[Openswan Users] Cannot connect to L2TP/IPSec VPN (OpenSwan, xl2tpd, Ubuntu)

Patrick Naubert patrickn at xelerance.com
Tue Jan 13 17:05:36 EST 2015


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.

Date: January 9, 2015 at 3:40:01 AM GMT-5
Subject: Cannot connect to L2TP/IPSec VPN (OpenSwan, xl2tpd, Ubuntu)
From: Luke Chai <huijin.mrd at gmail.com>
To: users at lists.openswan.org


Hi,

I'm using OpenSwan & xL2tpd to build a VPN server and both of them can be started properly.
But I cannot connect from PC. It will try to connect, then failed after some time. (l2tp-vpn server did not respond...)
As the syslog is not updating while connecting, seems like OpenSwan IPSec isn't passing the traffic to xl2tpd.

The IPSec log looks OK as below.

pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [RFC 3947] method set to=115 
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02n] meth=106, but already using method 115
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[1499]: packet from 121.204.130.139:500 <http://121.204.130.139:500/>: received Vendor ID payload [Dead Peer Detection]
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: responding to Main Mode from unknown peer 121.204.130.139
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: transition from state STATEMAINR0 to state STATEMAINR1
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: STATEMAINR1: sent MR1, expecting MI2
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: transition from state STATEMAINR1 to state STATEMAINR2
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: STATEMAINR2: sent MR2, expecting MI3
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: ignoring informational payload, type IPSECINITIALCONTACT msgid=00000000
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: Main mode peer ID is IDIPV4ADDR: '192.168.0.105'
pluto[1499]: "L2TP-PSK-NAT"[1] 121.204.130.139 #2: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #2: transition from state STATEMAINR2 to state STATEMAINR3
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #2: new NAT mapping for #2, was 121.204.130.139:500 <http://121.204.130.139:500/>, now 121.204.130.139:4500 <http://121.204.130.139:4500/>
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #2: STATEMAINR3: sent MR3, ISAKMP SA established {auth=OAKLEYPRESHAREDKEY cipher=aes256 prf=oakleysha group=modp1024}
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #2: Dead Peer Detection (RFC 3706): enabled
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #2: the peer proposed: 104.236.82.206/32:17/1701 <http://104.236.82.206/32:17/1701> -> 192.168.0.105/32:17/0 <http://192.168.0.105/32:17/0>
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: responding to Quick Mode proposal {msgid:deb619d7}
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: us: 104.236.82.206<104.236.82.206>:17/1701
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: them: 121.204.130.139[192.168.0.105]:17/51822===192.168.0.105/32 <http://192.168.0.105/32>
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: transition from state STATEQUICKR0 to state STATEQUICKR1
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: STATEQUICKR1: sent QR1, inbound IPsec SA installed, expecting QI2
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: Dead Peer Detection (RFC 3706): enabled
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: transition from state STATEQUICKR1 to state STATEQUICKR2
pluto[1499]: "L2TP-PSK-NAT"[2] 121.204.130.139 #3: STATEQUICKR2: IPsec SA established transport mode {ESP=>0x08baca35 <0x761f15da xfrm=AES256-HMAC_SHA1 NATOA=192.168.0.105 NATD=121.204.130.139:4500 <http://121.204.130.139:4500/> DPD=enabled}

But in /var/log/syslog there's nothing except the log of start-up, it never move.

