Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
VPN Client not connecting [SOLVED]
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4, 5  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Mon Aug 18, 2014 8:56 am    Post subject: VPN Client not connecting [SOLVED] Reply with quote

Hi there,

For the past week and a bit I have been trying to connect to my office VPN, without success. The instructions for connecting assume the client is a Windows 7 system.

The vpn is "IPSec (L2TP/IPSEC)" using a Pre-Shared Key.

For the purpose of this post I will use faux details and values:

gateway: vpn.office.com
PSK: vpn-office-com
username: your-login-username
password: your-login-password
domain (optional): office-name

What I have tried so far, includes:

compiled every IPSEC kernel module -> No appreciable difference.

KVPN -> Gives an error racoon config error and then a long list of other debug info which as it is security related I don't want post indiscriminately.

VPNC -> reports "No responce from target"
Cisco and regular UPD
I have tried setting various ports to use, 47, 50, 51, 443, 500, 1701, 1723, 10000

Strongswan -> the demon starts but I cannot find evidence of a connection
ipsec.conf and ipsec.secret configured for the above details respectively.


I can only guess that this isn't a firewall issue as a colleague who already connects to the vpn can only do so using a virtual machine running Windows 7. My colleague says this is because of
firewall and routing issues from his Linux desktop. My assertion being that the virtual machines has to pass through the host and any other firewall in his network.

Please help...


Last edited by Duco Ergo Sum on Tue Oct 14, 2014 12:11 am; edited 1 time in total
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Tue Aug 19, 2014 8:56 pm    Post subject: Reply with quote

I wrote a Gentoo wiki article covering setting up the server side of it: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server . Because all the protocols (ipsec, lt2p and pppd) are peer-to-peer, configuring it on the client side has a lot of similarities.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Thu Aug 21, 2014 7:59 am    Post subject: Reply with quote

Thank you.

I think what I need is the "Ipsec ID" (group id/name) parameter. I have a working Windows system now so I'll interrogate that.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Mon Aug 25, 2014 10:20 pm    Post subject: Reply with quote

This is really frustrating.

I now have:

  • VPNC which times out without much indication of anything happening.
  • StrongSwan which starts but I don't see any sign of a VPN nor have I found a way to test it.
  • OpenL2TP which I've had to install an overlay (booboo) to get. This doesn't seem to be able to initiate sessions, tunnel id not found, while tunnel show - shows the tunnel I configured.
  • NetworkManager seems to allow a sub-set of functionality in its configuration of different sub-systems but it protests that its unable to find an agent when I try to start a session.


Additionally, I've experimented with Windows. The initial setup is tricky but the VPN works. No additional information needed. With security in mind I'm sure, they've hidden the config details from prying eyes thus thwarting my plan to find the IP Sec ID there.

I am beginning to question if it this is a propriety MS VPN implementation or could my system be just missing one little screw somewhere?

I have read the IPsec L2TP VPN server wiki page and attempted to adapt its wisdom to my needs but unfortunately unsuccessfully.

Please tell me how I can test a VPN connection, just to see if it exists?


--
You know you really need help when the voices tell you that you're becoming obsessed!
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Wed Aug 27, 2014 3:39 am    Post subject: Reply with quote

The first, and most dificult layer, is the ipsec layer. Here's a simple config file you can adapt. AS the wiki page show, uncomment the "include" line at the very bottom of /etc/ipsec.conf and create a /etc/ipsec.d/office.vpn.com.conf with content similar to the following:
Code:

conn vpnclient
        type=transport
        authby=secret
        pfs=no
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add


Don't forgot to create a /etc/ipsec.d/office.vpn.com.secret file too:
Code:

vpn.office.com %any : PSK "vpn-office-com"


Then start the ipsec service, and bring up your connection with "ipsec auto --up vpnclient" If you get a line in the log similar to "STATE_QUICK_I2: Sent QI2, IPsec SA established...." then you have ipsec connectivity.

ipsec is the hard part. Once you've got that, the l2tp tunnel is much simpler.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Thu Aug 28, 2014 12:48 am    Post subject: Reply with quote

Hi Salahx,

Thanks for again answering, I am very grateful.

