LinuxMCE Forums

General => Users => Topic started by: robwoodward75 on October 17, 2012, 04:50:23 pm

Title: No VPN Connection on 10.04
Post by: robwoodward75 on October 17, 2012, 04:50:23 pm
Despite following the very simple guide on the wiki, I cannot seem to get the VPN to work on my installation (of which this is the second, as I completely wrecked the first trying!). After turning it on and off again, I started to trawl the net for solutions involving Openswan VPN. In finding various issues with the version number, I upgraded the version, and still no luck. I ended up completely ruining my network setup, and was forced to completely reinstall MCE from scratch, where I have since once again followed the wiki to set it up without success.

I will post my auth.log output from the MCE server and the client-side log later, as I'm guessing that will be one of the first questions!! Is anyone else having trouble, or managed to connect? Is there a minimum PSK length? etc etc?!


Thanks,



Rob.
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on October 18, 2012, 05:40:51 pm
I think I can confirm the same. See:

http://forum.linuxmce.org/index.php/topic,12889.msg92967.html#msg92967
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on October 19, 2012, 11:44:42 am
Thanks Techstyle, I feel better knowing I'm not on my own with this issue!!

OK, here are the log files from the server and client:

Server auth.log:
Code:
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [Dead Peer Detection]
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [RFC 3947] method set to=109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: initial Main Mode message received on 192.168.80.1:500 but no connection has been authorized with policy=PSK



Client auth.log:
Code:
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down
Oct 19 10:30:20 rob-laptop pluto[14518]: forgetting secrets
Oct 19 10:30:20 rob-laptop pluto[14518]: "Home": deleting connection
Oct 19 10:30:20 rob-laptop pluto[14518]: "Home" #2: deleting state (STATE_MAIN_I1)
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface lo/lo ::1:500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface lo/lo 127.0.0.1:4500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface lo/lo 127.0.0.1:500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface eth1/eth1 192.168.80.133:4500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface eth1/eth1 192.168.80.133:500
Oct 19 10:30:20 rob-laptop pluto[14527]: pluto_crypto_helper: helper (0) is  normal exiting
Oct 19 10:30:22 rob-laptop ipsec__plutorun: Starting Pluto subsystem...
Oct 19 10:30:22 rob-laptop pluto[14807]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:14807
Oct 19 10:30:22 rob-laptop pluto[14807]: LEAK_DETECTIVE support [disabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: OCF support for IKE [disabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: SAref support [disabled]: Protocol not available
Oct 19 10:30:22 rob-laptop pluto[14807]: SAbind support [disabled]: Protocol not available
Oct 19 10:30:22 rob-laptop pluto[14807]: NSS support [disabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: HAVE_STATSD notification support not compiled in
Oct 19 10:30:22 rob-laptop pluto[14807]: Setting NAT-Traversal port-4500 floating to on
Oct 19 10:30:22 rob-laptop pluto[14807]:    port floating activation criteria nat_t=1/port_float=1
Oct 19 10:30:22 rob-laptop pluto[14807]:    NAT-Traversal support  [enabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: using /dev/urandom as source of random entropy
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 19 10:30:22 rob-laptop pluto[14807]: starting up 1 cryptographic helpers
Oct 19 10:30:22 rob-laptop pluto[14807]: started helper pid=14827 (fd:6)
Oct 19 10:30:22 rob-laptop pluto[14807]: Using Linux 2.6 IPsec interface code on 3.2.0-32-generic (experimental code)
Oct 19 10:30:22 rob-laptop pluto[14827]: using /dev/urandom as source of random entropy
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: Changed path to directory '/etc/ipsec.d/cacerts'
Oct 19 10:30:22 rob-laptop pluto[14807]: Changed path to directory '/etc/ipsec.d/aacerts'
Oct 19 10:30:22 rob-laptop pluto[14807]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Oct 19 10:30:22 rob-laptop pluto[14807]: Changing to directory '/etc/ipsec.d/crls'
Oct 19 10:30:22 rob-laptop pluto[14807]:   Warning: empty directory
Oct 19 10:30:22 rob-laptop pluto[14807]: added connection description "Home"
Oct 19 10:30:22 rob-laptop pluto[14807]: listening for IKE messages
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface eth1/eth1 192.168.80.133:500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface eth1/eth1 192.168.80.133:4500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface lo/lo 127.0.0.1:500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface lo/lo 127.0.0.1:4500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface lo/lo ::1:500
Oct 19 10:30:22 rob-laptop pluto[14807]: loading secrets from "/etc/ipsec.secrets"
Oct 19 10:30:22 rob-laptop pluto[14807]: listening for IKE messages
Oct 19 10:30:22 rob-laptop pluto[14807]: forgetting secrets
Oct 19 10:30:22 rob-laptop pluto[14807]: loading secrets from "/etc/ipsec.secrets"
Oct 19 10:30:22 rob-laptop pluto[14807]: "Home" #1: initiating Main Mode
Oct 19 10:31:32 rob-laptop pluto[14807]: "Home" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Oct 19 10:31:32 rob-laptop pluto[14807]: "Home" #1: starting keying attempt 2 of at most 3, but releasing whack
Oct 19 10:31:32 rob-laptop pluto[14807]: "Home" #2: initiating Main Mode to replace #1
Oct 19 10:32:42 rob-laptop pluto[14807]: "Home" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Oct 19 10:32:42 rob-laptop pluto[14807]: "Home" #2: starting keying attempt 3 of at most 3
Oct 19 10:32:42 rob-laptop pluto[14807]: "Home" #3: initiating Main Mode to replace #2


Client syslog:
Code:
Oct 19 08:43:15 rob-laptop L2tpIPsecVpnControlDaemon: Opening client connection
Oct 19 08:43:15 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec setup stop
Oct 19 08:43:15 rob-laptop ipsec_setup: Stopping Openswan IPsec...
Oct 19 08:43:17 rob-laptop kernel: [ 1105.812134] NET: Unregistered protocol family 15
Oct 19 08:43:17 rob-laptop ipsec_setup: ...Openswan IPsec stopped
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec setup stop finished with exit code 0
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Executing command invoke-rc.d xl2tpd stop
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Command invoke-rc.d xl2tpd stop finished with exit code 0
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Opening client connection
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec setup start
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Closing client connection
Oct 19 08:43:17 rob-laptop xl2tpd[3596]: death_handler: Fatal signal 15 received
Oct 19 08:43:17 rob-laptop kernel: [ 1106.163206] NET: Registered protocol family 15
Oct 19 08:43:17 rob-laptop ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-32-generic...
Oct 19 08:43:17 rob-laptop ipsec_setup: Using NETKEY(XFRM) stack
Oct 19 08:43:17 rob-laptop kernel: [ 1106.515942] Initializing XFRM netlink socket
Oct 19 08:43:18 rob-laptop kernel: [ 1106.557560] padlock_sha: VIA PadLock Hash Engine not detected.
Oct 19 08:43:18 rob-laptop kernel: [ 1106.605526] Intel AES-NI instructions are not detected.
Oct 19 08:43:18 rob-laptop kernel: [ 1106.655817] Intel AES-NI instructions are not detected.
Oct 19 08:43:18 rob-laptop ipsec_setup: ...Openswan IPsec started
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec setup start finished with exit code 0
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Executing command invoke-rc.d xl2tpd start
Oct 19 08:43:18 rob-laptop xl2tpd[11410]: setsockopt recvref[30]: Protocol not available
Oct 19 08:43:18 rob-laptop xl2tpd[11410]: This binary does not support kernel L2TP.
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: xl2tpd version xl2tpd-1.3.1 started on rob-laptop PID:11411
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Forked by Scott Balmos and David Stipp, (C) 2001
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Inherited by Jeff McAdams, (C) 2002
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Listening on IP address 0.0.0.0, port 1701
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Command invoke-rc.d xl2tpd start finished with exit code 0
Oct 19 08:43:18 rob-laptop pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 19 08:43:18 rob-laptop ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct 19 08:43:18 rob-laptop ipsec__plutorun: 002 added connection description "Home"
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec auto --ready
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec auto --ready finished with exit code 0
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec auto --up Home
Oct 19 08:44:28 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec auto --up Home finished with exit code 0
Oct 19 08:44:28 rob-laptop L2tpIPsecVpnControlDaemon: Closing client connection
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on October 26, 2012, 07:39:03 pm
Tried a few more things with the settings, this time without trying to upgrade anything!! I have managed to get the L2TP working; however, xl2tpd seems to still be causing an issue. See below:

Code:
Oct 26 17:52:01 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #23: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 26 17:52:01 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #23: received and ignored informational message
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #23: the peer proposed: 92.235.79.186/32:17/1701 -> 192.168.80.139/32:17/0
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: responding to Quick Mode proposal {msgid:431872ee}
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24:     us: 92.235.79.186[+S=C]:17/1701
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24:   them: 192.168.80.139[+S=C]:17/0
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: keeping refhim=4294901761 during rekey
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x032ff1f1 <0xda77ca7b xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Apparently, from what I've read, the last line means the L2TP tunnel has been established.  In /var/log/daemon.log I get the following output:

Code:
Oct 26 17:51:24 dcerouter xl2tpd[12399]: Listening on IP address 0.0.0.0, port 1701
Oct 26 17:52:05 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:10 dcerouter xl2tpd[12399]: last message repeated 2 times
Oct 26 17:52:10 dcerouter xl2tpd[12399]: Maximum retries exceeded for tunnel 16046.  Closing.
Oct 26 17:52:11 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:11 dcerouter xl2tpd[12399]: Connection 26256 closed to 192.168.80.139, port 50906 (Timeout)
Oct 26 17:52:13 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:15 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:16 dcerouter xl2tpd[12399]: Unable to deliver closing message for tunnel 16046. Destroying anyway.
Oct 26 17:52:17 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:26 dcerouter xl2tpd[12399]: last message repeated 3 times
Oct 26 17:52:26 dcerouter xl2tpd[12399]: Maximum retries exceeded for tunnel 51656.  Closing.
Oct 26 17:52:27 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:27 dcerouter xl2tpd[12399]: Connection 26256 closed to 192.168.80.139, port 50906 (Timeout)
Oct 26 17:52:29 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:31 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:32 dcerouter xl2tpd[12399]: Unable to deliver closing message for tunnel 51656. Destroying anyway.
Oct 26 17:52:33 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:37 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:39 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:41 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:42 dcerouter xl2tpd[12399]: Maximum retries exceeded for tunnel 7793.  Closing.
Oct 26 17:52:43 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:43 dcerouter xl2tpd[12399]: Connection 26256 closed to 192.168.80.139, port 50906 (Timeout)
Oct 26 17:52:43 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:43 dcerouter xl2tpd[12399]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Oct 26 17:52:43 dcerouter xl2tpd[12399]: handle_packet: bad control packet!
Oct 26 17:52:48 dcerouter xl2tpd[12399]: Unable to deliver closing message for tunnel 7793. Destroying anyway.

So, it's definitely an xl2tpd issue... I think?!

I got this far by making the following changes, not entirely sure which of them affected the connection:

/etc/ipsec.conf
changed
Code:
virtual_private=%4:192.168.80.0/24
to
Code:
virtual_private=%v4:192.168.80.0/24
(adding a v after the %)


/etc/ipsec.secrets
changed:
Code:
%any %any: "MyXL2TPSuperSecretPassword"
to
Code:
%defaultroute %any: PSK "MyXL2TPSuperSecretPassword"

/etc/ppp/options.xl2tpd
Code:
ms-dns 192.168.80.1
to
Code:
ms-dns 8.8.8.8
ms-dns 8.8.4.4

The only file that I haven't changed within the likely culprits is /etc/ppp/chap-secrets, which contains no mention of the VPN password I set, but instead has the following type entries:

Code:
# Secrets for authentication using CHAP
myuser    l2tpd   !VPNpass1       *

How does it resolve !VPNpass1? I also tried putting a plain text password in instead and restarting xl2tpd, but no better!

The upshot is it's still not working grrrrrrrrrrrrrrrrrrrrrrr!!!!!    >:( >:( >:(

Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on October 28, 2012, 04:42:56 pm
Update:

From my internal network, I can get my Android phone to connect briefly (as in, seconds before dropping the connection), which tends to suggest there's an external firewall issue as well as whatever security / version issues I have.

I have the following ports open:
4500 udp
500 udp
1701 udp

Oddly, I can't connect with either my Kubuntu or Windows laptops internally or externally.

Getting very frustrated with this issue!!!
Title: Re: No VPN Connection on 10.04
Post by: polly on October 28, 2012, 08:06:04 pm
Hey ...

I had my VPN running weeks ago. Stopped working :-(

anyways, this is my list of opened ports in the firewall:

udp    500
udp    1701
tcp    1723
udp    4500
udp    5500

hope this helps...

ochorocho
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on October 29, 2012, 01:08:24 am
I tried this with the Firewall disabled and still cannot get in
Title: Re: No VPN Connection on 10.04
Post by: pw44 on October 29, 2012, 03:24:46 am
For ppp, you need to enable the protocol 47, only opening port 1723 will not work.
Insert the following iptables rules:

iptables --append FORWARD -o ppp+ --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
iptables --append INPUT  --protocol 47 --jump ACCEPT
iptables --append OUTPUT --protocol 47 --jump ACCEPT
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on October 29, 2012, 04:15:33 am
pw44,

is yours working now then?

where do you add those iptable rules?
Title: Re: No VPN Connection on 10.04
Post by: pw44 on October 29, 2012, 02:06:46 pm
Append it to /usr/pluto/bin/Network_Firewall.sh
Title: Re: No VPN Connection on 10.04
Post by: tschak909 on October 29, 2012, 02:48:15 pm
Can you please open a ticket and submit a patch, so one of us can fold it into the system?

-Thom
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on October 29, 2012, 04:26:07 pm
Ticket Created:

http://svn.linuxmce.org/trac.cgi/ticket/1598

So far we do not have a complete solution to submit with the ticket but it is Open and references the two threads on this subject.
Title: Re: No VPN Connection on 10.04
Post by: Marie.O on October 29, 2012, 05:04:43 pm
It would be appreciated, if people would find the energy to condense the information from forum threads into the trac ticket, so that an interested developer does not have to jump around to find information.
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on October 29, 2012, 05:50:56 pm
Will do, but it will be a work in progress - nobody has it working yet
Title: Re: No VPN Connection on 10.04
Post by: polly on October 29, 2012, 06:12:01 pm
My config was working ... but it stopped after reboot ....
I'll make mine work again... let's say I'll try! ... :-)

If I'm able to make it work again I'll let you know and we can compare configs and stuff ....

thx.

Jochen
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on October 29, 2012, 06:21:43 pm
I updated the ticket
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on October 29, 2012, 08:57:00 pm
Thanks pw44

Just edited /usr/pluto/bin/Network_Firewall.sh

I would suggest adding the following to the bottom of /usr/pluto/bin/Network_Firewall.sh

Code:
# Set VPN Protocols
if [[ "$VPNenabled" == "on" ]]; then
        iptables --append FORWARD -o ppp+ --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
        iptables --append INPUT  --protocol 47 --jump ACCEPT
        iptables --append OUTPUT --protocol 47 --jump ACCEPT
fi


I have tested the above, and it appears to be working, in as much as I now have the same issue as connecting locally, which I presume will be an incompatibility issue between Openswan and Android 2.3!!!

Going to try from my Kubuntu & Windows laptops........again!!
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on October 29, 2012, 09:39:06 pm
Can you check that the ticket matches the changes you have made?:

http://svn.linuxmce.org/trac.cgi/ticket/1598#comment:2
Title: Re: No VPN Connection on 10.04
Post by: pw44 on October 29, 2012, 11:49:56 pm
It's all in this wiki: http://wiki.linuxmce.org/index.php/PPTP_server
I created it two years ago.
Title: Re: No VPN Connection on 10.04
Post by: polly on November 02, 2012, 07:35:09 pm
Hey...
Tried to set up everything as shown in the ticket http://svn.linuxmce.org/trac.cgi/ticket/1598

Can't connect with my MacBook or iPhone.

I can't find a fix for this:
Code:
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [RFC 3947] method set to=115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [Dead Peer Detection]
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: initial Main Mode message received on XX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK

Thanks.

ochorocho

EDIT:
Output of /var/log/auth.log while restarting ipsec:
Code:
Nov  2 20:38:31 dcerouter pluto[30482]: Using Linux 2.6 IPsec interface code on 2.6.32-42-generic (experimental code)
Nov  2 20:38:31 dcerouter pluto[30484]: using /dev/urandom as source of random entropy
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov  2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Nov  2 20:38:31 dcerouter pluto[30482]: added connection description "L2TP-PSK-NAT"
Nov  2 20:38:31 dcerouter pluto[30482]: added connection description "L2TP-PSK-noNAT"
Nov  2 20:38:31 dcerouter pluto[30482]: listening for IKE messages
Nov  2 20:38:31 dcerouter pluto[30482]: adding interface ppp0/ppp0 80.143.122.134:500
Nov  2 20:38:31 dcerouter pluto[30482]: adding interface ppp0/ppp0 80.143.122.134:4500
Nov  2 20:38:31 dcerouter pluto[30482]: adding interface eth0/eth0 192.168.80.1:500
Nov  2 20:38:31 dcerouter pluto[30482]: adding interface eth0/eth0 192.168.80.1:4500
Nov  2 20:38:31 dcerouter pluto[30482]: adding interface lo/lo 127.0.0.1:500
Nov  2 20:38:31 dcerouter pluto[30482]: adding interface lo/lo 127.0.0.1:4500
Nov  2 20:38:31 dcerouter pluto[30482]: adding interface lo/lo ::1:500
Nov  2 20:38:31 dcerouter pluto[30482]: loading secrets from "/etc/ipsec.secrets"
Nov  2 20:38:31 dcerouter pluto[30482]: ERROR "/etc/ipsec.secrets" line 11: index "%defaultroute" illegal (non-DNS-name) character in name
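The auth.log and daemon.log excerpts posted in this thread all fail at one of four points (the secrets file, IKE phase 1, IKE phase 2, or L2TP itself). The following is an added triage script, not code from LinuxMCE, Openswan or xl2tpd, that classifies such lines and names the earliest failing stage; the message patterns and the sample lines are taken from the posts above, and the verdict text is my own reading of them.

```python
"""Triage Openswan (pluto) and xl2tpd log lines for an L2TP/IPsec VPN.

Added example for this thread, not LinuxMCE, Openswan or xl2tpd code.
Patterns follow the messages quoted in the posts; sample input is a
constructed mix of those messages.
"""
import re

# syslog prefix as in auth.log / daemon.log: "Nov  2 20:38:31 host prog[pid]: msg"
SYSLOG_RE = re.compile(
    r'^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) '
    r'(?P<prog>pluto|xl2tpd|ipsec__plutorun)(?:\[\d+\])?: (?P<msg>.*)$')

# Peer address, either "packet from A.B.C.D:500" or '"conn"[1] A.B.C.D #n'
PEER_RE = re.compile(r'packet from ([\d.]+):\d+|"[^"]+"\[\d+\] ([\d.]+) #\d+')

# Stages in the order a client must pass through them.
STAGE_ORDER = ['secrets', 'ike-phase1', 'ike-phase2', 'l2tp']

# (regex over the message, stage, True if the line means success, verdict)
SIGNATURES = [
    (r'ERROR "/etc/ipsec\.secrets" line \d+: index "[^"]+" illegal', 'secrets', False,
     'ipsec.secrets did not parse, so no PSK was loaded; index the secret by '
     'IP address or %any rather than %defaultroute.'),
    (r'no connection has been authorized with policy=PSK', 'ike-phase1', False,
     'no conn matches this peer for PSK auth: check authby=secret, left/right '
     'and that the secrets file loaded without errors.'),
    (r'max number of retransmissions \(\d+\) reached STATE_MAIN_I1', 'ike-phase1', False,
     'client got no (acceptable) reply to its first IKE message: udp/500 and '
     'udp/4500 must reach pluto and the server needs a matching conn.'),
    (r'STATE_QUICK_R2: IPsec SA established', 'ike-phase2', True,
     'IPsec SA is up; anything still failing is in L2TP/PPP, not IKE.'),
    (r'Peer requested tunnel \d+ twice, ignoring second one', 'l2tp', False,
     'client keeps re-sending the same tunnel request, so the xl2tpd reply is '
     'not getting back to it (return path / NAT-T is the usual suspect).'),
    (r'Maximum retries exceeded for tunnel \d+', 'l2tp', False,
     'L2TP control channel timed out.'),
]


def parse_line(line):
    """Split one syslog line into host, program and message, or None."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Return (stage, ok, verdict) for a recognised message, else None."""
    for pattern, stage, ok, verdict in SIGNATURES:
        if re.search(pattern, msg):
            return stage, ok, verdict
    return None


def triage(lines):
    """Aggregate recognised messages per stage: hits, outcome, verdict, peers."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec['msg']) if rec else None
        if hit is None:
            continue
        stage, ok, verdict = hit
        entry = report.setdefault(
            stage, {'hits': 0, 'ok': ok, 'verdict': verdict, 'peers': set()})
        entry['hits'] += 1
        peer = PEER_RE.search(rec['msg'])
        if peer:
            entry['peers'].add(peer.group(1) or peer.group(2))
    return report


def root_cause(report):
    """Earliest stage with a failure signature, or None if nothing failed."""
    for stage in STAGE_ORDER:
        if stage in report and not report[stage]['ok']:
            return stage
    return None


# Constructed sample input, assembled from messages quoted in this thread.
SAMPLE_SERVER_AUTH_LOG = """\
Nov  2 20:38:31 dcerouter pluto[30482]: loading secrets from "/etc/ipsec.secrets"
Nov  2 20:38:31 dcerouter pluto[30482]: ERROR "/etc/ipsec.secrets" line 11: index "%defaultroute" illegal (non-DNS-name) character in name
Nov  2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: initial Main Mode message received on 192.168.80.1:500 but no connection has been authorized with policy=PSK
""".splitlines()

SAMPLE_L2TP_LOG = """\
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x032ff1f1 <0xda77ca7b xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Oct 26 17:52:05 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:10 dcerouter xl2tpd[12399]: Maximum retries exceeded for tunnel 16046.  Closing.
""".splitlines()
```

Run `triage()` over `open('/var/log/auth.log')` and `/var/log/daemon.log` together; `root_cause()` then says whether to look at the secrets file, the firewall/IKE proposal, or xl2tpd first.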
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on November 02, 2012, 09:17:59 pm
Quote
Code:
Nov  2 20:38:31 dcerouter pluto[30482]: ERROR "/etc/ipsec.secrets" line 11: index "%defaultroute" illegal (non-DNS-name) character in name

I get that also, I changed this to %any and 192.168.80.1 with no success (but no errors).

There is still something wrong. I do get another error message referring to RSASIG not being authorised and wonder if
Code:
authby=PSK
perhaps, instead of
Code:
authby=secret
in ipsec.conf

I am totally guessing and will play with this once I have re-installed
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on November 05, 2012, 05:57:03 am
Code:
authby=PSK
doesn't work and 'secret' should point the system to the shared secret so should work.

Not sure where I have gone wrong. robwoodward75, can you post your setup so we can fix this with a ticket?
Title: Re: No VPN Connection on 10.04
Post by: sambuca on November 05, 2012, 10:54:03 am
Just for reference, this is the wiki page that describes VPN in LMCE (http://wiki.linuxmce.org/index.php/VPN). I'm sure most of you have read it already, though.

There are some gotchas in there as well, for instance this
Quote
Note: Currently you need to re-enable the user and change his username after any change to the Network settings page as the files are rewritten

Also, messing around with forwarding network ports without understanding how VPN works can be a big security problem:
Quote
Do NOT forward port 1701 (L2TP), this would have allowed direct access to the L2TP server, bypassing IPSEC entirely and sending all your data unencrypted. The whole idea is that the IPSEC connection encrypts your data from end to end, and on the server end, this data will be passed on to port 1701 internally.
It *is* easier to get a connection when not going through IPSEC, but some devices will happily connect to the L2TP server if the IPSEC fails for some reason.

That said, my biggest hurdle getting VPN set up was to configure other network routers in the path (my broadband router) properly. This was mostly a try-and-fail history until I got the correct setting. Any setting related to IPSEC should be tried in all their possible settings (I had to turn one IPSEC setting off to get mine working). It seems to me that IPSEC is the cause of most problems with this VPN, so that is where I would do my investigations.

And in one case I was unable to get VPN working from one particular network because of the router at that site (or possibly other network limitation at that site).

If you have any concrete questions I can try to answer them.

best regards,
sambuca
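Sambuca's warning above (never forward udp/1701; only IKE and NAT-T belong on the outside) together with the port lists and protocol 47 rules posted earlier can be turned into a check. The following is an added example, not LinuxMCE code, that lints an iptables-save dump for exactly those points. WAN_IF is an assumption (ppp0, as in polly's auth.log) and both rulesets are constructed; the `-m policy --pol ipsec` exception is the standard xt_policy match that limits a rule to packets decapsulated from IPsec.

```python
"""Lint an iptables-save dump for the L2TP/IPsec exposure discussed above.

Added example for this thread, not LinuxMCE code. WAN_IF and both rulesets
are assumptions/constructed input.
"""
import shlex

WAN_IF = 'ppp0'  # assumption: the core's external interface
GRE = {'47', 'gre'}
# INPUT accepts this thread ended up needing on the core: (proto, dport)
REQUIRED_INPUT = [('udp', '500'), ('udp', '4500'), ('gre', None)]


def parse_rules(dump):
    """Yield (table, chain, tokens) for each '-A' line of iptables-save output."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith('*'):
            table = line[1:]
        elif line.startswith('-A '):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]


def opt(tokens, *names):
    """Value following the first occurrence of any of the option names."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def proto_of(tokens):
    p = opt(tokens, '-p', '--protocol')
    return 'gre' if p in GRE else p


def dport_of(tokens):
    return opt(tokens, '--dport', '--destination-port')


def from_wan(tokens, wan_if):
    """True when the rule applies to packets arriving on the WAN (or any interface)."""
    return opt(tokens, '-i', '--in-interface') in (None, wan_if)


def ipsec_only(tokens):
    """True when the rule is limited to packets decapsulated from IPsec (xt_policy)."""
    return 'policy' in tokens and opt(tokens, '--pol') == 'ipsec'


def lint(dump, wan_if=WAN_IF):
    """Return a list of findings; an empty list means the ruleset passed."""
    rules = list(parse_rules(dump))
    findings = []
    for proto, port in REQUIRED_INPUT:
        if not any(t == 'filter' and c == 'INPUT'
                   and opt(k, '-j', '--jump') == 'ACCEPT'
                   and proto_of(k) == proto
                   and (port is None or dport_of(k) == port)
                   for t, c, k in rules):
            findings.append('missing INPUT accept for %s%s'
                            % (proto, '/' + port if port else ''))
    for table, chain, tokens in rules:
        if (proto_of(tokens), dport_of(tokens)) != ('udp', '1701'):
            continue
        if not from_wan(tokens, wan_if):
            continue
        jump = opt(tokens, '-j', '--jump')
        if table == 'nat' and chain == 'PREROUTING' and jump == 'DNAT':
            findings.append('nat/PREROUTING forwards udp/1701 from %s: '
                            'L2TP reachable without IPsec' % wan_if)
        elif (table == 'filter' and chain in ('INPUT', 'FORWARD')
              and jump == 'ACCEPT' and not ipsec_only(tokens)):
            findings.append('filter/%s accepts udp/1701 from %s without '
                            '-m policy --pol ipsec' % (chain, wan_if))
    return findings


# Constructed rulesets. EXPOSED port-forwards and accepts udp/1701 straight
# from the WAN; HARDENED opens only IKE, NAT-T and GRE and takes 1701 only
# from packets that arrived inside the IPsec transport SA.
EXPOSED = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p udp --dport 1701 -j DNAT --to-destination 192.168.80.1:1701
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i ppp0 -p udp --dport 500 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 1701 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
COMMIT
"""

HARDENED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i ppp0 -p udp --dport 500 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p 47 -j ACCEPT
COMMIT
"""
```

Feed it `iptables-save` output from the core (or from a router in front of it) with `lint(open(path).read())`; any finding mentioning 1701 is the situation sambuca describes.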
Title: Re: No VPN Connection on 10.04
Post by: polly on November 05, 2012, 11:17:49 am
Quote
Note: Currently you need to re-enable the user and change his username after any change to the Network settings page as the files are rewritten

First, how can I re-enable users?
I did some changes to php.ini (I think, can't remember exactly) and I was able to check "can connect to VPN" and save within webadmin.

Thanks.

ochorocho
Title: Re: No VPN Connection on 10.04
Post by: sambuca on November 05, 2012, 12:36:37 pm
It is the "Can connect to VPN" setting, yes.

br,
sambuca
Title: Re: No VPN Connection on 10.04
Post by: polly on November 05, 2012, 02:18:59 pm
Quote
It is the "Can connect to VPN" setting, yes.

br,
sambuca

thanks.

regards,
ochorocho
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on November 06, 2012, 12:21:00 am
My current settings for the brief connections I can get:

/etc/ipsec.conf
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

config setup
  nat_traversal=yes
  virtual_private=%4:192.168.80.0/24
  oe=off
  protostack=netkey

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT


conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  dpddelay=15
  dpdtimeout=30
  dpdaction=clear

/etc/ipsec.secrets
Code:
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

192.168.80.1 %any: PSK "MyPSKSecret"



/etc/xl2tpd/xl2tpd.conf
Code:
[global]
ipsec saref = yes

[lns default]
ip range = 192.168.80.200-192.168.80.220
local ip = 192.168.80.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = LinuxMCE_VPN_Server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd
Code:
require-mschap-v2
ms-dns 192.168.80.1
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

/etc/ppp/chap-secrets
Code: [Select]
# Secrets for authentication using CHAP
test1     l2tpd   MyPasswd        *


I found I couldn't get a connection to work however until I replaced the !VPNpass1 against my user with a plain text password.  Hope this helps someone make sense of the issues.
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on November 06, 2012, 12:44:53 am
interesting to see:
Code: [Select]
virtual_private=%4:192.168.80.0/24
in /etc/ipsec.conf, I was expecting a %v4

is this correct or is this after you have rebooted?  I believe they revert back after reboot based on the files being written from the templates. (it is these we will have to change in the end)

I will configure as per yours tonight and check
Title: Re: No VPN Connection on 10.04
Post by: sambuca on November 06, 2012, 08:20:26 am
Mine is
Quote
virtual_private=%4:192.168.80.0/24
and it is working, so I don't think that is your problem.

Quote
I found I couldn't get a connection to work however until I replaced the !VPNpass1 against my user with a plain text password.  Hope this helps someone make sense of the issues.
What do you mean, "!VPNPass1" seems pretty plain text to me..?

br,
sambuca
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on November 07, 2012, 12:32:15 pm
Techstyle,

Good spot, yes, I have rebooted, well, power cut anyway!!  Next step I think is a UPS!!!!  Although, judging by Sambuca's comments, this may have been a red herring in the first place.  It was simply something I had spotted in the Openswan setup guides which was different, therefore, worth a try!


Sambuca,
Quote
What do you mean, "!VPNPass1" seems pretty plain text to me..?
In my chap-secrets file, all my users have the same password, "!VPNpass1", and !VPNpass1 is not my, nor any other user's, password!!  I presume from this, you do not?!

i.e. it looks roughly like this (obviously my users aren't called test1, test2...... but you get the picture!):
Code: [Select]
# Secrets for authentication using CHAP
test1     l2tpd   !VPNpass1        *
test2     l2tpd   !VPNpass1        *
test3     l2tpd   !VPNpass1        *
test4     l2tpd   !VPNpass1        *


I'm beginning to wonder if I have something wrong with my webadmin after Sambuca's comments?!

For any LinuxMCE Gods about, I'd be interested to know how the average user, who is not happy to fiddle in the command line, or less still access the MySQL database, is able as the primary / admin user within their LinuxMCE system to reset forgotten normal or VPN passwords for others?  This is a fairly basic Admin type task, yet I see no feature for it?!
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on November 15, 2012, 10:58:25 pm
Regarding the !VPNpass1 issue, I've attached 3 files of the web admin which I've edited to allow Admin / primary / power users, whatever you want to call them to change user passwords and VPN passwords without needing to know the initial password (fairly basic admin operations).  Also, stops the enable / disable VPN option from resetting the VPN password to !VPNpass1.  I will also attach them to Techstyle's ticket.

Still working on the actual connection however!
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on November 15, 2012, 11:13:16 pm
Rob,

You may want to go through the ticket and adjust it to what works for you. So far I have not successfully connected
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on November 19, 2012, 02:21:21 pm
Techstyle,

I have attached my latest files to this post which allows for a stable connection from within my network.  i.e. I attach my phone to my wifi, and set 192.168.80.1 as the VPN server.  The connection was stable until I disconnected it.  From outside connecting through my DynDNS account however, I get the following line in the Auth.log:

Code: [Select]
initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK

I think this might now be down to Firewall issues (Port 500 udp is open on my Firewall by the way).

Feel free to test and add to if you find anything.  Will try to get around to testing with Firewall turned off, in theory, this should work if all the other settings are correct!
Title: Re: No VPN Connection on 10.04
Post by: polly on November 19, 2012, 04:01:37 pm
just a hint!
i'm not sure if it's really true, but i read that ipsec needs ICMP requests.
ICMP requests must be enabled. Afaik you can ping local but not the external.

Hope this helps....

Cheers,
ochorocho
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on November 19, 2012, 04:40:02 pm
Thanks Polly,

Added ICMP, still the same message in auth.log.

Title: Re: No VPN Connection on 10.04
Post by: Techstyle on November 19, 2012, 07:36:32 pm
Rob,

I have the same message:
Code: [Select]
initial Main Mode message received on XXX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK
Even, I believe with the firewall disabled
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on November 19, 2012, 09:17:41 pm
Techstyle,

You're right, I've just confirmed even with the firewall disabled, the same issue / error, so now I'm back to being rather lost!!  interface issue perhaps?!

Very frustrating!!  keep digging!!
Title: Re: No VPN Connection on 10.04
Post by: pw44 on November 24, 2012, 01:43:13 am
News about using l2tp and ipsec?
I get a different result, from outside:
Code: [Select]
Nov 23 22:40:09 dcerouter CRON[5524]: pam_unix(cron:session): session closed for user root
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov 23 22:40:12 dcerouter pluto[21730]: packet from 187.124.217.240:500: received Vendor ID payload [Dead Peer Detection]
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: responding to Main Mode from unknown peer 187.124.217.240
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: Main mode peer ID is ID_IPV4_ADDR: '187.124.217.240'
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: new NAT mapping for #5, was 187.124.217.240:500, now 187.124.217.240:4500
Nov 23 22:40:12 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: the peer proposed: 187.15.164.55/32:17/1701 -> 187.124.217.240/32:17/0
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #6: responding to Quick Mode proposal {msgid:6aad2eab}
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #6:     us: 192.168.0.160[+S=C]:17/1701
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #6:   them: 187.124.217.240[+S=C]:17/61362===?
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 23 22:40:13 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x06bdda38 <0x0874effc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=187.124.217.240:4500 DPD=none}
Nov 23 22:40:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: received Delete SA(0x06bdda38) payload: deleting IPSEC State #6
Nov 23 22:40:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Nov 23 22:40:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Nov 23 22:40:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@192.168.0.160 was too long: 168 > 36
Nov 23 22:40:35 dcerouter pluto[21730]: | raw_eroute result=0
Nov 23 22:40:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: received and ignored informational message
Nov 23 22:40:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240 #5: received Delete SA payload: deleting ISAKMP State #5
Nov 23 22:40:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[3] 187.124.217.240: deleting connection "L2TP-PSK-NAT" instance with peer 187.124.217.240 {isakmp=#0/ipsec=#0}
Nov 23 22:40:35 dcerouter pluto[21730]: packet from 187.124.217.240:4500: received and ignored informational message
Nov 23 22:42:01 dcerouter CRON[8123]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 23 22:42:02 dcerouter CRON[8123]: pam_unix(cron:session): session closed for user root
Any hints?

I'm not willing to use ppp....
Title: Re: No VPN Connection on 10.04
Post by: sambuca on November 24, 2012, 01:13:22 pm
pw44, from the logs it seems like the ipsec connection has been established successfully, but there is no record of any xl2tpd activity. Is xl2tpd running?

br,
sambuca
Title: Re: No VPN Connection on 10.04
Post by: pw44 on November 24, 2012, 04:34:47 pm
Hi Sambuca,
yes, xl2tpd is running.


/var/log/auth.log
Code: [Select]
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: received Vendor ID payload [Dead Peer Detection]
Nov 24 13:29:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: responding to Main Mode from unknown peer 186.242.129.142
Nov 24 13:29:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 24 13:29:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 24 13:29:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
Nov 24 13:29:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 24 13:29:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: Main mode peer ID is ID_IPV4_ADDR: '186.242.129.142'
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: new NAT mapping for #18, was 186.242.129.142:500, now 186.242.129.142:4500
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: the peer proposed: 187.15.164.55/32:17/1701 -> 186.242.129.142/32:17/0
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19: responding to Quick Mode proposal {msgid:0e352bfd}
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19:     us: 192.168.0.160[+S=C]:17/1701
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19:   them: 186.242.129.142[+S=C]:17/51077===?
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0bfea5b5 <0x46b2c1c7 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=186.242.129.142:4500 DPD=none}
Nov 24 13:29:58 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: received Delete SA(0x0bfea5b5) payload: deleting IPSEC State #19
Nov 24 13:29:58 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Nov 24 13:29:58 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Nov 24 13:29:58 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@192.168.0.160 was too long: 168 > 36
Nov 24 13:29:58 dcerouter pluto[21730]: | raw_eroute result=0
Nov 24 13:29:58 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: received and ignored informational message
Nov 24 13:29:58 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: received Delete SA payload: deleting ISAKMP State #18
Nov 24 13:29:58 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142: deleting connection "L2TP-PSK-NAT" instance with peer 186.242.129.142 {isakmp=#0/ipsec=#0}
Nov 24 13:29:58 dcerouter pluto[21730]: packet from 186.242.129.142:4500: received and ignored informational message
Nov 24 13:30:01 dcerouter CRON[28937]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 24 13:30:01 dcerouter CRON[28938]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 24 13:30:01 dcerouter CRON[28939]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 24 13:30:03 dcerouter CRON[28939]: pam_unix(cron:session): session closed for user root
Nov 24 13:30:03 dcerouter CRON[28938]: pam_unix(cron:session): session closed for user root
Nov 24 13:30:10 dcerouter CRON[28937]: pam_unix(cron:session): session closed for user root

dcerouter_1031272:/var/log# ps ax | grep xl2
11310 pts/33   S+     0:00 grep --color=auto xl2
23156 ?        Ss     0:00 /usr/sbin/xl2tpd


/var/log/syslog (xl2tpd)
Code: [Select]
Nov 24 13:29:38 dcerouter xl2tpd[23156]: control_finish: Peer requested tunnel 17 twice, ignoring second one.
Nov 24 13:29:43 dcerouter xl2tpd[23156]: last message repeated 2 times
Nov 24 13:29:43 dcerouter xl2tpd[23156]: Maximum retries exceeded for tunnel 40741.  Closing.
Nov 24 13:29:48 dcerouter xl2tpd[23156]: control_finish: Peer requested tunnel 17 twice, ignoring second one.
Nov 24 13:29:48 dcerouter xl2tpd[23156]: Connection 17 closed to 186.242.129.142, port 51077 (Timeout)
Nov 24 13:29:52 dcerouter xl2tpd[23156]: control_finish: Peer requested tunnel 17 twice, ignoring second one.
Nov 24 13:29:53 dcerouter xl2tpd[23156]: Unable to deliver closing message for tunnel 40741. Destroying anyway.
Nov 24 13:29:57 dcerouter xl2tpd[23156]: control_finish: Peer requested tunnel 17 twice, ignoring second one.

Did recheck the configs, but it is not working....
Title: Re: No VPN Connection on 10.04
Post by: pw44 on November 27, 2012, 10:14:13 pm
Any hints? Anyone have it working? TIA!
Title: Re: No VPN Connection on 10.04
Post by: sambuca on November 28, 2012, 07:26:28 am
From auth.log I can see that the ipsec connection has been established. But I see no record of the connection part of xl2tpd/pppd in syslog. Are you sure you have copied enough of the log?

br,
sambuca
Title: Re: No VPN Connection on 10.04
Post by: polly on November 28, 2012, 12:19:14 pm
pw44, vpn on my core is working as long as the dynamic ip gets updated.... :-/

it still needs some testing, i had some trouble connecting a second time ...
i got disconnected....

i'll do some more tests. For me it's working, but it's not reliable....
I will do further tests! ... This may take its time.

Cheers,
ochorocho
Title: Re: No VPN Connection on 10.04
Post by: pw44 on November 28, 2012, 09:03:22 pm
@Sambuca: yes, all the xl2tpd log is there.

Code: [Select]
dcerouter_1031272:/etc/fail2ban/action.d# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.23/K2.6.32-42-generic (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                             
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Code: [Select]
dcerouter_1031272:/home/cameras# grep pppd /var/log/syslog*
dcerouter_1031272:/home/cameras# grep xl2tpd /var/log/syslog*
/var/log/syslog.1:Nov 27 12:47:04 dcerouter xl2tpd[6009]: control_finish: Peer requested tunnel 23 twice, ignoring second one.
/var/log/syslog.1:Nov 27 12:47:04 dcerouter xl2tpd[6009]: control_finish: Peer requested tunnel 23 twice, ignoring second one.
/var/log/syslog.1:Nov 27 12:47:09 dcerouter xl2tpd[6009]: Maximum retries exceeded for tunnel 34456.  Closing.
/var/log/syslog.1:Nov 27 12:47:10 dcerouter xl2tpd[6009]: control_finish: Peer requested tunnel 23 twice, ignoring second one.
/var/log/syslog.1:Nov 27 12:47:10 dcerouter xl2tpd[6009]: Connection 23 closed to 186.242.246.139, port 56213 (Timeout)
/var/log/syslog.1:Nov 27 12:47:14 dcerouter xl2tpd[6009]: control_finish: Peer requested tunnel 23 twice, ignoring second one.
/var/log/syslog.1:Nov 27 12:47:15 dcerouter xl2tpd[6009]: Unable to deliver closing message for tunnel 34456. Destroying anyway.
/var/log/syslog.1:Nov 27 12:47:18 dcerouter xl2tpd[6009]: control_finish: Peer requested tunnel 23 twice, ignoring second one.
/var/log/syslog.1:Nov 27 12:47:28 dcerouter xl2tpd[6009]: Maximum retries exceeded for tunnel 3240.  Closing.

@polly: i did read about dpd (dead peer detection). I guess this will solve the second time....
Would you share your config file with me (changed passwords and secrets, of course)?

Anyway, i'm reading, trying but am not able to get xl2tpd right.

TIA
Title: Re: No VPN Connection on 10.04
Post by: polly on November 28, 2012, 11:54:29 pm
### EDIT: SORRY, TOO EARLY ... as usual, after connecting several times it stopped working again ....


hey......

here is my config:

http://dokuwiki.knallimall.org/de/linuxmce_ipsec_working

pw44, "dead peer connection" was the key!!! thx a lot....
you should click on the "update" button in network settings, i guess  to update the network config. Make also sure you updated linuxMCE to the most recent version coz' sambuca added a few changes regarding config using lmce-admin done by robwoodward75.

hope this helps!

Cheers,
ochorocho
Title: Re: No VPN Connection on 10.04
Post by: pw44 on November 29, 2012, 09:44:37 pm
Polly, the strange thing is that your config files are almost the same as mine, but i'm still getting xl2tpd error.
How is your l2tp-secrets looking (no password, please) :)
Ipsec goes well......
Sambuca, any hint?
TIA,
Paulo
Title: Re: No VPN Connection on 10.04
Post by: pw44 on November 30, 2012, 06:53:41 pm
Hi,
yesterday, vpn connected, two times and no more.
Is xl2tp reliable?
Title: Re: No VPN Connection on 10.04
Post by: sambuca on November 30, 2012, 08:51:31 pm
I have experienced that ipsec has stopped a few times - I haven't looked any more at it.

I'm sorry, but I don't know much about xl2tpd in this regard.

br,
sambuca
Title: Re: No VPN Connection on 10.04
Post by: pw44 on November 30, 2012, 10:54:31 pm
well, it seems the ppp will be the reliable one..... :(
I will test ppp on 10.04 (had it working on 8.10).
BR
Paulo
Title: Re: No VPN Connection on 10.04
Post by: Techstyle on December 04, 2012, 09:18:37 pm
It seems somebody closed the ticket, can anybody confirm it works out of the box?
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on December 04, 2012, 11:05:42 pm
Hi Techstyle,

Looks like Pos decided that Sambuca's comment of:
Quote
Changed 10 days ago by sambuca

For the record, the ipsec stuff is logged to /var/log/auth.log and the pppd and xl2tpd is logged to /var/log/syslog. Once you see "STATE_QUICK_R2: IPsec SA established transport mode" in the auth.log, ipsec is connected, and you should start looking at the xl2tpd/pppd logs.

meant that the whole thing was working, rather than just the ipsec connection.  Any chance you can re-open the ticket with a suitable comment to make sure the whole thing is fixed before closing the ticket?!!
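The reading order sambuca gives in that ticket comment (auth.log first, and only once "IPsec SA established transport mode" appears, the xl2tpd/pppd lines in syslog) can be turned into a small triage script. This is an added example for this thread, not LinuxMCE or Openswan code: the milestone strings are taken from the pluto and xl2tpd lines posted above, the sample log lists are constructed from them (the "no connection has been authorized" sample uses documentation IP addresses), and the hints are the usual interpretation of each stage, not anything the thread itself confirmed.

```python
"""Triage one L2TP/IPsec connection attempt from Openswan and xl2tpd log lines.

Added example for this forum thread, not LinuxMCE or Openswan code. It follows the
order sambuca describes: find how far IKE got in /var/log/auth.log, and only once the
IPsec SA is established move on to the xl2tpd/pppd lines in /var/log/syslog.
"""

# IKE milestones in the order pluto reaches them (message text as logged in the thread).
IKE_MILESTONES = (
    ("ike_packet_seen", "packet from ",
     "IKE reached pluto but Main Mode never started; read the lines right after 'packet from'."),
    ("conn_matched", "responding to Main Mode",
     "A conn matched but Phase 1 did not finish: PSK or IKE proposal mismatch."),
    ("phase1_up", "ISAKMP SA established",
     "PSK accepted; Quick Mode failed: compare leftprotoport/rightprotoport (17/1701) "
     "with what the peer proposed."),
    ("phase2_up", "IPsec SA established transport mode",
     "IPsec is up; the fault is past pluto, look at xl2tpd/pppd in syslog."),
)
NO_CONN = "no connection has been authorized with policy=PSK"


def ipsec_stage(auth_lines):
    """Return (stage, hint) for the furthest IKE milestone present in auth.log lines."""
    text = "\n".join(auth_lines)
    if NO_CONN in text and IKE_MILESTONES[1][1] not in text:
        return ("no_conn_for_peer",
                "pluto saw IKE but no conn accepted the peer; check left=/right= and that "
                "the NAT conn is loaded ('ipsec auto --status').")
    stage, hint = "nothing_seen", "No IKE traffic reached pluto: UDP/500 blocked or sent elsewhere."
    for name, marker, name_hint in IKE_MILESTONES:
        if marker in text:          # later milestones overwrite earlier ones
            stage, hint = name, name_hint
    return stage, hint


def l2tp_stage(syslog_lines):
    """Return (stage, hint) from the xl2tpd/pppd lines in syslog."""
    xl2tpd = [l for l in syslog_lines if "xl2tpd[" in l]
    pppd = [l for l in syslog_lines if "pppd[" in l]
    if pppd:
        return ("ppp_started",
                "L2TP tunnel came up; failures from here are PPP auth (chap-secrets, options.xl2tpd).")
    if any("Maximum retries exceeded" in l or "(Timeout)" in l for l in xl2tpd):
        return ("l2tp_no_reply",
                "xl2tpd answers but the client keeps re-sending its tunnel request, so the replies "
                "most likely never reach it (UDP/1701 return path, NAT, or another device on 1701).")
    if xl2tpd:
        return "l2tp_seen", "xl2tpd is talking to the peer; read its remaining lines for the error."
    return "no_l2tp_activity", "xl2tpd logged nothing: is it running and bound to the address pluto used?"


def triage(auth_lines, syslog_lines):
    """Combine both logs in the order a troubleshooter should read them."""
    stage, hint = ipsec_stage(auth_lines)
    if stage != "phase2_up":
        return {"ipsec": stage, "l2tp": None, "next_step": hint}
    l2tp, hint = l2tp_stage(syslog_lines)
    return {"ipsec": stage, "l2tp": l2tp, "next_step": hint}


# Constructed samples, shortened from the logs posted in this thread.
AUTH_OK = [
    'Nov 24 13:29:35 dcerouter pluto[21730]: packet from 186.242.129.142:500: received Vendor ID payload [RFC 3947] method set to=109',
    'Nov 24 13:29:35 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: responding to Main Mode from unknown peer 186.242.129.142',
    'Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #18: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}',
    'Nov 24 13:29:36 dcerouter pluto[21730]: "L2TP-PSK-NAT"[9] 186.242.129.142 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0bfea5b5 <0x46b2c1c7 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=186.242.129.142:4500 DPD=none}',
]
# Constructed: the failure Rob and Techstyle reported, with documentation addresses.
AUTH_NO_CONN = [
    'Nov 19 14:00:00 dcerouter pluto[10355]: packet from 203.0.113.7:500: received Vendor ID payload [RFC 3947] method set to=109',
    'Nov 19 14:00:00 dcerouter pluto[10355]: packet from 203.0.113.7:500: initial Main Mode message received on 198.51.100.1:500 but no connection has been authorized with policy=PSK',
]
SYSLOG_TIMEOUT = [
    'Nov 24 13:29:38 dcerouter xl2tpd[23156]: control_finish: Peer requested tunnel 17 twice, ignoring second one.',
    'Nov 24 13:29:43 dcerouter xl2tpd[23156]: Maximum retries exceeded for tunnel 40741.  Closing.',
    'Nov 24 13:29:48 dcerouter xl2tpd[23156]: Connection 17 closed to 186.242.129.142, port 51077 (Timeout)',
]

if __name__ == "__main__":
    print(triage(AUTH_OK, SYSLOG_TIMEOUT))      # pw44's case: IPsec up, L2TP replies not acknowledged
    print(triage(AUTH_NO_CONN, SYSLOG_TIMEOUT)) # Rob's case: stops in pluto, syslog not yet relevant
```

Run it against real files with `triage(open("/var/log/auth.log").read().splitlines(), open("/var/log/syslog").read().splitlines())`; on a busy core, filter the lists to the time window of one attempt first, or the furthest milestone from an older, successful session will mask the current failure.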
Title: Re: No VPN Connection on 10.04
Post by: pw44 on December 06, 2012, 07:19:45 pm
ipsec maybe working, but xl2tpd is unreliable..... could not make it work for more than 2 minutes and repeat it.... i only got it working 2 times, for less than 2 minutes, in a universe of more than 100 tries.
Title: Re: No VPN Connection on 10.04
Post by: Marie.O on December 06, 2012, 08:23:20 pm
If someone is able to get a good connection for 2 minutes, try changing /etc/ppp/options.xl2tpd

Code: [Select]
lcp-echo-interval 30
lcp-echo-failure 4

to higher numbers, and see if that changes stuff.
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on December 10, 2012, 01:38:33 pm
According to Sambuca on the Ticket, he has a working VPN connection, and has had all along.

Quote
For the record, this was a generic comment related to the logs posted here and elsewhere.

For me, VPN has worked all along, and this was communicated to pos in IRC.


Sambuca,

Any chance you could therefore share all your VPN related settings with us all (obviously hiding passwords), so that we may all have working VPN please?  We just need one fully working set which we can try and confirm.


I am struggling to understand how you've had a working connection all along, and we (myself, Techstyle, Polly, pw44, and I think posde?!) cannot.  I have only ever managed to get a stable VPN connection by connecting to it from within my own network at home, not from outside that network.  From outside my network, I can get the IPSEC to authenticate via PSK now, but never managed to connect the L2TP part to establish the fully working VPN. Even with the firewall switched off, I cannot establish a connection.


Thanks.
Title: Re: No VPN Connection on 10.04
Post by: sambuca on December 10, 2012, 02:44:27 pm
I don't do any special setup in LMCE for VPN, the standard setup done through the web-admin is enough.

That said, I did struggle to get my router to cooperate, and imho I think that is where most people have problems too. To support this theory even more, I am unable to get a VPN connection from my office, but from other networks it works fine.

br,
sambuca
Title: Re: No VPN Connection on 10.04
Post by: robwoodward75 on December 11, 2012, 03:24:07 pm
Interesting........

I only have a modem connection to the outside facing NIC, the routers are connected to the internal NIC, which I can get (or at least have got) VPN connection on using one of the settings suggested.  Office issue I can understand, I have a similar problem with ssh to my server from the office, as they block outgoing traffic on port 22, so I have to port forward from another port number back to 22 within the LMCE firewall.  However, I have been trying using my Android mobile mainly, or my laptop pointing at the external DNS entry.  Both of which I can get to work from internal to the network, using 192.168.80.1 as the host.


Not sure if it is the modem how I can test / verify that?!  Any ideas?


Rob.
Title: Re: No VPN Connection on 10.04
Post by: sambuca on December 11, 2012, 03:39:56 pm
I have used my mobile data carrier for testing, but I can't guarantee that all providers are the same..

I would first see if there is any settings related to VPN in the modem.

br,
sambuca
Title: Re: No VPN Connection on 10.04
Post by: pw44 on December 11, 2012, 09:56:11 pm
Frankly speaking, i gave up with ipsec/l2tp.
My setup is:
ADSL <------>  Tomato router <----> external NIC LMCE <-----> Internal NIC <-----> Home network.
On my tomato: UDP 500, 1701 and 4500 forward to external NIC
On my LMCE Firewall: 500 and 4500.
I did read a ton of tutorials, had examples, but got it working only 2 times for less than 3 minutes each.
That's all.
I will set up the old pptp, which i had working on my 8.10 box with no glitch, but after vacation.
Title: Re: No VPN Connection on 10.04
Post by: sambuca on December 12, 2012, 07:25:58 am
Ok, fair enough.

Just a clarification on the ports, in case anyone reads this later on.
Do not forward port 1701!! Doing so allows bypassing the security of the VPN completely.

In my setup I forwarded ports 500 and 4500, and also enabled "IPSEC passthrough" on the router.

br,
sambuca
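As an added illustration of the warning above (not part of sambuca's post or of LinuxMCE), the check below parses iptables-save style rules from the core and flags any rule that accepts or forwards UDP/1701 without requiring the packet to have arrived through IPsec. L2TP on its own is protected only by the PPP password, so a rule that lets cleartext UDP/1701 in lets a client skip the IPsec layer entirely. The `-m policy --dir in --pol ipsec` match is the standard iptables way to say "only if this packet was decrypted by IPsec"; the rule sets here are constructed samples, with eth0 assumed as the external NIC.

```python
"""Check that UDP/1701 (L2TP) is only reachable inside the IPsec tunnel.

Added example for this forum thread, not LinuxMCE code. Parses iptables-save output and
reports rules that ACCEPT or DNAT udp/1701 without '-m policy --dir in --pol ipsec',
plus an INPUT chain whose default ACCEPT would let cleartext L2TP fall through.
"""
import shlex

L2TP_PORT = 1701


def parse_rule(line):
    """Pull the options that matter for this audit out of one '-A CHAIN ...' line."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "dport": None, "target": None, "dir": None, "pol": None}
    two_token = {"-A": "chain", "-p": "proto", "-j": "target", "--dir": "dir", "--pol": "pol"}
    i = 0
    while i < len(toks):
        key = two_token.get(toks[i])
        if key and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        elif toks[i] == "--dport" and i + 1 < len(toks):
            rule["dport"] = int(toks[i + 1])
            i += 2
        else:
            i += 1                      # anything else (-i, -m, --to-destination ...) is irrelevant here
    return rule


def audit_l2tp(save_text):
    """Return a list of problems; an empty list means udp/1701 is only accepted via IPsec."""
    problems, policies, rules = [], {}, []
    for line in save_text.splitlines():
        if line.startswith(":"):        # ':INPUT DROP [0:0]' -> default policy of the chain
            name, pol = line[1:].split()[:2]
            policies[name] = pol
        elif line.startswith("-A"):
            rules.append((line, parse_rule(line)))
    l2tp_rules = [(l, r) for l, r in rules if r["proto"] == "udp" and r["dport"] == L2TP_PORT]
    for line, r in l2tp_rules:
        ipsec_only = r["pol"] == "ipsec" and r["dir"] == "in"
        if r["target"] in ("ACCEPT", "DNAT") and not ipsec_only:
            problems.append(f"{r['chain']}: udp/{L2TP_PORT} {r['target']} without "
                            f"'-m policy --dir in --pol ipsec': {line}")
    closes_1701 = any(r["target"] in ("DROP", "REJECT")
                      for _, r in l2tp_rules if r["chain"] == "INPUT")
    if policies.get("INPUT") == "ACCEPT" and not closes_1701:
        problems.append(f"INPUT: default policy ACCEPT and no DROP/REJECT for udp/{L2TP_PORT}, "
                        "so cleartext L2TP falls through")
    return problems


# Constructed samples. eth0 is assumed to be the external NIC of the core.
WEAK = """*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
COMMIT
"""
HARDENED = """*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1701 -j DROP
COMMIT
"""
OPEN_DEFAULT = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, ruleset in (("WEAK", WEAK), ("HARDENED", HARDENED), ("OPEN_DEFAULT", OPEN_DEFAULT)):
        print(name, audit_l2tp(ruleset) or ["ok"])
```

On a live core, feed it `iptables-save` output (`audit_l2tp(subprocess.check_output(["iptables-save"], text=True))`). The same `--pol ipsec` requirement applies with NAT-T: once pluto has decapsulated the UDP/4500 stream, the inner L2TP packet still carries the IPsec policy mark that the match tests, so the hardened rule works for clients behind NAT too.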