goalmarketing / vigor2130

Automatically exported from code.google.com/p/vigor2130
0 stars 0 forks source link

VPN not working, neider PPTP nor L2TP with V.1.5.1 RC #12

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
First, I enable the Enable IPSec VPN Service

Then I configured the IPSec Remote Dial-in with mobile VPN Type to L2TP/IPSec 
with shared secret and in the advanced security settings tab phase1 and phase 2 
to automatic.

Then I try to connect with a device with correct user-name/-password and a 
correct shared secret. I can not establish a connection. When trying to 
connenct over L2TP  it does not work, end ends up with an error:
ERROR: asynchronous network error report on br-wan (sport=4500) for message to 
212.95.7.5 port 25956, complainant 212.95.7.5: Connection refused [errno 111, 
origin ICMP type 3 code 3 (not authenticated)]

Whats wrong with it?

Starting Log of VPN Service and log on trying to connect here below.

On Starting up the L2TP Service, thy system log of vigor says:

Time    Level   Type    Message
Apr 6 13:36:26  info    syslog  syslogd started: BusyBox v1.11.2
Apr 6 13:36:33  notice  user    firewall: Restart user's custom iptables rules
Apr 6 13:36:37  notice  user    miniupnpd: removing firewall rules for br-wan from 
zone wan
Apr 6 13:36:37  notice  daemon  miniupnpd[3799]: HTTP listening on port 5000
Apr 6 13:36:38  notice  user    miniupnpd: adding firewall rules for br-wan to zone 
wan
Apr 6 13:36:41  err daemon  ipsec_setup: (/etc/ipsec.conf, line 23) cannot open 
configuration file \'/etc/ipsec.d/grocx.conf\' -- `stop' may not work
Apr 6 13:36:41  err daemon  ipsec_setup: ...Openswan IPsec stopped
Apr 6 13:36:41  err daemon  ipsec_setup: Stopping Openswan IPsec...
Apr 6 13:36:41  err daemon  ipsec_setup: stop ordered, but IPsec appear to be 
stopped already!
Apr 6 13:36:41  err daemon  ipsec_setup: doing cleanup anyway...
Apr 6 13:36:42  info    user    kernel: NET: Registered protocol family 15
Apr 6 13:36:42  warn    user    kernel: register netdev : ipsec0^M
Apr 6 13:36:42  warn    user    kernel: register netdev : ipsec1^M
Apr 6 13:36:42  warn    user    kernel: register netdev : ipsec2^M
Apr 6 13:36:42  warn    user    kernel: register netdev : ipsec3^M
Apr 6 13:36:42  info    user    kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 
(EALG_MAX=255, AALG_MAX=251)
Apr 6 13:36:42  info    user    kernel: klips_info:ipsec_alg_init: calling 
ipsec_alg_static_init()
Apr 6 13:36:42  warn    user    kernel: ipsec_aes_init(alg_type=15 alg_id=12 
name=aes): ret=0
Apr 6 13:36:42  debug   user    kernel: klips_debug: experimental ipsec_alg_AES_MAC 
not registered [Ok] (auth_id=0)
Apr 6 13:36:42  warn    user    kernel: ipsec_3des_init(alg_type=15 alg_id=3 
name=3des): ret=0
Apr 6 13:36:45  err daemon  ipsec_setup: KLIPS debug `none'
Apr 6 13:36:45  warn    user    kernel:
Apr 6 13:36:46  err daemon  ipsec_setup: KLIPS ipsec0 on br-wan 
62.178.180.202/255.255.255.0 broadcast 62.178.180.255
Apr 6 13:36:48  err authpriv    ipsec__plutorun: Starting Pluto subsystem...
Apr 6 13:36:48  err daemon  ipsec_setup: ...Openswan IPsec started
Apr 6 13:36:48  warn    authpriv    pluto[4170]: Starting Pluto (Openswan Version 
2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`fijAufQMD)
Apr 6 13:36:48  warn    authpriv    pluto[4170]: Setting NAT-Traversal port-4500 
floating to on
Apr 6 13:36:48  warn    authpriv    pluto[4170]: port floating activation criteria 
nat_t=1/port_fload=1
Apr 6 13:36:48  warn    authpriv    pluto[4170]: including NAT-Traversal patch 
(Version 0.6c)
Apr 6 13:36:48  info    authpriv    ipsec__plutorun: Unknown default RSA hostkey 
scheme, not generating a default hostkey
Apr 6 13:36:49  warn    authpriv    pluto[4170]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Apr 6 13:36:49  warn    authpriv    pluto[4170]: no helpers will be started, all 
cryptographic operations will be done inline
Apr 6 13:36:49  warn    authpriv    pluto[4170]: Using KLIPS IPsec interface code on 
2.6.23.17
Apr 6 13:36:49  warn    authpriv    pluto[4170]: Changing to directory '/etc/cacerts'
Apr 6 13:36:49  warn    authpriv    pluto[4170]: Could not change to directory 
'/etc/aacerts'
Apr 6 13:36:49  warn    authpriv    pluto[4170]: Could not change to directory 
'/etc/ocspcerts'
Apr 6 13:36:49  warn    authpriv    pluto[4170]: Could not change to directory 
'/etc/crls'
Apr 6 13:36:50  warn    authpriv    pluto[4170]: loading secrets from 
"/etc/ipsec.secrets"
Apr 6 13:36:50  warn    authpriv    pluto[4170]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"
Apr 6 13:36:50  err daemon  ipsec__plutorun: auto=add/route/start search: 
(/etc/ipsec.conf, line 23) cannot open configuration file 
\'/etc/ipsec.d/grocx.conf\'
Apr 6 13:36:50  err daemon  ipsec__plutorun: unable to determine what conns to 
add -- adding none
Apr 6 13:36:52  err daemon  ipsec__plutorun: auto=route/start search: 
(/etc/ipsec.conf, line 23) cannot open configuration file 
\'/etc/ipsec.d/grocx.conf\'
Apr 6 13:36:52  err daemon  ipsec__plutorun: unable to determine what conns to 
route -- routing none
Apr 6 13:36:53  err daemon  ipsec__plutorun: auto=start search: (/etc/ipsec.conf, 
line 23) cannot open configuration file \'/etc/ipsec.d/grocx.conf\'
Apr 6 13:36:53  err daemon  ipsec__plutorun: unable to determine what conns to 
start -- starting none
Apr 6 13:36:53  warn    authpriv    pluto[4170]: listening for IKE messages
Apr 6 13:36:53  warn    authpriv    pluto[4170]: adding interface ipsec0/br-wan 
62.178.180.202:500
Apr 6 13:36:53  warn    authpriv    pluto[4170]: adding interface ipsec0/br-wan 
