openswan+xl2tpd server problem

Liber2
Posts: 2
Joined: 2013-03-22 09:55

openswan+xl2tpd server problem

#1 Post by Liber2 »

Hello!

I am sorry, English is not my native language, so do not judge too hard.

I have some trouble I can't resolve. For almost a week I have been trying to set up an L2TP server on my Debian Squeeze router to let external clients access my home network.

Router interfaces:
LAN: 192.168.129.1 (192.168.129.0/24 - home network)
WAN: 172.20.75.221 (172.20.75.x 255.255.255.192 - provider inner network)
INET: 195.128.x.x (via L2TP-server in prov. network)

I used openswan and xl2tpd to set up an L2TP server which would listen for connections on the WAN and INET interfaces. First of all, I am a beginner, and I've found a lot of articles about these applications. Second, I need services which native Windows L2TP clients are able to connect to. And last, xl2tpd was already installed and configured to establish the internet connection.

First I made a CA certificate (with the OpenSSL utilities). Then I made certificates for the server and the clients and signed them with the CA. Then I converted the client certs to .p12 format and installed them on the Windows clients via mmc. The CA, server cert and server key are fed to openswan (the PEM passphrase is also provided).

All configs below:

/etc/ipsec.conf:
(mainly from /etc/ipsec.d/examples/l2tp-cert.conf)

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	#default: virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	virtual_private=%v4:192.168.0.0/16,%v4:!192.168.129.0/24
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	protostack=netkey
	

# Add connections here

conn home
	# Use a certificate. Disable Perfect Forward Secrecy.
	#
	authby=rsasig
	pfs=no
	auto=add
	# we cannot rekey for %any, let client rekey
	rekey=no
	# Set ikelifetime and keylife to same defaults windows has
	ikelifetime=8h
	keylife=1h
	# l2tp-over-ipsec is transport mode
	# See http://bugs.xelerance.com/view.php?id=466
	type=transport
	#
	keyingtries=1
	#compress=yes
	disablearrivalcheck=no
	#
	left=%ppp0
	leftid=%fromcert
	leftrsasigkey=%cert
	leftcert=/etc/ipsec.d/certs/ipsec-server.home.pem
	leftprotoport=17/1701
	#
	# The remote user.
	#
	right=%any
	rightca=%same
	rightrsasigkey=%cert
	# Using the magic port of "0" means "any one single port". This is
	# a work around required for Apple OSX clients that use a randomly
	# high port, but propose "0" instead of their port. If that does
	# not work, try 17/%any
	rightprotoport=17/%any
	rightsubnet=vhost:%priv,%no

/etc/xl2tpd/xl2tpd.conf:

[global]                                ; Global parameters:
 port = 1701                            ; * Bind to port 1701
; auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
 access control = no                    ; * Refuse connections without IP match
 rand source = dev                      ; Source for entropy for random
;                                       ; numbers, options are:
;                                       ; dev - reads of /dev/urandom
;                                       ; sys - uses rand()
;                                       ; egd - reads from egd socket
;                                       ; egd is not yet implemented
 debug network = yes                    ; extra logging while troubleshooting
 debug tunnel = yes

[lns home-l2tp]
ip range = 192.168.130.240-192.168.130.250
local ip = 192.168.130.5
require chap = yes
refuse pap = yes
require authentication = yes
name = home-l2tp
ppp debug = yes
pppoptfile = /etc/ppp/options.home.l2tp
length bit = yes
flow bit = yes

/etc/ppp/options.home.l2tp:

lock
noauth
debug
# logfile /var/log/xl2tpd.log
mtu 1448
mru 1448
lcp-echo-failure 8
lcp-echo-interval 3
nodeflate
nomppe
noproxyarp
nopersist

No changes in /etc/xl2tpd/l2tp-secrets have been made.

/etc/ppp/chap-secrets has such line:

user home-l2tp       pass  *

About firewall rules... It is a little complicated. I have a rather wide set of rules. It would take too much space to show them here. But I also have special logging rules. In log_all mode they show what happens to any packet (accepted/dropped/rejected by rules or policies). Nothing is dropped, I checked it.

Now to the trouble...

The miracle does not happen =)
The client persistently gets error 651 (http://mintywhite.com/windows-7/7mainte ... ted-error/)

Logs:
All logs below were filtered with grep.

I am not sure which logs could be useful. If the logs below are not sufficient to find the problem, please tell me what to show.

xl2tpd report from syslog:

Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: recv packet from 87.225.84.25, size = 97, tunnel = 0, call = 0 ref=0 refhim=0
Mar 22 20:29:02 debsrv xl2tpd[2520]: get_call: allocating new tunnel for host 87.225.84.25, port 1701.
Mar 22 20:29:02 debsrv xl2tpd[2520]: control_finish: Denied connection to unauthorized peer 87.225.84.25
Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: bad packet
Mar 22 20:29:02 debsrv xl2tpd[2520]: build_fdset: closing down tunnel 21628
Mar 22 20:29:02 debsrv xl2tpd[2520]: Connection 1 closed to 87.225.84.25, port 1701 (No Authorization)
Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: recv packet from 87.225.84.25, size = 12, tunnel = 0, call = 0 ref=0 refhim=0
Mar 22 20:29:02 debsrv xl2tpd[2520]: get_call: allocating new tunnel for host 87.225.84.25, port 1701.
Mar 22 20:29:02 debsrv xl2tpd[2520]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Mar 22 20:29:02 debsrv xl2tpd[2520]: handle_packet: bad control packet!
Mar 22 20:29:02 debsrv xl2tpd[2520]: network_thread: bad packet
Mar 22 20:29:02 debsrv xl2tpd[2520]: build_fdset: closing down tunnel 15089
Mar 22 20:29:03 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:04 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:04 debsrv xl2tpd[2520]: udp_xmit failed with err=-1:Operation not permitted
Mar 22 20:29:05 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:05 debsrv xl2tpd[2520]: udp_xmit failed with err=-1:Operation not permitted
Mar 22 20:29:06 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:06 debsrv xl2tpd[2520]: udp_xmit failed with err=-1:Operation not permitted
Mar 22 20:29:07 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:07 debsrv xl2tpd[2520]: Unable to deliver closing message for tunnel 21628. Destroying anyway.
Mar 22 20:29:07 debsrv xl2tpd[2520]: build_fdset: closing down tunnel 21628
Mar 22 20:29:46 debsrv xl2tpd[2520]: network_thread: select timeout
Mar 22 20:29:47 debsrv xl2tpd[2520]: network_thread: select timeout

Note: some entries may relate to the internet connection. This is what I saw when the options debug network = yes; debug tunnel = yes; were disabled:

When the MTU was obviously higher than the INET interface MTU:

Mar 18 00:14:02 debsrv xl2tpd[12525]: control_finish: Denied connection to unauthorized peer 92.37.202.230
Mar 18 00:14:02 debsrv xl2tpd[12525]: Connection 29 closed to 92.37.202.230, port 1701 (No Authorization)
Mar 18 00:14:02 debsrv xl2tpd[12525]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Mar 18 00:14:02 debsrv xl2tpd[12525]: handle_packet: bad control packet!
Mar 18 00:14:07 debsrv xl2tpd[12525]: Unable to deliver closing message for tunnel 8674. Destroying anyway.

When I noticed that and decreased it:

Mar 18 00:14:02 debsrv xl2tpd[12525]: control_finish: Denied connection to unauthorized peer 92.37.202.230
Mar 18 00:14:02 debsrv xl2tpd[12525]: Connection 29 closed to 92.37.202.230, port 1701 (No Authorization)
Mar 18 00:14:02 debsrv xl2tpd[12525]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Mar 18 00:14:02 debsrv xl2tpd[12525]: handle_packet: bad control packet!
Mar 18 00:14:04 debsrv xl2tpd[12525]: udp_xmit failed with err=-1:Operation not permitted
Mar 18 00:14:05 debsrv xl2tpd[12525]: udp_xmit failed with err=-1:Operation not permitted
Mar 18 00:14:06 debsrv xl2tpd[12525]: udp_xmit failed with err=-1:Operation not permitted
Mar 18 00:14:07 debsrv xl2tpd[12525]: Unable to deliver closing message for tunnel 8674. Destroying anyway.

pppd reports nothing when the client tries to connect...

Pluto reports from auth.log:

Mar 22 20:28:31 debsrv ipsec__plutorun: Starting Pluto subsystem...
Mar 22 20:28:31 debsrv pluto[4241]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:4241
Mar 22 20:28:31 debsrv pluto[4241]: SAref support [disabled]: Protocol not available
Mar 22 20:28:31 debsrv pluto[4241]: SAbind support [disabled]: Protocol not available
Mar 22 20:28:31 debsrv pluto[4241]: Setting NAT-Traversal port-4500 floating to on
Mar 22 20:28:31 debsrv pluto[4241]:    port floating activation criteria nat_t=1/port_float=1
Mar 22 20:28:31 debsrv pluto[4241]:    NAT-Traversal support  [enabled]
Mar 22 20:28:31 debsrv pluto[4241]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: starting up 3 cryptographic helpers
Mar 22 20:28:31 debsrv pluto[4241]: started helper pid=4245 (fd:7)
Mar 22 20:28:31 debsrv pluto[4241]: started helper pid=4246 (fd:8)
Mar 22 20:28:31 debsrv pluto[4245]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4246]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4247]: using /dev/urandom as source of random entropy
Mar 22 20:28:31 debsrv pluto[4241]: started helper pid=4247 (fd:9)
Mar 22 20:28:31 debsrv pluto[4241]: Using Linux 2.6 IPsec interface code on 2.6.32-5-686 (experimental code)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_add(): ERROR: Algorithm already exists
Mar 22 20:28:31 debsrv pluto[4241]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Mar 22 20:28:31 debsrv pluto[4241]: Changed path to directory '/etc/ipsec.d/cacerts'
Mar 22 20:28:31 debsrv pluto[4241]:   loaded CA cert file 'cacert.pem' (4404 bytes)
Mar 22 20:28:31 debsrv pluto[4241]: Changed path to directory '/etc/ipsec.d/aacerts'
Mar 22 20:28:31 debsrv pluto[4241]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Mar 22 20:28:31 debsrv pluto[4241]: Changing to directory '/etc/ipsec.d/crls'
Mar 22 20:28:31 debsrv pluto[4241]:   loaded crl file 'crl.pem' (601 bytes)
Mar 22 20:28:31 debsrv pluto[4241]: loading certificate from /etc/ipsec.d/certs/ipsec-server.home.pem 
Mar 22 20:28:31 debsrv pluto[4241]:   loaded host cert file '/etc/ipsec.d/certs/ipsec-server.home.pem' (3614 bytes)
Mar 22 20:28:31 debsrv pluto[4241]:   no subjectAltName matches ID '%fromcert', replaced by subject DN
Mar 22 20:28:31 debsrv pluto[4241]: added connection description "home"
Mar 22 20:28:31 debsrv pluto[4241]: listening for IKE messages
Mar 22 20:28:31 debsrv pluto[4241]: NAT-Traversal: Trying new style NAT-T
Mar 22 20:28:31 debsrv pluto[4241]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Mar 22 20:28:31 debsrv pluto[4241]: NAT-Traversal: Trying old style NAT-T
Mar 22 20:28:31 debsrv pluto[4241]: adding interface ppp0/ppp0 195.128.xxx.xxx:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface ppp0/ppp0 195.128.xxx.xxx:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_lan/eth_lan 192.168.129.1:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_lan/eth_lan 192.168.129.1:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_wan/eth_wan 172.20.75.221:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface eth_wan/eth_wan 172.20.75.221:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface lo/lo 127.0.0.1:500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface lo/lo 127.0.0.1:4500
Mar 22 20:28:31 debsrv pluto[4241]: adding interface lo/lo ::1:500
Mar 22 20:28:31 debsrv pluto[4241]: loading secrets from "/etc/ipsec.secrets"
Mar 22 20:28:31 debsrv pluto[4241]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Mar 22 20:28:31 debsrv pluto[4241]:   loaded private key file '/etc/ipsec.d/private/ipsec-server.home.key' (963 bytes)
Mar 22 20:28:31 debsrv pluto[4241]: loaded private key for keyid: PPK_RSA:AwEAAdV5R
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: received Vendor ID payload [RFC 3947] method set to=109 
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 22 20:29:01 debsrv pluto[4241]: packet from 87.225.84.25:500: ignoring Vendor ID payload [IKE CGA version 1]
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: responding to Main Mode from unknown peer 87.225.84.25
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 22 20:29:01 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 22 20:29:02 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=RU, ST=Hab, L=Hab, O=Home, CN=drvital'
Mar 22 20:29:02 debsrv pluto[4241]: "home"[1] 87.225.84.25 #1: switched from "home" to "home"
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: deleting connection "home" instance with peer 87.225.84.25 {isakmp=#0/ipsec=#0}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: I am sending my cert
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: new NAT mapping for #1, was 87.225.84.25:500, now 87.225.84.25:4500
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: the peer proposed: 195.128.xxx.xxx/32:17/1701 -> 192.168.0.100/32:17/0
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: responding to Quick Mode proposal {msgid:01000000}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2:     us: 195.128.xxx.xxx<%ppp0>[C=RU, ST=Hab, L=Hab, O=Home, CN=debsrv,+S=C]:17/1701
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2:   them: 87.225.84.25[C=RU, ST=Hab, L=Hab, O=Home, CN=drvital,+S=C]:17/1701===192.168.0.100/32
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xccc5e22d <0x697d43d8 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.100 NATD=87.225.84.25:4500 DPD=none}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: received Delete SA(0xccc5e22d) payload: deleting IPSEC State #2
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: received and ignored informational message
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: received Delete SA payload: deleting ISAKMP State #1
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25: deleting connection "home" instance with peer 87.225.84.25 {isakmp=#0/ipsec=#0}
Mar 22 20:29:02 debsrv pluto[4241]: packet from 87.225.84.25:4500: received and ignored informational message
Mar 22 20:29:03 debsrv pluto[4241]: initiate on demand from 195.128.xxx.xxx:1701 to 87.225.84.25:1701 proto=17 state: fos_start because: acquire

Conclusion

I tried to make it work many times with many different variations of config options, and did not succeed.
I suspect a possible MTU issue, or maybe I misunderstand some options...
So I need the help of experienced Debian administrators, because I am unable to resolve this myself.

Thank you very much!

Liber2
Posts: 2
Joined: 2013-03-22 09:55

Re: openswan+xl2tpd server problem

#2 Post by Liber2 »

I did try to use require authentication = no in the LNS settings section, uncommented auth file = /etc/xl2tpd/l2tp-secrets and put auth data there. Without any results.

Maybe some rules in the nat or mangle table are needed?

I cannot figure out why access is denied... And I have no idea how to get more detailed logs which could explain that.

Also I am not sure whether this is an openswan or an xl2tpd problem. Could anybody please check the pluto and xl2tpd logs and tell me which part of the stack causes the problem?
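Reading the first post's logs in handshake order answers the question of which part fails, so here is that reading as an added triage example (my code, not the poster's, openswan's or xl2tpd's). pluto reaches `ISAKMP SA established` and then `IPsec SA established transport mode`, so both IKE phases, including the RSA-signature certificate authentication, succeeded. The first failure is xl2tpd's `control_finish: Denied connection to unauthorized peer`: the L2TP control connection is refused before pppd is ever started, which is why pppd logs nothing and why the `require chap` / `l2tp-secrets` experiments in this post change nothing. The Windows client then deletes the SAs, and the later `udp_xmit failed ... Operation not permitted` is, in my reading, the kernel refusing to send plaintext UDP/1701 while the xfrm policy still demands IPsec (pluto's `initiate on demand ... because: acquire` is the matching renegotiation attempt). The script runs over a constructed, abridged subset of the posted lines and then checks the posted `[lns home-l2tp]` section against my understanding of xl2tpd's LNS choice (`get_lns()`): with `access control = no` a section named `default` is used if one exists; otherwise the peer must fall inside a `lac =` range of some section, else it is refused. `access control = yes` and `!`-negated ranges are not modelled, and the rule should be checked against xl2tpd.conf(5) for the version in use.

```python
"""Triage of one Windows L2TP/IPsec attempt against openswan + xl2tpd.
Added example (mine, not the poster's, openswan's or xl2tpd's code).
triage() reads pluto/xl2tpd syslog lines in order and names the layer the
attempt died in; lns_for_peer() applies my reading of xl2tpd's get_lns():
'access control = no' -> [lns default] wins, else a matching 'lac =' range,
else refused.  'access control = yes' and '!'-negated ranges not modelled.
"""
import ipaddress
import re

# Message texts as they appear in the post (openswan 2.6.28 pluto, xl2tpd).
PLUTO_ISAKMP_OK = re.compile(r"ISAKMP SA established")
PLUTO_IPSEC_OK = re.compile(r"IPsec SA established (\w+) mode")
PLUTO_PEER_DELETE = re.compile(r"received Delete SA.*deleting (IPSEC|ISAKMP) State")
XL2TPD_DENIED = re.compile(r"Denied connection to unauthorized peer (\S+)")
XL2TPD_EPERM = re.compile(r"udp_xmit failed .*Operation not permitted")
PPPD_LINE = re.compile(r" pppd\[\d+\]: ")
LNS_HEADER = re.compile(r"^\[lns\s+(\S+)\]$")


def triage(lines):
    """Walk the log once, in order; return findings plus a one-line verdict."""
    r = {"ike_phase1": False, "ike_phase2_mode": None, "peer_deleted_sa": False,
         "l2tp_denied_peer": None, "plaintext_1701_blocked": False,
         "pppd_seen": False, "verdict": ""}
    for line in lines:
        if PLUTO_ISAKMP_OK.search(line):
            r["ike_phase1"] = True              # RSA-sig cert auth succeeded
        elif (m := PLUTO_IPSEC_OK.search(line)):
            r["ike_phase2_mode"] = m.group(1)   # L2TP needs 'transport'
        elif PLUTO_PEER_DELETE.search(line):
            r["peer_deleted_sa"] = True         # the client tore the SA down
        elif (m := XL2TPD_DENIED.search(line)):
            r["l2tp_denied_peer"] = m.group(1)  # control_finish found no LNS
        elif XL2TPD_EPERM.search(line):
            # UDP/1701 sendto() still hits the xfrm policy demanding IPsec,
            # but the SA is gone, so the kernel answers EPERM (my reading).
            r["plaintext_1701_blocked"] = True
        elif PPPD_LINE.search(line):
            r["pppd_seen"] = True
    if not r["ike_phase1"]:
        r["verdict"] = "IKE phase 1 failed: cert/ID or proposal problem (pluto)"
    elif r["ike_phase2_mode"] is None:
        r["verdict"] = "IKE phase 2 failed: selector or mode mismatch (pluto)"
    elif r["l2tp_denied_peer"]:
        r["verdict"] = ("IPsec is up; xl2tpd refused the L2TP control connection "
                        "before PPP/CHAP ran: LNS selection ([lns default] or lac=)")
    elif not r["pppd_seen"]:
        r["verdict"] = "L2TP tunnel accepted but pppd never started"
    else:
        r["verdict"] = "tunnel and PPP started; the failure is in pppd's log"
    return r


def lns_for_peer(conf_text, peer_ip):
    """Name of the [lns ...] section xl2tpd would pick for peer_ip, or None."""
    peer = ipaddress.ip_address(peer_ip)
    sections, current, access_control = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # ';' starts a comment
        if (m := LNS_HEADER.match(line)):
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line.lower() == "[global]":
            current = "global"
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if current == "global" and key.lower() == "access control":
                access_control = val.lower() == "yes"
            elif current not in (None, "global") and key.lower() == "lac":
                sections[current].append(val)
    if access_control:
        raise NotImplementedError("only 'access control = no' is modelled")
    if "default" in sections:
        return "default"
    for name, ranges in sections.items():
        for rng in ranges:                      # 'a.b.c.d' or 'a.b.c.d-e.f.g.h'
            lo, _, hi = (s.strip() for s in rng.partition("-"))
            if ipaddress.ip_address(lo) <= peer <= ipaddress.ip_address(hi or lo):
                return name
    return None


# Constructed sample input: the poster's [lns] section with comments dropped,
# and an abridged subset of the syslog lines quoted in the first post.
SAMPLE_CONF = """\
[global]
access control = no
[lns home-l2tp]
ip range = 192.168.130.240-192.168.130.250
local ip = 192.168.130.5
"""
SAMPLE_LOG = """\
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xccc5e22d <0x697d43d8 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.100 NATD=87.225.84.25:4500 DPD=none}
Mar 22 20:29:02 debsrv xl2tpd[2520]: control_finish: Denied connection to unauthorized peer 87.225.84.25
Mar 22 20:29:02 debsrv pluto[4241]: "home"[2] 87.225.84.25 #1: received Delete SA(0xccc5e22d) payload: deleting IPSEC State #2
Mar 22 20:29:04 debsrv xl2tpd[2520]: udp_xmit failed with err=-1:Operation not permitted
""".splitlines()

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key:24} {val}")
    print("LNS as posted:", lns_for_peer(SAMPLE_CONF, "87.225.84.25"))
    print("LNS if renamed to [lns default]:", lns_for_peer(
        SAMPLE_CONF.replace("[lns home-l2tp]", "[lns default]"), "87.225.84.25"))
```

For the configuration exactly as posted, `lns_for_peer` returns `None` for 87.225.84.25, which is the same outcome xl2tpd logged as `Denied connection to unauthorized peer`; once the section is named `[lns default]`, or carries a `lac =` range that covers the peer, a section is returned. The `triage` verdict is deliberately coarse: it only says which daemon's log to read next, which is what the question in this post asks for.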

Samuel194
Posts: 1
Joined: 2019-01-10 05:32

Re: openswan+xl2tpd server problem

#3 Post by Samuel194 »

You need to enable IP forwarding, and disable the send_redirects, as per the results of the "ipsec verify" step you did.

This should do the trick:

# let the router forward between the L2TP clients and the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward
# ICMP redirects off on every interface (this is what "ipsec verify" checks)
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
# these settings do not survive a reboot; put the equivalent net.ipv4.* keys in /etc/sysctl.conf

Then run "ipsec verify" again, and that failure should go away.
