Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Sat Sep 06, 2014 8:48 pm
Well, I'm stymied. I have upgraded xl2tpd to 1.3.6 and still no change. I must thank you for all your help. Sadly I'm going to have to take this machine offline for a while. I'm not sure for how long; I hope to get back online and working on this soon. So close but so far!
Again, thank you, and I'll be back here as soon as I can. I see myself living without a PC for long... not happily anyway.
All the best.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Mon Sep 22, 2014 1:05 am
Hi,
I have my PC back.
Prior to my hiatus, I suspect that I may have been the architect of my PPP problems. Once we got IPsec working, I thought it'd be a good idea to set iptables rules to block all l2tp connections outside the IPsec layer, and thus used:
Code:
root # iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
root # iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
root # iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
root # iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
Certainly, it looks like something is blocking traffic over the PPP connection. My guess is that the firewall closes the connection after a period of disuse.
Code:
# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST> mtu 1500
ether f2:ef:56:31:d0:d6 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 fe80::ca60:ff:fecc:4614 prefixlen 64 scopeid 0x20<link>
ether c8:60:00:cc:46:14 txqueuelen 1000 (Ethernet)
RX packets 11959 bytes 13352142 (12.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10046 bytes 1272844 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory #x########-########
enp59s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether c8:60:00:cc:49:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 memory #x########-########
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 40 bytes 16841 (16.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 16841 (16.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 125.64.27.8 netmask 255.255.255.255 destination 17.11.7.5
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 4 bytes 34 (34.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 40 (40.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# ping 3.5.8.13
PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.
^C
--- 3.5.8.13 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms
# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST> mtu 1500
ether f2:ef:56:31:d0:d6 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 fe80::ca60:ff:fecc:4614 prefixlen 64 scopeid 0x20<link>
ether c8:60:00:cc:46:14 txqueuelen 1000 (Ethernet)
RX packets 11968 bytes 13352958 (12.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10063 bytes 1274476 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory #x########-########
enp59s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether c8:60:00:cc:49:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 memory #x########-########
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 40 bytes 16841 (16.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 16841 (16.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 125.64.27.8 netmask 255.255.255.255 destination 17.11.7.5
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 4 bytes 34 (34.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19 bytes 8917 (8.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Yet, there appear to be no rules set:
Code:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This assertion is corroborated by:
Code:
# iptables -t filter -C INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables -t filter -C INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables: No chain/target/match by that name.
# iptables -t filter -C OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables -t filter -C OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables: No chain/target/match by that name.
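An added example, not code from the thread: a Python script that parses two ifconfig snapshots such as the pair above, computes how much each interface's counters grew across the ping, and labels the ppp0 pattern (TX rising while RX stays flat) as one-way traffic. The snapshots are constructed from the numbers in the post; the label names are assumed, not anything ifconfig or ping prints.

```python
import re

# Constructed sample snapshots, modelled on the ifconfig output in the thread:
# one taken before the ping, one after. Only the counter lines matter here.
BEFORE = """\
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
RX packets 11959 bytes 13352142 (12.7 MiB)
TX packets 10046 bytes 1272844 (1.2 MiB)
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 125.64.27.8 netmask 255.255.255.255 destination 17.11.7.5
RX packets 4 bytes 34 (34.0 B)
TX packets 4 bytes 40 (40.0 B)
"""

AFTER = """\
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
RX packets 11968 bytes 13352958 (12.7 MiB)
TX packets 10063 bytes 1274476 (1.2 MiB)
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 125.64.27.8 netmask 255.255.255.255 destination 17.11.7.5
RX packets 4 bytes 34 (34.0 B)
TX packets 19 bytes 8917 (8.7 KiB)
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
COUNTER_RE = re.compile(r"^(RX|TX) packets (\d+)\s+bytes (\d+)")


def parse_ifconfig(text):
    """Map each interface name to its RX/TX packet and byte counters."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            direction, packets, nbytes = m.groups()
            key = direction.lower()
            stats[current][key + "_packets"] = int(packets)
            stats[current][key + "_bytes"] = int(nbytes)
    return stats


def counter_deltas(before, after):
    """Per-interface counter growth between two snapshots (missing keys count as 0)."""
    b, a = parse_ifconfig(before), parse_ifconfig(after)
    return {
        iface: {k: v - b.get(iface, {}).get(k, 0) for k, v in counters.items()}
        for iface, counters in a.items()
    }


def classify_probe(delta, probes_sent):
    """Interpret a tunnel interface's counter growth during a ping of probes_sent packets.
    The labels are assumed names chosen for this example."""
    tx, rx = delta.get("tx_packets", 0), delta.get("rx_packets", 0)
    if tx == 0:
        return "no-egress"   # nothing left the interface: routing or a local filter
    if rx == 0:
        return "one-way"     # probes left, nothing came back: far end or return path
    if rx < probes_sent:
        return "lossy"
    return "two-way"


if __name__ == "__main__":
    deltas = counter_deltas(BEFORE, AFTER)
    for iface, d in deltas.items():
        print(iface, d)
    # In the thread's case ppp0 gains 15 TX packets and 0 RX packets: one-way
    print("ppp0:", classify_probe(deltas["ppp0"], probes_sent=8))
```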
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Mon Sep 22, 2014 7:42 am
Strange, because my iptables rules work (both client and server):
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec udp dpt:1701
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec udp spt:1701
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:1701 reject-with icmp-port-unreachable
But I don't think the firewall has anything to do with it; otherwise no l2tp packets would pass at all, and we'd never reach the ppp phase. My best guess is the ppp interface is being misconfigured somehow, conflicting with another interface/route (since my machine has the same behavior when that happens). I'm guessing it's a routing issue. I do see the ppp packet count increasing after you ping, so that's a good sign.
One thing to try is "ip route" to print out the routing table. It should have a line like this:
Code:
10.137.219.1 dev ppp0 proto kernel scope link src 172.21.118.2
Here, for my test, 10.137.219.1 was the other end of the ppp connection, and 172.21.118.2 was the IP assigned by the server.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Mon Sep 22, 2014 8:36 am
Thanks,
Code:
# ip route
default via 10.1.1.### dev eno1 proto static
default via 10.1.1.### dev eno1 metric 7
10.1.1.###/24 dev eno1 proto kernel scope link src 1.2.3.4 metric 1
17.11.7.5 dev ppp0 proto kernel scope link src 125.64.27.8
127.0.0.0/8 dev lo scope host
127.0.0.0/8 via 127.0.0.1 dev lo
Here 17.11.7.5 is the other end of the ppp connection and 125.64.27.8 was the IP assigned by the server. The ppp line here seems to be the same as yours.
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Mon Sep 22, 2014 10:50 pm
OK, so it's not a routing problem. Since it's been a while, the latest output of xl2tpd/pppd would be helpful to determine if we're dealing with the same problem. I'll also adjust my simulation at home to make the VM I created for that have a similar network setup to yours, to see if that's what's causing it.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Tue Sep 23, 2014 12:02 am
Hi,
Thanks for persevering with me. Here is a copy of the logs and the output:
Code:
Sep 23 00:28:54 sveta xl2tpd[4113]: Connecting to host vpn.office.com, port 1701
Sep 23 00:28:54 sveta xl2tpd[4113]: Connection established to 17.11.7.5, 1701. Local: 59263, Remote: 7959 (ref=0/0).
Sep 23 00:28:54 sveta xl2tpd[4113]: Calling on tunnel 59263
Sep 23 00:28:54 sveta xl2tpd[4113]: Call established with 17.11.7.5, Local: 15862, Remote: 7832, Serial: 1 (ref=0/0)
Sep 23 00:28:54 sveta xl2tpd[4113]: start_pppd: I'm running:
Sep 23 00:28:54 sveta xl2tpd[4113]: "/usr/sbin/pppd"
Sep 23 00:28:54 sveta xl2tpd[4113]: "passive"
Sep 23 00:28:54 sveta xl2tpd[4113]: "nodetach"
Sep 23 00:28:54 sveta xl2tpd[4113]: ":"
Sep 23 00:28:54 sveta xl2tpd[4113]: "name"
Sep 23 00:28:54 sveta xl2tpd[4113]: "user-name"
Sep 23 00:28:54 sveta xl2tpd[4113]: "debug"
Sep 23 00:28:54 sveta xl2tpd[4113]: "plugin"
Sep 23 00:28:54 sveta xl2tpd[4113]: "passwordfd.so"
Sep 23 00:28:54 sveta xl2tpd[4113]: "passwordfd"
Sep 23 00:28:54 sveta xl2tpd[4113]: "8"
Sep 23 00:28:54 sveta xl2tpd[4113]: "file"
Sep 23 00:28:54 sveta xl2tpd[4113]: "/etc/ppp/options.xl2tpd.client"
Sep 23 00:28:54 sveta xl2tpd[4113]: "plugin"
Sep 23 00:28:54 sveta xl2tpd[4113]: "pppol2tp.so"
Sep 23 00:28:54 sveta xl2tpd[4113]: "pppol2tp"
Sep 23 00:28:54 sveta xl2tpd[4113]: "9"
Sep 23 00:28:54 sveta pppd[4151]: Plugin passwordfd.so loaded.
Sep 23 00:28:54 sveta pppd[4151]: Plugin pppol2tp.so loaded.
Sep 23 00:28:54 sveta pppd[4151]: pppd 2.4.7 started by [HIDDEN], uid 0
Sep 23 00:28:54 sveta pppd[4151]: using channel 1
Sep 23 00:28:54 sveta pppd[4151]: Using interface ppp0
Sep 23 00:28:54 sveta pppd[4151]: Connect: ppp0 <-->
Sep 23 00:28:54 sveta pppd[4151]: PPPoL2TP options: debugmask 0
Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic [HIDDEN]>]
Sep 23 00:28:54 sveta NetworkManager[2671]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfReq id=0x2 <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfAck id=0x2 <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: PPPoL2TP options: debugmask 0
Sep 23 00:28:54 sveta pppd[4151]: rcvd [CHAP Challenge id=0x1 <[HIDDEN]>, name = ""]
Sep 23 00:28:54 sveta pppd[4151]: added response cache entry 0
Sep 23 00:28:54 sveta pppd[4151]: sent [CHAP Response id=0x1 <[HIDDEN]>, name = "user-name"]
Sep 23 00:28:56 sveta pppd[4151]: rcvd [CHAP Success id=0x1 "S=[HIDDEN]"]
Sep 23 00:28:56 sveta pppd[4151]: response found in cache (entry 0)
Sep 23 00:28:56 sveta pppd[4151]: CHAP authentication succeeded
Sep 23 00:28:56 sveta pppd[4151]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep 23 00:28:56 sveta pppd[4151]: rcvd [IPCP TermAck id=0x1]
Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfReq id=0x1 <addr 17.11.7.5>]
Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfAck id=0x1 <addr 17.11.7.5>]
Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfNak id=0x1 <addr 125.64.27.8>]
Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfReq id=0x2 <addr 125.64.27.8>]
Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfAck id=0x2 <addr 125.64.27.8>]
Sep 23 00:28:59 sveta charon: 04[KNL] 125.64.27.8 appeared on ppp0
Sep 23 00:28:59 sveta pppd[4151]: local IP address 125.64.27.8
Sep 23 00:28:59 sveta pppd[4151]: remote IP address 17.11.7.5
Sep 23 00:28:59 sveta charon: 12[KNL] 125.64.27.8 disappeared from ppp0
Sep 23 00:28:59 sveta charon: 14[KNL] 125.64.27.8 appeared on ppp0
Sep 23 00:28:59 sveta pppd[4151]: Script /etc/ppp/ip-up started (pid 4155)
Sep 23 00:28:59 sveta charon: 10[KNL] interface ppp0 activated
Sep 23 00:28:59 sveta pppd[4151]: Script /etc/ppp/ip-up finished (pid 4155), status = 0x0
Sep 23 00:29:18 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:29:38 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:29:44 sveta su[4166]: Successful su for root by [HIDDEN]
Sep 23 00:29:44 sveta su[4166]: + /dev/pts/2 [HIDDEN]:root
Sep 23 00:29:44 sveta su[4166]: pam_unix(su:session): session opened for user root by [HIDDEN](uid=1000)
Sep 23 00:29:58 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:29:59 sveta xl2tpd[4113]: Maximum retries exceeded for tunnel 59263. Closing.
Sep 23 00:29:59 sveta xl2tpd[4113]: Terminating pppd: sending TERM signal to pid 4151
Sep 23 00:29:59 sveta xl2tpd[4113]: Connection 7959 closed to 17.11.7.5, port 1701 (Timeout)
Sep 23 00:29:59 sveta pppd[4151]: Terminating on signal 15
Sep 23 00:29:59 sveta pppd[4151]: Connect time 1.0 minutes.
Sep 23 00:29:59 sveta pppd[4151]: Sent 81712 bytes, received 0 bytes.
Sep 23 00:29:59 sveta charon: 05[KNL] interface ppp0 deactivated
Sep 23 00:29:59 sveta charon: 07[KNL] 125.64.27.8 disappeared from ppp0
Sep 23 00:29:59 sveta pppd[4151]: Script /etc/ppp/ip-down started (pid 4177)
Sep 23 00:29:59 sveta pppd[4151]: PPPoL2TP options: debugmask 0
Sep 23 00:29:59 sveta pppd[4151]: sent [LCP TermReq id=0x3 "User request"]
Sep 23 00:29:59 sveta pppd[4151]: Script /etc/ppp/ip-down finished (pid 4177), status = 0x0
Sep 23 00:30:01 sveta cron[4179]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Sep 23 00:30:02 sveta pppd[4151]: sent [LCP TermReq id=0x4 "User request"]
Sep 23 00:30:04 sveta xl2tpd[4113]: Unable to deliver closing message for tunnel 59263. Destroying anyway.
Sep 23 00:30:05 sveta pppd[4151]: Connection terminated.
Sep 23 00:30:05 sveta charon: 04[KNL] interface ppp0 deleted
Sep 23 00:30:05 sveta avahi-daemon[2998]: Withdrawing workstation service for ppp0.
Sep 23 00:30:05 sveta pppd[4151]: Modem hangup
Sep 23 00:30:05 sveta pppd[4151]: Exit.
Sep 23 00:30:23 sveta charon: 05[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:30:43 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]
Code:
# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST> mtu 1500
ether 1e:42:13:cb:10:e4 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 fe80::ca60:ff:fecc:4614 prefixlen 64 scopeid 0x20<link>
ether c8:60:00:cc:46:14 txqueuelen 1000 (Ethernet)
RX packets 49917 bytes 62529540 (59.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 33988 bytes 3338778 (3.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory #x########-########
enp59s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether c8:60:00:cc:49:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 memory #x########-########
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 41 bytes 16913 (16.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41 bytes 16913 (16.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
sveta [HIDDEN] # ipsec up VPN.OFFICE.COM && xl2tpd-control connect vpnclient user-name password
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
generating QUICK_MODE request [HIDDEN] [ HASH ]
connection 'VPN.OFFICE.COM' established successfully
00 OK
sveta [HIDDEN] # ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST> mtu 1500
ether 1e:42:13:cb:10:e4 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 fe80::ca60:ff:fecc:4614 prefixlen 64 scopeid 0x20<link>
ether c8:60:00:cc:46:14 txqueuelen 1000 (Ethernet)
RX packets 49939 bytes 62532463 (59.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34010 bytes 3341695 (3.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory #x########-########
enp59s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether c8:60:00:cc:49:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 memory #x########-########
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 41 bytes 16913 (16.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41 bytes 16913 (16.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 125.64.27.8 netmask 255.255.255.255 destination 17.11.7.5
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 4 bytes 34 (34.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 40 (40.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
sveta [HIDDEN] # ping 3.5.8.13
PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.
^C
--- 3.5.8.13 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms
sveta [HIDDEN] # ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST> mtu 1500
ether 1e:42:13:cb:10:e4 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 fe80::ca60:ff:fecc:4614 prefixlen 64 scopeid 0x20<link>
ether c8:60:00:cc:46:14 txqueuelen 1000 (Ethernet)
RX packets 49948 bytes 62533051 (59.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34023 bytes 3342919 (3.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory #x########-########
enp59s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether c8:60:00:cc:49:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 memory #x########-########
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 41 bytes 16913 (16.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41 bytes 16913 (16.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 125.64.27.8 netmask 255.255.255.255 destination 17.11.7.5
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 4 bytes 34 (34.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19 bytes 8917 (8.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Tue Sep 23, 2014 7:54 am
The only other information I can think of which might be pertinent is that my system has at least three NICs.
The first appears as eno0
The second and third are not used. One of these is Wifi.
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Tue Sep 23, 2014 8:30 am
Well, after running a few simulations, I can't get it to disconnect, even with a similar network setup. Looking at the logs, the problem appears to be at the l2tp layer: soon after the connection, the other side of the tunnel stops responding and the l2tp connection gets dropped. Since we know IPsec works and ppp seems fine, I'm beginning to think the problem here is l2tp.
There is an (undocumented) option to turn off kernel l2tp for xl2tpd:
Code:
[global]
force userspace = yes
If this doesn't work, then the next step is to try a different l2tp implementation. There are 2 others: rp-l2tp and openl2tp. The former is in portage, but dated. The latter is much newer, but it's not in portage, and I've never used it. Neither is as convenient as xl2tpd.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Tue Sep 23, 2014 9:31 am
Hi,
When I set:
Code:
[global]
force userspace = yes
xl2tpd fails.
Code:
# /etc/init.d/xl2tpd restart
* Starting xl2tpd ...
* start-stop-daemon: failed to start `/usr/sbin/xl2tpd'
* Failed to start xl2tpd [ !! ]
* ERROR: xl2tpd failed to start
I am able to emerge both rp-l2tp and openl2tp. The latter is available via an overlay [booboo].
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Wed Sep 24, 2014 6:48 am
It shouldn't give that error. It works for me. Check the syntax of your xl2tpd.conf file. It's gonna be a day or so before I can set up another l2tp client, as the Gentoo webservers are down.
It should look something like this:
Code:
[global]
force userspace = yes
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
length bit = yes
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Thu Sep 25, 2014 6:39 am
OK then, let's try it with openl2tp. You'll need the "rpc" USE flag set as well. If you are using systemd, grab its unit file. Systemd users need to start rpcbind manually. Either way, start the openl2tpd service.
Once the service is started, run the "l2tpconfig" utility:
Code:
l2tp> system modify deny_remote_tunnel_creates=yes
l2tp> tunnel profile create dest_ipaddr=vpn.office.com
Created tunnel 47743
l2tp> tunnel show tunnel_id=47743
l2tp> session create tunnel_id=47743 user_name=your-login-username user_password=your-login-password
Created session 47743/20183
l2tp> session show tunnel_id=47743 session_id=20183
The tunnel and session ids are generated randomly. Note that "session show" discloses the username and password.
To disconnect:
Code:
session delete tunnel_id=47743 session_id=20183
tunnel delete tunnel_id=47743
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Thu Sep 25, 2014 8:39 am
A quick update:
Code:
# l2tpconfig
localhost: RPC: Program not registered
I think this may be due to the order in which I attempted to run these programs, l2tpconfig then rpcbind. I'll find out after work.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Fri Sep 26, 2014 11:27 pm
Hi,
I have attempted to follow your example as closely as possible; however, I still fail to get a connection or even a ppp0 interface.
Code:
l2tp> tunnel create profile_name="VPN.OFFICE.COM" tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com
Created tunnel 30242
l2tp> tunnel show tunnel_id=30242
Tunnel 30242, from 1.2.3.4 to 17.11.7.5:-
state: CLOSING
created at: Sep 26 20:41:01 2014
created by admin: YES, tunnel mode: LAC
peer tunnel id: 0, host name: NOT SET
UDP ports: local 59310, peer 1701
authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
session limit: 0, session count: 0
tunnel profile: "VPN.OFFICE.COM", peer profile: default
session profile: default, ppp profile: default
hello timeout: 60, retry timeout: 1, idle timeout: 0
rx window size: 10, tx window size: 10, max retries: 5
use udp checksums: ON
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
trace flags: NONE
peer protocol version: 0.0, firmware 0
peer framing capability: NONE
peer bearer capability: NONE
peer rx window size: 0
Transport status:-
ns/nr: 1/0, peer 0/0
cwnd: 1, ssthresh: 1, congpkt_acc: 0
Transport statistics:-
out-of-sequence control/data discards: 0/0
zlbs tx/txfail/rx: 0/0/0
retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0
hellos tx/txfail/rx: 0/0/0
control rx packets: 0, rx bytes: 0
control tx packets: 6, tx bytes: 834
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
establish retries: 0
l2tp> session create user_name=USER user_password=PASSWORD tunnel_name="VPN.OFFICE.COM"
Created session 30242/42553
l2tp> session show tunnel_name="VPN.OFFICE.COM" session_id=42553
Session 42553 on tunnel 30242:-
type: LAC Incoming Call, state: WAITTUNNEL
created at: Sep 26 20:41:22 2014
created by admin: YES
ppp user name: USER
ppp user password: PASSWORD
data sequencing required: OFF
use data sequence numbers: OFF
trace flags: NONE
framing types: SYNC ASYNC
bearer types: DIGITAL ANALOG
call serial number: 3
connect speed: 1000000
use ppp proxy: NO
Peer configuration data:-
data sequencing required: OFF
framing types:
bearer types:
call serial number: 3
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
l2tp> tunnel show tunnel_name="VPN.OFFICE.COM"
Tunnel 30242, from 1.2.3.4 to 17.11.7.5:-
state: CLOSING
created at: Sep 26 20:41:01 2014
created by admin: YES, tunnel mode: LAC
peer tunnel id: 0, host name: NOT SET
UDP ports: local 59310, peer 1701
authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
session limit: 0, session count: 1
tunnel profile: "VPN.OFFICE.COM", peer profile: default
session profile: default, ppp profile: default
hello timeout: 60, retry timeout: 1, idle timeout: 0
rx window size: 10, tx window size: 10, max retries: 5
use udp checksums: ON
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
trace flags: NONE
peer protocol version: 0.0, firmware 0
peer framing capability: NONE
peer bearer capability: NONE
peer rx window size: 0
Transport status:-
ns/nr: 1/0, peer 0/0
cwnd: 1, ssthresh: 1, congpkt_acc: 0
Transport statistics:-
out-of-sequence control/data discards: 0/0
zlbs tx/txfail/rx: 0/0/0
retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0
hellos tx/txfail/rx: 0/0/0
control rx packets: 0, rx bytes: 0
control tx packets: 6, tx bytes: 834
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
establish retries: 0
The tunnel option persist=yes doesn't help either.
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Sat Sep 27, 2014 1:25 am
It appears the ipsec connection is down. Bring back up the ipsec connection and try again.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Sat Sep 27, 2014 10:35 pm
The IPsec appears to remain up:
Code:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.14.14-gentoo, x86_64):
uptime: 72 minutes, since Sep 27 22:10:49 2014
malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon curl ldap mysql sqlite aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic dhcp
Listening IP addresses:
1.2.3.4
Connections:
Xerox-XLS-Telford: %any...vpn.office.com IKEv1
Xerox-XLS-Telford: local: [1.2.3.4] uses pre-shared key authentication
Xerox-XLS-Telford: remote: [17.11.7.5] uses pre-shared key authentication
Xerox-XLS-Telford: child: dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT
Security Associations (1 up, 0 connecting):
Xerox-XLS-Telford[1]: ESTABLISHED 72 minutes ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Xerox-XLS-Telford[1]: IKEv1 SPIs: [HIDDEN]* [HIDDEN], rekeying disabled
Xerox-XLS-Telford[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Xerox-XLS-Telford{1}: INSTALLED, TRANSPORT, ESP in UDP SPIs: [HIDDEN] [HIDDEN]
Xerox-XLS-Telford{1}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
Xerox-XLS-Telford{1}: 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
Yet, I'm still missing something.
Code:
l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com
Created tunnel 28351
l2tp> session create session_name="VPN.OFFICE.COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN.OFFICE.COM"
Created session 15597 on tunnel "VPN.OFFICE.COM"
l2tp> session show tunnel_name="VPN.OFFICE.COM" session_name="VPN.OFFICE.COM"
Session 15597 on tunnel 28351:-
type: LAC Incoming Call, state: WAITTUNNEL
created at: Sep 27 23:23:24 2014
administrative name: "VPN.OFFICE.COM"
created by admin: YES
ppp user name: USER_NAME
ppp user password: USER_PASSWORD
data sequencing required: OFF
use data sequence numbers: OFF
trace flags: NONE
framing types: SYNC ASYNC
bearer types: DIGITAL ANALOG
call serial number: 4
connect speed: 1000000
use ppp proxy: NO
Peer configuration data:-
data sequencing required: OFF
framing types:
bearer types:
call serial number: 4
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
|
In the Openl2tp documentation it says that StrongSwan can do l2tp also. I can not see any configuration info in the StrongSwan documentation. |
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Sat Sep 27, 2014 11:23 pm
StrongSwan doesn't do L2TP (it has a NetworkManager plugin, but only for IKEv2). Let's make sure the tunnel is getting established. After you create the tunnel, before the session, do a "show tunnel ..." command and verify the tunnel says ESTABLISHED. If not, we need to debug the tunnel first.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Sun Sep 28, 2014 12:09 am
Unfortunately, I don't seem to be able to establish a tunnel.
Code: |
l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com
Created tunnel 56457
l2tp> show tunnel tunnel_name="VPN.OFFICE.COM"
Error at or near 'show'
l2tp> show tunnel tunnel_id=56457
Error at or near 'show'
|
Code: |
l2tp> tunnel create tunnel_name="VPN.OFFICE.COM"" dest_ipaddr=17.11.7.5
Created tunnel 7747
l2tp> show tunnel tunnel_name="VPN.OFFICE.COM""
Error at or near 'show'
l2tp> show tunnel tunnel_id=7747
Error at or near 'show'
|
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Sun Sep 28, 2014 12:19 am
My bad. It's "tunnel show ..." not "show tunnel ..." (there's a "tunnel list" command as well, to see all the open tunnels).
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Sun Sep 28, 2014 4:55 am
Actually, I notice above in the status that no traffic was flowing over the IPsec connection. The same thing happens here too: once I put up the L2TP firewall, it stopped working. It turns out openl2tp works differently with respect to the source port. xl2tpd used port 1701, but openl2tp chooses a random one. The IPsec rule we have set up only works when both the source AND destination ports are 1701.
So at this point, we can fix this one of 2 ways:
1) Adjust your ipsec connection:
Code: |
conn vpn.office.com
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/%any
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add
|
Reload strongSwan and reconnect. After connecting you'll see a subtle change: "CHILD_SA vpn.office.com{1} established with SPIs...TS 1.2.3.4/32[udp] === 17.11.7.5/32[udp/l2tp]". Note that the server might adjust this; in that case this won't work and we'll have to try #2. The advantage is that we're not restricted to one tunnel per connection like Windows.
2) Bind to port 1701 on the client side:
Code: |
l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com our_udp_port=1701
|
This is the way Windows does it.
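The selector/port mismatch described in the post above can be checked mechanically rather than by eye. The script below is an added example; it is not code from this thread, from strongSwan or from openl2tp. It reads a traffic-selector line as printed by "ipsec statusall" or "ipsec up", plus the header and "UDP ports" line of a "tunnel show", and reports whether the tunnel's UDP 5-tuple falls inside the selector, which is what decides whether the L2TP packets are protected by the SA and pass an iptables "-m policy --pol ipsec" rule. The sample texts are copied from the outputs in this thread; the sed parsing and the restriction to /32 host selectors are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread, strongSwan or openl2tp. It checks
# the mismatch described above: the installed policy covers UDP 1701 -> 1701,
# but openl2tp picks a random local port, so its packets fall outside the
# policy (sent unprotected, or dropped by an iptables "-m policy --pol ipsec"
# rule). Inputs are lines as printed by "ipsec statusall" / "ipsec up" and by
# l2tpconfig "tunnel show"; the parsing is this example's own reading of them
# and only handles the /32 host selectors (and /0) seen in this setup.
set -eu

# From a strongSwan line holding a traffic selector print
# "<local net> <local proto spec> <remote net> <remote proto spec>".
ts_fields() {
    sed -n 's|.*[[:space:]]\([0-9.]*/[0-9]*\)\[\([^]]*\)][[:space:]]*===[[:space:]]*\([0-9.]*/[0-9]*\)\[\([^]]*\)].*|\1 \2 \3 \4|p' | head -n 1
}

# From "tunnel show" output print "<local ip> <peer ip> <local port> <peer port>".
tunnel_fields() {
    sed -n \
        -e 's|.*Tunnel [0-9]*, from \([0-9.]*\) to \([0-9.]*\):-.*|\1 \2|p' \
        -e 's|.*UDP ports: local \([0-9]*\), peer \([0-9]*\).*|\1 \2|p' | tr '\n' ' '
}

# Port a selector's proto spec pins: "udp/l2tp" -> 1701, "udp" or "udp/%any" -> any.
sel_port() {
    case "$1" in
        */l2tp)    echo 1701 ;;
        */%any|*/) echo any ;;
        */[0-9]*)  echo "${1#*/}" ;;
        */*)       echo unknown ;;
        *)         echo any ;;
    esac
}

port_ok() { [ "$1" = any ] || [ "$1" = "$2" ]; }

in_net() {   # in_net <ip> <net>; only /32 and /0 prefixes are handled here
    case "$2" in
        */0)  return 0 ;;
        */32) [ "${2%/32}" = "$1" ] ;;
        *)    echo "prefix in $2 not handled by this check" >&2; return 2 ;;
    esac
}

# tunnel_covered "<selector line>" "<tunnel show text>": returns 0 when every
# packet of the tunnel matches the selector, 1 when some of it escapes.
tunnel_covered() {
    set -- $(printf '%s\n' "$1" | ts_fields) $(printf '%s\n' "$2" | tunnel_fields)
    [ "$#" -eq 8 ] || { echo "could not parse selector or tunnel" >&2; return 2; }
    lnet=$1; lspec=$2; rnet=$3; rspec=$4; lip=$5; pip=$6; lport=$7; pport=$8
    [ "${lspec%%/*}" = udp ] && [ "${rspec%%/*}" = udp ] || return 1
    in_net "$lip" "$lnet" && in_net "$pip" "$rnet" || return 1
    port_ok "$(sel_port "$lspec")" "$lport" && port_ok "$(sel_port "$rspec")" "$pport"
}

# Sample inputs copied from the outputs in this thread (tunnel text trimmed).
TS_STRICT='Xerox-XLS-Telford{1}: 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]'
TS_ANY='CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp] === 17.11.7.5/32[udp/l2tp]'
TUNNEL_RANDOM='Tunnel 24778, from 1.2.3.4 to 17.11.7.5:-
    state: CLOSING
    UDP ports: local 37846, peer 1701'
TUNNEL_BOUND='Tunnel 835, from 1.2.3.4 to 17.11.7.5:-
    state: ESTABLISHED
    UDP ports: local 1701, peer 1701'

report() {
    if tunnel_covered "$1" "$2"; then echo "covered by the IPsec policy"
    else echo "NOT covered: L2TP traffic falls outside the policy"; fi
}
report "$TS_STRICT" "$TUNNEL_RANDOM"   # random local port vs udp/l2tp: not covered
report "$TS_STRICT" "$TUNNEL_BOUND"    # our_udp_port=1701: covered
report "$TS_ANY"    "$TUNNEL_RANDOM"   # leftprotoport=udp/%any: covered
```

The three calls at the end correspond to the three situations in the thread: the original udp/l2tp selector with openl2tp's random source port (not covered), fix #2 with our_udp_port=1701 (covered), and fix #1 with leftprotoport=udp/%any if the server had accepted it (covered). The same check is worth running after any reconnect, because the CHILD_SA line printed by "ipsec up" shows the selector the server actually agreed to, not the one in ipsec.conf.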
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Sun Sep 28, 2014 7:35 am
Old IPsec connection
Code: |
# ipsec up VPN.OFFICE.COM
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
connection 'VPN.OFFICE.COM' established successfully
l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com
Created tunnel 24778
l2tp> tunnel show tunnel_name="VPN OFFICE COM"
Tunnel 24778, from 1.2.3.4 to 17.11.7.5:-
state: CLOSING
created at: Sep 28 08:17:16 2014
administrative name: '"VPN OFFICE COM"'
created by admin: YES, tunnel mode: LAC
peer tunnel id: 0, host name: NOT SET
UDP ports: local 37846, peer 1701
authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
session limit: 0, session count: 0
tunnel profile: default, peer profile: default
session profile: default, ppp profile: default
hello timeout: 60, retry timeout: 1, idle timeout: 0
rx window size: 10, tx window size: 10, max retries: 5
use udp checksums: ON
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
trace flags: NONE
peer protocol version: 0.0, firmware 0
peer framing capability: NONE
peer bearer capability: NONE
peer rx window size: 0
Transport status:-
ns/nr: 1/0, peer 0/0
cwnd: 1, ssthresh: 1, congpkt_acc: 0
Transport statistics:-
out-of-sequence control/data discards: 0/0
zlbs tx/txfail/rx: 0/0/0
retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0
hellos tx/txfail/rx: 0/0/0
control rx packets: 0, rx bytes: 0
control tx packets: 6, tx bytes: 834
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
establish retries: 0
|
New IPsec connection
Code: |
# ipsec up VPN.OFFICE.COM
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
generating QUICK_MODE request [HIDDEN] [ HASH ]
connection 'VPN.OFFICE.COM' established successfully
l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com
Created tunnel 10765
l2tp> tunnel show tunnel_name="VPN OFFICE COM"
Tunnel 10765, from 1.2.3.4 to 17.11.7.5:-
state: WAITCTLREPLY
created at: Sep 28 08:22:52 2014
administrative name: '"VPN OFFICE COM"'
created by admin: YES, tunnel mode: LAC
peer tunnel id: 0, host name: NOT SET
UDP ports: local 49627, peer 1701
authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
session limit: 0, session count: 0
tunnel profile: default, peer profile: default
session profile: default, ppp profile: default
hello timeout: 60, retry timeout: 1, idle timeout: 0
rx window size: 10, tx window size: 10, max retries: 5
use udp checksums: ON
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
trace flags: NONE
peer protocol version: 0.0, firmware 0
peer framing capability: NONE
peer bearer capability: NONE
peer rx window size: 0
Transport status:-
ns/nr: 1/0, peer 0/0
cwnd: 1, ssthresh: 0, congpkt_acc: 0
Transport statistics:-
out-of-sequence control/data discards: 0/0
zlbs tx/txfail/rx: 0/0/0
retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0
hellos tx/txfail/rx: 0/0/0
control rx packets: 0, rx bytes: 0
control tx packets: 1, tx bytes: 139
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
establish retries: 0
l2tp> session create session_name="VPN OFFICE COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN OFFICE COM"
Created session 45480 on tunnel "VPN OFFICE COM"
l2tp> session show tunnel_name="VPN OFFICE COM" session_name="VPN OFFICE COM"
Session 45480 on tunnel 10765:-
type: LAC Incoming Call, state: WAITTUNNEL
created at: Sep 28 08:23:09 2014
administrative name: "VPN OFFICE COM"
created by admin: YES
ppp user name: USER_NAME
ppp user password: USER_PASSWORD
data sequencing required: OFF
use data sequence numbers: OFF
trace flags: NONE
framing types: SYNC ASYNC
bearer types: DIGITAL ANALOG
call serial number: 1
connect speed: 1000000
use ppp proxy: NO
Peer configuration data:-
data sequencing required: OFF
framing types:
bearer types:
call serial number: 1
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
|
There is one deviation from your IPsec connection:
Code: |
rightprotoport=udp/%any
|
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Sun Sep 28, 2014 3:46 pm
Didn't work, the server modified it:
Code: |
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
|
We'll have to go with approach #2 and bind to port 1701.
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Sun Sep 28, 2014 11:00 pm
Looking on the bright side, we now have the ESTABLISHED state. Unfortunately, as far as I can tell we're getting the same behaviour as with xl2tpd.
Code: |
# ipsec up VPN.OFFICE.COM
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
generating QUICK_MODE request [HIDDEN] [ HASH ]
connection 'VPN.OFFICE.COM' established successfully
sveta huoshe # l2tpconfig
l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com our_udp_port=1701
Created tunnel 835
l2tp> tunnel show tunnel_name="VPN OFFICE COM"
Tunnel 835, from 1.2.3.4 to 17.11.7.5:-
state: ESTABLISHED
created at: Sep 28 23:44:09 2014
administrative name: '"VPN OFFICE COM"'
created by admin: YES, tunnel mode: LAC
peer tunnel id: 7989, host name: NOT SET
UDP ports: local 1701, peer 1701
authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
session limit: 0, session count: 0
tunnel profile: default, peer profile: default
session profile: default, ppp profile: default
hello timeout: 60, retry timeout: 1, idle timeout: 0
rx window size: 10, tx window size: 10, max retries: 5
use udp checksums: ON
do pmtu discovery: OFF, mtu: 1460
framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
use tiebreaker: OFF
trace flags: NONE
peer vendor name: Cisco Systems, Inc.
peer protocol version: 1.0, firmware 4384
peer framing capability: SYNC ASYNC
peer bearer capability: DIGITAL ANALOG
peer rx window size: 16
Transport status:-
ns/nr: 2/1, peer 2/1
cwnd: 3, ssthresh: 10, congpkt_acc: 0
Transport statistics:-
out-of-sequence control/data discards: 0/0
zlbs tx/txfail/rx: 1/0/1
retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0
hellos tx/txfail/rx: 0/0/0
control rx packets: 2, rx bytes: 128
control tx packets: 3, tx bytes: 171
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 0, tx bytes: 0, tx errors: 0
establish retries: 0
l2tp> session create session_name="VPN OFFICE COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN OFFICE COM"
Created session 65073 on tunnel "VPN OFFICE COM"
l2tp> session show tunnel_name="VPN OFFICE COM" session_name="VPN OFFICE COM"
Session 65073 on tunnel 835:-
type: LAC Incoming Call, state: ESTABLISHED
created at: Sep 28 23:44:18 2014
administrative name: "VPN OFFICE COM"
created by admin: YES, peer session id: 7862
ppp user name: USER_NAME
ppp user password: USER_PASSWORD
ppp interface name: ppp0
data sequencing required: OFF
use data sequence numbers: OFF
trace flags: NONE
framing types: SYNC ASYNC
bearer types: DIGITAL ANALOG
call serial number: 1
connect speed: 1000000
use ppp proxy: NO
Peer configuration data:-
data sequencing required: OFF
framing types:
bearer types:
call serial number: 1
data rx packets: 9, rx bytes: 244, rx errors: 0
data tx packets: 8, tx bytes: 286, tx errors: 0
# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST> mtu 1500
ether [HIDDEN] txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 [HIDDEN] prefixlen 64 scopeid 0x20<link>
ether [HIDDEN] txqueuelen 1000 (Ethernet)
RX packets 14981 bytes 17385980 (16.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10522 bytes 1389109 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory [HIDDEN]
enp59s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether [HIDDEN] txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 memory [HIDDEN]
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 137 bytes 43277 (42.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 137 bytes 43277 (42.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 125.64.27.8 netmask 255.255.255.255 destination 17.11.7.5
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 4 bytes 34 (34.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19 bytes 8917 (8.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
sveta huoshe # ping 1.3.3.1
PING 1.3.3.1 (1.3.3.1) 56(84) bytes of data.
^C
--- 1.3.3.1 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms
|
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Sun Sep 28, 2014 11:19 pm
OK, verify that neither the session nor the tunnel goes down by itself after a few seconds (the other end might time out after 15-30 minutes of idleness, so that's OK). If the tunnel stays up then it's a network configuration problem.
If the tunnel is stable, try the "tracepath" and/or "traceroute" utility and see if data is crossing the tunnel. Ping the other end of the tunnel. Use "tcpdump -i eno1 proto 50" and "tcpdump -i ppp0" and verify you see traffic (you may get the "ret: -1" thing, I get it too, but it should still work).
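The steps in that post (make sure the tunnel stays up, then capture on both the uplink and ppp0 while generating traffic) can be scripted so the timing of the failure is recorded rather than guessed. The script below is an added example, not code from this thread, strongSwan or openl2tp. It assumes, from the outputs earlier in the thread, a tunnel named "VPN OFFICE COM", uplink eno1, PPP interface ppp0 with peer 17.11.7.5, and that l2tpconfig accepts its commands on the command line. One caveat is built into the capture filter: the IKE log above says "local host is behind NAT" and the status shows the CHILD_SA as "ESP in UDP", so the outer leg travels as UDP 4500 and a filter for proto 50 alone can show nothing even while the SA is carrying traffic; the filter also matches bare UDP 1701, which on the uplink would mean L2TP is leaving outside the IPsec policy.

```shell
#!/bin/sh
# Added example, not code from this thread, strongSwan or openl2tp: runs the
# checks suggested above in order. Assumptions, all taken from this thread:
# l2tpconfig accepts its commands as arguments, the tunnel is named
# "VPN OFFICE COM", the uplink is eno1, the PPP link is ppp0 and its peer is
# 17.11.7.5 (the "destination" ifconfig printed for ppp0). Run as root:
# "watch" first, then "capture".
set -eu

TUNNEL_NAME="VPN OFFICE COM"
WAN_IF=eno1
PPP_IF=ppp0
PPP_PEER=17.11.7.5

# Print the word after "state:" from "tunnel show"/"session show" text on stdin.
l2tp_state() {
    sed -n 's/.*state:[[:space:]]*\([A-Z]*\).*/\1/p' | head -n 1
}

# Current tunnel state, or GONE once openl2tpd no longer knows the tunnel.
current_tunnel_state() {
    st=$(l2tpconfig tunnel show tunnel_name="$TUNNEL_NAME" 2>/dev/null | l2tp_state)
    echo "${st:-GONE}"
}

# Poll once a second for $1 seconds (default 90) and stop at the first second
# the tunnel is not ESTABLISHED. The symptom reported in this thread is a
# tunnel that vanishes in under a minute; this pins down when, and whether
# the state goes through CLOSING first.
watch_tunnel() {
    limit=${1:-90}; t=0
    while [ "$t" -lt "$limit" ]; do
        st=$(current_tunnel_state)
        if [ "$st" != ESTABLISHED ]; then
            echo "tunnel state is $st after ${t}s" >&2
            return 1
        fi
        t=$((t + 1)); sleep 1
    done
    echo "tunnel stayed ESTABLISHED for ${limit}s; look at routing and firewall next"
}

# Capture the outer and inner legs while generating traffic. NAT-T is in use
# here ("local host is behind NAT", "ESP in UDP"), so raw ESP (proto 50) may
# never appear on the wire: match UDP 4500 as well. Bare UDP 1701 on the
# uplink would mean L2TP is escaping the IPsec policy.
capture() {
    tcpdump -n -i "$WAN_IF" "host $PPP_PEER and (esp or udp port 4500 or udp port 1701)" &
    outer=$!
    tcpdump -n -i "$PPP_IF" &
    inner=$!
    sleep 1
    ping -c 4 "$PPP_PEER" || true
    tracepath "$PPP_PEER" || true
    sleep 2
    kill "$outer" "$inner" 2>/dev/null || true
}

# "tunnel show" lines copied from the thread, to exercise the parser offline.
SAMPLE_SHOW='Tunnel 835, from 1.2.3.4 to 17.11.7.5:-
    state: ESTABLISHED
    created at: Sep 28 23:44:09 2014'
selfcheck() { [ "$(printf '%s\n' "$SAMPLE_SHOW" | l2tp_state)" = ESTABLISHED ]; }

case "${1:-}" in
    watch)   watch_tunnel "${2:-90}" ;;
    capture) capture ;;
    check)   selfcheck && echo "parser OK" ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 watch [seconds] | capture | check" >&2; exit 2 ;;
esac
```

Running "watch" immediately after "session create" separates two cases that look the same from the outside: a tunnel that is torn down by the peer (state goes to CLOSING, then GONE) versus one that stays ESTABLISHED while the PPP link simply carries nothing, which points at routing or firewall rules rather than at L2TP.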
Duco Ergo Sum Apprentice
Joined: 06 Dec 2005 Posts: 154 Location: Winsford
Posted: Sun Sep 28, 2014 11:33 pm
No traffic passes through the tunnel, and then it disappears after less than a minute. After that, to create an established tunnel again, I need to restart ipsec and openl2tpd.