62.178.180.202:4500
Apr 6 13:36:53  warn    authpriv    pluto[4170]: forgetting secrets
Apr 6 13:36:53  warn    authpriv    pluto[4170]: loading secrets from 
"/etc/ipsec.secrets"
Apr 6 13:36:53  warn    authpriv    pluto[4170]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"
Apr 6 13:37:58  crit    daemon  xl2tpd[5648]: setsockopt recvref: Protocol not 
available
Apr 6 13:37:58  info    daemon  xl2tpd[5648]: L2TP kernel support not detected.
Apr 6 13:37:58  info    daemon  xl2tpd[5649]: xl2tpd version xl2tpd-1.2.0 started on 
Vigor2130 PID:5649
Apr 6 13:37:58  info    daemon  xl2tpd[5649]: Written by Mark Spencer, Copyright (C) 
1998, Adtran, Inc.
Apr 6 13:37:58  info    daemon  xl2tpd[5649]: Forked by Scott Balmos and David 
Stipp, (C) 2001
Apr 6 13:37:58  info    daemon  xl2tpd[5649]: Inherited by Jeff McAdams, (C) 2002
Apr 6 13:37:58  info    daemon  xl2tpd[5649]: Forked again by Xelerance 
(www.xelerance.com) (C) 2006
Apr 6 13:37:58  info    daemon  xl2tpd[5649]: Listening on IP address 192.168.1.1, 
port 1701
Apr 6 13:38:00  warn    authpriv    pluto[4170]: shutting down
Apr 6 13:38:00  warn    authpriv    pluto[4170]: forgetting secrets
Apr 6 13:38:00  warn    authpriv    pluto[4170]: shutting down interface ipsec0/br-wan 
62.178.180.202:4500
Apr 6 13:38:00  warn    authpriv    pluto[4170]: shutting down interface ipsec0/br-wan 
62.178.180.202:500
Apr 6 13:38:02  crit    user    kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Apr 6 13:38:02  warn    user    kernel:
Apr 6 13:38:03  warn    user    kernel:
Apr 6 13:38:03  info    user    kernel: klips_info:pfkey_cleanup: shutting down PF_KEY 
domain sockets.
Apr 6 13:38:03  info    user    kernel: NET: Unregistered protocol family 15
Apr 6 13:38:03  info    user    kernel: klips_info:cleanup_module: ipsec module 
unloaded.
Apr 6 13:38:03  err daemon  ipsec_setup: ...Openswan IPsec stopped
Apr 6 13:38:03  err daemon  ipsec_setup: Stopping Openswan IPsec...
Apr 6 13:38:04  info    user    kernel: klips_info:ipsec_init: KLIPS startup, Openswan 
KLIPS IPsec stack version: 2.4.13
Apr 6 13:38:04  info    user    kernel: NET: Registered protocol family 15
Apr 6 13:38:04  warn    user    kernel: register netdev : ipsec0^M
Apr 6 13:38:04  warn    user    kernel: register netdev : ipsec1^M
Apr 6 13:38:04  warn    user    kernel: register netdev : ipsec2^M
Apr 6 13:38:04  warn    user    kernel: register netdev : ipsec3^M
Apr 6 13:38:04  info    user    kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 
(EALG_MAX=255, AALG_MAX=251)
Apr 6 13:38:04  info    user    kernel: klips_info:ipsec_alg_init: calling 
ipsec_alg_static_init()
Apr 6 13:38:04  warn    user    kernel: ipsec_aes_init(alg_type=15 alg_id=12 
name=aes): ret=0
Apr 6 13:38:04  debug   user    kernel: klips_debug: experimental ipsec_alg_AES_MAC 
not registered [Ok] (auth_id=0)
Apr 6 13:38:04  warn    user    kernel: ipsec_3des_init(alg_type=15 alg_id=3 
name=3des): ret=0
Apr 6 13:38:06  err daemon  ipsec_setup: KLIPS debug `none'
Apr 6 13:38:07  warn    user    kernel:
Apr 6 13:38:07  err daemon  ipsec_setup: KLIPS ipsec0 on br-wan 
62.178.180.202/255.255.255.0 broadcast 62.178.180.255
Apr 6 13:38:11  err authpriv    ipsec__plutorun: Starting Pluto subsystem...
Apr 6 13:38:11  err daemon  ipsec_setup: ...Openswan IPsec started
Apr 6 13:38:11  info    authpriv    ipsec__plutorun: Unknown default RSA hostkey 
scheme, not generating a default hostkey
Apr 6 13:38:11  warn    authpriv    pluto[6060]: Starting Pluto (Openswan Version 
2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`fijAufQMD)
Apr 6 13:38:11  warn    authpriv    pluto[6060]: Setting NAT-Traversal port-4500 
floating to on
Apr 6 13:38:11  warn    authpriv    pluto[6060]: port floating activation criteria 
nat_t=1/port_fload=1
Apr 6 13:38:11  warn    authpriv    pluto[6060]: including NAT-Traversal patch 
(Version 0.6c)
Apr 6 13:38:11  warn    authpriv    pluto[6060]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Apr 6 13:38:11  warn    authpriv    pluto[6060]: no helpers will be started, all 
cryptographic operations will be done inline
Apr 6 13:38:11  warn    authpriv    pluto[6060]: Using KLIPS IPsec interface code on 
2.6.23.17
Apr 6 13:38:11  warn    authpriv    pluto[6060]: Changing to directory '/etc/cacerts'
Apr 6 13:38:11  warn    authpriv    pluto[6060]: Could not change to directory 
'/etc/aacerts'
Apr 6 13:38:11  warn    authpriv    pluto[6060]: Could not change to directory 
'/etc/ocspcerts'
Apr 6 13:38:11  warn    authpriv    pluto[6060]: Could not change to directory 
'/etc/crls'
Apr 6 13:38:11  err daemon  ipsec_setup: Starting Openswan IPsec 2.4.13...
Apr 6 13:38:11  warn    authpriv    pluto[6060]: loading secrets from 
"/etc/ipsec.secrets"
Apr 6 13:38:11  warn    authpriv    pluto[6060]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"
Apr 6 13:38:17  warn    authpriv    pluto[6060]: added connection description 
"l2tp_psk"
Apr 6 13:38:18  warn    authpriv    pluto[6060]: added connection description 
"l2tp_psk_NAT"
Apr 6 13:38:19  warn    authpriv    pluto[6060]: listening for IKE messages
Apr 6 13:38:19  warn    authpriv    pluto[6060]: adding interface ipsec0/br-wan 
62.178.180.202:500
Apr 6 13:38:19  warn    authpriv    pluto[6060]: adding interface ipsec0/br-wan 
62.178.180.202:4500
Apr 6 13:38:19  warn    authpriv    pluto[6060]: forgetting secrets
Apr 6 13:38:19  warn    authpriv    pluto[6060]: loading secrets from 
"/etc/ipsec.secrets"
Apr 6 13:38:19  warn    authpriv    pluto[6060]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"

