Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
IPSec timing out?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Sat Oct 31, 2015 3:20 pm    Post subject: IPSec timing out? Reply with quote

I went ahead and created a dedicated VPN server (Openswan, xl2tpd) and configured it, but I am having trouble making it work. There is no firewall on my laptop or the server during this testing, so I can rule those out. The server has a public interface which I am connecting to and an internal one. My client is behind a NAT router. I am not sure about a few settings in NetworkManager for Openswan, and I am fairly sure that is where my problem lies.

Client log:
Code:

Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  Starting VPN service 'openswan'...
Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  VPN service 'openswan' started (org.freedesktop.NetworkManager.openswan), PID 5663
Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  VPN service 'openswan' appeared; activating connections
Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  VPN plugin state changed: init (1)
Oct 31 11:06:40 laptop01 NetworkManager[3466]: <info>  VPN plugin state changed: starting (3)
Oct 31 11:06:40 laptop01 NetworkManager[3466]: <info>  VPN connection 'Reach Technology FP - L2TP' (Connect) reply received.
Oct 31 11:06:41 laptop01 pluto[5818]: NSS DB directory: sql:/etc/ipsec.d
Oct 31 11:06:41 laptop01 pluto[5818]: NSS initialized
Oct 31 11:06:41 laptop01 pluto[5818]: libcap-ng support [disabled]
Oct 31 11:06:41 laptop01 pluto[5818]: FIPS HMAC integrity support [disabled]
Oct 31 11:06:41 laptop01 pluto[5818]: Linux audit support [disabled]
Oct 31 11:06:41 laptop01 pluto[5818]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:5818
Oct 31 11:06:41 laptop01 pluto[5818]: core dump dir: /var/run/pluto/
Oct 31 11:06:41 laptop01 pluto[5818]: secrets file: /etc/ipsec.secrets
Oct 31 11:06:41 laptop01 pluto[5818]: leak-detective disabled
Oct 31 11:06:41 laptop01 pluto[5818]: NSS crypto [enabled]
Oct 31 11:06:41 laptop01 pluto[5818]: XAUTH PAM support [enabled]
Oct 31 11:06:41 laptop01 pluto[5818]:    NAT-Traversal support  [enabled]
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: starting up 1 crypto helpers
Oct 31 11:06:41 laptop01 pluto[5818]: started thread for crypto helper 0 (master fd 11)
Oct 31 11:06:41 laptop01 pluto[5818]: Using Linux XFRM/NETKEY IPsec interface code on 3.18.16-gentoo
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: | certificate not loaded for this end
Oct 31 11:06:41 laptop01 pluto[5818]: | certificate not loaded for this end
Oct 31 11:06:41 laptop01 pluto[5818]: added connection description "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Oct 31 11:06:41 laptop01 pluto[5818]: listening for IKE messages
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface enp0s25/enp0s25 10.0.4.101:500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface enp0s25/enp0s25 10.0.4.101:4500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface lo/lo 127.0.0.1:500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface lo/lo 127.0.0.1:4500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface lo/lo ::1:500
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 23
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface lo:4500 fd 22
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 21
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface enp0s25:4500 fd 20
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface enp0s25:500 fd 18
Oct 31 11:06:41 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.secrets"
Oct 31 11:06:41 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: initiating Aggressive Mode #1, connection "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Oct 31 11:06:42 laptop01 pluto[5818]: listening for IKE messages
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface lo:500 23
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 23
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface lo:4500 22
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface lo:4500 fd 22
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface lo:500 21
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 21
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface enp0s25:4500 20
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface enp0s25:4500 fd 20
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface enp0s25:500 18
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface enp0s25:500 fd 18
Oct 31 11:06:42 laptop01 pluto[5818]: forgetting secrets
Oct 31 11:06:42 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.secrets"
Oct 31 11:06:42 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Oct 31 11:07:21 laptop01 NetworkManager[3466]: <warn>  VPN connection 'Reach Technology FP - L2TP' connect timeout exceeded.
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down
Oct 31 11:07:21 laptop01 pluto[5818]: forgetting secrets
Oct 31 11:07:21 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": deleting connection
Oct 31 11:07:21 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: deleting state #1 (STATE_AGGR_I1)
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface lo/lo ::1:500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface lo/lo 127.0.0.1:4500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface lo/lo 127.0.0.1:500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface enp0s25/enp0s25 10.0.4.101:4500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface enp0s25/enp0s25 10.0.4.101:500
Oct 31 11:07:41 laptop01 NetworkManager[3466]: <info>  VPN service 'openswan' disappeared


Now for the server-side settings. I may have messed up here, but I do not believe that I have.

