| View previous topic :: View next topic |
| Author |
Message |
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
 Posted: Mon Aug 18, 2014 8:56 am Post subject: VPN Client not connecting [SOLVED] |
 |
|
Hi there,
For the past week and a bit I have been trying to connect to my office VPN, without success. The instructions for connecting assume the client is a Windows 7 system.
The vpn is "IPSec (L2TP/IPSEC)" using a Pre-Shared Key.
For the purpose of this post I will use faux details and values:
gateway: vpn.office.com
PSK: vpn-office-com
username: your-login-username
password: your-login-password
domain (optional): office-name
What I have tried so far, includes:
compiled every IPSEC kernel module -> No appreciable difference.
KVPN -> Gives an error racoon config error and then a long list of other debug info which as it is security related I don't want post indiscriminately.
VPNC -> reports "No responce from target"
Cisco and regular UPD
I have tried setting various ports to use, 47, 50, 51, 443, 500, 1701, 1723, 10000
Strongswan -> the demon starts but I cannot find evidence of a connection
ipsec.conf and ipsec.secret configured for the above details respectively.
I can only guess that this isn't a firewall issue as a colleague who already connects to the vpn can only do so using a virtual machine running Windows 7. My colleague says this is because of
firewall and routing issues from his Linux desktop. My assertion being that the virtual machines has to pass through the host and any other firewall in his network.
Please help...
Last edited by Duco Ergo Sum on Tue Oct 14, 2014 12:11 am; edited 1 time in total |
|
| Back to top |
|
 |
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Tue Aug 19, 2014 8:56 pm Post subject: |
|
|
| I wrote a Gentoo wiki article covering setting up the server side of it: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server . Because all the protocols (ipsec, lt2p and pppd) are peer-to-peer, configuring it on the client side has a lot of similarities. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Thu Aug 21, 2014 7:59 am Post subject: |
|
|
Thank you.
I think what I need is the "Ipsec ID" (group id/name) parameter. I have a working Windows system now so I'll interrogate that. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Mon Aug 25, 2014 10:20 pm Post subject: |
|
|
This is really frustrating.
I now have:
- VPNC which times out without much indication of anything happening.
- StrongSwan which starts but I don't see any sign of a VPN nor have I found a way to test it.
- OpenL2TP which I've had to install an overlay (booboo) to get. This doesn't seem to be able to initiate sessions, tunnel id not found, while tunnel show - shows the tunnel I configured.
- NetworkManager seems to allow a sub-set of functionality in its configuration of different sub-systems but it protests that its unable to find an agent when I try to start a session.
Additionally, I've experimented with Windows. The initial setup is tricky but the VPN works. No additional information needed. With security in mind I'm sure, they've hidden the config details from prying eyes thus thwarting my plan to find the IP Sec ID there.
I am beginning to question if it this is a propriety MS VPN implementation or could my system be just missing one little screw somewhere?
I have read the IPsec L2TP VPN server wiki page and attempted to adapt its wisdom to my needs but unfortunately unsuccessfully.
Please tell me how I can test a VPN connection, just to see if it exists?
--
You know you really need help when the voices tell you that you're becoming obsessed! |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Wed Aug 27, 2014 3:39 am Post subject: |
|
|
The first, and most dificult layer, is the ipsec layer. Here's a simple config file you can adapt. AS the wiki page show, uncomment the "include" line at the very bottom of /etc/ipsec.conf and create a /etc/ipsec.d/office.vpn.com.conf with content similar to the following:
| Code: |
conn vpnclient
type=transport
authby=secret
pfs=no
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
auto=add
|
Don't forgot to create a /etc/ipsec.d/office.vpn.com.secret file too:
| Code: |
vpn.office.com %any : PSK "vpn-office-com"
|
Then start the ipsec service, and bring up your connection with "ipsec auto --up vpnclient" If you get a line in the log similar to "STATE_QUICK_I2: Sent QI2, IPsec SA established...." then you have ipsec connectivity.
ipsec is the hard part. Once you've got that, the l2tp tunnel is much simpler. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Thu Aug 28, 2014 12:48 am Post subject: |
|
|
Hi Salahx,
Thanks for again answering, I am very grateful.
