[Openswan Users] L2TP traffic was not sent into IPSEC channel
Willy Chang
changwilly at gmail.com
Tue Jun 25 20:05:14 UTC 2013
Hi all,
I just installed openswan 2.6.39 and xl2tpd 1.3.1 on a PPC platform which
is an IPsec client of a VPN server running on CentOS. I was able to create
the IPsec channel, but I had difficulty getting the L2TP tunnel created. It
looked like the L2TP traffic was unable to go through the IPsec NAT-T port.
Here is my ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification

# Parameter lines inside a section must be indented; a line starting in
# column 0 begins a new section.
config setup
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:10.0.100.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!172.16.0.0/12
    # virtual_private=%v4:0.0.0.0
    nat_traversal=yes
    protostack=netkey
    plutostderrlog=/var/log/pluto.log
    oe=no
    # Replace eth0 with your network interface
    plutoopts="--interface=eth0"
    plutodebug=crypt
    nhelpers=0
    # keep_alive=600

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    forceencaps=yes
    rekey=no
    # ikelifetime=8h
    # keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)
    left=172.16.201.83
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    # Replace IP address with your VPN server's IP
    right=172.16.201.199
    rightprotoport=17/0
    rightnexthop=%defaultroute
    dpddelay=30
    dpdtimeout=120
    # dpdaction=clear
Here is my xl2tpd.conf:
[global]
debug state = yes
debug packet = yes
debug network = yes
debug tunnel = yes
[lac vpn-connection]
lns = 172.16.201.199
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
Here is my options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
#refuse-eap
#require-mschap-v2
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
#usepeerdns
debug
lock
connect-delay 5000
name user1
password admin
Here is the dump from the VPN server on port 4500:
15:34:58.784391 IP 172.16.201.83.ipsec-nat-t > 172.16.201.199.ipsec-nat-t: truncated-udplength 0
15:34:58.784398 IP 172.16.201.83.ipsec-nat-t > 172.16.201.199.ipsec-nat-t: truncated-udplength 0
15:34:58.784400 IP 172.16.201.83.ipsec-nat-t > 172.16.201.199.ipsec-nat-t: truncated-udplength 0
15:34:58.784402 IP 172.16.201.83.ipsec-nat-t > 172.16.201.199.ipsec-nat-t: truncated-udplength 0
15:34:58.784405 IP 172.16.201.83.ipsec-nat-t > 172.16.201.199.ipsec-nat-t: truncated-udplength 0
15:34:58.784407 IP 172.16.201.83.ipsec-nat-t > 172.16.201.199.ipsec-nat-t: truncated-udplength 0
15:34:58.784409 IP 172.16.201.83.ipsec-nat-t > 172.16.201.199.ipsec-nat-t: truncated-udplength 0
and xl2tpd timed out on the L2TP tunnel setup traffic:
xl2tpd[4476]: Connecting to host 172.16.201.199, port 1701
xl2tpd[4476]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
packet dump:
HEX: { C8 02 00 6E 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 01 00 08 00
00 00 02 01 00 00 0A 00 00 00 03 00 00 00 03 00 0A 00 00 00 04 00 00 00 00
00 08 00 00 00 06 06 90 00 13 00 00 00 07 58 43 31 33 30 37 2D 31 35 35 32
34 38 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 00 08 00 00
00 09 2F D7 00 08 00 00 00 0A 00 04 }
ASCII: { n
XC1307-155248 xelerance.com / }
xl2tpd[4476]: control_finish: sending SCCRQ
xl2tpd[4476]: network_thread: select timeout
xl2tpd[4476]: network_thread: select timeout
xl2tpd[4476]: network_thread: select timeout
xl2tpd[4476]: network_thread: select timeout
xl2tpd[4476]: network_thread: select timeout
xl2tpd[4476]: Maximum retries exceeded for tunnel 12247. Closing.
packet dump:
HEX: { C8 02 00 2D 00 00 00 00 00 01 00 00 00 08 00 00 00 00 00 04 00 08 00
00 00 09 2F D7 00 11 00 00 00 01 00 01 00 00 54 69 6D 65 6F 75 74 }
ASCII: { - / Timeout}
xl2tpd[4476]: Connection 0 closed to 172.16.201.199, port 1701 (Timeout)
xl2tpd[4476]: network_thread: select timeout
xl2tpd[4476]: network_thread: select timeout
xl2tpd[4476]: network_thread: select timeout
Any help is appreciated.
Willy
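The two "packet dump" HEX blocks in the post are the L2TP control messages xl2tpd wrote to the socket: the SCCRQ it sent to open tunnel 12247 and the StopCCN it sent when the retries were exhausted. The ASCII rendering in the log loses the non-printable bytes, so the decoder below, an added example that is not part of the post or of xl2tpd/Openswan, parses the L2TPv2 control header and AVP list (RFC 2661) from those dumps and shows what was actually on the wire. The hex strings are copied from the post; the field names follow RFC 2661. A packet that passes this parser but never shows up in a capture on the far side of the IPsec SA tells you the problem is in the policy/encapsulation path, not in xl2tpd.

```python
"""Decode L2TPv2 control messages (RFC 2661) from xl2tpd packet dumps.

Added example for the thread above; not code from xl2tpd or Openswan.
"""
import struct

# Control message types (RFC 2661 sec. 3.2) and AVP attribute types (sec. 4.4);
# only the ones that occur in the dumps from the post are listed.
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
AVP_NAMES = {0: "Message Type", 1: "Result Code", 2: "Protocol Version",
             3: "Framing Capabilities", 4: "Bearer Capabilities",
             6: "Firmware Revision", 7: "Host Name", 8: "Vendor Name",
             9: "Assigned Tunnel ID", 10: "Receive Window Size"}

# Constructed input: the two HEX blocks quoted in the xl2tpd log above.
SCCRQ_HEX = ("C8 02 00 6E 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 01 00 08 00 "
             "00 00 02 01 00 00 0A 00 00 00 03 00 00 00 03 00 0A 00 00 00 04 00 00 00 00 "
             "00 08 00 00 00 06 06 90 00 13 00 00 00 07 58 43 31 33 30 37 2D 31 35 35 32 "
             "34 38 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 00 08 00 00 "
             "00 09 2F D7 00 08 00 00 00 0A 00 04")
STOPCCN_HEX = ("C8 02 00 2D 00 00 00 00 00 01 00 00 00 08 00 00 00 00 00 04 00 08 00 "
               "00 00 09 2F D7 00 11 00 00 00 01 00 01 00 00 54 69 6D 65 6F 75 74")


def decode_avp(attr, value, hidden):
    """Turn one AVP value into something readable; hidden (H bit) AVPs stay raw."""
    if hidden:
        return value.hex()
    if attr == 0:                        # Message Type
        code = struct.unpack("!H", value)[0]
        return MSG_TYPES.get(code, f"unknown({code})")
    if attr == 1:                        # Result Code [+ Error Code [+ message]]
        result = struct.unpack("!H", value[:2])[0]
        error = struct.unpack("!H", value[2:4])[0] if len(value) >= 4 else None
        return {"result": result, "error": error,
                "message": value[4:].decode("ascii", "replace")}
    if attr == 2:                        # Protocol Version: major, minor octets
        return f"{value[0]}.{value[1]}"
    if attr in (3, 4):                   # capability bitmasks, 32 bits
        return struct.unpack("!I", value)[0]
    if attr in (7, 8):                   # Host Name, Vendor Name
        return value.decode("ascii", "replace")
    if attr in (6, 9, 10):               # 16-bit integers
        return struct.unpack("!H", value)[0]
    return value.hex()


def parse_control(pkt):
    """Parse an L2TPv2 control message header and its AVP list."""
    flags = struct.unpack("!H", pkt[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    if not flags & 0x8000:
        raise ValueError("T bit clear: this is a data message")
    if not (flags & 0x4000 and flags & 0x0800):
        raise ValueError("control messages must carry the L and S bits")
    if flags & 0x0200:
        raise ValueError("O bit must be 0 in control messages")
    length, tunnel, session, ns, nr = struct.unpack("!HHHHH", pkt[2:12])
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes on the wire")
    avps, off = [], 12
    while off < length:
        hdr, vendor, attr = struct.unpack("!HHH", pkt[off:off + 6])
        alen = hdr & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError(f"bad AVP length {alen} at offset {off}")
        name = AVP_NAMES.get(attr, f"attr{attr}") if vendor == 0 else f"vendor{vendor}/attr{attr}"
        avps.append({"name": name,
                     "mandatory": bool(hdr & 0x8000),
                     "value": decode_avp(attr if vendor == 0 else -1,
                                         pkt[off + 6:off + alen], bool(hdr & 0x4000))})
        off += alen
    return {"tunnel": tunnel, "session": session, "ns": ns, "nr": nr, "avps": avps}


def summarize(hex_dump):
    """One-line summary: message name, sequence numbers, tunnel ID, result text."""
    msg = parse_control(bytes.fromhex(hex_dump))
    by_name = {a["name"]: a["value"] for a in msg["avps"]}
    line = f"{by_name['Message Type']} tunnel={msg['tunnel']} ns={msg['ns']} nr={msg['nr']}"
    if "Assigned Tunnel ID" in by_name:
        line += f" assigned_tid={by_name['Assigned Tunnel ID']}"
    if "Result Code" in by_name:
        rc = by_name["Result Code"]
        line += f" result={rc['result']} ({rc['message']})"
    return line


if __name__ == "__main__":
    for dump in (SCCRQ_HEX, STOPCCN_HEX):
        print(summarize(dump))
```

Decoding the first dump gives the SCCRQ with Assigned Tunnel ID 12247 (0x2FD7), host name XC1307-155248 and vendor name xelerance.com; the second is the StopCCN for the same tunnel with result code 1 and the text "Timeout". The parser only checks the L2TP layer; whether a packet like this was carried inside the IPsec SA is a question for a capture on UDP 1701 on the server against one on UDP 4500.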