The system log of vigor on trying to connect says:

Time    Level   Type    Message
Apr 6 13:39:47  info    syslog  syslogd started: BusyBox v1.11.2
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: get 
VID_MACOSX ...
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
received Vendor ID payload [Mac OSX 10.x]
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but 
already using method 109
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but 
already using method 109
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but 
already using method 109
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: 
received Vendor ID payload [Dead Peer Detection]
Apr 6 13:39:53  warn    authpriv    pluto[6060]: packet from 212.95.7.5:23718: set 
forceencaps = 1
Apr 6 13:39:53  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: 
responding to Main Mode from unknown peer 212.95.7.5
Apr 6 13:39:53  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 6 13:39:53  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: 
STATE_MAIN_R1: sent MR1, expecting MI2
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: 
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: 
STATE_MAIN_R2: sent MR2, expecting MI3
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: ignoring 
informational payload, type IPSEC_INITIAL_CONTACT
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: Main 
mode peer ID is ID_IPV4_ADDR: '10.58.172.104'
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[1] 212.95.7.5 #1: switched 
from "l2tp_psk" to "l2tp_psk"
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[2] 212.95.7.5 #1: deleting 
connection "l2tp_psk" instance with peer 212.95.7.5 {isakmp=#0/ipsec=#0}
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[2] 212.95.7.5 #1: I did 
not send a certificate because I do not have one.
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[2] 212.95.7.5 #1: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[2] 212.95.7.5 #1: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=aes_256 prf=oakley_sha group=modp1024}
Apr 6 13:39:54  warn    authpriv    pluto[6060]: "l2tp_psk"[2] 212.95.7.5 #1: Dead 
Peer Detection (RFC 3706): enabled
Apr 6 13:39:56  warn    authpriv    pluto[6060]: "l2tp_psk_NAT"[1] 212.95.7.5 #2: 
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Apr 6 13:39:56  warn    authpriv    pluto[6060]: "l2tp_psk_NAT"[1] 212.95.7.5 #2: 
responding to Quick Mode {msgid:eb0f9998}
Apr 6 13:39:56  warn    authpriv    pluto[6060]: "l2tp_psk_NAT"[1] 212.95.7.5 #2: 
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 6 13:39:56  warn    authpriv    pluto[6060]: "l2tp_psk_NAT"[1] 212.95.7.5 #2: 
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 6 13:39:56  warn    authpriv    pluto[6060]: "l2tp_psk_NAT"[1] 212.95.7.5 #2: Dead 
Peer Detection (RFC 3706): enabled
Apr 6 13:39:56  warn    authpriv    pluto[6060]: "l2tp_psk_NAT"[1] 212.95.7.5 #2: 
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 6 13:39:56  warn    authpriv    pluto[6060]: "l2tp_psk_NAT"[1] 212.95.7.5 #2: 
STATE_QUICK_R2: IPsec SA established {ESP=>0x052189cd <0x3938e39b 
xfrm=AES_256-HMAC_SHA1 NATD=212.95.7.5:25956 DPD=enabled}
Apr 6 13:39:58  notice  daemon  xl2tpd[5649]: Connection established to 
212.95.7.5, 57849. Local: 31083, Remote: 27 (ref=0/0). LNS session is 'default'
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: [Get PPP_Num] : used ... ^H
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: [Get PPP_Num] : Assign ppp_num 650 
for in-coming call
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: start_pppd: I'm running:
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "/usr/sbin/pppd"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "passive"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "-detach"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "unit"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "650"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "192.168.1.61:192.168.1.62"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "refuse-pap"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "auth"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "require-chap"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "name"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "Vigor"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "file"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "/etc/ppp/options.l2tp"
Apr 6 13:39:58  debug   daemon  xl2tpd[5649]: "/dev/pts/1"
Apr 6 13:39:58  notice  daemon  xl2tpd[5649]: Call established with 212.95.7.5, 
Local: 8889, Remote: 531, Serial: 1
Apr 6 13:39:59  err daemon  pppd[8373]: The remote system is required to 
authenticate itself
Apr 6 13:39:59  err daemon  pppd[8373]: but I couldn't find any suitable secret 
(password) for it to use to do so.
Apr 6 13:39:59  debug   daemon  xl2tpd[5649]: child_handler : pppd exited for call 
531 with code 1
Apr 6 13:39:59  info    daemon  xl2tpd[5649]: call_close: Call 8889 to 212.95.7.5 
disconnected
Apr 6 13:39:59  debug   daemon  xl2tpd[5649]: result_code_avp: result code out of 
range (768 8889 14). Ignoring.
Apr 6 13:39:59  info    daemon  xl2tpd[5649]: control_finish: Connection closed to 
212.95.7.5, serial 1 ()
Apr 6 13:39:59  debug   daemon  xl2tpd[5649]: Untrustingly terminating pppd: 
sending KILL signal to pid 8373
Apr 6 13:39:59  debug   daemon  xl2tpd[5649]: pppd 8373 successfully terminated
Apr 6 13:40:04  notice  user    root: udp-broadcast-relay not start: can't find 
interface ...
Apr 6 13:40:04  debug   daemon  xl2tpd[5649]: result_code_avp: result code out of 
range (256 8889 14). Ignoring.
Apr 6 13:40:04  debug   daemon  xl2tpd[5649]: control_finish: Peer tried to 
disconnect without specifying result code.
Apr 6 13:40:11  warn    authpriv    pluto[6060]: ERROR: asynchronous network error 
report on br-wan (sport=4500) for message to 212.95.7.5 port 25956, complainant 
212.95.7.5: Connection refused [errno 111, origin ICMP type 3 code 3 (not 
authenticated)]

Original issue reported on code.google.com by johannes...@gmail.com on 6 Apr 2011 at 11:47

GoogleCodeExporter commented 8 years ago
1.5.1 RC1 have L2TP/IPSEC issue. Please upgrade firmware to RC2
http://code.google.com/p/vigor2130/downloads/detail?name=v2130_151RC2.7z&can=2&q
=

PPTP should be ok. please check if the user permission settings is correct.

Original comment by jht...@gmail.com on 7 Apr 2011 at 1:37

GoogleCodeExporter commented 8 years ago
in RC1 PPTP does not work too. Permissions are ok. I will try RC2 now.

Original comment by johannes...@gmail.com on 7 Apr 2011 at 7:28

GoogleCodeExporter commented 8 years ago
OK, first: Thank you for your answer!

I uploaded the C1.5.1_RC2 now, and L2TP is working ... YEEAAH!

But PPTP is still not working. The Client says: Server not reachable. Here I 
will post the System Log for you below.

The System Log:

Apr 7 10:16:20  info    daemon  pptpd[22823]: CTRL: Client 213.162.68.42 control 
connection started
Apr 7 10:16:20  info    daemon  pptpd[22823]: CTRL: Starting call (launching pppd, 
opening GRE)
Apr 7 10:16:20  debug   daemon  pptpd[22824]: [Get PPP_Num] : used ...
Apr 7 10:16:20  debug   daemon  pptpd[22824]: [Get PPP_Num] : Assign ppp_num 600 
for in-coming call
Apr 7 10:16:20  info    daemon  pppd[22824]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so 
loaded.
Apr 7 10:16:20  info    daemon  pptp[22824]: Plugin pptp.so loaded.
Apr 7 10:16:20  info    daemon  pptp[22824]: PPTP plugin version 0.8.5 compiled for 
pppd-2.4.4, linux-2.6.23.17
Apr 7 10:16:20  notice  daemon  pptp[22824]: pppd 2.4.4 started by root, uid 0
Apr 7 10:16:20  warn    user    kernel: register netdev : ppp600^M
Apr 7 10:16:21  info    daemon  pptp[22824]: Using interface ppp600
Apr 7 10:16:21  notice  daemon  pptp[22824]: Connect: ppp600 <--> pptp 
(213.162.68.42)
Apr 7 10:16:51  warn    daemon  pptp[22824]: LCP: timeout sending Config-Requests
Apr 7 10:16:51  notice  daemon  pptp[22824]: Connection terminated.
Apr 7 10:16:51  notice  daemon  pptp[22824]: Modem hangup
Apr 7 10:16:51  info    daemon  pptp[22824]: Exit.
Apr 7 10:16:51  debug   daemon  pptpd[22823]: CTRL: Reaping child PPP[22824]
Apr 7 10:16:51  info    daemon  pptpd[22823]: CTRL: Client pppd TERM sending
Apr 7 10:16:51  info    daemon  pptpd[22823]: CTRL: Client pppd finish wait
Apr 7 10:16:51  err daemon  pptpd[22823]: CTRL: EOF or bad error reading ctrl 
packet length.
Apr 7 10:16:51  err daemon  pptpd[22823]: CTRL: couldn't read packet header (exit)
Apr 7 10:16:51  warn    daemon  pptpd[22823]: CTRL: Fatal error reading control 
message in disconnect sequence
Apr 7 10:16:51  info    daemon  pptpd[22823]: CTRL: Client 213.162.68.42 control 
connection finished

Original comment by johannes...@gmail.com on 7 Apr 2011 at 8:21

GoogleCodeExporter commented 8 years ago
PPTP should be work fine.
Can you describe more detail ? PPTP dial in or dial out ? What is your cient / 
device ?
You can also try to change the Remote access control MPPE settings.

Original comment by jht...@gmail.com on 13 Apr 2011 at 3:20

GoogleCodeExporter commented 8 years ago
I use several iOS devices. No luck till now so far...

