SPD-records for L2TP IPSec client behind NAT


yurybx


I configured the l2tpd as instructed, but the connection is not established: "No more free pseudo-tty's".
Here is the l2tpd's log:
Code:
This binary does not support kernel L2TP.
l2tpd version 0.69 started on TEST.local PID:860
Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Forked by Scott Balmos and David Stipp, (C) 2001
Inhereted by Jeff McAdams, (C) 2002
FreeBSD version 11.2-RELEASE on a amd64, addr 0.0.0.0, port 1701
do_control: Got message c vpn-uz (8 bytes long)
ourtid = 49146, entropy_buf = bffa
l2tp_call:Connecting to host 195.149.70.70, port 1701
check_control: control, cid = 0, Ns = 0, Nr = 1
handle_avps: handling avp's for tunnel 49146, call 0
message_type_avp: message type 2 (Start-Control-Connection-Reply)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
bearer_caps_avp: supported peer bearers: analog digital
firmware_rev_avp: peer reports firmware version 4384 (0x1120)
hostname_avp: peer reports hostname 'ASA'
vendor_avp: peer reports vendor 'Cisco Systems, Inc.'
assigned_tunnel_avp: using peer's tunnel 51097
receive_window_size_avp: peer wants RWS of 16.  Will use flow control.
control_finish: Connection established to 195.149.70.70, 1701.  Local: 49146, Remote: 51097.
ourcid = 33308, entropy_buf = 821c
lac_call: Calling on tunnel 49146
check_control: control, cid = 0, Ns = 1, Nr = 2
check_control: control, cid = 0, Ns = 1, Nr = 3
handle_avps: handling avp's for tunnel 49146, call 33308
message_type_avp: message type 11 (Incoming-Call-Reply)
assigned_call_avp: using peer's call 40031
control_finish: Call established with 195.149.70.70, Local: 33308, Remote: 40031, Serial: 1
getPtyMaster: No more free pseudo-tty's
start_pppd: unable to allocate pty, abandoning!
check_control: control, cid = 40031, Ns = 2, Nr = 4
check_control: control, cid = 40031, Ns = 2, Nr = 4
handle_avps: handling avp's for tunnel 49146, call 33308
message_type_avp: message type 16 (Set-Link-Info)
ignore_avp : Ignoring AVP
check_control: control, cid = 0, Ns = 3, Nr = 4
handle_avps: handling avp's for tunnel 49146, call 0
message_type_avp: message type 6 (Hello)
check_control: control, cid = 0, Ns = 4, Nr = 4
handle_avps: handling avp's for tunnel 49146, call 0
message_type_avp: message type 6 (Hello)
check_control: control, cid = 0, Ns = 5, Nr = 4
handle_avps: handling avp's for tunnel 49146, call 0
message_type_avp: message type 6 (Hello)
...
And the StrongSwan's log at the moment of l2tpd trying to connect:
Code:
Dec 18 09:18:50 14[KNL] creating acquire job for policy 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2f] with reqid {1}
Dec 18 09:18:50 13[IKE] initiating Main Mode IKE_SA vpn-uz[1] to 195.149.70.70
Dec 18 09:18:50 13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Dec 18 09:18:50 13[NET] sending packet: from 10.1.1.99[500] to 195.149.70.70[500] (240 bytes)
Dec 18 09:18:50 14[NET] received packet: from 195.149.70.70[500] to 10.1.1.99[500] (128 bytes)
Dec 18 09:18:50 14[ENC] parsed ID_PROT response 0 [ SA V V ]
Dec 18 09:18:50 14[IKE] received NAT-T (RFC 3947) vendor ID
Dec 18 09:18:50 14[IKE] received FRAGMENTATION vendor ID
Dec 18 09:18:50 14[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 18 09:18:50 14[NET] sending packet: from 10.1.1.99[500] to 195.149.70.70[500] (244 bytes)
Dec 18 09:18:50 14[NET] received packet: from 195.149.70.70[500] to 10.1.1.99[500] (304 bytes)
Dec 18 09:18:50 14[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Dec 18 09:18:50 14[IKE] received Cisco Unity vendor ID
Dec 18 09:18:50 14[IKE] received XAuth vendor ID
Dec 18 09:18:50 14[ENC] received unknown vendor ID: d3:fd:75:e4:51:5a:08:26:b4:d6:10:2c:92:6f:6e:34
Dec 18 09:18:50 14[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Dec 18 09:18:50 14[IKE] local host is behind NAT, sending keep alives
Dec 18 09:18:50 14[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 18 09:18:50 14[NET] sending packet: from 10.1.1.99[4500] to 195.149.70.70[4500] (108 bytes)
Dec 18 09:18:50 14[NET] received packet: from 195.149.70.70[4500] to 10.1.1.99[4500] (92 bytes)
Dec 18 09:18:50 14[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Dec 18 09:18:50 14[IKE] received DPD vendor ID
Dec 18 09:18:50 14[IKE] IKE_SA vpn-uz[1] established between 10.1.1.99[10.1.1.99]...195.149.70.70[195.149.70.70]
Dec 18 09:18:50 14[IKE] scheduling reauthentication in 10227s
Dec 18 09:18:50 14[IKE] maximum IKE_SA lifetime 10767s
Dec 18 09:18:50 14[ENC] generating QUICK_MODE request 723898552 [ HASH SA No ID ID NAT-OA NAT-OA ]
Dec 18 09:18:50 14[NET] sending packet: from 10.1.1.99[4500] to 195.149.70.70[4500] (220 bytes)
Dec 18 09:18:50 14[NET] received packet: from 195.149.70.70[4500] to 10.1.1.99[4500] (188 bytes)
Dec 18 09:18:50 14[ENC] parsed QUICK_MODE response 723898552 [ HASH SA No ID ID NAT-OA NAT-OA ]
Dec 18 09:18:50 14[IKE] CHILD_SA vpn-uz{3} established with SPIs cc43a242_i 97bc78cf_o and TS 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2f]
Dec 18 09:18:50 14[ENC] generating QUICK_MODE request 723898552 [ HASH ]
Dec 18 09:18:50 14[NET] sending packet: from 10.1.1.99[4500] to 195.149.70.70[4500] (60 bytes)
Dec 18 09:19:22 16[NET] received packet: from 195.149.70.70[4500] to 10.1.1.99[4500] (76 bytes)
Dec 18 09:19:22 16[ENC] parsed INFORMATIONAL_V1 request 705272029 [ HASH D ]
Dec 18 09:19:22 16[IKE] received DELETE for ESP CHILD_SA with SPI 97bc78cf
Dec 18 09:19:22 16[IKE] closing CHILD_SA vpn-uz{3} with SPIs cc43a242_i (592 bytes) 97bc78cf_o (968 bytes) and TS 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2f]
Dec 18 09:19:22 16[NET] received packet: from 195.149.70.70[4500] to 10.1.1.99[4500] (92 bytes)
Dec 18 09:19:22 16[ENC] parsed INFORMATIONAL_V1 request 1270181315 [ HASH D ]
Dec 18 09:19:22 16[IKE] received DELETE for IKE_SA vpn-uz[1]
Dec 18 09:19:22 16[IKE] deleting IKE_SA vpn-uz[1] between 10.1.1.99[10.1.1.99]...195.149.70.70[195.149.70.70]
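Read together, the two logs say that IPsec itself comes up (NAT-T detected, IKE_SA and CHILD_SA established) and that the peer deletes the ESP SA 32 seconds later, after bytes have flowed in both directions; the failure is therefore in the L2TP/PPP layer, not in the SPD or IKE. The following Python script is an added example, not code from the thread: it correlates strongSwan's CHILD_SA establish/delete/close lines from the post's own log excerpt and flags SAs torn down by the peer within a short window (the 60-second threshold is an arbitrary choice).

```python
import re
from datetime import datetime
# Excerpt copied from the strongSwan log in the post above, used here as test input
SAMPLE_LOG = """\
Dec 18 09:18:50 14[IKE] local host is behind NAT, sending keep alives
Dec 18 09:18:50 14[IKE] CHILD_SA vpn-uz{3} established with SPIs cc43a242_i 97bc78cf_o and TS 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2f]
Dec 18 09:19:22 16[IKE] received DELETE for ESP CHILD_SA with SPI 97bc78cf
Dec 18 09:19:22 16[IKE] closing CHILD_SA vpn-uz{3} with SPIs cc43a242_i (592 bytes) 97bc78cf_o (968 bytes) and TS 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2f]
"""

LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \d+\[\w+\] (.*)$')
EST_RE = re.compile(r'CHILD_SA (\S+) established with SPIs (\w+)_i (\w+)_o')
CLOSE_RE = re.compile(r'closing CHILD_SA (\S+) with SPIs \w+_i \((\d+) bytes\) \w+_o \((\d+) bytes\)')
DEL_RE = re.compile(r'received DELETE for ESP CHILD_SA with SPI (\w+)')

def parse_ts(s):
    # syslog timestamps carry no year; strptime defaults to 1900, fine for differences
    return datetime.strptime(s, '%b %d %H:%M:%S')

def analyse(log):
    """Correlate CHILD_SA establish/delete/close lines; return (behind_nat, {sa_name: facts})."""
    sas, peer_deleted, behind_nat = {}, set(), False
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if 'local host is behind NAT' in msg:
            behind_nat = True
        elif (e := EST_RE.search(msg)):
            sas[e.group(1)] = {'spi_in': e.group(2), 'spi_out': e.group(3), 'up': parse_ts(ts),
                               'lifetime_s': None, 'in_bytes': 0, 'out_bytes': 0}
        elif (d := DEL_RE.search(msg)):
            peer_deleted.add(d.group(1))  # peer names the SPI it receives on, i.e. our outbound SPI
        elif (c := CLOSE_RE.search(msg)) and c.group(1) in sas:
            sa = sas[c.group(1)]
            sa['lifetime_s'] = (parse_ts(ts) - sa['up']).total_seconds()
            sa['in_bytes'], sa['out_bytes'] = int(c.group(2)), int(c.group(3))
    for sa in sas.values():
        sa['deleted_by_peer'] = bool({sa['spi_in'], sa['spi_out']} & peer_deleted)
    return behind_nat, sas

def diagnose(log, short_lived_s=60):
    """Flag SAs the peer tore down within short_lived_s although traffic flowed both ways."""
    behind_nat, sas = analyse(log)
    return [f"{name}: peer deleted ESP SA after {sa['lifetime_s']:.0f}s with {sa['in_bytes']} B in / "
            f"{sa['out_bytes']} B out; IPsec{' (NAT-T)' if behind_nat else ''} is up, suspect L2TP/PPP layer"
            for name, sa in sas.items()
            if sa['lifetime_s'] is not None and sa['lifetime_s'] < short_lived_s
            and sa['deleted_by_peer'] and sa['in_bytes'] and sa['out_bytes']]
```

Run `diagnose()` over a full charon log to get one line per short-lived SA; an SA that lives past the threshold or is closed locally produces no finding.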
 

obsigna


Seems that you did not configure the ppp daemon. Something like:

/usr/local/etc/l2tpd.conf:
Code:
...
pppoptfile = /etc/ppp/ppp-l2tp.opts
...
/etc/ppp/ppp-l2tp.opts
Code:
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-eap
refuse-chap
refuse-mschap
refuse-mschap-v2
lcp-echo-failure 0
lcp-echo-interval 0
mru 1410
mtu 1410
user LOGIN
password PASSWORD
I have no experience with net/l2tpd and ppp(8). At least the above should configure ppp to create an endpoint for the l2tpd connection.

See also: https://forums.freebsd.org/threads/l2tpd-troubleshooting-on-freebsd-11-1.64119/
 

lycosa32


I configured the l2tpd as instructed, but the connection is not established: "No more free pseudo-tty's".
Guys, have you managed to connect the BSD client to the ipsec/l2tp server yet? Regarding "no more pseudo-tty's", most likely you have to load the pty.ko module by executing "kldload pty". I am pulling my hair out trying to connect to my corporate VPN server. It seems a trivial task for Windows, Linux and even Android clients. I have almost the same settings in ipsec.conf and mpd.conf, and in my case StrongSwan establishes the connection, MPD5 establishes the connection too, and I can even ping the host inside the corporate network. But as soon as I try to get a file via FTP or to launch an RDP session I see exactly the same picture with "LCP: no reply to 1 echo request(s)" and I have to restart MPD5.
 

yurybx


No, I never managed to get the L2TP / IPSec connection to work. I even installed CentOS and did everything according to the instructions from the service provider, but my connection still breaks immediately after the establishment. I am at a dead end, I do not know what to do.
 