I'm sorry, English is not my native language, so don't judge too hard.
I have some trouble I can't resolve. For almost a week I've been trying to set up an L2TP server on my Debian Squeeze router to let external clients access my home network.
Router interfaces:
LAN: 192.168.129.1 (192.168.129.0/24 - home network)
WAN: 172.20.75.221 (172.20.75.x 255.255.255.192 - provider inner network)
INET: 195.128.x.x (via L2TP-server in prov. network)
I used openswan and xl2tpd to set up an L2TP server that would listen for connections on the WAN and INET interfaces. First of all, I am a beginner, and I've found a lot of articles about these applications. Second, I need services that native Windows L2TP clients are able to connect to. And last, xl2tpd was already installed and configured to establish the internet connection.
First I made a CA certificate (with the openSSL utilities). I made certificates for the server and the clients and signed them with the CA. Then I converted the client certs to .p12 format and installed them on the Windows clients via mmc. The CA, the server cert and the server key are fed to openswan (the PEM passphrase is also provided).
All configs below:
/etc/ipsec.conf:
(mainly from /etc/ipsec.d/examples/l2tp-cert.conf)
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    #default: virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    virtual_private=%v4:192.168.0.0/16,%v4:!192.168.129.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey

# Add connections here
conn home
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    # See http://bugs.xelerance.com/view.php?id=466
    type=transport
    #
    keyingtries=1
    #compress=yes
    disablearrivalcheck=no
    #
    left=%ppp0
    leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/ipsec-server.home.pem
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port. If that does
    # not work, try 17/%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
xl2tpd.conf:

[global]                                ; Global parameters:
port = 1701                             ; * Bind to port 1701
; auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
access control = no                     ; * Refuse connections without IP match
rand source = dev                       ; Source for entropy for random
                                        ; numbers, options are:
                                        ; dev - reads of /dev/urandom
                                        ; sys - uses rand()
                                        ; egd - reads from egd socket
                                        ; egd is not yet implemented
debug network = yes
debug tunnel = yes

; Note: xl2tpd's sample config marks "[lns default]" as the fall-through LNS
; definition, used for peers that match no other section. A section under any
; other name is only selected for peers listed in its "lac =" access list,
; and this section has no "lac =" lines.
[lns home-l2tp]
ip range = 192.168.130.240-192.168.130.250
local ip = 192.168.130.5
require chap = yes
refuse pap = yes
require authentication = yes
name = home-l2tp
ppp debug = yes
pppoptfile = /etc/ppp/options.home.l2tp
length bit = yes
flow bit = yes
/etc/ppp/options.home.l2tp:

lock
noauth
debug
# logfile /var/log/xl2tpd.log
mtu 1448
mru 1448
lcp-echo-failure 8
lcp-echo-interval 3
nodeflate
nomppe
noproxyarp
nopersist
/etc/ppp/chap-secrets has this line:
user home-l2tp pass *
Now to the trouble...
The miracle does not happen =)
The client persistently gets a 651 error (http://mintywhite.com/windows-7/7mainte ... ted-error/)
Logs:
All logs below are filtered with grep.
I'm not sure which logs could be useful. If the logs below are not sufficient to find the problem, please tell me what to show.
xl2tpd report from syslog:
Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: recv packet from 87.225.84.25, size = 97, tunnel = 0, call = 0 ref=0 refhim=0
Mar 22 20:29:02 debsrv xl2tpd[2520]: get_call: allocating new tunnel for host 87.225.84.25, port 1701.
Mar 22 20:29:02 debsrv xl2tpd[2520]: control_finish: Denied connection to unauthorized peer 87.225.84.25
Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: bad packet
Mar 22 20:29:02 debsrv xl2tpd[2520]: build_fdset: closing down tunnel 21628
Mar 22 20:29:02 debsrv xl2tpd[2520]: Connection 1 closed to 87.225.84.25, port 1701 (No Authorization)
Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: recv packet from 87.225.84.25, size = 12, tunnel = 0, call = 0 ref=0 refhim=0
Mar 22 20:29:02 debsrv xl2tpd[2520]: get_call: allocating new tunnel for host 87.225.84.25, port 1701.
