[Openswan Users] xl2tpd not responding - why?

Troy Telford ttelford.groups at gmail.com
Mon Sep 6 17:00:13 EDT 2010


After doing some work with the firewall, I can get xl2tpd to respond to 
a point...

xl2tpd[24492]: control_finish: Peer requested tunnel 57 twice, ignoring second one.
xl2tpd[24492]: control_finish: Peer requested tunnel 57 twice, ignoring second one.
xl2tpd[24492]: control_finish: Peer requested tunnel 57 twice, ignoring second one.
xl2tpd[24492]: Maximum retries exceeded for tunnel 20342.  Closing.
xl2tpd[24492]: control_finish: Peer requested tunnel 57 twice, ignoring second one.
xl2tpd[24492]: Connection 57 closed to www.xxx.yyy.zzz, port 58541 (Timeout)
xl2tpd[24492]: Unable to deliver closing message for tunnel 20342. Destroying anyway.

On my client side (an OS X 10.6 client), I'm seeing the following:
Sep  6 14:39:09 machost racoon[6271]: Connecting.
Sep  6 14:39:09 machost racoon[6271]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Sep  6 14:39:09 machost racoon[6271]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Sep  6 14:39:09 machost racoon[6271]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Sep  6 14:39:09 machost racoon[6271]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Sep  6 14:39:09 machost racoon[6271]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Sep  6 14:39:09 machost racoon[6271]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Sep  6 14:39:09 machost racoon[6271]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Sep  6 14:39:09 machost racoon[6271]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Sep  6 14:39:09 machost racoon[6271]: IKE Packet: transmit success. (Information message).
Sep  6 14:39:09 machost racoon[6271]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Sep  6 14:39:10 machost racoon[6271]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Sep  6 14:39:10 machost racoon[6271]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Sep  6 14:39:10 machost racoon[6271]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Sep  6 14:39:10 machost racoon[6271]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Sep  6 14:39:10 machost racoon[6271]: Connected.
Sep  6 14:39:30 machost racoon[6271]: IKE Packet: transmit success. (Information message).
Sep  6 14:39:30 machost racoon[6271]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Sep  6 14:39:30 machost racoon[6271]: IKE Packet: transmit success. (Information message).
Sep  6 14:39:30 machost racoon[6271]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Sep  6 14:39:31 machost racoon[6271]: Disconnecting. (Connection was up for, 21.058049 seconds).

And from the ppp side (with debugging turned up)
Sep  6 14:43:22 machost pppd[6334]: pppd 2.4.2 (Apple version 412.3) started by ttelford, uid 501
Sep  6 14:43:22 machost pppd[6334]: L2TP connecting to server 'pilot.pariahzero.net' (24.2.64.187)...
Sep  6 14:43:22 machost pppd[6334]: IPSec connection started
Sep  6 14:43:22 machost pppd[6334]: IPSec phase 1 client started
Sep  6 14:43:22 machost pppd[6334]: IPSec phase 1 server replied
Sep  6 14:43:23 machost pppd[6334]: IPSec phase 2 started
Sep  6 14:43:23 machost pppd[6334]: IPSec phase 2 established
Sep  6 14:43:23 machost pppd[6334]: IPSec connection established
Sep  6 14:43:23 machost pppd[6334]: L2TP sent SCCRQ
Sep  6 14:43:43 machost pppd[6334]: L2TP cannot connect to the server
Sep  6 14:43:43 machost pppd[6334]: host_gateway: write routing socket failed, No such process
Sep  6 14:43:43 machost pppd[6334]: Exit.

I use Shorewall for my firewall; I've got logging turned up for it as 
well - for now, I can see the following packet info:
Sep  6 14:47:36 gateway kernel: [229842.380038] Shorewall:vpn2fw:ACCEPT:IN=eth0 OUT= MAC=<blah> SRC=<foo> DST=<gateway's external IP> LEN=88 TOS=0x00 PREC=0x00 TTL=63 ID=52943 PROTO=UDP SPT=53790 DPT=1701 LEN=68

So it looks to me like the packets are getting through to xl2tpd... but 
nothing is coming back out...

Similarly, there is no 'ppp' interface of any kind; I had gathered that 
xl2tpd would create one; nothing's happening, so I'm confused there.

Then there's a bit of confusion on my part about netkey:  From what I 
gather, if eth1 is my 'external' interface and is connected to the 
internet directly, then with netkey, any incoming IPsec is decrypted 
and re-appears on eth1 again.

If I understand that correctly, then any existing firewall rules that 
block incoming connections to eth1 would have to be re-written, or else 
the decrypted IPsec traffic would be filtered by the firewall as 
well...  right?  (or am I wrong...)

Any guidance would be appreciated...
-- 
Troy Telford
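The firewall question at the end of the post (with NETKEY, the decrypted L2TP packet is seen by netfilter a second time on the same external interface, so interface-based DROP rules also hit it) is usually handled with the iptables `policy` match: accept UDP/1701 only when the packet was just decrypted from an IPsec SA, and refuse cleartext L2TP from the Internet. The script below is an added example written for this page; it is not from the original post, from Openswan or from xl2tpd, and it is raw iptables rather than Shorewall syntax. The interface name `eth0`, the `apply`/print mode and the helper functions are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan/xl2tpd projects):
# netfilter rules for an L2TP/IPsec server using the NETKEY stack.
#
# With NETKEY the ESP packet arrives on the external interface, the kernel
# decrypts it, and the inner UDP/1701 packet traverses INPUT again on the
# SAME interface. A blanket "-i $EXT_IF ... DROP" therefore also drops the
# decrypted L2TP traffic. The policy match (xt_policy) lets us accept
# UDP/1701 only when it came out of an IPsec SA, and drop it otherwise.

EXT_IF="${EXT_IF:-eth0}"    # assumed external interface (the post mentions eth0/eth1)
IPT="${IPT:-iptables}"      # assumed path to iptables

# Print the rules one per line; pass "apply" as $1 to execute them instead.
# Order matters: the IPsec-protected ACCEPT must precede the cleartext DROP.
l2tp_ipsec_rules() {
    mode="${1:-print}"
    while IFS= read -r rule; do
        if [ "$mode" = "apply" ]; then
            eval "$rule"
        else
            printf '%s\n' "$rule"
        fi
    done <<EOF
$IPT -A INPUT -i $EXT_IF -p udp --dport 500 -j ACCEPT
$IPT -A INPUT -i $EXT_IF -p udp --dport 4500 -j ACCEPT
$IPT -A INPUT -i $EXT_IF -p esp -j ACCEPT
$IPT -A INPUT -i $EXT_IF -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
$IPT -A INPUT -i $EXT_IF -p udp --dport 1701 -j DROP
$IPT -A OUTPUT -o $EXT_IF -p udp --sport 1701 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Number of rules that accept L2TP only when it arrived inside IPsec.
count_protected_l2tp() {
    l2tp_ipsec_rules | grep -c -- '--dport 1701 -m policy --dir in --pol ipsec' || true
}

# Number of rules that would accept cleartext UDP/1701 (should be zero).
cleartext_l2tp_accepted() {
    l2tp_ipsec_rules | grep -- '--dport 1701' | grep -v -- '-m policy' | grep -c ACCEPT || true
}

# Stand-alone use: print the rules, or apply them with "sh thisfile apply".
if [ "${1:-}" = "apply" ]; then
    l2tp_ipsec_rules apply
else
    l2tp_ipsec_rules
fi
```

The `policy` match needs the `xt_policy` kernel module; `--dir in` in INPUT matches packets that were decapsulated by the kernel's IPsec code, which is exactly the second pass described in the post. Because the explicit DROP for unprotected UDP/1701 sits after the protected ACCEPT, the L2TP port is never reachable in the clear even though it is open to the decrypted traffic.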
