[Openswan Users] xl2tpd never receiving or replying to packets

Rob Emanuele rje at shoreis.com
Sat Jun 8 23:08:54 UTC 2013 

So I can get this working without a NAT connection (commented out below). 
Why would the L2TP-PSK-NAT connection not pass packets to xl2tpd?

Thank you,

Rob

==== ipsec.conf ====
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from
below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd
private"
        # eg:
        #plutodebug="all"
        # Again: only enable plutodebug or klipsdebug when asked by a
developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the
core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24 #
It seems that T-Mobile in the US and Rogers/Fido in Canada are #
using 25/8 as "private" address space on their 3G network. # This
range has not been announced via BGP (at least upto
2010-12-21)
        #
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.10.9.0/24,%v4:!10.10.10.0/24,%v4:!192.168.113.0/24
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
        # which IPsec stack to use. auto will try netkey, then klips then
mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded
systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

#conn L2TP-PSK-NAT
#       rightsubnet=vhost:%priv
#       also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        #Apple iOS doesn't send delete notify so we need dead peer
detection
        # to detect vanishing clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
ikelifetime=8h
        keylife=1h
        type=transport
        # Replace IP address with your local IP (private, behind NAT IP is
okay as well)
        #left=192.168.113.252
        #left=%defaultroute
        left=OUR_EXTERNAL_IP
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        #force all to be nat'ed. because of iOS
        forceencaps=yes



==== xl2tpd.conf ====
[global]

[lns default]
ip range = 192.168.113.176-192.168.113.200
local ip = 192.168.113.252
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver2
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes



> no it is ikev1
> sent from a tiny device
> On 2013-06-08, at 15:10, Thomas York <straterra at fuhell.com> wrote:
>> That requires IKEv2, right? I looked at that until I noticed that
XP/ios
>> support was lacking.
>> On Jun 8, 2013 5:19 AM, "Leto" <letoams at gmail.com> wrote:
>>> try using xauth/mode config and avoid l2tp so you don't need saref.
libreswan and strongswan support it. I am working on the libreswan doc
site, so bug me in a few days
>>> sent from a tiny device
>>> On 2013-06-08, at 3:17, Thomas York <straterra at fuhell.com> wrote:
>>>> Try running a strace on xl2tpd while connecting. If it's the same
issue I've seen, you should see errors with every packet. I've only
seen this with Debian and Ubuntu with SARef. However, it works
perfectly for me on RHEL.
>>>> Unfortunately, I haven't been able to find a fix. I was told to ask
the mailing list, but haven't gotten around to it.
>>>> -Thomas York
>>>> On Jun 7, 2013 6:36 PM, "Rob Emanuele" <rje at shoreis.com> wrote:
>>>>> Greetings,
>>>>> I'm trying to set up a new ipsec/l2tp vpn server on Ubuntu 13.04.  They
>>>>> have an FC5 system that they want to upgrade since it has a NAT-T
bug
>>>>> where two clients behind the same NAT address cannot connect
simultaneously.  We never see any log messages that log data into
xl2tpd.
>>>>> We do see an ipsec SA established.  We do see ESP data coming into
the box
>>>>> with tcpdump.
>>>>> I'm wondering if my kernel isn't passing the data to xl2tpd
correctly
>>>>> or
>>>>> at all.  Would you guys have any suggestions for debugging it
further?  Do
>>>>> we need any particular sysctl settings other than ipv4 forwarding?
Notes on our set up below.
>>>>> Thank you,
>>>>> Rob
>>>>> Versions:
>>>>> Linux vpnserver2 3.8.0-23-generic #34-Ubuntu SMP Wed May 29 20:24:54
UTC
>>>>> 2013 i686 i686 i686 GNU/Linux
>>>>> xl2tpd  1.3.1+dfsg-1
>>>>> openswan 1:2.6.38-1
>>>>> ipsec.conf ===========
>>>>> config setup
>>>>>     nat_traversal=yes
>>>>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
#contains the networks that are allowed as subnet= for the
remote
>>>>> client. In other words, the address ranges that may live behind a
NAT
>>>>> router through which a client connects.
>>>>>     oe=off
>>>>>     protostack=netkey
>>>>> conn L2TP-PSK-NAT
>>>>>     rightsubnet=vhost:%priv
>>>>>     also=L2TP-PSK-noNAT
>>>>> conn L2TP-PSK-noNAT
>>>>>     authby=secret
>>>>>     pfs=no
>>>>>     auto=add
>>>>>     keyingtries=3
>>>>>     rekey=no
>>>>>     # Apple iOS doesn't send delete notify so we need dead peer
>>>>> detection
>>>>>     # to detect vanishing clients
>>>>>     dpddelay=30
>>>>>     dpdtimeout=120
>>>>>     dpdaction=clear
>>>>>     # Set ikelifetime and keylife to same defaults windows has
ikelifetime=8h
>>>>>     keylife=1h
>>>>>     type=transport
>>>>>     # Replace IP address with your local IP (private, behind NAT IP
>>>>> is
>>>>> okay as well)
>>>>>     left=<OUR EXTERNAL IP>
>>>>>     # For updated Windows 2000/XP clients,
>>>>>     # to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
>>>>>     right=%any
>>>>>     rightprotoport=17/%any
>>>>>     #force all to be nat'ed. because of iOS
>>>>>     forceencaps=yes
>>>>> xl2tpd.conf ===========
>>>>> [lns default]
>>>>> ip range = 192.168.113.176-192.168.113.200
>>>>> local ip = 192.168.113.252
>>>>> require chap = yes
>>>>> refuse pap = yes
>>>>> require authentication = yes
>>>>> name = LinuxVPNserver2
>>>>> ppp debug = yes
>>>>> pppoptfile = /etc/ppp/options.xl2tpd
>>>>> length bit = yes
>>>>> _______________________________________________
>>>>> Users at lists.openswan.org
>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>> Micropayments:
>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>> Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments:
>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list