No VPN Connection on 10.04

[robwoodward75]

Despite following the very simple guide on the wiki, I cannot seem to get the VPN to work on my installation (Of which this is the second, as I completely wrecked the fist trying!)  After turning it on and off again, I started to trawl the net for solutions involving Openswan VPN.  In finding various issues with the version number, I upgraded the version, and still no luck.  I ended up completely ruining my network setup, and was forced to completely reinstall MCE from scratch, where I have since once again followed the wiki to set it up without success.

I will post in my Auth.log output from the MCE server and client side log later, as I'm guessing that will be one of the first questions!!  Is anyone else having trouble, or managed to connect?  Is there a minimum PSK length? etc etc?!


Thanks,



Rob.

[Techstyle]

I think I can confirm the same. See:

http://forum.linuxmce.org/index.php/topic,12889.msg92967.html#msg92967

[robwoodward75]

Thanks Techstyle, feel better knowing I'm not on my own with this issue!!

OK, here are the log files from the server and client:

Server auth.log:

Code:

Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [Dead Peer Detection]
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [RFC 3947] method set to=109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 19 08:43:18 dcerouter pluto[10355]: packet from 192.168.80.133:500: initial Main Mode message received on 192.168.80.1:500 but no connection has been authorized with policy=PSK

Client auth.log:

Code:

Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down
Oct 19 10:30:20 rob-laptop pluto[14518]: forgetting secrets
Oct 19 10:30:20 rob-laptop pluto[14518]: "Home": deleting connection
Oct 19 10:30:20 rob-laptop pluto[14518]: "Home" #2: deleting state (STATE_MAIN_I1)
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface lo/lo ::1:500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface lo/lo 127.0.0.1:4500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface lo/lo 127.0.0.1:500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface eth1/eth1 192.168.80.133:4500
Oct 19 10:30:20 rob-laptop pluto[14518]: shutting down interface eth1/eth1 192.168.80.133:500
Oct 19 10:30:20 rob-laptop pluto[14527]: pluto_crypto_helper: helper (0) is  normal exiting
Oct 19 10:30:22 rob-laptop ipsec__plutorun: Starting Pluto subsystem...
Oct 19 10:30:22 rob-laptop pluto[14807]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:14807
Oct 19 10:30:22 rob-laptop pluto[14807]: LEAK_DETECTIVE support [disabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: OCF support for IKE [disabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: SAref support [disabled]: Protocol not available
Oct 19 10:30:22 rob-laptop pluto[14807]: SAbind support [disabled]: Protocol not available
Oct 19 10:30:22 rob-laptop pluto[14807]: NSS support [disabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: HAVE_STATSD notification support not compiled in
Oct 19 10:30:22 rob-laptop pluto[14807]: Setting NAT-Traversal port-4500 floating to on
Oct 19 10:30:22 rob-laptop pluto[14807]:    port floating activation criteria nat_t=1/port_float=1
Oct 19 10:30:22 rob-laptop pluto[14807]:    NAT-Traversal support  [enabled]
Oct 19 10:30:22 rob-laptop pluto[14807]: using /dev/urandom as source of random entropy
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 19 10:30:22 rob-laptop pluto[14807]: starting up 1 cryptographic helpers
Oct 19 10:30:22 rob-laptop pluto[14807]: started helper pid=14827 (fd:6)
Oct 19 10:30:22 rob-laptop pluto[14807]: Using Linux 2.6 IPsec interface code on 3.2.0-32-generic (experimental code)
Oct 19 10:30:22 rob-laptop pluto[14827]: using /dev/urandom as source of random entropy
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_add(): ERROR: Algorithm already exists
Oct 19 10:30:22 rob-laptop pluto[14807]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Oct 19 10:30:22 rob-laptop pluto[14807]: Changed path to directory '/etc/ipsec.d/cacerts'
Oct 19 10:30:22 rob-laptop pluto[14807]: Changed path to directory '/etc/ipsec.d/aacerts'
Oct 19 10:30:22 rob-laptop pluto[14807]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Oct 19 10:30:22 rob-laptop pluto[14807]: Changing to directory '/etc/ipsec.d/crls'
Oct 19 10:30:22 rob-laptop pluto[14807]:   Warning: empty directory
Oct 19 10:30:22 rob-laptop pluto[14807]: added connection description "Home"
Oct 19 10:30:22 rob-laptop pluto[14807]: listening for IKE messages
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface eth1/eth1 192.168.80.133:500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface eth1/eth1 192.168.80.133:4500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface lo/lo 127.0.0.1:500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface lo/lo 127.0.0.1:4500
Oct 19 10:30:22 rob-laptop pluto[14807]: adding interface lo/lo ::1:500
Oct 19 10:30:22 rob-laptop pluto[14807]: loading secrets from "/etc/ipsec.secrets"
Oct 19 10:30:22 rob-laptop pluto[14807]: listening for IKE messages
Oct 19 10:30:22 rob-laptop pluto[14807]: forgetting secrets
Oct 19 10:30:22 rob-laptop pluto[14807]: loading secrets from "/etc/ipsec.secrets"
Oct 19 10:30:22 rob-laptop pluto[14807]: "Home" #1: initiating Main Mode
Oct 19 10:31:32 rob-laptop pluto[14807]: "Home" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Oct 19 10:31:32 rob-laptop pluto[14807]: "Home" #1: starting keying attempt 2 of at most 3, but releasing whack
Oct 19 10:31:32 rob-laptop pluto[14807]: "Home" #2: initiating Main Mode to replace #1
Oct 19 10:32:42 rob-laptop pluto[14807]: "Home" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Oct 19 10:32:42 rob-laptop pluto[14807]: "Home" #2: starting keying attempt 3 of at most 3
Oct 19 10:32:42 rob-laptop pluto[14807]: "Home" #3: initiating Main Mode to replace #2

