Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)

OP
A

Anonymous

Guest


ssh2 said:
I have another questions on configurations.
You have this: [User somewhere in NET] -> [Modem/Router with white dynamic IP] -> [VPN Server in DMZ] -> [LAN].

This is no more true, see Part III of the present Howto:

rolfheinrich said:
4. ipfw/NAT for the L2TP/IPsec and PPTP Dial-In Services, all running on the same FreeBSD box

Once I wrote Part I and Part II of this Howto, my FreeBSD home server was sitting in the DMZ behind a SOHO router into the internet, and firewall/NAT was managed by the router. Recently, I connected the cable modem via USB directly to the FreeBSD box, enabled ipfw and NAT, and now it plays the role of the gateway into the internet. ...

From the point of view of the FreeBSD box, the cable modem is just another network interface, therefore, the setup described in Part III can be taken as a bare two-NIC setup, one NIC into the WAN (here the cable modem ue0), and the other NIC into the LAN (here re0). In your scheme this would mean:

[User somewhere in NET] -> [dynamic IP (ue0) - ipfw/NAT - VPN (& other services) (re0)] -> [LAN]

ssh2 said:
Can you help me with settings for this:
1) [User (ios/android/windows/osx) somewhere in NET but mostly behind NAT with gray IP (cafe, airports and other untrusted places)] -> [trusted VPN Server with white static IP and NAT for secure surfing]

2) [User (ios/android/windows/osx) somewhere in NET but mostly behind NAT with gray IP (cafe, airports and other untrusted places)] -> [trusted VPN Server with white static IP and NAT] -> [LAN in office]

For the setup, described in Part III it is completely irrelevant that ue0 got a dynamic IP, so it would work exactly the same for said IP being static. So, I assume that the described settings should simply work for both of your usage cases.

However note, that I had no luck with Windows and L2TP/IPsec. For this reason, I have running also a PPTP-VPN server, as is mentioned in Part III and described here: http://forums.freebsd.org/showthread.php?p=137792.

Best regards

Rolf
 

ssh2

New Member


Messages: 15

I don't trust that not possible use ipsec-tools on *nix with windows clients :(
Because I've seen and tested some VPN's on the internet that allow connections from windows with l2tp/ipsec enabled.

And I'm stUck on this:
Code:
2012-02-14 10:42:25: INFO: respond new phase 1 negotiation: 88.88.88.88[500]<=>1.2.3.4[500]
2012-02-14 10:42:25: INFO: begin Identity Protection mode.
2012-02-14 10:42:25: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2012-02-14 10:42:25: INFO: received Vendor ID: RFC 3947
2012-02-14 10:42:25: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-02-14 10:42:25: INFO: received Vendor ID: FRAGMENTATION
2012-02-14 10:42:25: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947
2012-02-14 10:42:25: ERROR: invalid DH group 20.
2012-02-14 10:42:25: ERROR: invalid DH group 19.
2012-02-14 10:42:25: [88.88.88.88] INFO: Hashing 88.88.88.88[500] with algo #2
2012-02-14 10:42:25: INFO: NAT-D payload #0 verified
2012-02-14 10:42:25: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
2012-02-14 10:42:25: INFO: NAT-D payload #1 doesn't match
2012-02-14 10:42:25: INFO: NAT detected: PEER
2012-02-14 10:42:25: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
2012-02-14 10:42:25: [88.88.88.88] INFO: Hashing 88.88.88.88[500] with algo #2
2012-02-14 10:42:25: INFO: Adding remote and local NAT-D payloads.
2012-02-14 10:42:25: INFO: NAT-T: ports changed to: 1.2.3.4[4500]<->88.88.88.88[4500]
2012-02-14 10:42:25: INFO: KA list add: 88.88.88.88[4500]->1.2.3.4[4500]

When I try to connect with windows 7 behind NATed office.
But when I try to connect from some place with ipad2 connection successfully.

My configs:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;
padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}
listen {
        isakmp 88.88.88.88;
        isakmp_natt 88.88.88.88 [4500];
}
timer {
        counter 5;
        interval 20 sec;
        persend 1;
        phase1 30 sec;
        phase2 15 sec;
}
remote anonymous {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        passive on;
        generate_policy off;
        proposal_check obey;
        nat_traversal on;
        ike_frag on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
}
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
}
Code:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
 

scorpizz

New Member


Messages: 8

IKE phase 1 error..?

Hi all,

First of all, thank you Rolf for the great work in putting this ipsec setup online :) But - I have been fighting a bit with this ipsec setup on a fbsd FreeBSD. Maybe there is someone who can bring some light to the following problem: Iphone / Ipad is trying to make a tunnel to the fbsd FreeBSD server where the ipsec is running but get a "server is not responding".

IOS: version 5.0.1
fbsd FreeBSD: version 8.2, fresh updated ports before install.
racoon: version 0.8.0_3 (ipsec-tools)
psk: easy pwd without special charters.
user: super (as the admin user)

All the configuration files are as the ones published earlier in this Howto. Nothing is altered. The two .diff patches have been added as well to the installation. I started off from an external IP, but had this phase 1 problem. Moved the client the LAN to bypass the router just to make sure that it was not a lack of router configuration (udp ports 500, 1701 and 4500). But same error on the LAN. I know that this probably will give some other errors later on in phase 2, when outside and inside net is the same. But let's have phase 1 up and run first.