The command 'ipsec up vpnclient' has been most illustrative. StrongSwan doesn't get a response from the office network either.
| Code: |
initiating IKE_SA vpn.office.com[1] to 17.11.7.5
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 1 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 2 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 3 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
[ ... ]
giving up after 5 retransmits
|
So now both VPNC and StrongSwan time out.
Food for thought. |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Thu Aug 28, 2014 6:53 am Post subject: |
|
|
Its seeing SOMETHING on the other side, its just having trouble negotiating with it. It appears its trying to negoitate an IKEv2 connection, but we want IKEv1.
So lets tweak the config a bit:
| Code: |
conn vpnclient
keyexchange=ikev1
type=transport
authby=secret
pfs=no
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
auto=add
|
|
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Thu Aug 28, 2014 8:49 am Post subject: |
|
|
Thanks.
We're making progress, new response message:
| Code: |
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (220 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (160 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed
|
My installed version of StrongSwan does not support the key word. Therefore this is what my config looks like at the moment:
| Code: |
conn vpn.office.com
keyexchange=ikev1
type=transport
authby=secret
esp=des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
auto=add
|
|
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Thu Aug 28, 2014 9:12 am Post subject: |
|
|
Looking in Windows
Control Panel - Administrative Tools - Windows Firewall with Advanced Security - Windows Firewall Properites (IPsec Settings) - Customize IPsec Defaults (Key exchange (Main Mode) - Advanced [Customize]) - Customize Advanced Key Exchange Settings
| Code: |
Security methods:
Integrity Encryption Key exchange algorithm
SHA-1 AES-CBC 128 Diffie-Hellman Group 2 (default)
SHA-1 3DES Diffie-Hellman Group 2
|
I'm off to work now but will experiment with these values when I get back. |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Thu Aug 28, 2014 4:14 pm Post subject: |
|
|
Its "pfs=no" not "psf=no". It doesn't matter anyway because the command is ignored under strongSwan and "no" is the default. You shouldn't need the "esp=des-sha1-modp1024" as it should choose the correct method during proposition process. In fact that will negotate PFS which is NOT what you want - Microsoft's IKEv1 daemon doesn't support PFS.
Note that Windows has TWO implementations of ipsec: the IKEv1 one used for l2tp tunnel, and and IKEv2 one which is controlled via the ipsec snap-in. The windows Firewall and other ipsec settings refer to the latter, but we want to use the former. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Fri Aug 29, 2014 12:04 am Post subject: |
|
|
Apologies, "psf" was a typo.
However, now mater how I try to configure the pfs option, I get the same result.
| Code: |
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed
|
|
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Fri Aug 29, 2014 12:14 am Post subject: |
|
|
| pfs option is ignored in strongSwan anyway. But that "esp" line has to be removed, because i know its wrong. If the server STILL won't accept any proposals offered by strongswan, even without the "esp" line there an "ike-scan" package in portage that should give some information on what proposals the gateway will accept. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Fri Aug 29, 2014 8:45 am Post subject: |
|
|
Hi,
I have used IKE-Scan which prompted me to change my Config as below and this has generated the follow information.