The command 'ipsec up vpnclient' has been most illustrative. StrongSwan doesn't get a response from the office network either.

Code:

initiating IKE_SA vpn.office.com[1] to 17.11.7.5
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 1 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 2 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 3 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA

[  ...  ]

giving up after 5 retransmits


So now both VPNC and StrongSwan time out.

Food for thought.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Thu Aug 28, 2014 6:53 am    Post subject: Reply with quote

Its seeing SOMETHING on the other side, its just having trouble negotiating with it. It appears its trying to negoitate an IKEv2 connection, but we want IKEv1.

So lets tweak the config a bit:
Code:

conn vpnclient
        keyexchange=ikev1
        type=transport
        authby=secret
        pfs=no
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Thu Aug 28, 2014 8:49 am    Post subject: Reply with quote

Thanks.

We're making progress, new response message:

Code:

ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (220 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (160 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed


My installed version of StrongSwan does not support the
Code:
psf=no
key word. Therefore this is what my config looks like at the moment:

Code:

conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        esp=des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Thu Aug 28, 2014 9:12 am    Post subject: Reply with quote

Looking in Windows

Control Panel - Administrative Tools - Windows Firewall with Advanced Security - Windows Firewall Properites (IPsec Settings) - Customize IPsec Defaults (Key exchange (Main Mode) - Advanced [Customize]) - Customize Advanced Key Exchange Settings

Code:

Security methods:
Integrity       Encryption          Key exchange algorithm
SHA-1          AES-CBC 128     Diffie-Hellman Group 2 (default)
SHA-1          3DES                 Diffie-Hellman Group 2


I'm off to work now but will experiment with these values when I get back.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Thu Aug 28, 2014 4:14 pm    Post subject: Reply with quote

Its "pfs=no" not "psf=no". It doesn't matter anyway because the command is ignored under strongSwan and "no" is the default. You shouldn't need the "esp=des-sha1-modp1024" as it should choose the correct method during proposition process. In fact that will negotate PFS which is NOT what you want - Microsoft's IKEv1 daemon doesn't support PFS.

Note that Windows has TWO implementations of ipsec: the IKEv1 one used for l2tp tunnel, and and IKEv2 one which is controlled via the ipsec snap-in. The windows Firewall and other ipsec settings refer to the latter, but we want to use the former.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Fri Aug 29, 2014 12:04 am    Post subject: Reply with quote

Apologies, "psf" was a typo.

However, now mater how I try to configure the pfs option, I get the same result.

Code:

parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]                                                                   
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Fri Aug 29, 2014 12:14 am    Post subject: Reply with quote

pfs option is ignored in strongSwan anyway. But that "esp" line has to be removed, because i know its wrong. If the server STILL won't accept any proposals offered by strongswan, even without the "esp" line there an "ike-scan" package in portage that should give some information on what proposals the gateway will accept.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Fri Aug 29, 2014 8:45 am    Post subject: Reply with quote

Hi,

I have used IKE-Scan which prompted me to change my Config as below and this has generated the follow information.

ike-scan output
Code:

ike-scan --verbose vpn.office.com
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
17.11.7.5  Main Mode Handshake returned HDR=(CKY-R=[Available On Request]) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=[Available On Request] (IKE Fragmentation)

Ending ike-scan 1.9: 1 hosts scanned in 0.037 seconds (27.14 hosts/sec).  1 returned handshake; 0 returned notify



New Config
Code:

conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add


ipsec output
Code:

ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
establishing connection 'vpn.office.com' failed



Charon Log
Code:

Aug 29 09:14:39 sveta charon: 02[CFG] received stroke: initiate 'vpn.office.com'
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
Aug 29 09:14:39 sveta charon: 13[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
Aug 29 09:14:39 sveta charon: 06[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
Aug 29 09:14:39 sveta charon: 06[ENC] parsed ID_PROT response 0 [ SA V V ]
Aug 29 09:14:39 sveta charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 29 09:14:39 sveta charon: 06[IKE] received FRAGMENTATION vendor ID
Aug 29 09:14:39 sveta charon: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 29 09:14:39 sveta charon: 06[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
Aug 29 09:14:40 sveta charon: 05[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
Aug 29 09:14:40 sveta charon: 05[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Aug 29 09:14:40 sveta charon: 05[IKE] received Cisco Unity vendor ID
Aug 29 09:14:40 sveta charon: 05[IKE] received XAuth vendor ID
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
Aug 29 09:14:40 sveta charon: 05[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Fri Aug 29, 2014 3:12 pm    Post subject: Reply with quote

OK now its accepting the proposal but its having problem with the PSK. It probably has to do with how the VPN server is ideifying itself. So lets change the secrets file to
Code:
 : PSK "vpn-office-com"

This will make strongSwan use the key for all connections.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Fri Aug 29, 2014 9:51 pm    Post subject: Reply with quote

Awesome! Thank you!

Code:

ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
generating INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
connection 'vpn.office.com' established successfully


I have pinged my office PC and did not get any returned packets. I haven't attempted to set up the L2TP layer yet but your guide says that is comparatively easy.

These lines though do worry me:

Code:

IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Fri Aug 29, 2014 11:03 pm    Post subject: Reply with quote

Were almost there, but were not there yet. This goes back with "how the server is identifty itself" problem with the PSK: Instead of identify itself via its name (vpn.example.com), it does so by its IP address (17.11.7.5).

We just need to make one tweak:
Code:

conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        rightid=17.11.7.5
        auto=add


Or failing that, change the value of "right=" from "vpn.office.com" to "17.11.7.5" instead. Note you still can't do anything with the connection yet, as only L2TP packets will be passed across the ipsec link (thus you cannot ping anything across the link).
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sat Aug 30, 2014 5:21 pm    Post subject: Reply with quote

Perfect, next step L2TP!

Code:

ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5                                                 
generating ID_PROT request 0 [ SA V V V V ]                                                                       
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)                                             
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)                                             
parsed ID_PROT response 0 [ SA V V ]                                                                               
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID                                                                 
received FRAGMENTATION vendor ID                                                                                   
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]                                                                 
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)                                             
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)                                             
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]                                                           
received Cisco Unity vendor ID                                                                                     
received XAuth vendor ID                                                                                           
received unknown vendor ID: [Available On Request]                                       
received unknown vendor ID: [Available On Request]                                       
local host is behind NAT, sending keep alives                                                                     
generating ID_PROT request 0 [ ID HASH ]                                                                           
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)                                             
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)                                           
parsed ID_PROT response 0 [ ID HASH V ]                                                                           
received DPD vendor ID                                                                                             
IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]               
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]                                       
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)                                           
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)                                           
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]                                       
received 28800s lifetime, configured 0s                                                                           
CHILD_SA vpn.office.com{1} established with SPIs [Available On Request] [Available On Request] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]                                                   
                                           
connection 'vpn.office.com' established successfully


Thank you. I expect as soon as I try L2TP I'll be back here confused as ever. Either way, I'll report back.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sat Aug 30, 2014 10:04 pm    Post subject: Reply with quote

I thought this might happen.