 Jan  9 00:10:11 VPN ipsec_setup: Stopping Openswan IPsec...
 Jan  9 00:10:12 VPN kernel: [83909.844439] NET: Unregistered protocol family 15
 Jan  9 00:10:12 VPN ipsec_setup: ...Openswan IPsec stopped
 Jan  9 00:10:12 VPN kernel: [83909.880773] NET: Registered protocol family 15
 Jan  9 00:10:12 VPN ipsec_setup: Starting Openswan IPsec U2.6.38/K3.13.0-37-generic...
 Jan  9 00:10:12 VPN ipsec_setup: Using NETKEY(XFRM) stack
 Jan  9 00:10:12 VPN kernel: [83909.946916] Initializing XFRM netlink socket
 Jan  9 00:10:12 VPN kernel: [83909.974072] AVX2 instructions are not detected.
 Jan  9 00:10:12 VPN kernel: [83909.987585] AVX2 or AES-NI instructions are not detected.
 Jan  9 00:10:12 VPN ipsec_setup: ...Openswan IPsec started
 Jan  9 00:10:12 VPN ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
 Jan  9 00:10:12 VPN pluto: adjusting ipsec.d to /etc/ipsec.d
 Jan  9 00:10:12 VPN ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
 Jan  9 00:10:12 VPN ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
 Jan  9 00:10:18 VPN xl2tpd[30940]: network_thread: select returned error 4 (Interrupted system call)
 Jan  9 00:10:18 VPN xl2tpd[30940]: death_handler: Fatal signal 15 received
 Jan  9 00:10:19 VPN xl2tpd[31214]: Enabling IPsec SAref processing for L2TP transport mode SAs
 Jan  9 00:10:19 VPN xl2tpd[31214]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
 Jan  9 00:10:19 VPN xl2tpd[31214]: setsockopt recvref[30]: Protocol not available
 Jan  9 00:10:19 VPN xl2tpd[31214]: This binary does not support kernel L2TP.
 Jan  9 00:10:19 VPN xl2tpd[31215]: xl2tpd version xl2tpd-1.3.6 started on VPN PID:31215
 Jan  9 00:10:19 VPN xl2tpd[31215]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
 Jan  9 00:10:19 VPN xl2tpd[31215]: Forked by Scott Balmos and David Stipp, (C) 2001
 Jan  9 00:10:19 VPN xl2tpd[31215]: Inherited by Jeff McAdams, (C) 2002
 Jan  9 00:10:19 VPN xl2tpd[31215]: Forked again by Xelerance (www.xelerance.com <http://www.xelerance.com/>) (C) 2006
 Jan  9 00:10:19 VPN xl2tpd[31215]: Listening on IP address 0.0.0.0, port 1701

IPSec verify successfully.

Checking your system to see if IPsec got installed and started correctly:
 Version check and ipsec on-path                                 [OK]
 Linux Openswan U2.6.38/K3.13.0-37-generic (netkey)
 Checking for IPsec support in kernel                            [OK]
  SAref kernel support                                           [N/A]
  NETKEY:  Testing XFRM related proc values                      [OK]
         [OK]
         [OK]
 Checking that pluto is running                                  [OK]
  Pluto listening for IKE on udp 500                             [OK]
  Pluto listening for NAT-T on udp 4500                          [OK]
 Checking for 'ip' command                                       [OK]
 Checking /bin/sh is not /bin/dash                               [WARNING]
 Checking for 'iptables' command                                 [OK]
 Opportunistic Encryption Support                                [DISABLED]
"iptables -t nat -L"

 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination
 MASQUERADE  all  --  anywhere             anywhere
 MASQUERADE  all  --  anywhere             anywhere
egrep -v '^[[:space:]]*(#|$)' /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 <http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10>
        oe=off
        protostack=netkey
        plutostderrlog=/var/log/pluto.log
        force_keepalive=yes
        keep_alive=60
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        ike=aes256-sha1,aes128-sha1,3des-sha1
        phase2alg=aes256-sha1,aes128-sha1,3des-sha1
        type=transport
        left=104.236.82.206
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear
        forceencaps=yes
cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
mtu 1200
mru 1000
crtscts
lock
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
grep -v '^;' /etc/xl2tpd/xl2tpd.conf
[global]                                                                ; Global parameters:
ipsec saref = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes
[lns default]                                                   ; Our fallthrough LNS definition
ip range = 172.16.1.30-172.16.1.100     ; * Allocate from this IP range
local ip = 172.16.1.1                   ; * local IP to use
length bit = yes                                                ; * Use length bit in payload?
refuse pap = yes                                                ; * Refuse PAP authentication
refuse chap = yes                                               ; * Refuse CHAP authentication
require authentication = yes                    ; * Require peer to authenticate
ppp debug = yes                                                 ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file

If I miss something? Any advise?
Thanks in advance.

BR,
Luke



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20150113/eec9abd7/attachment-0001.html>


More information about the Users mailing list