Server /etc/ipsec.conf:
Code:

version 2

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6$
        protostack=netkey
        force_keepalive=yes
        keep_alive=60

conn L2TP-PSK
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        ike=aes256-sha1,aes128-sha1,3des-sha1
        phase2alg=aes256-sha1,aes128-sha1,3des-sha1
        type=transport
        left=10.0.0.2
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear


Server /etc/ipsec.secrest
Code:

10.0.0.2 %any: PSK "<hidden>"


Server /etc/xl2tpd/xl2tpd.conf
Code:

[global]
ipsec saref = yes
saref refinfo = 30

[lns default]
ip range = 10.0.2.201-10.0.2.250
local ip = 10.0.0.2
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


Server /etc/ppp/options.xl2tpd
Code:

ms-dns 10.0.0.1
auth
mtu 1400
mru 1400
crtscts
hide-password
modem
name vpn01
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


Server /etc/ppp/chap-secrets
Code:

testuser vpn01 password *


The server's hostname is "vpn01", the internal (LAN) IP is 10.0.0.2, and the WAN has a public IP which I will not display here for security reasons. The only thing left is to show you my client settings. I use Network Manager in KDE, so below are the fields I have filled in.

Gateway: Hostname of the VPN's WAN port. It works, I can SSH into the box this way!
Group name: vpn01 (No clue what "group name" is)
User password: The password in /etc/ppp/chap-secrets
Group password: The hex password in /etc/ipsec.secrets
User name: testuser
Phase1 algorithms: aes256-sha1,aes128-sha1,3des-sha1
Phase2 algorithms: aes256-sha1,aes128-sha1,3des-sha1
Domain: vpn01

I am not sue I even need to set "Domain" or "Group name" and am not sure what to set them to. Help?
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Mon Nov 02, 2015 2:46 pm    Post subject: Reply with quote

In case it matters, I have verified IPSec using the utility.
Code:

root@vpn01:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-4-amd64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

All appears to be good. It just keeps timing out. The only clue I have is that it is listening for IKE messages. I am checking into that now.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Mon Nov 02, 2015 4:13 pm    Post subject: Reply with quote

I made some progress. I was using my internal LAN IP for the left setting instead of the WAN IP. Changing the left setting to the WAN IP got me farther, but has not solved the problem. It still fails to connect.
Code:

Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: responding to Main Mode from unknown peer 9.8.7.6
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: Main mode peer ID is ID_IPV4_ADDR: '10.0.2.15'
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: switched from "L2TP-PSK" to "L2TP-PSK"
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: deleting connection "L2TP-PSK" instance with peer 9.8.7.6 {isakmp=#0/ipsec=#0}
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: new NAT mapping for #1, was 9.8.7.6:44859, now 9.8.7.6:48552
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: the peer proposed: 108.169.144.180/32:17/1701 -> 10.0.2.15/32:17/0
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: responding to Quick Mode proposal {msgid:01000000}
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2:     us: 10.0.0.0/22===108.169.144.180<108.169.144.180>[+S=C]:17/1701
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2:   them: 9.8.7.6[10.0.2.15,+S=C]:17/1701
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8865c012 <0x74cb73c8 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=9.8.7.6:48552 DPD=none}
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: received Delete SA(0x8865c012) payload: deleting IPSEC State #2
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: received and ignored informational message
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: received Delete SA payload: deleting ISAKMP State #1
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6: deleting connection "L2TP-PSK" instance with peer 9.8.7.6 {isakmp=#0/ipsec=#0}
Nov  2 11:08:59 vpn01 pluto[30598]: packet from 9.8.7.6:48552: received and ignored informational message

