[Openswan Users] Stuck getting L2TP tunnel to work with OpenSwan & xl2tpd

Philip Colmer philip.colmer at linaro.org
Fri Aug 16 13:20:04 UTC 2013


Hi

I'm trying to configure an Ubuntu client to establish an IPSec/L2TP VPN
connection to a Check Point appliance. The appliance has been configured
and tested with a Windows client. I have limited flexibility on what I can
change configuration-wise on the appliance.

The Ubuntu client is running on Amazon EC2 for testing purposes and I've
configured the Amazon security to allow all TCP, UDP and ICMP packets in
and out between that host and the Check Point appliance.

The IPSec tunnel seems to be being set up correctly - it is the L2TP bit
I'm having trouble with, in that when I try to get the L2TP tunnel up,
xl2tpd reports it is trying to establish a connection but it isn't getting
a reply. If I compare the Check Point logs, I can see that when the Windows
client connects, there is an extra bit of communication going on that the
Ubuntu client isn't doing.

This is the log entry that a Windows client connection has but the Ubuntu
client doesn't:

Action:                              Key Install
Source:                             <Windows client IP address>
Destination:                     <CP appliance IP address>
User:                                 <L2TP_machine_user>
Information:                     IKE: Quick Mode Sent Notification: Responder Lifetime
Source Key ID:                 <value>
Destination Key ID:         <value>
Encryption Scheme:         IKE
IKE Initiator Cookie:         <value>
IKE Responder Cookie:   f<value>
IKE Phase2 Message ID: 00000001
VPN Peer Gateway:         <Windows client IP address>

Now, that doesn't translate to actual packets :-) Unfortunately, I've been
trying to decode the encrypted packets to better understand what is going
on here and failing.

Here is /etc/ipsec.conf:

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:172.24.0.0/16,%v4:192.168.0.0/16
    oe=off
    protostack=netkey
    plutoopts="--interface=eth0"

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=213.122.173.130
    rightid=192.168.254.1

Here is /etc/xl2tpd/xl2tpd.conf:

[lac vpn-connection]
lns = 213.122.173.130
refuse chap = yes
require pap = yes
require authentication = yes
name = <username>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

Here is /etc/ppp/options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-mschap-v2
require-pap
noccp
noauth
idle 1800
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name <username>
password <password>

Remember at the beginning that I said I couldn't really change much at the
Check Point end? One of the things I *have* to use is PAP. Unfortunately,
there don't seem to be any examples of PAP being used so that is possibly
one of the areas where I've got a problem ...

Any suggestions gratefully received :-)

Regards

Philip