[Openswan Users] OpenSWAN + xl2tpd failing tunnel transmission

Jim Lake jlake at boingo.com
Mon Apr 18 16:07:14 EDT 2011


Hey All,

I've been working on this for quite a few days now, with a bunch of different configurations and very little luck.  Can someone tell me what I'm doing wrong?

It's a basic ipsec + l2tp tunnel setup.  Server behind 1-to-1 NAT, client behind NAT.  Using NAT-T, all UDP ports on the server wide open.  Server is Ubuntu 10.04, client is Mac (same behavior on windows and iphone as far as I can tell).

As far as I can tell, my IPSec is coming up fine.  The xl2tpd, though, can't seem to get a tunnel up and going.  I have no idea what's wrong.

Anyone help me out?

Thanks!

Jim Lake

----
From xl2tpd -D
----
xl2tpd[28084]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[28084]: setsockopt recvref[22]: Protocol not available
xl2tpd[28084]: This binary does not support kernel L2TP.
xl2tpd[28084]: xl2tpd version xl2tpd-1.2.8 started on vpn-test PID:28084
xl2tpd[28084]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[28084]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[28084]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[28084]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[28084]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.
xl2tpd[28084]: handle_avps: handling avp's for tunnel 26590, call 0
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28084]: hostname_avp: peer reports hostname ''
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 12, call is 0.
xl2tpd[28084]: control_finish: sending SCCRP
xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.
xl2tpd[28084]: handle_avps: handling avp's for tunnel 7777, call 0
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28084]: hostname_avp: peer reports hostname ''
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 12, call is 0.
xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[28084]: build_fdset: closing down tunnel 7777
xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.
xl2tpd[28084]: handle_avps: handling avp's for tunnel 52152, call 48548
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28084]: hostname_avp: peer reports hostname ''
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 12, call is 0.
xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[28084]: build_fdset: closing down tunnel 52152
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.
xl2tpd[28084]: handle_avps: handling avp's for tunnel 36706, call 35480
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28084]: hostname_avp: peer reports hostname ''
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 12, call is 0.
xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[28084]: build_fdset: closing down tunnel 36706
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: Maximum retries exceeded for tunnel 26590.  Closing.
xl2tpd[28084]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28084]: get_call: allocating new tunnel for host 204.147.92.175, port 49911.
xl2tpd[28084]: handle_avps: handling avp's for tunnel 43061, call 0
xl2tpd[28084]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28084]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28084]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28084]: hostname_avp: peer reports hostname ''
xl2tpd[28084]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[28084]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[28084]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 12, call is 0.
xl2tpd[28084]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
xl2tpd[28084]: build_fdset: closing down tunnel 43061
xl2tpd[28084]: build_fdset: closing down tunnel 26590
xl2tpd[28084]: Connection 12 closed to 204.147.92.175, port 49911 (Timeout)
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: network_thread: select timeout
xl2tpd[28084]: Unable to deliver closing message for tunnel 26590. Destroying anyway.

---
From client:
---
4/18/11 1:02:19 PM pppd[15938] IPSec connection started
4/18/11 1:02:19 PM racoon[15917] Connecting.
4/18/11 1:02:19 PM racoon[15917] IKE Packet: transmit success. (Initiator, Main-Mode message 1).
4/18/11 1:02:19 PM racoon[15917] IKE Packet: receive success. (Initiator, Main-Mode message 2).
4/18/11 1:02:19 PM racoon[15917] IKE Packet: transmit success. (Initiator, Main-Mode message 3).
4/18/11 1:02:19 PM racoon[15917] IKE Packet: receive success. (Initiator, Main-Mode message 4).
4/18/11 1:02:19 PM racoon[15917] IKE Packet: transmit success. (Initiator, Main-Mode message 5).
4/18/11 1:02:19 PM racoon[15917] IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
4/18/11 1:02:19 PM racoon[15917] IKE Packet: receive success. (Initiator, Main-Mode message 6).
4/18/11 1:02:19 PM racoon[15917] IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
4/18/11 1:02:19 PM racoon[15917] IKE Packet: transmit success. (Information message).
4/18/11 1:02:19 PM racoon[15917] IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
4/18/11 1:02:20 PM racoon[15917] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
4/18/11 1:02:20 PM racoon[15917] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
4/18/11 1:02:20 PM racoon[15917] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
4/18/11 1:02:20 PM racoon[15917] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
4/18/11 1:02:20 PM pppd[15938] IPSec connection established
4/18/11 1:02:40 PM pppd[15938] L2TP cannot connect to the server
4/18/11 1:02:40 PM racoon[15917] IKE Packet: transmit success. (Information message).
4/18/11 1:02:40 PM racoon[15917] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
4/18/11 1:02:40 PM racoon[15917] IKE Packet: transmit success. (Information message).
4/18/11 1:02:40 PM racoon[15917] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).