As it can be seen from the log below, it fails to find a way to do the authentication. A lorv-parm = 65001 (racoon not seems to be very happy with this.) But where to dig further down to find the cause for this invalid authentication method? The only thing that I can see is that it falls back down through the proposals, down to "low-end" encryption as the last one, so that part is working :) But with the faulty "authentication" method on every attempt.

Best regards
Gert

This is the (long) debug from racoon:
Code:
2012-02-19 23:04:43: DEBUG: ===
2012-02-19 23:04:43: DEBUG: 572 bytes message received from 172.16.0.35[500] to 172.16.0.15[500]
2012-02-19 23:04:43: DEBUG: 
a32443d4 6879c6b1 00000000 00000000 01100200 00000000 0000023c 0d000124
00000001 00000001 00000118 01010008 03000024 01010000 800b0001 800c0e10
...
... [data deleted to save space] 
...
80010007 800e0100 8003fde9 80020002 80040002 03000024 02010000 800b0001
702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: DEBUG: ===
2012-02-19 23:04:43: INFO: respond new phase 1 negotiation: 172.16.0.15[500]<=>172.16.0.35[500]
2012-02-19 23:04:43: INFO: begin Identity Protection mode.
2012-02-19 23:04:43: DEBUG: begin.
2012-02-19 23:04:43: DEBUG: seen nptype=1(sa)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
...
... [8 lines of repeating debug message deleted]
...
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: succeed.
2012-02-19 23:04:43: INFO: received Vendor ID: RFC 3947
2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: DEBUG: received unknown Vendor ID
2012-02-19 23:04:43: DEBUG: 
4df37928 e9fc4fd1 b3262170 d515c662
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-19 23:04:43: INFO: received Vendor ID: CISCO-UNITY
2012-02-19 23:04:43: INFO: received Vendor ID: DPD
2012-02-19 23:04:43: DEBUG: remote supports DPD
2012-02-19 23:04:43: [172.16.0.35] INFO: Selected NAT-T version: RFC 3947
2012-02-19 23:04:43: DEBUG: total SA len=288
2012-02-19 23:04:43: DEBUG: 
00000001 00000001 00000118 01010008 03000024 01010000 800b0001 800c0e10
80010007 800e0100 8003fde9 80020002 80040002 03000024 02010000 800b0001
...
... [6 lines of data deleted]
...
03000020 07010000 800b0001 800c0e10 80010001 8003fde9 80020002 80040002
00000020 08010000 800b0001 800c0e10 80010001 8003fde9 80020001 80040002
2012-02-19 23:04:43: DEBUG: begin.
2012-02-19 23:04:43: DEBUG: seen nptype=2(prop)
2012-02-19 23:04:43: DEBUG: succeed.
2012-02-19 23:04:43: DEBUG: proposal #1 len=280
2012-02-19 23:04:43: DEBUG: begin.
2012-02-19 23:04:43: DEBUG: seen nptype=3(trns)
...
... [6 lines of repeating debug message deleted]
...
2012-02-19 23:04:43: DEBUG: seen nptype=3(trns)
2012-02-19 23:04:43: DEBUG: succeed.
2012-02-19 23:04:43: DEBUG: transform #1 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=256
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #2 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=128
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #3 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=256
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #4 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=128
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #5 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(3des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #6 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(3des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #7 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #8 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: ERROR: no Proposal found.
2012-02-19 23:04:43: [172.16.0.35] ERROR: failed to get valid proposal.
2012-02-19 23:04:43: [172.16.0.35] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
2012-02-19 23:04:43: [172.16.0.35] ERROR: phase1 negotiation failed.
 
OP
A

Anonymous

Guest


scorpizz said:
...
I have been fighting a bit with this ipsec setup on a FreeBSD. Maybe there is someone who can bring some light to the following problem: Iphone / Ipad is trying to make a tunnel to the FreeBSD server where the ipsec is running but get a "server is not responding".
...
...

Code:
...
012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-19 23:04:43: INFO: received Vendor ID: [color="Red"]CISCO-UNITY[/color]
...

There is probably a misunderstanding on your side. My Howto is not about setting up an IPsec tunnel connection between two dedicated endpoints, but about setting up a L2TP server that utilizes IPsec for establishing point-to-point connections in IPsec transport mode. Hence, you would not use the VPN-IPsec/Cisco client that is built-into iOS. Please try again using the VPN-L2TP/IPsec client. And as a side note, as already stated elsewhere, L2TP/IPsec connections within the same network won't work - so please try external connections only.

Best regards

Rolf
 

scorpizz

New Member


Messages: 8

Arrg,- sorry. I have mixed up the l2TP and IPSEC and very much focused on the IPSEC part. But after hitting the "right" buttons and fired up the L2TP tunnel on the iPhone, there is beginning to happen a lot more than before. After changing the ACL on the psk.txt file to "600", Racoon is not complaining about low security either and brings up the tunnel with no problems.

I just made a small test and it seems that there is no problem in start up the tunnel with an inside IP as well. Are having access to inside and outside world with the local LAN address.

Thanks for bringing me on the right track again :)

Best regards
Gert
 

ronjns

Member

Reaction score: 2
Messages: 31

Hello rolfheinrich,

First of all thanks for putting up this howto. I tried to compile ipsec-tools with the 2 patches and it failed. Any comment appreciated. I'm running FreeBSD 9 Rel. Thanks!