ike-scan output
| Code: |
ike-scan --verbose vpn.office.com
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
17.11.7.5 Main Mode Handshake returned HDR=(CKY-R=[Available On Request]) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=[Available On Request] (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.037 seconds (27.14 hosts/sec). 1 returned handshake; 0 returned notify
|
New Config
| Code: |
conn vpn.office.com
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
auto=add
|
ipsec output
| Code: |
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
establishing connection 'vpn.office.com' failed
|
Charon Log
| Code: |
Aug 29 09:14:39 sveta charon: 02[CFG] received stroke: initiate 'vpn.office.com'
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
Aug 29 09:14:39 sveta charon: 13[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
Aug 29 09:14:39 sveta charon: 06[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
Aug 29 09:14:39 sveta charon: 06[ENC] parsed ID_PROT response 0 [ SA V V ]
Aug 29 09:14:39 sveta charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 29 09:14:39 sveta charon: 06[IKE] received FRAGMENTATION vendor ID
Aug 29 09:14:39 sveta charon: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 29 09:14:39 sveta charon: 06[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
Aug 29 09:14:40 sveta charon: 05[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
Aug 29 09:14:40 sveta charon: 05[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Aug 29 09:14:40 sveta charon: 05[IKE] received Cisco Unity vendor ID
Aug 29 09:14:40 sveta charon: 05[IKE] received XAuth vendor ID
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
Aug 29 09:14:40 sveta charon: 05[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
|
|
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Fri Aug 29, 2014 3:12 pm Post subject: |
|
|
OK now its accepting the proposal but its having problem with the PSK. It probably has to do with how the VPN server is ideifying itself. So lets change the secrets file to
| Code: | | : PSK "vpn-office-com" |
This will make strongSwan use the key for all connections. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Fri Aug 29, 2014 9:51 pm Post subject: |
|
|
Awesome! Thank you!
| Code: |
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
generating INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
connection 'vpn.office.com' established successfully
|
I have pinged my office PC and did not get any returned packets. I haven't attempted to set up the L2TP layer yet but your guide says that is comparatively easy.
These lines though do worry me:
| Code: |
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
|
|
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Fri Aug 29, 2014 11:03 pm Post subject: |
|
|
Were almost there, but were not there yet. This goes back with "how the server is identifty itself" problem with the PSK: Instead of identify itself via its name (vpn.example.com), it does so by its IP address (17.11.7.5).
We just need to make one tweak:
| Code: |
conn vpn.office.com
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add
|
Or failing that, change the value of "right=" from "vpn.office.com" to "17.11.7.5" instead. Note you still can't do anything with the connection yet, as only L2TP packets will be passed across the ipsec link (thus you cannot ping anything across the link). |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Sat Aug 30, 2014 5:21 pm Post subject: |
|
|
Perfect, next step L2TP!
| Code: |
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA vpn.office.com{1} established with SPIs [Available On Request] [Available On Request] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
connection 'vpn.office.com' established successfully
|
Thank you. I expect as soon as I try L2TP I'll be back here confused as ever. Either way, I'll report back. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Sat Aug 30, 2014 10:04 pm Post subject: |
|
|
I thought this might happen.
/etc/xl2tp/xl2tpd.conf
| Code: |
[global] ; Global parameters:
port = 1701 ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets ; * Where our challenge secrets are
access control = no ; * Refuse connections without IP match
; rand source = dev ; Source for entropy for random
; ; numbers, options are:
; ; dev - reads of /dev/urandom
; ; sys - uses rand()
; ; egd - reads from egd socket
; ; egd is not yet implemented
;
[lns default] ; Our fallthrough LNS definition
; ip range = 192.168.0.1-192.168.0.20 ; * Allocate from this IP range
; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's
; no lac = untrusted.marko.net ; * This guy can't connect
; hidden bit = no ; * Use hidden AVP's?
local ip = 1.2.3.4 ; * Our local IP to use
; refuse authentication = no ; * Refuse authentication altogether
require authentication = yes ; * Require peer to authenticate
unix authentication = no ; * Use /etc/passwd for auth.
