Open zhu4ling3 opened 10 years ago
the same problem as me
Can you try to add this to the ppp options file:
refuse-chap refuse-eap refuse-pap refuse-mschap require-mschap-v2
it works:
# /etc/ipsec.conf
version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    protostack=netkey
    force_keepalive=yes
    keep_alive=60

conn l2tp-psk
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    type=transport
    left=106.186.127.239
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

; /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 106.186.127.239

[lns default]
ip range = 192.168.0.1-192.168.0.20
local ip = 192.168.0.21
assign ip = yes
length bit = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options

# /etc/ppp/options (the pppoptfile referenced above)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
asyncmap 0
auth
crtscts
lock
hide-password
modem
mru 1200
nodefaultroute
debug
mtu 1200
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
noipx
idle 1800
connect-delay 5000

# /etc/ppp/chap-secrets  (client  server  secret  IP addresses)
zhangxxxx * "**" 192.168.0.1/24
guoxxxx * "******" 192.168.0.1/24

# /etc/ipsec.secrets
106.186.127.xxx 0.0.0.0: PSK "***"
I observe exactly the same: installing via a script I wrote works 100% of the time in 12.04, for OSX and iOS clients.
With the same script/resulting setup under a fresh 14.04, the connection negotiation from the same clients that worked perfectly under 12.04 fails/stops at the exact same spot as the OP showed.
It appears that xl2tpd does not get the connection request (?) from openswan, and just sits there.
How can I help to debug this?
To elaborate on this: the only difference I can spot is that under 12.04 we have (note the "NATOA=none" in the last line!)
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:aa32488c}
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: them: W.X.Y.Z[192.168.8.14,+S=C]:17/53116
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x066d455e <0x7c3f682b xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
whereas on 14.04 we don't have the explicit workaround and accept the peer's proposal (note the "NATOA=192.168.8.14" on the last line) and we do not enter into the L2TP-PSK-noNAT connection. Again, exact same configuration as under 12.04 where this works:
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> 192.168.8.14/32:17/0
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:c34601b4}
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: us: A.B.C.D<A.B.C.D>:17/1701
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: them: W.X.Y.Z[192.168.8.14]:17/62338===192.168.8.14/32
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x04a658c6 <0x55fade1b xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.14 NATD=W.X.Y.Z:4500 DPD=enabled}
Below I include the complete logs for both 12.04 and 14.04 with the exact same configuration (in fact, I updated from that 12.04 instance to 14.04 keeping the openswan/xl2tpd configuration).
######### this one works, on a fresh 12.04
# uname -a
Linux vpn 3.2.0-59-virtual #90-Ubuntu SMP Tue Jan 7 23:02:33 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
openswan 1:2.6.37-1
xl2tpd 1.3.1+dfsg-1ubuntu0.12.04.1
ppp 2.4.5-5ubuntu1
Aug 9 18:16:55 vpn ipsec__plutorun: Starting Pluto subsystem...
Aug 9 18:16:55 vpn pluto[14018]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:14018
Aug 9 18:16:55 vpn pluto[14018]: LEAK_DETECTIVE support [disabled]
Aug 9 18:16:55 vpn pluto[14018]: OCF support for IKE [disabled]
Aug 9 18:16:55 vpn pluto[14018]: SAref support [disabled]: Protocol not available
Aug 9 18:16:55 vpn pluto[14018]: SAbind support [disabled]: Protocol not available
Aug 9 18:16:55 vpn pluto[14018]: NSS support [disabled]
Aug 9 18:16:55 vpn pluto[14018]: HAVE_STATSD notification support not compiled in
Aug 9 18:16:55 vpn pluto[14018]: Setting NAT-Traversal port-4500 floating to on
Aug 9 18:16:55 vpn pluto[14018]: port floating activation criteria nat_t=1/port_float=1
Aug 9 18:16:55 vpn pluto[14018]: NAT-Traversal support [enabled] [Force KeepAlive]
Aug 9 18:16:55 vpn pluto[14018]: using /dev/urandom as source of random entropy
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 9 18:16:55 vpn pluto[14018]: starting up 1 cryptographic helpers
Aug 9 18:16:55 vpn pluto[14018]: started helper pid=14020 (fd:6)
Aug 9 18:16:55 vpn pluto[14018]: Using Linux 2.6 IPsec interface code on 3.2.0-59-virtual (experimental code)
Aug 9 18:16:55 vpn pluto[14020]: using /dev/urandom as source of random entropy
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug 9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug 9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug 9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug 9 18:16:55 vpn pluto[14018]: Changing to directory '/etc/ipsec.d/crls'
Aug 9 18:16:55 vpn pluto[14018]: Warning: empty directory
Aug 9 18:16:55 vpn pluto[14018]: added connection description "L2TP-PSK-NAT"
Aug 9 18:16:55 vpn pluto[14018]: added connection description "L2TP-PSK-noNAT"
Aug 9 18:16:55 vpn pluto[14018]: listening for IKE messages
Aug 9 18:16:55 vpn pluto[14018]: adding interface eth0/eth0 A.B.C.D:500
Aug 9 18:16:55 vpn pluto[14018]: adding interface eth0/eth0 A.B.C.D:4500
Aug 9 18:16:55 vpn pluto[14018]: adding interface lo/lo 127.0.0.1:500
Aug 9 18:16:55 vpn pluto[14018]: adding interface lo/lo 127.0.0.1:4500
Aug 9 18:16:55 vpn pluto[14018]: adding interface lo/lo ::1:500
Aug 9 18:16:55 vpn pluto[14018]: loading secrets from "/etc/ipsec.secrets"
Aug 9 18:16:55 vpn pluto[14018]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug 9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug 9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:aa32488c}
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: them: W.X.Y.Z[192.168.8.14,+S=C]:17/53116
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x066d455e <0x7c3f682b xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
[Tunnel works perfectly, now we disconnect manually]
Aug 9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x066d455e) payload: deleting IPSEC State #2
Aug 9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-noNAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug 9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Aug 9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Aug 9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug 9 18:19:32 vpn pluto[14018]: packet from W.X.Y.Z:4500: received and ignored informational message
Aug 9 18:17:28 vpn xl2tpd[14565]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Aug 9 18:17:28 vpn xl2tpd[14565]: setsockopt recvref[30]: Protocol not available
Aug 9 18:17:28 vpn xl2tpd[14565]: This binary does not support kernel L2TP.
Aug 9 18:17:28 vpn xl2tpd[14566]: xl2tpd version xl2tpd-1.3.1 started on vpn PID:14566
Aug 9 18:17:28 vpn xl2tpd[14566]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 9 18:17:28 vpn xl2tpd[14566]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 9 18:17:28 vpn xl2tpd[14566]: Inherited by Jeff McAdams, (C) 2002
Aug 9 18:17:28 vpn xl2tpd[14566]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug 9 18:17:28 vpn xl2tpd[14566]: Listening on IP address A.B.C.D, port 1701
Aug 9 18:17:50 vpn xl2tpd[14566]: control_finish: Peer requested tunnel 93 twice, ignoring second one.
Aug 9 18:17:50 vpn xl2tpd[14566]: Connection established to W.X.Y.Z, 53116. Local: 21640, Remote: 93 (ref=0/0). LNS session is 'default'
Aug 9 18:17:50 vpn xl2tpd[14566]: start_pppd: I'm running:
Aug 9 18:17:50 vpn xl2tpd[14566]: "/usr/sbin/pppd"
Aug 9 18:17:50 vpn xl2tpd[14566]: "passive"
Aug 9 18:17:50 vpn xl2tpd[14566]: "nodetach"
Aug 9 18:17:50 vpn xl2tpd[14566]: "10.1.1.1:10.1.1.2"
Aug 9 18:17:50 vpn xl2tpd[14566]: "refuse-pap"
Aug 9 18:17:50 vpn xl2tpd[14566]: "refuse-chap"
Aug 9 18:17:50 vpn xl2tpd[14566]: "auth"
Aug 9 18:17:50 vpn xl2tpd[14566]: "debug"
Aug 9 18:17:50 vpn xl2tpd[14566]: "file"
Aug 9 18:17:50 vpn xl2tpd[14566]: "/etc/ppp/options.xl2tpd"
Aug 9 18:17:50 vpn xl2tpd[14566]: "ipparam"
Aug 9 18:17:50 vpn xl2tpd[14566]: "W.X.Y.Z"
Aug 9 18:17:50 vpn xl2tpd[14566]: "/dev/pts/4"
Aug 9 18:17:50 vpn xl2tpd[14566]: Call established with W.X.Y.Z, Local: 52578, Remote: 7838, Serial: 1
Aug 9 18:17:50 vpn pppd[14906]: pppd 2.4.5 started by root, uid 0
Aug 9 18:17:50 vpn pppd[14906]: using channel 3
Aug 9 18:17:50 vpn pppd[14906]: Using interface ppp0
Aug 9 18:17:50 vpn pppd[14906]: Connect: ppp0 <--> /dev/pts/4
Aug 9 18:17:50 vpn pppd[14906]: sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1621ada0> <pcomp> <accomp>]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x674b0976> <pcomp> <accomp>]
Aug 9 18:17:50 vpn pppd[14906]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x674b0976> <pcomp> <accomp>]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [LCP ConfAck id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1621ada0> <pcomp> <accomp>]
Aug 9 18:17:50 vpn pppd[14906]: sent [LCP EchoReq id=0x0 magic=0x1621ada0]
Aug 9 18:17:50 vpn pppd[14906]: sent [CHAP Challenge id=0xc6 <5d1a4938707bc9b1781ad45d5a8739f5>, name = "l2tpd"]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [LCP EchoReq id=0x0 magic=0x674b0976]
Aug 9 18:17:50 vpn pppd[14906]: sent [LCP EchoRep id=0x0 magic=0x1621ada0]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [LCP EchoRep id=0x0 magic=0x674b0976]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [CHAP Response id=0xc6 <ba3c5af1be64e99cba126bb7024326ae000000000000000055c0937ef8d0188e2b1ec27e0f1d866cdfbd2ce0d4ee2de800>, name = "VPN_USERNAME"]
Aug 9 18:17:50 vpn pppd[14906]: sent [CHAP Success id=0xc6 "S=367F80A803A2405D8FE6A49720691A1F8412473D M=Access granted"]
Aug 9 18:17:50 vpn pppd[14906]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Aug 9 18:17:50 vpn pppd[14906]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.1.1.1>]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Aug 9 18:17:50 vpn pppd[14906]: sent [IPCP ConfNak id=0x1 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [IPV6CP ConfReq id=0x1 <addr fe80::6203:08ff:fe9d:2e4a>]
Aug 9 18:17:50 vpn pppd[14906]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Aug 9 18:17:50 vpn pppd[14906]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 62 03 08 ff fe 9d 2e 4a]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Aug 9 18:17:50 vpn pppd[14906]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Aug 9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Aug 9 18:17:50 vpn pppd[14906]: sent [IPCP ConfReq id=0x2 <addr 10.1.1.1>]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfReq id=0x2 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug 9 18:17:50 vpn pppd[14906]: sent [IPCP ConfAck id=0x2 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug 9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfAck id=0x2 <addr 10.1.1.1>]
Aug 9 18:17:50 vpn pppd[14906]: Cannot determine ethernet address for proxy ARP
Aug 9 18:17:50 vpn pppd[14906]: local IP address 10.1.1.1
Aug 9 18:17:50 vpn pppd[14906]: remote IP address 10.1.1.2
Aug 9 18:17:50 vpn pppd[14906]: Script /etc/ppp/ip-up started (pid 14909)
Aug 9 18:17:50 vpn pppd[14906]: Script /etc/ppp/ip-up finished (pid 14909), status = 0x0
Aug 9 18:18:20 vpn pppd[14906]: sent [LCP EchoReq id=0x1 magic=0x1621ada0]
Aug 9 18:18:20 vpn pppd[14906]: rcvd [LCP EchoRep id=0x1 magic=0x674b0976]
Aug 9 18:18:50 vpn pppd[14906]: rcvd [LCP EchoReq id=0x1 magic=0x674b0976]
Aug 9 18:18:50 vpn pppd[14906]: sent [LCP EchoRep id=0x1 magic=0x1621ada0]
Aug 9 18:18:50 vpn pppd[14906]: sent [LCP EchoReq id=0x2 magic=0x1621ada0]
Aug 9 18:18:50 vpn pppd[14906]: rcvd [LCP EchoRep id=0x2 magic=0x674b0976]
Aug 9 18:19:20 vpn pppd[14906]: sent [LCP EchoReq id=0x3 magic=0x1621ada0]
Aug 9 18:19:20 vpn pppd[14906]: rcvd [LCP EchoRep id=0x3 magic=0x674b0976]
[Tunnel works perfectly, now we disconnect manually]
Aug 9 18:19:32 vpn pppd[14906]: rcvd [LCP TermReq id=0x3 "User request"]
Aug 9 18:19:32 vpn pppd[14906]: LCP terminated by peer (User request)
Aug 9 18:19:32 vpn pppd[14906]: Connect time 1.7 minutes.
Aug 9 18:19:32 vpn pppd[14906]: Sent 213174 bytes, received 103569 bytes.
Aug 9 18:19:32 vpn xl2tpd[14566]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
Aug 9 18:19:32 vpn xl2tpd[14566]: control_finish: Connection closed to W.X.Y.Z, serial 1 ()
Aug 9 18:19:32 vpn xl2tpd[14566]: Terminating pppd: sending TERM signal to pid 14906
Aug 9 18:19:32 vpn xl2tpd[14566]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
Aug 9 18:19:32 vpn xl2tpd[14566]: control_finish: Connection closed to W.X.Y.Z, port 53116 (), Local: 21640, Remote: 93
Aug 9 18:19:32 vpn pppd[14906]: Script /etc/ppp/ip-down started (pid 16430)
Aug 9 18:19:32 vpn pppd[14906]: sent [LCP TermAck id=0x3]
Aug 9 18:19:32 vpn pppd[14906]: Terminating on signal 15
Aug 9 18:19:32 vpn pppd[14906]: Modem hangup
Aug 9 18:19:32 vpn pppd[14906]: Connection terminated.
Aug 9 18:19:32 vpn pppd[14906]: Script /etc/ppp/ip-down finished (pid 16430), status = 0x0
Aug 9 18:19:32 vpn pppd[14906]: Exit.
######### this one is broken, on 14.04 (updated from the 12.04 above)
# uname -a
Linux vpn 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
openswan 1:2.6.38-1
xl2tpd 1.3.6+dfsg-1
ppp 2.4.5-5.1ubuntu2
Aug 9 20:08:20 vpn ipsec__plutorun: Starting Pluto subsystem...
Aug 9 20:08:20 vpn pluto[1815]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:1815
Aug 9 20:08:20 vpn pluto[1815]: LEAK_DETECTIVE support [disabled]
Aug 9 20:08:20 vpn pluto[1815]: OCF support for IKE [disabled]
Aug 9 20:08:20 vpn pluto[1815]: SAref support [disabled]: Protocol not available
Aug 9 20:08:20 vpn pluto[1815]: SAbind support [disabled]: Protocol not available
Aug 9 20:08:20 vpn pluto[1815]: NSS support [disabled]
Aug 9 20:08:20 vpn pluto[1815]: HAVE_STATSD notification support not compiled in
Aug 9 20:08:20 vpn pluto[1815]: Setting NAT-Traversal port-4500 floating to on
Aug 9 20:08:20 vpn pluto[1815]: port floating activation criteria nat_t=1/port_float=1
Aug 9 20:08:20 vpn pluto[1815]: NAT-Traversal support [enabled] [Force KeepAlive]
Aug 9 20:08:20 vpn pluto[1815]: using /dev/urandom as source of random entropy
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 9 20:08:20 vpn pluto[1815]: starting up 1 cryptographic helpers
Aug 9 20:08:20 vpn pluto[1815]: started helper pid=1820 (fd:6)
Aug 9 20:08:20 vpn pluto[1815]: Using Linux 2.6 IPsec interface code on 3.13.0-32-generic (experimental code)
Aug 9 20:08:20 vpn pluto[1820]: using /dev/urandom as source of random entropy
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug 9 20:08:20 vpn pluto[1815]: added connection description "L2TP-PSK-NAT"
Aug 9 20:08:20 vpn pluto[1815]: added connection description "L2TP-PSK-noNAT"
Aug 9 20:08:20 vpn pluto[1815]: listening for IKE messages
Aug 9 20:08:20 vpn pluto[1815]: adding interface eth0/eth0 A.B.C.D:500
Aug 9 20:08:20 vpn pluto[1815]: adding interface eth0/eth0 A.B.C.D:4500
Aug 9 20:08:20 vpn pluto[1815]: adding interface lo/lo 127.0.0.1:500
Aug 9 20:08:20 vpn pluto[1815]: adding interface lo/lo 127.0.0.1:4500
Aug 9 20:08:20 vpn pluto[1815]: adding interface lo/lo ::1:500
Aug 9 20:08:20 vpn pluto[1815]: loading secrets from "/etc/ipsec.secrets"
Aug 9 20:08:20 vpn pluto[1815]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug 9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Aug 9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug 9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> 192.168.8.14/32:17/0
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:c34601b4}
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: us: A.B.C.D<A.B.C.D>:17/1701
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: them: W.X.Y.Z[192.168.8.14]:17/62338===192.168.8.14/32
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x04a658c6 <0x55fade1b xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.14 NATD=W.X.Y.Z:4500 DPD=enabled}
Aug 9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x04a658c6) payload: deleting IPSEC State #2
Aug 9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Aug 9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Aug 9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Aug 9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug 9 20:09:08 vpn pluto[1815]: packet from W.X.Y.Z:4500: received and ignored informational message
Aug 9 20:08:20 vpn ipsec_setup: Starting Openswan IPsec U2.6.38/K3.13.0-32-generic...
Aug 9 20:08:20 vpn ipsec_setup: Using NETKEY(XFRM) stack
Aug 9 20:08:20 vpn kernel: [ 3221.784634] Initializing XFRM netlink socket
Aug 9 20:08:20 vpn kernel: [ 3221.797310] sha512_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug 9 20:08:20 vpn kernel: [ 3221.799575] sha256_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug 9 20:08:20 vpn kernel: [ 3221.804761] AVX instructions are not detected.
Aug 9 20:08:20 vpn kernel: [ 3221.807889] AVX instructions are not detected.
Aug 9 20:08:20 vpn kernel: [ 3221.809872] AVX instructions are not detected.
Aug 9 20:08:20 vpn kernel: [ 3221.815598] AVX instructions are not detected.
Aug 9 20:08:20 vpn kernel: [ 3221.818569] AVX instructions are not detected.
Aug 9 20:08:20 vpn kernel: [ 3221.823023] AVX or AES-NI instructions are not detected.
Aug 9 20:08:20 vpn kernel: [ 3221.824892] AVX or AES-NI instructions are not detected.
Aug 9 20:08:20 vpn ipsec_setup: ...Openswan IPsec started
Aug 9 20:08:20 vpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug 9 20:08:20 vpn pluto: adjusting ipsec.d to /etc/ipsec.d
Aug 9 20:08:20 vpn xl2tpd[765]: death_handler: Fatal signal 15 received
Aug 9 20:08:20 vpn ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Aug 9 20:08:20 vpn ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Aug 9 20:08:21 vpn xl2tpd[1869]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Aug 9 20:08:21 vpn xl2tpd[1869]: setsockopt recvref[30]: Protocol not available
Aug 9 20:08:21 vpn xl2tpd[1869]: This binary does not support kernel L2TP.
Aug 9 20:08:21 vpn xl2tpd[1870]: xl2tpd version xl2tpd-1.3.6 started on vpn PID:1870
Aug 9 20:08:21 vpn xl2tpd[1870]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 9 20:08:21 vpn xl2tpd[1870]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 9 20:08:21 vpn xl2tpd[1870]: Inherited by Jeff McAdams, (C) 2002
Aug 9 20:08:21 vpn xl2tpd[1870]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug 9 20:08:21 vpn xl2tpd[1870]: Listening on IP address A.B.C.D, port 1701
And just to top this off: I downgraded from openswan 1:2.6.38-1 in 14.04 to the default openswan 1:2.6.37-1 in 12.04 (from here: http://www.ubuntuupdates.org/package/core/precise/universe/base/openswan) and upon connecting, it immediately works, going as expected into the noNat connection:
Aug 9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug 9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug 9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:3afd96d1}
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: them: W.X.Y.Z[192.168.8.14,+S=C]:17/50422
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x01f803a1 <0x277af5b3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
On Sat, 9 Aug 2014, fortiko wrote:
Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] 79.146.9.211 #1: the peer proposed: 78.46.240.127/32:17/1701 -> 79.146.9.211/32:17/0
whereas on 14.04 we don't have the explicit workaround and accept the peer's proposal (note the "NATOA=192.168.8.14" on the last line) and we do not enter into the L2TP-PSK-noNAT connection. Again, exact same configuration as under 12.04 where this works:
Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] 79.146.9.211 #1: the peer proposed: 78.46.240.127/32:17/1701 -> 192.168.8.14/32:17/0
That is a bug with transport mode using the wrong IP address. I don't know which versions of openswan are broken and which are fixed. But it seems unrelated to the version of ubuntu (other than what they ship for openswan).
openswan 1:2.6.37-1
######### this one is broken, on 14.04 (updated from the 12.04 above)
openswan 1:2.6.38-1
Upstream openswan is dead. While I maintain openswan in RHEL6 (which is 2.6.32 plus 80+ patches) we ship libreswan (a fork from 2.6.38) in RHEL7. Libreswan has no issues with transport mode that I'm aware of.
Paul
Thanks for the clarifications. I was not aware that upstream openswan was dead, so I guess I have to wait for the libreswan packages to arrive and then adapt my script!
Thanks to zhangping. I will confirm that your configuration works.
I've got the same problem. zhangping's solution does solve the problem.
In @zhangping's config, the real part which makes it work is that he merges the two conn sections into only one. Mine and the other one is:
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
...
while his is:
conn l2tp-psk
authby=secret
pfs=no
auto=add
...
As @fortiko pointed out, the only difference in the log is:
12.04:
pluto[9561]: "L2TP-PSK-noNAT"[2] x.y.z.t #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x03e24f47 <0x328dfaeb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=a.b.c.d:13744 DPD=none}
pppd[9632]: pppd 2.4.5 started by root, uid 0
pppd[9632]: using channel 42
pppd[9632]: Using interface ppp0
pppd[9632]: Connect: ppp0 <--> /dev/pts/8
14.04:
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #7: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0570a2cf <0x31e16ae6 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.104 NATD=58.187.166.x:62150 DPD=none}
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received Delete SA(0x0570a2cf) payload: deleting IPSEC State #7
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received and ignored informational message
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received Delete SA payload: deleting ISAKMP State #6
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x: deleting connection "L2TP-PSK-NAT" instance with peer 58.187.166.x {isakmp=#0/ipsec=#0}
Don't know why it received Delete SA after transport mode is established, and didn't try the L2TP-PSK-noNAT. If I just define only one conn, everything will be OK (same as 12.04).
Can someone explain for me?
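The 12.04 versus 14.04 comparison above can be checked mechanically against a server's own auth.log. The following is an added Python example, not code from this thread or from openswan/xl2tpd: it parses pluto lines in the format quoted above, records every transport-mode child SA together with its NATOA value, marks SAs the peer deleted, and reports per peer whether a usable SA survived or whether the 14.04 pattern (SA established on the NAT conn with a private NATOA, then torn down straight away) occurred. The log lines inside it are constructed samples with placeholder addresses and SPIs, not the ones posted in this thread; the verdict strings are this example's own naming.

```python
"""Flag the transport-mode NAT-OA symptom discussed in this thread from pluto log lines."""
import re
from dataclasses import dataclass

# Every pluto message of interest starts with: pluto[pid]: "conn"[n] peer [#state]: message
PREFIX = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+)(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)
ESTABLISHED = re.compile(r"IPsec SA established transport mode \{(?P<detail>[^}]*)\}")
DELETED = re.compile(r"received Delete SA\((?P<spi>0x[0-9a-fA-F]+)\) payload: deleting IPSEC State #(?P<state>\d+)")
NATOA = re.compile(r"NATOA=(\S+)")


@dataclass
class ChildSA:
    conn: str
    peer: str
    state: int
    natoa: str            # "none", or the private address the client put in NAT-OA
    deleted: bool = False


def parse_pluto(lines):
    """Return the transport-mode child SAs seen in the lines, marking those the peer deleted."""
    sas = {}
    for line in lines:
        m = PREFIX.search(line)
        if not m:
            continue                      # e.g. "packet from X:4500: ..." lines carry no conn name
        msg = m["msg"]
        est = ESTABLISHED.search(msg)
        if est and m["state"]:
            natoa = NATOA.search(est["detail"])
            key = (m["peer"], int(m["state"]))
            sas[key] = ChildSA(m["conn"], m["peer"], int(m["state"]),
                               natoa.group(1) if natoa else "none")
            continue
        dele = DELETED.search(msg)
        if dele:
            key = (m["peer"], int(dele["state"]))   # Delete SA names the IPsec state it removes
            if key in sas:
                sas[key].deleted = True
    return list(sas.values())


def diagnose(lines):
    """Per peer: 'ok' if a child SA is still up, 'natoa-mismatch' if the only SAs were
    established with a private NATOA and then deleted, 'torn-down' for any other deletion."""
    verdict = {}
    for sa in parse_pluto(lines):
        current = verdict.get(sa.peer)
        if not sa.deleted:
            verdict[sa.peer] = "ok"
        elif current != "ok":
            verdict[sa.peer] = "natoa-mismatch" if sa.natoa != "none" else "torn-down"
    return verdict


# Constructed samples (placeholder addresses 203.0.113.10 / 192.168.50.20 and made-up SPIs),
# shaped like the 12.04 and 14.04 excerpts quoted in this thread.
WORKING_12_04 = [
    'Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] 203.0.113.10 #2: STATE_QUICK_R2: IPsec SA '
    'established transport mode {ESP/NAT=>0x0a1b2c3d <0x1e2f3a4b xfrm=AES_256-HMAC_SHA1 '
    'NATOA=none NATD=203.0.113.10:4500 DPD=enabled}',
]
BROKEN_14_04 = [
    'Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] 203.0.113.10 #7: STATE_QUICK_R2: IPsec SA '
    'established transport mode {ESP=>0x0c0ffee0 <0x0badf00d xfrm=AES_256-HMAC_SHA1 '
    'NATOA=192.168.50.20 NATD=203.0.113.10:62150 DPD=none}',
    'Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] 203.0.113.10 #6: received Delete SA(0x0c0ffee0) '
    'payload: deleting IPSEC State #7',
    'Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] 203.0.113.10 #6: received Delete SA payload: '
    'deleting ISAKMP State #6',
    'Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] 203.0.113.10: deleting connection '
    '"L2TP-PSK-NAT" instance with peer 203.0.113.10 {isakmp=#0/ipsec=#0}',
]

if __name__ == "__main__":
    # Run it over a real file with: diagnose(open("/var/log/auth.log"))
    print("12.04-style log:", diagnose(WORKING_12_04))
    print("14.04-style log:", diagnose(BROKEN_14_04))
```

A peer reported as natoa-mismatch is exactly the case discussed above: the client negotiated transport mode on the NAT conn with its private address as NAT-OA and the noNAT conn was never tried, so the L2TP packets never reach xl2tpd; a healthy server shows ok for each client.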
I have installed xl2tp over openswan on Ubuntu 12.04_amd64 LTS, and it is running. Last week Ubuntu 14.04_amd64 LTS was released, so I tried to install xl2tp over openswan on Ubuntu 14.04. The installation procedure is the same as what I did on Ubuntu 12.04 LTS. But it cannot run. The differences between them may be the following: (1) the kernel version (kernel 3.8.0-29 vs kernel 3.13.0-24) (2) the openswan version (openswan 2.6.37 on Ubuntu 12.04, and openswan 2.6.38 on Ubuntu 14.04). Can anybody help me resolve this problem?
The attachments are the following: (1) /var/log/auth.log
(2) the packets captured by Wireshark
(3) the configuration of openswan and xl2tpd