Code:
===>>> Returning to dependency check for security/ipsec-tools
===>>> Dependency check complete for security/ipsec-tools
===>  Cleaning for ipsec-tools-0.8.0_3

===>  Vulnerability check disabled, database not found
===>  License check disabled, port has not defined LICENSE
===>  Found saved configuration for ipsec-tools-0.8.0_3
===>  Extracting for ipsec-tools-0.8.0_3
=> SHA256 Checksum OK for ipsec-tools-0.8.0.tar.bz2.
===>  Patching for ipsec-tools-0.8.0_3
===>  Applying FreeBSD patches for ipsec-tools-0.8.0_3
2 out of 2 hunks failed--saving rejects to src/racoon/grabmyaddr.c.rej
=> Patch patch-zz-local-0.diff failed to apply cleanly.
*** Error code 1

Stop in /usr/ports/security/ipsec-tools.
*** Error code 1

Stop in /usr/ports/security/ipsec-tools.

===>>> make failed for security/ipsec-tools
===>>> Aborting update

Terminated
===>>> Installation of devel/libtool (libtool-2.4.2) complete

===>>> Deleting installed build-only dependencies


===>>> You can restart from the point of failure with this command line:
       portmaster <flags> security/ipsec-tools
 

suntzu

Member

Reaction score: 2
Messages: 21

Just modify the specific files by hand.

cd /usr/ports/security/ipsec-tools
make fetch && make extract
cd work/ipsec-tools-0.8.0/src/racoon

Edit grabmyaddr.c and localconf.c .
 
OP
A

Anonymous

Guest


ronjns said:
... I tried to compile ipsec-tools with the 2 patches and it failed. ...

Code:
...
===>  Applying FreeBSD patches for ipsec-tools-0.8.0_3
2 out of 2 hunks failed--saving rejects to src/racoon/grabmyaddr.c.rej
=> Patch patch-zz-local-0.diff failed to apply cleanly.
*** Error code 1
...

This happened already to another fellow before, see messages #22-24 of this thread.

One solution would be indeed to patch the respective files by hand, however, in the course of the next update of security/ipsec-tools the patches will be vanished.

Perhaps there is a problem with producing the patch-files by copying/pasting from the present howto. Therefore, I added a .zip package containing the patches to message #24 of this thread. I suggest that you replace your patch-files by this ones and then try it again.

Best regards

Rolf
 

ronjns

Member

Reaction score: 2
Messages: 31

Many hanks Suntzu and Rolf. I edited both files manually and it compiled with no error.

But I can't connect with my ipad2; made sure PSK is correct, restarted services etc but nada. :\

Code:
2012-03-27 17:05:16: INFO: respond new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[23348]
2012-03-27 17:05:16: INFO: begin Identity Protection mode.
2012-03-27 17:05:16: INFO: received Vendor ID: RFC 3947
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-03-27 17:05:16: INFO: received Vendor ID: DPD
2012-03-27 17:05:16: [b.b.b.b] INFO: Selected NAT-T version: RFC 3947
2012-03-27 17:05:16: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-27 17:05:16: INFO: NAT-D payload #0 doesn't match
2012-03-27 17:05:16: [b.b.b.b] INFO: Hashing b.b.b.b[23348] with algo #2
2012-03-27 17:05:16: INFO: NAT-D payload #1 doesn't match
2012-03-27 17:05:16: INFO: NAT detected: ME PEER
2012-03-27 17:05:16: [b.b.b.b] INFO: Hashing b.b.b.b[23348] with algo #2
2012-03-27 17:05:16: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-27 17:05:16: INFO: Adding remote and local NAT-D payloads.
2012-03-27 17:05:17: [b.b.b.b] ERROR: couldn't find the pskey for b.b.b.b.
2012-03-27 17:05:17: [b.b.b.b] ERROR: failed to process ph1 packet (side: 1, status: 4).
2012-03-27 17:05:17: [b.b.b.b] ERROR: phase1 negotiation failed.
 
OP
A

Anonymous

Guest


This looks to me like something with the Wildcard-PSK patch went wrong.

Please download the zipped patches from message #24, unzip 'em, and move them to:
/usr/ports/security/ipsec-tools/files/patch-zz-local-0.diff and
/usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff .

Then execute the following commands:
cd /usr/ports/security/ipsec-tools
make deinstall
make install clean
shutdown -r now

After restart, try again.

Best regards

Rolf

PS: If the file permissions of /usr/local/etc/racoon/psk.txt are too weak, then racoon would fail to load it, and racoon would report about this issue in its log file like so:
Code:
2012-03-27 08:01:42: ERROR: /usr/local/etc/racoon/psk.txt has weak file permission
2012-03-27 08:01:42: ERROR: failed to open pre_share_key file /usr/local/etc/racoon/psk.txt
2012-03-27 08:01:42: [xxx.xxx.xxx.xxx] ERROR: couldn't find the pskey for xxx.xxx.xxx.xxx.
2012-03-27 08:01:42: [xxx.xxx.xxx.xxx] ERROR: failed to process ph1 packet (side: 1, status: 4).
2012-03-27 08:01:42: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.