Now I have another issue. My client in this log is Windows 7. If I use Network Manager and OpenSwan, it tries to use aggressive mode, but I cannot figure out how to make it NOT use aggressive mode.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Wed Nov 04, 2015 1:30 pm    Post subject: Reply with quote

Anybody? I am stuck at this point. I feel like I am close to having a working VPN, but it just won't work.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Mon Nov 23, 2015 3:00 pm    Post subject: Reply with quote

Still failing here. I am supposed to have this working this week and still no go. I am lost, but I did see a message which seems odd.
Code:

Nov 23 09:48:02 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:03 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:05 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:09 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:17 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:33 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

This is logged on my laptop (the remote client). According to the Openswan wiki, this means that the IKE daemon is not running, but ipsec IS indeed running on the server. I am just completely lost at this point. Does nobody know how to setup IPSec/L2TP? Is PPTP really the height of Linux VPN servers?

Here is my current information and configuration.

VPN Server LAN IP: 10.0.0.2/22
VPN Server WAN IP: 10.20.30.40
Default GW is the WAN default GW

/etc/ipsec.conf
Code:

version 2

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
        protostack=klips
        force_keepalive=yes
        keep_alive=60

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        ike=aes256-sha1,aes128-sha1,3des-sha1
        phase2alg=aes256-sha1,aes128-sha1,3des-sha1
        type=transport
        left=10.20.30.40
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear


/etc/xl2tpd/xl2tpd.conf
Code:

[global]
listen-addr = 10.0.0.2
port = 1701
ipsec saref = yes
saref refinfo = 30
force userspace = yes

[lns default]
ip range = 10.0.2.201-10.0.2.250
local ip = 10.20.30.40
require-chap = yes
refuse pap = yes
require authentication = yes
name = vpn01
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/options.xl2tpd
Code:

ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
noccp
auth
mtu 1400
mru 1400
crtscts
nodefaultroute
lock
proxyarp
connect-delay 5000
name vpn01

Help?
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Mon Nov 23, 2015 5:47 pm    Post subject: Reply with quote

Best way to work on this is one layer at time. I created a Gentoo wiki article IPsec L2TP VPN server that should walk you though create a n VPN server suitable for Windows clients. It covers both PSK and certificate based authentication.
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Mon Nov 23, 2015 6:45 pm    Post subject: Reply with quote

I followed it once, so I started again and followed it from scratch. No go.

Client logs
Code:

