Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Mon Aug 18, 2014 8:56 am | Post subject: VPN Client not connecting [SOLVED]

Hi there,

For the past week and a bit I have been trying to connect to my office VPN, without success. The instructions for connecting presume the client is a Windows 7 system. The VPN is "IPSec (L2TP/IPSEC)" using a Pre-Shared Key.

For the purpose of this post I will use fake details and values:

    gateway: vpn.office.com
    PSK: vpn-office-com
    username: your-login-username
    password: your-login-password
    domain (optional): office-name

What I have tried so far includes:

- compiled every IPSEC kernel module -> No appreciable difference.
- KVPN -> Gives an error, racoon config error, and a long list of other debug info which, as it is security related, I don't want to post indiscriminately.
- VPNC -> reports "No response from target" (Cisco and regular UDP). I have tried setting various ports to use: 47, 50, 51, 443, 500, 1701, 1723, 10000.
- Strongswan -> the daemon starts but I cannot find evidence of a connection. ipsec.conf and ipsec.secret configured for the above details respectively.

I can only guess that this isn't a firewall issue as a colleague who already connects to the VPN can only do so using a virtual machine running Windows 7. My colleague says this is because of firewall and routing issues from his Linux desktop. My assertion being that the virtual machine has to pass through the host and any other firewall in his network.

Please help...

Last edited by Duco Ergo Sum on Tue Oct 14, 2014 12:11 am; edited 1 time in total
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Tue Aug 19, 2014 8:56 pm | Post subject:

I wrote a Gentoo wiki article covering setting up the server side of it: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server . Because all the protocols (ipsec, l2tp and pppd) are peer-to-peer, configuring it on the client side has a lot of similarities.
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Thu Aug 21, 2014 7:59 am | Post subject:

Thank you. I think what I need is the "IPsec ID" (group id/name) parameter. I have a working Windows system now so I'll interrogate that.
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Mon Aug 25, 2014 10:20 pm | Post subject:

This is really frustrating. I now have:
- VPNC which times out without much indication of anything happening.
- StrongSwan which starts but I don't see any sign of a VPN nor have I found a way to test it.
- OpenL2TP which I've had to install an overlay (booboo) to get. This doesn't seem to be able to initiate sessions, tunnel id not found, while tunnel show - shows the tunnel I configured.
- NetworkManager seems to permit a sub-set of functionality in its configuration of different sub-systems but it protests that it's unable to find an agent when I try to start a session.

Additionally, I've experimented with Windows. The initial setup is tricky but the VPN works. No additional data needed. With security in mind I'm sure, they've hidden the config details from prying eyes, thus thwarting my plan to find the IPsec ID there. I am starting to question if this is a proprietary MS VPN implementation or could my system be just missing one little screw somewhere?

I have read the IPsec L2TP VPN server wiki page and attempted to adapt its wisdom to my needs but unfortunately unsuccessfully.

Please tell me how I can test a VPN connection, just to see if it exists?
--
You know you really need help when the voices tell you that you're becoming obsessed!
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Wed Aug 27, 2014 3:39 am | Post subject:

The first, and most difficult, layer is the ipsec layer. Here's a simple config file you can adapt. As the wiki page shows, uncomment the "include" line at the very bottom of /etc/ipsec.conf and create a /etc/ipsec.d/office.vpn.com.conf with content similar to the following:

Code:
    conn vpnclient
        type=transport
        authby=secret
        pfs=no
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add

Don't forget to create a /etc/ipsec.d/office.vpn.com.secret file too:

Code:
    vpn.office.com %any : PSK "vpn-office-com"

Then start the ipsec service, and bring up your connection with "ipsec auto --up vpnclient". If you get a line in the log similar to "STATE_QUICK_I2: Sent QI2, IPsec SA established...." then you have ipsec connectivity. ipsec is the hard part. Once you've got that, the l2tp tunnel is much simpler.
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Thu Aug 28, 2014 12:48 am | Post subject:

Hello Salahx, Thanks for again answering, I am very grateful. The command 'ipsec up vpnclient' has been most illustrative. StrongSwan doesn't get a response from the office network either.

Code:
    initiating IKE_SA vpn.office.com[1] to 17.11.7.5
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
    ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    retransmit 1 of request with message ID 0
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
    ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    retransmit 2 of request with message ID 0
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
    ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    retransmit 3 of request with message ID 0
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
    ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    [ ... ]
    giving up after 5 retransmits

So now both VPNC and StrongSwan time out. Food for thought.
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Thu Aug 28, 2014 6:53 am | Post subject:

It's seeing SOMETHING on the other side, it's just having trouble negotiating with it. It appears it's trying to negotiate an IKEv2 connection, but we want IKEv1. So let's tweak the config a bit:

Code:
    conn vpnclient
        keyexchange=ikev1
        type=transport
        authby=secret
        pfs=no
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Thu Aug 28, 2014 8:49 am | Post subject:

Thanks. We're making progress, new response message:

Code:
    ipsec up vpn.office.com
    initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
    generating ID_PROT request 0 [ SA V V V V ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (220 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (160 bytes)
    parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
    received NO_PROPOSAL_CHOSEN error notify
    establishing connection 'vpn.office.com' failed

My installed version of StrongSwan does not support the key word. Therefore this is what my config looks like at the moment:

Code:
    conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        esp=des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Thu Aug 28, 2014 9:12 am | Post subject:

Looking in Windows Control Panel - Administrative Tools - Windows Firewall with Advanced Security - Windows Firewall Properties (IPsec Settings) - Customize IPsec Defaults (Key exchange (Main Mode) - Advanced [Customize]) - Customize Advanced Key Exchange Settings

Code:
    Security methods:
    Integrity   Encryption    Key exchange algorithm
    SHA-1       AES-CBC 128   Diffie-Hellman Group 2 (default)
    SHA-1       3DES          Diffie-Hellman Group 2

I'm off to work now but will experiment with these values when I get back.
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Thu Aug 28, 2014 4:14 pm | Post subject:

It's "pfs=no" not "psf=no". It doesn't matter anyway because the command is ignored under strongSwan and "no" is the default. You shouldn't need the "esp=des-sha1-modp1024" as it should choose the right method during the proposal process. In fact that will negotiate PFS which is NOT what you want - Microsoft's IKEv1 daemon doesn't support PFS. Note that Windows has TWO implementations of ipsec: the IKEv1 one used for the l2tp tunnel, and an IKEv2 one which is controlled via the ipsec snap-in. The Windows Firewall and other ipsec settings refer to the latter, but we want to use the former.
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Fri Aug 29, 2014 12:04 am | Post subject:

Apologies, "psf" was a typo. However, no matter how I try to configure the pfs option, I get the same result.

Code:
    parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
    received NO_PROPOSAL_CHOSEN error notify
    establishing connection 'vpn.office.com' failed
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Fri Aug 29, 2014 12:14 am | Post subject:

The pfs option is ignored in strongSwan anyway. But that "esp" line has to be removed, because I know it's wrong. If the server STILL won't accept any proposals offered by strongswan, even without the "esp" line, there's an "ike-scan" package in portage that should give some information on what proposals the gateway will accept.
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Fri Aug 29, 2014 8:45 am | Post subject:

Hi, I have used ike-scan which prompted me to change my config as below and this has generated the following information.

ike-scan output
Code:
    ike-scan --verbose vpn.office.com
    DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
    Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
    17.11.7.5  Main Mode Handshake returned HDR=(CKY-R=[Available On Request]) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=[Available On Request] (IKE Fragmentation)
    Ending ike-scan 1.9: 1 hosts scanned in 0.037 seconds (27.14 hosts/sec). 1 returned handshake; 0 returned notify

New Config
Code:
    conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add

ipsec output
Code:
    ipsec up vpn.office.com
    initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
    generating ID_PROT request 0 [ SA V V V V ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
    parsed ID_PROT response 0 [ SA V V ]
    received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received XAuth vendor ID
    received unknown vendor ID: [Available On Request]
    received unknown vendor ID: [Available On Request]
    generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
    establishing connection 'vpn.office.com' failed

Charon Log
Code:
    Aug 29 09:14:39 sveta charon: 02[CFG] received stroke: initiate 'vpn.office.com'
    Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
    Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
    Aug 29 09:14:39 sveta charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
    Aug 29 09:14:39 sveta charon: 13[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
    Aug 29 09:14:39 sveta charon: 06[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
    Aug 29 09:14:39 sveta charon: 06[ENC] parsed ID_PROT response 0 [ SA V V ]
    Aug 29 09:14:39 sveta charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 29 09:14:39 sveta charon: 06[IKE] received FRAGMENTATION vendor ID
    Aug 29 09:14:39 sveta charon: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 29 09:14:39 sveta charon: 06[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
    Aug 29 09:14:40 sveta charon: 05[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
    Aug 29 09:14:40 sveta charon: 05[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    Aug 29 09:14:40 sveta charon: 05[IKE] received Cisco Unity vendor ID
    Aug 29 09:14:40 sveta charon: 05[IKE] received XAuth vendor ID
    Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
    Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
    Aug 29 09:14:40 sveta charon: 05[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
    Aug 29 09:14:40 sveta charon: 05[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
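The step above (probe the gateway with ike-scan, then copy the accepted Phase 1 transform into strongSwan's ike= setting) is mechanical enough to script. The following is an added example written for this thread; it is not part of ike-scan, strongSwan or the posts. It parses the SA=(...) attributes from an ike-scan handshake line, maps them onto the standard strongSwan algorithm keywords, and flags the transforms that are now considered legacy. The sample line is constructed from the output quoted above, with the responder cookie and vendor ID left as placeholders because the post did not show them; the AES and notify samples are likewise constructed.

```python
"""ike-scan Main Mode handshake line -> strongSwan ike= proposal string.

Added example for this thread; not ike-scan or strongSwan code.
"""
import re

# ike-scan attribute values -> strongSwan keywords (standard names; the
# group table covers the MODP groups ike-scan labels by number).
HASH_KEYWORDS = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
                 "SHA2-384": "sha384", "SHA2-512": "sha512"}
GROUP_KEYWORDS = {"1": "modp768", "2": "modp1024", "5": "modp1536",
                  "14": "modp2048", "15": "modp3072", "16": "modp4096"}
# Transforms to flag even when the gateway insists on them: single/triple DES,
# MD5/SHA1 and MODP groups of 1024 bits or less are below current guidance.
LEGACY = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_sa(line):
    """Return the SA=(...) attributes of one ike-scan output line as a dict,
    or None if the line carries no SA payload (notify lines do not)."""
    m = re.search(r"SA=\(([^)]*)\)", line)
    if not m:
        return None
    attrs = {}
    for token in m.group(1).split():
        key, _, value = token.partition("=")
        attrs[key] = value
    return attrs


def strongswan_ike(attrs):
    """Translate parsed attributes into a strongSwan ike= transform string,
    e.g. {'Enc': '3DES', 'Hash': 'SHA1', 'Group': '2:modp1024'} -> '3des-sha1-modp1024'."""
    enc = attrs["Enc"].lower()
    if enc == "aes":
        # ike-scan reports the AES key size as a separate KeyLength attribute;
        # strongSwan folds it into the keyword (aes128, aes256, ...).
        enc += attrs.get("KeyLength", "128")
    hash_ = HASH_KEYWORDS[attrs["Hash"]]
    number, _, name = attrs["Group"].partition(":")   # "2:modp1024" or just "2"
    group = name or GROUP_KEYWORDS[number]
    return f"{enc}-{hash_}-{group}"


def legacy_components(proposal):
    """List the parts of an ike= string that should be called out as legacy."""
    return [part for part in proposal.split("-") if part in LEGACY]


# Constructed sample: the handshake line quoted in this thread, with the
# responder cookie and vendor ID replaced by placeholders.
SAMPLE_HANDSHAKE = (
    "17.11.7.5\tMain Mode Handshake returned HDR=(CKY-R=<redacted>) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) VID=<redacted> (IKE Fragmentation)"
)
# Constructed: what ike-scan prints when the gateway rejects every transform.
SAMPLE_NOTIFY = "17.11.7.5\tNotify message 14 (NO-PROPOSAL-CHOSEN)"

if __name__ == "__main__":
    attrs = parse_sa(SAMPLE_HANDSHAKE)
    proposal = strongswan_ike(attrs)
    print("ike=" + proposal)                     # ike=3des-sha1-modp1024
    print("legacy:", legacy_components(proposal))
```

Running the module against its built-in sample prints the ike= line that the post above arrived at by hand, plus the warning that all three of its components are legacy transforms; on a real scan, feed each line of `ike-scan --verbose <gateway>` through parse_sa() and skip the lines that return None.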
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Fri Aug 29, 2014 3:12 pm | Post subject:

OK, now it's accepting the proposal but it's having trouble with the PSK. It probably has to do with how the VPN server is identifying itself. So let's change the secrets file to

Code:
    : PSK "vpn-office-com"

This will make strongSwan use the key for all connections.
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Fri Aug 29, 2014 9:51 pm | Post subject:

Awesome! Thanks!

Code:
    ipsec up vpn.office.com
    initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
    generating ID_PROT request 0 [ SA V V V V ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
    parsed ID_PROT response 0 [ SA V V ]
    received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received XAuth vendor ID
    received unknown vendor ID: [Available On Request]
    received unknown vendor ID: [Available On Request]
    local host is behind NAT, sending keep alives
    generating ID_PROT request 0 [ ID HASH ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
    received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
    parsed ID_PROT response 0 [ ID HASH V ]
    received DPD vendor ID
    IDir '17.11.7.5' does not match to 'vpn.office.com'
    deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
    sending DELETE for IKE_SA vpn.office.com[1]
    generating INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
    connection 'vpn.office.com' established successfully

I have pinged my office PC and did not get any returned packets. I haven't attempted to set up the L2TP layer yet but your guide says that is insufficiently easy.

These lines though do worry me:

Code:
    IDir '17.11.7.5' does not match to 'vpn.office.com'
    deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
    sending DELETE for IKE_SA vpn.office.com[1]
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Fri Aug 29, 2014 11:03 pm | Post subject:

We're almost there, but we're not there yet. This goes back to the "how the server is identifying itself" problem with the PSK: instead of identifying itself via its name (vpn.example.com), it does so by its IP address (17.11.7.5). We just need to make one tweak:

Code:
    conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        rightid=17.11.7.5
        auto=add

Or failing that, change the value of "right=" from "vpn.office.com" to "17.11.7.5" instead. Note you still can't do anything with the connection yet, as only L2TP packets will be passed across the ipsec link (thus you cannot ping anything across the link).
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Sat Aug 30, 2014 5:21 pm | Post subject:

Perfect, next step L2TP!

Code:
    ipsec up vpn.office.com
    initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
    generating ID_PROT request 0 [ SA V V V V ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
    parsed ID_PROT response 0 [ SA V V ]
    received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received XAuth vendor ID
    received unknown vendor ID: [Available On Request]
    received unknown vendor ID: [Available On Request]
    local host is behind NAT, sending keep alives
    generating ID_PROT request 0 [ ID HASH ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
    received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
    parsed ID_PROT response 0 [ ID HASH V ]
    received DPD vendor ID
    IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
    generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
    received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
    parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
    received 28800s lifetime, configured 0s
    CHILD_SA vpn.office.com{1} established with SPIs [Available On Request] [Available On Request] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
    connection 'vpn.office.com' established successfully

Thanks.

I expect as soon as I try L2TP I'll be back here confused as ever. Either way, I'll report back.
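Each charon line quoted in the posts above pointed at one specific change: the IKEv2-on-IKEv1 notice led to keyexchange=ikev1, NO_PROPOSAL_CHOSEN led to ike-scan and ike=, INVAL_KE was cleared by the wildcard PSK entry, and the IDir mismatch by rightid=. The script below is an added example written for this thread (not strongSwan code and not from either poster) that encodes those signature-to-fix pairs as rules and runs them over log lines. One detail from the Aug 29 9:51 pm post is worth building in: charon printed "connection 'vpn.office.com' established successfully" immediately after deleting the IKE_SA, so the script only treats a "CHILD_SA ... established with SPIs" line (as in the Aug 30 post) as proof that the IPsec SA is up. The sample lines are constructed from the quotes above.

```python
"""Triage strongSwan (charon) IKEv1 client log lines using the failure
signatures seen in this thread.  Added example; not strongSwan code.
"""
import re

# (regex over one log line, diagnosis).  {0}, {1} are filled from the regex
# groups.  Each diagnosis is the fix that resolved that signature in this
# thread, not a general statement about every gateway.
RULES = [
    (r"ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA",
     "gateway answers IKEv1 only: add keyexchange=ikev1 to the conn"),
    (r"received NO_PROPOSAL_CHOSEN error notify",
     "phase 1 proposal rejected: probe with ike-scan and set ike= to the "
     "accepted transform; remove any esp=/pfs setting the gateway cannot do"),
    (r"N\(INVAL_KE\)",
     "proposal accepted but the exchange failed afterwards: in this thread "
     "resolved by a wildcard secret (: PSK \"...\") in ipsec.secrets"),
    (r"IDir '([^']+)' does not match to '([^']+)'",
     "gateway identifies itself as {0}, not {1}: set rightid={0}"),
    (r"giving up after (\d+) retransmits",
     "no usable reply after {0} retransmits: IKE is not being negotiated at all"),
    (r"CHILD_SA \S+\{\d+\} established with SPIs",
     "IPsec SA up: the transport-mode SA for udp/l2tp exists"),
    (r"connection '[^']+' established successfully",
     "status line only, not proof of an SA (it followed an IKE_SA delete "
     "in this thread)"),
]


def triage(lines):
    """Return [(line, diagnosis)] for every line matching a rule, in log order.
    The first matching rule wins, so each line yields at most one finding."""
    findings = []
    for line in lines:
        for pattern, diagnosis in RULES:
            m = re.search(pattern, line)
            if m:
                findings.append((line.strip(), diagnosis.format(*m.groups())))
                break
    return findings


def ipsec_sa_up(lines):
    """True only if a CHILD_SA was established and not torn down later in the log."""
    up = False
    for line in lines:
        if re.search(r"CHILD_SA \S+\{\d+\} established with SPIs", line):
            up = True
        elif re.search(r"closing CHILD_SA|deleting IKE_SA", line):
            up = False
    return up


# Constructed sample: one line from each failing stage quoted in the thread,
# ending with the misleading status line from the Aug 29 9:51 pm log.
SAMPLE_LOG = """\
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
giving up after 5 retransmits
received NO_PROPOSAL_CHOSEN error notify
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
connection 'vpn.office.com' established successfully
""".splitlines()

if __name__ == "__main__":
    for line, diagnosis in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {diagnosis}")
    print("IPsec SA up:", ipsec_sa_up(SAMPLE_LOG))   # False
```

In use, pipe the charon lines for one connection attempt into triage() (for example the output of `ipsec up <conn>`, or the charon entries from syslog) and act on the first finding; ipsec_sa_up() gives the yes/no answer the original poster was asking for when they asked how to test whether a VPN connection exists at the IPsec layer.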
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Sat Aug 30, 2014 10:04 pm | Post subject:

I thought this might happen.

/etc/xl2tpd/xl2tpd.conf
Code:
    [global]                                ; Global parameters:
    port = 1701                             ; * Bind to port 1701
    ; auth file = /etc/l2tpd/l2tp-secrets   ; * Where our challenge secrets are
    access control = no                     ; * Refuse connections without IP match
    ; rand source = dev                     ; Source for entropy for random
    ;                                       ; numbers, options are:
    ;                                       ; dev - reads of /dev/urandom
    ;                                       ; sys - uses rand()
    ;                                       ; egd - reads from egd socket
    ;                                       ; egd is not yet implemented
    [lns default]                           ; Our fallthrough LNS definition
    ; ip range = 192.168.0.1-192.168.0.20   ; * Allocate from this IP range
    ; ip range = lac1-lac2                  ; * And anything from lac1 to lac2's IP
    ; lac = 192.168.1.4 - 192.168.1.8       ; * These can connect as LAC's
    ; no lac = untrusted.marko.net          ; * This guy can't connect
    ; hidden bit = no                       ; * Use hidden AVP's?
    local ip = 1.2.3.4                      ; * Our local IP to use
    ; refuse authentication = no            ; * Refuse authentication altogether
    require authentication = yes            ; * Require peer to authenticate
    unix authentication = no                ; * Use /etc/passwd for auth.
    name = vpn.office.com                   ; * Report this as our hostname
    pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file

/etc/ppp/options.l2tpd
Code:
    noccp
    auth
    crtscts
    mtu 1410
    mru 1410
    nodefaultroute
    lock
    proxyarp
    silent

I started xl2tpd with: /etc/init.d/xl2tpd start

Then nothing. I'm sure I'm missing something; this is a client after all and your instructions are for a server. So close!
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Sun Aug 31, 2014 8:46 am | Post subject:

Configuring an l2tp client is different from the server - thankfully the client side is even easier. The /etc/xl2tpd/xl2tpd.conf is even simpler than the server one:

Code:
    [lac vpnclient]
    lns = vpn.office.com
    pppoptfile = /etc/ppp/options.xl2tpd.client

You may not need the /etc/ppp/options.xl2tpd.client file (in which case comment that line out), but if you do, here's one that should work:

Code:
    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-mschap-v2
    noccp
    noauth
    mtu 1410
    mru 1410
    nodefaultroute
    usepeerdns
    lock
    #debug

Start up the xl2tpd service, then initiate a connection:

Code:
    xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password

Note TWO backslashes (the OFFICE-NAME\\ part may be optional). xl2tpd may fail with "open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading". If you see this, just do a "mkdir /var/run/xl2tpd". Note that xl2tpd-control will always just return "00 OK"; to actually see if it works, you need to check the system logs.
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Sun Aug 31, 2014 11:58 pm | Post subject:

Hi, I have now tried a number of variations on a theme. Mostly where vpn.office.com could mean the URL vpn.office.com or the ipsec connection name VPN.OFFICE.COM, capitalised to emphasise the distinction of these two roles. Also with and without OFFICE-NAME\\login-name login-password and in combination with including/excluding options.xl2tpd.client.

/etc/xl2tpd/xl2tpd.conf
Code:
    [lac vpnclient]
    lns = vpn.office.com
    pppoptfile = /etc/ppp/options.xl2tpd.client

/etc/ppp/options.xl2tpd.client
Code:
    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-mschap-v2
    noccp
    noauth
    mtu 1410
    mru 1410
    nodefaultroute
    usepeerdns
    lock

Code:
    xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password

Code:
    Sep 1 00:39:58 sveta xl2tpd[4845]: Connecting to host vpn.office.com, port 1701
    Sep 1 00:40:01 sveta cron[4865]: (OhCaptian) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
    Sep 1 00:40:03 sveta xl2tpd[4845]: Maximum retries exceeded for tunnel 16278. Closing.
    Sep 1 00:40:03 sveta xl2tpd[4845]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
    Sep 1 00:40:08 sveta xl2tpd[4845]: Unable to deliver closing message for tunnel 16278. Destroying anyway.

If I get the opportunity, I will be more methodical in the morning.
salahx | Guru | Joined: 12 Mar 2005 | Posts: 499 | Posted: Mon Sep 01, 2014 4:02 am | Post subject:

xl2tpd and strongswan are unconnected, thus the "lns" value in the LAC section is just the server's domain name or IP address. In this case though, it's not seeing the L2TP LNS (server) on the other side. This usually means the ipsec tunnel is down. Check and restart the tunnel if needed. To see if data is going over the tunnel:

Code:
    tcpdump proto 50

You won't see anything cross the tunnel until xl2tpd-connect is started. You should see packets going in both directions. If not, either the tunnel is down, strongSwan is configured wrong or something (like a local firewall) is getting in the way. In contrast, no l2tp packets should be seen in the clear:

Code:
    tcpdump udp port 1701

This command should produce NO output when xl2tpd-connect is invoked. If it does, either the tunnel is down, or strongSwan is configured wrong.
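The two tcpdump checks above answer two different questions: is encrypted traffic flowing, and is any L2TP escaping in the clear. One caveat a practitioner should add, and the page itself supports it: the charon logs earlier in this thread say "local host is behind NAT" and switch to port 4500, which means the ESP packets are UDP-encapsulated (RFC 3948) and `tcpdump proto 50` will show nothing even when the tunnel is carrying traffic; `udp port 4500` has to be captured too. The classifier below is an added example written for this thread, not part of tcpdump, strongSwan or xl2tpd. It takes raw IPv4 packets (as a capture library or a pcap reader would hand them over, link-layer header stripped), labels each one as IKE, NAT-T IKE, raw ESP, UDP-encapsulated ESP, NAT-T keepalive or cleartext L2TP, and reports whether the tunnel is carrying traffic and whether L2TP is leaking. All packets are constructed inline; the only value borrowed from the thread is the ESP SPI quoted in the Sep 2 charon log, used as filler.

```python
"""Classify captured IPv4 packets to verify an L2TP/IPsec client tunnel.

Added example for this thread; not tcpdump, strongSwan or xl2tpd code.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte NAT-T keepalive


def classify(pkt):
    """Label one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return "esp"                        # the only thing `tcpdump proto 50` shows
    if proto != IPPROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    ports = {sport, dport}
    if 500 in ports:
        return "ike"
    if 4500 in ports:
        if data == NAT_KEEPALIVE:
            return "natt-keepalive"
        # ESP never starts with SPI 0, so four zero bytes mean IKE, else ESP.
        return "ike-natt" if data[:4] == NON_ESP_MARKER else "esp-natt"
    if 1701 in ports:
        return "l2tp-cleartext"             # L2TP outside IPsec: this is a leak
    return "udp-other"


def audit(packets):
    """Return (label counts, tunnel_carrying_traffic, l2tp_leaking)."""
    counts = {}
    for pkt in packets:
        label = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
    carrying = counts.get("esp", 0) + counts.get("esp-natt", 0) > 0
    leaking = counts.get("l2tp-cleartext", 0) > 0
    return counts, carrying, leaking


# --- constructed packets; addresses are the thread's placeholders ---
def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header. Checksum is left zero; classify() does not verify it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SRC, DST = "1.2.3.4", "17.11.7.5"
SPI = bytes.fromhex("ca6241bf")          # SPI value quoted in the Sep 2 charon log
SAMPLE_CAPTURE = [
    ipv4(IPPROTO_UDP, SRC, DST, udp(500, 500, b"\x11" * 28)),                    # IKE main mode
    ipv4(IPPROTO_UDP, SRC, DST, udp(4500, 4500, NON_ESP_MARKER + b"\x22" * 28)), # IKE after NAT-T
    ipv4(IPPROTO_UDP, SRC, DST, udp(4500, 4500, NAT_KEEPALIVE)),                 # keepalive
    ipv4(IPPROTO_UDP, SRC, DST, udp(4500, 4500, SPI + b"\x00\x00\x00\x01" + b"\x33" * 40)),  # ESP in UDP
    ipv4(IPPROTO_ESP, SRC, DST, SPI + b"\x00\x00\x00\x02" + b"\x44" * 40),       # raw ESP
    ipv4(IPPROTO_UDP, SRC, DST, udp(1701, 1701, b"\xc8\x02" + b"\x55" * 10)),    # L2TP in the clear
]

if __name__ == "__main__":
    counts, carrying, leaking = audit(SAMPLE_CAPTURE)
    print(counts)                       # one of each label
    print("tunnel carrying traffic:", carrying, "| L2TP leaking:", leaking)
```

Against a live capture, the expected healthy picture for the setup in this thread is ike on 500, then ike-natt, esp-natt and natt-keepalive on 4500, and zero l2tp-cleartext; raw esp only appears when neither end is behind NAT.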
Duco Ergo Sum | Apprentice | Joined: 06 Dec 2005 | Posts: 154 | Location: Winsford | Posted: Tue Sep 02, 2014 9:09 am | Post subject:

Hi, I have tried various configurations of xl2tp. Just to add to the confusion my mobo has two LAN ports and wifi; I fear now this feature is coming back to confuse me and my set-up. 'eno1' is the LAN port which would be eth0 and is currently the only operational network connection in this machine. It appears that tcpdump is looking at 'bond0' so not finding anything. Could xl2tp be doing the same? tcpdump -i eno1 produces the same output as below.

Make connection
Code:
    # xl2tpd-control connect vpnclient vpn.office.com\\Uname Upassword
    00 OK

Test proto 50
Code:
    # tcpdump proto 50
    tcpdump: WARNING: bond0: no IPv4 address assigned
    error : ret -1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

Test udp port 1701
Code:
    # tcpdump udp port 1701
    tcpdump: WARNING: bond0: no IPv4 address assigned
    error : ret -1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

Some network devices
Code:
    # ifconfig
    bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
            ether ce:71:b2:5a:c2:1d  txqueuelen 0  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
            inet6 fd00::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
            ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
            RX packets 14060  bytes 14971920 (14.2 MiB)
            RX errors 0  dropped 3  overruns 0  frame 0
            TX packets 10353  bytes 1465328 (1.3 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
            device interrupt 20  memory #x########-########
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 0  (Local Loopback)
            RX packets 40  bytes 16841 (16.4 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 40  bytes 16841 (16.4 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Log
Code:
    Sep 2 08:55:31 sveta xl2tpd[4128]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4128
    Sep 2 08:55:31 sveta xl2tpd[4128]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    Sep 2 08:55:31 sveta xl2tpd[4128]: Forked by Scott Balmos and David Stipp, (C) 2001
    Sep 2 08:55:31 sveta xl2tpd[4128]: Inherited by Jeff McAdams, (C) 2002
    Sep 2 08:55:31 sveta xl2tpd[4128]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    Sep 2 08:55:31 sveta xl2tpd[4128]: Listening on IP address 0.0.0.0, port 1701
    Sep 2 08:55:37 sveta charon: 09[IKE] sending keep alive to 17.11.7.5[4500]
    Sep 2 08:55:49 sveta charon: 10[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
    Sep 2 08:55:49 sveta charon: 10[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD) ]
    Sep 2 08:55:49 sveta charon: 10[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD_ACK) ]
    Sep 2 08:55:49 sveta charon: 10[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (92 bytes)
    Sep 2 08:55:59 sveta xl2tpd[4128]: Connecting to host vpn.office.com, port 1701
    Sep 2 08:55:59 sveta xl2tpd[4128]: Connection established to 17.11.7.5, 1701. Local: [Available On Request], Remote: [Available On Request] (ref=0/0).
    Sep 2 08:55:59 sveta xl2tpd[4128]: Calling on tunnel [Available On Request]
    Sep 2 08:55:59 sveta xl2tpd[4128]: Call established with 17.11.7.5, Local: [Available On Request], Remote: [Available On Request], Serial: 1 (ref=0/0)
    Sep 2 08:55:59 sveta xl2tpd[4128]: start_pppd: I'm running:
    Sep 2 08:55:59 sveta xl2tpd[4128]: "/usr/sbin/pppd"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "passive"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "nodetach"
    Sep 2 08:55:59 sveta xl2tpd[4128]: ":"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "name"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "vpn.office.com\Uname"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "plugin"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "passwordfd.so"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "passwordfd"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "8"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "file"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "/etc/ppp/options.l2tpd.lns"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "ipparam"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "17.11.7.5"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "plugin"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "pppol2tp.so"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "pppol2tp"
    Sep 2 08:55:59 sveta xl2tpd[4128]: "9"
    Sep 2 08:55:59 sveta pppd[4138]: Plugin passwordfd.so loaded.
    Sep 2 08:55:59 sveta pppd[4138]: Can't open options file /etc/ppp/options.l2tpd.lns: No such file or directory
    Sep 2 08:55:59 sveta xl2tpd[4128]: child_handler : pppd exited for call [Available On Request] with code 2
    Sep 2 08:55:59 sveta xl2tpd[4128]: call_close: Call [Available On Request] to 17.11.7.5 disconnected
    Sep 2 08:55:59 sveta xl2tpd[4128]: Terminating pppd: sending TERM signal to pid 4138
    Sep 2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request] (ref=0/0)
    Sep 2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request] (ref=0/0)
    Sep 2 08:55:59 sveta xl2tpd[4128]: check_control: Received out of order control packet on tunnel [Available On Request] (got 3, expected 4)
    Sep 2 08:55:59 sveta xl2tpd[4128]: handle_packet: bad control packet!
    Sep 2 08:55:59 sveta charon: 13[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (68 bytes)
    Sep 2 08:55:59 sveta charon: 13[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
    Sep 2 08:55:59 sveta charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI ca6241bf
    Sep 2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
    Sep 2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
    Sep 2 08:55:59 sveta charon: 08[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
    Sep 2 08:55:59 sveta charon: 08[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
    Sep 2 08:55:59 sveta charon: 08[IKE] received DELETE for IKE_SA VPN.OFFICE.COM[1]
    Sep 2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
    Sep 2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
    Sep 2 08:56:21 sveta kernel: [  387.050043] device bond0 entered promiscuous mode
    Sep 2 08:56:41 sveta kernel: [  406.710209] device bond0 left promiscuous mode
    Sep 2 08:56:51 sveta kernel: [  417.080010] device bond0 entered promiscuous mode
    Sep 2 08:57:04 sveta xl2tpd[4128]: Maximum retries exceeded for tunnel [Available On Request]. Closing.
    Sep 2 08:57:04 sveta xl2tpd[4128]: Connection [Available On Request] closed to 17.11.7.5, port 1701 (Timeout)
    Sep 2 08:57:09 sveta xl2tpd[4128]: Unable to deliver closing message for tunnel [Available On Request]. Destroying anyway.
    Sep 2 08:57:11 sveta kernel: [  436.160583] device bond0 left promiscuous mode
    Sep 2 08:57:15 sveta kernel: [  441.038056] device bond0 entered promiscuous mode
    Sep 2 08:57:21 sveta kernel: [  446.590475] device bond0 left promiscuous mode
    Sep 2 08:57:36 sveta kernel: [  461.822270] device bond0 entered promiscuous mode
    Sep 2 08:57:54 sveta kernel: [  479.973547] device bond0 left promiscuous mode
    Sep 2 08:58:06 sveta kernel: [  491.341755] device bond0 entered promiscuous mode
    Sep 2 08:58:13 sveta kernel: [  498.971002] device bond0 left promiscuous mode
salahx Guru Joined: 12 Mar 2005 Posts: 499 | Posted: Tue Sep 02, 2014 5:01 pm Post subject: | | | We're making progress. According to the log, it's seeing the l2tp server on the other end. That means the ipsec is up and configured properly, and traffic is flowing across it. Now the problem is pppd. pppd is getting some extraneous options from somewhere. Namely, the nonexistent "/etc/ppp/options.l2tpd.lns" is causing pppd to exit. However it shouldn't even be looking for that. Very little configuration should be needed on the l2tp side, but there may be one tweak we need:
Code: |
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = your-login-username
|
Some Cisco access concentrators need the "name" thing, but normally it's not needed. However, adding it won't hurt. Everything else in /etc/xl2tpd/xl2tpd.conf should be gone or commented out. | |
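A small triage script, added here and not taken from the thread, that applies the reading above to syslog lines: it records how far an attempt got (IPsec child SA, L2TP connect, L2TP call, pppd start, PPP up) and picks out the pppd and xl2tpd failure messages. The sample lines are constructed after the logs posted in this thread; PIDs, call and tunnel numbers are made up.

```python
import re

# Constructed syslog excerpts in the shape of the two attempts in this thread (PIDs, call
# and tunnel numbers made up): one where pppd dies, one where the L2TP peer never answers.
SAMPLE_PPPD_FAIL = """\
Sep 2 08:55:58 sveta charon: 12[IKE] CHILD_SA VPN.OFFICE.COM{1} established with SPIs c0ffee01_i c0ffee02_o and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
Sep 2 08:55:58 sveta xl2tpd[4128]: Connecting to host vpn.office.com, port 1701
Sep 2 08:55:59 sveta xl2tpd[4128]: Call established with 17.11.7.5, Local: 3, Remote: 7, Serial: 1 (ref=0/0)
Sep 2 08:55:59 sveta xl2tpd[4128]: start_pppd: I'm running:
Sep 2 08:55:59 sveta pppd[4138]: Can't open options file /etc/ppp/options.l2tpd.lns: No such file or directory
Sep 2 08:55:59 sveta xl2tpd[4128]: child_handler : pppd exited for call 3 with code 2
"""
SAMPLE_NO_PEER = """\
Sep 3 01:28:30 sveta xl2tpd[4752]: Connecting to host vpn.office.com, port 1701
Sep 3 01:28:35 sveta xl2tpd[4752]: Maximum retries exceeded for tunnel 41. Closing.
Sep 3 01:28:35 sveta xl2tpd[4752]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
"""

STAGES = [  # (name, pattern), earliest first; the highest index seen is how far it got
    ("ipsec_child_sa", r"charon: .*CHILD_SA \S+ established"),
    ("l2tp_connecting", r"xl2tpd\[\d+\]: Connecting to host"),
    ("l2tp_call", r"xl2tpd\[\d+\]: Call established with"),
    ("pppd_started", r"xl2tpd\[\d+\]: start_pppd: I'm running"),
    ("ppp_up", r"pppd\[\d+\]: local\s+IP address"),
]
FAILURES = [  # (pattern, explanation); {0} is the first capture group
    (r"pppd\[\d+\]: Can't open options file (\S+):",
     "pppd was handed a missing options file {0}: check pppoptfile in xl2tpd.conf"),
    (r"child_handler : pppd exited for call \S+ with code (\d+)",
     "pppd exited with code {0} before PPP came up"),
    (r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel",
     "no L2TP control reply from the peer: udp/1701 is not getting there through IPsec"),
]

def triage(log_text):
    """Return the furthest stage reached and the failures seen, in log order."""
    reached, failures = -1, []
    for line in log_text.splitlines():
        for idx, (_, pat) in enumerate(STAGES):
            if re.search(pat, line):
                reached = max(reached, idx)
        for pat, msg in FAILURES:
            m = re.search(pat, line)
            if m:
                failures.append(msg.format(*m.groups()))
    stage = STAGES[reached][0] if reached >= 0 else "nothing"
    return {"stage": stage, "failures": failures}
```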
Duco Ergo Sum Apprentice Joined: 06 Dec 2005 Posts: 154 Location: Winsford | Posted: Wed Sep 03, 2014 12:41 am Post subject: | | | I discovered a typo in the /etc/ppp/options.xl2tpd.client path, namely the missing 'x'. Also I have added the user name as you have advised and no joy.
Code: |
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.[b]x[/b]l2tpd.client
name = Uname
|
pppoptfile = /etc/ppp/options.xl2tpd.client
Code: |
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock
|
Using a sparse xl2tpd.conf, no comments, only the config we need, the following log entry is produced.
Code: |
Sep 3 01:28:26 sveta xl2tpd[4750]: setsockopt recvref[30]: Protocol not available
Sep 3 01:28:26 sveta xl2tpd[4750]: Using l2tp kernel support.
Sep 3 01:28:26 sveta xl2tpd[4752]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4752
Sep 3 01:28:26 sveta xl2tpd[4752]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 3 01:28:26 sveta xl2tpd[4752]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 3 01:28:26 sveta xl2tpd[4752]: Inherited by Jeff McAdams, (C) 2002
Sep 3 01:28:26 sveta xl2tpd[4752]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 3 01:28:26 sveta xl2tpd[4752]: Listening on IP address 0.0.0.0, port 1701
Sep 3 01:28:30 sveta xl2tpd[4752]: Connecting to host vpn.office.com, port 1701
Sep 3 01:28:35 sveta xl2tpd[4752]: Maximum retries exceeded for tunnel 41. Closing.
Sep 3 01:28:35 sveta xl2tpd[4752]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
Sep 3 01:28:35 sveta kernel: [ 5494.780053] device eno1 entered promiscuous mode
Sep 3 01:28:39 sveta kernel: [ 5498.420761] device eno1 left promiscuous mode
Sep 3 01:28:40 sveta xl2tpd[4752]: Unable to deliver closing message for tunnel 41. Destroying anyway.
|
I have even tried swapping the [lac vpnclient] for [lac VPN.OFFICE.COM]; it simply served to prove that the config is read at the start up of xl2tpd. | |
salahx Guru Joined: 12 Mar 2005 Posts: 499 | Posted: Wed Sep 03, 2014 12:58 am Post subject: | | | The name used for the lac isn't important. It's not seeing the l2tp server again. Be sure the strongSwan connection is up, and try again. If it still won't work, stop strongswan and xl2tp, in another window do an "ip xfrm monitor", start strongswan and xl2tpd. Connect via strongSwan and the window "ip xfrm monitor" should display some stuff. Make a connection with xl2tpd-connect and more stuff will appear in the other window (warning: this command outputs the secret keys for the ipsec connection. The real keys have been replaced with 0's). Something like this:
Code: |
Updated src 192.168.10.108 dst 192.168.10.17
	proto esp spi 0xc3e3e289 reqid 4 mode transport
	replay-window 32
	auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
	enc cbc(aes) 0x0000000000000000000000000000000
	sel src 192.168.10.108/32 dst 192.168.10.17/32
src 192.168.10.17 dst 192.168.10.108
	proto esp spi 0xcdfbb1d9 reqid 4 mode transport
	replay-window 32
	auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
	enc cbc(aes) 0x0000000000000000000000000000000
	sel src 192.168.10.17/32 dst 192.168.10.108/32
src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
	dir out action block priority 7936 ptype main
src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
	dir in action block priority 7936 ptype main
Updated src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
	dir out priority 1792 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 4 mode transport
Updated src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
	dir in priority 1792 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 4 mode transport
Async event  (0x20)  timer expired
	src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x20)  timer expired
	src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x20)  timer expired
	src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x20)  timer expired
	src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
	src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
	src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x10)  replay update
	src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
	src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x10)  replay update
	src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
Async event  (0x10)  replay update
	src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
Async event  (0x10)  replay update
	src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
....
| | |
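An added check, not from the post and not strongSwan or xl2tpd code, that parses output in the shape of the `ip xfrm monitor` / `ip xfrm state` listing above and confirms the four kernel objects an L2TP/IPsec client needs: ESP transport-mode SAs in both directions and udp/1701 policies that point at them. The sample is constructed with the client at 192.168.10.108 and the peer at 192.168.10.17, keys zeroed as in the post.

```python
import re

# Constructed sample in the shape of the "ip xfrm monitor" output above, for a client at
# 192.168.10.108 talking to 192.168.10.17; SPIs and keys are made up / zeroed.
SAMPLE_XFRM = """\
Updated src 192.168.10.108 dst 192.168.10.17
\tproto esp spi 0xc3e3e289 reqid 4 mode transport
\treplay-window 32
\tsel src 192.168.10.108/32 dst 192.168.10.17/32
src 192.168.10.17 dst 192.168.10.108
\tproto esp spi 0xcdfbb1d9 reqid 4 mode transport
\tsel src 192.168.10.17/32 dst 192.168.10.108/32
Updated src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
\tdir out priority 1792 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 4 mode transport
Updated src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
\tdir in priority 1792 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 4 mode transport
Async event  (0x10)  replay update
\tsrc 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
"""

def records(text):
    """Join each SA/policy/event with its indented continuation lines into one string."""
    recs, cur = [], []
    for line in text.splitlines():
        if line[:1].strip() and cur:  # an unindented line starts a new record
            recs.append(" ".join(cur))
            cur = []
        cur.append(line.strip())
    return recs + [" ".join(cur)] if cur else recs

def check_l2tp_ipsec(text, local, peer):
    """Which of the four kernel objects an L2TP/IPsec client needs are present:
    transport-mode ESP SAs both ways, and udp/1701 policies whose template uses ESP."""
    l, p = re.escape(local), re.escape(peer)
    need = {  # name -> (must be an SA record?, pattern); "action block" policies never match
        "esp_out": (True, rf"sel src {l}/32 dst {p}/32"),
        "esp_in": (True, rf"sel src {p}/32 dst {l}/32"),
        "policy_out": (False, rf"src {l}/32 dst {p}/32 proto udp sport 1701 dport 1701 dir out .*tmpl .*proto esp"),
        "policy_in": (False, rf"src {p}/32 dst {l}/32 proto udp sport 1701 dport 1701 dir in .*tmpl .*proto esp"),
    }
    found = dict.fromkeys(need, False)
    for rec in records(text):
        is_sa = re.search(r"\bspi 0x[0-9a-f]+\b.*\bmode transport\b", rec) is not None
        for name, (wants_sa, pat) in need.items():
            if is_sa == wants_sa and re.search(pat, rec):
                found[name] = True
    return found
```

If any of the four comes back False, xl2tpd's udp/1701 packets are not being protected by IPsec in that direction, which matches the "Maximum retries exceeded" timeout seen earlier.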