According to your log, this is not the issue in your case. Anyway, it might be good to strip down the permissions of said file:
chmod 600 /usr/local/etc/racoon/psk.txt

I just added this recommendation to the Howto, and also attached the 2 .diff files also there.
 

ronjns

Member

Reaction score: 2
Messages: 31

Many thanks Rolf! Please bear with me, beginner here.

I did what you suggested and the PSK error disappeared, but still my ipad2 can't connect. Could it be my firewall? I'm running PF for packet filtering, NAT and port forwarding. Log and PF rules below.

Code:
2012-03-28 11:42:42: INFO: respond new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[1760]
2012-03-28 11:42:42: INFO: begin Identity Protection mode.
2012-03-28 11:42:42: INFO: received Vendor ID: RFC 3947
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-03-28 11:42:42: INFO: received Vendor ID: DPD
2012-03-28 11:42:42: [b.b.b.b] INFO: Selected NAT-T version: RFC 3947
2012-03-28 11:42:42: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-28 11:42:42: INFO: NAT-D payload #0 doesn't match
2012-03-28 11:42:42: [b.b.b.b] INFO: Hashing b.b.b.b[1760] with algo #2
2012-03-28 11:42:42: INFO: NAT-D payload #1 doesn't match
2012-03-28 11:42:42: INFO: NAT detected: ME PEER
2012-03-28 11:42:42: [b.b.b.b] INFO: Hashing b.b.b.b[1760] with algo #2
2012-03-28 11:42:42: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-28 11:42:42: INFO: Adding remote and local NAT-D payloads.
2012-03-28 11:42:42: INFO: NAT-T: ports changed to: b.b.b.b[28453]<->a.a.a.a[4500]
2012-03-28 11:42:42: INFO: KA list add: a.a.a.a[4500]->b.b.b.b[28453]
2012-03-28 11:43:32: ERROR: phase1 negotiation failed due to time up. ee2076b60744fea5:8df9d5f6768cb634
2012-03-28 11:43:32: INFO: KA remove: a.a.a.a[4500]->b.b.b.b[28453]

Code:
# MACROS
wan="tun0"
vpn="tun1"
lan="em1"
localsubnet=$lan:network
fw="{a.a.a.a/32, b.b.b.b/32}"

# PACKET NORMALIZATION
scrub in all

# TRANSLATION
nat on $wan from $localsubnet to any -> ($wan)

# REDIRECTION
rdr log on $wan proto tcp from any to ($wan) port 1723 -> 192.168.2.254
rdr log on $wan proto udp from any to ($wan) port 1701 -> 192.168.2.254
rdr log on $wan proto udp from any to ($wan) port 500 -> 192.168.2.254
rdr log on $wan proto udp from any to ($wan) port 4500 -> 192.168.2.254

# PACKET FILTERING
antispoof log quick for ($wan)                                          # Enable anti-spoof for WAN
block in log on $wan from any to any                                    # Block all incoming traffic to WAN
pass in log on $lan from $localsubnet to any keep state                 # Pass all incoming traffic to LAN w/ source of local subnet
pass in log on $wan proto tcp from $pacnetfw to ($wan) port 22          # Pass ssh traffic from * firewall to WAN
pass in log on $wan proto tcp from $pacnetfw to ($wan) port 5222        # Pass openvpn traffic from * firewall to WAN
pass out log on $wan from ($wan) to any keep state                      # Pass all outgoing traffic to WAN w/ source of WAN interface

pass in log on $wan from any to $localsubnet
pass in log on $wan from $localsubnet to any

pass in log on $wan proto esp from any to ($wan)
pass in log on $wan proto ipencap from any to ($wan)
pass in log on $wan proto udp from any to ($wan) port isakmp
pass in log on $wan proto udp from any to ($wan) port 4500
 
OP
A

Anonymous

Guest


ronjns said:
... Could it be my firewall? I'm running PF for packet filtering, NAT and port forwarding. Log and PF rules below...

The timeout error means that the peer did not respond in time, and it might well be that this happened because the response has been catched by the firewall. However, here you catched me too, since about PF, I now only that it exist.

Few things to check.

- my IPFW setup contains two nat rules, one for incoming and another one for outgoing traffic.
- is the PF rdr rule really a nat redirection rule?
- you opened udp ports 500 and 4500, but not udp port 1701

I am sorry that I do not have a better answer for you. I am an IPFW guy, which does not mean that PF is bad, it only means that I have no idea about PF

Best regards

Rolf
 

ronjns

Member

Reaction score: 2
Messages: 31

Thanks again Rolf and Suntzu! I tried different PF rules including those suggested but nada. :\

From racoon debug I see 'invalid packet payload'. I can be wrong, but seems like client is talking to server vice versa?

