
openswan on ubuntu 14.04 LTS #75

Open
zhu4ling3 opened this issue Apr 23, 2014 · 11 comments

Comments

@zhu4ling3

I have installed xl2tpd over openswan on ubuntu 12.04_amd64 LTS, and it is running. Last week ubuntu 14.04_amd64 LTS was released, so I tried to install xl2tpd over openswan on ubuntu 14.04.
The install procedure is the same as what I did on ubuntu 12.04 LTS. But it cannot run. The differences between them may be the following:
(1) the kernel version (kernel 3.8.0-29 vs kernel 3.13.0-24)
(2) the openswan version (openswan 2.6.37 on ubuntu 12.04, and openswan 2.6.38 on ubuntu 14.04)
Can anybody help me resolve this problem?

The attachments are the following:
(1) /var/log/auth.log (attached as an image)

(2) the packets captured by Wireshark (attached as an image)

(3) the configuration of openswan and xl2tpd

  • /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it, 
#               # at startup, uncomment this.
#               #auto=add

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=162.243.136.115
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any

conn passthrough-for-non-l2tp
        type=passthrough
        left=162.243.136.115
        leftnexthop=162.243.136.115
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route
  • /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc

162.243.136.115  %any: PSK "12345678"
  • /etc/xl2tpd/xl2tpd.conf
; /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = no

[lns default]
ip range = 172.20.47.151-172.20.47.200
local ip = 172.20.47.10
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
length bit = yes
  • /etc/ppp/options.l2tpd.lns
# /etc/ppp/options.l2tpd.lns

refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mtu 1404
mru 1404
@zhangping

the same problem as me

@letoams
Contributor

letoams commented Jul 24, 2014

Can you try to add this to the ppp options file:

refuse-chap
refuse-eap
refuse-pap
refuse-mschap
require-mschap-v2

@zhangping

It works:

ipsec.conf

version 2.0

config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
protostack=netkey
force_keepalive=yes
keep_alive=60

conn l2tp-psk
authby=secret
pfs=no
auto=add
keyingtries=3
type=transport
left=106.186.127.239
leftprotoport=17/1701
right=%any
rightprotoport=17/%any

xl2tpd.conf

[global]
listen-addr = 106.186.127.239

[lns default]
ip range = 192.168.0.1-192.168.0.20
local ip = 192.168.0.21
assign ip = yes
length bit = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options

options

ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
asyncmap 0
auth
crtscts
lock
hide-password
modem
mru 1200
nodefaultroute
debug
mtu 1200
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
noipx
idle 1800
connect-delay 5000

chap-secrets

zhangxxxx * "_" 192.168.0.1/24
guoxxxx * "_" 192.168.0.1/24

ipsec.secrets

106.186.127.xxx 0.0.0.0: PSK "*******"

@fortiko

fortiko commented Aug 9, 2014

I observe exactly the same: installing via a script I wrote works 100% of the time in 12.04, for OSX and iOS clients.

With the same script/resulting setup under a fresh 14.04, the connection negotiation from the same clients that worked perfectly under 12.04 fails/stops at the exact same spot as the OP showed.

It appears that xl2tpd does not get the connection request (?) from openswan, and just sits there.

How can I help to debug this?

@fortiko

fortiko commented Aug 9, 2014

To elaborate on this: the only difference I can spot is that under 12.04 we have (note the "NATOA=none" in the last line!)

Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:aa32488c}
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14,+S=C]:17/53116
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x066d455e <0x7c3f682b xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}

whereas on 14.04 we don't have the explicit workaround and accept the peer's proposal (note the "NATOA=192.168.8.14" on the last line) and we do not enter into the L2TP-PSK-noNAT connection. Again, exact same configuration as under 12.04 where this works:

Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> 192.168.8.14/32:17/0
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:c34601b4}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>:17/1701
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14]:17/62338===192.168.8.14/32
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x04a658c6 <0x55fade1b xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.14 NATD=W.X.Y.Z:4500 DPD=enabled}

Below I include the complete logs for both 12.04 and 14.04 with the exact same configuration (in fact, I updated from that 12.04 instance to 14.04 keeping the openswan/xl2tpd configuration).

######### this one works, on a fresh 12.04

# uname -a
Linux vpn 3.2.0-59-virtual #90-Ubuntu SMP Tue Jan 7 23:02:33 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"

openswan 1:2.6.37-1
xl2tpd 1.3.1+dfsg-1ubuntu0.12.04.1
ppp 2.4.5-5ubuntu1

Aug  9 18:16:55 vpn ipsec__plutorun: Starting Pluto subsystem...
Aug  9 18:16:55 vpn pluto[14018]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:14018
Aug  9 18:16:55 vpn pluto[14018]: LEAK_DETECTIVE support [disabled]
Aug  9 18:16:55 vpn pluto[14018]: OCF support for IKE [disabled]
Aug  9 18:16:55 vpn pluto[14018]: SAref support [disabled]: Protocol not available
Aug  9 18:16:55 vpn pluto[14018]: SAbind support [disabled]: Protocol not available
Aug  9 18:16:55 vpn pluto[14018]: NSS support [disabled]
Aug  9 18:16:55 vpn pluto[14018]: HAVE_STATSD notification support not compiled in
Aug  9 18:16:55 vpn pluto[14018]: Setting NAT-Traversal port-4500 floating to on
Aug  9 18:16:55 vpn pluto[14018]:    port floating activation criteria nat_t=1/port_float=1
Aug  9 18:16:55 vpn pluto[14018]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Aug  9 18:16:55 vpn pluto[14018]: using /dev/urandom as source of random entropy
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug  9 18:16:55 vpn pluto[14018]: starting up 1 cryptographic helpers
Aug  9 18:16:55 vpn pluto[14018]: started helper pid=14020 (fd:6)
Aug  9 18:16:55 vpn pluto[14018]: Using Linux 2.6 IPsec interface code on 3.2.0-59-virtual (experimental code)
Aug  9 18:16:55 vpn pluto[14020]: using /dev/urandom as source of random entropy
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug  9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug  9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug  9 18:16:55 vpn pluto[14018]: Changing to directory '/etc/ipsec.d/crls'
Aug  9 18:16:55 vpn pluto[14018]:   Warning: empty directory
Aug  9 18:16:55 vpn pluto[14018]: added connection description "L2TP-PSK-NAT"
Aug  9 18:16:55 vpn pluto[14018]: added connection description "L2TP-PSK-noNAT"
Aug  9 18:16:55 vpn pluto[14018]: listening for IKE messages
Aug  9 18:16:55 vpn pluto[14018]: adding interface eth0/eth0 A.B.C.D:500
Aug  9 18:16:55 vpn pluto[14018]: adding interface eth0/eth0 A.B.C.D:4500
Aug  9 18:16:55 vpn pluto[14018]: adding interface lo/lo 127.0.0.1:500
Aug  9 18:16:55 vpn pluto[14018]: adding interface lo/lo 127.0.0.1:4500
Aug  9 18:16:55 vpn pluto[14018]: adding interface lo/lo ::1:500
Aug  9 18:16:55 vpn pluto[14018]: loading secrets from "/etc/ipsec.secrets"
Aug  9 18:16:55 vpn pluto[14018]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=109
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:aa32488c}
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14,+S=C]:17/53116
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x066d455e <0x7c3f682b xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}

[Tunnel works perfectly, now we disconnect manually]

Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x066d455e) payload: deleting IPSEC State #2
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-noNAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 18:19:32 vpn pluto[14018]: packet from W.X.Y.Z:4500: received and ignored informational message

Aug  9 18:17:28 vpn xl2tpd[14565]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Aug  9 18:17:28 vpn xl2tpd[14565]: setsockopt recvref[30]: Protocol not available
Aug  9 18:17:28 vpn xl2tpd[14565]: This binary does not support kernel L2TP.
Aug  9 18:17:28 vpn xl2tpd[14566]: xl2tpd version xl2tpd-1.3.1 started on vpn PID:14566
Aug  9 18:17:28 vpn xl2tpd[14566]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug  9 18:17:28 vpn xl2tpd[14566]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug  9 18:17:28 vpn xl2tpd[14566]: Inherited by Jeff McAdams, (C) 2002
Aug  9 18:17:28 vpn xl2tpd[14566]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug  9 18:17:28 vpn xl2tpd[14566]: Listening on IP address A.B.C.D, port 1701
Aug  9 18:17:50 vpn xl2tpd[14566]: control_finish: Peer requested tunnel 93 twice, ignoring second one.
Aug  9 18:17:50 vpn xl2tpd[14566]: Connection established to W.X.Y.Z, 53116.  Local: 21640, Remote: 93 (ref=0/0).  LNS session is 'default'
Aug  9 18:17:50 vpn xl2tpd[14566]: start_pppd: I'm running:
Aug  9 18:17:50 vpn xl2tpd[14566]: "/usr/sbin/pppd"
Aug  9 18:17:50 vpn xl2tpd[14566]: "passive"
Aug  9 18:17:50 vpn xl2tpd[14566]: "nodetach"
Aug  9 18:17:50 vpn xl2tpd[14566]: "10.1.1.1:10.1.1.2"
Aug  9 18:17:50 vpn xl2tpd[14566]: "refuse-pap"
Aug  9 18:17:50 vpn xl2tpd[14566]: "refuse-chap"
Aug  9 18:17:50 vpn xl2tpd[14566]: "auth"
Aug  9 18:17:50 vpn xl2tpd[14566]: "debug"
Aug  9 18:17:50 vpn xl2tpd[14566]: "file"
Aug  9 18:17:50 vpn xl2tpd[14566]: "/etc/ppp/options.xl2tpd"
Aug  9 18:17:50 vpn xl2tpd[14566]: "ipparam"
Aug  9 18:17:50 vpn xl2tpd[14566]: "W.X.Y.Z"
Aug  9 18:17:50 vpn xl2tpd[14566]: "/dev/pts/4"
Aug  9 18:17:50 vpn xl2tpd[14566]: Call established with W.X.Y.Z, Local: 52578, Remote: 7838, Serial: 1
Aug  9 18:17:50 vpn pppd[14906]: pppd 2.4.5 started by root, uid 0
Aug  9 18:17:50 vpn pppd[14906]: using channel 3
Aug  9 18:17:50 vpn pppd[14906]: Using interface ppp0
Aug  9 18:17:50 vpn pppd[14906]: Connect: ppp0 <--> /dev/pts/4
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1621ada0> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x674b0976> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x674b0976> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP ConfAck id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1621ada0> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP EchoReq id=0x0 magic=0x1621ada0]
Aug  9 18:17:50 vpn pppd[14906]: sent [CHAP Challenge id=0xc6 <5d1a4938707bc9b1781ad45d5a8739f5>, name = "l2tpd"]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP EchoReq id=0x0 magic=0x674b0976]
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP EchoRep id=0x0 magic=0x1621ada0]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP EchoRep id=0x0 magic=0x674b0976]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [CHAP Response id=0xc6 <ba3c5af1be64e99cba126bb7024326ae000000000000000055c0937ef8d0188e2b1ec27e0f1d866cdfbd2ce0d4ee2de800>, name = "VPN_USERNAME"]
Aug  9 18:17:50 vpn pppd[14906]: sent [CHAP Success id=0xc6 "S=367F80A803A2405D8FE6A49720691A1F8412473D M=Access granted"]
Aug  9 18:17:50 vpn pppd[14906]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.1.1.1>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfNak id=0x1 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPV6CP ConfReq id=0x1 <addr fe80::6203:08ff:fe9d:2e4a>]
Aug  9 18:17:50 vpn pppd[14906]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 62 03 08 ff fe 9d 2e 4a]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Aug  9 18:17:50 vpn pppd[14906]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfReq id=0x2 <addr 10.1.1.1>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfReq id=0x2 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfAck id=0x2 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfAck id=0x2 <addr 10.1.1.1>]
Aug  9 18:17:50 vpn pppd[14906]: Cannot determine ethernet address for proxy ARP
Aug  9 18:17:50 vpn pppd[14906]: local  IP address 10.1.1.1
Aug  9 18:17:50 vpn pppd[14906]: remote IP address 10.1.1.2
Aug  9 18:17:50 vpn pppd[14906]: Script /etc/ppp/ip-up started (pid 14909)
Aug  9 18:17:50 vpn pppd[14906]: Script /etc/ppp/ip-up finished (pid 14909), status = 0x0
Aug  9 18:18:20 vpn pppd[14906]: sent [LCP EchoReq id=0x1 magic=0x1621ada0]
Aug  9 18:18:20 vpn pppd[14906]: rcvd [LCP EchoRep id=0x1 magic=0x674b0976]
Aug  9 18:18:50 vpn pppd[14906]: rcvd [LCP EchoReq id=0x1 magic=0x674b0976]
Aug  9 18:18:50 vpn pppd[14906]: sent [LCP EchoRep id=0x1 magic=0x1621ada0]
Aug  9 18:18:50 vpn pppd[14906]: sent [LCP EchoReq id=0x2 magic=0x1621ada0]
Aug  9 18:18:50 vpn pppd[14906]: rcvd [LCP EchoRep id=0x2 magic=0x674b0976]
Aug  9 18:19:20 vpn pppd[14906]: sent [LCP EchoReq id=0x3 magic=0x1621ada0]
Aug  9 18:19:20 vpn pppd[14906]: rcvd [LCP EchoRep id=0x3 magic=0x674b0976]

[Tunnel works perfectly, now we disconnect manually]

Aug  9 18:19:32 vpn pppd[14906]: rcvd [LCP TermReq id=0x3 "User request"]
Aug  9 18:19:32 vpn pppd[14906]: LCP terminated by peer (User request)
Aug  9 18:19:32 vpn pppd[14906]: Connect time 1.7 minutes.
Aug  9 18:19:32 vpn pppd[14906]: Sent 213174 bytes, received 103569 bytes.
Aug  9 18:19:32 vpn xl2tpd[14566]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
Aug  9 18:19:32 vpn xl2tpd[14566]: control_finish: Connection closed to W.X.Y.Z, serial 1 ()
Aug  9 18:19:32 vpn xl2tpd[14566]: Terminating pppd: sending TERM signal to pid 14906
Aug  9 18:19:32 vpn xl2tpd[14566]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
Aug  9 18:19:32 vpn xl2tpd[14566]: control_finish: Connection closed to W.X.Y.Z, port 53116 (), Local: 21640, Remote: 93
Aug  9 18:19:32 vpn pppd[14906]: Script /etc/ppp/ip-down started (pid 16430)
Aug  9 18:19:32 vpn pppd[14906]: sent [LCP TermAck id=0x3]
Aug  9 18:19:32 vpn pppd[14906]: Terminating on signal 15
Aug  9 18:19:32 vpn pppd[14906]: Modem hangup
Aug  9 18:19:32 vpn pppd[14906]: Connection terminated.
Aug  9 18:19:32 vpn pppd[14906]: Script /etc/ppp/ip-down finished (pid 16430), status = 0x0
Aug  9 18:19:32 vpn pppd[14906]: Exit.

######### this one is broken, on 14.04 (updated from the 12.04 above)

# uname -a
Linux vpn 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

openswan 1:2.6.38-1
xl2tpd 1.3.6+dfsg-1
ppp 2.4.5-5.1ubuntu2

Aug  9 20:08:20 vpn ipsec__plutorun: Starting Pluto subsystem...
Aug  9 20:08:20 vpn pluto[1815]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:1815
Aug  9 20:08:20 vpn pluto[1815]: LEAK_DETECTIVE support [disabled]
Aug  9 20:08:20 vpn pluto[1815]: OCF support for IKE [disabled]
Aug  9 20:08:20 vpn pluto[1815]: SAref support [disabled]: Protocol not available
Aug  9 20:08:20 vpn pluto[1815]: SAbind support [disabled]: Protocol not available
Aug  9 20:08:20 vpn pluto[1815]: NSS support [disabled]
Aug  9 20:08:20 vpn pluto[1815]: HAVE_STATSD notification support not compiled in
Aug  9 20:08:20 vpn pluto[1815]: Setting NAT-Traversal port-4500 floating to on
Aug  9 20:08:20 vpn pluto[1815]:    port floating activation criteria nat_t=1/port_float=1
Aug  9 20:08:20 vpn pluto[1815]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Aug  9 20:08:20 vpn pluto[1815]: using /dev/urandom as source of random entropy
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: starting up 1 cryptographic helpers
Aug  9 20:08:20 vpn pluto[1815]: started helper pid=1820 (fd:6)
Aug  9 20:08:20 vpn pluto[1815]: Using Linux 2.6 IPsec interface code on 3.13.0-32-generic (experimental code)
Aug  9 20:08:20 vpn pluto[1820]: using /dev/urandom as source of random entropy
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: added connection description "L2TP-PSK-NAT"
Aug  9 20:08:20 vpn pluto[1815]: added connection description "L2TP-PSK-noNAT"
Aug  9 20:08:20 vpn pluto[1815]: listening for IKE messages
Aug  9 20:08:20 vpn pluto[1815]: adding interface eth0/eth0 A.B.C.D:500
Aug  9 20:08:20 vpn pluto[1815]: adding interface eth0/eth0 A.B.C.D:4500
Aug  9 20:08:20 vpn pluto[1815]: adding interface lo/lo 127.0.0.1:500
Aug  9 20:08:20 vpn pluto[1815]: adding interface lo/lo 127.0.0.1:4500
Aug  9 20:08:20 vpn pluto[1815]: adding interface lo/lo ::1:500
Aug  9 20:08:20 vpn pluto[1815]: loading secrets from "/etc/ipsec.secrets"
Aug  9 20:08:20 vpn pluto[1815]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Aug  9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug  9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> 192.168.8.14/32:17/0
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:c34601b4}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>:17/1701
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14]:17/62338===192.168.8.14/32
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x04a658c6 <0x55fade1b xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.14 NATD=W.X.Y.Z:4500 DPD=enabled}
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x04a658c6) payload: deleting IPSEC State #2
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 20:09:08 vpn pluto[1815]: packet from W.X.Y.Z:4500: received and ignored informational message
Aug  9 20:08:20 vpn ipsec_setup: Starting Openswan IPsec U2.6.38/K3.13.0-32-generic...
Aug  9 20:08:20 vpn ipsec_setup: Using NETKEY(XFRM) stack
Aug  9 20:08:20 vpn kernel: [ 3221.784634] Initializing XFRM netlink socket
Aug  9 20:08:20 vpn kernel: [ 3221.797310] sha512_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug  9 20:08:20 vpn kernel: [ 3221.799575] sha256_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug  9 20:08:20 vpn kernel: [ 3221.804761] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.807889] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.809872] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.815598] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.818569] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.823023] AVX or AES-NI instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.824892] AVX or AES-NI instructions are not detected.
Aug  9 20:08:20 vpn ipsec_setup: ...Openswan IPsec started
Aug  9 20:08:20 vpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug  9 20:08:20 vpn pluto: adjusting ipsec.d to /etc/ipsec.d
Aug  9 20:08:20 vpn xl2tpd[765]: death_handler: Fatal signal 15 received
Aug  9 20:08:20 vpn ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Aug  9 20:08:20 vpn ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Aug  9 20:08:21 vpn xl2tpd[1869]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Aug  9 20:08:21 vpn xl2tpd[1869]: setsockopt recvref[30]: Protocol not available
Aug  9 20:08:21 vpn xl2tpd[1869]: This binary does not support kernel L2TP.
Aug  9 20:08:21 vpn xl2tpd[1870]: xl2tpd version xl2tpd-1.3.6 started on vpn PID:1870
Aug  9 20:08:21 vpn xl2tpd[1870]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug  9 20:08:21 vpn xl2tpd[1870]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug  9 20:08:21 vpn xl2tpd[1870]: Inherited by Jeff McAdams, (C) 2002
Aug  9 20:08:21 vpn xl2tpd[1870]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug  9 20:08:21 vpn xl2tpd[1870]: Listening on IP address A.B.C.D, port 1701

@fortiko

fortiko commented Aug 9, 2014

And just to top this off: I downgraded from openswan 1:2.6.38-1 in 14.04 to the default openswan 1:2.6.37-1 in 12.04 (from here: http://www.ubuntuupdates.org/package/core/precise/universe/base/openswan) and upon connecting, it immediately works, going as expected into the noNAT connection:

Aug  9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug  9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:3afd96d1}
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14,+S=C]:17/50422
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x01f803a1 <0x277af5b3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}

@letoams
Contributor

letoams commented Aug 9, 2014

On Sat, 9 Aug 2014, fortiko wrote:

> Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] 79.146.9.211 #1: the peer proposed: 78.46.240.127/32:17/1701 -> 79.146.9.211/32:17/0
>
> whereas on 14.04 we don't have the explicit workaround and accept the peer's proposal (note the "NATOA=192.168.8.14" on the last line)
> and we do not enter into the L2TP-PSK-noNAT connection. Again, exact same configuration as under 12.04 where this works:
>
> Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] 79.146.9.211 #1: the peer proposed: 78.46.240.127/32:17/1701 -> 192.168.8.14/32:17/0

That is a bug with transport mode using the wrong IP address. I don't
know which versions of openswan are broken and which are fixed. But it
seems unrelated to the version of ubuntu (other than what they ship for
openswan).

> openswan 1:2.6.37-1
>
> ######### this one is broken, on 14.04 (updated from the 12.04 above)
>
> openswan 1:2.6.38-1

Upstream openswan is dead. While I maintain openswan in RHEL6 (which
is 2.6.32 plus 80+ patches) we ship libreswan (a fork from 2.6.38)
in RHEL7. Libreswan has no issues with transport mode that I'm aware of.

Paul

@fortiko

fortiko commented Aug 11, 2014

Thanks for the clarifications. I was not aware that upstream openswan was dead, so I guess I have to wait for the libreswan packages to arrive and then adapt my script!

@zhu4ling3
Author

Thank you, zhangping.
I will confirm your configuration works.

@han-cheng6

I've got the same problem.
zhangping's solution does solve the problem.

@quantonganh

In @zhangping's config, the real part which makes it work is that he merges the two conns into only one. Mine (and the other one) is:

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    ...

while his is:

conn l2tp-psk
    authby=secret
    pfs=no
    auto=add
    ...

As @fortiko pointed out, the only difference in the log is:

12.04

pluto[9561]: "L2TP-PSK-noNAT"[2] x.y.z.t #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x03e24f47 <0x328dfaeb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=a.b.c.d:13744 DPD=none}
pppd[9632]: pppd 2.4.5 started by root, uid 0
pppd[9632]: using channel 42
pppd[9632]: Using interface ppp0
pppd[9632]: Connect: ppp0 <--> /dev/pts/8

14.04:

pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #7: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0570a2cf <0x31e16ae6 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.104 NATD=58.187.166.x:62150 DPD=none}
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received Delete SA(0x0570a2cf) payload: deleting IPSEC State #7
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received and ignored informational message
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received Delete SA payload: deleting ISAKMP State #6
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x: deleting connection "L2TP-PSK-NAT" instance with peer 58.187.166.x {isakmp=#0/ipsec=#0}

I don't know why it received Delete SA after transport mode was established, and didn't try L2TP-PSK-noNAT. If I define only one conn, everything is OK (same as 12.04).

Can someone explain this to me?
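The symptom that letoams and quantonganh describe above is visible in the pluto log alone: the SA is established in the `*-NAT` conn with `NATOA=` set to the peer's private address and is then torn down by a `Delete SA` for the same SPI, whereas the working case lands in `*-noNAT` with `NATOA=none`. The scanner below is an added example (not part of this issue or of Openswan) that flags that pattern in a pasted log; the sample lines are constructed after the excerpts in the thread, and the `W.X.Y.Z` peer placeholder is kept as in the thread.

```python
"""Flag the L2TP transport-mode symptom from this thread in Openswan pluto logs:
an IPsec SA established with a private NAT-OA that the peer then deletes."""
import ipaddress
import re

# Constructed sample, modelled on the 14.04 (failing) and 12.04 (working) excerpts above.
SAMPLE_LOG = """\
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x04a658c6 <0x55fade1b xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.14 NATD=W.X.Y.Z:4500 DPD=enabled}
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x04a658c6) payload: deleting IPSEC State #2
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x01f803a1 <0x277af5b3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
"""

# "ESP=>" (no NAT-T) and "ESP/NAT=>" both occur in the thread's logs.
ESTABLISHED = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<st>\d+): STATE_QUICK_R2: IPsec SA established '
    r'(?P<mode>\w+) mode \{ESP(?:/NAT)?=>(?P<spi>0x[0-9a-f]+).*?NATOA=(?P<natoa>[^\s}]+)')
DELETED = re.compile(
    r'received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<st>\d+)')


def _is_private(natoa):
    """True when the NAT-OA is an RFC 1918-style private address (not 'none')."""
    try:
        return natoa != "none" and ipaddress.ip_address(natoa).is_private
    except ValueError:  # not an IP literal; treat as not private
        return False


def analyze(log_text):
    """Return one record per established IPsec SA, in log order, with a verdict:
    'suspect' = private NAT-OA and the peer deleted the SA (the thread's failing case),
    'ok' otherwise (e.g. the noNAT conn with NATOA=none)."""
    sas = {}  # outbound SPI -> record; dicts keep insertion order
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            natoa = m.group("natoa")
            sas[m.group("spi")] = {"conn": m.group("conn"), "spi": m.group("spi"),
                                   "mode": m.group("mode"), "natoa": natoa,
                                   "private_natoa": _is_private(natoa), "deleted": False}
            continue
        m = DELETED.search(line)
        if m and m.group("spi") in sas:
            sas[m.group("spi")]["deleted"] = True
    for rec in sas.values():
        rec["verdict"] = "suspect" if rec["private_natoa"] and rec["deleted"] else "ok"
    return list(sas.values())


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(f'{rec["verdict"]:8} {rec["conn"]:16} spi={rec["spi"]} NATOA={rec["natoa"]}')
```

Run it over `/var/log/auth.log` (or a pasted excerpt) to see whether a client is being torn down right after landing in the NAT conn, which is the pattern the merged single-conn configuration avoids.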
