
All times are UTC [ DST ]




 Post subject: openswan + openl2tp .. almost there, please help!
PostPosted: Thu Oct 13, 2011 6:25 am 

Joined: Thu Oct 13, 2011 6:02 am
Posts: 3
Hi,

I've made many steps towards getting this to work. I even submitted a few patches for OpenWRT that finally allow openl2tp to use a config file (http://dev.openwrt.org/ticket/10164).

My problem is the following. I can make openswan + xl2tpd connect and work. It's slow because xl2tpd, being a user-mode app, hogs the CPU of my router a lot. openl2tp seems like a much better solution since it uses a kernel module (and looks *so* much better documented and structured).

I just couldn't get the openswan + openl2tp combo to work. I'm copy/pasting below the config files of openswan, xl2tpd/pppd and openl2tpd plus the output ... maybe someone can spot the error or provide me with the correct equivalent config for openl2tp.

When I load the ipsec.so module in the foreground, it spits out an error "/sbin/setkey: Invalid argument". The syslog contains the following message from openswan (whether openl2tpd runs in the foreground or as a daemon):

Code:
Nov 11 12:32:48 OpenWrt authpriv.warn pluto[1727]: pfkey_async: unparseable PF_KEY message: K_SADB_REGISTER len=2, errno=22, seq=0, pid=2127; message ignored


It's using PAP auth in ppp (the pap-secrets file for xl2tpd is omitted).

I'd truly appreciate some help!

ipsec.conf
Code:
version   2.0

config setup
   dumpdir=/var/run/pluto/
   nat_traversal=yes
   oe=off
   protostack=auto

conn vpdn
   type=transport
   authby=secret
   pfs=no
   rekey=yes
   keyingtries=3
   left=%defaultroute
   leftnexthop=%defaultroute
   leftprotoport=17/1701
   leftid=@default
   right=SERVER_FQDN
   rightprotoport=17/1701
   auto=add


xl2tpd.conf
Code:
[global]
port = 1701
access control = no
debug tunnel = no
ipsec saref = yes

[lac vpdn]
lns = SERVER_FQDN
redial = yes
redial timeout = 15
max redials = 99
refuse chap = yes
require pap = yes
require authentication = yes
name = USERNAME
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes


options.xl2tpd.client
Code:
ipcp-accept-local
ipcp-accept-remote
require-pap
refuse-eap
refuse-chap
crtscts
idle 0
mtu 2410
mru 2410
defaultroute
connect-delay 5000
lcp-echo-interval 60
lcp-echo-failure 3
lock
noauth
#debug
#dump
#logfd 2
#logfile /var/log/xl2tpd-client.log
nodeflate
noccp
novj
novjccomp
nopcomp
noaccomp


The above works with openswan + xl2tpd.


openl2tpd.conf
Code:
ppp profile modify profile_name=default \
   auth_eap=no auth_chap=no \
   auth_mschapv1=no auth_mschapv2=no

tunnel create tunnel_name=katalix dest_ipaddr=SERVER_IP \
   persist=yes

session create tunnel_name=katalix \
   session_name=katalix \
   user_name=USERNAME \
   user_password=PASSWORD

#session profile modify profile_name=default \
#   use_sequence_numbers=yes \
#   reorder_timeout=10


OUTPUT
Code:
root@OpenWrt:~# ipsec auto --up vpdn

104 "vpdn-access" #1: STATE_MAIN_I1: initiate
003 "vpdn-access" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "vpdn-access" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
106 "vpdn-access" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpdn-access" #1: received Vendor ID payload [XAUTH]
003 "vpdn-access" #1: received Vendor ID payload [Dead Peer Detection]
003 "vpdn-access" #1: received Vendor ID payload [Cisco-Unity]
003 "vpdn-access" #1: ignoring unknown Vendor ID payload [e9e14995f28f7569c26cd4ece30152e6]
003 "vpdn-access" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "vpdn-access" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vpdn-access" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "vpdn-access" #2: STATE_QUICK_I1: initiate
003 "vpdn-access" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=bd3efba0
004 "vpdn-access" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x9e9895a3 <0x1cb29104 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}



(1st try: no ipsec.so module)

Code:
root@OpenWrt:~# openl2tpd -f -D -c /etc/openl2tpd.conf
root@OpenWrt:~# openl2tpd -f -D -c /etc/openl2tpd.conf

Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Loading plugin /usr/lib/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 59491: allocated context using profile 'default'
FSM: CCE(59491) event OPEN_REQ in state IDLE
AVP: tunl 59491: building SCCRQ message, 9 AVPs
PROTO: tunl 59491: sending SCCRQ
XPRT: tunl 59491: queuing tx packet, type 1, len 133, ns/nr 0/0
XPRT: tunl 59491: update ns to 1
XPRT: tunl 59491: adding packet to ackq, type 1, len 133, ns/nr 0/0
DATA: TX: tunl 59491/0: send 133 bytes to peer 192.153.213.6, packet ns/nr 0/0 type 1, retry 0
FSM: CCE(59491) state change: IDLE --> WAITCTLREPLY
FUNC: tunl 59491 created
FSM: LAIC(59491/62440) event INCALL_IND in state IDLE
PROTO: tunl 59491/62440: waiting for tunnel up
FSM: LAIC(59491/62440) state change: IDLE --> WAITTUNNEL
59491/62440: creating UNIX pppd context
59491/62440: using ppp profile 'default'
XPRT: tunl 59491: set retry interval to 2
XPRT: tunl 59491: set retry interval to 4
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 1
XPRT: tunl 59491: set retry interval to 8
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 2
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 3
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 4
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 5
XPRT: tunl 59491: retry failure
FSM: CCE(59491) event XPRT_DOWN in state WAITCTLREPLY
FUNC: tunl 59491: starting cleanup timer
FSM: CCE(59491) state change: WAITCTLREPLY --> CLOSING
^C
Exiting
Cleaning up before exiting
L2TP: tunl 59491/62440: free when use_count=3
tunl 59491: free when use_count=4
Unloading plugin /usr/lib/openl2tp/ppp_unix.so



(2nd try: load the ipsec.so module .. however, note the "/sbin/setkey: Invalid argument" error)

Code:
root@OpenWrt:~# ln /usr/sbin/setkey /sbin/setkey
root@OpenWrt:~# openl2tpd -f -D -p ipsec.so -c/etc/openl2tpd.conf

Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Loading plugin /usr/lib/openl2tp/ipsec.so, version V1.1
L2TP/IPSec ephemeral port support enabled.
Loading plugin /usr/lib/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 38162: allocated context using profile 'default'
tunl 38162: setting up outbound ipsec SPD entry from ac1ae41a/33290
/sbin/setkey: Invalid argument
tunl 38162: failed to up outbound ipsec SPD entry from ac1ae41a/33290
FSM: CCE(38162) event OPEN_REQ in state IDLE
AVP: tunl 38162: building SCCRQ message, 9 AVPs
PROTO: tunl 38162: sending SCCRQ
XPRT: tunl 38162: queuing tx packet, type 1, len 133, ns/nr 0/0
XPRT: tunl 38162: update ns to 1
XPRT: tunl 38162: adding packet to ackq, type 1, len 133, ns/nr 0/0
DATA: TX: tunl 38162/0: send 133 bytes to peer 192.153.213.6, packet ns/nr 0/0 type 1, retry 0
FSM: CCE(38162) state change: IDLE --> WAITCTLREPLY
FUNC: tunl 38162 created
FSM: LAIC(38162/27745) event INCALL_IND in state IDLE
PROTO: tunl 38162/27745: waiting for tunnel up
FSM: LAIC(38162/27745) state change: IDLE --> WAITTUNNEL
38162/27745: creating UNIX pppd context
38162/27745: using ppp profile 'default'
XPRT: tunl 38162: set retry interval to 2
XPRT: tunl 38162: set retry interval to 4
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 1
XPRT: tunl 38162: set retry interval to 8
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 2
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 3
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 4
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 5
XPRT: tunl 38162: retry failure
FSM: CCE(38162) event XPRT_DOWN in state WAITCTLREPLY
FUNC: tunl 38162: starting cleanup timer
FSM: CCE(38162) state change: WAITCTLREPLY --> CLOSING
^C
Exiting
Cleaning up before exiting
L2TP: tunl 38162/27745: free when use_count=3
tunl 38162: free when use_count=4
Unloading plugin /usr/lib/openl2tp/ipsec.so
Unloading plugin /usr/lib/openl2tp/ppp_unix.so


If I run it as a daemon (no -f option) then the syslog shows:
Code:
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Start, trace_flags=00000000 (debug enabled)
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Loading plugin /usr/lib/openl2tp/ipsec.so, version V1.1
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: L2TP/IPSec ephemeral port support enabled.
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Loading plugin /usr/lib/openl2tp/ppp_unix.so, version V1.5
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Using config file: /etc/openl2tpd.conf
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FUNC: tunl 59063: allocated context using profile 'default'
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: tunl 59063: setting up outbound ipsec SPD entry from ac1ae41a/44030
Nov 11 12:42:42 OpenWrt authpriv.warn pluto[1727]: pfkey_async: unparseable PF_KEY message: K_SADB_REGISTER len=2, errno=22, seq=0, pid=2142; message ignored
Nov 11 12:42:42 OpenWrt daemon.warn openl2tpd[2138]: tunl 59063: failed to up outbound ipsec SPD entry from ac1ae41a/44030
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) event OPEN_REQ in state IDLE
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: AVP: tunl 59063: building SCCRQ message, 9 AVPs
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: PROTO: tunl 59063: sending SCCRQ
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: queuing tx packet, type 1, len 133, ns/nr 0/0
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: update ns to 1
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: adding packet to ackq, type 1, len 133, ns/nr 0/0
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 59063/0: send 133 bytes to peer 192.153.213.6, packet ns/nr 0/0 type 1, retry 0
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) state change: IDLE --> WAITCTLREPLY
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FUNC: tunl 59063 created
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FSM: LAIC(59063/63432) event INCALL_IND in state IDLE
Nov 11 12:42:43 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: set retry interval to 2
Nov 11 12:42:44 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: set retry interval to 4
Nov 11 12:42:44 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 1
Nov 11 12:42:45 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: set retry interval to 8
Nov 11 12:42:45 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 2
Nov 11 12:42:47 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 3
Nov 11 12:42:48 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 4
Nov 11 12:42:49 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 5
Nov 11 12:42:50 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: retry failure
Nov 11 12:42:50 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) event XPRT_DOWN in state WAITCTLREPLY
Nov 11 12:42:50 OpenWrt daemon.debug openl2tpd[2138]: FUNC: tunl 59063: starting cleanup timer
Nov 11 12:42:50 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) state change: WAITCTLREPLY --> CLOSING



I'd be very grateful for some help!

Cheers


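The two failures in the syslog above (ipsec.so failing to install the SPD entry while pluto logs an unparseable PF_KEY message, then the SCCRQ being resent until "retry failure") can be correlated mechanically. As an added example, not part of the original post and not OpenL2TP's or Openswan's code, this script parses the syslog format shown, decodes the hex local address openl2tpd prints, ties each event to its tunnel id and returns a short diagnosis; the sample log is a constructed excerpt of the post's own lines, with the SERVER_IP placeholder kept as posted.

```python
import re

# Constructed sample: an excerpt of the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: tunl 59063: setting up outbound ipsec SPD entry from ac1ae41a/44030
Nov 11 12:42:42 OpenWrt authpriv.warn pluto[1727]: pfkey_async: unparseable PF_KEY message: K_SADB_REGISTER len=2, errno=22, seq=0, pid=2142; message ignored
Nov 11 12:42:42 OpenWrt daemon.warn openl2tpd[2138]: tunl 59063: failed to up outbound ipsec SPD entry from ac1ae41a/44030
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: PROTO: tunl 59063: sending SCCRQ
Nov 11 12:42:49 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 5
Nov 11 12:42:50 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: retry failure
"""

# One regex per event of interest in the openl2tpd / pluto syslog output.
SPD_FAIL = re.compile(r"openl2tpd\[\d+\]: tunl (\d+): failed to up outbound ipsec SPD entry from ([0-9a-f]{8})/(\d+)")
PFKEY_WARN = re.compile(r"pluto\[\d+\]: pfkey_async: unparseable PF_KEY message: (\w+) .*?errno=(\d+)")
SCCRQ_RESEND = re.compile(r"openl2tpd\[\d+\]: DATA: TX: tunl (\d+)/0: resend \d+ bytes to peer (\S+), .* type 1, retry (\d+)")
RETRY_FAIL = re.compile(r"openl2tpd\[\d+\]: XPRT: tunl (\d+): retry failure")

def hex_to_ip(hexaddr):
    """Decode the hex IPv4 address openl2tpd prints (ac1ae41a -> 172.26.228.26)."""
    return ".".join(str(int(hexaddr[i:i + 2], 16)) for i in range(0, 8, 2))

def analyse(log):
    """Return (per-tunnel state keyed by tunnel id, list of pluto PF_KEY errors)."""
    tunnels, pfkey_errors = {}, []
    for line in log.splitlines():
        if m := SPD_FAIL.search(line):
            t = tunnels.setdefault(m.group(1), {})
            t["spd_failed"] = True
            t["local_ip"], t["local_port"] = hex_to_ip(m.group(2)), int(m.group(3))
        elif m := PFKEY_WARN.search(line):
            pfkey_errors.append((m.group(1), int(m.group(2))))
        elif m := SCCRQ_RESEND.search(line):   # L2TP control message type 1 is SCCRQ
            t = tunnels.setdefault(m.group(1), {})
            t["peer"] = m.group(2)
            t["sccrq_retries"] = max(t.get("sccrq_retries", 0), int(m.group(3)))
        elif m := RETRY_FAIL.search(line):
            tunnels.setdefault(m.group(1), {})["control_channel_up"] = False
    return tunnels, pfkey_errors

def diagnose(tunnels, pfkey_errors):
    """Turn the parsed events into human-readable findings, one string each."""
    findings = [f"tunnel {tid}: SPD entry for {t['local_ip']}:{t['local_port']} was not installed "
                f"and the SCCRQ to {t.get('peer')} got no reply after {t.get('sccrq_retries', 0)} resends"
                for tid, t in tunnels.items()
                if t.get("spd_failed") and t.get("control_channel_up") is False]
    findings += [f"pluto could not parse a {msg} PF_KEY message (errno {e})" for msg, e in pfkey_errors]
    return findings
```

Run `diagnose(*analyse(SAMPLE_LOG))` to get the two findings for tunnel 59063; feed `analyse` the full syslog instead of the sample to check every tunnel openl2tpd attempted.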
 Post subject: Re: openswan + openl2tp .. almost there, please help!
PostPosted: Thu Oct 13, 2011 7:11 pm 

Joined: Wed Oct 12, 2011 8:03 pm
Posts: 2
What are your configurations on the server side?


 Post subject: Re: openswan + openl2tp .. almost there, please help!
PostPosted: Thu Oct 13, 2011 8:18 pm 

Joined: Thu Oct 13, 2011 6:02 am
Posts: 3
Unfortunately, I don't own or control the server. I know it's a Cisco PIX for the ipsec. It works fine if I use openswan with xl2tpd as I mentioned in my post above and I posted the configs I have used which worked. It also works fine from Windows 7 using l2tp/ipsec (with psk + pap), see screenshots here: http://db.tt/OHWPCb96

The openswan ipsec transport is starting fine (see logs) but then openl2tp fails for some reason that escapes me at the moment (logs above). I was hoping that someone looking at the logs and configs above can spot it, especially given I posted the xl2tpd+ppp config that works.


 Post subject: Re: openswan + openl2tp .. almost there, please help!
PostPosted: Sat Oct 22, 2011 9:36 pm 

Joined: Thu Oct 13, 2011 6:02 am
Posts: 3
Bump ... anyone?