name = vpn.office.com ; * Report this as our hostname
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
|
/etc/ppp/options.l2tpd
| Code: |
noccp
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent
|
I started xl2tpd with: /etc/init.d/xl2tpd start
Then nothing, I'm sure I'm missing something this is a client after all and your instructions are for a server. So close! |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Sun Aug 31, 2014 8:46 am Post subject: |
|
|
Configuring an l2tp the client is a different that the server - thakfully client side is even easier:
The /etc/xl2tpd/xl2tpd.conf is even simpler then the server one:
| Code: |
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
|
You may not need the /etc/ppp/options.xl2tpd.client file (in which case comment that line out), but if you do, here's one that should work:
| Code: |
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock
#debug
|
Start up the xl2tpd service, then initiate a connection:
| Code: | | xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password |
Note TWO backslashes (the OFFICE-NAME\\ part may be optinal)
xl2tpd may fail with " open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading". If you run across this, just do a "mkdir /var/run/xl2tpd"
Note that xl2tpd-control will always just return "00 OK", to actually see if it works, you need to check the system logs. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Sun Aug 31, 2014 11:58 pm Post subject: |
|
|
Hi,
I have now tried a number of variations on a theme. Mostly where vpn.office.com could mean the url vpn.office.com or the ipsec connection name VPN.OFFICE.COM, capitalise to emphasis the distinciton
of these two roles. Also with and without OFFICE-NAME\\login-name login-password and in combination with including excluding options.xl2tpd.client.
/etc/xl2tpd/xl2tpd.conf
| Code: |
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
|
/etc/ppp/options.xl2tpd.client
| Code: |
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock
|
| Code: |
xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password
|
| Code: |
Sep 1 00:39:58 sveta xl2tpd[4845]: Connecting to host vpn.office.com, port 1701
Sep 1 00:40:01 sveta cron[4865]: (OhCaptian) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Sep 1 00:40:03 sveta xl2tpd[4845]: Maximum retries exceeded for tunnel 16278. Closing.
Sep 1 00:40:03 sveta xl2tpd[4845]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
Sep 1 00:40:08 sveta xl2tpd[4845]: Unable to deliver closing message for tunnel 16278. Destroying anyway.
|
If I get the opportunity, I will be more methodical in the morning. |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Mon Sep 01, 2014 4:02 am Post subject: |
|
|
xl2tpd and strongswan are unconnect, thus the "lns" value in the LAC section is just the server's domain name or IP address. In this case though, its not seeing the L2TP LNS (server) on the other side . This usually means the ipsec tunnel is down. Check and restart the tunnel if needed.
To see if data is going over the tunnel: You won't see anything cross the tunnel until xl2tpd-connect is started. You should see packets going in both directions. If not, either the tunnel is down, strongSwan is configured wrong or something (like a local firewall) is getting in the way.
In contrast, no l2tp packets should seen in the clear: | Code: | | tcpdump udp port 1701 |
This command should produce NO output when xl2tpd-connect is invoked. If it does either the tunnel is down, or strongSwan is configured wrong. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Tue Sep 02, 2014 9:09 am Post subject: |
|
|
Hi,
I have tried variety configurations of xl2tp. Just to add to the confusion my mobo has two lan ports and wifi, I fear now this feature is coming back to confuse me and my set-up. 'eno1' is the lan port which is would be eth0 and is currently the only operational network connection in this machine.
It appears that tcpdump is looking at 'bond0' and then not finding anything. Could xl2tp be doing the same?
tcpdump -i eno1 produces the same output as below.
Make connection
| Code: |
# xl2tpd-control connect vpnclient vpn.office.com\\Uname Upassword
00 OK
|
Test proto 50
| Code: |
# tcpdump proto 50
tcpdump: WARNING: bond0: no IPv4 address assigned
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
|
Test udp port 1701
| Code: |
# tcpdump udp port 1701
tcpdump: WARNING: bond0: no IPv4 address assigned
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
|
Some network devices
| Code: |
# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST> mtu 1500
ether ce:71:b2:5a:c2:1d txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.2.3.4 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 fd00::ca60:ff:fecc:4614 prefixlen 64 scopeid 0x0<global>
inet6 fe80::ca60:ff:fecc:4614 prefixlen 64 scopeid 0x20<link>
ether c8:60:00:cc:46:14 txqueuelen 1000 (Ethernet)
RX packets 14060 bytes 14971920 (14.2 MiB)
RX errors 0 dropped 3 overruns 0 frame 0
TX packets 10353 bytes 1465328 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory #x########-########
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 40 bytes 16841 (16.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 16841 (16.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
Log
| Code: |
Sep 2 08:55:31 sveta xl2tpd[4128]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4128
Sep 2 08:55:31 sveta xl2tpd[4128]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 2 08:55:31 sveta xl2tpd[4128]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 2 08:55:31 sveta xl2tpd[4128]: Inherited by Jeff McAdams, (C) 2002
Sep 2 08:55:31 sveta xl2tpd[4128]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 2 08:55:31 sveta xl2tpd[4128]: Listening on IP address 0.0.0.0, port 1701
Sep 2 08:55:37 sveta charon: 09[IKE] sending keep alive to 17.11.7.5[4500]
Sep 2 08:55:49 sveta charon: 10[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
Sep 2 08:55:49 sveta charon: 10[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD) ]
Sep 2 08:55:49 sveta charon: 10[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD_ACK) ]
Sep 2 08:55:49 sveta charon: 10[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (92 bytes)
Sep 2 08:55:59 sveta xl2tpd[4128]: Connecting to host vpn.office.com, port 1701
Sep 2 08:55:59 sveta xl2tpd[4128]: Connection established to 17.11.7.5, 1701. Local: [Available On Request], Remote: [Available On Request] (ref=0/0).
