Gentoo Forums
VPN Client not connecting [SOLVED]
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Sat Sep 06, 2014 8:48 pm

Well, I'm stymied. I have upgraded xl2tpd to 1.3.6 and still no change. I must thank you for all your help. Sadly I'm going to have to take this machine offline for a while. I'm not sure for how long; I hope to get back online and working on this soon. So close but so far!

Again, thank you, and I'll be back here as soon as I can. I see myself living without a PC for long... not happily anyway.

All the best.
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Mon Sep 22, 2014 1:05 am

Hi,

I have my PC back.

Prior to my hiatus, I suspect that I may have been the architect of my PPP problems. Once we got IPsec working, I thought it'd be a good idea to set iptables rules to block all l2tp connections outside the IPsec layer, and thus used:

Code:

root # iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
root # iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
root # iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
root # iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable


Certainly, it looks like something is blocking traffic over the PPP connection. My guess is that the firewall closes the connection after a period of disuse.

Code:

# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether f2:ef:56:31:d0:d6  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 11959  bytes 13352142 (12.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10046  bytes 1272844 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory #x########-########

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  memory #x########-######## 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 40  bytes 16841 (16.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 16841 (16.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 34 (34.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 40 (40.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# ping 3.5.8.13
PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.
^C
--- 3.5.8.13 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms

# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether f2:ef:56:31:d0:d6  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 11968  bytes 13352958 (12.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10063  bytes 1274476 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory #x########-########

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  memory #x########-######## 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 40  bytes 16841 (16.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 16841 (16.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 34 (34.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 8917 (8.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Yet, there appear to be no rules set:

Code:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


This assertion is corroborated by:

Code:

# iptables -t filter -C INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables -t filter -C INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables: No chain/target/match by that name.
# iptables -t filter -C OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables -t filter -C OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables: No chain/target/match by that name.
salahx
Guru


Joined: 12 Mar 2005
Posts: 437

Posted: Mon Sep 22, 2014 7:42 am

Strange because my iptables rules work (both client and server):
Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec udp dpt:1701
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec udp spt:1701
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:1701 reject-with icmp-port-unreachable


But I don't think the firewall has anything to do with it; otherwise no l2tp packets would pass at all, and we'd never reach the ppp phase. My best guess is the ppp interface is being misconfigured somehow, conflicting with another interface/route (since my machine has the same behavior when that happens). I'm guessing it's a routing issue. I do see the ppp packet count increasing after you ping, so that's a good sign.

One thing to try is "ip route" to print out the routing table. It should have a line like this:
Code:

10.137.219.1 dev ppp0  proto kernel  scope link  src 172.21.118.2

In my test, 10.137.219.1 was the other end of the ppp connection, and 172.21.118.2 was the IP assigned by the server.
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Mon Sep 22, 2014 8:36 am

Thanks,

Code:

# ip route
default via 10.1.1.### dev eno1  proto static                                                                     
default via 10.1.1.### dev eno1  metric 7                                                                         
10.1.1.###/24 dev eno1  proto kernel  scope link  src 1.2.3.4  metric 1                                             
17.11.7.5 dev ppp0  proto kernel  scope link  src 125.64.27.8                                                 
127.0.0.0/8 dev lo  scope host                                                                                     
127.0.0.0/8 via 127.0.0.1 dev lo


Here 17.11.7.5 is the other end of the ppp connection and 125.64.27.8 is the IP assigned by the server. The ppp line here seems to be the same as yours.
salahx
Guru


Joined: 12 Mar 2005
Posts: 437

Posted: Mon Sep 22, 2014 10:50 pm

OK, so it's not a routing problem. Since it's been a while, the latest output of xl2tpd/pppd would be helpful to determine if we're dealing with the same problem. I'll also adjust my simulation at home to make the VM I created for that have a similar network setup to yours, to see if that's what's causing it.
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Tue Sep 23, 2014 12:02 am

Hi

Thanks for persevering with me. Here is a copy of the logs and the output:


Code:

Sep 23 00:28:54 sveta xl2tpd[4113]: Connecting to host vpn.office.com, port 1701
Sep 23 00:28:54 sveta xl2tpd[4113]: Connection established to 17.11.7.5, 1701.  Local: 59263, Remote: 7959 (ref=0/0).
Sep 23 00:28:54 sveta xl2tpd[4113]: Calling on tunnel 59263
Sep 23 00:28:54 sveta xl2tpd[4113]: Call established with 17.11.7.5, Local: 15862, Remote: 7832, Serial: 1 (ref=0/0)
Sep 23 00:28:54 sveta xl2tpd[4113]: start_pppd: I'm running:
Sep 23 00:28:54 sveta xl2tpd[4113]: "/usr/sbin/pppd"
Sep 23 00:28:54 sveta xl2tpd[4113]: "passive"
Sep 23 00:28:54 sveta xl2tpd[4113]: "nodetach"
Sep 23 00:28:54 sveta xl2tpd[4113]: ":"
Sep 23 00:28:54 sveta xl2tpd[4113]: "name"
Sep 23 00:28:54 sveta xl2tpd[4113]: "user-name"
Sep 23 00:28:54 sveta xl2tpd[4113]: "debug"
Sep 23 00:28:54 sveta xl2tpd[4113]: "plugin"
Sep 23 00:28:54 sveta xl2tpd[4113]: "passwordfd.so"
Sep 23 00:28:54 sveta xl2tpd[4113]: "passwordfd"
Sep 23 00:28:54 sveta xl2tpd[4113]: "8"
Sep 23 00:28:54 sveta xl2tpd[4113]: "file"
Sep 23 00:28:54 sveta xl2tpd[4113]: "/etc/ppp/options.xl2tpd.client"
Sep 23 00:28:54 sveta xl2tpd[4113]: "plugin"
Sep 23 00:28:54 sveta xl2tpd[4113]: "pppol2tp.so"
Sep 23 00:28:54 sveta xl2tpd[4113]: "pppol2tp"
Sep 23 00:28:54 sveta xl2tpd[4113]: "9"
Sep 23 00:28:54 sveta pppd[4151]: Plugin passwordfd.so loaded.
Sep 23 00:28:54 sveta pppd[4151]: Plugin pppol2tp.so loaded.
Sep 23 00:28:54 sveta pppd[4151]: pppd 2.4.7 started by [HIDDEN], uid 0
Sep 23 00:28:54 sveta pppd[4151]: using channel 1
Sep 23 00:28:54 sveta pppd[4151]: Using interface ppp0
Sep 23 00:28:54 sveta pppd[4151]: Connect: ppp0 <-->
Sep 23 00:28:54 sveta pppd[4151]: PPPoL2TP options: debugmask 0
Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic [HIDDEN]>]
Sep 23 00:28:54 sveta NetworkManager[2671]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfReq id=0x2 <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfAck id=0x2 <magic [HIDDEN]>]
Sep 23 00:28:54 sveta pppd[4151]: PPPoL2TP options: debugmask 0
Sep 23 00:28:54 sveta pppd[4151]: rcvd [CHAP Challenge id=0x1 <[HIDDEN]>, name = ""]
Sep 23 00:28:54 sveta pppd[4151]: added response cache entry 0
Sep 23 00:28:54 sveta pppd[4151]: sent [CHAP Response id=0x1 <[HIDDEN]>, name = "user-name"]
Sep 23 00:28:56 sveta pppd[4151]: rcvd [CHAP Success id=0x1 "S=[HIDDEN]"]
Sep 23 00:28:56 sveta pppd[4151]: response found in cache (entry 0)
Sep 23 00:28:56 sveta pppd[4151]: CHAP authentication succeeded
Sep 23 00:28:56 sveta pppd[4151]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep 23 00:28:56 sveta pppd[4151]: rcvd [IPCP TermAck id=0x1]
Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfReq id=0x1 <addr 17.11.7.5>]
Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfAck id=0x1 <addr 17.11.7.5>]
Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfNak id=0x1 <addr 125.64.27.8>]
Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfReq id=0x2 <addr 125.64.27.8>]
Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfAck id=0x2 <addr 125.64.27.8>]
Sep 23 00:28:59 sveta charon: 04[KNL] 125.64.27.8 appeared on ppp0
Sep 23 00:28:59 sveta pppd[4151]: local  IP address 125.64.27.8
Sep 23 00:28:59 sveta pppd[4151]: remote IP address 17.11.7.5
Sep 23 00:28:59 sveta charon: 12[KNL] 125.64.27.8 disappeared from ppp0
Sep 23 00:28:59 sveta charon: 14[KNL] 125.64.27.8 appeared on ppp0
Sep 23 00:28:59 sveta pppd[4151]: Script /etc/ppp/ip-up started (pid 4155)
Sep 23 00:28:59 sveta charon: 10[KNL] interface ppp0 activated
Sep 23 00:28:59 sveta pppd[4151]: Script /etc/ppp/ip-up finished (pid 4155), status = 0x0
Sep 23 00:29:18 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:29:38 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:29:44 sveta su[4166]: Successful su for root by [HIDDEN]
Sep 23 00:29:44 sveta su[4166]: + /dev/pts/2 [HIDDEN]:root
Sep 23 00:29:44 sveta su[4166]: pam_unix(su:session): session opened for user root by [HIDDEN](uid=1000)
Sep 23 00:29:58 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:29:59 sveta xl2tpd[4113]: Maximum retries exceeded for tunnel 59263.  Closing.
Sep 23 00:29:59 sveta xl2tpd[4113]: Terminating pppd: sending TERM signal to pid 4151
Sep 23 00:29:59 sveta xl2tpd[4113]: Connection 7959 closed to 17.11.7.5, port 1701 (Timeout)
Sep 23 00:29:59 sveta pppd[4151]: Terminating on signal 15
Sep 23 00:29:59 sveta pppd[4151]: Connect time 1.0 minutes.
Sep 23 00:29:59 sveta pppd[4151]: Sent 81712 bytes, received 0 bytes.
Sep 23 00:29:59 sveta charon: 05[KNL] interface ppp0 deactivated
Sep 23 00:29:59 sveta charon: 07[KNL] 125.64.27.8 disappeared from ppp0
Sep 23 00:29:59 sveta pppd[4151]: Script /etc/ppp/ip-down started (pid 4177)
Sep 23 00:29:59 sveta pppd[4151]: PPPoL2TP options: debugmask 0
Sep 23 00:29:59 sveta pppd[4151]: sent [LCP TermReq id=0x3 "User request"]
Sep 23 00:29:59 sveta pppd[4151]: Script /etc/ppp/ip-down finished (pid 4177), status = 0x0
Sep 23 00:30:01 sveta cron[4179]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Sep 23 00:30:02 sveta pppd[4151]: sent [LCP TermReq id=0x4 "User request"]
Sep 23 00:30:04 sveta xl2tpd[4113]: Unable to deliver closing message for tunnel 59263. Destroying anyway.
Sep 23 00:30:05 sveta pppd[4151]: Connection terminated.
Sep 23 00:30:05 sveta charon: 04[KNL] interface ppp0 deleted
Sep 23 00:30:05 sveta avahi-daemon[2998]: Withdrawing workstation service for ppp0.
Sep 23 00:30:05 sveta pppd[4151]: Modem hangup
Sep 23 00:30:05 sveta pppd[4151]: Exit.
Sep 23 00:30:23 sveta charon: 05[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:30:43 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]


Code:

# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether 1e:42:13:cb:10:e4  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 49917  bytes 62529540 (59.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33988  bytes 3338778 (3.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory #x########-######## 

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  memory #x########-######## 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 41  bytes 16913 (16.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 16913 (16.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0                                                 
                                                                                                                   
sveta [HIDDEN] # ipsec up VPN.OFFICE.COM && xl2tpd-control connect vpnclient user-name password   
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5                                                 
generating ID_PROT request 0 [ SA V V V V ]                                                                       
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)                                             
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)                                             
parsed ID_PROT response 0 [ SA V V ]                                                                               
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID                                                                 
received FRAGMENTATION vendor ID                                                                                   
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]                                                                 
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)                                             
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)                                             
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]                                                           
received Cisco Unity vendor ID                                                                                     
received XAuth vendor ID                                                                                           
received unknown vendor ID: [HIDDEN]                                       
received unknown vendor ID: [HIDDEN]                                       
local host is behind NAT, sending keep alives                                                                     
generating ID_PROT request 0 [ ID HASH ]                                                                           
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)                                             
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)                                           
parsed ID_PROT response 0 [ ID HASH V ]                                                                           
received DPD vendor ID                                                                                             
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]               
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]                                       
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)                                           
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)                                           
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]                                       
received 28800s lifetime, configured 0s                                                                           
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]                                                                                               
generating QUICK_MODE request [HIDDEN] [ HASH ]                                                                 
connection 'VPN.OFFICE.COM' established successfully                                                           
00 OK                                                                                                             
sveta [HIDDEN] # ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500                                                         
        ether 1e:42:13:cb:10:e4  txqueuelen 0  (Ethernet)                                                         
        RX packets 0  bytes 0 (0.0 B)                                                                             
        RX errors 0  dropped 0  overruns 0  frame 0                                                               
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 49939  bytes 62532463 (59.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34010  bytes 3341695 (3.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory #x########-######## 

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  memory #x########-######## 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 41  bytes 16913 (16.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 16913 (16.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 34 (34.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 40 (40.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sveta [HIDDEN] # ping 3.5.8.13
PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.
^C
--- 3.5.8.13 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms

sveta [HIDDEN] # ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether 1e:42:13:cb:10:e4  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 49948  bytes 62533051 (59.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34023  bytes 3342919 (3.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory #x########-######## 

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  memory #x########-######## 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 41  bytes 16913 (16.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 16913 (16.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 34 (34.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 8917 (8.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Tue Sep 23, 2014 7:54 am

The only other information I can think of which might be pertinent is that my system has at least three NICs.

The first appears as eno0

The second and third are not used. One of these is Wifi.
salahx
Guru


Joined: 12 Mar 2005
Posts: 437

Posted: Tue Sep 23, 2014 8:30 am

Well, after running a few simulations, I can't get it to disconnect, even with a similar network setup. Looking at the logs, the problem appears to be at the l2tp layer - soon after the connection, the other side of the tunnel stops responding and the l2tp connection gets dropped. Since we know ipsec works and ppp seems fine, I'm beginning to think the problem here is l2tp.

There is an (undocumented) option to turn off kernel l2tp for xl2tpd:
Code:

[global]
force userspace = yes


If this doesn't work, then the next step is to try a different l2tp implementation. There are 2 others: rp-l2tp and openl2tp. The former is in portage, but dated. The latter is much newer but it's not in portage, and I've never used it. Neither is as convenient as xl2tpd.
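The layer-by-layer reasoning in the post above (IPsec up, L2TP tunnel and call established, PPP authenticated and addressed, yet the tunnel times out having received nothing) can be turned into a small log triage. This Python is an added example, not part of the thread or of xl2tpd; its first sample is a trimmed copy of the syslog excerpt posted earlier, the second is a constructed case where the L2TP control connection never comes up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample 1: trimmed copy of the xl2tpd/pppd/charon syslog excerpt posted earlier in this thread.
LOG_THREAD = """\
Sep 23 00:28:54 sveta xl2tpd[4113]: Connecting to host vpn.office.com, port 1701
Sep 23 00:28:54 sveta xl2tpd[4113]: Connection established to 17.11.7.5, 1701.  Local: 59263, Remote: 7959 (ref=0/0).
Sep 23 00:28:54 sveta xl2tpd[4113]: Call established with 17.11.7.5, Local: 15862, Remote: 7832, Serial: 1 (ref=0/0)
Sep 23 00:28:56 sveta pppd[4151]: CHAP authentication succeeded
Sep 23 00:28:59 sveta pppd[4151]: local  IP address 125.64.27.8
Sep 23 00:28:59 sveta pppd[4151]: remote IP address 17.11.7.5
Sep 23 00:29:18 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:29:59 sveta xl2tpd[4113]: Maximum retries exceeded for tunnel 59263.  Closing.
Sep 23 00:29:59 sveta xl2tpd[4113]: Connection 7959 closed to 17.11.7.5, port 1701 (Timeout)
Sep 23 00:29:59 sveta pppd[4151]: Sent 81712 bytes, received 0 bytes.
"""

# Sample 2: constructed (not from the thread). The SCCRQ is never answered, so no tunnel is established.
LOG_NO_TUNNEL = """\
Sep 23 00:40:01 sveta xl2tpd[4200]: Connecting to host vpn.office.com, port 1701
Sep 23 00:40:20 sveta charon: 11[IKE] sending keep alive to 17.11.7.5[4500]
Sep 23 00:41:06 sveta xl2tpd[4200]: Maximum retries exceeded for tunnel 12345.  Closing.
"""

# One regex per milestone; the keys are the Triage field names they set.
MILESTONES = {
    "ipsec_ok":       re.compile(r"charon: \d+\[IKE\] (sending keep alive|IKE_SA .* established)"),
    "l2tp_tunnel":    re.compile(r"xl2tpd\[\d+\]: Connection established to "),
    "l2tp_call":      re.compile(r"xl2tpd\[\d+\]: Call established with "),
    "ppp_auth":       re.compile(r"pppd\[\d+\]: CHAP authentication succeeded"),
    "ppp_ipcp":       re.compile(r"pppd\[\d+\]: local\s+IP address \d+\.\d+\.\d+\.\d+"),
    "tunnel_timeout": re.compile(r"xl2tpd\[\d+\]: (Maximum retries exceeded for tunnel|Connection \d+ closed to .*\(Timeout\))"),
}
PPP_BYTES = re.compile(r"pppd\[\d+\]: Sent (\d+) bytes, received (\d+) bytes\.")

# What each verdict means and where to look next.
VERDICTS = {
    "ipsec":        "no IKE activity in this excerpt: IPsec SA not up (or charon logging elsewhere)",
    "l2tp-control": "SCCRQ never answered: UDP/1701 not reaching the LNS (firewall, IPsec policy match, NAT)",
    "l2tp-call":    "tunnel up but no session: ICRQ rejected or lost",
    "ppp-auth":     "CHAP never succeeded: credentials or authentication method",
    "ppp-ipcp":     "authenticated but no address: IPCP disagreement",
    "l2tp-one-way": "IPsec, tunnel, call and PPP all negotiated, yet 0 bytes received before the "
                    "control channel timed out: the peer stopped acknowledging L2TP control messages",
    "l2tp-timeout": "control channel timed out after data flowed: hello/keepalive or path loss",
    "ok":           "no failure milestone observed",
}

@dataclass
class Triage:
    ipsec_ok: bool = False
    l2tp_tunnel: bool = False
    l2tp_call: bool = False
    ppp_auth: bool = False
    ppp_ipcp: bool = False
    tunnel_timeout: bool = False
    bytes_sent: Optional[int] = None
    bytes_received: Optional[int] = None
    verdict: str = ""

def classify(t: Triage) -> str:
    """Map the milestones reached to the lowest layer that did not behave."""
    if not t.l2tp_tunnel:
        return "l2tp-control" if t.ipsec_ok else "ipsec"
    if not t.l2tp_call:
        return "l2tp-call"
    if not t.ppp_auth:
        return "ppp-auth"
    if not t.ppp_ipcp:
        return "ppp-ipcp"
    if t.tunnel_timeout:
        return "l2tp-one-way" if t.bytes_received == 0 else "l2tp-timeout"
    return "ok"

def triage(log_text: str) -> Triage:
    """Single pass over syslog lines: record milestones and PPP byte counters, then classify."""
    t = Triage()
    for line in log_text.splitlines():
        for field_name, rx in MILESTONES.items():
            if rx.search(line):
                setattr(t, field_name, True)
        m = PPP_BYTES.search(line)
        if m:
            t.bytes_sent, t.bytes_received = int(m.group(1)), int(m.group(2))
    t.verdict = classify(t)
    return t

if __name__ == "__main__":
    for name, text in (("thread log", LOG_THREAD), ("constructed no-tunnel log", LOG_NO_TUNNEL)):
        r = triage(text)
        print(f"{name}: {r.verdict} -> {VERDICTS[r.verdict]}")
```

Feed it `journalctl`/syslog output for one connection attempt; a verdict of `l2tp-one-way` is the pattern in this thread, while `l2tp-control` points at the UDP/1701 path (including the IPsec policy-match rules discussed earlier).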
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Tue Sep 23, 2014 9:31 am

Hi,

When I set:

Code:

[global]
force userspace = yes


xl2tpd fails.

Code:

# /etc/init.d/xl2tpd restart
 * Starting xl2tpd ...
 * start-stop-daemon: failed to start `/usr/sbin/xl2tpd'
 * Failed to start xl2tpd                                                                                    [ !! ]
 * ERROR: xl2tpd failed to start


I am able to emerge both rp-l2tp and openl2tp. The latter is available via an overlay [booboo].
salahx
Guru


Joined: 12 Mar 2005
Posts: 437

Posted: Wed Sep 24, 2014 6:48 am

It shouldn't give that error. It works for me. Check the syntax of your xl2tpd.conf file. It's gonna be a day or so before I can set up another l2tp client, as the Gentoo webservers are down.

It should look something like this:
Code:

[global]
force userspace = yes

[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
length bit = yes
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Wed Sep 24, 2014 7:32 am

You're right.

When I copied and pasted to the config file, I missed the '[global]' statement. I was in a rush. Apologies.

Testing again now with the correct syntax. xl2tpd does run but there is no change. The logs are identical.

This might be informative - http://serverfault.com/questions/550377/strongswan-xl2tpd-client-timeout-between-2-5-minutes
salahx
Guru


Joined: 12 Mar 2005
Posts: 437

Posted: Thu Sep 25, 2014 6:39 am

OK then, let's try it with openl2tp. You'll need the "rpc" USE flag set as well. If you are using systemd, grab its unit file. Systemd users need to start rpcbind manually. Either way, start the openl2tpd service.

Once the service is started, run the "l2tpconfig" utility:

Code:
l2tp> system modify deny_remote_tunnel_creates=yes
l2tp> tunnel profile create dest_ipaddr=vpn.office.com
Created tunnel 47743
l2tp> tunnel show tunnel_id=47743
l2tp> session create tunnel_id=47743 user_name=your-login-username user_password=your-login-password
Created session 47743/20183
l2tp> session show tunnel_id=47743 session_id=20183


The tunnel and session ids are generated randomly. Note that "session show" discloses the username and password.

To disconnect:
Code:
session delete tunnel_id=47743 session_id=20183
tunnel delete tunnel_id=47743
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Thu Sep 25, 2014 8:39 am

A quick update:

Code:

# l2tpconfig
localhost: RPC: Program not registered


I think this may be due to the order in which I attempted to run these programs, l2tpconfig then rpcbind. I'll find out after work.
Duco Ergo Sum
Apprentice


Joined: 06 Dec 2005
Posts: 153
Location: Winsford

Posted: Fri Sep 26, 2014 11:27 pm

Hi

I have attempted to follow your example as closely as possible; however, I still fail to get a connection or even a ppp0 interface.

Code:

l2tp> tunnel create profile_name="VPN.OFFICE.COM" tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com
Created tunnel 30242
l2tp> tunnel show tunnel_id=30242
Tunnel 30242, from 1.2.3.4 to 17.11.7.5:-
  state: CLOSING
  created at:  Sep 26 20:41:01 2014
  created by admin: YES, tunnel mode: LAC
  peer tunnel id: 0, host name: NOT SET
  UDP ports: local 59310, peer 1701
  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
  session limit: 0, session count: 0
  tunnel profile: "VPN.OFFICE.COM", peer profile: default
  session profile: default, ppp profile: default
  hello timeout: 60, retry timeout: 1, idle timeout: 0
  rx window size: 10, tx window size: 10, max retries: 5
  use udp checksums: ON
  do pmtu discovery: OFF, mtu: 1460
  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
  use tiebreaker: OFF
  trace flags: NONE
  peer protocol version: 0.0, firmware 0
  peer framing capability: NONE
  peer bearer capability: NONE
  peer rx window size: 0
  Transport status:-
    ns/nr: 1/0, peer 0/0
    cwnd: 1, ssthresh: 1, congpkt_acc: 0
  Transport statistics:-
    out-of-sequence control/data discards: 0/0
    zlbs tx/txfail/rx: 0/0/0
    retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0
    hellos tx/txfail/rx: 0/0/0
    control rx packets: 0, rx bytes: 0
    control tx packets: 6, tx bytes: 834
    data rx packets: 0, rx bytes: 0, rx errors: 0
    data tx packets: 0, tx bytes: 0, tx errors: 0
    establish retries: 0

l2tp> session create user_name=USER user_password=PASSWORD tunnel_name="VPN.OFFICE.COM"
Created session 30242/42553

l2tp> session show tunnel_name="VPN.OFFICE.COM" session_id=42553
Session 42553 on tunnel 30242:-
  type: LAC Incoming Call, state: WAITTUNNEL
  created at:  Sep 26 20:41:22 2014
  created by admin: YES
  ppp user name: USER
  ppp user password: PASSWORD
  data sequencing required: OFF
  use data sequence numbers: OFF
  trace flags: NONE
  framing types: SYNC ASYNC
  bearer types: DIGITAL ANALOG
  call serial number: 3
  connect speed: 1000000
  use ppp proxy: NO

  Peer configuration data:-
    data sequencing required: OFF
    framing types:
    bearer types:
    call serial number: 3
  data rx packets: 0, rx bytes: 0, rx errors: 0
  data tx packets: 0, tx bytes: 0, tx errors: 0

l2tp> tunnel show tunnel_name="VPN.OFFICE.COM"
Tunnel 30242, from 1.2.3.4 to 17.11.7.5:-
  state: CLOSING
  created at:  Sep 26 20:41:01 2014
  created by admin: YES, tunnel mode: LAC
  peer tunnel id: 0, host name: NOT SET
  UDP ports: local 59310, peer 1701
  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
  session limit: 0, session count: 1
  tunnel profile: "VPN.OFFICE.COM", peer profile: default
  session profile: default, ppp profile: default
  hello timeout: 60, retry timeout: 1, idle timeout: 0
  rx window size: 10, tx window size: 10, max retries: 5
  use udp checksums: ON
  do pmtu discovery: OFF, mtu: 1460
  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
  use tiebreaker: OFF
  trace flags: NONE
  peer protocol version: 0.0, firmware 0
  peer framing capability: NONE
  peer bearer capability: NONE
  peer rx window size: 0
  Transport status:-
    ns/nr: 1/0, peer 0/0
    cwnd: 1, ssthresh: 1, congpkt_acc: 0
  Transport statistics:-
    out-of-sequence control/data discards: 0/0
    zlbs tx/txfail/rx: 0/0/0
    retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0
    hellos tx/txfail/rx: 0/0/0
    control rx packets: 0, rx bytes: 0
    control tx packets: 6, tx bytes: 834
    data rx packets: 0, rx bytes: 0, rx errors: 0
    data tx packets: 0, tx bytes: 0, tx errors: 0
    establish retries: 0


The tunnel option persist=yes doesn't help either.
salahx
Guru

Joined: 12 Mar 2005
Posts: 437

PostPosted: Sat Sep 27, 2014 1:25 am

It appears the ipsec connection is down. Bring back up the ipsec connection and try again.
Duco Ergo Sum
Apprentice

Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sat Sep 27, 2014 10:35 pm

The IPsec appears to remain up:

Code:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.14.14-gentoo, x86_64):
  uptime: 72 minutes, since Sep 27 22:10:49 2014
  malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon curl ldap mysql sqlite aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic dhcp
Listening IP addresses:
  1.2.3.4
Connections:
Xerox-XLS-Telford:  %any...vpn.office.com  IKEv1
Xerox-XLS-Telford:   local:  [1.2.3.4] uses pre-shared key authentication
Xerox-XLS-Telford:   remote: [17.11.7.5] uses pre-shared key authentication
Xerox-XLS-Telford:   child:  dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT
Security Associations (1 up, 0 connecting):
Xerox-XLS-Telford[1]: ESTABLISHED 72 minutes ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Xerox-XLS-Telford[1]: IKEv1 SPIs: [HIDDEN]* [HIDDEN], rekeying disabled
Xerox-XLS-Telford[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Xerox-XLS-Telford{1}:  INSTALLED, TRANSPORT, ESP in UDP SPIs: [HIDDEN] [HIDDEN]
Xerox-XLS-Telford{1}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
Xerox-XLS-Telford{1}:   1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]


Yet, I'm still missing something.
Code:

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com
Created tunnel 28351
l2tp> session create session_name="VPN.OFFICE.COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN.OFFICE.COM"
Created session 15597 on tunnel "VPN.OFFICE.COM"
l2tp> session show tunnel_name="VPN.OFFICE.COM" session_name="VPN.OFFICE.COM"
Session 15597 on tunnel 28351:-
  type: LAC Incoming Call, state: WAITTUNNEL
  created at:  Sep 27 23:23:24 2014
  administrative name: "VPN.OFFICE.COM"
  created by admin: YES
  ppp user name: USER_NAME
  ppp user password: USER_PASSWORD
  data sequencing required: OFF
  use data sequence numbers: OFF
  trace flags: NONE
  framing types: SYNC ASYNC
  bearer types: DIGITAL ANALOG
  call serial number: 4
  connect speed: 1000000
  use ppp proxy: NO

  Peer configuration data:-
    data sequencing required: OFF
    framing types:
    bearer types:
    call serial number: 4
  data rx packets: 0, rx bytes: 0, rx errors: 0
  data tx packets: 0, tx bytes: 0, tx errors: 0


In the Openl2tp documentation it says that StrongSwan can do l2tp also. I cannot see any configuration info in the StrongSwan documentation.
salahx
Guru

Joined: 12 Mar 2005
Posts: 437

PostPosted: Sat Sep 27, 2014 11:23 pm

StrongSwan doesn't do l2tp (it has a NetworkManager plugin, but only for IKEv2). Let's make sure the tunnel is getting established. After you create the tunnel, before the session, do a "show tunnel ..." command and verify the tunnel says ESTABLISHED. If not, we need to debug the tunnel first.
Duco Ergo Sum
Apprentice

Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sun Sep 28, 2014 12:09 am

Unfortunately, I don't seem to be able to establish a tunnel.

Code:

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com
Created tunnel 56457
l2tp> show tunnel tunnel_name="VPN.OFFICE.COM"
Error at or near 'show'
l2tp> show tunnel tunnel_id=56457
Error at or near 'show'


Code:

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM"" dest_ipaddr=17.11.7.5                                     
Created tunnel 7747                                                                                               
l2tp> show tunnel tunnel_name="VPN.OFFICE.COM""                     
Error at or near 'show'                                                                                           
l2tp> show tunnel tunnel_id=7747                                     
Error at or near 'show'
salahx
Guru

Joined: 12 Mar 2005
Posts: 437

PostPosted: Sun Sep 28, 2014 12:19 am

My bad. It's "tunnel show ..." not "show tunnel ..." (there's a "tunnel list" command as well, to see all the open tunnels).
salahx
Guru

Joined: 12 Mar 2005
Posts: 437

PostPosted: Sun Sep 28, 2014 4:55 am

Actually, I notice above in the status that no traffic was flowing over the ipsec connection. The same thing happens here too - once I put up the l2tp firewall, it stopped working. It turns out openl2tp works differently with respect to the source port. xl2tpd used port 1701, but openl2tp chooses a random one. The ipsec rules we have set up only work when both the source AND destination ports are 1701.

So at this point, we can fix this one of 2 ways:

1) Adjust your ipsec connection:

Code:

conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/%any
        right=vpn.office.com
        rightprotoport=udp/l2tp
        rightid=17.11.7.5
        auto=add


Reload strongswan and reconnect. After connecting you'll see a subtle change: "CHILD_SA vpn.office.com{1} established with SPIs...TS 1.2.3.4/32[udp] === 17.11.7.5/32[udp/l2tp]". Note that the server might adjust this - in that case this won't work and we'll have to try #2. The advantage is that we're not restricted to one tunnel per connection like Windows.

2) Bind to port 1701 on the client side:

Code:

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com our_udp_port=1701


This is the way Windows does it.
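As an added illustration of the port mismatch salahx describes (this is example code written for this page, not code from the thread, openl2tp or strongSwan), the following Python parses the strongSwan CHILD_SA traffic-selector line and the relevant lines of openl2tp's "tunnel show" output and reports whether the L2TP control packets fall inside the negotiated SA. The sample strings are constructed from the outputs posted in this thread, and the function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

L2TP_PORT = 1701
PROTO_NUMS = {"udp": 17, "tcp": 6}
PORT_NAMES = {"l2tp": L2TP_PORT}  # service name as strongSwan prints it


@dataclass(frozen=True)
class Selector:
    """One side of a traffic selector, e.g. 1.2.3.4/32[udp/l2tp] or 1.2.3.4/32[udp]."""
    network: ipaddress.IPv4Network
    proto: Optional[int]  # None: any protocol
    port: Optional[int]   # None: any port, which is what plain [udp] means

    def matches(self, addr: str, proto: int, port: int) -> bool:
        return (ipaddress.ip_address(addr) in self.network
                and (self.proto is None or self.proto == proto)
                and (self.port is None or self.port == port))


_SEL_RE = re.compile(r"^(?P<net>[0-9.]+/\d+)(?:\[(?P<proto>\w+)(?:/(?P<port>\w+))?\])?$")


def parse_selector(text: str) -> Selector:
    m = _SEL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised traffic selector: {text!r}")
    proto = PROTO_NUMS[m["proto"]] if m["proto"] else None
    port = (PORT_NAMES.get(m["port"]) or int(m["port"])) if m["port"] else None
    return Selector(ipaddress.ip_network(m["net"], strict=False), proto, port)


def parse_ts(line: str) -> Tuple[Selector, Selector]:
    """Local and remote selectors from a 'CHILD_SA ... TS a === b' or 'ipsec statusall' line."""
    m = re.search(r"(\S+) === (\S+)", line)
    if m is None:
        raise ValueError(f"no traffic selectors in: {line!r}")
    return parse_selector(m.group(1)), parse_selector(m.group(2))


def parse_tunnel_show(text: str) -> dict:
    """The few fields of openl2tp 'tunnel show' output this check needs."""
    hdr = re.search(r"Tunnel \d+, from (\S+) to (\S+):", text)
    ports = re.search(r"UDP ports: local (\d+), peer (\d+)", text)
    state = re.search(r"state: (\S+)", text)
    ctl_rx = re.search(r"control rx packets: (\d+)", text)
    if not (hdr and ports and state and ctl_rx):
        raise ValueError("not a complete 'tunnel show' dump")
    return {"local_ip": hdr.group(1), "peer_ip": hdr.group(2),
            "local_port": int(ports.group(1)), "peer_port": int(ports.group(2)),
            "state": state.group(1), "control_rx": int(ctl_rx.group(1))}


def diagnose(ts_line: str, tunnel_show: str) -> Tuple[str, str]:
    """Return (code, explanation). The outbound control packet is
    local_ip:local_port -> peer_ip:peer_port over UDP (protocol 17); if the SA's
    selectors do not cover it, it leaves unprotected and an L2TP/IPsec-only server
    never answers, which is the CLOSING / 'control rx packets: 0' pattern seen here."""
    local, remote = parse_ts(ts_line)
    t = parse_tunnel_show(tunnel_show)
    if t["state"] == "ESTABLISHED":
        return "ESTABLISHED", "tunnel is up"
    covered = (local.matches(t["local_ip"], 17, t["local_port"])
               and remote.matches(t["peer_ip"], 17, t["peer_port"]))
    if not covered:
        return "OUTSIDE_SA", (f"control packets from UDP port {t['local_port']} are not "
                              f"covered by the CHILD_SA; widen leftprotoport or bind with "
                              f"our_udp_port={L2TP_PORT}")
    if t["control_rx"] == 0:
        return "NO_REPLY", "packets are inside the SA but the peer never answered; check ESP with tcpdump"
    return "NEGOTIATING", f"tunnel state {t['state']}, peer is responding"


# Sample inputs constructed from the outputs posted earlier in this thread.
TS_NARROW = ("CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] "
             "and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]")
TS_WIDE = "TS 1.2.3.4/32[udp] === 17.11.7.5/32[udp/l2tp]"
SHOW_RANDOM_PORT = """Tunnel 30242, from 1.2.3.4 to 17.11.7.5:-
  state: CLOSING
  UDP ports: local 59310, peer 1701
    control rx packets: 0, rx bytes: 0
"""
SHOW_BOUND_PORT = """Tunnel 835, from 1.2.3.4 to 17.11.7.5:-
  state: ESTABLISHED
  UDP ports: local 1701, peer 1701
    control rx packets: 2, rx bytes: 128
"""

if __name__ == "__main__":
    print(diagnose(TS_NARROW, SHOW_RANDOM_PORT))  # OUTSIDE_SA: the random source port
    print(diagnose(TS_WIDE, SHOW_RANDOM_PORT))    # NO_REPLY: covered once the TS is widened
    print(diagnose(TS_NARROW, SHOW_BOUND_PORT))   # ESTABLISHED: our_udp_port=1701
```

The same check applied to the server-narrowed TS line posted later in the thread shows why approach #1 fails and #2 works: the narrowed selectors only cover source port 1701.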
Duco Ergo Sum
Apprentice

Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sun Sep 28, 2014 7:35 am

Old IPsec connection
Code:

# ipsec up VPN.OFFICE.COM
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
connection 'VPN.OFFICE.COM' established successfully

l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com
Created tunnel 24778
l2tp> tunnel show tunnel_name="VPN OFFICE COM"
Tunnel 24778, from 1.2.3.4 to 17.11.7.5:-
  state: CLOSING
  created at:  Sep 28 08:17:16 2014
  administrative name: '"VPN OFFICE COM"'                                                                       
  created by admin: YES, tunnel mode: LAC                                                                         
  peer tunnel id: 0, host name: NOT SET                                                                           
  UDP ports: local 37846, peer 1701                                                                               
  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF                                                   
  session limit: 0, session count: 0                                                                               
  tunnel profile: default, peer profile: default                                                                   
  session profile: default, ppp profile: default                                                                   
  hello timeout: 60, retry timeout: 1, idle timeout: 0                                                             
  rx window size: 10, tx window size: 10, max retries: 5                                                           
  use udp checksums: ON                                                                                           
  do pmtu discovery: OFF, mtu: 1460                                                                               
  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG                                               
  use tiebreaker: OFF                                                                                             
  trace flags: NONE                                                                                               
  peer protocol version: 0.0, firmware 0                                                                           
  peer framing capability: NONE                                                                                   
  peer bearer capability: NONE                                                                                     
  peer rx window size: 0                                                                                           
  Transport status:-                                                                                               
    ns/nr: 1/0, peer 0/0                                                                                           
    cwnd: 1, ssthresh: 1, congpkt_acc: 0                                                                           
  Transport statistics:-                                                                                           
    out-of-sequence control/data discards: 0/0                                                                     
    zlbs tx/txfail/rx: 0/0/0                                                                                       
    retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0                                               
    hellos tx/txfail/rx: 0/0/0                                                                                     
    control rx packets: 0, rx bytes: 0                                                                             
    control tx packets: 6, tx bytes: 834                                                                           
    data rx packets: 0, rx bytes: 0, rx errors: 0                                                                 
    data tx packets: 0, tx bytes: 0, tx errors: 0                                                                 
    establish retries: 0



New IPsec connection
Code:

# ipsec up VPN.OFFICE.COM
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5                                                 
generating ID_PROT request 0 [ SA V V V V ]                                                                       
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)                                             
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)                                             
parsed ID_PROT response 0 [ SA V V ]                                                                               
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
generating QUICK_MODE request [HIDDEN] [ HASH ]
connection 'VPN.OFFICE.COM' established successfully


l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com                               
Created tunnel 10765                                                                                               
l2tp> tunnel show tunnel_name="VPN OFFICE COM"                               
Tunnel 10765, from 1.2.3.4 to 17.11.7.5:-                                                                   
  state: WAITCTLREPLY                                                                                             
  created at:  Sep 28 08:22:52 2014                                                                               
  administrative name: '"VPN OFFICE COM"'                                                                       
  created by admin: YES, tunnel mode: LAC                                                                         
  peer tunnel id: 0, host name: NOT SET
  UDP ports: local 49627, peer 1701
  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
  session limit: 0, session count: 0
  tunnel profile: default, peer profile: default
  session profile: default, ppp profile: default
  hello timeout: 60, retry timeout: 1, idle timeout: 0
  rx window size: 10, tx window size: 10, max retries: 5
  use udp checksums: ON
  do pmtu discovery: OFF, mtu: 1460
  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
  use tiebreaker: OFF
  trace flags: NONE
  peer protocol version: 0.0, firmware 0
  peer framing capability: NONE
  peer bearer capability: NONE
  peer rx window size: 0
  Transport status:-
    ns/nr: 1/0, peer 0/0
    cwnd: 1, ssthresh: 0, congpkt_acc: 0
  Transport statistics:-
    out-of-sequence control/data discards: 0/0
    zlbs tx/txfail/rx: 0/0/0
    retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0
    hellos tx/txfail/rx: 0/0/0
    control rx packets: 0, rx bytes: 0
    control tx packets: 1, tx bytes: 139
    data rx packets: 0, rx bytes: 0, rx errors: 0
    data tx packets: 0, tx bytes: 0, tx errors: 0
    establish retries: 0
l2tp> session create session_name="VPN OFFICE COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN OFFICE COM"
Created session 45480 on tunnel "VPN OFFICE COM"
l2tp> session show tunnel_name="VPN OFFICE COM" session_name="VPN OFFICE COM"
Session 45480 on tunnel 10765:-
  type: LAC Incoming Call, state: WAITTUNNEL
  created at:  Sep 28 08:23:09 2014
  administrative name: "VPN OFFICE COM"
  created by admin: YES
  ppp user name: USER_NAME
  ppp user password: USER_PASSWORD
  data sequencing required: OFF
  use data sequence numbers: OFF
  trace flags: NONE
  framing types: SYNC ASYNC
  bearer types: DIGITAL ANALOG
  call serial number: 1
  connect speed: 1000000
  use ppp proxy: NO

  Peer configuration data:-
    data sequencing required: OFF
    framing types:
    bearer types:
    call serial number: 1
  data rx packets: 0, rx bytes: 0, rx errors: 0
  data tx packets: 0, tx bytes: 0, tx errors: 0


There is one deviation from your IPsec connection:

Code:

rightprotoport=udp/%any
salahx
Guru

Joined: 12 Mar 2005
Posts: 437

PostPosted: Sun Sep 28, 2014 3:46 pm

Didn't work, the server modified it:
Code:

CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]


We'll have to go with approach #2 and bind to port 1701.
Duco Ergo Sum
Apprentice

Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sun Sep 28, 2014 11:00 pm

Looking on the bright side, we now have the ESTABLISHED state. Unfortunately, as far as I can tell we're getting the same behaviour as with xl2tp.

Code:

# ipsec up VPN.OFFICE.COM
initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
generating QUICK_MODE request [HIDDEN] [ HASH ]
connection 'VPN.OFFICE.COM' established successfully
sveta huoshe # l2tpconfig
l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com our_udp_port=1701
Created tunnel 835
l2tp> tunnel show tunnel_name="VPN OFFICE COM"
Tunnel 835, from 1.2.3.4 to 17.11.7.5:-
  state: ESTABLISHED
  created at:  Sep 28 23:44:09 2014
  administrative name: '"VPN OFFICE COM"'
  created by admin: YES, tunnel mode: LAC
  peer tunnel id: 7989, host name: NOT SET
  UDP ports: local 1701, peer 1701
  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF
  session limit: 0, session count: 0
  tunnel profile: default, peer profile: default
  session profile: default, ppp profile: default
  hello timeout: 60, retry timeout: 1, idle timeout: 0
  rx window size: 10, tx window size: 10, max retries: 5
  use udp checksums: ON
  do pmtu discovery: OFF, mtu: 1460
  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG
  use tiebreaker: OFF
  trace flags: NONE
  peer vendor name: Cisco Systems, Inc.
  peer protocol version: 1.0, firmware 4384
  peer framing capability: SYNC ASYNC
  peer bearer capability: DIGITAL ANALOG
  peer rx window size: 16
  Transport status:-
    ns/nr: 2/1, peer 2/1
    cwnd: 3, ssthresh: 10, congpkt_acc: 0
  Transport statistics:-
    out-of-sequence control/data discards: 0/0
    zlbs tx/txfail/rx: 1/0/1
    retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0
    hellos tx/txfail/rx: 0/0/0
    control rx packets: 2, rx bytes: 128
    control tx packets: 3, tx bytes: 171
    data rx packets: 0, rx bytes: 0, rx errors: 0
    data tx packets: 0, tx bytes: 0, tx errors: 0
    establish retries: 0
l2tp> session create session_name="VPN OFFICE COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN OFFICE COM"
Created session 65073 on tunnel "VPN OFFICE COM"
l2tp> session show tunnel_name="VPN OFFICE COM" session_name="VPN OFFICE COM"
Session 65073 on tunnel 835:-
  type: LAC Incoming Call, state: ESTABLISHED
  created at:  Sep 28 23:44:18 2014
  administrative name: "VPN OFFICE COM"
  created by admin: YES, peer session id: 7862
  ppp user name: USER_NAME
  ppp user password: USER_PASSWORD
  ppp interface name: ppp0
  data sequencing required: OFF
  use data sequence numbers: OFF
  trace flags: NONE
  framing types: SYNC ASYNC
  bearer types: DIGITAL ANALOG
  call serial number: 1
  connect speed: 1000000
  use ppp proxy: NO

  Peer configuration data:-
    data sequencing required: OFF
    framing types:
    bearer types:
    call serial number: 1
  data rx packets: 9, rx bytes: 244, rx errors: 0
  data tx packets: 8, tx bytes: 286, tx errors: 0

# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether [HIDDEN]  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 [HIDDEN]  prefixlen 64  scopeid 0x20<link>
        ether [HIDDEN]  txqueuelen 1000  (Ethernet)
        RX packets 14981  bytes 17385980 (16.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10522  bytes 1389109 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory [HIDDEN] 

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether [HIDDEN]  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  memory [HIDDEN] 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 137  bytes 43277 (42.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 137  bytes 43277 (42.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 34 (34.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 8917 (8.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sveta huoshe # ping 1.3.3.1
PING 1.3.3.1 (1.3.3.1) 56(84) bytes of data.
^C
--- 1.3.3.1 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms
salahx
Guru

Joined: 12 Mar 2005
Posts: 437

PostPosted: Sun Sep 28, 2014 11:19 pm

OK, verify that neither the session nor the tunnel goes down by itself after a few seconds (the other end might time out after 15-30 minutes of idleness, so that's OK). If the tunnel stays up then it's a network configuration problem.

If the tunnel is stable, try the "tracepath" and/or "traceroute" utility and see if data is crossing the tunnel. Ping the other end of the tunnel. Use "tcpdump -i eno1 proto 50" and "tcpdump -i ppp0" and verify you see traffic (you may get the "ret: -1" thing, I get it too, but it should still work).
Duco Ergo Sum
Apprentice

Joined: 06 Dec 2005
Posts: 153
Location: Winsford

PostPosted: Sun Sep 28, 2014 11:33 pm

No traffic passes through the tunnel, and then it disappears after less than a minute. After that, to create an established tunnel, I need to restart ipsec and openl2tpd.