Client syslog:

Code:

Oct 19 08:43:15 rob-laptop L2tpIPsecVpnControlDaemon: Opening client connection
Oct 19 08:43:15 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec setup stop
Oct 19 08:43:15 rob-laptop ipsec_setup: Stopping Openswan IPsec...
Oct 19 08:43:17 rob-laptop kernel: [ 1105.812134] NET: Unregistered protocol family 15
Oct 19 08:43:17 rob-laptop ipsec_setup: ...Openswan IPsec stopped
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec setup stop finished with exit code 0
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Executing command invoke-rc.d xl2tpd stop
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Command invoke-rc.d xl2tpd stop finished with exit code 0
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Opening client connection
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec setup start
Oct 19 08:43:17 rob-laptop L2tpIPsecVpnControlDaemon: Closing client connection
Oct 19 08:43:17 rob-laptop xl2tpd[3596]: death_handler: Fatal signal 15 received
Oct 19 08:43:17 rob-laptop kernel: [ 1106.163206] NET: Registered protocol family 15
Oct 19 08:43:17 rob-laptop ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-32-generic...
Oct 19 08:43:17 rob-laptop ipsec_setup: Using NETKEY(XFRM) stack
Oct 19 08:43:17 rob-laptop kernel: [ 1106.515942] Initializing XFRM netlink socket
Oct 19 08:43:18 rob-laptop kernel: [ 1106.557560] padlock_sha: VIA PadLock Hash Engine not detected.
Oct 19 08:43:18 rob-laptop kernel: [ 1106.605526] Intel AES-NI instructions are not detected.
Oct 19 08:43:18 rob-laptop kernel: [ 1106.655817] Intel AES-NI instructions are not detected.
Oct 19 08:43:18 rob-laptop ipsec_setup: ...Openswan IPsec started
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec setup start finished with exit code 0
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Executing command invoke-rc.d xl2tpd start
Oct 19 08:43:18 rob-laptop xl2tpd[11410]: setsockopt recvref[30]: Protocol not available
Oct 19 08:43:18 rob-laptop xl2tpd[11410]: This binary does not support kernel L2TP.
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: xl2tpd version xl2tpd-1.3.1 started on rob-laptop PID:11411
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Forked by Scott Balmos and David Stipp, (C) 2001
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Inherited by Jeff McAdams, (C) 2002
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Oct 19 08:43:18 rob-laptop xl2tpd[11411]: Listening on IP address 0.0.0.0, port 1701
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Command invoke-rc.d xl2tpd start finished with exit code 0
Oct 19 08:43:18 rob-laptop pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 19 08:43:18 rob-laptop ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Oct 19 08:43:18 rob-laptop ipsec__plutorun: 002 added connection description "Home"
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec auto --ready
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec auto --ready finished with exit code 0
Oct 19 08:43:18 rob-laptop L2tpIPsecVpnControlDaemon: Executing command ipsec auto --up Home
Oct 19 08:44:28 rob-laptop L2tpIPsecVpnControlDaemon: Command ipsec auto --up Home finished with exit code 0
Oct 19 08:44:28 rob-laptop L2tpIPsecVpnControlDaemon: Closing client connection

[robwoodward75]

Tried a few more things with the settings, this time without trying to upgrade anything!!  I have managed to get the L2TP working, however xl2tp seems to still be causing an issue.  See below:

Code:

Oct 26 17:52:01 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #23: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 26 17:52:01 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #23: received and ignored informational message
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #23: the peer proposed: 92.235.79.186/32:17/1701 -> 192.168.80.139/32:17/0
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: responding to Quick Mode proposal {msgid:431872ee}
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24:     us: 92.235.79.186[+S=C]:17/1701
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24:   them: 192.168.80.139[+S=C]:17/0
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: keeping refhim=4294901761 during rekey
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 26 17:52:02 dcerouter pluto[27401]: "L2TP-PSK-NAT"[1] 192.168.80.139 #24: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x032ff1f1 <0xda77ca7b xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Apparently, from what I've read, the last line means the L2TP tunnel has been established.  In /var/log/daemon.log I get the following output:

Code:

Oct 26 17:51:24 dcerouter xl2tpd[12399]: Listening on IP address 0.0.0.0, port 1701
Oct 26 17:52:05 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:10 dcerouter xl2tpd[12399]: last message repeated 2 times
Oct 26 17:52:10 dcerouter xl2tpd[12399]: Maximum retries exceeded for tunnel 16046.  Closing.
Oct 26 17:52:11 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:11 dcerouter xl2tpd[12399]: Connection 26256 closed to 192.168.80.139, port 50906 (Timeout)
Oct 26 17:52:13 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:15 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:16 dcerouter xl2tpd[12399]: Unable to deliver closing message for tunnel 16046. Destroying anyway.
Oct 26 17:52:17 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:26 dcerouter xl2tpd[12399]: last message repeated 3 times
Oct 26 17:52:26 dcerouter xl2tpd[12399]: Maximum retries exceeded for tunnel 51656.  Closing.
Oct 26 17:52:27 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:27 dcerouter xl2tpd[12399]: Connection 26256 closed to 192.168.80.139, port 50906 (Timeout)
Oct 26 17:52:29 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:31 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:32 dcerouter xl2tpd[12399]: Unable to deliver closing message for tunnel 51656. Destroying anyway.
Oct 26 17:52:33 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:37 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:39 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:41 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:42 dcerouter xl2tpd[12399]: Maximum retries exceeded for tunnel 7793.  Closing.
Oct 26 17:52:43 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:43 dcerouter xl2tpd[12399]: Connection 26256 closed to 192.168.80.139, port 50906 (Timeout)
Oct 26 17:52:43 dcerouter xl2tpd[12399]: control_finish: Peer requested tunnel 26256 twice, ignoring second one.
Oct 26 17:52:43 dcerouter xl2tpd[12399]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Oct 26 17:52:43 dcerouter xl2tpd[12399]: handle_packet: bad control packet!
Oct 26 17:52:48 dcerouter xl2tpd[12399]: Unable to deliver closing message for tunnel 7793. Destroying anyway.

So, its definitely a xl2tpd issue....... I think?!

I got this far by making the following changes, not entirely sure which of them affected the connection:

/etc/ipsec.conf
changed

Code:

virtual_private=%4:192.168.80.0/24

to

Code:

virtual_private=%v4:192.168.80.0/24

(adding a v after the %)


/etc/ipsec.secrets
changed:

Code:

%any %any: "MyXL2TPSuperSecretPassword"

to

Code:

%defaultroute %any: PSK "MyXL2TPSuperSecretPassword"

/etc/ppp/options.xl2tpd

Code:

ms-dns 192.168.80.1

to

Code:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

The only file that I haven't changed within the likely culprits is /etc/ppp/chap-secrets, which contains no mention of the VPN password I set, but instead has the following type entries:

Code:

# Secrets for authentication using CHAP
myuser    l2tpd   !VPNpass1       *

How does it resolve !VPNpass1? I also tried putting a plain text password in instead and restarting the x2ltpd, but no better!

The upshot is it's still not working grrrrrrrrrrrrrrrrrrrrrrr!!!!!   

[robwoodward75]

Update:

From my internal network, I can get my Android phone to connect briefly (as in seconds before dropping the connection)  Which tends to suggest there's an external firewall issue as well as whatever security / version issues I have.

I have the following ports open:
4500 upd
500 udp
1701 udp

oddly, I can't connect with either my kubuntu or Windows laptops internally or externally.

Getting very frustrated with this issue!!!

[polly]

Hey ...

i had my vpn running weeks ago. Stopped working :-(

anyways, this is my list of opened ports in the firewall:

udp    500
udp    1701
tcp    1723
udp    4500
udp    5500

hope this helps...

ochorocho

[Techstyle]

I tried this with the Firewall disabled and still cannot get in

[pw44]

For ppp, you need to enable the protocol 47, only opening port 1723 will not work.
Insert the following iptables rules:

iptables --append FORWARD -o ppp+ --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
iptables --append INPUT  --protocol 47 --jump ACCEPT
iptables --append OUTPUT --protocol 47 --jump ACCEPT

[Techstyle]

pw44,

is yours working now then?

where do you add those iptable rules?

[pw44]

Append it to /usr/pluto/bin/Network_Firewall.sh

[tschak909]

Can you please open a ticket and submit a patch, so one of us can fold it into the system?

-Thom

[Techstyle]

Ticket Created:

http://svn.linuxmce.org/trac.cgi/ticket/1598

So far we do not have a complete solution to submit with the ticket but it is Open and references the two threads on this subject.

[posde]

It would be appreciated, if people would find the energy to condense the information from forum threads into the trac ticket, so that an interested developer does not have to jump around to find information.

[Techstyle]

Will do, but it will be a work in progress - nobody has it working yet

[polly]

my config was working ... but it stopped after reboot ....
i make mine worked again... lets say i try! ... :-)

if i'ma able to make it work again i let you know and can compare configs and stuff ....

thx.

Jochen