Nov 23 13:36:40 laptop01 NetworkManager[3472]: <info>  VPN connection 'Reach Technology FP - L2TP' (Connect) reply received.
Nov 23 13:36:40 laptop01 pluto[13291]: NSS DB directory: sql:/etc/ipsec.d
Nov 23 13:36:40 laptop01 pluto[13291]: NSS initialized
Nov 23 13:36:40 laptop01 pluto[13291]: libcap-ng support [disabled]
Nov 23 13:36:40 laptop01 pluto[13291]: FIPS HMAC integrity support [disabled]
Nov 23 13:36:40 laptop01 pluto[13291]: Linux audit support [disabled]
Nov 23 13:36:40 laptop01 pluto[13291]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:13291
Nov 23 13:36:40 laptop01 pluto[13291]: core dump dir: /var/run/pluto/
Nov 23 13:36:40 laptop01 pluto[13291]: secrets file: /etc/ipsec.secrets
Nov 23 13:36:40 laptop01 pluto[13291]: leak-detective disabled
Nov 23 13:36:40 laptop01 pluto[13291]: NSS crypto [enabled]
Nov 23 13:36:40 laptop01 pluto[13291]: XAUTH PAM support [enabled]
Nov 23 13:36:40 laptop01 pluto[13291]:    NAT-Traversal support  [enabled]
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: starting up 1 crypto helpers
Nov 23 13:36:40 laptop01 pluto[13291]: started thread for crypto helper 0 (master fd 11)
Nov 23 13:36:40 laptop01 pluto[13291]: Using Linux XFRM/NETKEY IPsec interface code on 3.18.16-gentoo
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: | certificate not loaded for this end
Nov 23 13:36:40 laptop01 pluto[13291]: | certificate not loaded for this end
Nov 23 13:36:40 laptop01 pluto[13291]: added connection description "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Nov 23 13:36:40 laptop01 pluto[13291]: listening for IKE messages
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface enp0s25/enp0s25 10.0.4.101:500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface enp0s25/enp0s25 10.0.4.101:4500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface lo/lo 127.0.0.1:500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface lo/lo 127.0.0.1:4500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface lo/lo ::1:500
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 23
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface lo:4500 fd 22
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 21
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface enp0s25:4500 fd 20
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface enp0s25:500 fd 18
Nov 23 13:36:40 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.secrets"
Nov 23 13:36:40 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Nov 23 13:36:40 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-e5865848-2ea5-446e-ac6a-fa595d53d0a5.secrets"
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: initiating Aggressive Mode #1, connection "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Nov 23 13:36:41 laptop01 pluto[13291]: listening for IKE messages
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface lo:500 23
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 23
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface lo:4500 22
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface lo:4500 fd 22
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface lo:500 21
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 21
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface enp0s25:4500 20
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface enp0s25:4500 fd 20
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface enp0s25:500 18
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface enp0s25:500 fd 18
Nov 23 13:36:41 laptop01 pluto[13291]: forgetting secrets
Nov 23 13:36:41 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.secrets"
Nov 23 13:36:41 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Nov 23 13:36:41 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-e5865848-2ea5-446e-ac6a-fa595d53d0a5.secrets"
Nov 23 13:37:20 laptop01 NetworkManager[3472]: <warn>  VPN connection 'Reach Technology FP - L2TP' connect timeout exceeded.
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down
Nov 23 13:37:20 laptop01 pluto[13291]: forgetting secrets
Nov 23 13:37:20 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": deleting connection
Nov 23 13:37:20 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: deleting state #1 (STATE_AGGR_I1)
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface lo/lo ::1:500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface lo/lo 127.0.0.1:4500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface lo/lo 127.0.0.1:500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface enp0s25/enp0s25 10.0.4.101:4500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface enp0s25/enp0s25 10.0.4.101:500


Server log
Code:

Nov 23 13:36:23 vpn01 pluto[15863]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:15863
Nov 23 13:36:23 vpn01 pluto[15863]: LEAK_DETECTIVE support [disabled]
Nov 23 13:36:23 vpn01 pluto[15863]: OCF support for IKE [disabled]
Nov 23 13:36:23 vpn01 pluto[15863]: SAref support [disabled]: Protocol not available
Nov 23 13:36:23 vpn01 pluto[15863]: SAbind support [disabled]: Protocol not available
Nov 23 13:36:23 vpn01 pluto[15863]: NSS support [disabled]
Nov 23 13:36:23 vpn01 pluto[15863]: HAVE_STATSD notification support not compiled in
Nov 23 13:36:23 vpn01 pluto[15863]: Setting NAT-Traversal port-4500 floating to on
Nov 23 13:36:23 vpn01 pluto[15863]:    port floating activation criteria nat_t=1/port_float=1
Nov 23 13:36:23 vpn01 pluto[15863]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Nov 23 13:36:23 vpn01 pluto[15863]: using /dev/urandom as source of random entropy
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 23 13:36:23 vpn01 pluto[15863]: starting up 1 cryptographic helpers
Nov 23 13:36:23 vpn01 pluto[15863]: started helper pid=15865 (fd:6)
Nov 23 13:36:23 vpn01 pluto[15863]: Using Linux 2.6 IPsec interface code on 3.2.0-4-amd64 (experimental code)
Nov 23 13:36:23 vpn01 pluto[15865]: using /dev/urandom as source of random entropy
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: Changed path to directory '/etc/ipsec.d/cacerts'
Nov 23 13:36:23 vpn01 pluto[15863]: Changed path to directory '/etc/ipsec.d/aacerts'
Nov 23 13:36:23 vpn01 pluto[15863]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Nov 23 13:36:23 vpn01 pluto[15863]: Changing to directory '/etc/ipsec.d/crls'
Nov 23 13:36:23 vpn01 pluto[15863]:   Warning: empty directory
Nov 23 13:36:23 vpn01 pluto[15863]: added connection description "L2TP-PSK-NAT"
Nov 23 13:36:23 vpn01 pluto[15863]: added connection description "L2TP-PSK-noNAT"
Nov 23 13:36:23 vpn01 pluto[15863]: listening for IKE messages
Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth1/eth1 10.20.30.40:500
Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth1/eth1 10.20.30.40:4500
Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth0/eth0 10.0.0.2:500
Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth0/eth0 10.0.0.2:4500
Nov 23 13:36:23 vpn01 pluto[15863]: adding interface lo/lo 127.0.0.1:500
Nov 23 13:36:23 vpn01 pluto[15863]: adding interface lo/lo 127.0.0.1:4500
Nov 23 13:36:23 vpn01 pluto[15863]: adding interface lo/lo ::1:500
Nov 23 13:36:23 vpn01 pluto[15863]: loading secrets from "/etc/ipsec.secrets"
Nov 23 13:36:23 vpn01 pluto[15863]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Nov 23 13:36:32 vpn01 sshd[15569]: Received disconnect from 1.2.3.4: 11: disconnected by user
Nov 23 13:36:32 vpn01 sshd[15569]: pam_unix(sshd:session): session closed for user root
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