Original comment by johannes...@gmail.com on 2 May 2011 at 11:38

GoogleCodeExporter commented 8 years ago
and L2TP is only working for a very short time after starting the vpn service...

and... vpn dial in

Original comment by johannes...@gmail.com on 2 May 2011 at 11:41

GoogleCodeExporter commented 8 years ago
Can you try the latest 1.5.1 RC4 ?

Original comment by jht...@gmail.com on 4 May 2011 at 11:03

GoogleCodeExporter commented 8 years ago
OK, I gave it a try with 1.5.1 RC4.

PPTP still not working with iOS devices, but working with computers. 

L2TP: had to change the encryption mode in the IPSec Remote Dial-in tab to 
automatic. It worked so far now. But I have to check the duration of an stable 
connection. In the past L2TP refused its service after a while an it was not 
possible to establish a new connection.

I will report in a few hours how it worked out.

Original comment by johannes...@gmail.com on 4 May 2011 at 11:20

GoogleCodeExporter commented 8 years ago
So, testet it now. L2TP is still not stable. After some hours I can not connect 
as before with RC4

That is so annoying.....

Original comment by johannes...@gmail.com on 4 May 2011 at 7:53

GoogleCodeExporter commented 8 years ago
I mean RC3

Original comment by johannes...@gmail.com on 4 May 2011 at 7:54

GoogleCodeExporter commented 8 years ago
no, L2TP still not stable....

Log:
ipsec_setup: Stopping Openswan IPsec...
May 4 23:53:07  info    user    kernel: klips_info:ipsec_init: KLIPS startup, Openswan 
KLIPS IPsec stack version: 2.4.13
May 4 23:53:07  info    user    kernel: NET: Registered protocol family 15
May 4 23:53:07  warn    user    kernel: register netdev : ipsec0^M
May 4 23:53:07  warn    user    kernel: register netdev : ipsec1^M
May 4 23:53:07  warn    user    kernel: register netdev : ipsec2^M
May 4 23:53:07  warn    user    kernel: register netdev : ipsec3^M
May 4 23:53:07  info    user    kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 
(EALG_MAX=255, AALG_MAX=251)
May 4 23:53:07  info    user    kernel: klips_info:ipsec_alg_init: calling 
ipsec_alg_static_init()
May 4 23:53:07  warn    user    kernel: ipsec_aes_init(alg_type=15 alg_id=12 
name=aes): ret=0
May 4 23:53:07  debug   user    kernel: klips_debug: experimental ipsec_alg_AES_MAC 
not registered [Ok] (auth_id=0)
May 4 23:53:07  warn    user    kernel: ipsec_3des_init(alg_type=15 alg_id=3 
name=3des): ret=0
May 4 23:53:09  err daemon  ipsec_setup: KLIPS debug `none'
May 4 23:53:09  warn    user    kernel:
May 4 23:53:10  err daemon  ipsec_setup: KLIPS ipsec0 on br-wan 
62.178.180.202/255.255.255.0 broadcast 62.178.180.255
May 4 23:53:12  err authpriv    ipsec__plutorun: Starting Pluto subsystem...
May 4 23:53:12  err daemon  ipsec_setup: ...Openswan IPsec started
May 4 23:53:12  info    authpriv    ipsec__plutorun: Unknown default RSA hostkey 
scheme, not generating a default hostkey
May 4 23:53:12  warn    authpriv    pluto[26711]: Starting Pluto (Openswan Version 
2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`fijAufQMD)
May 4 23:53:12  warn    authpriv    pluto[26711]: Setting NAT-Traversal port-4500 
floating to on
May 4 23:53:12  warn    authpriv    pluto[26711]: port floating activation criteria 
nat_t=1/port_fload=1
May 4 23:53:12  warn    authpriv    pluto[26711]: including NAT-Traversal patch 
(Version 0.6c)
May 4 23:53:12  warn    authpriv    pluto[26711]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
May 4 23:53:13  warn    authpriv    pluto[26711]: no helpers will be started, all 
cryptographic operations will be done inline
May 4 23:53:13  warn    authpriv    pluto[26711]: Using KLIPS IPsec interface code on 
2.6.23.17
May 4 23:53:13  warn    authpriv    pluto[26711]: Changing to directory '/etc/cacerts'
May 4 23:53:13  warn    authpriv    pluto[26711]: Could not change to directory 
'/etc/aacerts'
May 4 23:53:13  warn    authpriv    pluto[26711]: Could not change to directory 
'/etc/ocspcerts'
May 4 23:53:13  warn    authpriv    pluto[26711]: Could not change to directory 
'/etc/crls'
May 4 23:53:13  err daemon  ipsec_setup: Starting Openswan IPsec 2.4.13...
May 4 23:53:13  warn    authpriv    pluto[26711]: loading secrets from 
"/etc/ipsec.secrets"
May 4 23:53:13  warn    authpriv    pluto[26711]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"
May 4 23:53:19  warn    authpriv    pluto[26711]: added connection description 
"l2tp_psk"
May 4 23:53:21  warn    authpriv    pluto[26711]: added connection description 
"l2tp_psk_NAT"
May 4 23:53:21  warn    authpriv    pluto[26711]: listening for IKE messages
May 4 23:53:21  warn    authpriv    pluto[26711]: adding interface ipsec0/br-wan 
62.178.180.202:500
May 4 23:53:21  warn    authpriv    pluto[26711]: adding interface ipsec0/br-wan 
62.178.180.202:4500
May 4 23:53:21  warn    authpriv    pluto[26711]: forgetting secrets
May 4 23:53:21  warn    authpriv    pluto[26711]: loading secrets from 
"/etc/ipsec.secrets"
May 4 23:53:21  warn    authpriv    pluto[26711]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [RFC 3947] method set to=109
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: get 
VID_MACOSX ...
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [Mac OSX 10.x]
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but 
already using method 109
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but 
already using method 109
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but 
already using method 109
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [Dead Peer Detection]
May 4 23:54:38  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: set 
forceencaps = 1
May 4 23:54:38  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #1: 
responding to Main Mode from unknown peer 212.95.7.59
May 4 23:54:38  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #1: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 4 23:54:38  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #1: 
STATE_MAIN_R1: sent MR1, expecting MI2
May 4 23:54:39  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #1: 
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May 4 23:54:39  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #1: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 4 23:54:39  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #1: 
STATE_MAIN_R2: sent MR2, expecting MI3
May 4 23:55:11  warn    authpriv    pluto[26711]: ERROR: asynchronous network error 
report on br-wan (sport=500) for message to 212.95.7.59 port 29212, complainant 
212.95.7.59: Connection refused [errno 111, origin ICMP type 3 code 3 (not 
authenticated)]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [RFC 3947] method set to=109
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: get 
VID_MACOSX ...
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [Mac OSX 10.x]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but 
already using method 109
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but 
already using method 109
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but 
already using method 109
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: 
received Vendor ID payload [Dead Peer Detection]
May 4 23:55:41  warn    authpriv    pluto[26711]: packet from 212.95.7.59:29212: set 
forceencaps = 1
May 4 23:55:41  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #2: 
responding to Main Mode from unknown peer 212.95.7.59
May 4 23:55:41  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #2: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 4 23:55:41  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #2: 
STATE_MAIN_R1: sent MR1, expecting MI2
May 4 23:55:42  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #2: 
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May 4 23:55:42  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #2: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 4 23:55:42  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #2: 
STATE_MAIN_R2: sent MR2, expecting MI3
May 4 23:55:49  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #1: max 
number of retransmissions (2) reached STATE_MAIN_R2
May 4 23:56:14  warn    authpriv    pluto[26711]: ERROR: asynchronous network error 
report on br-wan (sport=500) for message to 212.95.7.59 port 29212, complainant 
212.95.7.59: Connection refused [errno 111, origin ICMP type 3 code 3 (not 
authenticated)]
May 4 23:56:22  info    daemon  dnsmasq-dhcp[2905]: DHCPREQUEST(br-lan) 10.0.1.13 
34:15:9e:78:29:f2
May 4 23:56:22  info    daemon  dnsmasq-dhcp[2905]: DHCPACK(br-lan) 10.0.1.13 
34:15:9e:78:29:f2 ipbindmac3
May 4 23:56:52  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59 #2: max 
number of retransmissions (2) reached STATE_MAIN_R2
May 4 23:56:52  warn    authpriv    pluto[26711]: "l2tp_psk"[1] 212.95.7.59: deleting 
connection "l2tp_psk" instance with peer 212.95.7.59 {isakmp=#0/ipsec=#0}

Original comment by johannes...@gmail.com on 4 May 2011 at 10:01

GoogleCodeExporter commented 8 years ago
Is it possible that the L2TP problem has something to do with an instable IPSec 
?

