[Openswan Users] Stuck getting L2TP tunnel to work with OpenSwan & xl2tpd
Philip Colmer
philip.colmer at linaro.org
Fri Aug 16 13:20:04 UTC 2013
Hi
I'm trying to configure an Ubuntu client to establish an IPSec/L2TP VPN
connection to a Check Point appliance. The appliance has been configured
and tested with a Windows client. I have limited flexibility on what I can
change configuration-wise on the appliance.
The Ubuntu client is running on Amazon EC2 for testing purposes and I've
configured the Amazon security to allow all TCP, UDP and ICMP packets in
and out between that host and the Check Point appliance.
The IPSec tunnel seems to be being set up correctly - it is the L2TP bit
I'm having trouble with, in that when I try to get the L2TP tunnel up,
xl2tpd reports it is trying to establish a connection but it isn't getting
a reply. If I compare the Check Point logs, I can see that when the Windows
client connects, there is an extra bit of communication going on that the
Ubuntu client isn't doing.
This is the log entry that a Windows client connection has but the Ubuntu
client doesn't:
Action: Key Install
Source: <Windows client IP address>
Destination: <CP appliance IP address>
User: <L2TP_machine_user>
Information: IKE: Quick Mode Sent Notification:
Responder Lifetime
Source Key ID: <value>
Destination Key ID: <value>
Encryption Scheme: IKE
IKE Initiator Cookie: <value>
IKE Responder Cookie: f<value>
IKE Phase2 Message ID: 00000001
VPN Peer Gateway: <Windows client IP address>
Now, that doesn't translate to actual packets :-) Unfortunately, I've been
trying to decode the encrypted packets to better understand what is going
on here and failing.
Here is /etc/ipsec,conf:
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:172.24.0.0/16,%v4:192.168.0.0/16
oe=off
protostack=netkey
plutoopts="--interface=eth0"
conn L2TP-PSK
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=yes
ikelifetime=8h
keylife=1h
type=transport
left=%defaultroute
leftnexthop=%defaultroute
leftprotoport=17/1701
right=213.122.173.130
rightid=192.168.254.1
Here is /etc/xl2tpd/xl2tpd.conf:
[lac vpn-connection]
lns = 213.122.173.130
refuse chap = yes
require pap = yes
require authentication = yes
name = <username>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
Here is /etc/ppp/options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-mschap-v2
require-pap
noccp
noauth
idle 1800
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name <username>
password <password>
Remember at the beginning that I said I couldn't really change much at the
Check Point end? One of the things I *have* to use is PAP. Unfortunately,
there don't seem to be any examples of PAP being used so that is possibly
one of the areas where I've got a problem ...
Any suggestions gratefully received :-)
Regards
Philip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130816/50fc49e3/attachment.html>
More information about the Users
mailing list