[Openl2tp-users] openswan + openl2tp .. almost there, please help!

Bogdan mastabog at gmail.com
Thu Oct 13 17:45:52 BST 2011


Hi,

(I've posted the same on the forums but seeing they are not very active, 
I'm trying my luck here)

I've made many steps towards getting openswan + openl2tp to work. I even submitted a 
few patches for OpenWRT that finally allow openl2tp to use a config file 
(http://dev.openwrt.org/ticket/10164).

My problem is the following. I can make openswan + xl2tpd connect and 
work. It's slow because xl2tpd hogs the cpu of my router a lot being a 
usermode app. openl2tp seems like a much better solution since it uses a 
kernel module (and looks *so* much better documented and structured).

I just couldn't get the openswan + openl2tp combo to work. I'm 
copy/pasting below the config files of openswan, xl2tpd/pppd and openl2tpd 
plus the output ... maybe someone can spot the error or provide with the 
correct equivalent config for openl2tp.

When I load the ipsec.so module in the foreground, it spits out the error 
"/sbin/setkey: Invalid argument". The syslog contains the following 
message from openswan (whether openl2tpd runs in the foreground or as a daemon):

Nov 11 12:32:48 OpenWrt authpriv.warn pluto[1727]: pfkey_async: 
unparseable PF_KEY message: K_SADB_REGISTER len=2, errno=22, seq=0, 
pid=2127; message ignored


It's using PAP auth in ppp (the pap-secrets file for xl2tpd is omitted).

I'd truly appreciate some help!


============ ipsec.conf ============

version   2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    oe=off
    protostack=auto

conn vpdn
    type=transport
    authby=secret
    pfs=no
    rekey=yes
    keyingtries=3
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    leftid=@default
    right=SERVER_FQDN
    rightprotoport=17/1701
    auto=add


============ xl2tpd.conf ============

[global]
port = 1701
access control = no
debug tunnel = no
ipsec saref = yes

[lac vpdn]
lns = SERVER_FQDN
redial = yes
redial timeout = 15
max redials = 99
refuse chap = yes
require pap = yes
require authentication = yes
name = USERNAME
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes


============ options.xl2tpd.client ============

ipcp-accept-local
ipcp-accept-remote
require-pap
refuse-eap
refuse-chap
crtscts
idle 0
mtu 2410
mru 2410
defaultroute
connect-delay 5000
lcp-echo-interval 60
lcp-echo-failure 3
lock
noauth
#debug
#dump
#logfd 2
#logfile /var/log/xl2tpd-client.log
nodeflate
noccp
novj
novjccomp
nopcomp
noaccomp


The above openswan + xl2tpd setup works fine (but is slow and CPU 
intensive).


============ openl2tpd.conf ============

ppp profile modify profile_name=default \
    auth_eap=no auth_chap=no \
    auth_mschapv1=no auth_mschapv2=no

tunnel create tunnel_name=katalix dest_ipaddr=SERVER_IP \
    persist=yes

session create tunnel_name=katalix \
    session_name=katalix \
    user_name=USERNAME \
    user_password=PASSWORD

#session profile modify profile_name=default \
#   use_sequence_numbers=yes \
#   reorder_timeout=10



============ OUTPUTS ============

root at OpenWrt:~# ipsec auto --up vpdn

104 "vpdn-access" #1: STATE_MAIN_I1: initiate
003 "vpdn-access" #1: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "vpdn-access" #1: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
106 "vpdn-access" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpdn-access" #1: received Vendor ID payload [XAUTH]
003 "vpdn-access" #1: received Vendor ID payload [Dead Peer Detection]
003 "vpdn-access" #1: received Vendor ID payload [Cisco-Unity]
003 "vpdn-access" #1: ignoring unknown Vendor ID payload 
[e9e14995f28f7569c26cd4ece30152e6]
003 "vpdn-access" #1: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "vpdn-access" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vpdn-access" #1: STATE_MAIN_I4: ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp1024}
117 "vpdn-access" #2: STATE_QUICK_I1: initiate
003 "vpdn-access" #2: ignoring informational payload, type 
IPSEC_RESPONDER_LIFETIME msgid=bd3efba0
004 "vpdn-access" #2: STATE_QUICK_I2: sent QI2, IPsec SA established 
transport mode {ESP=>0x9e9895a3 <0x1cb29104 xfrm=3DES_0-HMAC_SHA1 
NATOA=none NATD=none DPD=none}



============ (1st try: no ipsec.so module) ============

root at OpenWrt:~# openl2tpd -f -D -c /etc/openl2tpd.conf

Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Loading plugin /usr/lib/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 59491: allocated context using profile 'default'
FSM: CCE(59491) event OPEN_REQ in state IDLE
AVP: tunl 59491: building SCCRQ message, 9 AVPs
PROTO: tunl 59491: sending SCCRQ
XPRT: tunl 59491: queuing tx packet, type 1, len 133, ns/nr 0/0
XPRT: tunl 59491: update ns to 1
XPRT: tunl 59491: adding packet to ackq, type 1, len 133, ns/nr 0/0
DATA: TX: tunl 59491/0: send 133 bytes to peer 192.153.213.6, packet ns/nr 
0/0 type 1, retry 0
FSM: CCE(59491) state change: IDLE --> WAITCTLREPLY
FUNC: tunl 59491 created
FSM: LAIC(59491/62440) event INCALL_IND in state IDLE
PROTO: tunl 59491/62440: waiting for tunnel up
FSM: LAIC(59491/62440) state change: IDLE --> WAITTUNNEL
59491/62440: creating UNIX pppd context
59491/62440: using ppp profile 'default'
XPRT: tunl 59491: set retry interval to 2
XPRT: tunl 59491: set retry interval to 4
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 1
XPRT: tunl 59491: set retry interval to 8
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 2
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 3
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 4
DATA: TX: tunl 59491/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 5
XPRT: tunl 59491: retry failure
FSM: CCE(59491) event XPRT_DOWN in state WAITCTLREPLY
FUNC: tunl 59491: starting cleanup timer
FSM: CCE(59491) state change: WAITCTLREPLY --> CLOSING
^C
Exiting
Cleaning up before exiting
L2TP: tunl 59491/62440: free when use_count=3
tunl 59491: free when use_count=4
Unloading plugin /usr/lib/openl2tp/ppp_unix.so



============ (2nd try: load ipsec.so module) ============

(note the "/sbin/setkey: Invalid argument" -- this goes away when run as a 
daemon, without -f)


root at OpenWrt:~# ln /usr/sbin/setkey /sbin/setkey
root at OpenWrt:~# openl2tpd -f -D -p ipsec.so -c/etc/openl2tpd.conf

Start, trace_flags=00000000 (debug enabled)
OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
Loading plugin /usr/lib/openl2tp/ipsec.so, version V1.1
L2TP/IPSec ephemeral port support enabled.
Loading plugin /usr/lib/openl2tp/ppp_unix.so, version V1.5
Using config file: /etc/openl2tpd.conf
FUNC: tunl 38162: allocated context using profile 'default'
tunl 38162: setting up outbound ipsec SPD entry from ac1ae41a/33290
/sbin/setkey: Invalid argument
tunl 38162: failed to up outbound ipsec SPD entry from ac1ae41a/33290
FSM: CCE(38162) event OPEN_REQ in state IDLE
AVP: tunl 38162: building SCCRQ message, 9 AVPs
PROTO: tunl 38162: sending SCCRQ
XPRT: tunl 38162: queuing tx packet, type 1, len 133, ns/nr 0/0
XPRT: tunl 38162: update ns to 1
XPRT: tunl 38162: adding packet to ackq, type 1, len 133, ns/nr 0/0
DATA: TX: tunl 38162/0: send 133 bytes to peer 192.153.213.6, packet ns/nr 
0/0 type 1, retry 0
FSM: CCE(38162) state change: IDLE --> WAITCTLREPLY
FUNC: tunl 38162 created
FSM: LAIC(38162/27745) event INCALL_IND in state IDLE
PROTO: tunl 38162/27745: waiting for tunnel up
FSM: LAIC(38162/27745) state change: IDLE --> WAITTUNNEL
38162/27745: creating UNIX pppd context
38162/27745: using ppp profile 'default'
XPRT: tunl 38162: set retry interval to 2
XPRT: tunl 38162: set retry interval to 4
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 1
XPRT: tunl 38162: set retry interval to 8
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 2
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 3
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 4
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 
0/0 type 1, retry 5
XPRT: tunl 38162: retry failure
FSM: CCE(38162) event XPRT_DOWN in state WAITCTLREPLY
FUNC: tunl 38162: starting cleanup timer
FSM: CCE(38162) state change: WAITCTLREPLY --> CLOSING
^C
Exiting
Cleaning up before exiting
L2TP: tunl 38162/27745: free when use_count=3
tunl 38162: free when use_count=4
Unloading plugin /usr/lib/openl2tp/ipsec.so
Unloading plugin /usr/lib/openl2tp/ppp_unix.so


============ (3rd try: background daemon mode) ============

root at OpenWrt:~# ln /usr/sbin/setkey /sbin/setkey
root at OpenWrt:~# openl2tpd -D -p ipsec.so -c/etc/openl2tpd.conf
root at OpenWrt:~# logread


Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Start, 
trace_flags=00000000 (debug enabled)
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: OpenL2TP V1.8, (c) 
Copyright 2004-2010 Katalix Systems Ltd.
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Loading plugin 
/usr/lib/openl2tp/ipsec.so, version V1.1
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: L2TP/IPSec ephemeral 
port support enabled.
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Loading plugin 
/usr/lib/openl2tp/ppp_unix.so, version V1.5
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: Using config file: 
/etc/openl2tpd.conf
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FUNC: tunl 59063: 
allocated context using profile 'default'
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: tunl 59063: setting 
up outbound ipsec SPD entry from ac1ae41a/44030
Nov 11 12:42:42 OpenWrt authpriv.warn pluto[1727]: pfkey_async: 
unparseable PF_KEY message: K_SADB_REGISTER len=2, errno=22, seq=0, 
pid=2142; message ignored
Nov 11 12:42:42 OpenWrt daemon.warn openl2tpd[2138]: tunl 59063: failed to 
up outbound ipsec SPD entry from ac1ae41a/44030
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) event 
OPEN_REQ in state IDLE
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: AVP: tunl 59063: 
building SCCRQ message, 9 AVPs
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: PROTO: tunl 59063: 
sending SCCRQ
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: 
queuing tx packet, type 1, len 133, ns/nr 0/0
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: 
update ns to 1
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: 
adding packet to ackq, type 1, len 133, ns/nr 0/0
Nov 11 12:42:42 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 
59063/0: send 133 bytes to peer 192.153.213.6, packet ns/nr 0/0 type 1, 
retry 0
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) state 
change: IDLE --> WAITCTLREPLY
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FUNC: tunl 59063 created
Nov 11 12:42:42 OpenWrt daemon.info openl2tpd[2138]: FSM: 
LAIC(59063/63432) event INCALL_IND in state IDLE
Nov 11 12:42:43 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: 
set retry interval to 2
Nov 11 12:42:44 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: 
set retry interval to 4
Nov 11 12:42:44 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 
59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 1
Nov 11 12:42:45 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: 
set retry interval to 8
Nov 11 12:42:45 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 
59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 2
Nov 11 12:42:47 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 
59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 3
Nov 11 12:42:48 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 
59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 4
Nov 11 12:42:49 OpenWrt daemon.debug openl2tpd[2138]: DATA: TX: tunl 
59063/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 5
Nov 11 12:42:50 OpenWrt daemon.debug openl2tpd[2138]: XPRT: tunl 59063: 
retry failure
Nov 11 12:42:50 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) event 
XPRT_DOWN in state WAITCTLREPLY
Nov 11 12:42:50 OpenWrt daemon.debug openl2tpd[2138]: FUNC: tunl 59063: 
starting cleanup timer
Nov 11 12:42:50 OpenWrt daemon.info openl2tpd[2138]: FSM: CCE(59063) state 
change: WAITCTLREPLY --> CLOSING



I'd be very grateful for some help ... I've been pulling my hair out trying to 
first get openswan (by itself) and then strongswan working with l2tp clients.

Cheers,
Bogdan.

_______________________________________________
Openl2tp-users mailing list
Openl2tp-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openl2tp-users
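Editor's note with an added example (not code from the thread, from openl2tp or from openswan). Two facts in the post can be cross-checked mechanically: openl2tpd's ipsec.so plugin announces "L2TP/IPSec ephemeral port support enabled" and then tries, and fails, to add an SPD entry "from ac1ae41a/33290", i.e. for an ephemeral UDP source port, while the posted ipsec.conf only selects traffic with leftprotoport=17/1701. The script below decodes the SPD line, reads the protoport selectors from the conn, and reports whether control packets sent from that source port can match pluto's transport-mode SA at all. Assumptions: the log excerpt and conn are constructed to mirror the post; the 8 hex digits are taken as the IPv4 address in network byte order (which gives 172.26.228.26 here; a little-endian build could print the bytes reversed); and openswan's %any port wildcard is treated as matching any port.

```python
"""Cross-check an openl2tpd trace against the openswan ipsec.conf selectors.

Added example for the thread above, not part of openl2tp or openswan.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the 2nd-try trace in the post.
SAMPLE_LOG = """\
L2TP/IPSec ephemeral port support enabled.
FUNC: tunl 38162: allocated context using profile 'default'
tunl 38162: setting up outbound ipsec SPD entry from ac1ae41a/33290
/sbin/setkey: Invalid argument
tunl 38162: failed to up outbound ipsec SPD entry from ac1ae41a/33290
PROTO: tunl 38162: sending SCCRQ
DATA: TX: tunl 38162/0: resend 133 bytes to peer SERVER_IP, packet ns/nr 0/0 type 1, retry 5
XPRT: tunl 38162: retry failure
"""

# Constructed conn with the same selectors as the ipsec.conf in the post.
SAMPLE_IPSEC_CONF = """\
conn vpdn
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    auto=add
"""

SPD_RE = re.compile(
    r"(setting up|failed to up) outbound ipsec SPD entry from ([0-9a-f]{8})/(\d+)")
PROTOPORT_RE = re.compile(
    r"^\s*(left|right)protoport\s*=\s*(\d+)/(%any|\d+)\s*$", re.M)


@dataclass
class SpdAttempt:
    src_ip: str
    src_port: int
    failed: bool


def decode_hex_ipv4(hex8: str) -> str:
    # Assumption: the 8 hex digits are the address in network byte order.
    return str(ipaddress.IPv4Address(int(hex8, 16)))


def parse_spd_attempts(log: str) -> list:
    """Collect each (ip, port) the plugin tried to add an SPD entry for."""
    attempts = {}
    for m in SPD_RE.finditer(log):
        key = (m.group(2), int(m.group(3)))
        a = attempts.setdefault(key, SpdAttempt(decode_hex_ipv4(key[0]), key[1], False))
        if m.group(1) == "failed to up":
            a.failed = True
    return list(attempts.values())


def parse_selectors(conf: str) -> dict:
    """Return {'left': (proto, port_or_None), 'right': ...}; %any -> None."""
    sel = {}
    for side, proto, port in PROTOPORT_RE.findall(conf):
        sel[side] = (int(proto), None if port == "%any" else int(port))
    return sel


def port_matches(selector_port: Optional[int], actual_port: int) -> bool:
    return selector_port is None or selector_port == actual_port


def check(log: str, conf: str) -> dict:
    attempts = parse_spd_attempts(log)
    sel = parse_selectors(conf)
    left_proto, left_port = sel.get("left", (17, None))
    findings = []
    for a in attempts:
        if a.failed:
            findings.append(
                f"plugin SPD entry for {a.src_ip}:{a.src_port} was not installed (setkey failed)")
        if left_proto == 17 and not port_matches(left_port, a.src_port):
            findings.append(
                f"UDP source port {a.src_port} is outside leftprotoport=17/{left_port}: "
                "control packets are not selected by pluto's transport SA")
    if "retry failure" in log:
        findings.append(
            "SCCRQ was never answered (retry failure); consistent with the packets "
            "leaving outside the IPsec SA and being dropped by the peer")
    covered = all(port_matches(left_port, a.src_port) for a in attempts)
    return {"attempts": attempts, "selectors": sel, "covered": covered, "findings": findings}


if __name__ == "__main__":
    for line in check(SAMPLE_LOG, SAMPLE_IPSEC_CONF)["findings"]:
        print("-", line)
```

Run against the constructed excerpt, the script reports that the plugin's own SPD entry was not installed and that port 33290 is outside the 17/1701 selector, so the only policy the box has does not cover the SCCRQ openl2tpd actually sends. Substituting `leftprotoport=17/%any` in the conn makes the port check pass, which is the condition a practitioner would want to verify on the router with `setkey -DP` or `ip xfrm policy` before looking elsewhere.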