May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Starting Pluto (Openswan 
Version 2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`fijAufQMD)

May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Setting NAT-Traversal 
port-4500 floating to on
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]:    port floating 
activation criteria nat_t=1/port_fload=1
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]:   including NAT-Traversal 
patch (Version 0.6c)
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: ike_alg_register_enc(): 
Activating OAKLEY_AES_CBC: Ok (ret=0)
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: no helpers will be 
started, all cryptographic operations will be done inline
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Using KLIPS IPsec 
interface code on 2.6.23.17

###### Here the problem starts?

May  9 10:13:23 Vigor2130 daemon.err ipsec_setup: Starting Openswan IPsec 
2.4.13...
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Changing to directory 
'/etc/cacerts'
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Could not change to 
directory '/etc/aacerts'
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Could not change to 
directory '/etc/ocspcerts'
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Could not change to 
directory '/etc/crls'

###### vigor is not able to allocate the specified folders...

May  9 10:13:24 Vigor2130 authpriv.warn pluto[20891]: loading secrets from 
"/etc/ipsec.secrets"
May  9 10:13:24 Vigor2130 authpriv.warn pluto[20891]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"
May  9 10:13:29 Vigor2130 authpriv.warn pluto[20891]: added connection 
description "l2tp_psk"
May  9 10:13:31 Vigor2130 authpriv.warn pluto[20891]: added connection 
description "l2tp_psk_NAT"
May  9 10:13:31 Vigor2130 authpriv.warn pluto[20891]: listening for IKE messages
May  9 10:13:31 Vigor2130 authpriv.warn pluto[20891]: adding interface 
ipsec0/br-wan 62.178.180.202:500
May  9 10:13:31 Vigor2130 authpriv.warn pluto[20891]: adding interface 
ipsec0/br-wan 62.178.180.202:4500
May  9 10:13:31 Vigor2130 authpriv.warn pluto[20891]: forgetting secrets
May  9 10:13:31 Vigor2130 authpriv.warn pluto[20891]: loading secrets from 
"/etc/ipsec.secrets"
May  9 10:13:31 Vigor2130 authpriv.warn pluto[20891]: loading secrets from 
"/etc/ipsec.d/grocx.secrets"

###### and what id that with the death_handler beyond?

May  9 10:18:18 Vigor2130 daemon.crit xl2tpd[20563]: death_handler: Fatal 
signal 15 received
May  9 10:18:18 Vigor2130 daemon.crit xl2tpd[27130]: setsockopt recvref: 
Protocol not available
May  9 10:18:18 Vigor2130 daemon.info xl2tpd[27130]: L2TP kernel support not 
detected.
May  9 10:18:18 Vigor2130 daemon.info xl2tpd[27131]: xl2tpd version 
xl2tpd-1.2.0 started on Vigor2130 PID:27131
May  9 10:18:18 Vigor2130 daemon.info xl2tpd[27131]: Written by Mark Spencer, 
Copyright (C) 1998, Adtran, Inc.
May  9 10:18:18 Vigor2130 daemon.info xl2tpd[27131]: Forked by Scott Balmos and 
David Stipp, (C) 2001
May  9 10:18:18 Vigor2130 daemon.info xl2tpd[27131]: Inherited by Jeff McAdams, 
(C) 2002
May  9 10:18:18 Vigor2130 daemon.info xl2tpd[27131]: Forked again by Xelerance 
(www.xelerance.com) (C) 2006
May  9 10:18:18 Vigor2130 daemon.info xl2tpd[27131]: Listening on IP address 
10.0.1.1, port 1701

###### and here it can not open the configuration file...

May  9 10:18:20 Vigor2130 daemon.err ipsec_setup: (/etc/ipsec.conf, line 23) 
cannot open configuration file \'/etc/ipsec.d/grocx.conf\' -- `stop' may not 
work

May  9 10:18:21 Vigor2130 authpriv.warn pluto[20891]: shutting down
May  9 10:18:21 Vigor2130 authpriv.warn pluto[20891]: forgetting secrets
May  9 10:18:21 Vigor2130 authpriv.warn pluto[20891]: "l2tp_psk_NAT": deleting 
connection
May  9 10:18:21 Vigor2130 authpriv.warn pluto[20891]: "l2tp_psk": deleting 
connection
May  9 10:18:21 Vigor2130 authpriv.warn pluto[20891]: shutting down interface 
ipsec0/br-wan 62.178.180.202:4500
May  9 10:18:21 Vigor2130 authpriv.warn pluto[20891]: shutting down interface 
ipsec0/br-wan 62.178.180.202:500
May  9 10:18:22 Vigor2130 user.info : whack: read() failed (104 Connection 
reset by peer)
May  9 10:18:23 Vigor2130 user.crit kernel: IPSEC EVENT: KLIPS device ipsec0 
shut down.
May  9 10:18:23 Vigor2130 user.warn kernel: 
May  9 10:18:24 Vigor2130 user.warn kernel: 
May  9 10:18:24 Vigor2130 user.info kernel: klips_info:pfkey_cleanup: shutting 
down PF_KEY domain sockets.
May  9 10:18:24 Vigor2130 user.info kernel: NET: Unregistered protocol family 15
May  9 10:18:24 Vigor2130 user.info kernel: klips_info:cleanup_module: ipsec 
module unloaded.
May  9 10:18:25 Vigor2130 daemon.err ipsec_setup: ...Openswan IPsec stopped

###### and openswan IPsec stopped...

May  9 10:18:25 Vigor2130 daemon.err ipsec_setup: Stopping Openswan IPsec...

Original comment by johannes...@gmail.com on 9 May 2011 at 8:28

GoogleCodeExporter commented 8 years ago
the grocx.conf file does not exist in the path /etc/ipsec.d/grocx.conf

Original comment by johannes...@gmail.com on 9 May 2011 at 8:32

GoogleCodeExporter commented 8 years ago
May  9 10:13:23 Vigor2130 daemon.err ipsec_setup: Starting Openswan IPsec 
2.4.13...
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Changing to directory 
'/etc/cacerts'
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Could not change to 
directory '/etc/aacerts'
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Could not change to 
directory '/etc/ocspcerts'
May  9 10:13:23 Vigor2130 authpriv.warn pluto[20891]: Could not change to 
directory '/etc/crls'

and should not be the path to aacerts, ocspcerts and crls and cacerts in 
/etc/ipsec.d instead of /etc ?

Original comment by johannes...@gmail.com on 9 May 2011 at 8:35

GoogleCodeExporter commented 8 years ago
L2TP working again...