As you can see, it just isn't working. I am just not sure what is wrong. I believe part of this is that I've become frazzled working on it for two weeks with no success.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Mon Nov 23, 2015 11:12 pm    Post subject: Reply with quote

Something is seriously wrong here. I think the problem here is the client, not the server. What software are you trying to connect with on the client?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Tue Nov 24, 2015 2:13 pm    Post subject: Reply with quote

LibreS/WAN. I use KDE (no systemd) and NetworkManager to configure my stuff inside KDE. Works great so far. Also, thank you VERY much for helping me with this.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Tue Nov 24, 2015 10:16 pm    Post subject: Reply with quote

I think I see the mistake you've been making. The openswan plugin for NetworkManager doesn't make standard RFC-style ipsec/l2tp connection, it makes Cisco-style one (that's what that "group name" stuff is all about)

Unfortunately, there are no NetworkManager plugins for this style of connection. It has to be done "by hand"

Something like this should suffice:on the client
Code:

conn vpnclient
        left=%defaultroute
        leftprotoport=udp
        right=192.168.10.17
        rightprotoport=udp/l2tp
        type=transport
        authby=secret
        pfs=no
        rekey=no
        keyingtries=0
        auto=add


then bring it up with "ipsec auto --up vpnclient". Once you have the ipsec connection side up, you can then configure xl2tpd for teh client side, and use xl2tpd-control to connect to it.
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Wed Nov 25, 2015 1:44 pm    Post subject: Reply with quote

Not good. This needs to work for your average computer user. I can easily do as you say, but I am the administrator. The average user needs something simple. How can I create a standard, easy to use connection for both Windows and Linux clients? Note that I have been testing this in Windows 7 also, and Windows 7 gets either an 807 or an 809 and mentions the server being behind NAT, but the server is NOT behind NAT.

This is my one big complaint with Linux for the average user right now. NetworkManager is very easy to use and also very flexible, but the only STANDARD thing it supports is PPTP. I need something that works in Windows AND Linux. In Windows setting up L2TP/IPSec is cake and any idiot can use it. In Linux, nothing which has a GUI is standard.

What else can I do for a secure VPN that works with Windows 7 out of the box but is also easy to use in Linux? Why does it have to be integrated with 7? Simple! The Windows 7 clients can logon to the domain via VPN while out on the road. They simply click the "logon with VPN" button, enter their domain name and password, it connects first, pulls GPOs, and then logs onto the laptop as though they're in the office, with access to shares, printers, etc. I do not want to run two separate VPN servers at each location if possible. By two I mean one for Linux and one for Windows.

So if L2TP/IPSec is impossible in Linux, what options do I have? SSTP?
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Wed Nov 25, 2015 9:25 pm    Post subject: Reply with quote

Openvpn might be a better choice here, then, if you need to support both kinds of clients.There's a NetworkManager openvpn client, and openvpn has a GUI client for Windows too. However openvpn doesn't use username/password, it uses certificates, so requires a PKI.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum