=%defaultroute
--------------------------------------------------------------------------
cat /etc/xl2tpd.d/xl2tpd.conf
--------------------------------------------------------------------------
[global]
ipsec saref = yes
listen-addr = 192.168.0.22
port = 1701
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes
[lns default]
ip range = 192.168.0.100-192.168.0.105
local ip = 192.168.0.99
;require chap = yes
;refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile= /etc/ppp/options.xl2tpd
length bit = yes
--------------------------------------------------------------------------
cat /etc/ppp/options.xl2tpd
--------------------------------------------------------------------------
# /etc/ppp/options
asyncmap 0
auth
crtscts
lock
hide-password
modem
mru 1280
mtu 1280
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
--------------------------------------------------------------------------
The problem can't be related to the firewall as it is down on the VPN server machine, and the connection works fine from the iPhone...
Thanks for ANY support in advance!!!
Regards,
g.
-------- Original Message --------
> Date: Wed, 18 Aug 2010 08:52:59 +0200
> From: "Pete Mitchell" <Ghostryder at gmx.de>
> To: "Willie Gillespie" <wgillespie+openswan at es2eng.com>
> CC: users at openswan.org
> Subject: Re: [Openswan Users] OpenSwan + xl2tpd not working
> Hi Willie!
>
> Thanks for the comment!
>
> I've added the firewall rule although there isn't any firewall operating
> at the server currently... I'm completely stuck. xl2tpd is listening on
> address 192.168.0.22/1701 but doesn't get any requests at all :-(.
>
> Are there any other tests that I could do to find the fault?
>
> Regards,
> g.
>
> -------- Original Message --------
> > Date: Thu, 5 Aug 2010 15:05:54 -0600 (MDT)
> > From: "Willie Gillespie" <wgillespie+openswan at es2eng.com>
> > To: ghostryder at gmx.de
> > CC: users at openswan.org
> > Subject: Re: [Openswan Users] OpenSwan + xl2tpd not working
>
> > I guess I should clarify:
> > Openswan seems to be working fine in your case.
> > In xl2tpd.conf, listen-addr should still be 192.168.0.22.
> > So for some reason the traffic is not making it there. Do you have a
> > firewall rule that allows access to xl2tpd?
> > Perhaps something like:
> > -A INPUT -m policy --pol ipsec --dir in -p udp --dport 1701 -j ACCEPT
> > (only accept traffic to xl2tpd if it's come in through an IPsec tunnel
> > first)
> >
> > -----Original Message-----
> > From: "Willie Gillespie" <wgillespie+openswan at es2eng.com>
> > Sent: Thursday, August 5, 2010 2:59pm
> > To: Ghostryder at gmx.de
> > Cc: users at openswan.org
> > Subject: Re: [Openswan Users] OpenSwan + xl2tpd not working
> >
> > You shouldn't forward port 1701 on the NAT device or it will allow L2TP to
> > work without being inside an IPsec tunnel. Instead the traffic should be
> > decoded on the Openswan box (sounds like your tunnel is fine) and just go
> > to the localhost.
> >
> > This document may help you as well:
> >
> > http://www.rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html
> >
> > Willie
> >
> > -----Original Message-----
> > From: Ghostryder at gmx.de
> > Sent: Thursday, August 5, 2010 3:09am
> > To: users at openswan.org
> > Subject: [Openswan Users] OpenSwan + xl2tpd not working
> >
> > Hi all,
> >
> > I'm trying to set up a VPN server using OpenSwan. For the configuration
> > process I've used
> >
> > http://www.jacco2.dds.nl/networking/openswan-l2tp.html
> >
> > The server is running an Ubuntu system with Kernel 2.6.32. I've used
> > xl2tpd again as described in the link above. It is worth mentioning that
> > the VPN server is behind a NAT device (DSL router).
> >
> > I've tried to connect from a Windows XP client and it seems that the IPsec
> > is running fine as I'm getting the message "STATE_QUICK_R2: IPsec SA
> > established transport mode". However, xl2tpd is just doing nothing. I've
> > started the service using "xl2tpd -D" and it tells me that it's listening on
> > 192.168.0.22/1701, which is the IP address of the VPN server behind NAT, so all
> > fine. But even when the XP client tries "officially" to connect, nothing
> > happens... I've tried various things but I have no clue why there is no
> > traffic... On the firewall of the NAT device the ports 500, 4500 and 1701 are
> > forwarded to 192.168.0.22.
> >
> > Has anyone got an idea what could be the problem?
> >
> > Thanks in advance!
> > Regards, hg
> >
> >
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
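As an added illustration of the firewall advice in Willie's reply (the `-m policy --pol ipsec --dir in` rule), and not code from this thread or from the Openswan/xl2tpd projects: the script below walks the INPUT chain of an `iptables-save` dump and reports whether a fresh UDP/1701 packet that did not arrive through IPsec would reach xl2tpd. Both rule sets are constructed for the example (they are not the poster's real firewall), and the matcher is a deliberately simplified model of iptables that understands only the `-i`, `-p`, `--dport`, `--state`/`--ctstate`, `--pol` and `-j` options with plain ACCEPT/DROP/REJECT targets; it ignores `--dir` and user-defined chain jumps. The function names are this example's own.

```python
# Audit: would bare (non-IPsec) L2TP reach xl2tpd through the INPUT chain?
# Added example for this thread; the rule sets are constructed and the checker
# is a simplified model of iptables matching, not a full reimplementation.

# Constructed: accepts UDP/1701 from anywhere, so L2TP works outside IPsec.
WEAK_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -j ACCEPT
COMMIT
"""

# Constructed: the rule from the reply, followed by an explicit drop of bare L2TP.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -m policy --pol ipsec --dir in -p udp --dport 1701 -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
COMMIT
"""


def _opt(tokens, *names):
    """Return the value following the first of the given option names, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def _rule_matches(tokens, via_ipsec):
    """Does one INPUT rule match a fresh UDP/1701 packet on a non-loopback interface?"""
    if _opt(tokens, "-i", "--in-interface") == "lo":
        return False
    if _opt(tokens, "-p", "--protocol") not in (None, "udp"):
        return False
    if _opt(tokens, "--dport", "--destination-port") not in (None, "1701"):
        return False
    state = _opt(tokens, "--state", "--ctstate")
    if state is not None and "NEW" not in state.split(","):
        return False  # the first L2TP packet of a session is a NEW connection
    pol = _opt(tokens, "--pol")
    if pol == "ipsec" and not via_ipsec:
        return False  # policy match only fires for packets that came through IPsec
    if pol == "none" and via_ipsec:
        return False
    return True


def simulate_l2tp(dump, via_ipsec):
    """Walk the filter table's INPUT chain and return the verdict for an L2TP packet."""
    table = None
    default = "ACCEPT"
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":INPUT "):
            default = line.split()[1]  # chain policy, used when no rule matches
        elif line.startswith("-A INPUT ") and _rule_matches(line.split(), via_ipsec):
            target = _opt(line.split(), "-j", "--jump")
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
    return default


def bare_l2tp_exposed(dump):
    """True if L2TP would be accepted without IPsec protection."""
    return simulate_l2tp(dump, via_ipsec=False) == "ACCEPT"


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "bare L2TP:", simulate_l2tp(rules, False),
              "IPsec L2TP:", simulate_l2tp(rules, True),
              "exposed:", bare_l2tp_exposed(rules))
```

Run against a real dump with `iptables-save | python3 this_script.py`-style plumbing once you replace the constructed strings; the point of the hardened set is that the explicit DROP after the policy rule (or a DROP chain policy) makes the verdict for plaintext L2TP independent of any later catch-all ACCEPT.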