Mar 22 20:29:02 debsrv xl2tpd[2520]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Mar 22 20:29:02 debsrv xl2tpd[2520]: handle_packet: bad control packet!
Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: bad packet
Mar 22 20:29:02 debsrv xl2tpd[2520]: build_fdset: closing down tunnel 15089
Mar 22 20:29:03 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:04 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:04 debsrv xl2tpd[2520]: udp_xmit failed with err=-1:Operation not permitted
Mar 22 20:29:05 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:05 debsrv xl2tpd[2520]: udp_xmit failed with err=-1:Operation not permitted
Mar 22 20:29:06 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:06 debsrv xl2tpd[2520]: udp_xmit failed with err=-1:Operation not permitted
Mar 22 20:29:07 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:07 debsrv xl2tpd[2520]: Unable to deliver closing message for tunnel 21628. Destroying anyway.
Mar 22 20:29:07 debsrv xl2tpd[2520]: build_fdset: closing down tunnel 21628
Mar 22 20:29:46 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:47 debsrv xl2tpd[2520]: network_thread: select timeout
When the MTU was obviously higher than the INET interface MTU:
Mar 18 00:14:02 debsrv xl2tpd[12525]: control_finish: Denied connection to unauthorized peer 92.37.202.230
Mar 18 00:14:02 debsrv xl2tpd[12525]: Connection 29 closed to 92.37.202.230, port 1701 (No Authorization)
Mar 18 00:14:02 debsrv xl2tpd[12525]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Mar 18 00:14:02 debsrv xl2tpd[12525]: handle_packet: bad control packet!
Mar 18 00:14:04 debsrv xl2tpd[12525]: udp_xmit failed with err=-1:Operation not permitted
Mar 18 00:14:05 debsrv xl2tpd[12525]: udp_xmit failed with err=-1:Operation not permitted
Mar 18 00:14:06 debsrv xl2tpd[12525]: udp_xmit failed with err=-1:Operation not permitted
Mar 18 00:14:07 debsrv xl2tpd[12525]: Unable to deliver closing message for tunnel 8674. Destroying anyway.
Pluto reports from auth.log:
Mar 22 20:28:31 debsrv ipsec__plutorun: Starting Pluto subsystem...
Mar 22 20:28:31 debsrv pluto[4241]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:4241
Mar 22 20:28:31 debsrv pluto[4241]: SAref support [disabled]: Protocol not available
Mar 22 20:28:31 debsrv pluto[4241]: SAbind support [disabled]: Protocol not available
Mar 22 20:28:31 debsrv pluto[4241]: Setting NAT-Traversal port-4500 floating to on
Mar 22 20:28:31 debsrv pluto[4241]: port floating activation criteria nat_t=1/port_float=1
Mar 22 20:28:31 debsrv pluto[4241]: NAT-Traversal support [enabled]
Mar 22 20:28:31 debsrv pluto[4241]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: starting up 3 cryptographic helpers
Mar 22 20:28:31 debsrv pluto[4241]: started helper pid=4245 (fd:7)
Mar 22 20:28:31 debsrv pluto[4241]: started helper pid=4246 (fd:8)
Mar 22 20:28:31 debsrv pluto[4245]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4246]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4247]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4241]: started helper pid=4247 (fd:9)
Mar 22 20:28:31 debsrv pluto[4241]: Using Linux 2.6 IPsec interface code on 2.6.32-5-686 (experimental code)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: Changed path to directory '/etc/ipsec.d/cacerts'
Mar 22 20:28:31 debsrv pluto[4241]: loaded CA cert file 'cacert.pem' (4404 bytes)
Mar 22 20:28:31 debsrv pluto[4241]: Changed path to directory '/etc/ipsec.d/aacerts'
Mar 22 20:28:31 debsrv pluto[4241]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Mar 22 20:28:31 debsrv pluto[4241]: Changing to directory '/etc/ipsec.d/crls'
Mar 22 20:28:31 debsrv pluto[4241]: loaded crl file 'crl.pem' (601 bytes)
Mar 22 20:28:31 debsrv pluto[4241]: loading certificate from /etc/ipsec.d/certs/ipsec-server.home.pem
Mar 22 20:28:31 debsrv pluto[4241]: loaded host cert file '/etc/ipsec.d/certs/ipsec-server.home.pem' (3614 bytes)
Mar 22 20:28:31 debsrv pluto[4241]: no subjectAltName matches ID '%fromcert', replaced by subject DN