/etc/xl2tp/xl2tpd.conf
Code:

[global]                                                                ; Global parameters:
port = 1701                                                     ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets   ; * Where our challenge secrets are
access control = no                                     ; * Refuse connections without IP match
; rand source = dev                     ; Source for entropy for random
;                                       ; numbers, options are:
;                                       ; dev - reads of /dev/urandom
;                                       ; sys - uses rand()
;                                       ; egd - reads from egd socket
;                                       ; egd is not yet implemented
;
[lns default]                                                   ; Our fallthrough LNS definition
; ip range = 192.168.0.1-192.168.0.20   ; * Allocate from this IP range
; ip range = lac1-lac2                                  ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8               ; * These can connect as LAC's
; no lac = untrusted.marko.net                  ; * This guy can't connect
; hidden bit = no                                               ; * Use hidden AVP's?
local ip = 1.2.3.4                             ; * Our local IP to use
; refuse authentication = no                    ; * Refuse authentication altogether
require authentication = yes                    ; * Require peer to authenticate
unix authentication = no                                ; * Use /etc/passwd for auth.
name = vpn.office.com                                                ; * Report this as our hostname
pppoptfile = /etc/ppp/options.l2tpd         ; * ppp options file



/etc/ppp/options.l2tpd
Code:

noccp
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent


I started xl2tpd with: /etc/init.d/xl2tpd start

Then nothing, I'm sure I'm missing something this is a client after all and your instructions are for a server. So close!
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Sun Aug 31, 2014 8:46 am    Post subject: Reply with quote

Configuring an l2tp the client is a different that the server - thakfully client side is even easier:

The /etc/xl2tpd/xl2tpd.conf is even simpler then the server one:
Code:

[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client


You may not need the /etc/ppp/options.xl2tpd.client file (in which case comment that line out), but if you do, here's one that should work:
Code:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock
#debug


Start up the xl2tpd service, then initiate a connection:
Code:
xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password


Note TWO backslashes (the OFFICE-NAME\\ part may be optinal)

xl2tpd may fail with " open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading". If you run across this, just do a "mkdir /var/run/xl2tpd"

Note that xl2tpd-control will always just return "00 OK", to actually see if it works, you need to check the system logs.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sun Aug 31, 2014 11:58 pm    Post subject: Reply with quote

Hi,

I have now tried a number of variations on a theme. Mostly where vpn.office.com could mean the url vpn.office.com or the ipsec connection name VPN.OFFICE.COM, capitalise to emphasis the distinciton
of these two roles. Also with and without OFFICE-NAME\\login-name login-password and in combination with including excluding options.xl2tpd.client.


/etc/xl2tpd/xl2tpd.conf
Code:

[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client




/etc/ppp/options.xl2tpd.client
Code:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock




Code:

xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password



Code:

Sep  1 00:39:58 sveta xl2tpd[4845]: Connecting to host vpn.office.com, port 1701
Sep  1 00:40:01 sveta cron[4865]: (OhCaptian) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Sep  1 00:40:03 sveta xl2tpd[4845]: Maximum retries exceeded for tunnel 16278.  Closing.
Sep  1 00:40:03 sveta xl2tpd[4845]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
Sep  1 00:40:08 sveta xl2tpd[4845]: Unable to deliver closing message for tunnel 16278. Destroying anyway.



If I get the opportunity, I will be more methodical in the morning.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Mon Sep 01, 2014 4:02 am    Post subject: Reply with quote

xl2tpd and strongswan are unconnect, thus the "lns" value in the LAC section is just the server's domain name or IP address. In this case though, its not seeing the L2TP LNS (server) on the other side . This usually means the ipsec tunnel is down. Check and restart the tunnel if needed.

To see if data is going over the tunnel:
Code:
tcpdump proto 50
You won't see anything cross the tunnel until xl2tpd-connect is started. You should see packets going in both directions. If not, either the tunnel is down, strongSwan is configured wrong or something (like a local firewall) is getting in the way.
In contrast, no l2tp packets should seen in the clear:
Code:
tcpdump udp port 1701
This command should produce NO output when xl2tpd-connect is invoked. If it does either the tunnel is down, or strongSwan is configured wrong.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Tue Sep 02, 2014 9:09 am    Post subject: Reply with quote

Hi,

I have tried variety configurations of xl2tp. Just to add to the confusion my mobo has two lan ports and wifi, I fear now this feature is coming back to confuse me and my set-up. 'eno1' is the lan port which is would be eth0 and is currently the only operational network connection in this machine.