I added 3 symbolic links in the folder /etc

1. ln -s ipsec.d/aacerts aacerts
2. ln -s ipsec.d/ocspcerts ocspcerts
3. ln -s ipsec.d/crls crls

and L2TP is working so far now. 

It still says: 

May  9 12:08:53 Vigor2130 authpriv.warn pluto[6093]:   could not open crl file 
'ocspcertscrls'

but I have no idea, where the file should be placed and what it should contain.

Original comment by johannes...@gmail.com on 9 May 2011 at 10:13

GoogleCodeExporter commented 8 years ago
2130 doesn't support certificate now.
You need to use pre-shared key. But I don't know how to set this in the iOS.

Original comment by jht...@gmail.com on 9 May 2011 at 10:19

GoogleCodeExporter commented 8 years ago
I don't use a certificate. I use a preshared key. But something is wrong with 
ipsec, so that the l2tp over ipsec service crashes and so after a while l2tp is 
not working any more. i read on another website, that the l2tp issue is caused 
by ipsec

Original comment by johannes...@gmail.com on 9 May 2011 at 10:21

GoogleCodeExporter commented 8 years ago
and as I can see in the log, openswan has some issues

Original comment by johannes...@gmail.com on 9 May 2011 at 10:22

GoogleCodeExporter commented 8 years ago
the problem is not, that it is not working, the problem is, that is not working 
anymore after a day....

so first it works, but after a day l2tp is not working any more. so I have to 
restart l2tp over ipsec every day...

Original comment by johannes...@gmail.com on 9 May 2011 at 10:26

GoogleCodeExporter commented 8 years ago
the problem is: OpenSWAN crashes after a while.... WHY????

Original comment by johannes...@gmail.com on 9 May 2011 at 10:34

GoogleCodeExporter commented 8 years ago
So, yesterday VPN via L2TP over IPSec worked. Today... does not work any 
more.... as usual.

So here is the log of the not working try to connect:

 __     ___                    ____  _ _____  ___
 \ \   / (_) __ _  ___  _ __  |___ \/ |___ / / _ \
  \ \ / /| |/ _` |/ _ \| '__|   __) | | |_ \| | | |
   \ V / | | (_| | (_) | |     / __/| |___) | |_| |
    \_/  |_|\__, |\___/|_|    |_____|_|____/ \___/
            |___/
 Firmware version ("v1.5.1_RC4")

 ---------------------------------------------------
root@Vigor2130:~# readlog
-ash: readlog: not found
root@Vigor2130:~# logread -f
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: received Vendor ID payload [RFC 3947] method set to=109 
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: get VID_MACOSX ...
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: received Vendor ID payload [Mac OSX 10.x]
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: ignoring unknown Vendor ID payload 
[8f8d83826d246b6fc7a8a6a428c11de8]
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: ignoring unknown Vendor ID payload 
[439b59f8ba676c4c7737ae22eab8f582]
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: ignoring unknown Vendor ID payload 
[4d1e0e136deafa34c4f3ea9f02ec7285]
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: ignoring unknown Vendor ID payload 
[80d0bb3def54565ee84645d4c85ce3ee]
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: ignoring unknown Vendor ID payload 
[9909b64eed937c6573de52ace952fa6b]
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
meth=108, but already using method 109
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
meth=107, but already using method 109
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
meth=106, but already using method 109
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: received Vendor ID payload [Dead Peer Detection]
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: packet from 
212.95.7.6:31137: set forceencaps = 1 
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: responding to Main Mode from unknown peer 212.95.7.6
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: STATE_MAIN_R1: sent MR1, expecting MI2
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: STATE_MAIN_R2: sent MR2, expecting MI3
May 10 12:25:54 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#71: max number of retransmissions (2) reached STATE_MAIN_R2
May 10 12:26:04 Vigor2130 authpriv.warn pluto[7565]: ERROR: asynchronous 
network error report on br-wan (sport=500) for message to 212.95.7.6 port 
31137, complainant 212.95.7.6: Connection refused [errno 111, origin ICMP type 
3 code 3 (not authenticated)]

Original comment by johannes...@gmail.com on 10 May 2011 at 10:28

GoogleCodeExporter commented 8 years ago
So, restartet L2TP over IPSec now. I have nothing changed on the client and now 
it works again. Maybe you can see something important in the log of the now 
working connection:

 __     ___                    ____  _ _____  ___
 \ \   / (_) __ _  ___  _ __  |___ \/ |___ / / _ \
  \ \ / /| |/ _` |/ _ \| '__|   __) | | |_ \| | | |
   \ V / | | (_| | (_) | |     / __/| |___) | |_| |
    \_/  |_|\__, |\___/|_|    |_____|_|____/ \___/
            |___/
 Firmware version ("v1.5.1_RC4")

 ---------------------------------------------------
root@Vigor2130:~# logread -f
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: received Vendor ID payload [RFC 3947] method set to=109 
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: get VID_MACOSX ...
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: received Vendor ID payload [Mac OSX 10.x]
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: ignoring unknown Vendor ID payload 
[8f8d83826d246b6fc7a8a6a428c11de8]
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: ignoring unknown Vendor ID payload 
[439b59f8ba676c4c7737ae22eab8f582]
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: ignoring unknown Vendor ID payload 
[4d1e0e136deafa34c4f3ea9f02ec7285]
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: ignoring unknown Vendor ID payload 
[80d0bb3def54565ee84645d4c85ce3ee]
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: ignoring unknown Vendor ID payload 
[9909b64eed937c6573de52ace952fa6b]
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
meth=108, but already using method 109
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
meth=107, but already using method 109
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
meth=106, but already using method 109
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: received Vendor ID payload [Dead Peer Detection]
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: packet from 
212.95.7.6:31138: set forceencaps = 1 
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: responding to Main Mode from unknown peer 212.95.7.6
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: STATE_MAIN_R1: sent MR1, expecting MI2
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP1024 took 220770 usec
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: STATE_MAIN_R2: sent MR2, expecting MI3
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: Main mode peer ID is ID_IPV4_ADDR: '10.2.29.224'
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: switched from "l2tp_psk" to "l2tp_psk"
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: deleting connection "l2tp_psk" instance with peer 212.95.7.6 
{isakmp=#0/ipsec=#0}
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: I did not send a certificate because I do not have one.
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=aes_256 prf=oakley_sha group=modp1024}
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: Dead Peer Detection (RFC 3706): enabled
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: responding to Quick Mode {msgid:6aade197}
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting 
QI2
May 10 12:31:29 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: Dead Peer Detection (RFC 3706): enabled
May 10 12:31:29 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 10 12:31:29 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x084fa529 
<0x61ee7efc xfrm=AES_256-HMAC_SHA1 NATD=212.95.7.6:31234 DPD=enabled}
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: control_finish: Peer 
requested tunnel 4 twice, ignoring second one.
May 10 12:31:30 Vigor2130 daemon.notice xl2tpd[17188]: Connection established 
to 212.95.7.6, 55033.  Local: 20012, Remote: 4 (ref=0/0).  LNS session is 
'default'
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: [Get PPP_Num] : used ... 
^H
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: [Get PPP_Num] : Assign 
ppp_num 650 for in-coming call
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: start_pppd: I'm running: 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "/usr/sbin/pppd" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "passive" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "-detach" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "unit" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "650" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "10.0.1.31:10.0.1.32" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "refuse-pap" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "auth" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "require-chap" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "name" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "Vigor" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "file" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "/etc/ppp/options.l2tp" 
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: "/dev/pts/1" 
May 10 12:31:30 Vigor2130 daemon.notice xl2tpd[17188]: Call established with 
212.95.7.6, Local: 23139, Remote: 127, Serial: 1
May 10 12:31:30 Vigor2130 daemon.notice pppd[29562]: pppd 2.4.4 started by 
root, uid 0
May 10 12:31:30 Vigor2130 user.warn kernel: register netdev : ppp650^M
May 10 12:31:30 Vigor2130 daemon.info pppd[29562]: Using interface ppp650
May 10 12:31:30 Vigor2130 daemon.notice pppd[29562]: Connect: ppp650 <--> 
/dev/pts/1
May 10 12:31:34 Vigor2130 daemon.info pppd[29562]: found interface br-lan for 
proxy arp
May 10 12:31:34 Vigor2130 daemon.notice pppd[29562]: local  IP address 10.0.1.31
May 10 12:31:34 Vigor2130 daemon.notice pppd[29562]: remote IP address 10.0.1.32
May 10 12:31:34 Vigor2130 daemon.info dnsmasq-dhcp[17530]: DHCPINFORM(ppp650) 
10.0.1.32 00:00:00:01:00:00 
May 10 12:31:34 Vigor2130 daemon.info dnsmasq-dhcp[17530]: DHCPACK(ppp650) 
10.0.1.32 00:00:00:01:00:00 
May 10 12:31:39 Vigor2130 user.notice root: udp-broadcast-relay 1 137 br-lan 
ppp650 