Sep 2 08:55:59 sveta xl2tpd[4128]: Calling on tunnel [Available On Request]
Sep 2 08:55:59 sveta xl2tpd[4128]: Call established with 17.11.7.5, Local: [Available On Request], Remote: [Available On Request], Serial: 1 (ref=0/0)
Sep 2 08:55:59 sveta xl2tpd[4128]: start_pppd: I'm running:
Sep 2 08:55:59 sveta xl2tpd[4128]: "/usr/sbin/pppd"
Sep 2 08:55:59 sveta xl2tpd[4128]: "passive"
Sep 2 08:55:59 sveta xl2tpd[4128]: "nodetach"
Sep 2 08:55:59 sveta xl2tpd[4128]: ":"
Sep 2 08:55:59 sveta xl2tpd[4128]: "name"
Sep 2 08:55:59 sveta xl2tpd[4128]: "vpn.office.com\Uname"
Sep 2 08:55:59 sveta xl2tpd[4128]: "plugin"
Sep 2 08:55:59 sveta xl2tpd[4128]: "passwordfd.so"
Sep 2 08:55:59 sveta xl2tpd[4128]: "passwordfd"
Sep 2 08:55:59 sveta xl2tpd[4128]: "8"
Sep 2 08:55:59 sveta xl2tpd[4128]: "file"
Sep 2 08:55:59 sveta xl2tpd[4128]: "/etc/ppp/options.l2tpd.lns"
Sep 2 08:55:59 sveta xl2tpd[4128]: "ipparam"
Sep 2 08:55:59 sveta xl2tpd[4128]: "17.11.7.5"
Sep 2 08:55:59 sveta xl2tpd[4128]: "plugin"
Sep 2 08:55:59 sveta xl2tpd[4128]: "pppol2tp.so"
Sep 2 08:55:59 sveta xl2tpd[4128]: "pppol2tp"
Sep 2 08:55:59 sveta xl2tpd[4128]: "9"
Sep 2 08:55:59 sveta pppd[4138]: Plugin passwordfd.so loaded.
Sep 2 08:55:59 sveta pppd[4138]: Can't open options file /etc/ppp/options.l2tpd.lns: No such file or directory
Sep 2 08:55:59 sveta xl2tpd[4128]: child_handler : pppd exited for call [Available On Request] with code 2
Sep 2 08:55:59 sveta xl2tpd[4128]: call_close: Call [Available On Request] to 17.11.7.5 disconnected
Sep 2 08:55:59 sveta xl2tpd[4128]: Terminating pppd: sending TERM signal to pid 4138
Sep 2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request]
(ref=0/0)
Sep 2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request]
(ref=0/0)
Sep 2 08:55:59 sveta xl2tpd[4128]: check_control: Received out of order control packet on tunnel [Available On Request] (got 3, expected 4)
Sep 2 08:55:59 sveta xl2tpd[4128]: handle_packet: bad control packet!
