[Openswan Users] OpenSWAN + xl2tpd failing tunnel transmission
Jim Lake
jlake at boingo.com
Mon Apr 18 17:05:09 EDT 2011
Updated configs, same results.
Any more ideas? :)
Thanks!
----
xl2tpd -D
-----
xl2tpd[28444]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[28444]: setsockopt recvref[22]: Protocol not available
xl2tpd[28444]: This binary does not support kernel L2TP.
xl2tpd[28444]: xl2tpd version xl2tpd-1.2.8 started on vpn-test PID:28444
xl2tpd[28444]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[28444]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[28444]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[28444]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[28444]: Listening on IP address 10.170.91.102, port 1701
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: get_call: allocating new tunnel for host 204.147.92.175, port 61031.
xl2tpd[28444]: handle_avps: handling avp's for tunnel 63055, call 0
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28444]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28444]: hostname_avp: peer reports hostname ''
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
xl2tpd[28444]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 15, call is 0.
xl2tpd[28444]: control_finish: sending SCCRP
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: get_call: allocating new tunnel for host 204.147.92.175, port 61031.
xl2tpd[28444]: handle_avps: handling avp's for tunnel 46315, call 0
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28444]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28444]: hostname_avp: peer reports hostname ''
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
xl2tpd[28444]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 15, call is 0.
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: build_fdset: closing down tunnel 46315
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: get_call: allocating new tunnel for host 204.147.92.175, port 61031.
xl2tpd[28444]: handle_avps: handling avp's for tunnel 40788, call 28398
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28444]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28444]: hostname_avp: peer reports hostname ''
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
xl2tpd[28444]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 15, call is 0.
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: build_fdset: closing down tunnel 40788
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: get_call: allocating new tunnel for host 204.147.92.175, port 61031.
xl2tpd[28444]: handle_avps: handling avp's for tunnel 22314, call 21624
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28444]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28444]: hostname_avp: peer reports hostname ''
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
xl2tpd[28444]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 15, call is 0.
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: build_fdset: closing down tunnel 22314
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: Maximum retries exceeded for tunnel 63055. Closing.
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: get_call: allocating new tunnel for host 204.147.92.175, port 61031.
xl2tpd[28444]: handle_avps: handling avp's for tunnel 27969, call 0
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28444]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28444]: hostname_avp: peer reports hostname ''
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
xl2tpd[28444]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 15, call is 0.
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: build_fdset: closing down tunnel 27969
xl2tpd[28444]: build_fdset: closing down tunnel 63055
xl2tpd[28444]: Connection 15 closed to 204.147.92.175, port 61031 (Timeout)
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: get_call: allocating new tunnel for host 204.147.92.175, port 61031.
xl2tpd[28444]: handle_avps: handling avp's for tunnel 22314, call 21624
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28444]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28444]: hostname_avp: peer reports hostname ''
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
xl2tpd[28444]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 15, call is 0.
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: build_fdset: closing down tunnel 22314
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: Maximum retries exceeded for tunnel 63055. Closing.
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: get_call: allocating new tunnel for host 204.147.92.175, port 61031.
xl2tpd[28444]: handle_avps: handling avp's for tunnel 27969, call 0
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[28444]: framing_caps_avp: supported peer frames: async sync
xl2tpd[28444]: hostname_avp: peer reports hostname ''
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
xl2tpd[28444]: control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 15, call is 0.
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: build_fdset: closing down tunnel 27969
xl2tpd[28444]: build_fdset: closing down tunnel 63055
xl2tpd[28444]: Connection 15 closed to 204.147.92.175, port 61031 (Timeout)
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: Unable to deliver closing message for tunnel 63055. Destroying anyway.
xl2tpd[28444]: network_thread: select returned error 4 (Interrupted system call)
xl2tpd[28444]: death_handler: Fatal signal 2 received
-----
Updated configs
-----
ipsec.conf
-----
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.170.90.0/23,%v4:!172.16.1.0/24
oe=off
protostack=netkey
# nhelpers=0
conn L2TP
authby=secret
auto=add
pfs=no
type=transport
rekey=no
left=10.170.91.102
leftid=50.18.124.10
leftnexthop=%defaultroute
leftprotoport=17/1701
right=%any
rightsubnet=vhost:%priv,%no,%all
rightprotoport=17/%any
forceencaps=yes
----
xl2tpd.conf
----
[global]
listen-addr = 10.170.91.102
ipsec saref = no
debug tunnel = yes
debug avp = yes
debug network = yes
debug state = yes
[lns default]
ip range = 172.16.1.100-172.16.1.200
local ip = 172.16.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
----
options.xl2tpd
----
ipcp-accept-local
ipcp-accept-remote
noccp
auth
#crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
dump
lock
proxyarp
name l2tpd
connect-delay 5000
ms-dns 4.2.2.1
----
Jim Lake
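The xl2tpd -D output above shows one pattern repeating: the server sends an SCCRP, the client keeps re-sending the same Start-Control-Connection-Request (xl2tpd logs "Peer requested tunnel 15 twice, ignoring second one"), and the tunnel finally dies with "Maximum retries exceeded" and a Timeout close. The script below is an added example, not part of this thread and not xl2tpd code: it scans a log in that format, counts those events per peer tunnel id, and reports when the server's reply evidently never reached the client. The sample log is constructed from lines of the thread's own output, and the regexes assume the xl2tpd 1.2.x debug strings shown above.

```python
"""Scan xl2tpd -D output for an L2TP control connection that never completes.

Added example; not part of the mailing-list thread and not xl2tpd code.
The sample log is constructed from lines of the thread's own xl2tpd -D output.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the xl2tpd -D output in the thread.
SAMPLE_LOG = """\
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: handle_avps: handling avp's for tunnel 63055, call 0
xl2tpd[28444]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: control_finish: sending SCCRP
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: handle_avps: handling avp's for tunnel 46315, call 0
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: build_fdset: closing down tunnel 46315
xl2tpd[28444]: network_thread: recv packet from 204.147.92.175, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[28444]: handle_avps: handling avp's for tunnel 40788, call 28398
xl2tpd[28444]: assigned_tunnel_avp: using peer's tunnel 15
xl2tpd[28444]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[28444]: network_thread: select timeout
xl2tpd[28444]: Maximum retries exceeded for tunnel 63055. Closing.
xl2tpd[28444]: build_fdset: closing down tunnel 63055
xl2tpd[28444]: Connection 15 closed to 204.147.92.175, port 61031 (Timeout)
"""

# Assumed xl2tpd 1.2.x debug strings, taken from the log in the thread.
RECV_RE = re.compile(r"recv packet from (\d+\.\d+\.\d+\.\d+)")
HANDLE_RE = re.compile(r"handle_avps: handling avp's for tunnel (\d+)")
PEER_TUNNEL_RE = re.compile(r"assigned_tunnel_avp: using peer's tunnel (\d+)")
SCCRP_RE = re.compile(r"control_finish: sending SCCRP")
DUP_RE = re.compile(r"Peer requested tunnel (\d+) twice")
RETRY_RE = re.compile(r"Maximum retries exceeded for tunnel (\d+)")
CLOSED_RE = re.compile(r"Connection (\d+) closed to [\d.]+, port \d+ \((\w+)\)")


def analyse(log_text):
    """Per peer-assigned tunnel id: SCCRQs received, SCCRPs sent, duplicates
    ignored, whether retries ran out, and how the connection ended."""
    stats = defaultdict(lambda: {"peer": None, "sccrq": 0, "sccrp_sent": 0,
                                 "duplicates": 0, "retries_exceeded": False,
                                 "closed": None})
    local_to_peer = {}   # xl2tpd's local tunnel id -> the peer's tunnel id
    peer = local = tunnel = None
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            peer = m.group(1)
            continue
        m = HANDLE_RE.search(line)
        if m:
            local = m.group(1)
            continue
        m = PEER_TUNNEL_RE.search(line)
        if m:
            tunnel = m.group(1)
            local_to_peer[local] = tunnel
            stats[tunnel]["peer"] = peer
            stats[tunnel]["sccrq"] += 1
            continue
        if SCCRP_RE.search(line) and tunnel is not None:
            stats[tunnel]["sccrp_sent"] += 1
            continue
        m = DUP_RE.search(line)
        if m:
            stats[m.group(1)]["duplicates"] += 1
            continue
        m = RETRY_RE.search(line)
        if m and m.group(1) in local_to_peer:
            # xl2tpd logs its local id here; map it back to the peer's id.
            stats[local_to_peer[m.group(1)]]["retries_exceeded"] = True
            continue
        m = CLOSED_RE.search(line)
        if m:
            stats[m.group(1)]["closed"] = m.group(2)
    return dict(stats)


def diagnose(stats):
    """Turn the counters into findings an operator can act on."""
    findings = []
    for tid, s in stats.items():
        if s["sccrp_sent"] and s["duplicates"] and s["closed"] == "Timeout":
            findings.append(
                f"tunnel {tid} from {s['peer']}: SCCRP sent {s['sccrp_sent']}x, "
                f"but the peer resent SCCRQ {s['sccrq']}x and the tunnel timed out; "
                "the reply is not reaching the client (check listen-addr, NAT-T/"
                "forceencaps and the virtual_private exclusions)")
        elif s["closed"]:
            findings.append(f"tunnel {tid} from {s['peer']}: closed ({s['closed']})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyse(SAMPLE_LOG)):
        print(finding)
```

Run it against a real capture with `analyse(open("/var/log/xl2tpd.log").read())`; a tunnel with SCCRP sent, repeated duplicates and a Timeout close means the problem is on the return path from UDP 1701 to the client, which is where the replies in this thread point.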
________________________________________
From: Paul Wouters [paul at xelerance.com]
Sent: Monday, April 18, 2011 1:38 PM
To: Jim Lake
Cc: users at openswan.org
Subject: Re: [Openswan Users] OpenSWAN + xl2tpd failing tunnel transmission
On Mon, 18 Apr 2011, Jim Lake wrote:
> As far as I can tell, my IPSec is coming up fine. The xl2tpd, though, can't seem to get a tunnel up and going. I have no idea what's wrong.
> # basic configuration
> config setup
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
You should exclude the range used by your NATed server here (10.170.91.0/24 ?)
> conn L2TP
> authby=secret
> auto=add
> pfs=no
> type=transport
> rekey=no
>
> left=10.170.91.102
> leftid=50.18.124.10
> leftnexthop=%defaultroute
> leftprotoport=17/1701
>
> right=%any
> rightsubnet=vhost:%priv,%no,%all
> rightprotoport=17/0
> forceencaps=yes
I hope you don't have actual blank lines there? That would mess things up.
Use rightprotoport=17/%any
> ----
> xl2tpd.conf
> ----
> [global]
> ipsec saref = no
> debug tunnel = yes
> debug avp = yes
> debug network = yes
> debug state = yes
Explicitly specify the listen-addr address in [global] in xl2tpd.conf? I
think you want:
listen-addr = 10.170.91.102
> [lns default]
> ip range = 172.16.1.100-172.16.1.200
> local ip = 172.16.1.1
These should then also be excluded from virtual_private=
> mtu 1410
> mru 1410
Note most clients use an mtu/mru of 1200 for L2TP.
Paul
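The reply above makes three concrete configuration points: exclude the server's own NATed subnet and the L2TP "ip range"/"local ip" addresses from virtual_private=, set listen-addr in xl2tpd.conf, and use rightprotoport=17/%any. The script below is an added example, not part of the thread and not Openswan or xl2tpd code: it reads both files with deliberately minimal parsers (assumed to be enough for the key=value and [section] layouts shown in the thread, not a replacement for Openswan's own parser), uses the ipaddress module to test whether any server address is still claimable as a roadwarrior's virtual IP, and checks the protoports. The sample configs are constructed from the thread's original and updated postings, so the original should fail and the updated one should pass.

```python
"""Check an Openswan + xl2tpd L2TP setup against the advice in the reply above.

Added example; not part of the thread and not Openswan or xl2tpd code. The
parsers are minimal (assumed sufficient for the files in the thread) and the
rules encode the reply's advice. Sample configs are constructed from the
thread's original and updated postings.
"""
import ipaddress

# Constructed: the ipsec.conf quoted in the reply (before the changes).
IPSEC_ORIGINAL = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn L2TP
    type=transport
    left=10.170.91.102
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%priv,%no,%all
    rightprotoport=17/0
"""
# Constructed: the same file after applying the reply's advice.
IPSEC_UPDATED = IPSEC_ORIGINAL.replace(
    "%v4:192.168.0.0/16",
    "%v4:192.168.0.0/16,%v4:!10.170.90.0/23,%v4:!172.16.1.0/24",
).replace("rightprotoport=17/0", "rightprotoport=17/%any")

XL2TPD_ORIGINAL = """\
[global]
ipsec saref = no
[lns default]
ip range = 172.16.1.100-172.16.1.200
local ip = 172.16.1.1
"""
XL2TPD_UPDATED = XL2TPD_ORIGINAL.replace(
    "[global]\n", "[global]\nlisten-addr = 10.170.91.102\n")


def parse_sections(text, is_header, comment):
    """Generic section reader: header lines open a dict, key=value lines fill it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(comment, 1)[0].strip()
        if not line:
            continue                       # blank lines are skipped, not fatal
        if is_header(line):
            current = line.strip("[]")     # "config setup", "conn L2TP", "global"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip()] = val.strip()
    return sections


def parse_ipsec_conf(text):
    return parse_sections(text, lambda l: "=" not in l, "#")


def parse_xl2tpd_conf(text):
    return parse_sections(text, lambda l: l.startswith("["), ";")


def parse_virtual_private(value):
    """Split virtual_private= into included and excluded ('!') IPv4 networks."""
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue                       # %v6: entries are out of scope here
        cidr = entry[len("%v4:"):]
        if cidr.startswith("!"):
            excluded.append(ipaddress.ip_network(cidr[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(cidr, strict=False))
    return included, excluded


def is_claimable(addr, included, excluded):
    """True if a roadwarrior could claim addr as its virtual (inner) IP."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in included) and not any(ip in n for n in excluded)


def check(ipsec_text, xl2tpd_text):
    """Return a list of problems; an empty list means both files pass."""
    problems = []
    ipsec, xl2tpd = parse_ipsec_conf(ipsec_text), parse_xl2tpd_conf(xl2tpd_text)
    included, excluded = parse_virtual_private(
        ipsec.get("config setup", {}).get("virtual_private", ""))

    # Addresses the server itself uses must not be claimable by a client.
    server_addrs = []
    glob = xl2tpd.get("global", {})
    if "listen-addr" in glob:
        server_addrs.append(("listen-addr", glob["listen-addr"]))
    else:
        problems.append("xl2tpd.conf [global] sets no listen-addr")
    for name, lns in xl2tpd.items():
        if name.startswith("lns"):
            if "local ip" in lns:
                server_addrs.append(("local ip", lns["local ip"]))
            if "ip range" in lns:
                lo, _, hi = lns["ip range"].partition("-")
                # Endpoints only; a range straddling an exclusion needs a finer check.
                server_addrs += [("ip range", lo.strip()), ("ip range", hi.strip())]
    for label, addr in server_addrs:
        if is_claimable(addr, included, excluded):
            problems.append(f"{label} {addr} lies inside virtual_private; "
                            "exclude its subnet with a %v4:! entry")

    # The reply's protoport advice, applied to every conn.
    for name, conn in ipsec.items():
        if name.startswith("conn "):
            if conn.get("rightprotoport") != "17/%any":
                problems.append(f"{name}: rightprotoport should be 17/%any")
            if conn.get("leftprotoport") != "17/1701":
                problems.append(f"{name}: leftprotoport should be 17/1701")
    return problems


if __name__ == "__main__":
    print("original:", check(IPSEC_ORIGINAL, XL2TPD_ORIGINAL))
    print("updated: ", check(IPSEC_UPDATED, XL2TPD_UPDATED))
```

Point it at live files with `check(open("/etc/ipsec.conf").read(), open("/etc/xl2tpd/xl2tpd.conf").read())`. The claimability test is the important part: an address that is both inside an included range and outside every `!` exclusion can be handed to a roadwarrior as its virtual IP, which is exactly the overlap the reply warns about for the NATed server and the L2TP pool.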