Hello all,
I've been having some problems with getting linux clients to connect to our already working infrastructure.. We're using Astaro V6 standard config for Windows access, with password authentication (against an existing Radius base).. The config works flawlessly, but now Linux users are starting to get interested too, so we need a way to get them to connect to the IPSec/L2TP configuration as well.
I've been following Jacco's tutorial on Linux IPSec/L2TP, but somehow I cannot get it to work:
Here's my current setup
Server (Astaro V6 -- ip as 111.222.2.4)
Client (Fedora 6 DVD desktop install -- ip as 111.222.30.116) with:
-- xl2tpd version : xl2tpd-1.1.06 (From yum)
-- ipsec versioncode: U2.4.5/K2.6.18-1.2798.fc6 (netkey)
currently, ipsec works flawlessly, but somehow i cannot connect thru l2tpd
here are the logfiles:
[root@airbus-fedora vpn]# ipsec auto --up VPN-Unicamp
104 "VPN-Access" #5: STATE_MAIN_I1: initiate
003 "VPN-Access" #5: ignoring unknown Vendor ID payload [4f455b7075417d5959587e46]
003 "VPN-Access" #5: received Vendor ID payload [Dead Peer Detection]
003 "VPN-Access" #5: received Vendor ID payload [RFC 3947] method set to=110
106 "VPN-Access" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "VPN-Access" #5: NAT-Traversal: Result using 3: no NAT detected
108 "VPN-Access" #5: STATE_MAIN_I3: sent MI3, expecting MR3
004 "VPN-Access" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "VPN-Access" #6: STATE_QUICK_I1: initiate
004 "VPN-Access" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1bd12d09 [root@airbus-fedora vpn]# echo "c L2TPserver" > /var/run/l2tp-control
(from the xl2tpd log)
l2tpd[24934]: do_control: Got message c L2TPserver (12 bytes long)
l2tpd[24934]: ourtid = 16686, entropy_buf = 412e
l2tpd[24934]: ourcid = 16958, entropy_buf = 423e
l2tpd[24934]: Connecting to host 111.222.2.4, port 1701
l2tpd[24934]: check_control: control, cid = 0, Ns = 0, Nr = 1
l2tpd[24934]: Connection established to 111.222.2.4, 1701. Local: 16686, Remote: 58159 (ref=0/0).
l2tpd[24934]: ourcid = 32083, entropy_buf = 7d53
l2tpd[24934]: Calling on tunnel 16686
l2tpd[24934]: check_control: control, cid = 0, Ns = 1, Nr = 2
l2tpd[24934]: check_control: control, cid = 0, Ns = 1, Nr = 3
l2tpd[24934]: Call established with 111.222.2.4, Local: 32083, Remote: 38406, Serial: 2 (ref=0/0)
l2tpd[24934]: start_pppd: I'm running:
l2tpd[24934]: "/usr/sbin/pppd"
l2tpd[24934]: "passive"
l2tpd[24934]: "-detach"
l2tpd[24934]: ":"
l2tpd[24934]: "refuse-pap"
l2tpd[24934]: "auth"
l2tpd[24934]: "require-chap"
l2tpd[24934]: "name"
l2tpd[24934]: "username"
l2tpd[24934]: "debug"
l2tpd[24934]: "file"
l2tpd[24934]: "/etc/ppp/options.l2tpd.client"
l2tpd[24934]: "/dev/pts/3"
l2tpd[24934]: check_control: control, cid = 0, Ns = 2, Nr = 3
l2tpd[24934]: check_control: control, cid = 38406, Ns = 2, Nr = 4
l2tpd[24934]: check_control: control, cid = 38406, Ns = 2, Nr = 4
l2tpd[24934]: control_finish: Connection closed to 111.222.2.4, serial 2 (Bad file descriptor)
The logfile from the server
2007:01:29-16:31:26 vpn pluto[28110]: packet from 111.222.30.116:500: ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]
2007:01:29-16:31:26 vpn pluto[28110]: packet from 111.222.30.116:500: received Vendor ID payload [Dead Peer Detection]
2007:01:29-16:31:26 vpn pluto[28110]: packet from 111.222.30.116:500: received Vendor ID payload [RFC 3947] method set to=109
2007:01:29-16:31:26 vpn pluto[28110]: packet from 111.222.30.116:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
2007:01:29-16:31:26 vpn pluto[28110]: packet from 111.222.30.116:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
2007:01:29-16:31:26 vpn pluto[28110]: packet from 111.222.30.116:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
2007:01:29-16:31:26 vpn pluto[28110]: packet from 111.222.30.116:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: responding to Main Mode from unknown peer 111.222.30.116
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: STATE_MAIN_R1: sent MR1, expecting MI2
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: NAT-Traversal: Result using 3: no NAT detected
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: STATE_MAIN_R2: sent MR2, expecting MI3
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: Main mode peer ID is ID_IPV4_ADDR: '111.222.30.116'
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: I did not send a certificate because I do not have one.
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32743: Dead Peer Detection (RFC 3706): enabled
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32744: responding to Quick Mode {msgid:10845e10}
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32744: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32744: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32744: Dead Peer Detection (RFC 3706): enabled
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32744: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
2007:01:29-16:31:26 vpn pluto[28110]: "S_L2TP_over_IPSec_1"[11446] 111.222.30.116 #32744: STATE_QUICK_R2: IPsec SA established {ESP=>0xcd70354e /etc/ipsec.conf
(all default, appended[[:)]]
conn VPN-Unicamp
authby=secret
pfs=no
rekey=no
keyingtries=3
type=transport
#
#left = ponta local
#
left=%defaultroute
leftprotoport=17/1701
#
#right = ponta remota
#
right=111.222.2.4
rightprotoport=17/1701
#
#chave on/off
#on=add / off=ignore
auto=add
/etc/xl2tpd/xl2tpd.conf
(all default, appended[[:)]]
[lac L2TPserver]
lns = 111.222.2.4
require chap = yes
refuse pap = yes
require authentication = yes
;name deve ser o mesmo que o Username da conexao PPP
name = username
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
#proxyarp
connect-delay 5000
/etc/ppp/chap-secrets
# client server secret IP addresses
username * "password" 111.222.2.4
/etc/ipsec.secrets
111.222.30.112 111.222.2.4: PSK "preSharedKey"
any help i can get would be greatly appreciated, as i can't figure out anymore what to do...
any questions/clarifications, please feel free to ask.
Thanks in advance for the support.
Guto
This thread was automatically locked due to age.