It appears that tcpdump is looking at 'bond0' and then not finding anything. Could xl2tp be doing the same?

tcpdump -i eno1 produces the same output as below.


Make connection
Code:

# xl2tpd-control connect vpnclient vpn.office.com\\Uname Upassword
00 OK



Test proto 50
Code:

# tcpdump proto 50
tcpdump: WARNING: bond0: no IPv4 address assigned
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel



Test udp port 1701
Code:

# tcpdump udp port 1701
tcpdump: WARNING: bond0: no IPv4 address assigned
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel



Some network devices
Code:

# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether ce:71:b2:5a:c2:1d  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fd00::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 14060  bytes 14971920 (14.2 MiB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 10353  bytes 1465328 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory #x########-########
 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 40  bytes 16841 (16.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 16841 (16.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



Log
Code:

Sep  2 08:55:31 sveta xl2tpd[4128]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4128
Sep  2 08:55:31 sveta xl2tpd[4128]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep  2 08:55:31 sveta xl2tpd[4128]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep  2 08:55:31 sveta xl2tpd[4128]: Inherited by Jeff McAdams, (C) 2002
Sep  2 08:55:31 sveta xl2tpd[4128]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep  2 08:55:31 sveta xl2tpd[4128]: Listening on IP address 0.0.0.0, port 1701
Sep  2 08:55:37 sveta charon: 09[IKE] sending keep alive to 17.11.7.5[4500]
Sep  2 08:55:49 sveta charon: 10[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
Sep  2 08:55:49 sveta charon: 10[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD) ]
Sep  2 08:55:49 sveta charon: 10[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD_ACK) ]
Sep  2 08:55:49 sveta charon: 10[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (92 bytes)
Sep  2 08:55:59 sveta xl2tpd[4128]: Connecting to host vpn.office.com, port 1701
Sep  2 08:55:59 sveta xl2tpd[4128]: Connection established to 17.11.7.5, 1701.  Local: [Available On Request], Remote: [Available On Request] (ref=0/0).
Sep  2 08:55:59 sveta xl2tpd[4128]: Calling on tunnel [Available On Request]
Sep  2 08:55:59 sveta xl2tpd[4128]: Call established with 17.11.7.5, Local: [Available On Request], Remote: [Available On Request], Serial: 1 (ref=0/0)
Sep  2 08:55:59 sveta xl2tpd[4128]: start_pppd: I'm running:
Sep  2 08:55:59 sveta xl2tpd[4128]: "/usr/sbin/pppd"
Sep  2 08:55:59 sveta xl2tpd[4128]: "passive"
Sep  2 08:55:59 sveta xl2tpd[4128]: "nodetach"
Sep  2 08:55:59 sveta xl2tpd[4128]: ":"
Sep  2 08:55:59 sveta xl2tpd[4128]: "name"
Sep  2 08:55:59 sveta xl2tpd[4128]: "vpn.office.com\Uname"
Sep  2 08:55:59 sveta xl2tpd[4128]: "plugin"
Sep  2 08:55:59 sveta xl2tpd[4128]: "passwordfd.so"
Sep  2 08:55:59 sveta xl2tpd[4128]: "passwordfd"
Sep  2 08:55:59 sveta xl2tpd[4128]: "8"
Sep  2 08:55:59 sveta xl2tpd[4128]: "file"
Sep  2 08:55:59 sveta xl2tpd[4128]: "/etc/ppp/options.l2tpd.lns"
Sep  2 08:55:59 sveta xl2tpd[4128]: "ipparam"
Sep  2 08:55:59 sveta xl2tpd[4128]: "17.11.7.5"
Sep  2 08:55:59 sveta xl2tpd[4128]: "plugin"
Sep  2 08:55:59 sveta xl2tpd[4128]: "pppol2tp.so"
Sep  2 08:55:59 sveta xl2tpd[4128]: "pppol2tp"
Sep  2 08:55:59 sveta xl2tpd[4128]: "9"
Sep  2 08:55:59 sveta pppd[4138]: Plugin passwordfd.so loaded.
Sep  2 08:55:59 sveta pppd[4138]: Can't open options file /etc/ppp/options.l2tpd.lns: No such file or directory
Sep  2 08:55:59 sveta xl2tpd[4128]: child_handler : pppd exited for call [Available On Request] with code 2