Sep 2 08:55:59 sveta charon: 13[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (68 bytes)
Sep 2 08:55:59 sveta charon: 13[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
Sep 2 08:55:59 sveta charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI ca6241bf
Sep 2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] ===
17.11.7.5/32[udp/l2tp]
Sep 2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] ===
17.11.7.5/32[udp/l2tp]
Sep 2 08:55:59 sveta charon: 08[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
Sep 2 08:55:59 sveta charon: 08[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
Sep 2 08:55:59 sveta charon: 08[IKE] received DELETE for IKE_SA VPN.OFFICE.COM[1]
Sep 2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Sep 2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Sep 2 08:56:21 sveta kernel: [ 387.050043] device bond0 entered promiscuous mode
Sep 2 08:56:41 sveta kernel: [ 406.710209] device bond0 left promiscuous mode
Sep 2 08:56:51 sveta kernel: [ 417.080010] device bond0 entered promiscuous mode
Sep 2 08:57:04 sveta xl2tpd[4128]: Maximum retries exceeded for tunnel [Available On Request]. Closing.
Sep 2 08:57:04 sveta xl2tpd[4128]: Connection [Available On Request] closed to 17.11.7.5, port 1701 (Timeout)
Sep 2 08:57:09 sveta xl2tpd[4128]: Unable to deliver closing message for tunnel [Available On Request]. Destroying anyway.
Sep 2 08:57:11 sveta kernel: [ 436.160583] device bond0 left promiscuous mode
Sep 2 08:57:15 sveta kernel: [ 441.038056] device bond0 entered promiscuous mode
Sep 2 08:57:21 sveta kernel: [ 446.590475] device bond0 left promiscuous mode
Sep 2 08:57:36 sveta kernel: [ 461.822270] device bond0 entered promiscuous mode
Sep 2 08:57:54 sveta kernel: [ 479.973547] device bond0 left promiscuous mode
Sep 2 08:58:06 sveta kernel: [ 491.341755] device bond0 entered promiscuous mode
Sep 2 08:58:13 sveta kernel: [ 498.971002] device bond0 left promiscuous mode
|
|
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Tue Sep 02, 2014 5:01 pm Post subject: |
|
|
We're making progress. According to the log, it seeing the l2tp server on the other end. That means the ipsec is up and configurated properly, and traffic is flowing across it..Now the problem is pppd. pppd is getting some extraneous options from somewhere. Namely, the nonexistent "/etc/ppp/options.l2tpd.lns" is causing pppd to exit. However it shouldn't even be looking for that.
Very little configuration should be needed on the l2tp side,, but there may be one tweak we need:
| Code: |
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = your-login-username
|
Some Cisco access concentrators need the "name" thing, but normally, its not needed. However, adding it won't hurt. Everything else in /etc/xl2tpd/xl2tpd.conf should be gone or commented out. |
|
| Back to top |
|
|
Duco Ergo Sum
Apprentice
Joined: 06 Dec 2005
Posts: 154
Location: Winsford
|
| Posted: Wed Sep 03, 2014 12:41 am Post subject: |
|
|
I discovered a typo in the /etc/ppp/options.xl2tpd.client path namely the missing 'x'. Also I have added the user name as you have advised and no joy.
| Code: |
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.[b]x[/b]l2tpd.client
name = Uname
|
pppoptfile = /etc/ppp/options.xl2tpd.client
| Code: |
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock
|
Using a sparse xl2tpd.conf no comments just the config we need the following log entry is produced.
| Code: |
Sep 3 01:28:26 sveta xl2tpd[4750]: setsockopt recvref[30]: Protocol not available
Sep 3 01:28:26 sveta xl2tpd[4750]: Using l2tp kernel support.
Sep 3 01:28:26 sveta xl2tpd[4752]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4752
Sep 3 01:28:26 sveta xl2tpd[4752]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 3 01:28:26 sveta xl2tpd[4752]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 3 01:28:26 sveta xl2tpd[4752]: Inherited by Jeff McAdams, (C) 2002
Sep 3 01:28:26 sveta xl2tpd[4752]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 3 01:28:26 sveta xl2tpd[4752]: Listening on IP address 0.0.0.0, port 1701
Sep 3 01:28:30 sveta xl2tpd[4752]: Connecting to host vpn.office.com, port 1701
Sep 3 01:28:35 sveta xl2tpd[4752]: Maximum retries exceeded for tunnel 41. Closing.