Original comment by johannes...@gmail.com on 10 May 2011 at 10:33

GoogleCodeExporter commented 8 years ago
The problem is NOT the client-mashine. Within these two connection-tests I have 
not changed anything on the client.
The issue is caused by to the router!!!
Please fix this bug as quick as possible !!!! Thanks.

the difference i can see seems to be here:
authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 #72    instead of     
authpriv.warn pluto[28217]:  "l2tp_psk"[1] 212.95.7.6 #1

#######################
#NOT WORKING LOG-PART:#
#######################
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: responding to Main Mode from unknown peer 212.95.7.6
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: STATE_MAIN_R1: sent MR1, expecting MI2
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 10 12:25:33 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#72: STATE_MAIN_R2: sent MR2, expecting MI3
May 10 12:25:54 Vigor2130 authpriv.warn pluto[7565]: "l2tp_psk"[46] 212.95.7.6 
#71: max number of retransmissions (2) reached STATE_MAIN_R2
May 10 12:26:04 Vigor2130 authpriv.warn pluto[7565]: ERROR: asynchronous 
network error report on br-wan (sport=500) for message to 212.95.7.6 port 
31137, complainant 212.95.7.6: Connection refused [errno 111, origin ICMP type 
3 code 3 (not authenticated)]

###################
#WORKING LOG-PART:#
###################
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: responding to Main Mode from unknown peer 212.95.7.6
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: STATE_MAIN_R1: sent MR1, expecting MI2
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP1024 took 220770 usec
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 10 12:31:26 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: STATE_MAIN_R2: sent MR2, expecting MI3
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: Main mode peer ID is ID_IPV4_ADDR: '10.2.29.224'
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[1] 212.95.7.6 
#1: switched from "l2tp_psk" to "l2tp_psk"
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: deleting connection "l2tp_psk" instance with peer 212.95.7.6 
{isakmp=#0/ipsec=#0}
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: I did not send a certificate because I do not have one.
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=aes_256 prf=oakley_sha group=modp1024}
May 10 12:31:27 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk"[2] 212.95.7.6 
#1: Dead Peer Detection (RFC 3706): enabled
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: responding to Quick Mode {msgid:6aade197}
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 10 12:31:28 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting 
QI2
May 10 12:31:29 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: Dead Peer Detection (RFC 3706): enabled
May 10 12:31:29 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 10 12:31:29 Vigor2130 authpriv.warn pluto[28217]: "l2tp_psk_NAT"[1] 
212.95.7.6 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x084fa529 
<0x61ee7efc xfrm=AES_256-HMAC_SHA1 NATD=212.95.7.6:31234 DPD=enabled}
May 10 12:31:30 Vigor2130 daemon.debug xl2tpd[17188]: control_finish: Peer 
requested tunnel 4 twice, ignoring second one.
May 10 12:31:30 Vigor2130 daemon.notice xl2tpd[17188]: Connection established 
to 212.95.7.6, 55033.  Local: 20012, Remote: 4 (ref=0/0).  LNS session is 
'default'

Original comment by johannes...@gmail.com on 10 May 2011 at 10:46

GoogleCodeExporter commented 8 years ago
######################################################
############## MAYBE THAT HELPS                #################
######################################################

I found a difference in the working service and the broken service in ipsec

with the command : ipsec auto --status there is a BIG BIG difference. on a 
working service the connections l2tp_psk and l2tp_psk_NAT is doubled with an 
array index.
see the logs below

#######################
##### NOT WORKING ######
#######################

000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} 
attrs={0,0,0} 
000  
000 "l2tp_psk": 62.178.180.202:17/1701...%any:17/%any; unrouted; eroute owner: 
#0
000 "l2tp_psk":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec 
_updown;
000 "l2tp_psk":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "l2tp_psk":   policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: 
br-wan; encap: esp;
000 "l2tp_psk":   dpd: action:hold; delay:15; timeout:30; 
000 "l2tp_psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "l2tp_psk_NAT": 62.178.180.202:17/1701...%virtual:17/%any===?; unrouted; 
eroute owner: #0
000 "l2tp_psk_NAT":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "l2tp_psk_NAT":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "l2tp_psk_NAT":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; 
interface: br-wan; encap: esp;
000 "l2tp_psk_NAT":   dpd: action:hold; delay:15; timeout:30; 
000 "l2tp_psk_NAT":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000  
000  

#######################
####### WORKING ########
#######################

000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} 
attrs={0,0,0} 
000  
000 "l2tp_psk": 62.178.180.202:17/1701...%any:17/%any; unrouted; eroute owner: 
#0
000 "l2tp_psk":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec 
_updown;
000 "l2tp_psk":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "l2tp_psk":   policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: 
br-wan; encap: esp;
000 "l2tp_psk":   dpd: action:hold; delay:15; timeout:30; 
000 "l2tp_psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "l2tp_psk"[8]: 
62.178.180.202:17/1701...213.162.68.43[10.3.115.216]:17/%any; unrouted; eroute 
owner: #0
000 "l2tp_psk"[8]:     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "l2tp_psk"[8]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "l2tp_psk"[8]:   policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: 
br-wan; encap: esp;
000 "l2tp_psk"[8]:   dpd: action:hold; delay:15; timeout:30; 
000 "l2tp_psk"[8]:   newest ISAKMP SA: #8; newest IPsec SA: #0; 
000 "l2tp_psk"[8]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
000 "l2tp_psk_NAT": 62.178.180.202:17/1701...%virtual:17/%any===?; unrouted; 
eroute owner: #0
000 "l2tp_psk_NAT":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "l2tp_psk_NAT":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "l2tp_psk_NAT":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; 
interface: br-wan; encap: esp;
000 "l2tp_psk_NAT":   dpd: action:hold; delay:15; timeout:30; 
000 "l2tp_psk_NAT":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "l2tp_psk_NAT"[1]: 
62.178.180.202:17/1701...213.162.68.43[10.3.115.216]:17/62483; erouted; eroute 
owner: #9
000 "l2tp_psk_NAT"[1]:     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "l2tp_psk_NAT"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 3
000 "l2tp_psk_NAT"[1]:   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; 
interface: br-wan; encap: esp;
000 "l2tp_psk_NAT"[1]:   dpd: action:hold; delay:15; timeout:30; 
000 "l2tp_psk_NAT"[1]:   newest ISAKMP SA: #0; newest IPsec SA: #9; 
000  
000 #8: "l2tp_psk"[8] 213.162.68.43:28860 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
established); EVENT_SA_EXPIRE in 3574s; newest ISAKMP; lastdpd=9s(seq in:25945 
out:0)
000 #9: "l2tp_psk_NAT"[1] 213.162.68.43:28860 STATE_QUICK_R2 (IPsec SA 
established); EVENT_SA_EXPIRE in 3576s; newest IPSEC; eroute owner
000 #9: "l2tp_psk_NAT"[1] 213.162.68.43 esp.13ec8fe@213.162.68.43 
esp.e8725f7f@62.178.180.202

Original comment by johannes...@gmail.com on 11 May 2011 at 10:22

GoogleCodeExporter commented 8 years ago
Is your client behind NAT ?
Do you have more than one client behind the same NAT ?