Code:
2012-03-29 11:01:51: DEBUG: begin.
2012-03-29 11:01:51: DEBUG: seen nptype=5(id)
2012-03-29 11:01:51: DEBUG: invalid length of payload
2012-03-29 11:01:52: DEBUG: ===
2012-03-29 11:01:52: DEBUG: 108 bytes message received from x.x.x.x[4500] to 192.168.y.y[4500]
2012-03-29 11:01:52: DEBUG:
43244935 f8cddf04 a062018f fbdf14e2 05100201 00000000 0000006c 0f0ab042
0ddab8d5 d2b63839 fbe20ba1 1409f703 7b42c597 43891166 ccee8c59 4030703c
c275fe61 1781bdda 38aecbaa 5e3c63db 631f7610 3f2ea4fd 59952a37 cb2f3f8d
1569375a d24dd7d5 ba9cd403
2012-03-29 11:01:52: DEBUG: begin decryption.
2012-03-29 11:01:52: DEBUG: encryption(aes)
2012-03-29 11:01:52: DEBUG: IV was saved for next processing:
2012-03-29 11:01:52: DEBUG:
cb2f3f8d 1569375a d24dd7d5 ba9cd403
2012-03-29 11:01:52: DEBUG: encryption(aes)
2012-03-29 11:01:52: DEBUG: with key:
2012-03-29 11:01:52: DEBUG:
1f582951 0446d90d 690e76b2 4a14c352 96995602 c782b01e 8d244190 a0951302
2012-03-29 11:01:52: DEBUG: decrypted payload by IV:
2012-03-29 11:01:52: DEBUG:
8ad743dc cfc6f556 4d44d67c 21a3f8e2
2012-03-29 11:01:52: DEBUG: decrypted payload, but not trimed.
2012-03-29 11:01:52: DEBUG:
a6a1dae6 9003b90d 79afff1e da5eff3b a642f43c 04561222 67f02e6e 5bb8bb51
61b16ac0 80bf504e 72e8dbf7 a144ea13 6e9b0acd a23528bb 8748c57f a2ee1c59
b2c008eb 7a2b139a 793d6e54 407ac6b3
2012-03-29 11:01:52: DEBUG: padding len=180
2012-03-29 11:01:52: DEBUG: skip to trim padding.
2012-03-29 11:01:52: DEBUG: decrypted.
2012-03-29 11:01:52: DEBUG:
43244935 f8cddf04 a062018f fbdf14e2 05100201 00000000 0000006c a6a1dae6
9003b90d 79afff1e da5eff3b a642f43c 04561222 67f02e6e 5bb8bb51 61b16ac0
80bf504e 72e8dbf7 a144ea13 6e9b0acd a23528bb 8748c57f a2ee1c59 b2c008eb
7a2b139a 793d6e54 407ac6b3
2012-03-29 11:01:52: DEBUG: begin.
2012-03-29 11:01:52: DEBUG: seen nptype=5(id)
2012-03-29 11:01:52: DEBUG: invalid length of payload
2012-03-29 11:02:01: DEBUG: 232 bytes from 192.168.y.y[4500] to x.x.x.x[4500]
2012-03-29 11:02:01: DEBUG: sockname 192.168.y.y[4500]
2012-03-29 11:02:01: DEBUG: send packet from 192.168.y.y[4500]
2012-03-29 11:02:01: DEBUG: send packet to x.x.x.x[4500]
2012-03-29 11:02:01: DEBUG: 1 times of 232 bytes message will be sent to x.x.x.x[4500]
2012-03-29 11:02:01: DEBUG:
00000000 43244935 f8cddf04 a062018f fbdf14e2 04100200 00000000 000000e4
0a000084 96d62fbe e0f871e6 255a89b4 c65ca8fc 8979d9b6 bdf1a5de 7bdb6b89
e0043dbb cfb03694 7222d5fb 0d089470 e0126b15 110ea8ad 0f07314f b5698a42
22d57f0f 1126ec0e 905ab022 38745cfa dad7bf77 c4a7e5a8 d9abd136 1a40d69d
394d4231 42f794f8 bbcbd7c5 0a433ea1 1e2686b5 b2bfcad8 c89d6dd4 512abf82
0e8335d7 14000014 bf23b485 d861d33f 7169da31 b618ede5 14000018 3e237c4b
25cd28a4 e134e1af d054a7a3 44cc1143 00000018 b5cb011f 1c3e8691 b72374ee
50437584 e0cbec33
2012-03-29 11:02:01: DEBUG: resend phase1 packet 43244935f8cddf04:a062018ffbdf14e2
2012-03-29 11:02:03: DEBUG: KA: 192.168.y.y[4500]->x.x.x.x[4500]
2012-03-29 11:02:03: DEBUG: sockname 192.168.y.y[4500]
2012-03-29 11:02:03: DEBUG: send packet from 192.168.y.y[4500]
2012-03-29 11:02:03: DEBUG: send packet to x.x.x.x[4500]
2012-03-29 11:02:03: DEBUG: 1 times of 1 bytes message will be sent to x.x.x.x[4500]
2012-03-29 11:02:03: DEBUG:
ff
2012-03-29 11:02:11: DEBUG: 232 bytes from 192.168.y.y[4500] to x.x.x.x[4500]
2012-03-29 11:02:11: DEBUG: sockname 192.168.y.y[4500]
2012-03-29 11:02:11: DEBUG: send packet from 192.168.y.y[4500]
2012-03-29 11:02:11: DEBUG: send packet to x.x.x.x[4500]
2012-03-29 11:02:11: DEBUG: 1 times of 232 bytes message will be sent to x.x.x.x[4500]
2012-03-29 11:02:11: DEBUG:
00000000 43244935 f8cddf04 a062018f fbdf14e2 04100200 00000000 000000e4
0a000084 96d62fbe e0f871e6 255a89b4 c65ca8fc 8979d9b6 bdf1a5de 7bdb6b89
e0043dbb cfb03694 7222d5fb 0d089470 e0126b15 110ea8ad 0f07314f b5698a42
22d57f0f 1126ec0e 905ab022 38745cfa dad7bf77 c4a7e5a8 d9abd136 1a40d69d
394d4231 42f794f8 bbcbd7c5 0a433ea1 1e2686b5 b2bfcad8 c89d6dd4 512abf82
0e8335d7 14000014 bf23b485 d861d33f 7169da31 b618ede5 14000018 3e237c4b
25cd28a4 e134e1af d054a7a3 44cc1143 00000018 b5cb011f 1c3e8691 b72374ee
50437584 e0cbec33
2012-03-29 11:02:11: DEBUG: resend phase1 packet 43244935f8cddf04:a062018ffbdf14e2
2012-03-29 11:02:21: ERROR: phase1 negotiation failed due to time up. 43244935f8cddf04:a062018ffbdf14e2
2012-03-29 11:02:21: INFO: KA remove: 192.168.y.y[4500]->x.x.x.x[4500]
2012-03-29 11:02:21: DEBUG: KA tree dump: 192.168.y.y[4500]->x.x.x.x[4500] (in_use=1)
2012-03-29 11:02:21: DEBUG: KA removing this one...
2012-03-29 11:02:21: DEBUG: IV freed
^C2012-03-29 11:02:26: INFO: caught signal 2
2012-03-29 11:02:26: DEBUG2: flushing all ph2 handlers...
2012-03-29 11:02:26: INFO: racoon process 4390 shutdown
 