Sep 3 01:28:35 sveta xl2tpd[4752]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
Sep 3 01:28:35 sveta kernel: [ 5494.780053] device eno1 entered promiscuous mode
Sep 3 01:28:39 sveta kernel: [ 5498.420761] device eno1 left promiscuous mode
Sep 3 01:28:40 sveta xl2tpd[4752]: Unable to deliver closing message for tunnel 41. Destroying anyway.
|
I have even tried swapping the [lac vpnclien]' for [lac VPN.OFFICE.COM], it only served to prove that the config is read at the start up of xl2ptd. |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 530
|
| Posted: Wed Sep 03, 2014 12:58 am Post subject: |
|
|
The name used for the lac isn't important. Its not seeing the l2tp server again. Be sure the strongSwan connection is up, and try again. If it still won'r work, stop strongswan and xl2tp, in another windows do a "ip xfrm monitor", starts strongswan and xl2tpd. Connect via strongSwan and the window "ip xfrm monitor" should display some stuff. Make a connection with xl2tpd-connect and more stuff will appear in the other window (warning: this command outputs the secrets keys for the ipsec connection. The real keys have been replaced with 0's)
Something like this:
| Code: |
Updated src 192.168.10.108 dst 192.168.10.17
proto esp spi 0xc3e3e289 reqid 4 mode transport
replay-window 32
auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
enc cbc(aes) 0x0000000000000000000000000000000
sel src 192.168.10.108/32 dst 192.168.10.17/32
src 192.168.10.17 dst 192.168.10.108
proto esp spi 0xcdfbb1d9 reqid 4 mode transport
replay-window 32
auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
enc cbc(aes) 0x0000000000000000000000000000000
sel src 192.168.10.17/32 dst 192.168.10.108/32
src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
dir out action block priority 7936 ptype main
src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
dir in action block priority 7936 ptype main
Updated src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
dir out priority 1792 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 4 mode transport
Updated src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
dir in priority 1792 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 4 mode transport
Async event (0x20) timer expired
src 192.168.10.108 dst 192.168.10.17 reqid 0x4 protocol esp SPI 0xc3e3e289
Async event (0x20) timer expired
src 192.168.10.108 dst 192.168.10.17 reqid 0x4 protocol esp SPI 0xc3e3e289
Async event (0x20) timer expired
src 192.168.10.108 dst 192.168.10.17 reqid 0x4 protocol esp SPI 0xc3e3e289
Async event (0x20) timer expired
src 192.168.10.17 dst 192.168.10.108 reqid 0x4 protocol esp SPI 0xcdfbb1d9
Async event (0x10) replay update
src 192.168.10.17 dst 192.168.10.108 reqid 0x4 protocol esp SPI 0xcdfbb1d9
Async event (0x10) replay update
src 192.168.10.108 dst 192.168.10.17 reqid 0x4 protocol esp SPI 0xc3e3e289
Async event (0x10) replay update
src 192.168.10.17 dst 192.168.10.108 reqid 0x4 protocol esp SPI 0xcdfbb1d9
Async event (0x10) replay update
src 192.168.10.108 dst 192.168.10.17 reqid 0x4 protocol esp SPI 0xc3e3e289
Async event (0x10) replay update
src 192.168.10.17 dst 192.168.10.108 reqid 0x4 protocol esp SPI 0xcdfbb1d9
Async event (0x10) replay update
src 192.168.10.108 dst 192.168.10.17 reqid 0x4 protocol esp SPI 0xc3e3e289
Async event (0x10) replay update
src 192.168.10.108 dst 192.168.10.17 reqid 0x4 protocol esp SPI 0xc3e3e289
....
|
|
|
| Back to top |
|
|
|
Networking & Security