Mar 22 20:28:31 debsrv pluto[4241]: added connection description "home"
Mar 22 20:28:31 debsrv pluto[4241]: listening for IKE messages
Mar 22 20:28:31 debsrv pluto[4241]: NAT-Traversal: Trying new style NAT-T
Mar 22 20:28:31 debsrv pluto[4241]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Mar 22 20:28:31 debsrv pluto[4241]: NAT-Traversal: Trying old style NAT-T
Mar 22 20:28:31 debsrv pluto[4241]: adding interface ppp0/ppp0 195.128.xxx.xxx:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface ppp0/ppp0 195.128.xxx.xxx:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_lan/eth_lan 192.168.129.1:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_lan/eth_lan 192.168.129.1:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_wan/eth_wan 172.20.75.221:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_wan/eth_wan 172.20.75.221:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface lo/lo 127.0.0.1:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface lo/lo 127.0.0.1:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface lo/lo ::1:500
Mar 22 20:28:31 debsrv pluto[4241]: loading secrets from "/etc/ipsec.secrets"
Mar 22 20:28:31 debsrv pluto[4241]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Mar 22 20:28:31 debsrv pluto[4241]: loaded private key file '/etc/ipsec.d/private/ipsec-server.home.key' (963 bytes)
Mar 22 20:28:31 debsrv pluto[4241]: loaded private key for keyid: PPK_RSA:AwEAAdV5R
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: received Vendor ID payload [RFC 3947] method set to=109
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [IKE CGA version 1]
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: responding to Main Mode from unknown peer 87.225.84.25
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 22 20:29:02 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=RU, ST=Hab, L=Hab, O=Home, CN=drvital'
Mar 22 20:29:02 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: switched from "home" to "home"
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: deleting connection "home" instance with peer 87.225.84.25 {isakmp=#0/ipsec=#0}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: I am sending my cert
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: new NAT mapping for #1, was 87.225.84.25:500, now 87.225.84.25:4500
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: the peer proposed: 195.128.xxx.xxx/32:17/1701 -> 192.168.0.100/32:17/0
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: responding to Quick Mode proposal {msgid:01000000}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: us: 195.128.xxx.xxx<%ppp0>[C=RU, ST=Hab, L=Hab, O=Home, CN=debsrv,+S=C]:17/1701
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: them: 87.225.84.25[C=RU, ST=Hab, L=Hab, O=Home, CN=drvital,+S=C]:17/1701===192.168.0.100/32
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xccc5e22d <0x697d43d8 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.100 NATD=87.225.84.25:4500 DPD=none}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: received Delete SA(0xccc5e22d) payload: deleting IPSEC State #2
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: received and ignored informational message
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: received Delete SA payload: deleting ISAKMP State #1
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25: deleting connection "home" instance with peer 87.225.84.25 {isakmp=#0/ipsec=#0}
Mar 22 20:29:02 debsrv pluto[4241]: packet from 87.225.84.25:4500: received and ignored informational message
Mar 22 20:29:03 debsrv pluto[4241]: initiate on demand from 195.128.xxx.xxx:1701 to 87.225.84.25:1701 proto=17 state: fos_start because: acquire
I tried to make it work many times with many different variations of the config options, and did not succeed.
I suspect a possible MTU issue, or maybe I misunderstand some options...
So I need the help of experienced Debian administrators, because I am unable to resolve this myself.
Thank you very much!