[Openswan Users] Trouble with OpenSwan and xl2tpd

Pascal Fuks Pascal at financial-art.be
Mon Jan 10 04:22:59 EST 2011


Hello,
I'm trying to set up a tunnel from an iPad to a Linux box running an xl2tpd server (attached to the network):
 - Debian 5.0.7
 - kernel 2.6.26-2-xen-amd64
 - self compiled version of Linux Openswan 2.6.32 (klips)
 - self compiled version 1.2.7 of xl2tpd (but strangely reporting xl2tpd version xl2tpd-1.2.6)
 - debian pppd version 2.4.4
 - eth0 = mypublicip (X.y.z.a)
 - dummy0 = myprivateip (10.31.135.254) - testbox

The IPsec tunnel comes up without any trouble (so ipsec.secrets is OK),
but L2TP has never worked.


**************
/etc/ipsec.conf
**************
config setup
    interfaces="%defaultroute"
    protostack=klips
    OE=off
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.31.135.0/24
    interfaces="ipsec0=eth0"

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=X.y.z.a
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear


**************
/etc/ipsec.secrets
**************
X.y.z.a %any : PSK "AVerySecretPassword"

**************
/etc/xl2tpd/xl2tpd.conf
**************
[global]
debug tunnel = yes
debug network = yes
debug state = yes
debug avp = yes

[lns default]
ip range = 10.31.135.2-10.31.135.250
local ip = 10.31.135.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpsvr
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

**************
/etc/ppp/options.xl2tpd
**************
ipcp-accept-local
ipcp-accept-remote
ms-dns  81.92.x.y
ms-dns  81.92.a.b
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000


l2tp:/usr/src/xl2tpd-1.2.7# xl2tpd -D
xl2tpd[5300]: setsockopt recvref[22]: Protocol not available
xl2tpd[5300]: This binary does not support kernel L2TP.
xl2tpd[5300]: xl2tpd version xl2tpd-1.2.6 started on l2tp.financialart.be PID:5300
xl2tpd[5300]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[5300]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[5300]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[5300]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[5300]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: get_call: allocating new tunnel for host 109.129.28.162, port 50750.
xl2tpd[5300]: handle_avps: handling avp's for tunnel 40687, call 0
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5300]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5300]: hostname_avp: peer reports hostname ''
xl2tpd[5300]: assigned_tunnel_avp: using peer's tunnel 76
xl2tpd[5300]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[5300]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 76, call is 0.
xl2tpd[5300]: control_finish: sending SCCRP
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: get_call: allocating new tunnel for host 109.129.28.162, port 50750.
xl2tpd[5300]: handle_avps: handling avp's for tunnel 21206, call 0
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5300]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5300]: hostname_avp: peer reports hostname ''
xl2tpd[5300]: assigned_tunnel_avp: using peer's tunnel 76
xl2tpd[5300]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[5300]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 76, call is 0.
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: build_fdset: closing down tunnel 21206
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: get_call: allocating new tunnel for host 109.129.28.162, port 50750.
xl2tpd[5300]: handle_avps: handling avp's for tunnel 16811, call 58064
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5300]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5300]: hostname_avp: peer reports hostname ''
xl2tpd[5300]: assigned_tunnel_avp: using peer's tunnel 76
xl2tpd[5300]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[5300]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 76, call is 0.
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: build_fdset: closing down tunnel 16811
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: get_call: allocating new tunnel for host 109.129.28.162, port 50750.
xl2tpd[5300]: handle_avps: handling avp's for tunnel 54191, call 56833
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5300]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5300]: hostname_avp: peer reports hostname ''
xl2tpd[5300]: assigned_tunnel_avp: using peer's tunnel 76
xl2tpd[5300]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[5300]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 76, call is 0.
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: build_fdset: closing down tunnel 54191
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: Maximum retries exceeded for tunnel 40687.  Closing.
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: get_call: allocating new tunnel for host 109.129.28.162, port 50750.
xl2tpd[5300]: handle_avps: handling avp's for tunnel 10323, call 0
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5300]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5300]: hostname_avp: peer reports hostname ''
xl2tpd[5300]: assigned_tunnel_avp: using peer's tunnel 76
xl2tpd[5300]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[5300]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 76, call is 0.
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: build_fdset: closing down tunnel 10323
xl2tpd[5300]: build_fdset: closing down tunnel 40687
xl2tpd[5300]: Connection 76 closed to 109.129.28.162, port 50750 (Timeout)
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: get_call: allocating new tunnel for host 109.129.28.162, port 50750.
xl2tpd[5300]: handle_avps: handling avp's for tunnel 57821, call 4499
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5300]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5300]: hostname_avp: peer reports hostname ''
xl2tpd[5300]: assigned_tunnel_avp: using peer's tunnel 76
xl2tpd[5300]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[5300]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 76, call is 0.
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: build_fdset: closing down tunnel 57821
xl2tpd[5300]: network_thread: select timeout
xl2tpd[5300]: Unable to deliver closing message for tunnel 40687. Destroying anyway.
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: get_call: allocating new tunnel for host 109.129.28.162, port 50750.
xl2tpd[5300]: handle_avps: handling avp's for tunnel 16436, call 38118
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5300]: framing_caps_avp: supported peer frames: async sync
xl2tpd[5300]: hostname_avp: peer reports hostname ''
xl2tpd[5300]: assigned_tunnel_avp: using peer's tunnel 76
xl2tpd[5300]: receive_window_size_avp: peer wants RWS of 4.  Will use flow control.
xl2tpd[5300]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 76, call is 0.
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: build_fdset: closing down tunnel 16436
xl2tpd[5300]: build_fdset: closing down tunnel 40687




Jan 10 09:32:08 l2tp ipsec__plutorun: Starting Pluto subsystem...
Jan 10 09:32:08 l2tp pluto[3276]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:3276
Jan 10 09:32:08 l2tp pluto[3276]: LEAK_DETECTIVE support [disabled]
Jan 10 09:32:08 l2tp pluto[3276]: OCF support for IKE [disabled]
Jan 10 09:32:08 l2tp pluto[3276]: SAref support [disabled]: Protocol not available
Jan 10 09:32:08 l2tp pluto[3276]: SAbind support [disabled]: Protocol not available
Jan 10 09:32:08 l2tp pluto[3276]: NSS support [disabled]
Jan 10 09:32:08 l2tp pluto[3276]: HAVE_STATSD notification support not compiled in
Jan 10 09:32:08 l2tp pluto[3276]: Setting NAT-Traversal port-4500 floating to on
Jan 10 09:32:08 l2tp pluto[3276]:    port floating activation criteria nat_t=1/port_float=1
Jan 10 09:32:08 l2tp pluto[3276]:    NAT-Traversal support  [enabled]
Jan 10 09:32:08 l2tp pluto[3276]: using /dev/urandom as source of random entropy
Jan 10 09:32:08 l2tp pluto[3276]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jan 10 09:32:08 l2tp pluto[3276]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jan 10 09:32:08 l2tp pluto[3276]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jan 10 09:32:08 l2tp pluto[3276]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 10 09:32:08 l2tp pluto[3276]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jan 10 09:32:08 l2tp pluto[3276]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan 10 09:32:08 l2tp pluto[3276]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan 10 09:32:08 l2tp pluto[3276]: no helpers will be started, all cryptographic operations will be done inline
Jan 10 09:32:08 l2tp pluto[3276]: Using KLIPS IPsec interface code on 2.6.26-2-xen-amd64
Jan 10 09:32:08 l2tp pluto[3276]: Changed path to directory '/etc/ipsec.d/cacerts'
Jan 10 09:32:08 l2tp pluto[3276]: Changed path to directory '/etc/ipsec.d/aacerts'
Jan 10 09:32:08 l2tp pluto[3276]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jan 10 09:32:08 l2tp pluto[3276]: Changing to directory '/etc/ipsec.d/crls'
Jan 10 09:32:08 l2tp pluto[3276]:   Warning: empty directory
Jan 10 09:32:08 l2tp pluto[3276]: added connection description "L2TP-PSK-NAT"
Jan 10 09:32:08 l2tp pluto[3276]: added connection description "L2TP-PSK-noNAT"
Jan 10 09:32:08 l2tp pluto[3276]: listening for IKE messages
Jan 10 09:32:08 l2tp pluto[3276]: adding interface ipsec0/eth0 81.92.226.188:500
Jan 10 09:32:08 l2tp pluto[3276]: adding interface ipsec0/eth0 81.92.226.188:4500
Jan 10 09:32:08 l2tp pluto[3276]: loading secrets from "/etc/ipsec.secrets"
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 10 10:10:31 l2tp pluto[3276]: packet from 109.129.28.162:500: received Vendor ID payload [Dead Peer Detection]
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: responding to Main Mode from unknown peer 109.129.28.162
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.11'
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #7: deleting connection "L2TP-PSK-NAT" instance with peer 109.129.28.162 {isakmp=#0/ipsec=#0}
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #7: new NAT mapping for #7, was 109.129.28.162:500, now 109.129.28.162:4500
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #7: Dead Peer Detection (RFC 3706): enabled
Jan 10 10:10:32 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #7: the peer proposed: 81.92.226.188/32:17/1701 -> 192.168.1.11/32:17/0
Jan 10 10:10:32 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8: responding to Quick Mode proposal {msgid:cbe4e6f7}
Jan 10 10:10:32 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8:     us: 81.92.226.188<81.92.226.188>[+S=C]:17/1701
Jan 10 10:10:32 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8:   them: 109.129.28.162[192.168.1.11,+S=C]:17/50750===192.168.1.11/32
Jan 10 10:10:32 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 10 10:10:32 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 10 10:10:33 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8: Dead Peer Detection (RFC 3706): enabled
Jan 10 10:10:33 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 10 10:10:33 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0c8ad036 <0x94f2b892 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=109.129.28.162:4500 DPD=enabled}

Pascal Fuks
Network & Security Consultant,
CEO / Managing Director,

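Added triage helper (not part of the post, and not code from the Openswan or xl2tpd projects): it reads `xl2tpd -D` output and pluto syslog lines of the kind shown above and reports, for each L2TP peer, whether the control handshake is failing in the one-way pattern visible in the log (SCCRQ received, SCCRP sent, client keeps retransmitting SCCRQ until the server's retries run out and the tunnel times out), and, from the pluto side, whether the IPsec SA is up, whether NAT-T/UDP encapsulation is in use, and which protocol/port selectors were negotiated. The sample lines are constructed from the post's own log; the function names, verdict strings and the note texts are mine; the SCCRQ/SCCCN message numbers come from RFC 2661.

```python
import re
from collections import Counter

# Constructed samples modelled on the xl2tpd -D and pluto lines in the post,
# trimmed to what the triage needs (same peer address as the post).
XL2TPD_SAMPLE = """\
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: control_finish: sending SCCRP
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: network_thread: recv packet from 109.129.28.162, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[5300]: message_type_avp: message type 1 (Start-Control-Connection-Request)
xl2tpd[5300]: control_finish: Peer requested tunnel 76 twice, ignoring second one.
xl2tpd[5300]: Maximum retries exceeded for tunnel 40687.  Closing.
"""
PLUTO_SAMPLE = """\
Jan 10 10:10:31 l2tp pluto[3276]: "L2TP-PSK-NAT"[6] 109.129.28.162 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jan 10 10:10:32 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #7: the peer proposed: 81.92.226.188/32:17/1701 -> 192.168.1.11/32:17/0
Jan 10 10:10:33 l2tp pluto[3276]: "L2TP-PSK-NAT"[7] 109.129.28.162 #8: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0c8ad036 <0x94f2b892 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=109.129.28.162:4500 DPD=enabled}
"""

RE_RECV = re.compile(r"recv packet from (?P<ip>[\d.]+),")
RE_MSGTYPE = re.compile(r"message type (?P<num>\d+) \(")
RE_DUP = re.compile(r"Peer requested tunnel \d+ twice")
RE_RETRY = re.compile(r"Maximum retries exceeded for tunnel")
RE_NATT = re.compile(r"NAT-Traversal: Result using .*: (?P<result>.+)$")
RE_PROPOSED = re.compile(r"the peer proposed: \S+:\d+/(?P<lport>\d+) -> \S+:\d+/(?P<rport>\d+)")
RE_SA = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{(?P<attrs>[^}]*)\}")
SCCRQ, SCCCN = 1, 3  # L2TP control message types (RFC 2661); SCCRP is 2

def diagnose_l2tp(xl2tpd_text):
    """Count handshake events per peer IP and derive a verdict for each peer."""
    peers, cur = {}, None
    for line in xl2tpd_text.splitlines():
        if (m := RE_RECV.search(line)):
            cur = peers.setdefault(m.group("ip"), Counter())
        elif cur is None:
            continue                       # nothing attributable to a peer yet
        elif (m := RE_MSGTYPE.search(line)):
            num = int(m.group("num"))
            cur["sccrq" if num == SCCRQ else "scccn" if num == SCCCN else "other"] += 1
        elif "sending SCCRP" in line:
            cur["sccrp_sent"] += 1
        elif RE_DUP.search(line):
            cur["dup_sccrq"] += 1          # client retransmitted SCCRQ: it never saw our SCCRP
        elif RE_RETRY.search(line):
            cur["retries_exceeded"] += 1   # our own SCCRP retransmissions ran out
    return {ip: dict(c, verdict=_verdict(c)) for ip, c in peers.items()}

def _verdict(c):
    if c["scccn"]:
        return "control-connection-established"
    if c["sccrp_sent"] and c["dup_sccrq"] and c["retries_exceeded"]:
        return "one-way-control-channel"   # SCCRQ reaches us, SCCRP never reaches the client
    return "no-sccrq-received" if not c["sccrq"] else "inconclusive"

def summarize_ipsec(pluto_text):
    """Pull out what matters for L2TP: SA mode, NAT-T state and the negotiated ports."""
    info = {"sa_established": False, "mode": None, "udp_encap": False,
            "natd_peer": None, "nat_result": None, "local_port": None, "remote_port": None}
    for line in pluto_text.splitlines():
        if (m := RE_NATT.search(line)):
            info["nat_result"] = m.group("result").strip()
        elif (m := RE_PROPOSED.search(line)):
            info["local_port"] = int(m.group("lport"))
            info["remote_port"] = int(m.group("rport"))   # 0 means "any port"
        elif (m := RE_SA.search(line)):
            attrs = dict(t.split("=", 1) for t in m.group("attrs").split() if "=" in t)
            info.update(sa_established=True, mode=m.group("mode"),
                        udp_encap="ESP/NAT" in attrs, natd_peer=attrs.get("NATD"))
    return info

def triage(xl2tpd_text, pluto_text):
    """Combine both views into a short list of things to verify next."""
    ipsec, l2tp = summarize_ipsec(pluto_text), diagnose_l2tp(xl2tpd_text)
    notes = []
    if not ipsec["sa_established"]:
        notes.append("No IPsec SA: fix IKE/PSK before looking at L2TP.")
    for ip, d in l2tp.items():
        if d["verdict"] == "one-way-control-channel":
            notes.append(f"{ip}: SCCRQ arrives and SCCRP is sent, but the client never sees it. "
                         "Capture on the public interface: replies to UDP 1701 must leave as "
                         f"ESP-in-UDP towards {ipsec['natd_peer']}, not in the clear and not dropped.")
    if ipsec["remote_port"] == 0:
        notes.append("Client selector is port 0 (any): rightprotoport=17/%any is required.")
    return {"ipsec": ipsec, "l2tp": l2tp, "notes": notes}

if __name__ == "__main__":
    for note in triage(XL2TPD_SAMPLE, PLUTO_SAMPLE)["notes"]:
        print("-", note)
```

To use it on a real box, replace the two sample strings with the contents of the xl2tpd debug output and the pluto lines from syslog. The verdict deliberately requires all three signals (SCCRP sent, duplicate SCCRQ seen, retries exhausted) before calling the control channel one-way, so a single retransmission on a lossy link is not misreported.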