I'm trying to connect to a ipsec/l2tp vpn from a private network behind a nat-router. It works from different windows clients, but from my linux machine (openSuSE 12.3, stronswan 5.1.3, xl2tp 1.3.0) I don't manage to connect. First problem was, that the server seems to handle just IKE v1 protocol. "keyexchange = ikev1" in ipsec.conf solved this issue. Now "ipsec statusall" shows:
Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-53-desktop, x86_64):
uptime: 6 minutes, since Dec 20 01:08:01 2016
malloc: sbrk 2838528, mmap 0, used 652816, free 2185712
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
client_ip
Connections:
L2TP-PSK: %any...server_ip IKEv1
L2TP-PSK: local: [client_ip] uses pre-shared key authentication
L2TP-PSK: remote: [server_ip] uses pre-shared key authentication
L2TP-PSK: child: dynamic[udp] === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
L2TP-PSK[1]: ESTABLISHED 6 minutes ago, client_ip[client_ip]...server_ip[server_ip]
L2TP-PSK[1]: IKEv1 SPIs: a505b49c4edac068_i* 829bf572900386be_r, pre-shared key reauthentication in 7 hours
L2TP-PSK[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
So everything seems fine on the side of ipsec When starting the l2tp protocol with "echo "c connection_name" > /var/run/xl2tpd/l2tp-control" I just see some timeouts in the systemlog:
xl2tpd[16779]: get_call: allocating new tunnel for host server_ip, port 1701.
xl2tpd[16779]: Connecting to host server_ip, port 1701
xl2tpd[16779]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
xl2tpd[16779]: control_finish: sending SCCRQ
xl2tpd[16779]: network_thread: select timeout
... (5x)
Maximum retries exceeded for tunnel 55245. Closing.
network_thread: select timeout
... (5x)
Unable to deliver closing message for tunnel 55245. Destroying anyway.
Watching the traffic with
tcpdump host server_ip and port l2tp
shows only the following:
12:58:39.221494 IP client_ip.l2f > server_ip.l2f: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(my_site) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(49091) *RECV_WIN_SIZE(4)
repeatet 5 times and later 3 times:
12:58:44.226892 IP client_ip.l2f > server_ip.l2f: l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49091) *RESULT_CODE(1/0 Timeout)
Obviously there is no answer from the server to the l2tp packages. But as said before, it works with several windows clients What could be wrong?
What can I do, to get more information about the l2tp connection?
I switched on all debugging option in the xl2tp.conf already. Here are my conf-files:
ipsec.conf
conn L2TP-PSK
keyexchange = ikev1
authby=secret
auto=start
keying=1
rekey=yes
ikelifetime=8h
keylife=1h
type=transport
left=%any
leftprotoport=udp/%any
right=server_ip
rightprotoport=udp/l2tp
xl2tp.conf
[global]
access control = yes
auth file = /etc/xl2tpd/l2tp-secrets
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
[lac connection_name]
lns = server-ip
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.connection_name
length bit = yes
require authentication = yes
require chap = yes
refuse pap = yes
name = my_loginname
I was able to get this working in my case (Ubuntu) by using the NetworkManager L2TP plugin and forcing only the specific encryption algorithm supported by the server.
To discover the algorithms supported by your server you can use
ike-scan
which may be in the package repository or you can find an equivalent script here.Then once you know the supported protocols you can put them into the config files or use the GUI by installing the below.
http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/
http://disq.us/p/1jcput9