You can refer to
http://lists.openswan.org/pipermail/users/2007-March/012170.html

Original comment by jht...@gmail.com on 12 May 2011 at 1:11

GoogleCodeExporter commented 8 years ago
My Client is not behind a nat. And this can't be the problem, because it IS 
WORKING FOR A WHILE. But it STOPS WORKING AFTER A WHILE.

Original comment by johannes...@gmail.com on 28 May 2011 at 1:25

GoogleCodeExporter commented 8 years ago
Now the restart ipsec command says:

root@Vigor2130:/etc/ipsec.d# ipsec setup restart
ipsec_setup: Superuser is recommended for IPSEC daemon

ipsec_setup: Stopping Openswan IPsec...

ipsec_setup: rmmod: ipsec: Resource temporarily unavailable

insmod: cannot insert '/lib/modules/2.6.23.17/ipsec.ko': File exists (-1): File 
exists
ipsec_setup: Superuser is recommended for IPSEC daemon

ipsec_setup: Starting Openswan IPsec 2.4.13...

root@Vigor2130:/etc/ipsec.d# 

Original comment by johannes...@gmail.com on 28 May 2011 at 10:45

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
VERY INTERESTING:

after restarting p2tp and pptp through the web-interface and then using the 
ipsec setup restart command aggain somthing changes: no error with 
2.6.23.17/ipsec.ko

root@Vigor2130:/sbin# ipsec setup restart
ipsec_setup: Superuser is recommended for IPSEC daemon

ipsec_setup: Stopping Openswan IPsec...

ipsec_setup: Superuser is recommended for IPSEC daemon

ipsec_setup: Starting Openswan IPsec 2.4.13...

root@Vigor2130:/sbin# 

Original comment by johannes...@gmail.com on 29 May 2011 at 12:23

GoogleCodeExporter commented 8 years ago
I turned on plutodebug=all and it gives a very long log. but in the end it says:

Jun  9 15:10:16 Vigor2130 authpriv.debug pluto[8757]: | 
pfkey_lib_debug:pfkey_msg_parse: Extension 28(X-NAT-T-dport) parsed. 
Jun  9 15:10:16 Vigor2130 authpriv.debug pluto[8757]: | 
pfkey_lib_debug:pfkey_msg_parse: parsing ext type=29(X-NAT-T-OA) remain=4. 
Jun  9 15:10:16 Vigor2130 authpriv.debug pluto[8757]: | 
pfkey_lib_debug:pfkey_msg_parse: remain=4 ext_type=29(X-NAT-T-OA) ext_len=1 
parsing ext 0p0xb6820 with parser pfkey_x_ext_nat_t_port_parse. 
Jun  9 15:10:16 Vigor2130 authpriv.debug pluto[8757]: | 
pfkey_lib_debug:pfkey_msg_parse: Extension 29(X-NAT-T-OA) parsed. 
Jun  9 15:10:16 Vigor2130 daemon.err ipsec__plutorun: Segmentation fault
Jun  9 15:10:16 Vigor2130 daemon.err ipsec__plutorun: !pluto failure!:  exited 
with error status 139 (signal 11)
Jun  9 15:10:16 Vigor2130 daemon.err ipsec__plutorun: restarting IPsec after 
pause...
Jun  9 15:10:24 Vigor2130 user.info : whack: is Pluto running?  connect() for 
"/var/run/pluto/pluto.ctl" failed (111 Connection refused)

Original comment by johannes...@gmail.com on 9 Jun 2011 at 1:12

GoogleCodeExporter commented 8 years ago
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | *received whack message
Jun  9 15:13:06 Vigor2130 authpriv.warn pluto[12848]: listening for IKE messages
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | found lo with address 
127.0.0.1
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | found br-lan with 
address 192.168.1.1
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | found br-wan with 
address 62.178.180.202
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | found ipsec0 with 
address 62.178.180.202
Jun  9 15:13:06 Vigor2130 authpriv.warn pluto[12848]: adding interface 
ipsec0/br-wan 62.178.180.202:500
Jun  9 15:13:06 Vigor2130 authpriv.warn pluto[12848]: adding interface 
ipsec0/br-wan 62.178.180.202:4500
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | IP interface br-lan 
192.168.1.1 has no matching ipsec* interface -- ignored
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | IP interface lo 
127.0.0.1 has no matching ipsec* interface -- ignored
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | found br-lan with 
address 2000:0000:0000:0000:0000:0000:0000:0001
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | found lo with address 
0000:0000:0000:0000:0000:0000:0000:0001
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | IP interface lo ::1 
has no matching ipsec* interface -- ignored
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | IP interface br-lan 
2000::1 has no matching ipsec* interface -- ignored
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | connect_to_host_pair: 
62.178.180.202:500 0.0.0.0:500 -> hp:none 
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | find_host_pair: 
comparing to 62.178.180.202:500 0.0.0.0:500 
Jun  9 15:13:06 Vigor2130 authpriv.debug pluto[12848]: | connect_to_host_pair: 
62.178.180.202:500 0.0.0.0:500 -> hp:l2tp_psk_NAT 

Original comment by johannes...@gmail.com on 9 Jun 2011 at 1:14

GoogleCodeExporter commented 8 years ago
So pleas don't tell me all the time that my client is the problem or a nat.

the problem seems to be pluto, which is part of the router-system (vpn-server):

Jun  9 15:28:35 Vigor2130 daemon.err ipsec__plutorun: Segmentation fault
Jun  9 15:28:35 Vigor2130 daemon.err ipsec__plutorun: !pluto failure!:  exited 
with error status 139 (signal 11)
Jun  9 15:28:35 Vigor2130 daemon.err ipsec__plutorun: restarting IPsec after 
pause...
Jun  9 15:28:38 Vigor2130 user.info : whack: is Pluto running?  connect() for 
"/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jun  9 15:28:41 Vigor2130 user.info : whack: is Pluto running?  connect() for 
"/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Jun  9 15:28:41 Vigor2130 user.info : whack: is Pluto running?  connect() for 
"/var/run/pluto/pluto.ctl" failed (111 Connection refused)

Original comment by johannes...@gmail.com on 9 Jun 2011 at 1:30

GoogleCodeExporter commented 8 years ago
It seems you have similar issue with the bug
http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg509564.html

Can you try to modify the ipsec configuration file : /etc/ipsec.conf

Modify the line

nat_traversal=yes

to

#nat_traversal=yes

Original comment by jht...@gmail.com on 13 Jun 2011 at 7:04

GoogleCodeExporter commented 8 years ago
I tried it, but now VPN is not working any more in a sly condition. I really 
don't know what's wrong with that piece of crap. since I have this router I 
only do have troubles. I thought draytek would be a good choice because it is a 
well known company, but with the vigor 2130 draytek really made a bad product. 
disksharig does not work any more. VPN does not work any more. transmission 
does not work anymore. and all that without changing anything. I did not change 
a thing and one service after the other stops working.

I am really dissapointed about that. 

Original comment by johannes...@gmail.com on 17 Jun 2011 at 10:45