                                      | Author | Message | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Mon Aug 18, 2014 8:56 am   Post subject: VPN Client not connecting [SOLVED]

Hi there,

For the past week and a bit I have been trying to connect to my office VPN, without success. The instructions for connecting presume the client is a Windows 7 system.

The vpn is "IPSec (L2TP/IPSEC)" using a Pre-Shared Key.

For the purpose of this post I will use fake details and values:

gateway: vpn.office.com
PSK: vpn-office-com
username: your-login-username
password: your-login-password
domain (optional): office-name

What I have tried so far, includes:

compiled every IPSEC kernel module -> No observable difference.

KVPN -> Gives an error racoon config error and then a long list of other debug info which as it is security related I don't want to post indiscriminately.

VPNC -> reports "No response from target"
Cisco and regular UDP
I have tried setting various ports to use, 47, 50, 51, 443, 500, 1701, 1723, 10000

Strongswan -> the daemon starts but I cannot find evidence of a connection
ipsec.conf and ipsec.secret configured for the above details respectively.

I can only guess that this isn't a firewall issue as a colleague who already connects to the vpn can only do so using a virtual machine running Windows 7. My colleague says this is because of firewall and routing problems from his Linux desktop. My assertion being that the virtual machine has to pass through the host and any other firewall in his network.

Please help...

Last edited by Duco Ergo Sum on Tue Oct 14, 2014 12:11 am; edited 1 time in total
                                      |   | 
                                      | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 | Posted: Tue Aug 19, 2014 8:56 pm   Post subject:

I wrote a Gentoo wiki article covering setting up the server side of it: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server . Because all the protocols (ipsec, l2tp and pppd) are peer-to-peer, configuring it on the client side has a lot of similarities.
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Thu Aug 21, 2014 7:59 am   Post subject:

Thank you.

I think what I need is the "Ipsec ID" (group id/name) parameter. I have a working Windows system now so I'll interrogate that.
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Mon Aug 25, 2014 10:20 pm   Post subject:

This is really frustrating.

I now have:

VPNC which times out without much indication of anything happening.
StrongSwan which starts but I don't see any sign of a VPN nor have I found a way to test it.
OpenL2TP which I've had to install an overlay (booboo) to get. This doesn't seem to be able to initiate sessions, tunnel id not found, while tunnel show - shows the tunnel I configured.
NetworkManager seems to allow a sub-set of functionality in its configuration of different sub-systems but it protests that it's unable to find an agent when I try to start a session.

Additionally, I've experimented with Windows. The initial setup is tricky but the VPN works. No additional information needed. With security in mind I'm sure, they've hidden the config details from prying eyes thus thwarting my plan to find the IP Sec ID there.

I am beginning to question if this is a proprietary MS VPN implementation or could my system be just missing one little screw somewhere?

I have read the IPsec L2TP VPN server wiki page and attempted to adapt its wisdom to my needs but unfortunately unsuccessfully.

Please tell me how I can test a VPN connection, just to see if it exists?

--
You know you really need help when the voices tell you that you're becoming obsessed!
                                      |   | 
                                      | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 | Posted: Wed Aug 27, 2014 3:39 am   Post subject:

The first, and most difficult layer, is the ipsec layer. Here's a simple config file you can adapt. As the wiki page shows, uncomment the "include" line at the very bottom of /etc/ipsec.conf and create a /etc/ipsec.d/office.vpn.com.conf with content similar to the following:

Code:
conn vpnclient
    type=transport
    authby=secret
    pfs=no
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    auto=add

Don't forget to create a /etc/ipsec.d/office.vpn.com.secret file also:

Code:
vpn.office.com %any : PSK "vpn-office-com"

Then start the ipsec service, and bring up your connection with "ipsec auto --up vpnclient". If you get a line in the log similar to "STATE_QUICK_I2: Sent QI2, IPsec SA established...." then you have ipsec connectivity.

ipsec is the hard part. Once you've got that, the l2tp tunnel is much simpler.
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Thu Aug 28, 2014 12:48 am   Post subject:

Hello Salahx,

Thanks for again answering, I am very grateful.

The command 'ipsec up vpnclient' has been most illustrative. StrongSwan doesn't get a response from the office network either.

Code:
initiating IKE_SA vpn.office.com[1] to 17.11.7.5
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 1 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 2 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 3 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
[  ...  ]
giving up after 5 retransmits

So now both VPNC and StrongSwan time out.

Food for thought.
                                      |   | 
                                      | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 | Posted: Thu Aug 28, 2014 6:53 am   Post subject:

It's seeing SOMETHING on the other side, it's just having trouble negotiating with it. It appears it's trying to negotiate an IKEv2 connection, but we want IKEv1.

So let's tweak the config a bit:

Code:
conn vpnclient
    keyexchange=ikev1
    type=transport
    authby=secret
    pfs=no
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    auto=add
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Thu Aug 28, 2014 8:49 am   Post subject:

Thanks.

We're making progress, new response message:

Code:
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (220 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (160 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed

My installed version of StrongSwan does not support the key word. Therefore this is what my config looks like at the moment:

Code:
conn vpn.office.com
    keyexchange=ikev1
    type=transport
    authby=secret
    esp=des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    auto=add
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Thu Aug 28, 2014 9:12 am   Post subject:

Looking in Windows

Control Panel - Administrative Tools - Windows Firewall with Advanced Security - Windows Firewall Properties (IPsec Settings) - Customize IPsec Defaults (Key exchange (Main Mode) - Advanced [Customize]) - Customize Advanced Key Exchange Settings

Code:
Security methods:
Integrity    Encryption     Key exchange algorithm
SHA-1        AES-CBC 128    Diffie-Hellman Group 2 (default)
SHA-1        3DES           Diffie-Hellman Group 2

I'm off to work now but will experiment with these values when I get back.
                                      |   | 
                                      | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 | Posted: Thu Aug 28, 2014 4:14 pm   Post subject:

It's "pfs=no" not "psf=no". It doesn't matter anyway because the command is ignored under strongSwan and "no" is the default. You shouldn't need the "esp=des-sha1-modp1024" as it should choose the correct method during the proposal process. In fact that will negotiate PFS which is NOT what you want - Microsoft's IKEv1 daemon doesn't support PFS.

Note that Windows has 2 implementations of ipsec: the IKEv1 one used for the l2tp tunnel, and an IKEv2 one which is controlled via the ipsec snap-in. The Windows Firewall and other ipsec settings refer to the latter, but we want to use the former.
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Fri Aug 29, 2014 12:04 am   Post subject:

Apologies, "psf" was a typo.

However, no matter how I try to configure the pfs option, I get the same result.

Code:
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed
                                      |   | 
                                      | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 | Posted: Fri Aug 29, 2014 12:14 am   Post subject:

The pfs option is ignored in strongSwan anyway. But that "esp" line has to be removed, because I know it's wrong. If the server still won't take any proposals offered by strongswan, even without the "esp" line, there's an "ike-scan" package in portage that should give some information on what proposals the gateway will accept.
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Fri Aug 29, 2014 8:45 am   Post subject:

Hi,

I have used IKE-Scan which prompted me to change my Config as below and this has generated the following information.

ike-scan output

Code:
ike-scan --verbose vpn.office.com
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
17.11.7.5  Main Mode Handshake returned HDR=(CKY-R=[Available On Request]) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=[Available On Request] (IKE Fragmentation)

Ending ike-scan 1.9: 1 hosts scanned in 0.037 seconds (27.14 hosts/sec).  1 returned handshake; 0 returned notify

New Config

Code:
conn vpn.office.com
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    auto=add

ipsec output

Code:
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
establishing connection 'vpn.office.com' failed

Charon Log

Code:
Aug 29 09:14:39 sveta charon: 02[CFG] received stroke: initiate 'vpn.office.com'
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
Aug 29 09:14:39 sveta charon: 13[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
Aug 29 09:14:39 sveta charon: 06[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
Aug 29 09:14:39 sveta charon: 06[ENC] parsed ID_PROT response 0 [ SA V V ]
Aug 29 09:14:39 sveta charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 29 09:14:39 sveta charon: 06[IKE] received FRAGMENTATION vendor ID
Aug 29 09:14:39 sveta charon: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 29 09:14:39 sveta charon: 06[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
Aug 29 09:14:40 sveta charon: 05[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
Aug 29 09:14:40 sveta charon: 05[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Aug 29 09:14:40 sveta charon: 05[IKE] received Cisco Unity vendor ID
Aug 29 09:14:40 sveta charon: 05[IKE] received XAuth vendor ID
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
Aug 29 09:14:40 sveta charon: 05[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
                                      |   | 
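Added example, not part of the thread: a Python sketch that turns the ike-scan Main Mode handshake line posted above into the strongSwan settings the poster derived by hand (`ike=3des-sha1-modp1024`) and lists the legacy algorithms in the result. The function names, the `LEGACY` set, the cookie values and the AES sample line (including its `KeyLength=` field layout) are assumptions made for illustration.

```python
import re

# ike-scan transform names -> strongSwan proposal keywords (AES also needs KeyLength).
ENC = {"DES": "des", "3DES": "3des"}
HASH = {"MD5": "md5", "SHA1": "sha1"}
# Legacy algorithms worth raising with whoever administers the gateway.
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}

HANDSHAKE = re.compile(
    r"^(?P<peer>\S+)\s+Main Mode Handshake returned .*?\bSA=\((?P<sa>[^)]*)\)"
)

# Handshake line from the thread; the redacted cookie is replaced by a constructed value.
PAGE_LINE = ("17.11.7.5  Main Mode Handshake returned HDR=(CKY-R=0123456789abcdef) "
             "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
             "LifeType=Seconds LifeDuration=28800)")
# Constructed line for a gateway offering AES (field layout assumed).
AES_LINE = ("192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=fedcba9876543210) "
            "SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK "
            "LifeType=Seconds LifeDuration=28800)")


def parse_handshake(line):
    """Return (peer, attrs) for a Main Mode handshake line, or None for other lines."""
    m = HANDSHAKE.search(line.strip())
    if m is None:
        return None
    attrs = dict(item.split("=", 1) for item in m.group("sa").split() if "=" in item)
    return m.group("peer"), attrs


def ike_proposal(attrs):
    """Build the strongSwan ike= value (cipher-hash-dhgroup) for one transform."""
    enc = attrs["Enc"]
    if enc == "AES":
        enc_kw = "aes" + attrs["KeyLength"]          # aes128, aes192, aes256
    elif enc in ENC:
        enc_kw = ENC[enc]
    else:
        raise ValueError("unmapped cipher: " + enc)
    if attrs["Hash"] not in HASH:
        raise ValueError("unmapped hash: " + attrs["Hash"])
    group_kw = attrs["Group"].partition(":")[2]      # "2:modp1024" -> "modp1024"
    if not group_kw:
        raise ValueError("unnamed DH group: " + attrs["Group"])
    return "-".join((enc_kw, HASH[attrs["Hash"]], group_kw))


def conn_settings(line):
    """Return (peer, conn settings, legacy algorithms) for one handshake line."""
    parsed = parse_handshake(line)
    if parsed is None:
        raise ValueError("not a Main Mode handshake line")
    peer, attrs = parsed
    proposal = ike_proposal(attrs)
    settings = ["keyexchange=ikev1", "ike=" + proposal]   # Main Mode means IKEv1
    if attrs.get("Auth") == "PSK":
        settings.append("authby=secret")
    legacy = [part for part in proposal.split("-") if part in LEGACY]
    return peer, settings, legacy


if __name__ == "__main__":
    for sample in (PAGE_LINE, AES_LINE):
        peer, settings, legacy = conn_settings(sample)
        print(peer, settings, "legacy:", legacy or "none")
```
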
                                      | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 | Posted: Fri Aug 29, 2014 3:12 pm   Post subject:

OK, now it's accepting the proposal but it's having trouble with the PSK. It probably has to do with how the VPN server is identifying itself. So let's change the secrets file to

Code:
: PSK "vpn-office-com"

This will make strongSwan use the key for all connections.
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Fri Aug 29, 2014 9:51 pm   Post subject:

Awesome!  Thanks!

Code:
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
generating INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
connection 'vpn.office.com' established successfully

I have pinged my office PC and did not get any returned packets. I haven't attempted to set up the L2TP layer yet but your guide says that is comparatively easy.

These lines though do worry me:

Code:
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
                                      |   | 
                                      | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 | Posted: Fri Aug 29, 2014 11:03 pm   Post subject:

We're almost there, but we're not there yet. This goes back to the "how the server is identifying itself" problem with the PSK: Instead of identifying itself via its name (vpn.example.com), it does so by its IP address (17.11.7.5).

We just need to make one tweak:

Code:
conn vpn.office.com
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    auto=add

Or failing that, change the value of "right=" from "vpn.office.com" to "17.11.7.5" instead. Note you still can't do anything with the connection yet, as only L2TP packets will be passed across the ipsec link (thus you cannot ping anything across the link).
                                      |   | 
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Sat Aug 30, 2014 5:21 pm   Post subject:

Perfect, next step L2TP!

Code:
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA vpn.office.com{1} established with SPIs [Available On Request] [Available On Request] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
connection 'vpn.office.com' established successfully

Thank you. I expect as soon as I attempt L2TP I'll be back here confused as ever. Either way, I'll report back.
                                      |   | 
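Added example, not part of the thread: the strongSwan messages seen at each failed attempt above, mapped to the fix the thread applied for it. It also shows why the closing `established successfully` line of the earlier run cannot be trusted on its own: that run had already deleted its IKE_SA. Rule names, advice wording and the sample lines (rebuilt from the logs above, with redacted fields replaced by constructed values) are assumptions.

```python
import re

# (stage, message pattern, advice). Patterns are the log messages quoted in the
# thread; the advice is the change the thread made in response.
RULES = [
    ("ike-version",
     re.compile(r"ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA"),
     "gateway answers with IKEv1: add keyexchange=ikev1 to the conn"),
    ("proposal",
     re.compile(r"received NO_PROPOSAL_CHOSEN error notify"),
     "no common IKE proposal: list what the gateway accepts with ike-scan and set ike="),
    ("psk",
     re.compile(r"generating INFORMATIONAL_V1 request .*N\(INVAL_KE\)"),
     "PSK not matched to this peer: check the selector in the secrets file"),
    ("peer-id",
     re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'"),
     "gateway identifies as {got}, not {want}: set rightid={got}"),
    ("established",
     re.compile(r"CHILD_SA \S+ established with SPIs"),
     "IPsec SA is up; only the selected traffic (udp/l2tp here) crosses it"),
]


def triage(lines):
    """Return [(stage, advice)] in log order, collapsing consecutive repeats."""
    findings = []
    for line in lines:
        for stage, pattern, advice in RULES:
            m = pattern.search(line)          # search() skips any syslog prefix
            if m and not (findings and findings[-1][0] == stage):
                findings.append((stage, advice.format(**m.groupdict())))
    return findings


def ipsec_up(lines):
    """True only if the last recognised event is an established CHILD_SA."""
    findings = triage(lines)
    return bool(findings) and findings[-1][0] == "established"


# Sample runs rebuilt from the thread; message IDs and SPIs are constructed.
RUN_IKEV2 = [
    "ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA",
    "retransmit 1 of request with message ID 0",
    "ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA",
    "giving up after 5 retransmits",
]
RUN_NO_PROPOSAL = [
    "parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]",
    "received NO_PROPOSAL_CHOSEN error notify",
]
RUN_PSK = [
    "Aug 29 09:14:40 sveta charon: 05[ENC] generating INFORMATIONAL_V1 "
    "request 1234567890 [ N(INVAL_KE) ]",
]
RUN_ID_MISMATCH = [
    "IDir '17.11.7.5' does not match to 'vpn.office.com'",
    "deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]",
    "connection 'vpn.office.com' established successfully",
]
RUN_OK = [
    "IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]",
    "CHILD_SA vpn.office.com{1} established with SPIs c0ffee01_i c0ffee02_o and "
    "TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]",
    "connection 'vpn.office.com' established successfully",
]

if __name__ == "__main__":
    for run in (RUN_IKEV2, RUN_NO_PROPOSAL, RUN_PSK, RUN_ID_MISMATCH, RUN_OK):
        print(ipsec_up(run), triage(run))
```
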
                                      | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 | Posted: Sat Aug 30, 2014 10:04 pm   Post subject:

I thought this might happen.

/etc/xl2tp/xl2tpd.conf

Code:
[global]                                ; Global parameters:
port = 1701                             ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets   ; * Where our challenge secrets are
access control = no                     ; * Refuse connections without IP match
; rand source = dev                     ; Source for entropy for random
;                                       ; numbers, options are:
;                                       ; dev - reads of /dev/urandom
;                                       ; sys - uses rand()
;                                       ; egd - reads from egd socket
;                                       ; egd is not yet implemented
;
[lns default]                           ; Our fallthrough LNS definition
; ip range = 192.168.0.1-192.168.0.20   ; * Allocate from this IP range
; ip range = lac1-lac2                  ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8       ; * These can connect as LAC's
; no lac = untrusted.marko.net          ; * This guy can't connect
; hidden bit = no                       ; * Use hidden AVP's?
local ip = 1.2.3.4                      ; * Our local IP to use
; refuse authentication = no            ; * Refuse authentication altogether
require authentication = yes            ; * Require peer to authenticate
unix authentication = no                ; * Use /etc/passwd for auth.
name = vpn.office.com                   ; * Report this as our hostname
pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file

/etc/ppp/options.l2tpd

Code:
noccp
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent

I started xl2tpd with:  /etc/init.d/xl2tpd start

So nothing, I'm sure I'm missing something, this is a client after all and your instructions are for a server. So close!
                                      |   | 
                                     | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 |  Posted: Sun Aug 31, 2014 8:46 am   Post subject: |
 | Configuring an l2tp client is different than the server - thankfully the client side is even easier:

 The /etc/xl2tpd/xl2tpd.conf is even simpler than the server one:

 | Code: |
 [lac vpnclient]
 lns = vpn.office.com
 pppoptfile = /etc/ppp/options.xl2tpd.client
 |

 You may not need the /etc/ppp/options.xl2tpd.client file (in which case comment that line out), but if you do, here's one that should work:

 | Code: |
 ipcp-accept-local
 ipcp-accept-remote
 refuse-eap
 require-mschap-v2
 noccp
 noauth
 mtu 1410
 mru 1410
 nodefaultroute
 usepeerdns
 lock
 #debug
 |

 Start up the xl2tpd service, then initiate a connection:

 | Code: |
 xl2tpd-control connect vpnclient Office-Name\\your-login-username your-login-password
 |

 Note TWO backslashes (the Office-Name\\ part may be optional)

 xl2tpd may fail with " open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading". If you run across this, just do a "mkdir /var/run/xl2tpd"

 Note that xl2tpd-control will always just return "00 OK"; to actually see if it works, you need to check the system logs. |  |
                                     | Back to top |                             |
                                      |   | 
                                     | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 |  Posted: Sun Aug 31, 2014 11:58 pm   Post subject: |
 | Hi,

 I have now tried a number of variations on a theme.  Mostly where vpn.office.com could mean the url vpn.office.com or the ipsec connection name VPN.OFFICE.COM, capitalised to emphasise the distinction of these two roles.  Also with and without OFFICE-NAME\\login-name login-password and in combination with including/excluding options.xl2tpd.client.

 /etc/xl2tpd/xl2tpd.conf

 | Code: |
 [lac vpnclient]
 lns = vpn.office.com
 pppoptfile = /etc/ppp/options.xl2tpd.client
 |

 /etc/ppp/options.xl2tpd.client

 | Code: |
 ipcp-accept-local
 ipcp-accept-remote
 refuse-eap
 require-mschap-v2
 noccp
 noauth
 mtu 1410
 mru 1410
 nodefaultroute
 usepeerdns
 lock
 |

 | Code: |
 xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password
 |

 | Code: |
 Sep  1 00:39:58 sveta xl2tpd[4845]: Connecting to host vpn.office.com, port 1701
 Sep  1 00:40:01 sveta cron[4865]: (OhCaptian) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
 Sep  1 00:40:03 sveta xl2tpd[4845]: Maximum retries exceeded for tunnel 16278.  Closing.
 Sep  1 00:40:03 sveta xl2tpd[4845]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
 Sep  1 00:40:08 sveta xl2tpd[4845]: Unable to deliver closing message for tunnel 16278. Destroying anyway.
 |

 If I get the opportunity, I will be more methodical in the morning. |  |
                                      | Back to top |                             | 
                                      |   | 
                                     | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 |  Posted: Mon Sep 01, 2014 4:02 am   Post subject: |
 | xl2tpd and strongswan are unconnected, thus the "lns" value in the LAC section is just the server's domain name or IP address. In this case though, it's not seeing the L2TP LNS (server) on the other side. This usually means the ipsec tunnel is down.  Check and restart the tunnel if needed.

 To see if data is going over the tunnel:

 You won't see anything cross the tunnel until xl2tpd-connect is started. You should see packets going in both directions. If not, either the tunnel is down, strongSwan is configured wrong or something (like a local firewall) is getting in the way. In contrast, no l2tp packets should be seen in the clear:

 This command should produce NO output when xl2tpd-connect is invoked. If it does, either the tunnel is down, or strongSwan is configured wrong.

 | Code: |
 tcpdump udp port 1701
 |  |  |
                                     | Back to top |                             |
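Added example (not part of the thread): a small classifier for `tcpdump -n` output that answers the two questions in the post above, whether protected traffic flows in both directions and whether L2TP is leaving the host in the clear. The capture lines are constructed; the peer addresses are the thread's placeholders. It assumes IPv4 and accounts for two things the post does not cover: the strongSwan output in this thread shows both peers on port 4500 (NAT traversal), where ESP travels inside UDP, and on Linux an inbound UDP/1701 packet in a capture can be the already-decrypted copy of an ESP packet.

```python
import re

# Constructed `tcpdump -n` lines (not taken from the thread); the addresses
# reuse the thread's placeholder client 1.2.3.4 and gateway 17.11.7.5.
# A capture filter that collects all of these on the real NIC would be:
#   tcpdump -n -i eno1 'esp or udp port 4500 or udp port 1701'
CAPTURE_PROTECTED = """\
08:55:59.101 IP 1.2.3.4.4500 > 17.11.7.5.4500: UDP-encap: ESP(spi=0x11111111,seq=0x1), length 132
08:55:59.140 IP 17.11.7.5.4500 > 1.2.3.4.4500: UDP-encap: ESP(spi=0x22222222,seq=0x1), length 148
08:56:09.000 IP 1.2.3.4.4500 > 17.11.7.5.4500: isakmp-nat-keep-alive
"""
CAPTURE_LEAK = """\
00:39:58.500 IP 1.2.3.4.1701 > 17.11.7.5.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
00:39:59.500 IP 1.2.3.4.1701 > 17.11.7.5.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
"""

PACKET = re.compile(r"\bIP (\S+) > (\S+?): (.*)$")


def split_endpoint(endpoint):
    """'1.2.3.4.4500' -> ('1.2.3.4', 4500); '1.2.3.4' -> ('1.2.3.4', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def classify(line):
    """Return (src, dst, kind) for one tcpdump line, or None if it is not IPv4."""
    m = PACKET.search(line)
    if m is None:
        return None
    src, sport = split_endpoint(m.group(1))
    dst, dport = split_endpoint(m.group(2))
    rest = m.group(3)
    ports = {sport, dport}
    if 1701 in ports:
        kind = "l2tp-cleartext"      # L2TP header readable on the wire
    elif "isakmp-nat-keep-alive" in rest:
        kind = "nat-keepalive"
    elif "ESP(" in rest:
        kind = "esp-in-udp" if 4500 in ports else "esp"
    elif ports & {500, 4500}:
        kind = "ike"
    else:
        kind = "other"
    return src, dst, kind


def assess(capture, client, gateway):
    """Summarise a capture taken on the client's real interface."""
    seen = {"out": set(), "in": set()}
    for line in capture.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        src, dst, kind = hit
        if (src, dst) == (client, gateway):
            seen["out"].add(kind)
        elif (src, dst) == (gateway, client):
            seen["in"].add(kind)
    protected = {"esp", "esp-in-udp"}
    # Only outbound cleartext counts as a leak: inbound 1701 may be the
    # decrypted copy that Linux shows next to the ESP packet it came from.
    if "l2tp-cleartext" in seen["out"]:
        verdict = "cleartext-l2tp"
    elif seen["out"] & protected and seen["in"] & protected:
        verdict = "protected-both-ways"
    elif (seen["out"] | seen["in"]) & protected:
        verdict = "one-way-only"
    else:
        verdict = "no-tunnel-traffic"
    return {"verdict": verdict, "out": sorted(seen["out"]), "in": sorted(seen["in"])}


if __name__ == "__main__":
    for name, cap in (("protected", CAPTURE_PROTECTED), ("leak", CAPTURE_LEAK)):
        print(name, assess(cap, "1.2.3.4", "17.11.7.5"))
```

A "cleartext-l2tp" verdict means the L2TP control exchange and the PPP authentication inside it are leaving the host unprotected, since L2TP itself does not encrypt anything.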
                                      |   | 
                                     | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 |  Posted: Tue Sep 02, 2014 9:09 am   Post subject: |
 | Hi,

 I have tried diverse configurations of xl2tp.  Just to add to the confusion my mobo has two lan ports and wifi, I fear now this feature is coming back to confuse me and my set-up.  'eno1' is the lan port which would be eth0 and is currently the only operational network connection in this machine.

 It appears that tcpdump is looking at 'bond0' and so not finding anything.  Could xl2tp be doing the same?

 tcpdump -i eno1 produces the same output as below.

 Make connection

 | Code: |
 # xl2tpd-control connect vpnclient vpn.office.com\\Uname Upassword
 00 OK
 |

 Test proto 50

 | Code: |
 # tcpdump proto 50
 tcpdump: WARNING: bond0: no IPv4 address assigned
 error : ret -1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
 0 packets captured
 0 packets received by filter
 0 packets dropped by kernel
 |

 Test udp port 1701

 | Code: |
 # tcpdump udp port 1701
 tcpdump: WARNING: bond0: no IPv4 address assigned
 error : ret -1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
 0 packets captured
 0 packets received by filter
 0 packets dropped by kernel
 |

 Some network devices

 | Code: |
 # ifconfig
 bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
 ether ce:71:b2:5a:c2:1d  txqueuelen 0  (Ethernet)
 RX packets 0  bytes 0 (0.0 B)
 RX errors 0  dropped 0  overruns 0  frame 0
 TX packets 0  bytes 0 (0.0 B)
 TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
 inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
 inet6 fd00::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x0<global>
 inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
 ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
 RX packets 14060  bytes 14971920 (14.2 MiB)
 RX errors 0  dropped 3  overruns 0  frame 0
 TX packets 10353  bytes 1465328 (1.3 MiB)
 TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 device interrupt 20  memory #x########-########

 lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
 inet 127.0.0.1  netmask 255.0.0.0
 inet6 ::1  prefixlen 128  scopeid 0x10<host>
 loop  txqueuelen 0  (Local Loopback)
 RX packets 40  bytes 16841 (16.4 KiB)
 RX errors 0  dropped 0  overruns 0  frame 0
 TX packets 40  bytes 16841 (16.4 KiB)
 TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 |

 Log

 | Code: |
 Sep  2 08:55:31 sveta xl2tpd[4128]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4128
 Sep  2 08:55:31 sveta xl2tpd[4128]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
 Sep  2 08:55:31 sveta xl2tpd[4128]: Forked by Scott Balmos and David Stipp, (C) 2001
 Sep  2 08:55:31 sveta xl2tpd[4128]: Inherited by Jeff McAdams, (C) 2002
 Sep  2 08:55:31 sveta xl2tpd[4128]: Forked again by Xelerance (www.xelerance.com) (C) 2006
 Sep  2 08:55:31 sveta xl2tpd[4128]: Listening on IP address 0.0.0.0, port 1701
 Sep  2 08:55:37 sveta charon: 09[IKE] sending keep alive to 17.11.7.5[4500]
 Sep  2 08:55:49 sveta charon: 10[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
 Sep  2 08:55:49 sveta charon: 10[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD) ]
 Sep  2 08:55:49 sveta charon: 10[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD_ACK) ]
 Sep  2 08:55:49 sveta charon: 10[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (92 bytes)
 Sep  2 08:55:59 sveta xl2tpd[4128]: Connecting to host vpn.office.com, port 1701
 Sep  2 08:55:59 sveta xl2tpd[4128]: Connection established to 17.11.7.5, 1701.  Local: [Available On Request], Remote: [Available On Request] (ref=0/0).
 Sep  2 08:55:59 sveta xl2tpd[4128]: Calling on tunnel [Available On Request]
 Sep  2 08:55:59 sveta xl2tpd[4128]: Call established with 17.11.7.5, Local: [Available On Request], Remote: [Available On Request], Serial: 1 (ref=0/0)
 Sep  2 08:55:59 sveta xl2tpd[4128]: start_pppd: I'm running:
 Sep  2 08:55:59 sveta xl2tpd[4128]: "/usr/sbin/pppd"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "passive"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "nodetach"
 Sep  2 08:55:59 sveta xl2tpd[4128]: ":"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "name"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "vpn.office.com\Uname"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "plugin"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "passwordfd.so"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "passwordfd"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "8"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "file"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "/etc/ppp/options.l2tpd.lns"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "ipparam"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "17.11.7.5"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "plugin"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "pppol2tp.so"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "pppol2tp"
 Sep  2 08:55:59 sveta xl2tpd[4128]: "9"
 Sep  2 08:55:59 sveta pppd[4138]: Plugin passwordfd.so loaded.
 Sep  2 08:55:59 sveta pppd[4138]: Can't open options file /etc/ppp/options.l2tpd.lns: No such file or directory
 Sep  2 08:55:59 sveta xl2tpd[4128]: child_handler : pppd exited for call [Available On Request] with code 2
 Sep  2 08:55:59 sveta xl2tpd[4128]: call_close: Call [Available On Request] to 17.11.7.5 disconnected
 Sep  2 08:55:59 sveta xl2tpd[4128]: Terminating pppd: sending TERM signal to pid 4138
 Sep  2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request] (ref=0/0)
 Sep  2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request] (ref=0/0)
 Sep  2 08:55:59 sveta xl2tpd[4128]: check_control: Received out of order control packet on tunnel [Available On Request] (got 3, expected 4)
 Sep  2 08:55:59 sveta xl2tpd[4128]: handle_packet: bad control packet!
 Sep  2 08:55:59 sveta charon: 13[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (68 bytes)
 Sep  2 08:55:59 sveta charon: 13[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
 Sep  2 08:55:59 sveta charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI ca6241bf
 Sep  2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
 Sep  2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
 Sep  2 08:55:59 sveta charon: 08[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
 Sep  2 08:55:59 sveta charon: 08[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
 Sep  2 08:55:59 sveta charon: 08[IKE] received DELETE for IKE_SA VPN.OFFICE.COM[1]
 Sep  2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
 Sep  2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
 Sep  2 08:56:21 sveta kernel: [  387.050043] device bond0 entered promiscuous mode
 Sep  2 08:56:41 sveta kernel: [  406.710209] device bond0 left promiscuous mode
 Sep  2 08:56:51 sveta kernel: [  417.080010] device bond0 entered promiscuous mode
 Sep  2 08:57:04 sveta xl2tpd[4128]: Maximum retries exceeded for tunnel [Available On Request].  Closing.
 Sep  2 08:57:04 sveta xl2tpd[4128]: Connection [Available On Request] closed to 17.11.7.5, port 1701 (Timeout)
 Sep  2 08:57:09 sveta xl2tpd[4128]: Unable to deliver closing message for tunnel [Available On Request]. Destroying anyway.
 Sep  2 08:57:11 sveta kernel: [  436.160583] device bond0 left promiscuous mode
 Sep  2 08:57:15 sveta kernel: [  441.038056] device bond0 entered promiscuous mode
 Sep  2 08:57:21 sveta kernel: [  446.590475] device bond0 left promiscuous mode
 Sep  2 08:57:36 sveta kernel: [  461.822270] device bond0 entered promiscuous mode
 Sep  2 08:57:54 sveta kernel: [  479.973547] device bond0 left promiscuous mode
 Sep  2 08:58:06 sveta kernel: [  491.341755] device bond0 entered promiscuous mode
 Sep  2 08:58:13 sveta kernel: [  498.971002] device bond0 left promiscuous mode
 
 |  |  | 
                                      | Back to top |                             | 
                                      |   | 
                                     | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 |  Posted: Tue Sep 02, 2014 5:01 pm   Post subject: |
 | We're making progress. According to the log, it's seeing the l2tp server on the other end. That means the ipsec is up and configured properly, and traffic is flowing across it. Now the problem is pppd. pppd is getting some extraneous options from somewhere. Namely, the nonexistent "/etc/ppp/options.l2tpd.lns" is causing pppd to exit. However it shouldn't even be looking for that.

 Very little configuration should be needed on the l2tp side, but there may be one tweak we need:

 | Code: |
 [lac vpnclient]
 lns = vpn.office.com
 pppoptfile = /etc/ppp/options.xl2tpd.client
 name = your-login-username
 |

 Some Cisco access concentrators need the "name" thing, but usually, it's not needed. However, adding it won't hurt. Everything else in /etc/xl2tpd/xl2tpd.conf should be gone or commented out. |  |
                                     | Back to top |                             |
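Added example (not part of the thread): since xl2tpd-control answers "00 OK" regardless of the outcome, this sketch reads the syslog the way the posts above do and reports how far a connection attempt got. The log excerpts are constructed from the message formats quoted in this thread, with placeholder tunnel and call ids; the verdict names are this example's own.

```python
import re

# Constructed excerpts modelled on the syslog messages quoted in this thread;
# tunnel and call ids are placeholders.
LOG_TIMEOUT = """\
Sep  1 00:39:58 sveta xl2tpd[4845]: Connecting to host vpn.office.com, port 1701
Sep  1 00:40:03 sveta xl2tpd[4845]: Maximum retries exceeded for tunnel 16278.  Closing.
Sep  1 00:40:03 sveta xl2tpd[4845]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
"""
LOG_PPPD = """\
Sep  2 08:55:59 sveta xl2tpd[4128]: Connecting to host vpn.office.com, port 1701
Sep  2 08:55:59 sveta xl2tpd[4128]: Connection established to 17.11.7.5, 1701.  Local: 1, Remote: 2 (ref=0/0).
Sep  2 08:55:59 sveta xl2tpd[4128]: Call established with 17.11.7.5, Local: 3, Remote: 4, Serial: 1 (ref=0/0)
Sep  2 08:55:59 sveta pppd[4138]: Can't open options file /etc/ppp/options.l2tpd.lns: No such file or directory
Sep  2 08:55:59 sveta xl2tpd[4128]: child_handler : pppd exited for call 3 with code 2
Sep  2 08:55:59 sveta charon: 08[IKE] received DELETE for IKE_SA VPN.OFFICE.COM[1]
Sep  2 08:57:04 sveta xl2tpd[4128]: Maximum retries exceeded for tunnel 1.  Closing.
"""

# One pattern per milestone; the first capture group (if any) is kept as detail.
EVENTS = [
    ("connecting", re.compile(r"xl2tpd\[\d+\]: Connecting to host (\S+), port \d+")),
    ("tunnel_up", re.compile(r"xl2tpd\[\d+\]: Connection established to ")),
    ("call_up", re.compile(r"xl2tpd\[\d+\]: Call established with ")),
    ("optfile_missing", re.compile(r"pppd\[\d+\]: Can't open options file (\S+): ")),
    ("pppd_exit", re.compile(r"pppd exited for call .*? with code (\d+)")),
    ("sa_deleted", re.compile(r"charon: .*received DELETE for (?:IKE_SA|ESP CHILD_SA)")),
    ("timeout", re.compile(r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel ")),
]


def parse_events(log_text):
    """Return the milestones found in the log, in order, as (name, detail)."""
    events = []
    for line in log_text.splitlines():
        for name, pattern in EVENTS:
            m = pattern.search(line)
            if m:
                events.append((name, m.group(1) if m.groups() else None))
                break
    return events


def triage(log_text):
    """Report the first point at which the L2TP/PPP bring-up stopped."""
    events = parse_events(log_text)
    names = [name for name, _ in events]
    detail = {}
    for name, value in events:
        detail.setdefault(name, value)          # keep the first occurrence
    report = {"verdict": "no-attempt", "exit_code": None,
              "missing_optfile": None, "sa_deleted_after": False}
    if "connecting" not in names:
        return report
    if "tunnel_up" not in names:
        # No reply from the LNS at all. Per the thread, this usually means
        # the IPsec tunnel is down, so check strongSwan before xl2tpd.
        report["verdict"] = "lns-unreachable" if "timeout" in names else "in-progress"
        return report
    if "pppd_exit" in names:
        # The LNS answered, so IPsec was up; pppd itself gave up.
        # pppd(8) documents exit status 2 as an error in option processing.
        report["verdict"] = "pppd-failed"
        report["exit_code"] = int(detail["pppd_exit"])
        report["missing_optfile"] = detail.get("optfile_missing")
        # A DELETE after the pppd exit explains any later timeouts: the
        # gateway tore the SAs down, so retries have nothing to travel over.
        report["sa_deleted_after"] = "sa_deleted" in names[names.index("pppd_exit"):]
        return report
    report["verdict"] = "call-established" if "call_up" in names else "tunnel-only"
    return report


if __name__ == "__main__":
    print(triage(LOG_TIMEOUT))
    print(triage(LOG_PPPD))
```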
                                      |   | 
                                     | Duco Ergo Sum Apprentice
 
   Joined: 06 Dec 2005   Posts: 154
 Location: Winsford
 
 |  Posted: Wed Sep 03, 2014 12:41 am   Post subject: |
 | I discovered a typo in the /etc/ppp/options.xl2tpd.client path, namely the missing 'x'.  Also I have added the user name as you have advised and no joy.

 | Code: |
 [lac vpnclient]
 lns = vpn.office.com
 pppoptfile = /etc/ppp/options.[b]x[/b]l2tpd.client
 name = Uname
 |

 pppoptfile = /etc/ppp/options.xl2tpd.client

 | Code: |
 ipcp-accept-local
 ipcp-accept-remote
 refuse-eap
 require-mschap-v2
 noccp
 noauth
 mtu 1410
 mru 1410
 nodefaultroute
 usepeerdns
 lock
 |

 Using a sparse xl2tpd.conf, no comments, just the config we need, the following log entry is produced.

 | Code: |
 Sep  3 01:28:26 sveta xl2tpd[4750]: setsockopt recvref[30]: Protocol not available
 Sep  3 01:28:26 sveta xl2tpd[4750]: Using l2tp kernel support.
 Sep  3 01:28:26 sveta xl2tpd[4752]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4752
 Sep  3 01:28:26 sveta xl2tpd[4752]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
 Sep  3 01:28:26 sveta xl2tpd[4752]: Forked by Scott Balmos and David Stipp, (C) 2001
 Sep  3 01:28:26 sveta xl2tpd[4752]: Inherited by Jeff McAdams, (C) 2002
 Sep  3 01:28:26 sveta xl2tpd[4752]: Forked again by Xelerance (www.xelerance.com) (C) 2006
 Sep  3 01:28:26 sveta xl2tpd[4752]: Listening on IP address 0.0.0.0, port 1701
 Sep  3 01:28:30 sveta xl2tpd[4752]: Connecting to host vpn.office.com, port 1701
 Sep  3 01:28:35 sveta xl2tpd[4752]: Maximum retries exceeded for tunnel 41.  Closing.
 Sep  3 01:28:35 sveta xl2tpd[4752]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
 Sep  3 01:28:35 sveta kernel: [ 5494.780053] device eno1 entered promiscuous mode
 Sep  3 01:28:39 sveta kernel: [ 5498.420761] device eno1 left promiscuous mode
 Sep  3 01:28:40 sveta xl2tpd[4752]: Unable to deliver closing message for tunnel 41. Destroying anyway.
 |

 I have even tried swapping the [lac vpnclient] for [lac VPN.OFFICE.COM], it just served to prove that the config is read at the start up of xl2tpd. |  |
                                     | Back to top |                             |
                                      |   | 
                                     | salahx Guru
 
   Joined: 12 Mar 2005   Posts: 499
 
 |  Posted: Wed Sep 03, 2014 12:58 am   Post subject: |
 | The name used for the lac isn't important. It's not seeing the l2tp server again. Be sure the strongSwan connection is up, and try again. If it still won't work, stop strongswan and xl2tp, in another window do an "ip xfrm monitor", start strongswan and xl2tpd. Connect via strongSwan and the window "ip xfrm monitor" should display some stuff. Make a connection with xl2tpd-connect and more stuff will appear in the other window (warning: this command outputs the secret keys for the ipsec connection. The real keys have been replaced with 0's)

 Something like this:

 | Code: |
 Updated src 192.168.10.108 dst 192.168.10.17
 proto esp spi 0xc3e3e289 reqid 4 mode transport
 replay-window 32
 auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
 enc cbc(aes) 0x0000000000000000000000000000000
 sel src 192.168.10.108/32 dst 192.168.10.17/32
 src 192.168.10.17 dst 192.168.10.108
 proto esp spi 0xcdfbb1d9 reqid 4 mode transport
 replay-window 32
 auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96
 enc cbc(aes) 0x0000000000000000000000000000000
 sel src 192.168.10.17/32 dst 192.168.10.108/32
 src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
 dir out action block priority 7936 ptype main
 src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
 dir in action block priority 7936 ptype main
 Updated src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
 dir out priority 1792 ptype main
 tmpl src 0.0.0.0 dst 0.0.0.0
 proto esp reqid 4 mode transport
 Updated src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
 dir in priority 1792 ptype main
 tmpl src 0.0.0.0 dst 0.0.0.0
 proto esp reqid 4 mode transport
 Async event  (0x20)  timer expired
 src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
 Async event  (0x20)  timer expired
 src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
 Async event  (0x20)  timer expired
 src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
 Async event  (0x20)  timer expired
 src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
 Async event  (0x10)  replay update
 src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
 Async event  (0x10)  replay update
 src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
 Async event  (0x10)  replay update
 src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
 Async event  (0x10)  replay update
 src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
 Async event  (0x10)  replay update
 src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9
 Async event  (0x10)  replay update
 src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
 Async event  (0x10)  replay update
 src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289
 ....
 
 |  |  | 
                                      | Back to top |                             | 
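Added example (not part of the thread): a filter for "ip xfrm monitor" or "ip xfrm state" output that blanks the key material before the text is pasted anywhere, as the warning in the post above calls for, and reports whether the UDP/1701 policies ended up as ESP transport in each direction. The sample input is constructed with obviously fake keys and reuses the addresses from the post; the function names are this example's own.

```python
import re

AUTH_KEY = "0x" + "ab" * 20   # constructed 160-bit value, not a real key
ENC_KEY = "0x" + "cd" * 16    # constructed 128-bit value, not a real key

# Constructed sample in the layout of the output quoted in the post above.
SAMPLE = f"""\
Updated src 192.168.10.108 dst 192.168.10.17
    proto esp spi 0xc3e3e289 reqid 4 mode transport
    replay-window 32
    auth-trunc hmac(sha1) {AUTH_KEY} 96
    enc cbc(aes) {ENC_KEY}
    sel src 192.168.10.108/32 dst 192.168.10.17/32
src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
    dir out action block priority 7936 ptype main
src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
    dir in action block priority 7936 ptype main
Updated src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701
    dir out priority 1792 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 4 mode transport
Updated src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701
    dir in priority 1792 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 4 mode transport
"""

# Lines of an SA that carry key material: "<kind> <algorithm> 0x<hex> [len]".
KEY = re.compile(r"^(\s*(?:auth-trunc|auth|enc|aead)\s+\S+\s+)0x([0-9a-fA-F]+)(.*)$")
# Policy selector covering L2TP's UDP port.
SELECTOR = re.compile(r"src \S+ dst \S+ proto udp\b.*\b(?:sport|dport) 1701\b")
DIRECTION = re.compile(r"^\s*dir (in|out|fwd)\b(.*)$")


def redact(text):
    """Replace every key with a marker; return (redacted_text, keys_removed)."""
    out, count = [], 0
    for line in text.splitlines():
        m = KEY.match(line)
        if m:
            bits = 4 * len(m.group(2))
            line = f"{m.group(1)}0x<redacted {bits}-bit key>{m.group(3)}"
            count += 1
        out.append(line)
    return "\n".join(out), count


def l2tp_policies(text):
    """Map direction -> 'esp-transport' | 'block' | 'unprotected'.

    Later entries overwrite earlier ones, so the result reflects the
    last update seen for each direction.
    """
    lines = text.splitlines()
    result = {}
    for i, line in enumerate(lines):
        if not SELECTOR.search(line) or i + 1 >= len(lines):
            continue
        m = DIRECTION.match(lines[i + 1])
        if m is None:
            continue
        direction, rest = m.group(1), m.group(2)
        if "action block" in rest:
            state = "block"
        elif (i + 3 < len(lines)
              and lines[i + 2].lstrip().startswith("tmpl")
              and re.search(r"proto esp\b.*\bmode transport\b", lines[i + 3])):
            state = "esp-transport"
        else:
            state = "unprotected"
        result[direction] = state
    return result


if __name__ == "__main__":
    safe, removed = redact(SAMPLE)
    print(safe)
    print(f"{removed} key(s) redacted; policies: {l2tp_policies(SAMPLE)}")
```

SPIs and selectors are left in place because they are what a helper needs to read; only the hex after the algorithm name is removed.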
                                      |   | 