
openswan on ubuntu 14.04 LTS #75

Open zhu4ling3 opened 10 years ago

zhu4ling3 commented 10 years ago

I installed xl2tpd over Openswan on Ubuntu 12.04 amd64 LTS and it is running. Last week Ubuntu 14.04 amd64 LTS was released, so I tried to install xl2tpd over Openswan on Ubuntu 14.04 in exactly the same way I did on 12.04, but there it does not work. The differences between the two systems that I can see are: (1) the kernel version (3.8.0-29 vs 3.13.0-24); (2) the Openswan version (2.6.37 on Ubuntu 12.04, 2.6.38 on Ubuntu 14.04). Can anybody help me resolve this problem?

The attachments are the following: (1) /var/log/auth.log 2

(2) the packets captured with Wireshark 3

(3) the configuration of openswan and xl2tpd

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Shipped sample: /usr/share/doc/openswan/ipsec.conf-sample
# Manual:         ipsec.conf(5)

version 2.0     # second version of the ipsec.conf specification

# Daemon-wide (pluto) settings. Parameter order inside a section is not
# significant; the values are the reporter's, only the comments differ.
config setup
        # Kernel IPsec stack to drive: netkey is the native Linux XFRM
        # stack ("auto" would try netkey, then klips, then mast).
        protostack=netkey
        # Opportunistic encryption stays off (it is off by default anyway).
        oe=off
        # Needed for road-warrior clients behind NAT (UDP/4500 encapsulation).
        # See README.NAT-Traversal.
        nat_traversal=yes
        # Inner (NAT-OA) address ranges a NATed client may present when a
        # conn uses rightsubnet=vhost:%priv. The sample warns to exclude any
        # range that is routed on the server side with %v4:!a.b.c.0/24, so
        # a client cannot claim an address that collides with a real network
        # here. 25/8 is listed because some mobile carriers (T-Mobile US,
        # Rogers/Fido CA) hand it out on 3G even though it is not RFC 1918
        # space (as of 2010-12-21 it had not been announced via BGP).
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # Directory for pluto core dumps (may need "ulimit -c"; abrtd relies
        # on it; an SELinux policy can block the write).
        dumpdir=/var/run/pluto/
        #
        # Debug knobs, deliberately left off. Do not reach for them to debug
        # a configuration problem, only when a developer asks for them:
        #   plutodebug / klipsdebug = "all", "none" or a space-separated mix
        #   of: raw crypt parsing emitting control klips pfkey natt x509 dpd
        #   private
        #   e.g. plutodebug="control parsing"
        # NOTE(review): the "private" class is meant to put private key
        # material in the log -- confirm in ipsec.conf(5) and never enable
        # it on a production host.
        #
        # plutoopts="--perpeerlog"        # one log file per peer
        # plutostderrlog=/dev/null        # log to a file / silence on embedded

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it, 
#               # at startup, uncomment this.
#               #auto=add

# Instance for clients behind NAT. The inner (NAT-OA) address the client
# presents must lie inside virtual_private= (config setup); pluto then
# instantiates this conn with rightsubnet set to that address as a /32,
# as the 2.6.38 log below shows ("===192.168.8.14/32"). Everything else is
# inherited from L2TP-PSK-noNAT through also=.
# NOTE(review): the two pasted pluto logs diverge exactly here. 2.6.37 logs
# "Applying workaround for Mac OS X NAT-OA bug", rejects this instance and
# falls through to L2TP-PSK-noNAT (NATOA=none); 2.6.38 accepts the
# client's 192.168.8.14/32 in this conn (NATOA=192.168.8.14) and xl2tpd
# reportedly never sees the L2TP packets. Whether that is the cause or
# just a symptom is not settled in the thread.
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

# L2TP-over-IPsec road-warrior conn, authenticated with a pre-shared key.
# Also the template that L2TP-PSK-NAT pulls in via also=.
conn L2TP-PSK-noNAT
        # --- identity / authentication -----------------------------------
        # PSK auth; the key comes from ipsec.secrets. With right=%any that
        # is ONE secret shared by every client: it proves "knows the group
        # key", not who the user is. Per-user identity only comes later from
        # PPP CHAP, so the PSK must be long and random.
        authby=secret
        # This host.
        left=162.243.136.115
        # Any remote address may connect.
        right=%any
        # Load the conn at startup but never initiate it (we only respond);
        # give up after 3 keying attempts.
        auto=add
        keyingtries=3
        # --- traffic selectors -------------------------------------------
        # L2TP/IPsec is transport mode: the SA protects UDP/1701 between the
        # two hosts and L2TP carries the PPP session inside it.
        type=transport
        # Only L2TP on our side. Old Windows 2000/XP clients may need
        # leftprotoport=17/%any instead.
        leftprotoport=17/1701
        # "%any" port means "any one single port": macOS clients use a random
        # high source port instead of 1701.
        rightprotoport=17/%any
        # --- lifetimes / liveness ----------------------------------------
        # Same defaults as the Windows client.
        ikelifetime=8h
        keylife=1h
        # A %any responder cannot rekey on its own; the client does it.
        rekey=no
        # No PFS for the IPsec SA (kept as in the shipped sample).
        pfs=no
        # iOS clients do not send a Delete notify, so rely on DPD to notice
        # vanished peers: probe every 10 s, declare dead after 90 s, then
        # clear the SA state.
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # NOTE(review): no ike= / phase2alg= line, so pluto's defaults are
        # offered. In the pasted logs the ISAKMP SA settled on
        # aes_256 / sha1 / modp1024 (1024-bit DH). Pinning a stronger group
        # is worth testing, but check what your clients still accept first.

# Explicitly leave every flow that is not L2TP unprotected. With netkey,
# traffic that matches no IPsec policy is normally sent in the clear
# anyway, so this mostly documents the intent -- and it means nothing else
# a client sends to or through this host is expected to be encrypted.
conn passthrough-for-non-l2tp
        type=passthrough
        # Install the policy at startup without negotiating anything.
        auto=route
        # This host ...
        left=162.243.136.115
        # NOTE(review): leftnexthop is set to the host's own address, which
        # looks like a placeholder rather than a gateway; confirm what was
        # intended (netkey is believed to ignore nexthop -- verify for 2.6.38).
        leftnexthop=162.243.136.115
        # ... to anywhere.
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
# NOTE(review): the two pluto logs pasted further down only load
# L2TP-PSK-NAT and L2TP-PSK-noNAT, so the working 12.04 setup does not
# depend on this conn.
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc

# Pre-shared key for the L2TP conns: "<our address>  <peer selector>: PSK".
# NOTE(review): this single line authenticates every IKE peer (%any) with an
# eight-character numeric secret, and that value has now been pasted into a
# public issue tracker. Treat it as compromised: replace it with a long
# random string (e.g. 32+ bytes from a CSPRNG, base64-encoded), reload
# pluto's secrets, and keep this file readable by root only. With
# authby=secret and right=%any, knowing this value is all an Internet host
# needs to complete IKE phase 1 with this server; the per-user PPP
# credentials behind it are not a substitute.
162.243.136.115  %any: PSK "12345678"
; /etc/xl2tpd/xl2tpd.conf -- L2TP network server (LNS) side of L2TP/IPsec

[global]
; SAref tracking needs kernel support; the pasted pluto logs report
; "SAref support [disabled]", so it stays off here.
ipsec saref = no
; NOTE(review): no listen-addr is set, so xl2tpd binds UDP/1701 on every
; address. Nothing in the posted configuration ties that port to
; IPsec-protected packets; unless a firewall not shown here only accepts
; UDP/1701 that arrived inside ESP (e.g. iptables' "-m policy --dir in
; --pol ipsec" match), a client can speak L2TP/PPP to this host in the
; clear and skip IPsec altogether.

[lns default]
; Pool handed out to PPP peers, and the server's own end of the link.
ip range = 172.20.47.151-172.20.47.200
local ip = 172.20.47.10
; PPP authentication policy forwarded to pppd: the peer must authenticate,
; CHAP is required, PAP is refused. Which CHAP flavour (MD5 / MS-CHAPv2)
; is decided in pppoptfile.
require authentication = yes
require chap = yes
refuse pap = yes
; Additional pppd options.
pppoptfile = /etc/ppp/options.l2tpd.lns
; Include the length field in L2TP data packets.
length bit = yes
; Verbose pppd logging. NOTE(review): the pasted 12.04 log shows pppd
; writing the CHAP challenge and response to syslog; those lines can be
; attacked offline, so turn this off once the problem is understood.
ppp debug = yes
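# /etc/ppp/options.l2tpd.lns -- pppd options handed to every L2TP session
# by xl2tpd (pppoptfile in xl2tpd.conf).

# --- peer authentication ----------------------------------------------
# Demand MS-CHAPv2 from the client and refuse the other methods. This is
# the line the Openswan maintainer recommended in this thread, and the
# pasted 12.04 log shows an Apple client completing "<auth chap MS-v2>".
# The original file had "refuse-mschap-v2" and "refuse-mschap" here and no
# require-* line at all; pppd(8) describes refuse-* as controlling how pppd
# authenticates *itself* to the peer, so the operative change is
# require-mschap-v2 -- verify against your pppd version.
# NOTE(review): xl2tpd.conf's "require chap = yes" also passes a CHAP
# requirement to pppd. If MS-CHAPv2 is still not negotiated, compare the
# pppd argument list that xl2tpd prints in syslog at call setup.
refuse-chap
refuse-eap
refuse-pap
refuse-mschap
require-mschap-v2
# Require the peer to authenticate; keep password strings out of pppd's
# packet logs.
auth
hide-password
# Name we present in CHAP challenges (chap-secrets entries with "*" in the
# server column match any name).
name l2tpd

# --- addressing / DNS ---------------------------------------------------
# Resolvers pushed to the client (Google public DNS).
ms-dns 8.8.8.8
ms-dns 8.8.4.4
# Answer ARP for the client's address on the local Ethernet.
proxyarp
local

# --- link parameters ----------------------------------------------------
asyncmap 0
lock
# Drop the session after 4 unanswered LCP echoes sent 30 s apart.
lcp-echo-interval 30
lcp-echo-failure 4
# Presumably sized to leave room for the L2TP/UDP/ESP encapsulation.
mtu 1404
mru 1404

# --- logging ------------------------------------------------------------
# NOTE(review): with debug on, pppd writes the whole CHAP challenge/response
# exchange to syslog (visible in the pasted 12.04 log). Those lines can be
# attacked offline, so turn this off once the issue is resolved and scrub
# them from any log you share.
debug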
zhangping commented 10 years ago

I have the same problem.

letoams commented 10 years ago

Can you try to add this to the ppp options file:

refuse-chap refuse-eap refuse-pap refuse-mschap require-mschap-v2

zhangping commented 10 years ago

it works:

ipsec.conf

version 2.0

# Reporter's working 14.04 config (pasted on one line in the thread).
# Same settings as the original report plus the two NAT-T keepalive keys.
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        protostack=netkey
        # NAT-T keepalives: the only additions relative to the original post.
        force_keepalive=yes
        keep_alive=60

# Single road-warrior conn (no NAT / noNAT split): every client, NATed or
# not, instantiates this one.
conn l2tp-psk
        # One PSK shared by all clients (ipsec.secrets); it only proves
        # knowledge of the group key, user identity comes from PPP CHAP.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # L2TP/IPsec is transport mode between the two hosts.
        type=transport
        left=106.186.127.239
        leftprotoport=17/1701
        right=%any
        # "%any" port: any single client source port (macOS picks a random one).
        rightprotoport=17/%any
        # NOTE(review): without rightsubnet=vhost:%priv the virtual_private=
        # list in config setup appears to play no part in this conn, so a
        # NATed client's inner address is no longer checked against it --
        # confirm that is intended.

xl2tpd.conf

; /etc/xl2tpd/xl2tpd.conf (reporter's working 14.04 config)
[global]
; Bind only the VPN address (xl2tpd otherwise listens on all addresses).
listen-addr = 106.186.127.239

[lns default]
ip range = 192.168.0.1-192.168.0.20
local ip = 192.168.0.21
assign ip = yes
length bit = yes
refuse pap = yes
require authentication = yes
; Note: no "require chap" here, unlike the original report; the method
; pppd demands is left to /etc/ppp/options.
pppoptfile = /etc/ppp/options

options

# /etc/ppp/options as used with xl2tpd (one option per line; the thread
# pasted it on a single line)
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
asyncmap 0
auth
crtscts
lock
hide-password
modem
mru 1200
nodefaultroute
debug
mtu 1200
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
ipcp-accept-local
ipcp-accept-remote
noipx
idle 1800
connect-delay 5000
# NOTE(review): there are no require-*/refuse-* auth options here and this
# xl2tpd.conf has no "require chap", so which method pppd ends up demanding
# is not visible from the post. "debug" writes CHAP exchanges to syslog --
# disable it once the problem is solved.

chap-secrets

# /etc/ppp/chap-secrets (values masked by the poster)
# client     server  secret      IP addresses
zhangxxxx    *       "**"        192.168.0.1/24
guoxxxx      *       "******"    192.168.0.1/24
# NOTE(review): this file holds the PPP passwords in cleartext, so it is as
# sensitive as the IPsec PSK; keep it readable by root only.

ipsec.secrets

# <our address>  <peer selector>: PSK "<secret>"  (masked by the poster).
# 0.0.0.0 is used here where the shipped sample uses %any -- presumably
# equivalent, confirm.
# NOTE(review): one PSK shared by every client; make it long and random
# and keep this file readable by root only.
106.186.127.xxx 0.0.0.0: PSK "***"

fortiko commented 10 years ago

I observe exactly the same thing: installing via a script I wrote works 100% of the time on 12.04, for OS X and iOS clients.

With the same script/resulting setup under a fresh 14.04, the connection negotiation from the same clients that worked perfectly under 12.04 fails/stops at the exact same spot as the OP showed.

It appears that xl2tpd does not get the connection request (?) from openswan, and just sits there.

How can I help to debug this?

fortiko commented 10 years ago

To elaborate on this: the only difference I can spot is that under 12.04 we have (note the "NATOA=none" in the last line!)

Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:aa32488c}
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14,+S=C]:17/53116
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x066d455e <0x7c3f682b xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}

whereas on 14.04 we don't have the explicit workaround and accept the peer's proposal (note the "NATOA=192.168.8.14" on the last line) and we do not enter into the L2TP-PSK-noNAT connection. Again, exact same configuration as under 12.04 where this works:

Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> 192.168.8.14/32:17/0
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:c34601b4}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>:17/1701
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14]:17/62338===192.168.8.14/32
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x04a658c6 <0x55fade1b xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.14 NATD=W.X.Y.Z:4500 DPD=enabled}

Below I include the complete logs for both 12.04 and 14.04 with the exact same configuration (in fact, I updated from that 12.04 instance to 14.04 keeping the openswan/xl2tpd configuration).

######### this one works, on a fresh 12.04

# uname -a
Linux vpn 3.2.0-59-virtual #90-Ubuntu SMP Tue Jan 7 23:02:33 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"

openswan 1:2.6.37-1
xl2tpd 1.3.1+dfsg-1ubuntu0.12.04.1
ppp 2.4.5-5ubuntu1

Aug  9 18:16:55 vpn ipsec__plutorun: Starting Pluto subsystem...
Aug  9 18:16:55 vpn pluto[14018]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:14018
Aug  9 18:16:55 vpn pluto[14018]: LEAK_DETECTIVE support [disabled]
Aug  9 18:16:55 vpn pluto[14018]: OCF support for IKE [disabled]
Aug  9 18:16:55 vpn pluto[14018]: SAref support [disabled]: Protocol not available
Aug  9 18:16:55 vpn pluto[14018]: SAbind support [disabled]: Protocol not available
Aug  9 18:16:55 vpn pluto[14018]: NSS support [disabled]
Aug  9 18:16:55 vpn pluto[14018]: HAVE_STATSD notification support not compiled in
Aug  9 18:16:55 vpn pluto[14018]: Setting NAT-Traversal port-4500 floating to on
Aug  9 18:16:55 vpn pluto[14018]:    port floating activation criteria nat_t=1/port_float=1
Aug  9 18:16:55 vpn pluto[14018]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Aug  9 18:16:55 vpn pluto[14018]: using /dev/urandom as source of random entropy
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug  9 18:16:55 vpn pluto[14018]: starting up 1 cryptographic helpers
Aug  9 18:16:55 vpn pluto[14018]: started helper pid=14020 (fd:6)
Aug  9 18:16:55 vpn pluto[14018]: Using Linux 2.6 IPsec interface code on 3.2.0-59-virtual (experimental code)
Aug  9 18:16:55 vpn pluto[14020]: using /dev/urandom as source of random entropy
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_add(): ERROR: Algorithm already exists
Aug  9 18:16:55 vpn pluto[14018]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug  9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug  9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug  9 18:16:55 vpn pluto[14018]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug  9 18:16:55 vpn pluto[14018]: Changing to directory '/etc/ipsec.d/crls'
Aug  9 18:16:55 vpn pluto[14018]:   Warning: empty directory
Aug  9 18:16:55 vpn pluto[14018]: added connection description "L2TP-PSK-NAT"
Aug  9 18:16:55 vpn pluto[14018]: added connection description "L2TP-PSK-noNAT"
Aug  9 18:16:55 vpn pluto[14018]: listening for IKE messages
Aug  9 18:16:55 vpn pluto[14018]: adding interface eth0/eth0 A.B.C.D:500
Aug  9 18:16:55 vpn pluto[14018]: adding interface eth0/eth0 A.B.C.D:4500
Aug  9 18:16:55 vpn pluto[14018]: adding interface lo/lo 127.0.0.1:500
Aug  9 18:16:55 vpn pluto[14018]: adding interface lo/lo 127.0.0.1:4500
Aug  9 18:16:55 vpn pluto[14018]: adding interface lo/lo ::1:500
Aug  9 18:16:55 vpn pluto[14018]: loading secrets from "/etc/ipsec.secrets"
Aug  9 18:16:55 vpn pluto[14018]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=109
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug  9 18:17:47 vpn pluto[14018]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug  9 18:17:47 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:aa32488c}
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14,+S=C]:17/53116
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 18:17:48 vpn pluto[14018]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x066d455e <0x7c3f682b xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}

[Tunnel works perfectly, now we disconnect manually]

Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x066d455e) payload: deleting IPSEC State #2
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-noNAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Aug  9 18:19:32 vpn pluto[14018]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 18:19:32 vpn pluto[14018]: packet from W.X.Y.Z:4500: received and ignored informational message

Aug  9 18:17:28 vpn xl2tpd[14565]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Aug  9 18:17:28 vpn xl2tpd[14565]: setsockopt recvref[30]: Protocol not available
Aug  9 18:17:28 vpn xl2tpd[14565]: This binary does not support kernel L2TP.
Aug  9 18:17:28 vpn xl2tpd[14566]: xl2tpd version xl2tpd-1.3.1 started on vpn PID:14566
Aug  9 18:17:28 vpn xl2tpd[14566]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug  9 18:17:28 vpn xl2tpd[14566]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug  9 18:17:28 vpn xl2tpd[14566]: Inherited by Jeff McAdams, (C) 2002
Aug  9 18:17:28 vpn xl2tpd[14566]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug  9 18:17:28 vpn xl2tpd[14566]: Listening on IP address A.B.C.D, port 1701
Aug  9 18:17:50 vpn xl2tpd[14566]: control_finish: Peer requested tunnel 93 twice, ignoring second one.
Aug  9 18:17:50 vpn xl2tpd[14566]: Connection established to W.X.Y.Z, 53116.  Local: 21640, Remote: 93 (ref=0/0).  LNS session is 'default'
Aug  9 18:17:50 vpn xl2tpd[14566]: start_pppd: I'm running:
Aug  9 18:17:50 vpn xl2tpd[14566]: "/usr/sbin/pppd"
Aug  9 18:17:50 vpn xl2tpd[14566]: "passive"
Aug  9 18:17:50 vpn xl2tpd[14566]: "nodetach"
Aug  9 18:17:50 vpn xl2tpd[14566]: "10.1.1.1:10.1.1.2"
Aug  9 18:17:50 vpn xl2tpd[14566]: "refuse-pap"
Aug  9 18:17:50 vpn xl2tpd[14566]: "refuse-chap"
Aug  9 18:17:50 vpn xl2tpd[14566]: "auth"
Aug  9 18:17:50 vpn xl2tpd[14566]: "debug"
Aug  9 18:17:50 vpn xl2tpd[14566]: "file"
Aug  9 18:17:50 vpn xl2tpd[14566]: "/etc/ppp/options.xl2tpd"
Aug  9 18:17:50 vpn xl2tpd[14566]: "ipparam"
Aug  9 18:17:50 vpn xl2tpd[14566]: "W.X.Y.Z"
Aug  9 18:17:50 vpn xl2tpd[14566]: "/dev/pts/4"
Aug  9 18:17:50 vpn xl2tpd[14566]: Call established with W.X.Y.Z, Local: 52578, Remote: 7838, Serial: 1
Aug  9 18:17:50 vpn pppd[14906]: pppd 2.4.5 started by root, uid 0
Aug  9 18:17:50 vpn pppd[14906]: using channel 3
Aug  9 18:17:50 vpn pppd[14906]: Using interface ppp0
Aug  9 18:17:50 vpn pppd[14906]: Connect: ppp0 <--> /dev/pts/4
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP ConfReq id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1621ada0> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x674b0976> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x674b0976> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP ConfAck id=0x1 <mru 1200> <asyncmap 0x0> <auth chap MS-v2> <magic 0x1621ada0> <pcomp> <accomp>]
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP EchoReq id=0x0 magic=0x1621ada0]
Aug  9 18:17:50 vpn pppd[14906]: sent [CHAP Challenge id=0xc6 <5d1a4938707bc9b1781ad45d5a8739f5>, name = "l2tpd"]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP EchoReq id=0x0 magic=0x674b0976]
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP EchoRep id=0x0 magic=0x1621ada0]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP EchoRep id=0x0 magic=0x674b0976]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [CHAP Response id=0xc6 <ba3c5af1be64e99cba126bb7024326ae000000000000000055c0937ef8d0188e2b1ec27e0f1d866cdfbd2ce0d4ee2de800>, name = "VPN_USERNAME"]
Aug  9 18:17:50 vpn pppd[14906]: sent [CHAP Success id=0xc6 "S=367F80A803A2405D8FE6A49720691A1F8412473D M=Access granted"]
Aug  9 18:17:50 vpn pppd[14906]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.1.1.1>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfNak id=0x1 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPV6CP ConfReq id=0x1 <addr fe80::6203:08ff:fe9d:2e4a>]
Aug  9 18:17:50 vpn pppd[14906]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Aug  9 18:17:50 vpn pppd[14906]: sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 62 03 08 ff fe 9d 2e 4a]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Aug  9 18:17:50 vpn pppd[14906]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfReq id=0x2 <addr 10.1.1.1>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfReq id=0x2 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug  9 18:17:50 vpn pppd[14906]: sent [IPCP ConfAck id=0x2 <addr 10.1.1.2> <ms-dns1 8.8.8.8> <ms-dns2 8.8.4.4>]
Aug  9 18:17:50 vpn pppd[14906]: rcvd [IPCP ConfAck id=0x2 <addr 10.1.1.1>]
Aug  9 18:17:50 vpn pppd[14906]: Cannot determine ethernet address for proxy ARP
Aug  9 18:17:50 vpn pppd[14906]: local  IP address 10.1.1.1
Aug  9 18:17:50 vpn pppd[14906]: remote IP address 10.1.1.2
Aug  9 18:17:50 vpn pppd[14906]: Script /etc/ppp/ip-up started (pid 14909)
Aug  9 18:17:50 vpn pppd[14906]: Script /etc/ppp/ip-up finished (pid 14909), status = 0x0
Aug  9 18:18:20 vpn pppd[14906]: sent [LCP EchoReq id=0x1 magic=0x1621ada0]
Aug  9 18:18:20 vpn pppd[14906]: rcvd [LCP EchoRep id=0x1 magic=0x674b0976]
Aug  9 18:18:50 vpn pppd[14906]: rcvd [LCP EchoReq id=0x1 magic=0x674b0976]
Aug  9 18:18:50 vpn pppd[14906]: sent [LCP EchoRep id=0x1 magic=0x1621ada0]
Aug  9 18:18:50 vpn pppd[14906]: sent [LCP EchoReq id=0x2 magic=0x1621ada0]
Aug  9 18:18:50 vpn pppd[14906]: rcvd [LCP EchoRep id=0x2 magic=0x674b0976]
Aug  9 18:19:20 vpn pppd[14906]: sent [LCP EchoReq id=0x3 magic=0x1621ada0]
Aug  9 18:19:20 vpn pppd[14906]: rcvd [LCP EchoRep id=0x3 magic=0x674b0976]

[Tunnel works perfectly, now we disconnect manually]

Aug  9 18:19:32 vpn pppd[14906]: rcvd [LCP TermReq id=0x3 "User request"]
Aug  9 18:19:32 vpn pppd[14906]: LCP terminated by peer (User request)
Aug  9 18:19:32 vpn pppd[14906]: Connect time 1.7 minutes.
Aug  9 18:19:32 vpn pppd[14906]: Sent 213174 bytes, received 103569 bytes.
Aug  9 18:19:32 vpn xl2tpd[14566]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
Aug  9 18:19:32 vpn xl2tpd[14566]: control_finish: Connection closed to W.X.Y.Z, serial 1 ()
Aug  9 18:19:32 vpn xl2tpd[14566]: Terminating pppd: sending TERM signal to pid 14906
Aug  9 18:19:32 vpn xl2tpd[14566]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
Aug  9 18:19:32 vpn xl2tpd[14566]: control_finish: Connection closed to W.X.Y.Z, port 53116 (), Local: 21640, Remote: 93
Aug  9 18:19:32 vpn pppd[14906]: Script /etc/ppp/ip-down started (pid 16430)
Aug  9 18:19:32 vpn pppd[14906]: sent [LCP TermAck id=0x3]
Aug  9 18:19:32 vpn pppd[14906]: Terminating on signal 15
Aug  9 18:19:32 vpn pppd[14906]: Modem hangup
Aug  9 18:19:32 vpn pppd[14906]: Connection terminated.
Aug  9 18:19:32 vpn pppd[14906]: Script /etc/ppp/ip-down finished (pid 16430), status = 0x0
Aug  9 18:19:32 vpn pppd[14906]: Exit.

######### this one is broken, on 14.04 (updated from the 12.04 above)

# uname -a
Linux vpn 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

openswan 1:2.6.38-1
xl2tpd 1.3.6+dfsg-1
ppp 2.4.5-5.1ubuntu2

Aug  9 20:08:20 vpn ipsec__plutorun: Starting Pluto subsystem...
Aug  9 20:08:20 vpn pluto[1815]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:1815
Aug  9 20:08:20 vpn pluto[1815]: LEAK_DETECTIVE support [disabled]
Aug  9 20:08:20 vpn pluto[1815]: OCF support for IKE [disabled]
Aug  9 20:08:20 vpn pluto[1815]: SAref support [disabled]: Protocol not available
Aug  9 20:08:20 vpn pluto[1815]: SAbind support [disabled]: Protocol not available
Aug  9 20:08:20 vpn pluto[1815]: NSS support [disabled]
Aug  9 20:08:20 vpn pluto[1815]: HAVE_STATSD notification support not compiled in
Aug  9 20:08:20 vpn pluto[1815]: Setting NAT-Traversal port-4500 floating to on
Aug  9 20:08:20 vpn pluto[1815]:    port floating activation criteria nat_t=1/port_float=1
Aug  9 20:08:20 vpn pluto[1815]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Aug  9 20:08:20 vpn pluto[1815]: using /dev/urandom as source of random entropy
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: starting up 1 cryptographic helpers
Aug  9 20:08:20 vpn pluto[1815]: started helper pid=1820 (fd:6)
Aug  9 20:08:20 vpn pluto[1815]: Using Linux 2.6 IPsec interface code on 3.13.0-32-generic (experimental code)
Aug  9 20:08:20 vpn pluto[1820]: using /dev/urandom as source of random entropy
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug  9 20:08:20 vpn pluto[1815]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug  9 20:08:20 vpn pluto[1815]: added connection description "L2TP-PSK-NAT"
Aug  9 20:08:20 vpn pluto[1815]: added connection description "L2TP-PSK-noNAT"
Aug  9 20:08:20 vpn pluto[1815]: listening for IKE messages
Aug  9 20:08:20 vpn pluto[1815]: adding interface eth0/eth0 A.B.C.D:500
Aug  9 20:08:20 vpn pluto[1815]: adding interface eth0/eth0 A.B.C.D:4500
Aug  9 20:08:20 vpn pluto[1815]: adding interface lo/lo 127.0.0.1:500
Aug  9 20:08:20 vpn pluto[1815]: adding interface lo/lo 127.0.0.1:4500
Aug  9 20:08:20 vpn pluto[1815]: adding interface lo/lo ::1:500
Aug  9 20:08:20 vpn pluto[1815]: loading secrets from "/etc/ipsec.secrets"
Aug  9 20:08:20 vpn pluto[1815]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [RFC 3947] method set to=115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug  9 20:08:47 vpn pluto[1815]: packet from W.X.Y.Z:500: received Vendor ID payload [Dead Peer Detection]
Aug  9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug  9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  9 20:08:47 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> 192.168.8.14/32:17/0
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:c34601b4}
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>:17/1701
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14]:17/62338===192.168.8.14/32
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x04a658c6 <0x55fade1b xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.14 NATD=W.X.Y.Z:4500 DPD=enabled}
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA(0x04a658c6) payload: deleting IPSEC State #2
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received and ignored informational message
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: received Delete SA payload: deleting ISAKMP State #1
Aug  9 20:09:08 vpn pluto[1815]: "L2TP-PSK-NAT"[2] W.X.Y.Z: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 20:09:08 vpn pluto[1815]: packet from W.X.Y.Z:4500: received and ignored informational message

Aug  9 20:08:20 vpn ipsec_setup: Starting Openswan IPsec U2.6.38/K3.13.0-32-generic...
Aug  9 20:08:20 vpn ipsec_setup: Using NETKEY(XFRM) stack
Aug  9 20:08:20 vpn kernel: [ 3221.784634] Initializing XFRM netlink socket
Aug  9 20:08:20 vpn kernel: [ 3221.797310] sha512_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug  9 20:08:20 vpn kernel: [ 3221.799575] sha256_ssse3: Neither AVX nor SSSE3 is available/usable.
Aug  9 20:08:20 vpn kernel: [ 3221.804761] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.807889] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.809872] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.815598] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.818569] AVX instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.823023] AVX or AES-NI instructions are not detected.
Aug  9 20:08:20 vpn kernel: [ 3221.824892] AVX or AES-NI instructions are not detected.
Aug  9 20:08:20 vpn ipsec_setup: ...Openswan IPsec started
Aug  9 20:08:20 vpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug  9 20:08:20 vpn pluto: adjusting ipsec.d to /etc/ipsec.d
Aug  9 20:08:20 vpn xl2tpd[765]: death_handler: Fatal signal 15 received
Aug  9 20:08:20 vpn ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Aug  9 20:08:20 vpn ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Aug  9 20:08:21 vpn xl2tpd[1869]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Aug  9 20:08:21 vpn xl2tpd[1869]: setsockopt recvref[30]: Protocol not available
Aug  9 20:08:21 vpn xl2tpd[1869]: This binary does not support kernel L2TP.
Aug  9 20:08:21 vpn xl2tpd[1870]: xl2tpd version xl2tpd-1.3.6 started on vpn PID:1870
Aug  9 20:08:21 vpn xl2tpd[1870]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug  9 20:08:21 vpn xl2tpd[1870]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug  9 20:08:21 vpn xl2tpd[1870]: Inherited by Jeff McAdams, (C) 2002
Aug  9 20:08:21 vpn xl2tpd[1870]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug  9 20:08:21 vpn xl2tpd[1870]: Listening on IP address A.B.C.D, port 1701
fortiko commented 10 years ago

And just to top this off: I downgraded from openswan 1:2.6.38-1 (14.04) to the default openswan 1:2.6.37-1 from 12.04 (from here: http://www.ubuntuupdates.org/package/core/precise/universe/base/openswan), and upon connecting it immediately works, going into the noNAT connection as expected:

Aug  9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: responding to Main Mode from unknown peer W.X.Y.Z
Aug  9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  9 20:30:04 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.14'
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[1] W.X.Y.Z #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z {isakmp=#0/ipsec=#0}
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: new NAT mapping for #1, was W.X.Y.Z:500, now W.X.Y.Z:4500
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug  9 20:30:05 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: the peer proposed: A.B.C.D/32:17/1701 -> W.X.Y.Z/32:17/0
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1: peer proposal was reject in a virtual connection policy because:
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-NAT"[2] W.X.Y.Z #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: responding to Quick Mode proposal {msgid:3afd96d1}
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:     us: A.B.C.D<A.B.C.D>[+S=C]:17/1701
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2:   them: W.X.Y.Z[192.168.8.14,+S=C]:17/50422
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: Dead Peer Detection (RFC 3706): enabled
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  9 20:30:06 vpn pluto[21278]: "L2TP-PSK-noNAT"[1] W.X.Y.Z #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x01f803a1 <0x277af5b3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=W.X.Y.Z:4500 DPD=enabled}
letoams commented 10 years ago

On Sat, 9 Aug 2014, fortiko wrote:

Aug 9 18:17:48 vpn pluto[14018]: "L2TP-PSK-NAT"[2] 79.146.9.211 #1: the peer proposed: 78.46.240.127/32:17/1701 -> 79.146.9.211/32:17/0

whereas on 14.04 we don't have the explicit workaround and accept the peer's proposal (note the "NATOA=192.168.8.14" on the last line) and we do not enter into the L2TP-PSK-noNAT connection. Again, exact same configuration as under 12.04 where this works:

Aug 9 20:08:48 vpn pluto[1815]: "L2TP-PSK-NAT"[2] 79.146.9.211 #1: the peer proposed: 78.46.240.127/32:17/1701 -> 192.168.8.14/32:17/0

That is a bug with transport mode using the wrong IP address. I don't know which versions of openswan are broken and which are fixed. But it seems unrelated to the version of ubuntu (other than what they ship for openswan).

openswan 1:2.6.37-1

######### this one is broken, on 14.04 (updated from the 12.04 above)

openswan 1:2.6.38-1

Upstream openswan is dead. While I maintain openswan in RHEL6 (which is 2.6.32 plus 80+ patches) we ship libreswan (a fork from 2.6.38) in RHEL7. Libreswan has no issues with transport mode that I'm aware of.

Paul

fortiko commented 10 years ago

Thanks for the clarifications. I was not aware that upstream openswan was dead, so I guess I have to wait for the libreswan packages to arrive and then adapt my script!

zhu4ling3 commented 10 years ago

Thanks, zhangping. I will confirm whether your configuration works.

han-cheng6 commented 10 years ago

I've got the same problem. zhangping's solution does solve it.

quantonganh commented 9 years ago

In @zhangping's config, the part that actually makes it work is that he merges the two conns into a single one. Mine (and the others') is:

# NAT variant: matched first for a peer behind NAT
conn L2TP-PSK-NAT
    # %priv: the peer may propose a private-network virtual IP; pluto accepts it
    # only if it matches the virtual_private= list in "config setup", otherwise
    # it rejects the proposal and falls through to the next conn (see the
    # "virtual_private=" rejection in the 12.04 log above)
    rightsubnet=vhost:%priv
    # inherit every other setting from the noNAT conn below
    also=L2TP-PSK-noNAT

# non-NAT variant; also pulled in by L2TP-PSK-NAT via also=
conn L2TP-PSK-noNAT
    # authenticate with a pre-shared key loaded from ipsec.secrets
    authby=secret
    # no Perfect Forward Secrecy for the Phase 2 (Quick Mode) SA
    pfs=no
    # load the conn at startup and wait for the remote peer to initiate
    auto=add
    ...

while his is a single conn:

# single conn covering both NATed and non-NATed peers
conn l2tp-psk
    # authenticate with a pre-shared key loaded from ipsec.secrets
    authby=secret
    # no Perfect Forward Secrecy for the Phase 2 (Quick Mode) SA
    pfs=no
    # load the conn at startup and wait for the remote peer to initiate
    auto=add
    ...

As @fortiko pointed out, the only difference in the logs is:

12.04

pluto[9561]: "L2TP-PSK-noNAT"[2] x.y.z.t #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x03e24f47 <0x328dfaeb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=a.b.c.d:13744 DPD=none}
pppd[9632]: pppd 2.4.5 started by root, uid 0
pppd[9632]: using channel 42
pppd[9632]: Using interface ppp0
pppd[9632]: Connect: ppp0 <--> /dev/pts/8

14.04:

pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #7: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0570a2cf <0x31e16ae6 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.104 NATD=58.187.166.x:62150 DPD=none}
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received Delete SA(0x0570a2cf) payload: deleting IPSEC State #7
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received and ignored informational message
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x #6: received Delete SA payload: deleting ISAKMP State #6
pluto[23718]: "L2TP-PSK-NAT"[5] 58.187.166.x: deleting connection "L2TP-PSK-NAT" instance with peer 58.187.166.x {isakmp=#0/ipsec=#0}

I don't know why it received a Delete SA right after the transport-mode SA was established, and why it never tried L2TP-PSK-noNAT. If I define only one conn, everything works (same as on 12.04).

Can someone explain this to me?