val

Member

Reaction score: 1
Messages: 39

Thanks Rolf for your great work!

With iPhone (iOS 5.1) VPN PSK works perfectly, but I can't to achieve the same result with android device (samsung galaxy s2). It's seems mpd5 doesn't receive anything from racoon and IPsec session expiring
Code:
IPsec-SA established: ESP/Transport XX.XX.XX.XX[500] -> YY.YY.YY.YY[500] spi=aabbccdd
After that only connection timeout on device :(
 
OP
A

Anonymous

Guest


val said:
... With iPhone (iOS 5.1) VPN PSK works perfectly, but I can't to achieve the same result with android device (samsung galaxy s2). It's seems mpd5 doesn't receive anything from racoon and IPsec session expiring
Code:
IPsec-SA established: ESP/Transport XX.XX.XX.XX[500] -> YY.YY.YY.YY[500] spi=aabbccdd
After that only connection timeout on device :(

I saw an Android screenshot in the net that exhibits the possibility to enable and set the L2TP secret, i.e. the login password for mpd5. This is different from the PSK. Perhaps, you forgot to enable/set this password, and for this reason the VPN client of Android is trying its luck directly with racoon.

I never got Windows to work with L2TP/IPsec, and for this reason, I have running also a PPTP-VPN server, as is mentioned in Part III of the present Howto and described in the following forum message: http://forums.freebsd.org/showthread.php?p=137792. If you cannot get Android to working with L2TP/IPsec, then perhaps you might want to give PPTP a try.

Best regards

Rolf
 

val

Member

Reaction score: 1
Messages: 39

Rolf, thank you for your quick reply.

Connection session for iPhone and android looks similar one to other. It's only one difference in iPhone: after line in racoon.log
Code:
IPsec-SA established: ESP/Transport XX.XX.XX.XX[500] -> YY.YY.YY.YY[500] spi=aabbccdd
in mpd.log exist following line:
Code:
Incoming L2TP packet from XX.XX.XX.XX 1701

L2TP secret field doesn't used in this process (or don't have effect)

And pptp works fine too.

Here full log from ipsec session:

