[Openswan Users] IPsec/L2TP VPN on Ubuntu 10.04 using Openswan version U2.6.23/K2.6.32-24-generic and xL2TP v1.2.7
Paul Wouters
paul at xelerance.com
Mon Oct 4 12:14:03 EDT 2010
On Mon, 4 Oct 2010, Adam Crane wrote:
> version U2.6.23/K2.6.32-24-generic and xL2TP v1.2.7.
Is that kernel patched for SArefs?
> I believe the IPsec tunnel forms correctly but that there is an issue
> with the L2TP authentication, I'm a little lost now and need some
> guidance as to how to debug and get the connection up and running.
> plutodebug="control parsing"
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> oe=off
> protostack=netkey
You are using netkey, which does not support SArefs.
> ########################################################
> xl2tpd.conf
> ########################################################
> [global]
> ipsec saref = yes
While you enable SArefs here, this will not work. Disable it.
> l2tp-secrets
L2TP secrets are not used. That is for encrypting the L2TP tunnel, as opposed
to the IPsec tunnel. You only want to use /etc/ppp/chap-secrets or other pppd-based
auth schemes (e.g. ldap/radius/system/pam).
> options.l2tpd
I strongly recommend you use an options file based on the options.xl2tpd file.
> # Use hardware flow control.
> crtscts
That's not right. There is no hardware.
> # Don't fork to become a background process.
> nodetach
That might not be very good either.
> # Force MS-CHAP-v2 authentication since it is more secure than the other
> options.
> refuse-pap
> refuse-chap
> refuse-mschap
> require-mschap-v2
> #require-mppe
I believe this does require the mppe kernel module to be loaded. Commenting
out a requirement does not make it go away :)
> 192.168.1.101, Local: 40632, Remote: 1096, Serial: -934305952
> Oct 4 09:33:55 zebedee xl2tpd[1531]: network_thread: recv packet from
> 192.168.1.101, size = 34, tunnel = 25415, call = 40632 ref=0 refhim=0
> Oct 4 09:33:55 zebedee xl2tpd[1531]: child_handler : pppd exited for
> call 1096 with code 2
You would want to look at the pppd logs at this point. It looks like l2tp
auth is indeed not used (despite you setting an l2tp-secrets file), but
you probably did not fill in the login info in /etc/ppp/chap-secrets
> Oct 4 09:33:51 zebedee pluto[27098]: | ****parse IPsec DOI SIT:
Please do not enable plutodebug= unless an openswan developer told you to do so.
It is for debugging code, not configurations.
Paul
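The points in the reply above (SArefs only work with a SAref-patched KLIPS kernel, not netkey; crtscts makes no sense on an L2TP pseudo-tty; pppd exiting right after the call comes up usually means chap-secrets has no entries; plutodebug= is for debugging code, not configurations) can be turned into a mechanical check over the four files involved. The script below is an added example and is not code from the thread, from Openswan or from xl2tpd. Every file it writes is a constructed sample: the "as-posted" tree reproduces the mistakes discussed above and the "fixed" tree corrects them; the user name vpnuser, the server name l2tpd and the password are placeholders, not anything from the original post.

```shell
#!/bin/sh
# Added example: consistency check for an Openswan (netkey) + xl2tpd + pppd setup.
# All file contents are constructed samples, not the poster's real configuration.

# write_sample_configs DIR: create DIR/as-posted (the mistakes discussed in the
# thread) and DIR/fixed (the same setup with those mistakes corrected).
write_sample_configs() {
    base=$1
    mkdir -p "$base/as-posted" "$base/fixed"

    # ipsec.conf: netkey stack; the as-posted one also leaves plutodebug on.
    cat >"$base/as-posted/ipsec.conf" <<'EOF'
config setup
    plutodebug="control parsing"
    nat_traversal=yes
    protostack=netkey
EOF
    cat >"$base/fixed/ipsec.conf" <<'EOF'
config setup
    nat_traversal=yes
    protostack=netkey
EOF

    # xl2tpd.conf: SArefs need a SAref-patched KLIPS kernel, so with netkey it is off.
    printf '[global]\nipsec saref = yes\n' >"$base/as-posted/xl2tpd.conf"
    printf '[global]\nipsec saref = no\n'  >"$base/fixed/xl2tpd.conf"

    # pppd options: no hardware flow control on an L2TP pseudo-tty.
    printf 'crtscts\nrefuse-pap\nrequire-mschap-v2\n' >"$base/as-posted/options.xl2tpd"
    printf 'refuse-pap\nrequire-mschap-v2\n'          >"$base/fixed/options.xl2tpd"

    # chap-secrets: the as-posted one still has only the template comment line.
    # "vpnuser", "l2tpd" and the password are placeholders (constructed).
    printf '# client server secret IP\n' >"$base/as-posted/chap-secrets"
    printf '# client server secret IP\nvpnuser l2tpd "example-password" *\n' \
        >"$base/fixed/chap-secrets"
}

# check_l2tp_stack DIR: print one line per problem found, return the problem count.
check_l2tp_stack() {
    dir=$1
    problems=0

    # 1. "ipsec saref = yes" is only valid with the KLIPS stack.
    stack=$(sed -n 's/^[[:space:]]*protostack=//p' "$dir/ipsec.conf")
    saref=$(sed -n 's/^[[:space:]]*ipsec saref[[:space:]]*=[[:space:]]*//p' "$dir/xl2tpd.conf")
    if [ "$stack" = "netkey" ] && [ "$saref" = "yes" ]; then
        echo "ERROR: ipsec saref = yes but protostack=netkey; netkey has no SAref support"
        problems=$((problems + 1))
    fi

    # 2. crtscts asks pppd for hardware flow control; there is no serial hardware here.
    if grep -q '^[[:space:]]*crtscts' "$dir/options.xl2tpd"; then
        echo "ERROR: crtscts in pppd options; there is no serial hardware behind L2TP"
        problems=$((problems + 1))
    fi

    # 3. pppd exiting right after the call comes up points at an empty chap-secrets.
    #    Count lines that are neither blank nor comments ("|| true": grep -c exits 1 on 0).
    entries=$(grep -cvE '^[[:space:]]*(#.*)?$' "$dir/chap-secrets" || true)
    if [ "$entries" -eq 0 ]; then
        echo "ERROR: no user entries in chap-secrets; pppd has nobody to authenticate"
        problems=$((problems + 1))
    fi

    # 4. plutodebug= is for debugging pluto's code, not for debugging configurations.
    if grep -q '^[[:space:]]*plutodebug=' "$dir/ipsec.conf"; then
        echo "WARN: plutodebug= is set; remove it unless an Openswan developer asked for it"
        problems=$((problems + 1))
    fi

    return $problems
}

# Stand-alone demo: write both sample trees to a temp directory and check each.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for variant in as-posted fixed; do
    echo "== $variant =="
    check_l2tp_stack "$demo_dir/$variant" || echo "$variant: $? problem(s) found"
done
rm -rf "$demo_dir"
```

Run it as-is to see the four findings against the "as-posted" tree and a clean result for the "fixed" one; to check a real box, point check_l2tp_stack at a directory containing copies of /etc/ipsec.conf, /etc/xl2tpd/xl2tpd.conf, the pppd options file and /etc/ppp/chap-secrets. The check only covers the mistakes named in the reply; it does not validate the ipsec.conf connection section or the pppd authentication method itself.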