Strongswan, Instant D/C...

Message

ShiroiKuma · Post by **ShiroiKuma** » Tue Mar 10, 2015 2:45 pm

I've followed the guide at http://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server and opted for Strongswan and xl2tpd.

I'm just trying to create a fairly simple VPN solution (one that doesn't require GRE passthrough) for my homenetwork. However to test it first I thought I should try it from an internal machine. The following is the output when attempting to connect to the VPN server from a Windows 2012 Server. The VPN server is 192.168.11.10 and the Windows Server is 192.168.11.101.

Mar 10 23:29:25 pi1 charon: 06[NET] received packet: from 192.168.11.101[500] to 192.168.11.10[500] (408 bytes)
Mar 10 23:29:25 pi1 charon: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Mar 10 23:29:25 pi1 charon: 06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:499a:1c:5b:2a:51:00:00:00:01
Mar 10 23:29:25 pi1 charon: 06[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Mar 10 23:29:25 pi1 charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Mar 10 23:29:25 pi1 charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 10 23:29:25 pi1 charon: 06[IKE] received FRAGMENTATION vendor ID
Mar 10 23:29:25 pi1 charon: 06[ENC] received unknown vendor ID: fb:1d:e3f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Mar 10 23:29:25 pi1 charon: 06[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Mar 10 23:29:25 pi1 charon: 06[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Mar 10 23:29:25 pi1 charon: 06[IKE] 192.168.11.101 is initiating a Main Mode IKE_SA
Mar 10 23:29:25 pi1 charon: 06[IKE] 192.168.11.101 is initiating a Main Mode IKE_SA
Mar 10 23:29:25 pi1 charon: 06[ENC] generating ID_PROT response 0 [ SA V V V ]
Mar 10 23:29:25 pi1 charon: 06[NET] sending packet: from 192.168.11.10[500] to 192.168.11.101[500] (136 bytes)
Mar 10 23:29:25 pi1 charon: 07[NET] received packet: from 192.168.11.101[500] to 192.168.11.10[500] (228 bytes)
Mar 10 23:29:25 pi1 charon: 07[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 10 23:29:26 pi1 charon: 07[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 10 23:29:26 pi1 charon: 07[NET] sending packet: from 192.168.11.10[500] to 192.168.11.101[500] (212 bytes)
Mar 10 23:29:26 pi1 charon: 08[NET] received packet: from 192.168.11.101[500] to 192.168.11.10[500] (76 bytes)
Mar 10 23:29:26 pi1 charon: 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Mar 10 23:29:26 pi1 charon: 08[CFG] looking for pre-shared key peer configs matching 192.168.11.10...192.168.11.101[192.168.11.101]
Mar 10 23:29:26 pi1 charon: 08[CFG] selected peer config "vpnserver"
Mar 10 23:29:26 pi1 charon: 08[IKE] IKE_SA vpnserver[1] established between 192.168.11.10[vpn.sk.co.uk]...192.168.11.101[192.168.11.101]
Mar 10 23:29:26 pi1 charon: 08[IKE] IKE_SA vpnserver[1] established between 192.168.11.10[vpn.sk.co.uk]...192.168.11.101[192.168.11.101]
Mar 10 23:29:26 pi1 charon: 08[ENC] generating ID_PROT response 0 [ ID HASH ]
Mar 10 23:29:26 pi1 charon: 08[NET] sending packet: from 192.168.11.10[500] to 192.168.11.101[500] (92 bytes)
Mar 10 23:29:26 pi1 charon: 10[NET] received packet: from 192.168.11.101[500] to 192.168.11.10[500] (412 bytes)
Mar 10 23:29:26 pi1 charon: 10[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
Mar 10 23:29:26 pi1 charon: 10[IKE] received 3600s lifetime, configured 0s
Mar 10 23:29:26 pi1 charon: 10[IKE] received 250000000 lifebytes, configured 0
Mar 10 23:29:26 pi1 charon: 10[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID ]
Mar 10 23:29:26 pi1 charon: 10[NET] sending packet: from 192.168.11.10[500] to 192.168.11.101[500] (188 bytes)
Mar 10 23:29:26 pi1 charon: 11[NET] received packet: from 192.168.11.101[500] to 192.168.11.10[500] (60 bytes)
Mar 10 23:29:26 pi1 charon: 11[ENC] parsed QUICK_MODE request 1 [ HASH ]
Mar 10 23:29:26 pi1 charon: 11[IKE] CHILD_SA vpnserver{1} established with SPIs c4cc3b9b_i e7fab2f6_o and TS 192.168.11.10/32[udp/l2tp] === 192.168.11.101/32[udp/l2tp]
Mar 10 23:29:26 pi1 charon: 11[IKE] CHILD_SA vpnserver{1} established with SPIs c4cc3b9b_i e7fab2f6_o and TS 192.168.11.10/32[udp/l2tp] === 192.168.11.101/32[udp/l2tp]
Mar 10 23:29:27 pi1 xl2tpd[2318]: Connection established to 192.168.11.101, 1701. Local: 9531, Remote: 5 (ref=0/0). LNS session is 'default'
Mar 10 23:29:27 pi1 xl2tpd[2318]: check_control: Received out of order control packet on tunnel 5 (got 3, expected 2)
Mar 10 23:29:27 pi1 xl2tpd[2318]: handle_packet: bad control packet!
Mar 10 23:29:27 pi1 xl2tpd[2318]: result_code_avp: result code not appropriate for Incoming-Call-Request. Ignoring.
Mar 10 23:29:27 pi1 xl2tpd[2318]: start_pppd: I'm running:
Mar 10 23:29:27 pi1 xl2tpd[2318]: "/usr/sbin/pppd"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "passive"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "nodetach"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "192.168.11.10:192.168.10.200"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "auth"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "name"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "LinuxVPN"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "file"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "/etc/ppp/options.xl2tpd"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "plugin"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "pppol2tp.so"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "pppol2tp"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "8"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "pppol2tp_lns_mode"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "pppol2tp_tunnel_id"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "9531"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "pppol2tp_session_id"
Mar 10 23:29:27 pi1 xl2tpd[2318]: "65014"
Mar 10 23:29:27 pi1 xl2tpd[2318]: Call established with 192.168.11.101, Local: 65014, Remote: 1, Serial: 0
Mar 10 23:29:27 pi1 xl2tpd[2318]: write_packet: tty is not open yet.
Mar 10 23:29:27 pi1 pppd[2332]: Plugin pppol2tp.so loaded.
Mar 10 23:29:27 pi1 pppd[2332]: pppd 2.4.7 started by root, uid 0
Mar 10 23:29:27 pi1 pppd[2332]: Using interface ppp0
Mar 10 23:29:27 pi1 pppd[2332]: Connect: ppp0 <-->
Mar 10 23:29:27 pi1 pppd[2332]: Overriding mtu 1500 to 1410
Mar 10 23:29:27 pi1 pppd[2332]: Overriding mru 1500 to mtu value 1410
Mar 10 23:29:29 pi1 xl2tpd[2318]: control_finish: Connection closed to 192.168.11.101, serial 0 ()
Mar 10 23:29:29 pi1 xl2tpd[2318]: Terminating pppd: sending TERM signal to pid 2332
Mar 10 23:29:29 pi1 xl2tpd[2318]: control_finish: Connection closed to 192.168.11.101, port 1701 (), Local: 9531, Remote: 5
Mar 10 23:29:29 pi1 pppd[2332]: Terminating on signal 15
Mar 10 23:29:29 pi1 charon: 15[NET] received packet: from 192.168.11.101[500] to 192.168.11.10[500] (76 bytes)
Mar 10 23:29:29 pi1 charon: 15[ENC] parsed INFORMATIONAL_V1 request 1163998754 [ HASH D ]
Mar 10 23:29:29 pi1 charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI e7fab2f6
Mar 10 23:29:29 pi1 charon: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c4cc3b9b_i (834 bytes) e7fab2f6_o (781 bytes) and TS 192.168.11.10/32[udp/l2tp] === 192.168.11.101/32[udp/l2tp]
Mar 10 23:29:29 pi1 charon: 15[IKE] closing CHILD_SA vpnserver{1} with SPIs c4cc3b9b_i (834 bytes) e7fab2f6_o (781 bytes) and TS 192.168.11.10/32[udp/l2tp] === 192.168.11.101/32[udp/l2tp]
Mar 10 23:29:29 pi1 charon: 16[NET] received packet: from 192.168.11.101[500] to 192.168.11.10[500] (92 bytes)
Mar 10 23:29:29 pi1 charon: 16[ENC] parsed INFORMATIONAL_V1 request 1943653299 [ HASH D ]
Mar 10 23:29:29 pi1 charon: 16[IKE] received DELETE for IKE_SA vpnserver[1]
Mar 10 23:29:29 pi1 charon: 16[IKE] deleting IKE_SA vpnserver[1] between 192.168.11.10[vpn.sk.co.uk]...192.168.11.101[192.168.11.101]
Mar 10 23:29:29 pi1 charon: 16[IKE] deleting IKE_SA vpnserver[1] between 192.168.11.10[vpn.sk.co.uk]...192.168.11.101[192.168.11.101]
Mar 10 23:29:35 pi1 pppd[2332]: Connection terminated.
Mar 10 23:29:35 pi1 charon: 06[KNL] interface ppp0 deleted
Mar 10 23:29:35 pi1 pppd[2332]: Modem hangup
Mar 10 23:29:35 pi1 pppd[2332]: Exit.

