l2tpd troubleshooting on FreeBSD 11.1

[mzs47]

Hi,

I am trying to setup IPSEC/L2TP VPN client on FreeBSD 11.1, I got security/strongswan working and I can see it establish the connection, now trying to setup net/l2tpd, Following is the configuration:

/usr/local/etc/l2tp/l2tp.conf

[global]
access control = yes
Port = 1701
[lac l2tp]
lns = 3x.x.x.x
require pap = yes
pppoptfile = /etc/ppp/ppp-oh.opts
tunnel rws = 8
autodial = yes
redial = yes

The messages I see when I execute l2tpd -D -c /usr/local/etc/l2tp/l2tp.conf:

This binary does not support kernel L2TP.
l2tpd version 0.69 started on freebsd PID:6967
Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Forked by Scott Balmos and David Stipp, (C) 2001
Inhereted by Jeff McAdams, (C) 2002
FreeBSD version 11.1-RELEASE-p4 on a amd64, addr 0.0.0.0, port 1701
ourtid = 43639, entropy_buf = aa77
l2tp_call:Connecting to host 3x.x.x.x, port 1701
check_control: control, cid = 0, Ns = 0, Nr = 1
handle_avps: handling avp's for tunnel 43639, call 0
message_type_avp: message type 2 (Start-Control-Connection-Reply)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
bearer_caps_avp: supported peer bearers: analog digital
firmware_rev_avp: peer reports firmware version 264 (0x0108)
hostname_avp: peer reports hostname 'm00180A02B198'
vendor_avp: peer reports vendor 'Katalix Systems Ltd. Linux-3.18.21-meraki-x86+ (x86_64'
assigned_tunnel_avp: using peer's tunnel 54383
receive_window_size_avp: peer wants RWS of 10.  Will use flow control.
control_finish: Connection established to 3x.x.x.x, 1701.  Local: 43639, Remote: 54383.
ourcid = 37916, entropy_buf = 941c
lac_call: Calling on tunnel 43639
check_control: control, cid = 0, Ns = 1, Nr = 3
handle_avps: handling avp's for tunnel 43639, call 37916
message_type_avp: message type 11 (Incoming-Call-Reply)
assigned_call_avp: using peer's call 7817
control_finish: Call established with 3x.x.x.x, Local: 37916, Remote: 7817, Serial: 1
getPtyMaster: No more free pseudo-tty's
start_pppd: unable to allocate pty, abandoning!
write_packet: tty is not open yet.
check_control: control, cid = 0, Ns = 2, Nr = 4
write_packet: tty is not open yet.
write_packet: tty is not open yet.
write_packet: tty is not open yet.
write_packet: tty is not open yet.
write_packet: tty is not open yet.
write_packet: tty is not open yet.
write_packet: tty is not open yet.
write_packet: tty is not open yet.
write_packet: tty is not open yet.
check_control: control, cid = 0, Ns = 2, Nr = 5

Content of /etc/ppp/ppp-oh.opts

detach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-eap
refuse-chap
refuse-mschap
refuse-mschap-v2
lcp-echo-failure 0
lcp-echo-interval 0
mru 1400
mtu 1400
user MY_LDAP_ID_HERE
password MY_PASSWORD

I have similar setup on a Debian 9 VM and it works fine. I am trying to make this work.

 

[SirDice]

The configuration file is called l2tpd.conf, not l2tp.conf.

l2tpd.conf(5)

And [lac l2tp] appears to be an error. I don't think you can use spaces in a section header.

 

[mzs47]

Thanks I will check the config tomorrow at work.

I anyways passed the file explicitly using -c and got the message, thought it might be working perhaps I was missing something.
Once I get this working I'll publish a 'How to' blog.

 

[VVD]

mzs47, what is your VPN server? Can you describe your network configuration - where are white IPs, where is NAT (natd, ipfw, ipf), where is client and etc?

I have to configure L2TP over IPSec, some information wrote here: https://forums.freebsd.org/threads/61570/#post-372944

> now trying to setup net/l2tpd
Why not mpd5?

Thanks!

 

[mzs47]

VVD

So the network setup on FreeBSD 11.1 client is similar to the working setup on Debian 9.3 => https://kgibran.wordpress.com/2018/01/17/ipsec-l2tp-vpn-setup-on-debian-using-cli-tools/
I have no firewall configured on this.

I don't have much idea on net/mpd5 and I would like to try using it with security/racoon and write another blog on them. But first I want to exhaust trying all options with the setup similar to GNU/Linux.

I am trying all of these to configure the client FreeBSD 11.1 VM installed on emulators/virtualbox-ose. I don't have access to the remote VPN server, as it is managed by a corporate IT department and I was just handed details like LDAP username and password, the VPN FQDN, and the PSK/shared secret key. All the setup details are captured in the blog above, but the setup is on Debian.

I had to use security/ike-scan to scan the VPN server and actually mirror the working configuration generated by network-manager on Lubuntu 16.04 to match the security schemes being used to configure IPSEC using security/strongswan, which is working fine and I get a "connection established successfully" message.

I think I am missing something on FreeBSD as the exact same thing works on Debian.

 

[VVD]

I got almost the same:

control_finish: Call established with XXX.XXX.XXX.XXX, Local: 28014, Remote: 3, Serial: 1
getPtyMaster: No more free pseudo-tty's
start_pppd: unable to allocate pty, abandoning!
check_control: control, cid = 0, Ns = 2, Nr = 3
check_control: control, cid = 0, Ns = 2, Nr = 4

May be FreeBSD's ppp is not the same as Debian's…

I think /etc/ppp/ppp-options.opts have to be different than in your configuration for Debian:

nodetach
 usepeerdns
 noipdefault
 nodefaultroute
 noauth
 noccp
 refuse-eap
 refuse-chap
 refuse-mschap
 refuse-mschap-v2
 lcp-echo-failure 0
 lcp-echo-interval 0
 mru 1400
 mtu 1400
 user LOGIN
 password PASSWORD

 

[mzs47]

Gooood..

I will try enabling ppp debug in l2tpd config and see whether it will give me some pointers. Just need to find time during the weekdays, else on weekends I can deep dive into this and try various options.

 

[yurybx]

I will try enabling ppp debug in l2tpd config and see whether it will give me some pointers. Just need to find time during the weekdays, else on weekends I can deep dive into this and try various options.

I have the same problem! Did you manage to solve it?

 

[mzs47]

yurybx unfortunately could not continue the debug on this issue.
Hope you can see a breakthrough with FreeBSD 12.x, do share your findings.

 

[yurybx]

mzs47, in this case, I will have to add a CentOS virtual machine in which the StrongSwan+XL2TP bundle normally works (also LibreSwan+XL2TP).