I'm busy trying to set up the L2TP VPN for several of my users and I've run up against a wall.
1) I set up L2TP w/ RADIUS on the firewall. The backend RADIUS connection works fine, showing that it connects and authenticates just fine.
2) I've set up the RADIUS server on Windows Server 2008r2 as per instructions from the knowledge bases and forum threads. For testing I allow MSCHAPv2, MSCHAP, CHAP, & PAP.
When I do try to connect, I get error 691 on the client and the following log entries:
2012:08:23-11:38:43 dclfw1 openl2tpd[22913]: Start, trace_flags=00000000
2012:08:23-11:38:43 dclfw1 openl2tpd[22913]: OpenL2TP V1.6, (c) Copyright 2004,2005,2006,2007,2008 Katalix Systems Ltd.
2012:08:23-11:38:43 dclfw1 openl2tpd[22913]: Loading plugin /usr/lib/openl2tp/ppp_unix.so, version V1.5
2012:08:23-11:38:43 dclfw1 openl2tpd[22913]: Using config file: /etc/openl2tpd.conf
2012:08:23-11:38:44 dclfw1 pluto[6513]: listening for IKE messages
2012:08:23-11:38:44 dclfw1 pluto[6513]: forgetting secrets
2012:08:23-11:38:44 dclfw1 pluto[6513]: loading secrets from "/etc/ipsec.secrets"
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 %any
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 207.194.244.26
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 216.57.191.60
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 216.57.191.58
2012:08:23-11:38:44 dclfw1 pluto[6513]: forgetting secrets
2012:08:23-11:38:44 dclfw1 pluto[6513]: loading secrets from "/etc/ipsec.secrets"
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 %any
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 207.194.244.26
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 216.57.191.60
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded PSK secret for 207.194.97.57 216.57.191.58
2012:08:23-11:38:44 dclfw1 pluto[6513]: loading ca certificates from '/etc/ipsec.d/cacerts'
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_uVxjPFduyw.pem'
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_cRLdorRLeO.pem'
2012:08:23-11:38:44 dclfw1 pluto[6513]: loaded ca certificate from '/etc/ipsec.d/cacerts/REF_khCfMAnCje.pem'
2012:08:23-11:38:44 dclfw1 pluto[6513]: loading aa certificates from '/etc/ipsec.d/aacerts'
2012:08:23-11:38:44 dclfw1 pluto[6513]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2012:08:23-11:38:44 dclfw1 pluto[6513]: loading attribute certificates from '/etc/ipsec.d/acerts'
2012:08:23-11:38:44 dclfw1 pluto[6513]: Changing to directory '/etc/ipsec.d/crls'
2012:08:23-11:38:49 dclfw1 pluto[6513]: packet from 192.168.1.133:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
2012:08:23-11:38:49 dclfw1 pluto[6513]: packet from 192.168.1.133:500: received Vendor ID payload [RFC 3947]
2012:08:23-11:38:49 dclfw1 pluto[6513]: packet from 192.168.1.133:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2012:08:23-11:38:49 dclfw1 pluto[6513]: packet from 192.168.1.133:500: ignoring Vendor ID payload [FRAGMENTATION]
2012:08:23-11:38:49 dclfw1 pluto[6513]: packet from 192.168.1.133:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2012:08:23-11:38:49 dclfw1 pluto[6513]: packet from 192.168.1.133:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2012:08:23-11:38:49 dclfw1 pluto[6513]: packet from 192.168.1.133:500: ignoring Vendor ID payload [IKE CGA version 1]
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[17] 192.168.1.133 #17927: responding to Main Mode from unknown peer 192.168.1.133
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[17] 192.168.1.133 #17927: ECP_384 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[17] 192.168.1.133 #17927: ECP_256 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[17] 192.168.1.133 #17927: NAT-Traversal: Result using RFC 3947: peer is NATed
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[17] 192.168.1.133 #17927: Peer ID is ID_IPV4_ADDR: '192.168.42.245'
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[18] 192.168.1.133 #17927: deleting connection "S_REF_IpsL2t1_1"[17] instance with peer 192.168.1.133 {isakmp=#0/ipsec=#0}
2012:08:23-11:38:49 dclfw1 pluto[6513]: | NAT-T: new mapping 192.168.1.133:500/4500)
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[18] 192.168.1.133:4500 #17927: sent MR3, ISAKMP SA established
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_0"[9] 192.168.1.133:4500 #17928: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
2012:08:23-11:38:49 dclfw1 pluto[6513]: "S_REF_IpsL2t1_0"[9] 192.168.1.133:4500 #17928: responding to Quick Mode
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Plugin radius.so loaded.
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: RADIUS plugin initialized.
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Plugin radattr.so loaded.
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: RADATTR plugin initialized.
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Plugin ippool.so loaded.
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Plugin pppol2tp.so loaded.
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: pppd 2.4.5 started by (unknown), uid 0
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: using channel 32
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Using interface ppp0
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Connect: ppp0
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Overriding mtu 1500 to 1380
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: PPPoL2TP options: lnsmode tid 34704 sid 840 debugmask 0
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: Overriding mru 1500 to mtu value 1380
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: sent [LCP ConfReq id=0x1 ]
2012:08:23-11:38:50 dclfw1 pppd-l2tp[22995]: rcvd [LCP ConfAck id=0x1 ]
2012:08:23-11:38:51 dclfw1 pluto[6513]: "S_REF_IpsL2t1_0"[9] 192.168.1.133:4500 #17928: IPsec SA established {ESP=>0x2b39e366 ]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: sent [LCP ConfRej id=0x1 ]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: rcvd [LCP ConfReq id=0x2 ]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: sent [LCP ConfAck id=0x2 ]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: Overriding mtu 1400 to 1380
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: PPPoL2TP options: lnsmode tid 34704 sid 840 debugmask 0
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: sent [CHAP Challenge id=0x26 , name = "dclfw1.dawcon.com"]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: rcvd [LCP Ident id=0x3 magic=0x74f10034 "MSRASV5.20"]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: rcvd [LCP Ident id=0x4 magic=0x74f10034 "MSRAS-0-DGCITA-110816"]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: rcvd [LCP Ident id=0x5 magic=0x74f10034 "J\035\37777777700\37777777664|\37777777724DB\37777777674\37777777725\"\37777777640\37777777740\37777777655\025U"]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: rcvd [CHAP Response id=0x26 , name = "andrewk"]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: rc_check_reply: received invalid reply digest from RADIUS server
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: Peer andrewk failed CHAP authentication
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: sent [CHAP Failure id=0x26 ""]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: Overriding mtu 1500 to 1380
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: PPPoL2TP options: lnsmode tid 34704 sid 840 debugmask 0
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: Overriding mru 1500 to mtu value 1380
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: sent [LCP TermReq id=0x2 "Authentication failed"]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: rcvd [LCP TermAck id=0x2 "Authentication failed"]
2012:08:23-11:38:52 dclfw1 pppd-l2tp[22995]: Connection terminated.
2012:08:23-11:38:53 dclfw1 pppd-l2tp[22995]: RADATTR plugin removed file /var/run/radattr.ppp0.
2012:08:23-11:38:53 dclfw1 pppd-l2tp[22995]: Exit.
2012:08:23-11:38:54 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[18] 192.168.1.133:4500 #17927: received Delete SA(0x2b39e366) payload: deleting IPSEC State #17928
2012:08:23-11:38:54 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[18] 192.168.1.133:4500 #17927: deleting connection "S_REF_IpsL2t1_0"[9] instance with peer 192.168.1.133 {isakmp=#0/ipsec=#0}
2012:08:23-11:38:54 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[18] 192.168.1.133:4500 #17927: received Delete SA payload: deleting ISAKMP State #17927
2012:08:23-11:38:54 dclfw1 pluto[6513]: "S_REF_IpsL2t1_1"[18] 192.168.1.133:4500: deleting connection "S_REF_IpsL2t1_1"[18] instance with peer 192.168.1.133 {isakmp=#0/ipsec=#0}
It looks like the PC is failing CHAP authentication after getting the IPSEC tunnel up. The question is why?
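The telling line is "rc_check_reply: received invalid reply digest from RADIUS server": pppd's radius plugin recomputes the RFC 2865 Response Authenticator (MD5 over Code, ID, Length, the Request Authenticator, the attributes and the shared secret) and rejects the reply when it does not match, which is why the user is failed before the password is ever judged. A shared secret that differs between the firewall's RADIUS client entry and the server is the classic cause. The example below is added here and is not from the original post; it reproduces that check with constructed secrets, a constructed request authenticator and a constructed Access-Accept, so the mismatch case can be seen directly.

```python
import hashlib
import hmac
import struct

RADIUS_HEADER = struct.Struct("!BBH")   # Code, Identifier, Length
ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = RADIUS_HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, server_secret):
    # What the RADIUS server sends back, signed with *its* copy of the shared secret.
    auth = response_authenticator(code, ident, attrs, request_auth, server_secret)
    return RADIUS_HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(packet, request_auth, client_secret):
    # The check the NAS (pppd's radius plugin, rc_check_reply) performs on every reply:
    # recompute the digest with the NAS's copy of the secret and compare the two.
    if len(packet) < 20:
        return False
    code, ident, length = RADIUS_HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, client_secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo(client_secret=b"firewall-side-secret", server_secret=b"firewall-side-secret"):
    # Constructed exchange: a fixed Request Authenticator (a real NAS picks 16 random
    # bytes) and an Access-Accept carrying Framed-IP-Address 10.0.0.5 (type 8, length 6).
    request_auth = bytes(range(16))
    attrs = bytes([8, 6, 10, 0, 0, 5])
    reply = build_reply(ACCESS_ACCEPT, 0x26, attrs, request_auth, server_secret)
    return check_reply(reply, request_auth, client_secret)

if __name__ == "__main__":
    print("matching secrets  :", demo())                                   # True
    print("mismatched secrets:", demo(server_secret=b"typo-on-server"))    # False
```

When the secrets differ the packet is discarded as invalid, so the server's actual verdict (Accept or Reject) never reaches pppd and the CHAP attempt fails regardless of the credentials.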