goalmarketing / vigor2130

Automatically exported from code.google.com/p/vigor2130

VPN L2TP/IPsec with Firmware 1.5.1 Final STILL NOT WORKING #30

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I did a clean FW upgrade with the .rst file, which is meant for corrupted firmwares.
But that did not change anything either: VPN still does not work, not even with
the final RC of FW 1.5.1.

Now I also tried to connect to the VPN SERVER (the Vigor) from within the local LAN;
that does not work either. Within the LAN the Vigor does not even recognize any VPN
request from the client.

Here again the logread from the connection testing with an absolutely clean
installation of the router:

Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: received Vendor ID payload [RFC 3947] method set to=109 
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: get VID_MACOSX ...
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: received Vendor ID payload [Mac OSX 10.x]
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: ignoring unknown Vendor ID payload 
[8f8d83826d246b6fc7a8a6a428c11de8]
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: ignoring unknown Vendor ID payload 
[439b59f8ba676c4c7737ae22eab8f582]
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: ignoring unknown Vendor ID payload 
[4d1e0e136deafa34c4f3ea9f02ec7285]
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: ignoring unknown Vendor ID payload 
[80d0bb3def54565ee84645d4c85ce3ee]
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: ignoring unknown Vendor ID payload 
[9909b64eed937c6573de52ace952fa6b]
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
meth=108, but already using method 109
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
meth=107, but already using method 109
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
meth=106, but already using method 109
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: received Vendor ID payload [Dead Peer Detection]
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: packet from 
212.95.7.115:7010: set forceencaps = 1 
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: responding to Main Mode from unknown peer 212.95.7.115
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are 
NATed
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: Main mode peer ID is ID_IPV4_ADDR: '10.2.19.241'
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 
212.95.7.115 #3: switched from "l2tp_psk" to "l2tp_psk"
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115 #3: deleting connection "l2tp_psk" instance with peer 212.95.7.115 
{isakmp=#0/ipsec=#0}
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115 #3: I did not send a certificate because I do not have one.
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115 #3: Dead Peer Detection (RFC 3706): enabled
Jun 18 15:12:53 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 18 15:12:53 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: responding to Quick Mode {msgid:d7bf9973}
Jun 18 15:12:53 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 18 15:12:53 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, 
expecting QI2
Jun 18 15:12:54 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: Dead Peer Detection (RFC 3706): enabled
Jun 18 15:12:54 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 18 15:12:54 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x0af924b5 
<0xdc934b7a xfrm=AES_256-HMAC_SHA1 NATD=212.95.7.115:7794 DPD=enabled}
Jun 18 15:12:56 Vigor2130 daemon.debug xl2tpd[12383]: control_finish: Peer 
requested tunnel 13 twice, ignoring second one.
Jun 18 15:12:56 Vigor2130 daemon.debug xl2tpd[12383]: control_finish: Peer 
requested tunnel 13 twice, ignoring second one.
Jun 18 15:12:57 Vigor2130 daemon.notice xl2tpd[12383]: Connection established 
to 212.95.7.115, 49922.  Local: 56492, Remote: 13 (ref=0/0).  LNS session is 
'default'
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: [Get PPP_Num] : used ... 
^H
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: [Get PPP_Num] : Assign 
ppp_num 650 for in-coming call
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: start_pppd: I'm running: 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "/usr/sbin/pppd" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "passive" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "-detach" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "unit" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "650" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: 
"192.168.1.221:192.168.1.222" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "refuse-pap" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "auth" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "require-chap" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "name" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "Vigor" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "file" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "/etc/ppp/options.l2tp" 
Jun 18 15:12:57 Vigor2130 daemon.debug xl2tpd[12383]: "/dev/pts/1" 
Jun 18 15:12:57 Vigor2130 daemon.notice xl2tpd[12383]: Call established with 
212.95.7.115, Local: 3679, Remote: 624, Serial: 1
Jun 18 15:12:57 Vigor2130 daemon.notice pppd[17828]: pppd 2.4.4 started by 
root, uid 0
Jun 18 15:12:57 Vigor2130 user.warn kernel: register netdev : ppp650^M
Jun 18 15:12:57 Vigor2130 daemon.info pppd[17828]: Using interface ppp650
Jun 18 15:12:57 Vigor2130 daemon.notice pppd[17828]: Connect: ppp650 <--> 
/dev/pts/1
Jun 18 15:13:00 Vigor2130 daemon.warn pppd[17828]: peer refused to 
authenticate: terminating link
Jun 18 15:13:01 Vigor2130 daemon.notice pppd[17828]: Connection terminated.
Jun 18 15:13:01 Vigor2130 daemon.info pppd[17828]: Exit.
Jun 18 15:13:01 Vigor2130 daemon.debug xl2tpd[12383]: child_handler : pppd 
exited for call 624 with code 11
Jun 18 15:13:01 Vigor2130 daemon.info xl2tpd[12383]: call_close: Call 3679 to 
212.95.7.115 disconnected
Jun 18 15:13:01 Vigor2130 daemon.debug xl2tpd[12383]: result_code_avp: result 
code out of range (768 3679 14).  Ignoring.
Jun 18 15:13:01 Vigor2130 daemon.info xl2tpd[12383]: control_finish: Connection 
closed to 212.95.7.115, serial 1 ()
Jun 18 15:13:01 Vigor2130 daemon.debug xl2tpd[12383]: Untrustingly terminating 
pppd: sending KILL signal to pid 17828
Jun 18 15:13:01 Vigor2130 daemon.debug xl2tpd[12383]: pppd 17828 successfully 
terminated
Jun 18 15:13:07 Vigor2130 user.notice root: udp-broadcast-relay not start: 
can't find interface ...
Jun 18 15:13:07 Vigor2130 daemon.debug xl2tpd[12383]: result_code_avp: result 
code out of range (256 3679 14).  Ignoring.
Jun 18 15:13:07 Vigor2130 daemon.debug xl2tpd[12383]: control_finish: Peer 
tried to disconnect without specifying result code.
Jun 18 15:13:09 Vigor2130 authpriv.warn pluto[12676]: ERROR: asynchronous 
network error report on br-wan (sport=4500) for message to 212.95.7.115 port 
7794, complainant 212.95.7.115: Connection refused [errno 111, origin ICMP type 
3 code 3 (not authenticated)]
Jun 18 15:13:24 Vigor2130 authpriv.warn pluto[12676]: ERROR: asynchronous 
network error report on br-wan (sport=4500) for message to 212.95.7.115 port 
7794, complainant 212.95.7.115: Connection refused [errno 111, origin ICMP type 
3 code 3 (not authenticated)]
Jun 18 15:13:39 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115 #3: DPD: Info: No response from peer - declaring peer dead
Jun 18 15:13:39 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115 #3: DPD: Info: Putting connection into %trap
Jun 18 15:13:39 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115 #4: deleting state (STATE_QUICK_R2)
Jun 18 15:13:39 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 
212.95.7.115: deleting connection "l2tp_psk_NAT" instance with peer 
212.95.7.115 {isakmp=#0/ipsec=#0}
Jun 18 15:13:39 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk" #3: deleting 
state (STATE_MAIN_R3)
Jun 18 15:13:39 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 
212.95.7.115: deleting connection "l2tp_psk" instance with peer 212.95.7.115 
{isakmp=#0/ipsec=#0}
Jun 18 15:13:40 Vigor2130 authpriv.warn pluto[12676]: ERROR: asynchronous 
network error report on br-wan (sport=4500) for message to 212.95.7.115 port 
7794, complainant 212.95.7.115: Connection refused [errno 111, origin ICMP type 
3 code 3 (not authenticated)]
Jun 18 15:13:40 Vigor2130 authpriv.warn pluto[12676]: ERROR: asynchronous 
network error report on br-wan (sport=4500) for message to 212.95.7.115 port 
7794, complainant 212.95.7.115: Connection refused [errno 111, origin ICMP type 
3 code 3 (not authenticated)]
Jun 18 15:14:02 Vigor2130 daemon.notice xl2tpd[12383]: Maximum retries exceeded 
for tunnel 56492.  Closing.
Jun 18 15:14:02 Vigor2130 daemon.info xl2tpd[12383]: Connection 13 closed to 
212.95.7.115, port 49922 (Timeout)
Jun 18 15:14:07 Vigor2130 daemon.debug xl2tpd[12383]: Unable to deliver closing 
message for tunnel 56492. Destroying anyway.

Original issue reported on code.google.com by johannes...@gmail.com on 18 Jun 2011 at 3:17
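The logread above is long, but the login fails at one identifiable point: IKE phase 1 and phase 2 complete, the L2TP tunnel and call come up, pppd starts, and then pppd reports "peer refused to authenticate". Everything after that (the ICMP port-unreachable reports and DPD declaring the peer dead) is the client tearing down its side. The following Python is an added example, not code from the issue or from the router firmware: it parses syslog-style lines from pluto, xl2tpd and pppd, records which milestones of a working L2TP/IPsec login were reached, and names the first failure. The sample lines are constructed from the shape of the log above with a documentation-range peer address; the stage names and reason tags are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, shaped like the logread above but trimmed to the lines
# that matter; the peer address is a documentation-range placeholder.
SAMPLE_LOG = """\
Jun 18 15:12:51 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[3] 203.0.113.10 #3: responding to Main Mode from unknown peer 203.0.113.10
Jun 18 15:12:52 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 203.0.113.10 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jun 18 15:12:54 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk_NAT"[2] 203.0.113.10 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x0af924b5 <0xdc934b7a xfrm=AES_256-HMAC_SHA1 NATD=203.0.113.10:7794 DPD=enabled}
Jun 18 15:12:57 Vigor2130 daemon.notice xl2tpd[12383]: Connection established to 203.0.113.10, 49922.  Local: 56492, Remote: 13 (ref=0/0).  LNS session is 'default'
Jun 18 15:12:57 Vigor2130 daemon.notice xl2tpd[12383]: Call established with 203.0.113.10, Local: 3679, Remote: 624, Serial: 1
Jun 18 15:12:57 Vigor2130 daemon.notice pppd[17828]: pppd 2.4.4 started by root, uid 0
Jun 18 15:13:00 Vigor2130 daemon.warn pppd[17828]: peer refused to authenticate: terminating link
Jun 18 15:13:01 Vigor2130 daemon.notice pppd[17828]: Connection terminated.
Jun 18 15:13:09 Vigor2130 authpriv.warn pluto[12676]: ERROR: asynchronous network error report on br-wan (sport=4500) for message to 203.0.113.10 port 7794, complainant 203.0.113.10: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jun 18 15:13:39 Vigor2130 authpriv.warn pluto[12676]: "l2tp_psk"[4] 203.0.113.10 #3: DPD: Info: No response from peer - declaring peer dead
"""

# BSD syslog layout as written by logread: timestamp, host, facility.level, prog[pid]: msg
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facility>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Milestones of a working L2TP/IPsec login in the order they must occur:
# (stage tag, daemon that logs it, substring that marks it).
MILESTONES = [
    ("ike_phase1", "pluto", "ISAKMP SA established"),
    ("ike_phase2", "pluto", "IPsec SA established"),
    ("l2tp_tunnel", "xl2tpd", "Connection established to"),
    ("l2tp_call", "xl2tpd", "Call established with"),
    ("ppp_started", "pppd", " started by "),
    ("ppp_up", "pppd", "local  IP address"),
]

# Messages that mean the login is going wrong, with a short reason tag.
FAILURES = [
    ("ppp_auth_refused", "pppd", "peer refused to authenticate"),
    ("ppp_auth_failed", "pppd", "authentication failed"),
    # ICMP type 3 code 3 is port unreachable: the client closed UDP 4500.
    # The "(not authenticated)" text qualifies the ICMP report, not the user.
    ("ike_port_unreachable", "pluto", "asynchronous network error report"),
    ("ike_peer_dead", "pluto", "declaring peer dead"),
]


@dataclass
class Summary:
    stages_reached: list = field(default_factory=list)   # stage tags, in log order
    failures: list = field(default_factory=list)         # (timestamp, reason, message)

    @property
    def last_ok_stage(self) -> Optional[str]:
        return self.stages_reached[-1] if self.stages_reached else None

    @property
    def first_failure(self) -> Optional[str]:
        return self.failures[0][1] if self.failures else None


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str) -> Summary:
    """Walk the log once, recording milestones reached and failures seen."""
    summary = Summary()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for stage, prog, marker in MILESTONES:
            if rec["prog"] == prog and marker in rec["msg"] and stage not in summary.stages_reached:
                summary.stages_reached.append(stage)
        for reason, prog, marker in FAILURES:
            if rec["prog"] == prog and marker in rec["msg"]:
                summary.failures.append((rec["ts"], reason, rec["msg"]))
    return summary


def verdict(summary: Summary) -> str:
    """One line a helpdesk or SOC analyst can act on."""
    if "ppp_up" in summary.stages_reached and not summary.failures:
        return "login completed"
    if not summary.failures:
        return f"incomplete: stopped after {summary.last_ok_stage}"
    return f"failed after {summary.last_ok_stage}: {summary.first_failure}"


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print("stages:", " -> ".join(s.stages_reached))
    print(verdict(s))
```

Run against the constructed sample it reports `failed after ppp_started: ppp_auth_refused`, which is the same conclusion the thread reaches by hand: the IPsec and L2TP layers are fine and the fault is in PPP authentication. Because milestones are tracked per daemon, the same analyzer separates an IPsec PSK mismatch (no `ISAKMP SA established`) from an L2TP or PPP problem, which is the first triage question for any L2TP/IPsec incident.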

GoogleCodeExporter commented 8 years ago
Additional information: the problem must be the router, because I set up an
Ubuntu Server 10.04 and made a VPN pass-through to it, and then it works.
So I am absolutely sure THE VPN SERVER OF THE ROUTER IS THE PROBLEM.

Original comment by johannes...@gmail.com on 18 Jun 2011 at 3:29

GoogleCodeExporter commented 8 years ago
So, I compared the Ubuntu Server 10.04 with the Vigor router now and I figured
out something that was the solution for me:

The Vigor asks the peer to authenticate and it refuses. So if the peer is an
ISP it will never authenticate itself, why should it... so the key is the
noauth property.

So I changed the configuration in the /etc/ppp/options.l2tp file and now it
works!!!

BEFORE (default configuration of Vigor2130):

root@Vigor2130:/etc/ppp# cat options.l2tp
lock
noccp
novj
novjccomp
nopcomp
noaccomp
proxyarp
lcp-echo-interval 3
name l2tp-server
mtu 1000
ms-dns 192.168.1.1

AFTER (and working):

root@Vigor2130:/etc/ppp# cat options.l2tp
192.168.1.1:  <---- here I added the ip
#debug
noauth             <---- here I added the noauth property
lock
noccp
novj
novjccomp
nopcomp
noaccomp
proxyarp
lcp-echo-interval 3
name l2tp-server
mtu 1000
ms-dns 192.168.1.1

Original comment by johannes...@gmail.com on 18 Jun 2011 at 4:23

GoogleCodeExporter commented 8 years ago
I figured out one interesting thing. After deleting the noauth attribute, I can't
connect as usual.

BUT: when I shorten my username to less than 6 characters, it works in any
condition. My normal username has 8 characters, which does not work.
Clipping it to 6 characters, and it works with the default configuration.... hm.
Tested with several machines (Linux Ubuntu Lucid Lynx, Mac OS X 10.6, iOS 4.3,
iOS 5 beta1), always the same: username with more than 6 characters, peer refused to
auth.....

DRAYTEK-TEAM: Repair this! Or limit the username box to 6 characters. SOLVING
SUCH A RIDDLE SHOULD NOT BE SHIPPED TO THE CUSTOMERS. WE HAVE PAID MONEY FOR
IT, AND NOT TOO LITTLE... THEREFORE WE WANT A WORKING PRODUCT!!!

SO, CHECK IT OUT. THE PROBLEM OCCURS WITH USERNAMES WHICH HAVE MORE THAN 6
CHARACTERS.

REPAIR THIS AND SUBMIT AN UPDATED RELEASE OF THE FIRMWARE. THX

With best regards,
a very dissatisfied customer.

Original comment by johannes...@gmail.com on 21 Jun 2011 at 8:56

GoogleCodeExporter commented 8 years ago
Hi Johannes,
I'm also a Vigor-2130 user.
I happened to find one issue: if you change the username/password of an
existing IPSEC/L2TP account, the password won't be changed in
/etc/ppp/chap-secrets.
ex:
1       l2tp-server     "1"     *
12      l2tp-server     "12"    *
11      l2tp-server     "1234567"       *
I changed the third username/password 1234567/1234567 to 11/11, but the
password was not changed. I don't think the length of the username/password is the
root cause of your issue. You can try to add a new account whose length is more
than 6 characters instead of changing an existing account.

Original comment by wedid...@gmail.com on 22 Jun 2011 at 6:58
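Two configuration files decide whether an L2TP client gets a PPP link on this router: the pppd options file from the "BEFORE/AFTER" comment, and /etc/ppp/chap-secrets from the comment just above. The working fix in the thread was to add `noauth`, which tells pppd not to require the peer to authenticate at all, so after that change the IPsec pre-shared key is the only credential protecting the tunnel. The second comment shows a different failure mode: the web UI renamed an account but left the old secret in chap-secrets. The Python below is an added example, not code from the issue or from the DrayTek firmware; it tokenises a pppd options file the way pppd does (whitespace separated, `#` comments), flags options that weaken peer authentication, parses chap-secrets and compares its contents with what the administrator believes is configured. The option files and secrets are constructed copies of the ones quoted in the thread; the finding texts and function names are this example's own.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed copies of the two options files quoted in the thread.
OPTIONS_BEFORE = """\
lock
noccp
novj
novjccomp
nopcomp
noaccomp
proxyarp
lcp-echo-interval 3
name l2tp-server
mtu 1000
ms-dns 192.168.1.1
"""
OPTIONS_AFTER = "192.168.1.1:\n#debug\nnoauth\n" + OPTIONS_BEFORE

# Constructed chap-secrets in the layout shown in the thread:
# client  server  secret  acceptable-addresses
CHAP_SECRETS = """\
# client   server        secret       IP addresses
1          l2tp-server   "1"          *
12         l2tp-server   "12"         *
11         l2tp-server   "1234567"    *
"""


def parse_options(text: str) -> List[str]:
    """Tokenise a pppd options file: whitespace separated words, '#' starts a comment."""
    return shlex.split(text, comments=True)


def option_value(tokens: List[str], name: str) -> Optional[str]:
    """Argument of a one-argument option such as 'name' or 'mtu', or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def audit_options(text: str) -> List[str]:
    """Findings about peer authentication for an options file used on incoming L2TP calls."""
    tokens = parse_options(text)
    findings = []
    if "noauth" in tokens:
        findings.append("noauth: peer authentication disabled; a client that completes "
                        "IPsec with the shared PSK gets a PPP link without credentials")
    if "auth" not in tokens and not any(t.startswith("require-") for t in tokens):
        findings.append("no auth/require-* option in the file; authentication depends "
                        "entirely on what the L2TP daemon passes on the pppd command line")
    return findings


def parse_chap_secrets(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, server, secret, addresses) per entry; quotes and comments handled."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed chap-secrets line: {line!r}")
        client, server, secret = fields[:3]
        addrs = fields[3] if len(fields) > 3 else "*"
        entries.append((client, server, secret, addrs))
    return entries


def lookup_secret(entries, client: str, server: str) -> Optional[str]:
    """pppd matches a CHAP peer on (client name, our 'name' option); '*' server is a wildcard."""
    for c, s, secret, _ in entries:
        if c == client and s in (server, "*"):
            return secret
    return None


def stale_secrets(entries, expected: Dict[str, str], server: str) -> List[Tuple[str, str, Optional[str]]]:
    """Accounts whose secret on disk differs from what the admin configured: (user, wanted, found)."""
    return [(user, want, lookup_secret(entries, user, server))
            for user, want in expected.items()
            if lookup_secret(entries, user, server) != want]


def server_name_mismatches(entries, options_text: str) -> List[str]:
    """Clients whose server field can never match the 'name' pppd announces."""
    name = option_value(parse_options(options_text), "name")
    return [c for c, s, _, _ in entries if s not in (name, "*")]


if __name__ == "__main__":
    for label, text in (("BEFORE", OPTIONS_BEFORE), ("AFTER", OPTIONS_AFTER)):
        print(label, audit_options(text))
    secrets = parse_chap_secrets(CHAP_SECRETS)
    # What the UI claims after renaming 1234567/1234567 to 11/11, as described in the thread.
    print(stale_secrets(secrets, {"1": "1", "12": "12", "11": "11"}, "l2tp-server"))
```

The audit reports the `noauth` line in the AFTER file as the finding a reviewer should not let pass: the thread's working configuration removes the per-user credential and leaves only the group PSK, so a leaked PSK becomes full remote access. The stale-secret check reproduces wedid's observation mechanically (`11` still carries `1234567`), which is a cheap post-change verification to run on any appliance that writes chap-secrets from a web UI.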

GoogleCodeExporter commented 8 years ago
Hi Wedid,

I checked the username and password in /etc/ppp/chap-secrets and they were
right.
For testing I made a clean install of the router with FW 1.5.1 and added new
accounts, starting from a username with 2 characters up to 8 characters, always with
the same password. It worked fine for usernames from 2 to 6 characters, but users with
7 and 8 brought the router to crash the VPN system. The first error is "peer
refused to authenticate" and this is followed by the error "asynchronous
network error". After the asynchronous network error, VPN is broken, so the
usernames with 2 to 6 characters also can't log in anymore. But this network error
only appears on login of users with more than 6 characters.

This router has such a buggy implementation of OpenWrt. I bought a DrayTek
router because I thought it would be a great product. I HAVE NEVER HAD SUCH
BUGGY CRAP BEFORE.

Original comment by johannes...@gmail.com on 22 Jun 2011 at 8:08