[Openswan Users] No L2TP after update to 2.39 (nev at itsnev.co.uk)

nev at itsnev.co.uk nev at itsnev.co.uk
Thu Aug 15 08:33:27 UTC 2013


Hi,

Anyone got any ideas?

Tx
Nev

----------------------------------------------------------------------

Message: 1
Date: Thu, 8 Aug 2013 15:01:48 +0100
From: <nev at itsnev.co.uk>
To: <users at lists.openswan.org>
Subject: [Openswan Users] No L2TP after update to 2.39
Message-ID: <010201ce943f$d3008440$79018cc0$@itsnev.co.uk>
Content-Type: text/plain; charset="us-ascii"

Hi All,

I just upgraded from 2.38 to 2.39 and can see the IPSEC tunnel established,
but there is NOTHING being passed to XL2TPD?

Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.39/K2.6.32-279.11.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
Pluto listening for IKE on udp 500                     [OK]
Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)           [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [IP XFRM BROKEN]
Checking 'iptables' command                             [OK]

Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: received Vendor ID payload [RFC 3947] method set to=115
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug  8 14:50:04 ssl9 pluto[27321]: packet from A.B.C.D:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: responding to Main Mode from unknown peer A.B.C.D
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.107'
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[3] A.B.C.D #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: deleting connection "L2TP-PSK-NAT" instance with peer A.B.C.D {isakmp=#0/ipsec=#0}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: new NAT mapping for #3, was A.B.C.D:500, now A.B.C.D:44116
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: the peer proposed: W.X.Y.Z/32:17/1701 -> 192.168.1.107/32:17/0
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: responding to Quick Mode proposal {msgid:01000000}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:     us: W.X.Y.Z:17/1701---W.X.Y.Z
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4:   them: A.B.C.D[192.168.1.107]:17/1701===192.168.1.107/32
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xaf04dd26 <0xd0ed4241 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.107 NATD=A.B.C.D:44116 DPD=none}

# basic configuration
config setup
        #dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:172.19.0.0/12;%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        nhelpers=0

# Add connections here
conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        dpdaction=clear
        dpdtimeout=120
        dpddelay=3
        type=transport
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

conn passthrough-for-non-l2tp
        type=passthrough
        left=%defaultroute
        leftnexthop=W.X.Y.Z
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route


[root@ssl9 xl2tpd]# more xl2tpd.conf

[global]
;listen-addr = W.X.Y.Z
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; forceuserspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 10.200.11.2-10.200.11.254
local ip = 10.200.10.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = no
name = OpenSwanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Many Thanks
Nev
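The `ipsec verify` output and the pluto log in the post are regular enough to check mechanically rather than by eye. The script below is an added example written for this page; it is not code from the post, from Openswan or from xl2tpd. It embeds a few of the lines quoted above as constructed string literals (wrapped lines rejoined, the A.B.C.D / W.X.Y.Z placeholders kept), lists the verify checks that did not come back OK, extracts the Phase 1 and Phase 2 parameters and the selectors the peer proposed, and confirms that IKE completed with a transport-mode SA for UDP/1701, so the missing L2TP traffic the post describes has to be chased after IKE negotiation. It also splits the posted virtual_private= value on commas, the separator ipsec.conf(5) documents, and reports any entry that is not a single %v4:/%v6: network; the posted value rejoins to one such entry, `%v4:172.19.0.0/12;%v4:25.0.0.0/8`. The regular expressions, the `Negotiation` class and the function names are my own assumptions about pluto's log format, derived only from the lines shown here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the `ipsec verify` output and of the
# pluto log lines quoted in the post (wrapped lines rejoined; the
# A.B.C.D / W.X.Y.Z placeholders are kept as the poster used them).
VERIFY_OUTPUT = """\
Version check and ipsec on-path                         [OK]
Checking for IPsec support in kernel                    [OK]
Hardware random device check                            [N/A]
Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [IP XFRM BROKEN]
Checking 'iptables' command                             [OK]
"""

PLUTO_LOG = """\
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #3: the peer proposed: W.X.Y.Z/32:17/1701 -> 192.168.1.107/32:17/0
Aug  8 14:50:04 ssl9 pluto[27321]: "L2TP-PSK-NAT"[4] A.B.C.D #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xaf04dd26 <0xd0ed4241 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.107 NATD=A.B.C.D:44116 DPD=none}
"""

# The virtual_private value from the posted ipsec.conf, with its wrapped line rejoined.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
                   "%v4:172.19.0.0/12;%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10")

VERIFY_RE = re.compile(r"^(?P<check>.+?)\s+\[(?P<status>[^\]]+)\]\s*$")
# Statuses that are not failures: passed, not applicable, or a feature pluto does not offer.
VERIFY_BENIGN = {"OK", "N/A", "NOT IMPLEMENTED"}

def failed_verify_checks(text: str) -> List[Tuple[str, str]]:
    """Return (check, status) for every `ipsec verify` line whose status is not benign."""
    failed = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if m and m.group("status") not in VERIFY_BENIGN:
            failed.append((m.group("check").strip(), m.group("status")))
    return failed

# Assumed shape of a pluto connection log line: 'pluto[pid]: "conn"[inst] peer #sa: message'
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
PROPOSAL_RE = re.compile(r"the peer proposed: (?P<lip>\S+)/\d+:(?P<lproto>\d+)/(?P<lport>\d+) -> "
                         r"(?P<rip>\S+)/\d+:(?P<rproto>\d+)/(?P<rport>\d+)")
MODE_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode")

def parse_params(msg: str) -> Dict[str, object]:
    """Turn the 'key=value ...' block inside pluto's {...} into a dict; bare tokens become flags."""
    m = re.search(r"\{([^}]*)\}", msg)
    params: Dict[str, object] = {}
    if m:
        for tok in m.group(1).split():
            key, sep, value = tok.partition("=")
            params[key] = value if sep else True
    return params

@dataclass
class Negotiation:
    conn: Optional[str] = None
    isakmp: Dict[str, object] = field(default_factory=dict)  # Phase 1 (Main Mode) parameters
    ipsec: Dict[str, object] = field(default_factory=dict)   # Phase 2 (Quick Mode) parameters
    mode: Optional[str] = None                               # "transport" or "tunnel"
    proposal: Dict[str, str] = field(default_factory=dict)   # selectors the peer proposed

def summarize_pluto_log(text: str) -> Negotiation:
    """Extract Phase 1/Phase 2 establishment and the proposed selectors from pluto log lines."""
    neg = Negotiation()
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        neg.conn = m.group("conn")
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            neg.isakmp = parse_params(msg)
        elif "IPsec SA established" in msg:
            neg.ipsec = parse_params(msg)
            mode = MODE_RE.search(msg)
            neg.mode = mode.group("mode") if mode else None
        else:
            p = PROPOSAL_RE.search(msg)
            if p:
                neg.proposal = p.groupdict()
    return neg

def l2tp_sa_ready(neg: Negotiation) -> bool:
    """True when both phases completed and the Phase 2 SA is transport mode for UDP/1701 on our
    side: IKE is then not the failing part, and a missing L2TP session has to be chased downstream
    (kernel XFRM policy/SA handling, delivery of the decapsulated UDP/1701 packets to xl2tpd)."""
    return (bool(neg.isakmp) and bool(neg.ipsec) and neg.mode == "transport"
            and neg.proposal.get("lproto") == "17" and neg.proposal.get("lport") == "1701")

def peer_is_nated(neg: Negotiation) -> bool:
    """NAT-OA in the Phase 2 parameters means the client is behind NAT and ESP is UDP-encapsulated."""
    return "NATOA" in neg.ipsec

# An entry is a single %v4: or %v6: network, optionally negated with '!'.
VP_ENTRY_RE = re.compile(r"^%v[46]:!?[0-9A-Fa-f.:]+/\d{1,3}$")

def malformed_virtual_private(value: str) -> List[str]:
    """Split a virtual_private= value on commas (the separator ipsec.conf(5) documents) and
    return the entries that are not a single network, e.g. two networks joined by ';'."""
    return [e.strip() for e in value.split(",") if not VP_ENTRY_RE.match(e.strip())]

if __name__ == "__main__":
    for check, status in failed_verify_checks(VERIFY_OUTPUT):
        print(f"verify: {check}: {status}")
    neg = summarize_pluto_log(PLUTO_LOG)
    print(f"{neg.conn}: phase1 {neg.isakmp.get('cipher')}/{neg.isakmp.get('group')}, "
          f"phase2 {neg.mode} {neg.ipsec.get('xfrm')}, peer NATed={peer_is_nated(neg)}, "
          f"L2TP SA ready={l2tp_sa_ready(neg)}")
    print("virtual_private entries to check:", malformed_virtual_private(VIRTUAL_PRIVATE))
```

Run it as-is and it reports the two verify lines that are easy to skim past in the raw output, `[TEST INCOMPLETE]` for NAT/MASQUERADE and `[IP XFRM BROKEN]` for the `ip` command. With protostack=netkey, `ip xfrm state` and `ip xfrm policy` are the tools for inspecting the kernel SAs and policies that the established Phase 2 SA should have installed, so a broken `ip xfrm` is worth resolving before looking at xl2tpd. The virtual_private check only flags the joined entry; whether Openswan tolerates it is not something this thread establishes.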