From auth.log:
----
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: responding to Main Mode from unknown peer 204.147.92.175
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: Main mode peer ID is ID_IPV4_ADDR: '10.7.7.178'
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[1] 204.147.92.175 #1: switched from "L2TP" to "L2TP"
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: deleting connection "L2TP" instance with peer 204.147.92.175 {isakmp=#0/ipsec=#0}
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: new NAT mapping for #1, was 204.147.92.175:500, now 204.147.92.175:4500
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 18 19:59:09 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: received and ignored informational message
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #1: the peer proposed: 50.18.124.10/32:17/1701 -> 10.7.7.178/32:17/0
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: responding to Quick Mode proposal {msgid:23c0fdc5}
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2:     us: 10.170.91.102<10.170.91.102>[50.18.124.10,+S=C]:17/1701---10.170.90.1
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2:   them: 204.147.92.175[10.7.7.178,+S=C]:17/0===10.7.7.178/32
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 18 19:59:10 ip-10-170-91-102 pluto[28026]: "L2TP"[2] 204.147.92.175 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0950fbf7 <0xa1d4b208 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=204.147.92.175:4500 DPD=none}
----

Config files.

----
ipsec.conf
----
# ipsec.conf for the server (responder) side of an L2TP/IPsec road-warrior setup.
# The server sits behind 1-to-1 NAT: its interface address is 10.170.91.102 but
# peers reach it at 50.18.124.10, which is why left= and leftid= differ below.
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
# NAT Traversal (UDP/4500 encapsulation). The pluto log above reports
# "both are NATed", so this is exercised on every connection.
         nat_traversal=yes
# Private ranges a NATed peer may present as its inner address (see vhost:%priv
# in the conn). NOTE(review): the server's own 10.170.x.x LAN falls inside
# 10.0.0.0/8 and is not excluded here (the %v4:!... form) - confirm no local
# subnet needs to be carved out.
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
# Opportunistic encryption off: only explicitly configured conns are used.
         oe=off
# Native Linux kernel IPsec stack (NETKEY/XFRM).
         protostack=netkey
#         nhelpers=0

# Road-warrior L2TP/IPsec connection: loaded but never initiated by us,
# authenticated with a pre-shared key.
conn L2TP
# PSK authentication; auth.log shows auth=OAKLEY_PRESHARED_KEY being negotiated.
# One PSK shared by all road-warrior clients is only as secret as its weakest holder.
         authby=secret
# Load the conn and wait for peers (right=%any); do not initiate.
         auto=add
# No Phase 2 PFS and no server-initiated rekeying, so forward secrecy of the ESP
# SA is limited to what Phase 1 provides - confirm this is intended.
         pfs=no
# Transport mode is what L2TP/IPsec clients negotiate (auth.log: "transport mode").
         type=transport
         rekey=no
# NOTE(review): with no ike=/esp= lines the client's proposal is accepted as is;
# auth.log shows 3DES/SHA1/modp1024 for IKE and AES_128-HMAC_SHA1 for ESP.
# Restricting ike= would stop weaker proposals being accepted from other clients.

# Local side: interface address (private, behind NAT) and the public identity
# presented to peers.
         left=10.170.91.102
         leftid=50.18.124.10
         leftnexthop=%defaultroute
# Protect only L2TP: UDP port 1701 on our side...
         leftprotoport=17/1701

# Remote side: any peer, which may be NATed (vhost:%priv), not NATed (%no) or
# carry any address (%all).
         right=%any
         rightsubnet=vhost:%priv,%no,%all
# ...from any UDP source port on the client (this client used 49911 per the
# xl2tpd log).
         rightprotoport=17/0
# Always UDP-encapsulate ESP, even where NAT detection would say it is unnecessary.
         forceencaps=yes

----
xl2tpd.conf
----
; xl2tpd.conf: L2TP daemon configuration for the server (LNS) side.
[global]
; Do not try IPsec SAref tracking; the daemon log above reports it is not
; supported with L2TP kernel mode in this build and forceuserspace=yes is
; enabled automatically.
ipsec saref = no
; Verbose tracing - this is what produces the "xl2tpd -D" output quoted above.
; Worth switching off once the problem is resolved.
debug tunnel = yes
debug avp = yes
debug network = yes
debug state = yes

[lns default]
; Address pool handed to dial-in PPP peers, and the server's own PPP address.
ip range = 172.16.1.100-172.16.1.200
local ip = 172.16.1.1
; CHAP and PAP are both rejected and authentication is mandatory; presumably
; MS-CHAP(v2) is the method that remains - confirm against the pppd setup.
refuse chap = yes
refuse pap = yes
require authentication = yes
; Pass "debug" to pppd and point it at the options file shown below.
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
; Set the L (length) bit in L2TP data packets.
length bit = yes
----
options.xl2tpd
----
# /etc/ppp/options.xl2tpd: pppd options for L2TP sessions (named in xl2tpd.conf).
# Accept the peer's proposals for both the local and the remote IPCP address.
ipcp-accept-local
ipcp-accept-remote
# No CCP, hence no MPPE; confidentiality is provided by the IPsec layer underneath.
noccp
# Require the peer to authenticate itself.
auth
#crtscts
# Drop the link after 1800 s (30 min) without traffic.
idle 1800
# Below pppd's 1500 default - presumably to leave room for L2TP/PPP/ESP/UDP
# overhead; confirm against the path MTU.
mtu 1410
mru 1410
# Never replace the server's default route with the PPP link.
nodefaultroute
# Log negotiation and dump the full option set in effect.
debug
dump
# UUCP-style lock on the tty device.
lock
# Answer ARP for the client's PPP address on the server's LAN interface.
proxyarp
# Local name used when looking up secrets for the peer.
name l2tpd
# Wait up to 5000 ms for a valid PPP packet after the link comes up.
connect-delay 5000
# DNS server advertised to the client via IPCP.
ms-dns 4.2.2.1
----