Sep  2 08:55:59 sveta xl2tpd[4128]: call_close: Call [Available On Request] to 17.11.7.5 disconnected
Sep  2 08:55:59 sveta xl2tpd[4128]: Terminating pppd: sending TERM signal to pid 4138
Sep  2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request]
 (ref=0/0)
Sep  2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request]
 (ref=0/0)
Sep  2 08:55:59 sveta xl2tpd[4128]: check_control: Received out of order control packet on tunnel [Available On Request] (got 3, expected 4)
Sep  2 08:55:59 sveta xl2tpd[4128]: handle_packet: bad control packet!
Sep  2 08:55:59 sveta charon: 13[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (68 bytes)
Sep  2 08:55:59 sveta charon: 13[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
Sep  2 08:55:59 sveta charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI ca6241bf
Sep  2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] ===
17.11.7.5/32[udp/l2tp]
Sep  2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] ===
17.11.7.5/32[udp/l2tp]
Sep  2 08:55:59 sveta charon: 08[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
Sep  2 08:55:59 sveta charon: 08[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
Sep  2 08:55:59 sveta charon: 08[IKE] received DELETE for IKE_SA VPN.OFFICE.COM[1]
Sep  2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Sep  2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Sep  2 08:56:21 sveta kernel: [  387.050043] device bond0 entered promiscuous mode
Sep  2 08:56:41 sveta kernel: [  406.710209] device bond0 left promiscuous mode
Sep  2 08:56:51 sveta kernel: [  417.080010] device bond0 entered promiscuous mode
Sep  2 08:57:04 sveta xl2tpd[4128]: Maximum retries exceeded for tunnel [Available On Request].  Closing.
Sep  2 08:57:04 sveta xl2tpd[4128]: Connection [Available On Request] closed to 17.11.7.5, port 1701 (Timeout)
Sep  2 08:57:09 sveta xl2tpd[4128]: Unable to deliver closing message for tunnel [Available On Request]. Destroying anyway.
Sep  2 08:57:11 sveta kernel: [  436.160583] device bond0 left promiscuous mode
Sep  2 08:57:15 sveta kernel: [  441.038056] device bond0 entered promiscuous mode
Sep  2 08:57:21 sveta kernel: [  446.590475] device bond0 left promiscuous mode
Sep  2 08:57:36 sveta kernel: [  461.822270] device bond0 entered promiscuous mode
Sep  2 08:57:54 sveta kernel: [  479.973547] device bond0 left promiscuous mode
Sep  2 08:58:06 sveta kernel: [  491.341755] device bond0 entered promiscuous mode
Sep  2 08:58:13 sveta kernel: [  498.971002] device bond0 left promiscuous mode
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Tue Sep 02, 2014 5:01 pm    Post subject: Reply with quote

We're making progress. According to the log, it seeing the l2tp server on the other end. That means the ipsec is up and configurated properly, and traffic is flowing across it..Now the problem is pppd. pppd is getting some extraneous options from somewhere. Namely, the nonexistent "/etc/ppp/options.l2tpd.lns" is causing pppd to exit. However it shouldn't even be looking for that.

Very little configuration should be needed on the l2tp side,, but there may be one tweak we need:
Code:

[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = your-login-username


Some Cisco access concentrators need the "name" thing, but normally, its not needed. However, adding it won't hurt. Everything else in /etc/xl2tpd/xl2tpd.conf should be gone or commented out.
Back to top
View user's profile Send private message
Duco Ergo Sum
Apprentice
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Wed Sep 03, 2014 12:41 am    Post subject: Reply with quote

I discovered a typo in the /etc/ppp/options.xl2tpd.client path namely the missing 'x'. Also I have added the user name as you have advised and no joy.