Code:
2012-04-20 16:02:18: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[28420]
2012-04-20 16:02:18: INFO: begin Identity Protection mode.
2012-04-20 16:02:18: INFO: received Vendor ID: RFC 3947
2012-04-20 16:02:18: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-04-20 16:02:18: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-04-20 16:02:18: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2012-04-20 16:02:18: INFO: received broken Microsoft ID: FRAGMENTATION
2012-04-20 16:02:18: INFO: received Vendor ID: DPD
2012-04-20 16:02:18: [YY.YY.YY.YY] INFO: Selected NAT-T version: RFC 3947
2012-04-20 16:02:19: [XX.XX.XX.XX] INFO: Hashing XX.XX.XX.XX[500] with algo #2
2012-04-20 16:02:19: INFO: NAT-D payload #0 verified
2012-04-20 16:02:19: [YY.YY.YY.YY] INFO: Hashing YY.YY.YY.YY[28420] with algo #2
2012-04-20 16:02:19: INFO: NAT-D payload #1 doesn't match
2012-04-20 16:02:19: INFO: NAT detected: PEER
2012-04-20 16:02:19: [YY.YY.YY.YY] INFO: Hashing YY.YY.YY.YY[28420] with algo #2
2012-04-20 16:02:19: [XX.XX.XX.XX] INFO: Hashing XX.XX.XX.XX[500] with algo #2
2012-04-20 16:02:19: INFO: Adding remote and local NAT-D payloads.
2012-04-20 16:02:20: INFO: NAT-T: ports changed to: YY.YY.YY.YY[57300]<->XX.XX.XX.XX[4500]
2012-04-20 16:02:20: INFO: KA list add: XX.XX.XX.XX[4500]->YY.YY.YY.YY[57300]
2012-04-20 16:02:20: INFO: ISAKMP-SA established XX.XX.XX.XX[4500]-YY.YY.YY.YY[57300] spi:202593a6552a8869:6a6ddfa017cbd33a
2012-04-20 16:02:20: [YY.YY.YY.YY] INFO: received INITIAL-CONTACT
2012-04-20 16:02:21: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[4500]<=>YY.YY.YY.YY[57300]
2012-04-20 16:02:21: INFO: Update the generated policy : 10.91.146.15/32[0] XX.XX.XX.XX/32[1701] proto=udp dir=in
2012-04-20 16:02:21: INFO: Adjusting my encmode UDP-Transport->Transport
2012-04-20 16:02:21: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2012-04-20 16:02:22: INFO: IPsec-SA established: ESP/Transport XX.XX.XX.XX[500]->YY.YY.YY.YY[500] spi=230013636(0xdb5bac4)
2012-04-20 16:02:22: INFO: IPsec-SA established: ESP/Transport XX.XX.XX.XX[500]->YY.YY.YY.YY[500] spi=160977102(0x99850ce)
2012-04-20 16:03:47: [YY.YY.YY.YY] INFO: DPD: remote (ISAKMP-SA spi=202593a6552a8869:6a6ddfa017cbd33a) seems to be dead.
2012-04-20 16:03:47: INFO: purging ISAKMP-SA spi=202593a6552a8869:6a6ddfa017cbd33a.
2012-04-20 16:03:47: INFO: deleting a generated policy.
2012-04-20 16:03:47: INFO: purged IPsec-SA spi=230013636.
2012-04-20 16:03:47: INFO: purged ISAKMP-SA spi=202593a6552a8869:6a6ddfa017cbd33a.
2012-04-20 16:03:47: INFO: ISAKMP-SA deleted XX.XX.XX.XX[4500]-YY.YY.YY.YY[57300] spi:202593a6552a8869:6a6ddfa017cbd33a
2012-04-20 16:03:47: INFO: ISAKMP-SA deleted XX.XX.XX.XX[4500]-YY.YY.YY.YY[57300] spi:202593a6552a8869:6a6ddfa017cbd33a
2012-04-20 16:03:47: INFO: KA remove: XX.XX.XX.XX[4500]->YY.YY.YY.YY[57300]
 
OP
A

Anonymous

Guest


val,

After googling a little bit, I found the following thread on the issue:

http://code.google.com/p/android/issues/detail?id=23124.

Seems, that I cannot be of any help here, but the android team has to get their act together.

For the time being, at least PPTP is confirmed to work. I am sorry, that I do not have a better answer for you.

Best regards

Rolf
 

jr

New Member


Messages: 2

PPP over L2TP Issue

Hey Rolf,

Slightly off the topic of IPSec here but I'm hoping you can assist given your experience with MPD. It seems that the mailing list for MPD on SourceForge was removed quite some time back and I'm struggling to find any other mailing lists or user groups that seem to be active on this stuff.

We're looking for some insights on an error message we're getting from MPD and the only reference we found to this error message in Google was on a Russian site even then it was hard to tell if there was anything by way of constructive input/feedback.

So you have some background, what we're trying to do is use OpenL2TP to generate some PPP over L2TP traffic such that we can test using MPD to do tunnel switching. The intent here is to use MPD to get around a problem with one of our carrier partners whereby we need to terminate multiple L2TP tunnels from them (for multiple wholesale clients) but they don't seem willing or able to provide a different tunnel name for each client. So we're planning to use MPD to switch the PPP traffic to a new tunnel and hand it off to our Cisco LNSs.

We're running OpenL2TP 1.8 with PPP 2.4.5 on CentOS 6.2 64-Bit. Open L2TP and PPP were both compiled from source. They seem to be operating correctly (OpenL2TP tests as per the doco work fine) however when we point the L2TP at the MPD instance we strike problems with the following output/error:

Code:
Incoming L2TP packet from 27.121.90.5 51937
L2TP: Control connection 0x801c90e10 27.121.90.1 1701 <-> 27.121.90.5 51937 connected
L2TP: Incoming call #1 via connection 0x801c90e10 received
[LNS1-3] L2TP: Incoming call #1 via control connection 0x801c90e10 accepted
[LNS1-3] Link: Matched action 'forward "LAC1"'
[R-LNS1-3] Rep: INCOMING event from LNS1-3 (0)
L2TP: Initiating control connection 0x801c91110 27.121.90.4 0 <-> 27.121.90.8 1701
[LNS1-3] L2TP: Call #1 connected
L2TP: Control connection 0x801c91110 27.121.90.4 46904 <-> 27.121.90.8 1701 connected
ppp_l2tp_initiate: Operation not supported
[R-LNS1-3] Rep: DOWN event from LAC1-4 (1)
[LNS1-3] L2TP: Call #1 terminated locally
[R-LNS1-3] Rep: DOWN event from LNS1-3 (0)
[R-LNS1-3] Rep: Shutdown
[LAC1-4] Link: SHUTDOWN event
[LAC1-4] Link: Shutdown
[LNS1-3] Link: SHUTDOWN event
[LNS1-3] Link: Shutdown
L2TP: Control connection 0x801c91110 terminated: 0 (No application/session timer expired)
L2TP: Control connection 0x801c90e10 terminated: 0 (no more sessions exist in this tunnel)
L2TP: Control connection 0x801c91110 destroyed
L2TP: Control connection 0x801c90e10 destroyed

MPD is running on FreeBSD 8.2 amd64 as this seemed to be about the best supported platform for it. Initially testing looked good but once we fire up the PPP over L2TP traffic we hit this error.