I'm not running iptables at all on the VPN server, minimizing points of failure for now.

The following files may be relevant

/etc/ipsec.conf

Code: Select all

conn vpnserver
        type=transport
        authby=secret
        rekey=no
        keyingtries=1
        left=%any
        leftprotoport=udp/l2tp
        leftid=@vpn.sk.co.uk
        right=%any
        rightprotoport=udp/%any
        auto=add

/etc/ppp/options.xl2tpd

Code: Select all

noccp
noauth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent

and lastly
/etc/xl2tpd/xl2tpd.conf

Code: Select all

[global]
port = 1701
access control = no

[lns default]
ip range = 192.168.10.200-192.168.10.205
local ip = 192.168.11.10
require authentication = yes
name = LinuxVPN
pppoptfile = /etc/ppp/options.xl2tpd

I'm not sure where to start looking into this problem, would any other files assist at all? Any help is appreciated.

I tried PPTP first but my ISP blocks GRE. So now I'm trying L2TP.

ShiroiKuma · Post by **ShiroiKuma** » Wed Mar 11, 2015 2:13 am

With a bit of luck I got it working slightly.

I altered /etc/ppp/options.xl2tpd and swapped noauth for auth. I thought noauth would be better for getting it tested, but apparently not. Once I did that I started getting Error 850 regarding unsupported encryption in the Windows Server.

For that, I just had to explicitly allow MS-CHAP v2 as it's disabled by default. Now my VPN clients can connect to my network okay and even my iPhone can VPN in.

The only missing feature now, is allowing my VPN clients to access the internet through the VPN.