Code:

[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.[b]x[/b]l2tpd.client
name = Uname



pppoptfile = /etc/ppp/options.xl2tpd.client
Code:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock


Using a sparse xl2tpd.conf no comments just the config we need the following log entry is produced.

Code:

Sep  3 01:28:26 sveta xl2tpd[4750]: setsockopt recvref[30]: Protocol not available
Sep  3 01:28:26 sveta xl2tpd[4750]: Using l2tp kernel support.
Sep  3 01:28:26 sveta xl2tpd[4752]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4752
Sep  3 01:28:26 sveta xl2tpd[4752]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep  3 01:28:26 sveta xl2tpd[4752]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep  3 01:28:26 sveta xl2tpd[4752]: Inherited by Jeff McAdams, (C) 2002
Sep  3 01:28:26 sveta xl2tpd[4752]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep  3 01:28:26 sveta xl2tpd[4752]: Listening on IP address 0.0.0.0, port 1701
Sep  3 01:28:30 sveta xl2tpd[4752]: Connecting to host vpn.office.com, port 1701
Sep  3 01:28:35 sveta xl2tpd[4752]: Maximum retries exceeded for tunnel 41.  Closing.
Sep  3 01:28:35 sveta xl2tpd[4752]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
Sep  3 01:28:35 sveta kernel: [ 5494.780053] device eno1 entered promiscuous mode
Sep  3 01:28:39 sveta kernel: [ 5498.420761] device eno1 left promiscuous mode
Sep  3 01:28:40 sveta xl2tpd[4752]: Unable to deliver closing message for tunnel 41. Destroying anyway.


I have even tried swapping the [lac vpnclien]' for [lac VPN.OFFICE.COM], it only served to prove that the config is read at the start up of xl2ptd.
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 437

PostPosted: Wed Sep 03, 2014 12:58 am    Post subject: Reply with quote

The name used for the lac isn't important. Its not seeing the l2tp server again. Be sure the strongSwan connection is up, and try again. If it still won'r work, stop strongswan and xl2tp, in another windows do a "ip xfrm monitor", starts strongswan and xl2tpd. Connect via strongSwan and the window "ip xfrm monitor" should display some stuff. Make a connection with xl2tpd-connect and more stuff will appear in the other window (warning: this command outputs the secrets keys for the ipsec connection. The real keys have been replaced with 0's)

Something like this:
Code:

Updated src 192.168.10.108 dst 192.168.10.17
   proto esp spi 0xc3e3e289 reqid 4 mode transport
   replay-window 32
   auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
   enc cbc(aes) 0x0000000000000000000000000000000
   sel src 192.168.10.108/32 dst 192.168.10.17/32
src 192.168.10.17 dst 192.168.10.108
   proto esp spi 0xcdfbb1d9 reqid 4 mode transport
   replay-window 32
   auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
   enc cbc(aes) 0x0000000000000000000000000000000
   sel src 192.168.10.17/32 dst 192.168.10.108/32
src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
   dir out action block priority 7936 ptype main
src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
   dir in action block priority 7936 ptype main
Updated src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
   dir out priority 1792 ptype main
   tmpl src 0.0.0.0 dst 0.0.0.0
      proto esp reqid 4 mode transport
Updated src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
   dir in priority 1792 ptype main
   tmpl src 0.0.0.0 dst 0.0.0.0
      proto esp reqid 4 mode transport
Async event  (0x20)  timer expired
   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x20)  timer expired
   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x20)  timer expired
   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x20)  timer expired
   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x10)  replay update
   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x10)  replay update
   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x10)  replay update
   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
....
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2, 3, 4, 5  Next
Page 1 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum