[Openswan Users] IPsec/L2TP VPN on Ubuntu 10.04 using Openswan version U2.6.23/K2.6.32-24-generic and xL2TP v1.2.7

Adam Crane atcapollo at hotmail.com
Mon Oct 4 16:23:05 EDT 2010


  Thanks Paul, this is my first attempt at IPsec client to endpoint. My 
Android client supports IPsec with PSK and also with Certification 
whilst L2TP secret seems optional.

I've amended my configs based on your comments and it now works with 
PSK. Somehow I had managed to point to options.l2tpd and not 
options.xl2tpd (which did exist and I had configured, it was a late night!)
I've also pointed to chap-secrets (again which did exist and I had 
configured, just not pointed to) and not xl2tp-secrets.

Is there any benefit of l2tp authorisation over an IPsec tunnel? It 
seems a little overkill but there must be a reason for its existence.

For future reference and search engine crawlers below is my working 
config for:

Ubuntu 10.04
Openswan
xl2tpd 1.2.7
Google Nexus One with Android 2.2.1 using an IPsec PSK tunnel and the 
l2tp secret not enabled.

Now I need to move to using the RSA certificate... first of all how to 
install it to the phone..

###############################################################################
/etc/ipsec.conf
###############################################################################
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
         oe=off
         protostack=netkey
         nhelpers=0

conn L2TP
         authby=secret
         auto=add
         pfs=no
         type=transport
         rekey=no

         left=192.168.1.100
         leftnexthop=192.168.1.1
         leftprotoport=17/1701

         right=%any
         rightsubnet=vhost:%no,%priv
         rightprotoport=17/1701
         forceencaps=yes


###############################################################################
/etc/xl2tpd/xl2tpd.conf
###############################################################################
[global]
ipsec saref = no
auth file = /etc/ppp/chap-secrets
port = 1701
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes

[lns default]
ip range = 192.168.1.51-192.168.1.55
local ip = 192.168.1.50
require chap = yes
refuse pap = yes
require authentication = yes
name = Zebedee
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


###############################################################################
/etc/ppp/chap-secrets
###############################################################################
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
*  *  "testpass"  *


###############################################################################
/etc/ppp/options.xl2tpd
###############################################################################
ipcp-accept-local
ipcp-accept-remote
noccp
auth
#crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
ms-dns 192.168.1.1


###############################################################################
/var/log/messages
###############################################################################
Oct  4 20:21:49 zebedee kernel: [108447.013541] NET: Unregistered protocol family 15
Oct  4 20:21:49 zebedee kernel: [108447.089545] NET: Registered protocol family 15
Oct  4 20:21:49 zebedee kernel: [108447.269106] Initializing XFRM netlink socket
Oct  4 20:21:49 zebedee kernel: [108447.278283] padlock: VIA PadLock not detected.
Oct  4 20:21:49 zebedee kernel: [108447.315785] padlock: VIA PadLock Hash Engine not detected.
Oct  4 20:21:49 zebedee kernel: [108447.342768] padlock: VIA PadLock not detected.
Oct  4 20:21:50 zebedee pluto: adjusting ipsec.d to /etc/ipsec.d

On 04/10/2010 17:14, Paul Wouters wrote:
> On Mon, 4 Oct 2010, Adam Crane wrote:
>
>> version U2.6.23/K2.6.32-24-generic and xL2TP v1.2.7.
>
> Is that kernel patched for SArefs?
>
>> I believe the IPsec tunnel forms correctly but that there is an issue
>> with the L2TP authentication, I'm a little lost now and need some
>> guidance as to how to debug and get the connection up and running.
>
>>     plutodebug="control parsing"
>>     nat_traversal=yes
>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>     oe=off
>>     protostack=netkey
>
> You are using netkey, which does not support SArefs.
>
>> ########################################################
>> xl2tpd.conf
>> ########################################################
>> [global]
>> ipsec saref = yes
>
> While you enable sarefs here. This will not work. Disable it.
>
>> l2tp-secrets
>
> l2tp secrets are not used. That is for encrypting the l2tp tunnel, as 
> opposed
> to the IPsec tunnel. You only want to use /etc/ppp/chap-secrets or 
> other pppd
> based auth schemes (eg ldap/radius/system/pam)
>
>> options.l2tpd
>
> I strongly recommend you use an options file based on the 
> options.xl2tpd file.
>
>> # Use hardware flow control.
>> crtscts
>
> That's not right. There is no hardware
>
>> # Don't fork to become a background process.
>> nodetach
>
> That might not be very good either.
>
>> # Force MS-CHAP-v2 authentication since it is more secure than the other
>> options.
>> refuse-pap
>> refuse-chap
>> refuse-mschap
>> require-mschap-v2
>> #require-mppe
>
> I believe this does require the mppe kernel module to be loaded. 
> Commenting
> out a requirement does not make it go away :)
>
>> 192.168.1.101, Local: 40632, Remote: 1096, Serial: -934305952
>> Oct  4 09:33:55 zebedee xl2tpd[1531]: network_thread: recv packet from
>> 192.168.1.101, size = 34, tunnel = 25415, call = 40632 ref=0 refhim=0
>> Oct  4 09:33:55 zebedee xl2tpd[1531]: child_handler : pppd exited for
>> call 1096 with code 2
>
> You would want to look at the pppd logs at this point. It looks like l2tp
> auth is indeed not used (despite you setting an l2tp-secrets file), but
> you probably did not fill in the login info in /etc/ppp/chap-secrets
>
>> Oct  4 09:33:51 zebedee pluto[27098]: | ****parse IPsec DOI SIT:
>
> Please do not enable plutodebug= unless an openswan developer told you 
> to do so.
> It is for debugging code, not configurations.
>
> Paul
>
>
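A consistency check for the three files posted above, added here as an example that is not part of the original post or of the Openswan/xl2tpd projects: it parses a constructed ipsec.conf, xl2tpd.conf and chap-secrets and flags the mismatches Paul raised (SArefs with netkey, the wrong auth file, options.l2tpd instead of options.xl2tpd) plus a fully wildcarded chap-secrets entry. The names parse_ipsec_conf and check_l2tp_ipsec are hypothetical helpers.

```python
import configparser
import shlex

# Constructed sample inputs modelled on the files in the post; not the poster's real files.
IPSEC_CONF = "config setup\n\tprotostack=netkey\nconn L2TP\n\tauthby=secret\n\ttype=transport\n"
XL2TPD_CONF = """\
[global]
ipsec saref = yes
auth file = /etc/ppp/chap-secrets
[lns default]
pppoptfile = /etc/ppp/options.xl2tpd
"""
CHAP_SECRETS = '# client server secret IP\n*  *  "testpass"  *\n'

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; sections are 'setup' or conn names."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(("config ", "conn ")):
            current = line.split()[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_l2tp_ipsec(ipsec_text, xl2tpd_text, chap_text):
    """Return a list of findings for an Openswan + xl2tpd + pppd setup."""
    findings = []
    setup = parse_ipsec_conf(ipsec_text).get("setup", {})
    xl = configparser.ConfigParser()
    xl.read_string(xl2tpd_text)
    # SArefs need a patched kernel; the netkey stack cannot use them.
    saref = xl.get("global", "ipsec saref", fallback="no").lower() == "yes"
    if saref and setup.get("protostack") == "netkey":
        findings.append("ipsec saref=yes with protostack=netkey: netkey does not support SArefs")
    # pppd authenticates peers from chap-secrets; l2tp-secrets is not the PPP auth file.
    if xl.get("global", "auth file", fallback="") != "/etc/ppp/chap-secrets":
        findings.append("auth file must be /etc/ppp/chap-secrets for CHAP-based PPP auth")
    for sect in xl.sections():
        if sect.startswith("lns") and xl.get(sect, "pppoptfile", fallback="").endswith("options.l2tpd"):
            findings.append(f"{sect}: pppoptfile points at options.l2tpd, not options.xl2tpd")
    # A fully wildcarded chap-secrets line gives every client name the same shared secret.
    for line in chap_text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 3 and parts[0] == "*" and parts[1] == "*":
            findings.append("chap-secrets: wildcard client and server entry; one secret for every peer")
    return findings
```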