We have an urgent need to get this working and would appreciate any assistance you can offer. There doesn't seem to be much available in terms of doco / insights and it doesn't look like there are a lot of options for this sort of thing in a software based platform.

Cheers,

Jules
 
OP
A

Anonymous

Guest


jr said:
... I'm struggling to find any other mailing lists or user groups that seem to be active on this stuff.

The MPD-Forum on sourceforge is quite active.

jr said:
... We’re looking for some insights on an error message we’re getting from MPD and the only reference we found to this error message in Google was on a Russian site even then it was hard to tell if there was anything by way of constructive input/feedback.

I found that thread also, and Alexander Motin, who responded at that time, and who is one of the developers and also a quite active responder on said forum, gave some advises, i.e. searching the net for LAC / LNS or at least have a look into the mpd manual. I have to admit, that I have never dealt with access concentration into a LNS. I can tell you that Alexander helped me in the other forum to get me L2TP/IPsec to working, and the advise to consult the manual, even if it sounds harsh somehow - note, he did not say RTFM - is a good one. The mpd manual is really worth a thorough reading, I was able to clarify almost all my doubts by the way of reading the respective chapters.

jr said:
... We’re running OpenL2TP 1.8 with PPP 2.4.5 on CentOS 6.2 64-Bit. Open L2TP and PPP were both compiled from source. They seem to be operating correctly (OpenL2TP tests as per the doco work fine) however whe we point the L2TP at the MPD instance we strike problems with the following output/error:

Code:
...
ppp_l2tp_initiate: Operation not supported
...

Seems as if OpenL2TP is trying to initiate something in a way that is not supported by net/mpd5. OpenL2TP claims to be the most complete L2TP client/server, which would mean that the other systems in the crowd are not that complete. Perhaps it might be possible to configure OpenL2TP down to this crowd level.

Best regards

Rolf
 

jr

New Member


Messages: 2

Hey Rolf,

Many thanks for the quick reply mate.

I appreciate you pointing out the current SourceForge forum for MPD. We hadn't found that one yet in our travels and you're right, it seems to be pretty active/current.

Actually, as luck would have it, we seem to have worked out our problem. We were trying to bind a couple of LNS IP's from our upstream carrier to a single instance of mpd and this was the cause of the issues. Initially we dropped it back to one and then massaged the config to get it workign with both.

Now it's working nicely with OpenL2TP in our test environment and we've also been able to test it with a real end client. We're just about to add some more end clients so we can start to load it up but it was performing nicely with 8-10 Mbps running over it and there was very little latency added as traffic traversed our MPD instance. I'm keen to see how the CPU utilisation scales. I had yet to install VMware Tools into FreeBSD and will do this and see if I can enable on of the accelerated network adapter types. I trust that will give us more efficiency in terms of the ratio b/w traffic and CPU utilisation.

Happy to share more of the details if it's of interest.

Best Regards,

Jules
 
OP
A

Anonymous

Guest


Hallo Jules!

jr said:
...
Actually, as luck would have it, we seem to have worked out our problem.
...
Happy to share more of the details if it's of interest.

Glad to hear, that you were able to solve the problem. I am sure, that many people (me included) would appreciate a detailed writing-up, i.e. sort of Howto setup a LAC/LNS architecture using mpd5 on FreeBSD.

Best regards

Rolf
 

fuhdan

Member


Messages: 39

Hi all

I did. the installation without NAT and firewall. Everything seems to work. I can connect. I can ping my internal webserver (Apache 2.2). But if I try to connect with a browser, it times out.
My design:

Code:
Host A ----> Router (NAT) ----> Internet ----> Router ----> Firewall ----> VPN Server ----> Host B

What is working:
  • ping from Host A to Host B
  • ping from Host B to Host A
  • SSH from Host A to the VPN Server (internal Interface)
  • SSH from the VPN Server (internal Interface) to Host A
  • SSH from the VPN Server (internal Interface) to Host B
  • SSH from Host B to the VPN Server (internal Interface)
What is NOT working:
  • SSH from Host A to Host B
  • SSH from Host B to Host A
The same with a web server; http/https is not working but ping is working both ways.

Thanks for your help.
 
OP
A

Anonymous

Guest


Things to check:

  • Network addresses of Host A and Host B need to be different, for example 192.168.65.0/24 for Host A and 192.168.66.0/24 for Host B.
    .
  • In /usr/local/etc/mpd5/mpd.conf on the VPN server, proxy-arp needs to be enabled:
    Code:
    ...
    set iface enable proxy-arp
    ...
  • In /etc/sysctl.conf on the VPN server, ip-forwarding needs to be enabled:
    Code:
    ...
    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1
    ...

In addition, perhaps you might want to post your configuration files of the VPN server and an excerpt of /var/log/racoon.log exhibiting some details of an example session.

Best regards

Rolf
 
Top