nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

cannot connect xl2tpd death_handler: Fatal signal 15 received #173

Closed Bradley-Drummonds closed 2 years ago

Bradley-Drummonds commented 2 years ago

Hello, we are having quite a difficult time setting up an L2TP/IPsec connection to our server (Windows 2008 Server). We use Yocto to create our own distro, based on the Angstrom distro.

We are using an old kernel that we patch to include the necessary modules for the L2TP/IPsec connection. The setup below is connecting to our server, Windows 2008 Server. I have tried to connect to free servers on the ipspeed to see if we can establish any kind of connection; that doesn't work, and I cannot find any more helpful info anywhere.

uname -a: Linux colibri-t30 3.1.10-2.8.7+g5e3cb65 #1 SMP PREEMPT Tue Nov 30 12:04:00 UTC 2021 armv7l armv7l armv7l GNU/Linux

Versions: nm-l2tp-service 1.2.18, xl2tpd 1.3.9, strongSwan U5.5.3

nm-l2tp[749] nm-l2tp-service (version 1.2.18) starting... nm-l2tp[749] uses default --bus-name "org.freedesktop.NetworkManager.l2tp" nm-l2tp[749] ipsec enable flag: yes ** Message: Check port 1701 connection id : "vpn2" (s) uuid : "5c912719-67d6-4bdb-b5eb-d5f3db641814" (s) interface-name : NULL (sd) type : "vpn" (s) permissions : [] (s) autoconnect : TRUE (sd) autoconnect-priority : 0 (sd) timestamp : 0 (sd) read-only : FALSE (sd) zone : NULL (sd) master : NULL (sd) slave-type : NULL (sd) autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd) secondaries : [] (s) gateway-ping-timeout : 0 (sd) metered : ((NMMetered) NM_METERED_UNKNOWN) (sd) lldp : -1 (sd) stable-id : NULL (sd)

ipv6 method : "auto" (s) dns : [] (s) dns-search : [] (s) dns-options : NULL (sd) dns-priority : 0 (sd) addresses : ((GPtrArray) 0x3a008) (s) gateway : NULL (sd) routes : ((GPtrArray) 0x42109c08) (s) route-metric : -1 (sd) ignore-auto-routes : FALSE (sd) ignore-auto-dns : FALSE (sd) dhcp-hostname : NULL (sd) dhcp-send-hostname : TRUE (sd) never-default : FALSE (sd) may-fail : TRUE (sd) dad-timeout : -1 (sd) dhcp-timeout : 0 (sd) ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd) addr-gen-mode : 1 (sd) token : NULL (sd)

ipv4 method : "auto" (s) dns : [] (s) dns-search : [] (s) dns-options : NULL (sd) dns-priority : 0 (sd) addresses : ((GPtrArray) 0x421098a8) (s) gateway : NULL (sd) routes : ((GPtrArray) 0x52548) (s) route-metric : -1 (sd) ignore-auto-routes : FALSE (sd) ignore-auto-dns : FALSE (sd) dhcp-hostname : NULL (sd) dhcp-send-hostname : TRUE (sd) never-default : FALSE (sd) may-fail : TRUE (sd) dad-timeout : -1 (sd) dhcp-timeout : 0 (sd) dhcp-client-id : NULL (sd) dhcp-fqdn : NULL (sd)

vpn service-type : "org.freedesktop.NetworkManager.l2tp" (s) user-name : "" (s) persistent : FALSE (sd) data : ((GHashTable) 0x4dac0) (s) secrets : ((GHashTable) 0x4da50) (s) timeout : 0 (sd)

nm-l2tp[749] starting ipsec Stopping strongSwan IPsec failed: starter is not running Starting strongSwan ..3 IPsec [starter]... Loading config setup Loading conn '5c912719-67d6-4bdb-b5eb-d5f3db641814' found netkey IPsec stack nm-l2tp[749] Spawned ipsec up script with PID 817. initiating Main Mode IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] to redacted generating ID_PROT request 0 [ SA V V V V V ] sending packet: from [500] to (532 bytes) received packet: from to [500] (212 bytes) parsed ID_PROT response 0 [ SA V V V V V V ] received MS NT5 ISAKMPOAKLEY vendor ID received NAT-T (RFC 3947) vendor ID received draft-ietf-ipsec-nat-t-ike-02\n vendor ID received FRAGMENTATION vendor ID received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20 received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce::52 generating ID_PROT request 0 [ KE No NAT-D NAT-D ] sending packet: from [500] to (212 bytes) received packet: from to [500] (228 bytes) parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] local host is behind NAT, sending keep alives remote host is behind NAT generating ID_PROT request 0 [ ID HASH ] sending packet: from 10.42.78.122[4500] to redacted[4500] (76 bytes) received packet: from redacted[4500] to 10.42.78.122[4500] (76 bytes) parsed ID_PROT response 0 [ ID HASH ] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] established between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90] scheduling reauthentication in 10221s maximum IKE_SA lifetime 10761s generating QUICK_MODE request 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ] sending packet: from 10.42.78.122[4500] to redacted[4500] (252 bytes) received packet: from redacted[4500] to 10.42.78.122[4500] (220 bytes) parsed QUICK_MODE response 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ] connection '5c912719-67d6-4bdb-b5eb-d5f3db641814' established successfully nm-l2tp[749] strongSwan IPsec tunnel is up. 
Message: xl2tpd started with pid 844 xl2tpd[844]: setsockopt recvref[30]: Protocol not available xl2tpd[844]: This binary does not support kernel L2TP. xl2tpd[844]: xl2tpd version xl2tpd-1.3.9 started on colibri-t30 PID:844 xl2tpd[844]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc. xl2tpd[844]: Forked by Scott Balmos and David Stipp, (C) 2001 xl2tpd[844]: Inherited by Jeff McAdams, (C) 2002 xl2tpd[844]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016 xl2tpd[844]: Listening on IP address 0.0.0.0, port 1701 xl2tpd[844]: get_call: allocating new tunnel for host redacted, port 1701. xl2tpd[844]: Connecting to host redacted, port 1701 xl2tpd[844]: control_finish: message type is (null)(0). Tunnel is 0, call is 0. xl2tpd[844]: control_finish: sending SCCRQ xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply) xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0. xl2tpd[844]: framing_caps_avp: supported peer frames: sync xl2tpd[844]: bearer_caps_avp: supported peer bearers: xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601) xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1' xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft' xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298 xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8. Will use flow control. xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending SCCCN xl2tpd[844]: Connection established to redacted, 1701. Local: 29027, Remote: 298 (ref=0/0). xl2tpd[844]: Calling on tunnel 29027 xl2tpd[844]: control_finish: message type is (null)(0). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending ICRQ xl2tpd[844]: message_type_avp: message type 11 (Incoming-Call-Reply) xl2tpd[844]: assigned_call_avp: using peer's call 2 xl2tpd[844]: control_finish: message type is Incoming-Call-Reply(11). 
Tunnel is 298, call is 2. xl2tpd[844]: control_finish: Sending ICCN xl2tpd[844]: Call established with redacted, Local: 21420, Remote: 2, Serial: 1 (ref=0/0) Message: nm-l2tp-ppp-plugin: (plugin_init): initializing Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection' Message: nm-l2tp-ppp-plugin: (nm_phasechange): status / phase 'establish' xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply) xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0. xl2tpd[844]: framing_caps_avp: supported peer frames: sync xl2tpd[844]: bearer_caps_avp: supported peer bearers: xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601) xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1' xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft' xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298 xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8. Will use flow control. xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending SCCCN xl2tpd[844]: Connection established to redacted, 1701. Local: 29027, Remote: 298 (ref=0/0). xl2tpd[844]: Calling on tunnel 29027 xl2tpd[844]: control_finish: message type is (null)(0). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending ICRQ xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply) xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0. xl2tpd[844]: framing_caps_avp: supported peer frames: sync xl2tpd[844]: bearer_caps_avp: supported peer bearers: xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601) xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1' xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft' xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298 xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8. Will use flow control. 
xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending SCCCN xl2tpd[844]: Connection established to redacted, 1701. Local: 29027, Remote: 298 (ref=0/0). xl2tpd[844]: Calling on tunnel 29027 xl2tpd[844]: control_finish: message type is (null)(0). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending ICRQ xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply) xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0. xl2tpd[844]: framing_caps_avp: supported peer frames: sync xl2tpd[844]: bearer_caps_avp: supported peer bearers: xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601) xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1' xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft' xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298 xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8. Will use flow control. xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending SCCCN xl2tpd[844]: Connection established to redacted5..210, 1701. Local: 29027, Remote: 298 (ref=0/0). xl2tpd[844]: Calling on tunnel 29027 xl2tpd[844]: control_finish: message type is (null)(0). Tunnel is 298, call is 0. xl2tpd[844]: control_finish: sending ICRQ nm-l2tp[749] Looks like pppd didn't initialize our dbus module xl2tpd[844]: death_handler: Fatal signal 15 received Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect' nm-l2tp[749] Terminated xl2tpd daemon with PID 844. Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead' Message: nm-l2tp-ppp-plugin: (nm_exit_notify): cleaning up Stopping strongSwan IPsec... Message: ipsec shut down nm-l2tp[749] xl2tpd exited with error code 1 Stopping strongSwan IPsec failed: starter is not running ** Message: ipsec shut down

Output of journalctl -b:

NetworkManager[323]: [1639572668.5147] audit: op="connection-activate" uuid="5c912719-67d6-4bdb-b5eb-d5f3db641814" name="vpn2" pid=759 uid=0 result="success" NetworkManager[323]: [1639572668.5212] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: Saw the service appear; activating connection NetworkManager[323]: [1639572668.5634] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN connection: (ConnectInteractive) reply received ipsec_starter[775]: Starting strongSwan 5.5.3 IPsec [starter]... ipsec_starter[775]: Loading config setup ipsec_starter[775]: Loading conn '5c912719-67d6-4bdb-b5eb-d5f3db641814' ipsec_starter[775]: found netkey IPsec stack ipsec_starter[792]: Attempting to start charon... charon[794]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 3.1.10-2.8.7+g5e3cb65, armv7l) charon[794]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' charon[794]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' charon[794]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' charon[794]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' charon[794]: 00[CFG] loading crls from '/etc/ipsec.d/crls' charon[794]: 00[CFG] loading secrets from '/etc/ipsec.secrets' charon[794]: 00[CFG] loaded IKE secret for charon[794]: 00[CFG] loaded EAP secret for charon[794]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets' charon[794]: 00[CFG] loaded IKE secret for %any charon[794]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gm charon[794]: 00[JOB] spawning 16 worker threads charon[794]: 05[CFG] rereading secrets charon[794]: 05[CFG] loading secrets from '/etc/ipsec.secrets' charon[794]: 05[CFG] loaded IKE secret for charon[794]: 05[CFG] loaded EAP secret for charon[794]: 05[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets' 
charon[794]: 05[CFG] loaded IKE secret for %any ipsec_starter[792]: charon (794) started after 200 ms charon[794]: 07[CFG] received stroke: add connection '5c912719-67d6-4bdb-b5eb-d5f3db641814' charon[794]: 07[CFG] conn 5c912719-67d6-4bdb-b5eb-d5f3db641814 charon[794]: 07[CFG] left=%any charon[794]: 07[CFG] leftauth=psk charon[794]: 07[CFG] right=redacted charon[794]: 07[CFG] rightauth=psk charon[794]: 07[CFG] rightid=%any charon[794]: 07[CFG] ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha charon[794]: 07[CFG] esp=aes256-sha1,aes128-sha1,3des-sha1! charon[794]: 07[CFG] dpddelay=30 charon[794]: 07[CFG] dpdtimeout=150 charon[794]: 07[CFG] sha256_96=no charon[794]: 07[CFG] mediation=no charon[794]: 07[CFG] keyexchange=ikev1 charon[794]: 07[CFG] added configuration '5c912719-67d6-4bdb-b5eb-d5f3db641814' charon[794]: 09[CFG] received stroke: initiate '5c912719-67d6-4bdb-b5eb-d5f3db641814' charon[794]: 11[IKE] queueing ISAKMP_VENDOR task charon[794]: 11[IKE] queueing ISAKMP_CERT_PRE task charon[794]: 11[IKE] queueing MAIN_MODE task charon[794]: 11[IKE] queueing ISAKMP_CERT_POST task charon[794]: 11[IKE] queueing ISAKMP_NATD task charon[794]: 11[IKE] queueing QUICK_MODE task charon[794]: 11[IKE] activating new tasks charon[794]: 11[IKE] activating ISAKMP_VENDOR task charon[794]: 11[IKE] activating ISAKMP_CERT_PRE task charon[794]: 11[IKE] activating MAIN_MODE task charon[794]: 11[IKE] activating ISAKMP_CERT_POST task charon[794]: 11[IKE] activating ISAKMP_NATD task charon[794]: 11[IKE] sending XAuth vendor ID charon[794]: 11[IKE] sending DPD vendor ID charon[794]: 11[IKE] sending FRAGMENTATION vendor ID charon[794]: 11[IKE] sending NAT-T (RFC 3947) vendor ID charon[794]: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID charon[794]: 11[IKE] initiating Main Mode IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] to redacted charon[794]: 11[IKE] initiating Main Mode 
IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] to redacted charon[794]: 11[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: CREATED => CONNECTING charon[794]: 11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AE charon[794]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ] charon[794]: 11[NET] sending packet: from 10.42.78.122[500] to redacted[500] (532 bytes) charon[794]: 12[NET] received packet: from redacted[500] to 10.42.78.122[500] (212 bytes) charon[794]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V V ] charon[794]: 12[IKE] received MS NT5 ISAKMPOAKLEY vendor ID charon[794]: 12[IKE] received NAT-T (RFC 3947) vendor ID charon[794]: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID charon[794]: 12[IKE] received FRAGMENTATION vendor ID charon[794]: 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20 charon[794]: 12[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52 charon[794]: 12[CFG] selecting proposal: charon[794]: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found charon[794]: 12[CFG] selecting proposal: charon[794]: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found charon[794]: 12[CFG] selecting proposal: charon[794]: 12[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found charon[794]: 12[CFG] selecting proposal: charon[794]: 12[CFG] no acceptable DIFFIE_HELLMAN_GROUP found charon[794]: 12[CFG] selecting proposal: charon[794]: 12[CFG] no acceptable DIFFIE_HELLMAN_GROUP found charon[794]: 12[CFG] selecting proposal: charon[794]: 12[CFG] no acceptable DIFFIE_HELLMAN_GROUP found charon[794]: 12[CFG] selecting proposal: charon[794]: 12[CFG] proposal matches charon[794]: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384 charon[794]: 12[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AE charon[794]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384 charon[794]: 12[IKE] reinitiating already active tasks charon[794]: 12[IKE] ISAKMP_VENDOR task charon[794]: 12[IKE] MAIN_MODE task charon[794]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ] charon[794]: 12[NET] sending packet: from 10.42.78.122[500] to redacted[500] (212 bytes) charon[794]: 13[NET] received packet: from redacted[500] to 10.42.78.122[500] (228 bytes) charon[794]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] charon[794]: 13[IKE] local host is behind NAT, sending keep alives charon[794]: 13[IKE] remote host is behind NAT charon[794]: 13[IKE] reinitiating already active tasks charon[794]: 13[IKE] ISAKMP_VENDOR task charon[794]: 13[IKE] MAIN_MODE task charon[794]: 13[ENC] generating ID_PROT request 0 [ ID HASH ] charon[794]: 13[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (76 bytes) charon[794]: 14[NET] received packet: from redacted[4500] to 10.42.78.122[4500] (76 bytes) charon[794]: 14[ENC] parsed ID_PROT response 0 [ ID HASH ] charon[794]: 14[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] established between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90] charon[794]: 14[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] established between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90] charon[794]: 14[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: CONNECTING => ESTABLISHED charon[794]: 14[IKE] scheduling reauthentication in 10221s charon[794]: 14[IKE] maximum IKE_SA lifetime 10761s charon[794]: 14[IKE] activating new tasks charon[794]: 14[IKE] activating QUICK_MODE task charon[794]: 14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ charon[794]: 14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ charon[794]: 14[CFG] proposing traffic selectors for us: charon[794]: 14[CFG] 10.42.78.122/32[udp/l2f] charon[794]: 14[CFG] proposing traffic selectors for other: charon[794]: 14[CFG] redacted/32[udp/l2f] charon[794]: 14[ENC] generating QUICK_MODE request 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ] charon[794]: 14[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (252 bytes) charon[794]: 15[NET] received packet: from redacted[4500] to 10.42.78.122[4500] (220 bytes) charon[794]: 15[ENC] parsed QUICK_MODE response 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ] charon[794]: 15[CFG] selecting proposal: charon[794]: 15[CFG] proposal matches charon[794]: 15[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ charon[794]: 15[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ charon[794]: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ charon[794]: 15[IKE] changing received traffic selectors 80.187.101.122/32[udp/l2f]=== 192.168.90.90/32[udp/l2f] due to NAT charon[794]: 15[IKE] CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} established with SPIs ce51b5d8_i 0ae49212_o and TS 10.42.78.122/32[udp/l2f] === redacted/32[udp/l2f] charon[794]: 15[IKE] CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} established with SPIs ce51b5d8_i 0ae49212_o and TS 10.42.78.122/32[udp/l2f] === redacted/32[udp/l2f] charon[794]: 15[IKE] reinitiating already active tasks charon[794]: 15[IKE] QUICK_MODE task charon[794]: 15[ENC] generating QUICK_MODE request 1672764256 [ HASH ] charon[794]: 15[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (60 bytes) charon[794]: 15[IKE] activating new tasks charon[794]: 15[IKE] nothing to initiate NetworkManager[323]: [1639572673.9668] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state changed: 
starting (3) charon[794]: 05[NET] received packet: from redacted[4500] to 10.42.78.122[4500] (76 bytes) charon[794]: 05[ENC] parsed QUICK_MODE response 1672764256 [ HASH N(INIT_CONTACT) ] charon[794]: 05[IKE] ignoring fourth Quick Mode message pppd[846]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded. pppd[846]: pppd 2.4.7 started by root, uid 0 pppd[846]: Using interface ppp1 pppd[846]: Connect: ppp1 <--> /dev/pts/4 systemd-udevd[847]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. NetworkManager[323]: [1639572675.5872] manager: (ppp1): new Generic device (/org/freedesktop/NetworkManager/Devices/8) systemd-udevd[847]: link_config: could not get ethtool features for ppp1 systemd-udevd[847]: Could not set offload features of ppp1: Operation not supported NetworkManager[323]: [1639572675.7045] devices added (path: /sys/devices/virtual/net/ppp1, iface: ppp1) NetworkManager[323]: [1639572675.7046] device added (path: /sys/devices/virtual/net/ppp1, iface: ppp1): no ifupdown configuration found. dnsmasq[393]: reading /etc/resolv.conf dnsmasq[393]: using nameserver 192.168.10.237#53 pppd[846]: Hangup (SIGHUP) pppd[846]: Modem hangup pppd[846]: Connection terminated. charon[794]: 13[KNL] interface ppp1 deleted dnsmasq[393]: reading /etc/resolv.conf pppd[846]: Exit. 
NetworkManager[323]: [1639572688.0073] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: failed: connect-failed (1) dnsmasq[393]: using nameserver 192.168.10.237#53 dnsmasq[393]: reading /etc/resolv.conf dnsmasq[393]: using nameserver 192.168.10.237#53 NetworkManager[323]: [1639572688.0518] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: failed: connect-failed (1) NetworkManager[323]: [1639572688.0521] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state changed: stopping (5) charon[794]: 14[IKE] keeping connection path 10.42.78.122 - redacted NetworkManager[323]: [1639572688.1814] devices removed (path: /sys/devices/virtual/net/ppp1, iface: ppp1) charon[794]: 00[DMN] signal of type SIGINT received. Shutting down charon[794]: 00[IKE] queueing QUICK_DELETE task charon[794]: 00[IKE] queueing ISAKMP_DELETE task charon[794]: 00[IKE] activating new tasks charon[794]: 00[IKE] activating QUICK_DELETE task charon[794]: 00[IKE] closing CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} with SPIs ce51b5d8_i (788 bytes) 0ae49212_o (1872 bytes) and TS 10.42.78.122/32[udp/l2f] === 91.5 charon[794]: 00[IKE] closing CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} with SPIs ce51b5d8_i (788 bytes) 0ae49212_o (1872 bytes) and TS 10.42.78.122/32[udp/l2f] === 91.5 charon[794]: 00[IKE] sending DELETE for ESP CHILD_SA with SPI ce51b5d8 charon[794]: 00[ENC] generating INFORMATIONAL_V1 request 2746148567 [ HASH D ] charon[794]: 00[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (76 bytes) charon[794]: 00[IKE] activating new tasks charon[794]: 00[IKE] activating ISAKMP_DELETE task charon[794]: 00[IKE] deleting IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90] charon[794]: 00[IKE] deleting IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90] charon[794]: 
00[IKE] sending DELETE for IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] charon[794]: 00[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: ESTABLISHED => DELETING charon[794]: 00[ENC] generating INFORMATIONAL_V1 request 1411247294 [ HASH D ] charon[794]: 00[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (92 bytes) charon[794]: 00[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: DELETING => DESTROYING ipsec_starter[792]: child 794 (charon) has quit (exit code 0) ipsec_starter[792]: ipsec_starter[792]: charon stopped after 200 ms ipsec_starter[792]: ipsec starter stopped NetworkManager[323]: [1639572688.4424] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state changed: stopped (6) NetworkManager[323]: [1639572688.4495] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state change reason: unknown (0) NetworkManager[323]: [1639572688.5134] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: failed: connect-failed (1)

dkosovic commented 2 years ago

For L2TP interoperability with Windows Server, I've found that the L2TP kernel modules need to be used instead of the fallback xl2tp userspace support. It's briefly discussed in the Issue with blacklisting of L2TP kernel modules section of the README.md file. In the log output I see:

xl2tpd[844]: This binary does not support kernel L2TP.

Later (or other?) xl2tp binaries have the following output:

xl2tpd[1234]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)

So I guess you could try sudo modprobe pppol2tp (or sudo modprobe l2tp_ppp for newer kernels).

dkosovic commented 2 years ago

I'm guessing xl2tpd needs to be rebuilt with kernel support by setting OSFLAGS+= -DUSE_KERNEL in the xl2tpd Makefile.

Bradley-Drummonds commented 2 years ago

Thanks for your response.
1) I checked the Makefile and checked to see that OSFLAGS+= -DUSE_KERNEL was uncommented
2) rebuilt xl2tp after doing a git pull on master, so this should be top of the tree
3) copied pppol2tp.so to /usr/lib/ppp/2.4.7

Now the kernel support seems to be there, but for some reason the connection is still dropped right away. So I found https://github.com/nm-l2tp/NetworkManager-l2tp/issues/51 (based on the message "nm-l2tp[2409] Looks like pppd didn't initialize our dbus module"), and there they are saying that the ppp options being passed are not correct.

So I edited /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/ppp-options to add "silent" to the options to see if it stops the disconnect. That did not seem to take, because it appears that nm-l2tp overwrites the ppp options. So I looked through the nm-l2tp code to see if there was a way to configure it to set the silent option in the file it generates, but I don't see that as one of the options that we can pass in the "vpn.data" argument (we are setting up this connection with Python (or nmcli) and not using a GUI).

So should I patch the nm-l2tp-service.c file to set this ppp option? Or, another thought: is strongSwan causing us problems because we have a weak key (the PSK is less than 8 characters), and should we replace strongSwan with Libreswan?

Below is the log data from nm-l2tp-service --debug:

xl2tpd[2483]: Not looking for kernel SAref support.
xl2tpd[2483]: Using l2tp kernel support.
xl2tpd[2483]: xl2tpd version xl2tpd-1.3.16 started on colibri-t30 PID:2483
xl2tpd[2483]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[2483]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[2483]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[2483]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[2483]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[2483]: get_call: allocating new tunnel for host , port 1701.
xl2tpd[2483]: Connecting to host , port 1701
xl2tpd[2483]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
xl2tpd[2483]: control_finish: sending SCCRQ
xl2tpd[2483]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[2483]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[2483]: framing_caps_avp: supported peer frames: sync
xl2tpd[2483]: bearer_caps_avp: supported peer bearers:
xl2tpd[2483]: firmware_rev_avp: peer reports firmware version 1537 (0x0601)
xl2tpd[2483]: hostname_avp: peer reports hostname 'WS2008R2-WH1'
xl2tpd[2483]: vendor_avp: peer reports vendor 'Microsoft'
xl2tpd[2483]: assigned_tunnel_avp: using peer's tunnel 305
xl2tpd[2483]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
xl2tpd[2483]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 305, call is 0.
xl2tpd[2483]: control_finish: sending SCCCN
xl2tpd[2483]: Connection established to , 1701. Local: 5016, Remote: 305 (ref=0/0).
xl2tpd[2483]: Calling on tunnel 5016
xl2tpd[2483]: control_finish: message type is (null)(0). Tunnel is 305, call is 0.
xl2tpd[2483]: control_finish: sending ICRQ
xl2tpd[2483]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[2483]: assigned_call_avp: using peer's call 2
xl2tpd[2483]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 305, call is 2.
xl2tpd[2483]: control_finish: Sending ICCN
xl2tpd[2483]: Call established with , Local: 5880, Remote: 2, Serial: 1 (ref=0/0)
xl2tpd[2483]: start_pppd: I'm running:
xl2tpd[2483]: "/usr/sbin/pppd"
xl2tpd[2483]: "plugin"
xl2tpd[2483]: "pppol2tp.so"
xl2tpd[2483]: "pppol2tp"
xl2tpd[2483]: "7"
xl2tpd[2483]: "passive"
xl2tpd[2483]: "nodetach"
xl2tpd[2483]: ":"
xl2tpd[2483]: "debug"
xl2tpd[2483]: "file"
xl2tpd[2483]: "/var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/ppp-options"
Message: nm-l2tp-ppp-plugin: (plugin_init): initializing
Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
nm-l2tp[2409] Looks like pppd didn't initialize our dbus module
xl2tpd[2483]: death_handler: Fatal signal 15 received
xl2tpd[2483]: Terminating pppd: sending TERM signal to pid 2484
xl2tpd[2483]: Connection 305 closed to , port 1701 (Server closing)
Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 10 / phase 'terminate'
Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
nm-l2tp[2409] Terminated xl2tpd daemon with PID 2483.
Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
Message: nm-l2tp-ppp-plugin: (nm_exit_notify): cleaning up
Stopping strongSwan IPsec...
Message: ipsec shut down
nm-l2tp[2409] xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: ipsec shut down

Below is some output of journalctl -b that I do not understand:

Dec 16 10:31:08 colibri-t30 charon[2891]: 14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Dec 16 10:31:08 colibri-t30 charon[2891]: 14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Dec 16 10:31:08 colibri-t30 charon[2891]: 14[CFG] proposing traffic selectors for us:
Dec 16 10:31:08 colibri-t30 charon[2891]: 14[CFG] 10.42.78.122/32[udp/l2f]
Dec 16 10:31:08 colibri-t30 charon[2891]: 14[CFG] proposing traffic selectors for other:
Dec 16 10:31:08 colibri-t30 charon[2891]: 14[CFG] /32[udp/l2f]
Dec 16 10:31:08 colibri-t30 charon[2891]: 14[ENC] generating QUICK_MODE request 3526878650 [ HASH SA No ID ID NAT-OA NAT-OA ]
Dec 16 10:31:08 colibri-t30 charon[2891]: 14[NET] sending packet: from 10.42.78.122[4500] to [4500] (252 bytes)
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[NET] received packet: from [4500] to 10.42.78.122[4500] (220 bytes)
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[ENC] parsed QUICK_MODE response 3526878650 [ HASH SA No ID ID NAT-OA NAT-OA ]
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[CFG] selecting proposal:
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[CFG] proposal matches
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[IKE] changing received traffic selectors 80.187.101.122/32[udp/l2f]=== 192.168.90.90/32[udp/l2f] due to NAT
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[IKE] CHILD_SA 72eef387-c293-4ba2-9ecb-d667deb71aeb{1} established with SPIs c37f638a_i 54c35d76_o and TS 10.42.78.122/32[udp/l2f] === /32[udp/l2f]
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[IKE] CHILD_SA 72eef387-c293-4ba2-9ecb-d667deb71aeb{1} established with SPIs c37f638a_i 54c35d76_o and TS 10.42.78.122/32[udp/l2f] === /32[udp/l2f]
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[IKE] reinitiating already active tasks
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[IKE] QUICK_MODE task
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[ENC] generating QUICK_MODE request 3526878650 [ HASH ]
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[NET] sending packet: from 10.42.78.122[4500] to [4500] (60 bytes)
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[IKE] activating new tasks
Dec 16 10:31:08 colibri-t30 charon[2891]: 15[IKE] nothing to initiate
Dec 16 10:31:08 colibri-t30 charon[2891]: 16[NET] received packet: from [4500] to 10.42.78.122[4500] (76 bytes)
Dec 16 10:31:08 colibri-t30 charon[2891]: 16[ENC] parsed QUICK_MODE response 3526878650 [ HASH N(INIT_CONTACT) ]
Dec 16 10:31:08 colibri-t30 charon[2891]: 16[IKE] ignoring fourth Quick Mode message
Dec 16 10:31:08 colibri-t30 NetworkManager[323]: [1639650668.6716] vpn-connection[0x28a200,72eef387-c293-4ba2-9ecb-d667deb71aeb,"vpn3",0]: VPN plugin: state changed: starting (3)
Dec 16 10:31:08 colibri-t30 pppd[2925]: Plugin pppol2tp.so loaded.
Dec 16 10:31:08 colibri-t30 pppd[2925]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Dec 16 10:31:08 colibri-t30 pppd[2925]: pppd 2.4.7 started by root, uid 0
Dec 16 10:31:08 colibri-t30 pppd[2925]: Using interface ppp1
Dec 16 10:31:08 colibri-t30 pppd[2925]: Connect: ppp1 <-->
Dec 16 10:31:08 colibri-t30 pppd[2925]: Overriding mtu 1500 to 1400
Dec 16 10:31:08 colibri-t30 pppd[2925]: Overriding mru 1500 to mtu value 1400
Dec 16 10:31:08 colibri-t30 systemd-udevd[2926]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Dec 16 10:31:08 colibri-t30 systemd-udevd[2926]: link_config: could not get ethtool features for ppp1
Dec 16 10:31:08 colibri-t30 systemd-udevd[2926]: Could not set offload features of ppp1: Operation not supported
Dec 16 10:31:08 colibri-t30 NetworkManager[323]: [1639650668.9337] manager: (ppp1): new Generic device (/org/freedesktop/NetworkManager/Devices/16)
Dec 16 10:31:09 colibri-t30 dnsmasq[393]: reading /etc/resolv.conf
Dec 16 10:31:09 colibri-t30 dnsmasq[393]: using nameserver 192.168.10.237#53
Dec 16 10:31:09 colibri-t30 NetworkManager[323]: [1639650669.0283] devices added (path: /sys/devices/virtual/net/ppp1, iface: ppp1)
Dec 16 10:31:09 colibri-t30 NetworkManager[323]: [1639650669.0287] device added (path: /sys/devices/virtual/net/ppp1, iface: ppp1): no ifupdown configuration found.
Dec 16 10:31:22 colibri-t30 NetworkManager[323]: [1639650682.6874] vpn-connection[0x28a200,72eef387-c293-4ba2-9ecb-d667deb71aeb,"vpn3",0]: VPN plugin: failed: connect-failed (1)
Dec 16 10:31:22 colibri-t30 NetworkManager[323]: [1639650682.6878] vpn-connection[0x28a200,72eef387-c293-4ba2-9ecb-d667deb71aeb,"vpn3",0]: VPN plugin: failed: connect-failed (1)
Dec 16 10:31:22 colibri-t30 pppd[2925]: Terminating on signal 15
Dec 16 10:31:22 colibri-t30 NetworkManager[323]: [1639650682.6880] vpn-connection[0x28a200,72eef387-c293-4ba2-9ecb-d667deb71aeb,"vpn3",0]: VPN plugin: state changed: stopping (5)
Dec 16 10:31:22 colibri-t30 pppd[2925]: Connection terminated.
Dec 16 10:31:22 colibri-t30 charon[2891]: 13[KNL] interface ppp1 deleted

dkosovic commented 2 years ago

Wow, enabling L2TP kernel module support seems to have made it a lot worse. The only reason I know about Windows Server interoperability requiring L2TP kernel modules is because when Fedora 31 started blacklisting kernel-extras kernel modules including the L2TP kernel modules, I got multiple Fedora bug reports indicating they weren't able to connect to Windows Server anymore. I don't know how far back L2TP kernel module support was required for interoperability with Windows Server.

Although not the issue in this case yet, Windows Server does not allow multiple L2TP clients behind the same NAT as it can't tell them apart if the source port is 1701 (which is what Windows clients use, so it is probably more accurate to say it does not allow multiple Windows L2TP clients behind the same NAT). E.g. Windows Server could have problems with the following connection:

$ sudo netstat -u -n
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 192.168.0.74:1701      120.103.71.66:1701      ESTABLISHED

A workaround to tell the L2TP connections apart is to start the system xl2tpd; this will result in an ephemeral (random) source port being used by the xl2tpd process NetworkManager-l2tp starts up, e.g.:

$ sudo netstat -u -n
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 192.168.0.74:45575      120.103.71.66:1701      ESTABLISHED

The PSK < 8 character issue is only an issue if you are trying to use a Libreswan server. For NetworkManager-l2tp with libreswan, it is only a warning that is printed out up to 5 times and is harmless.

You can modify the files under /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/ for testing, but you would need to manually launch strongswan/libreswan and xl2tpd. The ppp-options file would need to be modified by removing the following line:

plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so

and replace it with:

user the-username
password password-string

Coincidentally, it is nm-l2tp-pppd-plugin.so which provides the D-Bus bridge to pppd that the "pppd didn't initialize our dbus module" error is referring to.

NetworkManager-l2tp auto-detects if libreswan or strongswan is being used and generates an appropriate ipsec.conf file based on the auto-detection.

The below ipsec commands are identical to what NetworkManager-l2tp does (except it doesn't use the sleep 2 command, but a for loop, to determine when the IPsec daemon is ready).

For libreswan based connection, issue:

sudo ipsec restart
sleep 2
sudo ipsec auto \
  --config /var/run/nm-l2tp-ipsec-5c912719-67d6-4bdb-b5eb-d5f3db641814.conf \
  --verbose --add 5c912719-67d6-4bdb-b5eb-d5f3db641814
sudo ipsec auto --up 5c912719-67d6-4bdb-b5eb-d5f3db641814

sudo ipsec status

For strongswan based connection, issue:

sudo ipsec restart --conf /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/ipsec.conf --debug
sleep 2
sudo ipsec up 5c912719-67d6-4bdb-b5eb-d5f3db641814

sudo ipsec status

For the L2TP connection, it would be:

sudo xl2tpd -D \
  -c /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/xl2tpd.conf \
  -C /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/xl2tpd-control \
  -p /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/xl2tpd.pid

xl2tpd-control and xl2tpd.pid are files xl2tpd generates.
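As an added illustration of the source-port point made above (this is not code from NetworkManager-l2tp or from the comment author), the following Python parses `netstat -u -n` output and reports which UDP sockets talking to an L2TP peer on port 1701 are bound to the fixed source port 1701, which a Windows Server cannot distinguish when several such clients sit behind one NAT, and which use an ephemeral port. The sample listing is constructed from the two netstat excerpts above; the ephemeral-range threshold of 32768 is an assumption based on the Linux default `net.ipv4.ip_local_port_range`.

```python
import re
from typing import Dict, List

L2TP_PORT = 1701
# Assumption: the low end of the Linux default net.ipv4.ip_local_port_range.
EPHEMERAL_START = 32768

# Constructed sample, modelled on the two netstat listings quoted above
# (one fixed-port socket, one ephemeral-port socket, one unrelated socket).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 192.168.0.74:1701      120.103.71.66:1701      ESTABLISHED
udp        0      0 192.168.0.74:45575     120.103.71.66:1701      ESTABLISHED
udp        0      0 0.0.0.0:68             0.0.0.0:*
"""


def _split_endpoint(endpoint: str):
    """Split an 'addr:port' column into (addr, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def l2tp_sockets(netstat_text: str) -> List[Dict]:
    """Return every UDP socket whose foreign port is 1701 (an L2TP peer)."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Data rows look like: udp <recv-q> <send-q> <local> <foreign> [state]
        if len(parts) < 5 or not parts[0].startswith("udp"):
            continue
        local_ip, local_port = _split_endpoint(parts[3])
        remote_ip, remote_port = _split_endpoint(parts[4])
        if remote_port != L2TP_PORT or local_port is None:
            continue
        found.append({
            "local_ip": local_ip,
            "local_port": local_port,
            "remote_ip": remote_ip,
            "remote_port": remote_port,
            "ephemeral": local_port >= EPHEMERAL_START,
        })
    return found


def fixed_source_port_sockets(sockets: List[Dict]) -> List[Dict]:
    """Sockets bound to source port 1701: the ones a Windows Server behind a
    shared NAT cannot tell apart, as described in the comment above."""
    return [s for s in sockets if s["local_port"] == L2TP_PORT]


def report(netstat_text: str) -> str:
    """Human-readable summary of the L2TP sockets and the fixed-port risk."""
    socks = l2tp_sockets(netstat_text)
    lines = []
    for s in socks:
        tag = "ephemeral" if s["ephemeral"] else "fixed"
        lines.append(f"{s['local_ip']}:{s['local_port']} -> "
                     f"{s['remote_ip']}:{s['remote_port']} ({tag} source port)")
    risky = fixed_source_port_sockets(socks)
    if risky:
        lines.append(f"{len(risky)} L2TP socket(s) use source port {L2TP_PORT}; "
                     "other L2TP clients behind the same NAT to the same server "
                     "may collide. Workaround from the comment above: start the "
                     "system xl2tpd so the NetworkManager-l2tp instance gets an "
                     "ephemeral port.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

On a live host, replace `SAMPLE_NETSTAT` with the captured output of `sudo netstat -u -n` (or `ss -unp`, whose columns differ and would need a different parser).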

Bradley-Drummonds commented 2 years ago

Hi, thanks for that response. I did what you suggested and modified the ppp-options file and tried to build the connection manually using ipsec (strongswan) and then calling xl2tpd as you suggested.

Here is the response from (I am running as root):

xl2tpd -D \
  -c /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/xl2tpd.conf \
  -C /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/xl2tpd-control \
  -p /var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/xl2tpd.pid

xl2tpd[4098]: Not looking for kernel SAref support.
xl2tpd[4098]: Using l2tp kernel support.
xl2tpd[4098]: xl2tpd version xl2tpd-1.3.16 started on colibri-t30 PID:4098
xl2tpd[4098]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[4098]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[4098]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[4098]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[4098]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[4098]: get_call: allocating new tunnel for host 91.5.86.210, port 1701.
xl2tpd[4098]: Connecting to host , port 1701
xl2tpd[4098]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
xl2tpd[4098]: control_finish: sending SCCRQ
xl2tpd[4098]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[4098]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[4098]: framing_caps_avp: supported peer frames: sync
xl2tpd[4098]: bearer_caps_avp: supported peer bearers:
xl2tpd[4098]: firmware_rev_avp: peer reports firmware version 1537 (0x0601)
xl2tpd[4098]: hostname_avp: peer reports hostname 'WS2008R2-WH1'
xl2tpd[4098]: vendor_avp: peer reports vendor 'Microsoft'
xl2tpd[4098]: assigned_tunnel_avp: using peer's tunnel 310
xl2tpd[4098]: receive_window_size_avp: peer wants RWS of 8. Will use flow control.
xl2tpd[4098]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 310, call is 0.
xl2tpd[4098]: control_finish: sending SCCCN
xl2tpd[4098]: Connection established to , 1701. Local: 58878, Remote: 310 (ref=0/0).
xl2tpd[4098]: Calling on tunnel 58878
xl2tpd[4098]: control_finish: message type is (null)(0). Tunnel is 310, call is 0.
xl2tpd[4098]: control_finish: sending ICRQ
xl2tpd[4098]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[4098]: assigned_call_avp: using peer's call 2
xl2tpd[4098]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 310, call is 2.
xl2tpd[4098]: control_finish: Sending ICCN
xl2tpd[4098]: Call established with , Local: 27949, Remote: 2, Serial: 1 (ref=0/0)
xl2tpd[4098]: start_pppd: I'm running:
xl2tpd[4098]: "/usr/sbin/pppd"
xl2tpd[4098]: "plugin"
xl2tpd[4098]: "pppol2tp.so"
xl2tpd[4098]: "pppol2tp"
xl2tpd[4098]: "7"
xl2tpd[4098]: "passive"
xl2tpd[4098]: "nodetach"
xl2tpd[4098]: ":"
xl2tpd[4098]: "debug"
xl2tpd[4098]: "file"
xl2tpd[4098]: "/var/run/nm-l2tp-5c912719-67d6-4bdb-b5eb-d5f3db641814/ppp-options"
xl2tpd[4098]: message_type_avp: message type 6 (Hello)
xl2tpd[4098]: control_finish: message type is Hello(6). Tunnel is 310, call is 0.
xl2tpd[4098]: message_type_avp: message type 6 (Hello)
xl2tpd[4098]: control_finish: message type is Hello(6). Tunnel is 310, call is 0.
xl2tpd[4098]: message_type_avp: message type 14 (Call-Disconnect-Notify)
xl2tpd[4098]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
xl2tpd[4098]: assigned_call_avp: using peer's call 2
xl2tpd[4098]: control_finish: message type is Call-Disconnect-Notify(14). Tunnel is 310, call is 2.
xl2tpd[4098]: control_finish: Connection closed to , serial 1 ()
xl2tpd[4098]: Terminating pppd: sending TERM signal to pid 4099
xl2tpd[4098]: message_type_avp: message type 6 (Hello)
xl2tpd[4098]: control_finish: message type is Hello(6). Tunnel is 310, call is 0.
xl2tpd[4098]: message_type_avp: message type 6 (Hello)
xl2tpd[4098]: control_finish: message type is Hello(6). Tunnel is 310, call is 0.

and then ran:

root@colibri-t30:~# netstat -u -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 :1701                  :1701                   ESTABLISHED

I am really baffled about what is happening. Why am I getting the Call-Disconnect-Notify message? I looked on the Windows server and it shows a warning about the authentication not completing in time.

Then I tried to start modifying more ppp options and that didn't seem to help.

So I turned on the traces on the Windows server and I found the error DEV_SPECIFIC_INFO_KEY(RDT_TUNNEL_INFO): Invalid size. But I don't have the source code for the RASMAN process on Windows, so I don't know what that really means.
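To make the xl2tpd trace above easier to read, here is an added example (my own code, not from the project or either participant) that parses `xl2tpd -D` output into the sequence of L2TP control messages sent and received, the peer's tunnel and call IDs, and the Call-Disconnect-Notify result code, then reports which stage of the RFC 2661 setup (control connection SCCRQ/SCCRP/SCCCN, call setup ICRQ/ICRP/ICCN, or the PPP phase after ICCN) the session had reached when the peer tore it down. The stage names are my own labels; the sample log is a constructed, trimmed copy of the trace posted above, with the same elided IP addresses left out. On that trace the tunnel and call are both fully established and pppd has been spawned before the peer's disconnect arrives, so the failure lies in the PPP phase rather than in L2TP signalling.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the xl2tpd -D output posted above.
SAMPLE_LOG = """\
xl2tpd[4098]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[4098]: control_finish: sending SCCRQ
xl2tpd[4098]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[4098]: hostname_avp: peer reports hostname 'WS2008R2-WH1'
xl2tpd[4098]: assigned_tunnel_avp: using peer's tunnel 310
xl2tpd[4098]: control_finish: sending SCCCN
xl2tpd[4098]: control_finish: sending ICRQ
xl2tpd[4098]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[4098]: assigned_call_avp: using peer's call 2
xl2tpd[4098]: control_finish: Sending ICCN
xl2tpd[4098]: message_type_avp: message type 6 (Hello)
xl2tpd[4098]: message_type_avp: message type 14 (Call-Disconnect-Notify)
xl2tpd[4098]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
xl2tpd[4098]: Terminating pppd: sending TERM signal to pid 4099
"""

# Patterns match the wording xl2tpd uses in the trace above.
SENT_RE = re.compile(r"control_finish: [Ss]ending (\w+)")
RECV_RE = re.compile(r"message_type_avp: message type (\d+) \(([\w-]+)\)")
CDN_RE = re.compile(r"peer closing for reason (\d+) \((.*?)\), error = (\d+)")
TUNNEL_RE = re.compile(r"using peer's tunnel (\d+)")
CALL_RE = re.compile(r"using peer's call (\d+)")
HOST_RE = re.compile(r"peer reports hostname '([^']*)'")


@dataclass
class L2tpTrace:
    sent: List[str] = field(default_factory=list)            # control messages we sent
    received: List[Tuple[int, str]] = field(default_factory=list)  # (type, name) received
    peer_hostname: Optional[str] = None
    peer_tunnel: Optional[int] = None
    peer_call: Optional[int] = None
    disconnect: Optional[Tuple[int, str, int]] = None        # (reason, text, error)
    pppd_killed: bool = False


def parse_xl2tpd_log(text: str) -> L2tpTrace:
    """Walk the trace line by line and collect the signalling events."""
    t = L2tpTrace()
    for line in text.splitlines():
        if (m := SENT_RE.search(line)):
            t.sent.append(m.group(1).upper())
        elif (m := RECV_RE.search(line)):
            t.received.append((int(m.group(1)), m.group(2)))
        elif (m := CDN_RE.search(line)):
            t.disconnect = (int(m.group(1)), m.group(2), int(m.group(3)))
        elif (m := TUNNEL_RE.search(line)):
            t.peer_tunnel = int(m.group(1))
        elif (m := CALL_RE.search(line)):
            t.peer_call = int(m.group(1))
        elif (m := HOST_RE.search(line)):
            t.peer_hostname = m.group(1)
        elif "Terminating pppd" in line:
            t.pppd_killed = True
    return t


def failure_stage(t: L2tpTrace) -> str:
    """Stage reached when the peer disconnected (labels are this example's own):
    'control-connection' if SCCCN was never sent, 'call-setup' if ICCN was never
    sent, 'ppp' if the L2TP session was up and pppd was already in charge."""
    if t.disconnect is None:
        return "no-disconnect"
    if "SCCCN" not in t.sent:
        return "control-connection"
    if "ICCN" not in t.sent:
        return "call-setup"
    return "ppp"


def summarize(text: str) -> str:
    t = parse_xl2tpd_log(text)
    names = [name for _, name in t.received]
    lines = [f"peer {t.peer_hostname} tunnel={t.peer_tunnel} call={t.peer_call}",
             f"sent: {' '.join(t.sent)}",
             f"received: {' '.join(names)}"]
    if t.disconnect:
        reason, why, err = t.disconnect
        lines.append(f"peer disconnect: reason {reason} ({why}), error {err}; "
                     f"stage reached: {failure_stage(t)}; pppd killed: {t.pppd_killed}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```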

dkosovic commented 2 years ago

Sorry I'm not sure what is going on and I don't understand the L2TP protocol at that level. Perhaps broken L2TP kernel modules. There have been a few occasions where a kernel update broke the L2TP kernel modules. Maybe ignore what I said about using the L2TP kernel modules, you might get further now using the xl2tpd userspace support.

As Windows Server supports PPTP, you could try NetworkManager-pptp and see if you have luck there. It will confirm if the PPP connection is working to Windows Server with that old kernel. The NetworkManager-l2tp code started off as a modified version of NetworkManager-pptp, so is very similar.

Bradley-Drummonds commented 2 years ago

Hi, thanks again for the response. Since we have not been able to connect to ANY L2TP/IPsec server (even if it is not windows) I am guessing that something else is wrong besides the problems that we have seen when xl2tpd uses kernel modules.

And honestly, switching to a new kernel for us seems to be quite difficult for us. We are kind of in a tough situation where Toradex has stopped updating the kernel for this SOM and I am relatively new to linux, so moving a mainline (LTS) kernel to this SOM seems somewhat daunting.

Would switching to kl2tpd be something good to try? I really have not seen any response to a post I have left on the xl2tp board, so I am guessing that xl2tpd is not active in helping users with issues. I have had some success at cross-compiling kl2tpd for our SOM.

The big problem with switching to kl2tpd seems to be the changes to networkmanager-l2tp itself. The service on the nm-1-2 branch doesn't even look for the kl2tpd... that seems to only have been added in later versions. Is there any way to patch support for kl2tpd into nm-1-2?

dkosovic commented 2 years ago

I would recommend using an xl2tpd version closer in vintage to the kernel you are using. On Fedora with the later xl2tpd versions, initially it was only the L2TP Windows Servers, but with subsequent kernel updates (or xl2tpd updates?) it was most L2TP servers that needed kernel modules for interoperability. Ubuntu 14.04 (i.e. released April 2014) lists xl2tpd 1.3.1 to 1.3.6 on the Ubuntu Launchpad site: https://launchpad.net/ubuntu/trusty/+source/xl2tpd

But I would have thought the xl2tpd 1.3.9 you were originally using would have been okay.

go-l2tp supports L2TPv3, which I thought is in later kernels (4.x?); although L2TPv3 is not used by kl2tpd, I'm not certain if kl2tpd will work with older kernels. To use kl2tpd in an older NetworkManager-l2tp, it would just be a matter of backporting commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/0b35b7c5c63bebfc7875d6310910a57431ec696a. It also wouldn't be too difficult to write a config file and run kl2tpd from the command-line; the PPP options file will still be the same as used with xl2tpd.

dkosovic commented 2 years ago

Forgot to mention another thing to try: if you have SELinux or AppArmor enabled, try temporarily disabling it and then try to reestablish the L2TP connection. On some Linux distros you don't see any log output from SELinux or AppArmor.

I also forgot to mention the main reason I recommended testing PPTP over PPP and seeing if it worked (when you were having issues with L2TP over PPP) is that you'll get good support from the pppd maintainers if it turns out to be a PPP issue that is common to both PPTP and L2TP.

Bradley-Drummonds commented 2 years ago

This was fixed by updating the kernel to 4.14.

dkosovic commented 2 years ago

Glad to hear you managed to get things to work.