Koozali.org formerly Contribs.org
Contribs.org Forums => General Discussion => Topic started by: tw-lewis on April 24, 2017, 04:31:55 AM
-
Development status of moving VPN to a more secure L2TP/IPsec setup and away from PPTP. I see that two years ago Reetp had been working on integrating L2TP into SME. Would anyone be able to give me an update on this?
I have tried Softether VPN with SME9 without success when following the documentation in contribs. Also, due to most ISPs actively blocking the more insecure PPTP/GRE protocols, this no longer suits the growing needs for VPN access.
So my questions are:
What is the status of L2TP/IPsec as a default feature in SME and how do I get it?
and
Has anyone else had this issue, and what were their solutions?
Thanks ALL.
-
Have you tried the various OpenVPN contribs? They are secure, reliable and NAT friendly. You can use OpenVPN Bridge for roadwarriors, and OpenVPN Site to Site to connect two SMEs (or one SME with something else, like a pfSense). There's also a routed contrib for roadwarriors where bridge is not possible (iOS, Android, ChromeOS for example).
-
So my questions are:
What is the status of L2TP/IPsec as a default feature in SME and how do I get it?
and
Has anyone else had this issue, and what were their solutions?
Thanks ALL.
Installed Softether and set it up following the wiki, sussed the gotcha that it had inadvertently introduced and borked access to apache etc.: port 443 is a no-no.. :-)
Using it on three servers, two server/gateway and one server only, using IPsec/L2TP; also played with the OpenVPN/MS-SSTP feature.. all work fine.. make sure to do the setups for port forwarding on server and router when in server-only mode.
Used the Management app from Windows, just make sure to stop it listening on 443.. set up another port if that is what you want.
This is a good resource that describes using vpncmd from the cli - https://www.digitalocean.com/community/tutorials/how-to-setup-a-multi-protocol-vpn-server-using-softether
All in all a very useful tool for amateurs/users like me... if and when it gets set up as a contrib it will be a go-to option for a VPN.
-
Lewis,
as per our discussions on IRC a little while back I hadn't got any further as I had other priorities.
I am happy to try and do a bit more work but could do with a hand :-)
Rgds
John
-
I am happy to try and do a bit more work but could do with a hand :-)
You should try with both hands, might be easier ;)
Joke aside, yes we should have a look, and also at softether. There is a bug about allowing the default port for https to be changed.
-
Hello All,
I don't really have a dev budget for this so I am wondering who else is using l2tp/ipsec on SME and is using the native clients on Android, Mac and Windows?
PPTP works well on a standard Internet connection but fails completely on 3g/4g with tethering on mobile devices.
The ideal result would be to not have to install 3rd party apps and not having to copy certs over onto all devices. This should work the same way as SME's current PPTP setup so we can easily manage client access. Would it be too hard to replace or choose between PPTP and L2TP/IPsec?
As above, SoftetherVPN will not do as it requires a Windows application to control it along with a very confusing per-user setup. I also want to avoid openvpn with PDPadmin on SME as this also takes too long to set up individual clients.
Any help would be appreciated
Regards
Lewis
-
I doubt very much anyone is currently using it. I had no real assistance when I was trying to get it working which generally means there is not much interest.
PPTP should not be used. It is a long busted flush. If we ever got L2TP/IPsec running PPTP would be rightly ditched by SME for sure.
I think I got pretty close to getting it running but fell foul of a bug in SME that was subsequently fixed. By then I had run out of play time.
I may get some time to look at where I was at over the next week.
The source is in github. It will generate most if not all of the required templates, but needs some refinement to the configs, and testing.
I don't want any money for doing anything. Just some time/help.
Note the libreswan ipsec contrib works for pure ipsec (I have used it daily for a few years). I may have some updates for it that haven't yet been pushed to cvs, but it would need revisiting to ensure it works with L2TP configs.
If you want to try and help then let me know and I can guide you through what I have so far. But you are going to have to do some legwork.....
I suggest you go and speak to Michael and tell him I'll be there for a beer at Christmas :-)
B. Rgds
John
-
FYI I have updated some stuff in the contrib but I suspect there will be a lot of breakages in there.
Available currently from my repo (I won't update CVS until this is a bit better)
https://www.reetspetit.com/smeserver/6/repoview/index.html
Safest thing is probably:
Have basic ipsec installed
yum --enablerepo=smecontribs install smeserver-libreswan
Download and install the smeserver-libreswan-xl2tpd rpm
https://www.reetspetit.com/smeserver/6/repoview/smeserver-libreswan-xl2tpd.html
yum localinstall smeserver-libreswan-xl2tpd
Add some settings as per the readme. Debug mode is enabled. Try a connection and see what goes bang (as something certainly will - probably post connection ip-up.xl2tpd issues)
Report a bug either here, or in the bug tracker (preferably)
When I get a minute I'll lob it on my test box and try it but I am too busy and spent enough time on this already.
Although sorting out the ip-up/down will take a bit of doing, the challenge is when you have a server as your DHCP server and it is using a full range of IPs. Might need some catch coding in the contrib at some point.
B. Rgds
John
-
Finally installed on a test box and realised the rpm was a mess. I have rebuilt it and it is far better now I think.
Current ver is 0.1-11
I have found a few gotchas interacting with pppd and pptpd which I am working on slowly, plus better interaction with the existing smeserver-libreswan contrib.
I'll continue to chisel away but be grateful for any assistance.
Note I fully expect this is broken so do NOT install on a production machine as there may be broken template fragments etc hanging about. A VM with roll back so you can do a clean install each time is a prerequisite. At this point I just want to get the basic templates looking right.
B. Rgds
John
-
YESSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Get in there !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I got it to work !!!!!
Needs refining, but i connected !
Will post back more in due course.
B. Rgds
John
-
Thanks John for your work on this. I think we should try to push your work into the core, to replace PPTP. While I personally prefer OpenVPN, the advantage of your solution is that there's a native client at least on Android and iOS, built right into the stock OS.
-
Thanks John for your work on this. I think we should try to push your work into the core, to replace PPTP. While I personally prefer OpenVPN, the advantage of your solution is that there's a native client at least on Android and iOS, built right into the stock OS.
Yes I understand but I see lots of people using PPTP still and this is a simple replacement that needs no other apps etc and works on most devices. It has to be better than PPTP and may get some takeup!
I need to refine some stuff a bit, and it needs some better eyes than mine on it to make it to core, but I think it is worth looking at.
-
Ok, if you want to play.
This bug refers for now:
https://bugs.contribs.org/show_bug.cgi?id=8890
You do NOT need PPTP enabled for this. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)
ONLY use a VM in server gateway mode
You need my repo to test install.
https://wiki.contribs.org/User:ReetP
yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd
That should bring everything in.
post-upgrade and reboot
Make sure the IPs you are going to issue are NOT in your server DHCP range
You need at least one user on the system - for testing it can be admin
For now we need to set the right subnet to the same as the server local subnet
Check you have a basic connection:
db ipsec_configuration show
config show dhcpd
Check the IP range. Make sure the following IPs do not conflict with the server range found.
Let's add some magic sauce, substituting x for your local IP range:
db ipsec_connections set L2TPD-PSK status enabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200 rightsubnet 192.168.x.0/24 passwd someLongSecret dpdaction clear dpddelay 10 dpdtimeout 90
Check the services are enabled:
config setprop xl2tpd status enabled;service xl2tpd start
config setprop ipsec status enabled
signal-event ipsec-update
Check you have some config files:
/etc/ipsec.conf
/etc/ipsec.d/ipsec.conf
/etc/ipsec.d/ipsec.secrets
Set up your phone.
Server Type: L2TP/IPsec PSK
Server IP
Ipsec preshared key (use the one set above)
Username admin or other local user
Password admin password or other local user
Try connecting and watch:
/var/log/messages
The DNS is hard wired to Googly stuff server for now. You can modify this in:
/etc/xl2tpd/xl2tpd.conf
(the template is in templates-custom for now)
There is a lot still to test - I have to make sure it doesn't break my existing ipsec configs for starters. If you ONLY want L2TPD/IPsec that is about all you need to do.
Sure there will be lots of bugs, and a lot of them I won't know the answers to ;-)
If you see this one, check the above bug and have a look online, as it is known but doesn't stop it working as far as I can tell:
xl2tpd[19441]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Enjoy :-)
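As an added example (not code from this thread or from the smeserver-libreswan-xl2tpd contrib), here is a small POSIX shell check for the step in the procedure above that is easiest to get wrong: the IPRangeStart/IPRangeFinish pool has to sit inside rightsubnet and must not overlap the server's DHCP range (the same point John repeats later when he says to keep the DHCP range outside the pool). It reads the key=value form that `db ipsec_connections show` and `config show dhcpd` print. The sample output embedded below is constructed, the `start`/`end` property names for the dhcpd record are an assumption, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the smeserver-libreswan-xl2tpd contrib: sanity
# check the L2TP address pool against rightsubnet and the SME DHCP range
# before running signal-event ipsec-update.

# ip2int DOTTED_QUAD -> prints the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ranges_overlap START1 END1 START2 END2 -> exit 0 when the two inclusive
# ranges share at least one address, 1 otherwise
ranges_overlap() {
    s1=$(ip2int "$1"); e1=$(ip2int "$2")
    s2=$(ip2int "$3"); e2=$(ip2int "$4")
    [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]
}

# in_subnet IP CIDR -> exit 0 when IP lies inside CIDR (e.g. 192.168.97.0/24)
in_subnet() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dbprop KEY < output of "db ... show" / "config show ..." -> prints the value
dbprop() {
    sed -n "s/^ *$1=//p" | head -n 1
}

# check_l2tp_pool POOL_START POOL_END DHCP_START DHCP_END SUBNET
# Prints one line per problem and returns 1; prints OK and returns 0 when
# the pool is inside SUBNET and disjoint from the DHCP range.
check_l2tp_pool() {
    problems=0
    if ! in_subnet "$1" "$5" || ! in_subnet "$2" "$5"; then
        echo "pool $1-$2 is not inside rightsubnet $5"
        problems=1
    fi
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "pool $1-$2 overlaps DHCP range $3-$4"
        problems=1
    fi
    [ "$problems" -eq 0 ] && echo OK
    return "$problems"
}

# Constructed sample output (the dhcpd property names 'start'/'end' are an
# assumption): John's pool from the thread against a DHCP range that was
# left wide, which is exactly the conflict the thread warns about.
IPSEC_DB='L2TPD-PSK=xl2tpd
    IPRangeFinish=192.168.97.200
    IPRangeStart=192.168.97.180
    rightsubnet=192.168.97.0/24
    status=enabled'
DHCPD_CFG='dhcpd=service
    end=192.168.97.250
    start=192.168.97.65
    status=enabled'

pool_start=$(printf '%s\n' "$IPSEC_DB" | dbprop IPRangeStart)
pool_end=$(printf '%s\n' "$IPSEC_DB" | dbprop IPRangeFinish)
subnet=$(printf '%s\n' "$IPSEC_DB" | dbprop rightsubnet)
dhcp_start=$(printf '%s\n' "$DHCPD_CFG" | dbprop start)
dhcp_end=$(printf '%s\n' "$DHCPD_CFG" | dbprop end)

check_l2tp_pool "$pool_start" "$pool_end" "$dhcp_start" "$dhcp_end" "$subnet" \
    || echo "narrow the DHCP range (or move the pool) before signal-event ipsec-update"
```

On a real box replace the two sample strings with `db ipsec_connections show L2TPD-PSK` and `config show dhcpd` output; the exit status of check_l2tp_pool is what you branch on in a script.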
-
Thanks John for your work on this - I am excited to get beer in the fridge for your Xmas arrival soon! :-)
I am working with Lewis from our team in trying to find a PPTP replacement that can be used easily and ideally comes with native clients for the typical OS hence our preference for this. As much as I otherwise like OpenVPN, this would be easier to set up on individual, travelling user devices.
Thanks again for your most recent updates John, we will test asap and come back.
Michael
-
Hi Michael,
No probs. Any help appreciated. I'll try and fix whatever is broken.
Look forward to the beer !
B. Rgds
John
-
OK,
I have had a big thrash today - added a load of checks on the templates so they are empty unless stuff is enabled etc.
I have missed a patch to the smeserver-libreswan contrib in the password section so I have fixed that.
Lastly I am having to rework a load of bits in the ipsec-update script to allow for L2TPD. I also think I found some of my own bugs in there, but I am going to need a hand fixing some of the code. I'll explain later.
Once I have done what I can with ipsec-update I'll build some new RPMs but it may not be until next week now.
I'll keep you posted.
B. Rgds
John
-
Sounds great. No rush please. We will wait for you.
Thanks
Michael
-
LOL..... been trying to get my pool finished & full !!
I'd be pleased if you try it as above and let me know if a) it works for you and b) any errors.
You may see one on install for masq templates that I know about.
The work I am doing is to make the templates aware of enabled/disabled status, add some more configurable options, and make the smeserver-libreswan package more L2TP aware, especially the ipsec-update event.
If you try it just use a single L2TP ipsec connectoid. Any more may confuse ipsec-update currently, but a single one should work.... it does on my test box.
Let me know.
B. Rgds
John
-
Please see bug https://bugs.contribs.org/show_bug.cgi?id=8890
I have updated xl2tpd and libreswan rpms and I hope that they vaguely work.
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/smeserver-libreswan-xl2tpd-0.1/ipsecXl2tpd.Notes
Install.
Add your options to:
db ipsec_connections setprop L2TPD-PSK status disabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200 rightsubnet 192.168.x.0/24 passwd somesecret dpdaction clear dpddelay 10 dpdtimeout 90 DNS 208.67.222.222,208.67.220.220
config setprop xl2tpd status enabled
config setprop ipsec status enabled
signal-event ipsec-update
Pray.
-
Two small questions:
- Why do you have to set the netmask at the contrib level? I think you said it must be the same as the local network; if so, the templates of the contrib can directly read InternalInterface settings
- Why don't you push the IP of SME as DNS server to the clients, instead of external DNS?
-
Two small questions:
Why do you have to set the netmask at the contrib level? I think you said it must be the same as the local network; if so, the templates of the contrib can directly read InternalInterface settings
It probably could but a) I am no expert hence asking for help and b) I tried to keep everything separate for the time being.... it may need extra stuff for ipsec in general but can't remember. Still very much a work in progress....
Why don't you push the IP of SME as DNS servers to the clients, instead of external DNS ?
It does default to the local IP if you look. I added the ability to use other DNS if required
-
Slightly updated smeserver-libreswan rpm available - see https://bugs.contribs.org/show_bug.cgi?id=8890
Note the version number has not been raised so you need to clean metadata/reinstall
I have probably reached the limits of my ability with all of this.
It fundamentally works, but needs lots of refinements.
The L2TPD part on its own is pretty straightforward. The complex part is allowing for pure ipsec connections at the same time (though ironically you have to get a working ipsec setup before you can run L2TPD)
I think the ipsec-update script probably needs a review/rewrite along with createlinks/services/logging etc etc. The complexity in ipsec-update is due to the script trying to reset individual connections without upsetting /disconnecting others.
I have tried to make sure that any templates used are empty if connection or services are disabled.
I am happy to explain the logic and various settings to anyone interested - it is a pretty huge subject and I managed to refine it down to a set of defaults that work pretty well out of the box.
This should all work fairly seamlessly on the CLI before attempts are made to build panels because the core code may change quite comprehensively and destroy any panel work.
If the xl2tpd contrib is felt to be working sufficiently well then it should get a version bump and then go in to CVS
Please feedback here or in the bug tracker.
JC
-
Thumbs up :cool:
-
Note the version number has not been raised so you need to clean metadata/reinstall
Numbers come cheap. *Always* bump the revision number if you make changes! :-)
-
Numbers come cheap. *Always* bump the revision number if you make changes! :-)
Strangely Charlie, there is a method in my madness ;-)
I have been test building in my own repo as I have made truck loads of changes, reverting some, modding the other, as this amateur hack fumbles his way about.
If it was just in git then fine, but I have a script etc to copy from git to CVS , make a patch etc, and it gets in a right mucking fuddle with CVS if I keep bumping the version numbers - there would be a whole huge pile of patches in there by now :-)
I didn't want to end up with a big mess in CVS - I just want to push one changeset and bump.
So I have worked in git, mock built on my test box, and tested from there. Now it is about right I'll push it all to CVS (at least the Libreswan parts - xl2tpd is not in CVS yet)
I've built a xl2tpd v0.2 now. That can go in to CVS but someone will have to do it for me.
-
John,
first thanks for your huge work on this
If it was just in git then fine, but I have a script etc to copy from git to CVS , make a patch etc, and it gets in a right mucking fuddle with CVS if I keep bumping the version numbers - there would be a whole huge pile of patches in there by now :-)
I didn't want to end up with a big mess in CVS - I just want to push one changeset and bump.
That is not a problem, we love a huge number of patches rather than a big one; it is easier to see what has been done and revert one or two changes. Furthermore, it is easily deleted when bumping a complete version simply by importing a new source rpm. The buildsystem will be able to clean all at once and put the new source in place.
So I have worked in git, mock built on my test box, and tested from there. Now it is about right I'll push it all to CVS (at least the Libreswan parts - xl2tpd is not in CVS yet)
I've built a xl2tpd v0.2 now. That can go in to CVS but someone will have to do it for me.
Well, when you have time I can guide you through this. I know you already have the rights to do it on the buildsys, and it is just a matter of doing it once; you will see it is easier than translating git to cvs ;)
-
Yes I get that..... but I currently use git as a scratchpad.
I often revert stuff or otherwise bugger about. When I have something as a workable patch I push it.
Currently expended as much time as I can (wife is now nagging me), and off to the UK next week so have no time to do much more now.
-
We all have a life (and some a wife too); any time, just give a sign when available, and I will try to make room!
-
Wiki page:
https://wiki.contribs.org/Smeserver-libreswan-xl2tpd
Needs a good tidy up though
-
I have done some formatting on wiki page.
I have one question: why this requires SERVER-GATEWAY mode ?
I usually connect my servers as SERVER-ONLY and use a pfSense as firewall most of the time.
BTW: It's not because pfSense is better than SME, it's because it supports some nice tricks like load balancing and 2 internet links! ;)
Regards,
Jáder
-
I have one question: why this requires SERVER-GATEWAY mode ?
If your SME server is in server-only mode, it isn't routing traffic in and out of your network. Although it's no doubt possible to implement a VPN server in that case, it seems like your edge device (i.e., your pfSense box) is a better place for that to go (which is what I'm doing, also on a pfSense box).
-
If your SME server is in server-only mode, it isn't routing traffic in and out of your network. Although it's no doubt possible to implement a VPN server in that case, it seems like your edge device (i.e., your pfSense box) is a better place for that to go (which is what I'm doing, also on a pfSense box).
Yup, that sums it up.
Yes I am sure it could be configured for server only. Not sure about the ipsec setup but no doubt 'doable'.
Security wise I have some servers the same as Jader but in that instance I'd use the firewall/router as it undoubtedly has VPN built in and would be easier to do.
This is really for those who need to VPN in but have no other system to handle it.
Thanks to Jader for the tidy up. Any issues to report?
B. Rgds
John
-
Hello All,
I'm back!
I have just updated SME to latest version and now getting no connection to the L2TP server with ReetP's contrib.
Looks like servers are running and no errors in logs but there is no open port on lsof -i for 1701.
Anyone else run into this issue?
Thanks guys.
-
I can't do anything right now as it is late my time.
I also have the one and only G. Zartman himself winging his way to mine for the weekend....
'It isn't working' doesn't help debugging....
Can you go through exactly what you did to install please.
config ipsec show
config xl2tpd show
cat /etc/ipsec.conf
cat /etc/ipsec.d/ipsec.conf & secrets
Check in /var/log/pluto/pluto.log
Check ipsec is running with:
ipsec whack --status
It will help you a great deal to also read the libreswan docs.
You will get a better understanding of the config directives.
That should keep you busy for a bit.....
Rgds
John
P.S. tell Michael the beer bill is rising.... :-)
-
Hello All,
I'm back!
I have just updated SME to latest version and now getting no connection to the L2TP server with ReetP's contrib.
Looks like servers are running and no errors in logs but there is no open port on lsof -i for 1701.
Anyone else run into this issue?
Thanks guys.
BTW you probably don't want lsof - that lists open files. My testbox shows nothing even though l2tpd is running.
check
netstat -an |grep 1701
[root@test ~]# netstat -an |grep 1701
udp 0 0 0.0.0.0:1701 0.0.0.0:*
You can also check 4500 & 500
Rgds
John
-
cat /etc/ipsec.conf
config setup
protostack=netkey
plutodebug=none
#klipsdebug=none
plutostderrlog=/var/log/pluto/pluto.log
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:172.16.1.0/22
include /etc/ipsec.d/ipsec.conf
cat /etc/ipsec.d/ipsec.conf
conn L2TPD-PSK
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
forceencaps=yes
right=%any
rightsubnet=vhost:%no,%priv
rightprotoport=17/%any
# Using the magic port of "0" means "any one single port". This is
# a work around required for Apple OSX clients that use a randomly
# high port, but propose "0" instead of their port.
left=%defaultroute
leftprotoport=17/1701
# Apple iOS doesn't send delete notify so we need dead peer detection
# to detect vanishing clients
dpddelay=10
dpdtimeout=90
dpdaction=clear
Check in /var/log/pluto/pluto.log
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0xb1bad446) payload: deleting IPSEC State #20
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #20 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: received and ignored empty informational notification payload
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: the peer proposed: 43.243.56.132/32:17/1701 -> 192.168.222.22/32:17/1701
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: responding to Quick Mode proposal {msgid:06000000}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: us: 43.243.56.132:17/1701
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: them: 43.243.56.130[192.168.222.22]:17/1701===192.168.222.22/32
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: them: 43.243.56.130[192.168.222.22]:17/1701===192.168.222.22/32
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: keeping refhim=0 during rekey
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0xa9382650) payload: deleting IPSEC State #21
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #21 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: received and ignored empty informational notification payload
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0x3a7b3832) payload: deleting IPSEC State #22
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #22 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:23: "L2TPD-PSK" #16: deleting state (STATE_MAIN_R3)
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130: deleting connection "L2TPD-PSK"[7] 43.243.56.130 instance with peer 43.243.56.130 {isakmp=#0/ipsec=#0}
Aug 11 09:01:23: packet from 43.243.56.130:4500: received and ignored empty informational notification payload
ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.16.0.2@4500
000 interface eth0/eth0 172.16.0.2@500
000 interface eth1/eth1 43.243.56.132@4500
000 interface eth1/eth1 43.243.56.132@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.18, pluto_vendorid=OE-Libreswan-3.18
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnet: 172.16.0.0/22
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "L2TPD-PSK": 43.243.56.132:17/1701---43.243.56.134...%virtual:17/%any===vhost:?; unrouted; eroute owner: #0
000 "L2TPD-PSK": oriented; my_ip=unset; their_ip=unset
000 "L2TPD-PSK": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "L2TPD-PSK": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "L2TPD-PSK": labeled_ipsec:no;
000 "L2TPD-PSK": policy_label:unset;
000 "L2TPD-PSK": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "L2TPD-PSK": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "L2TPD-PSK": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "L2TPD-PSK": policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "L2TPD-PSK": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "L2TPD-PSK": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "L2TPD-PSK": dpd: action:clear; delay:10; timeout:90; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "L2TPD-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000
Sorry for the log spam, but pluto.log shows the connection attempt but no connection. Sorry, I used netstat and found the ports open.. funny, now lsof is showing the port.
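As an added example (not from this thread or from the contrib), the two checks John asked for above, turned into shell functions you can feed captured output to: one reads `netstat -an` and reports which of UDP 500/4500/1701 has no listener, the other reads pluto.log and separates "IPsec never negotiated" from "IPsec SAs came up but each one was torn down with in=0B out=0B", which is the pattern in the log posted above and says that the IKE/PSK side succeeded and nothing was carried over the tunnel afterwards. The sample netstat lines are constructed; the sample pluto.log lines are a subset of the ones posted above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the contrib: turn John's two
# "what do you see" checks into functions that read captured output.

# check_udp_listeners < "netstat -an" output
# Prints one line for each of the L2TP/IPsec UDP ports (500 IKE, 4500
# NAT-T, 1701 L2TP) that has no listener; prints nothing when all are bound.
check_udp_listeners() {
    listening=$(awk '$1 ~ /^udp/ { sub(/.*:/, "", $4); print $4 }')
    for port in 500 4500 1701; do
        printf '%s\n' "$listening" | grep -qx "$port" || echo "no UDP listener on $port"
    done
}

# summarize_pluto < pluto.log
# Counts the events that matter for a client attempt: SAs that reached
# "established", Delete SA notifications, and ESP byte counters at teardown.
summarize_pluto() {
    awk '
        /IPsec SA established/                  { est++ }
        /received Delete SA/                    { del++ }
        /ESP traffic information: in=0B out=0B/ { zero++; next }
        /ESP traffic information:/              { data++ }
        END { printf "established=%d deleted=%d zero_traffic=%d with_traffic=%d\n",
                     est+0, del+0, zero+0, data+0 }
    '
}

# diagnose_pluto < pluto.log -> one-line verdict derived from the counters
diagnose_pluto() {
    set -- $(summarize_pluto)
    est=${1#*=}; zero=${3#*=}; data=${4#*=}
    if [ "$est" -eq 0 ]; then
        echo "no IPsec SA established: IKE or phase 2 failing, check the PSK, ipsec.conf and UDP 500/4500"
    elif [ "$data" -eq 0 ] && [ "$zero" -gt 0 ]; then
        echo "IPsec SAs established but torn down with in=0B out=0B: nothing crossed the tunnel, look at xl2tpd/pppd and /var/log/messages next"
    else
        echo "IPsec SAs carried traffic: if the VPN still fails, look past IPsec at pppd authentication, ip-up and routing"
    fi
}

# Constructed netstat output: IKE and NAT-T bound, but nothing on 1701.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp        0      0 0.0.0.0:4500            0.0.0.0:*'

# Sample pluto.log lines: a subset of the ones posted in the thread.
PLUTO_SAMPLE='Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0xa9382650) payload: deleting IPSEC State #21
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0x3a7b3832) payload: deleting IPSEC State #22
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B'

printf '%s\n' "$NETSTAT_SAMPLE" | check_udp_listeners
printf '%s\n' "$PLUTO_SAMPLE" | summarize_pluto
printf '%s\n' "$PLUTO_SAMPLE" | diagnose_pluto
```

On a live box the same functions take `netstat -an | check_udp_listeners` and `diagnose_pluto < /var/log/pluto/pluto.log`; the verdicts are a triage hint that tells you which layer to read next, not a replacement for reading the log.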
-
Hmmm Ok.
Couple of things. Here's my test ipsec setup :
[root@test ~]# db networks show
192.168.97.0=network
Mask=255.255.255.0
SystemLocalNetwork=yes
[root@test ~]# db ipsec_connections show
L2TPD-PSK=xl2tpd
IPRangeFinish=192.168.97.200
IPRangeStart=192.168.97.180
PreviousState=enabled
connectiontype=transport
dpdaction=clear
dpddelay=10
dpdtimeout=90
passwd=#somelongpassword#
rightsubnet=192.168.97.0/24
status=enabled
[root@test ~]# config show ipsec
ipsec=service
UDPPort=500
UDPPorts=500,4500
access=public
auto=start
connectiontype=tunnel
debug=none
dpdaction=restart
dpddelay=30
dpdtimeout=10
ike=aes256-sha2_256-modp2048
ikelifetime=3600s
ipsecversion=yes
left=%defaultroute
pfs=yes
phase2=aes-256
salifetime=28800s
security=secret
status=enabled
xl2tpd=service
DNS=208.67.222.222,208.67.220.220
UDPPort=1701
debug=enabled
status=enabled
/etc/ipsec/ipsec.conf
conn L2TPD-PSK
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
forceencaps=yes
right=%any
rightsubnet=vhost:%any,%priv
rightprotoport=17/%any
# Using the magic port of "0" means "any one single port". This is
# a work around required for Apple OSX clients that use a randomly
# high port, but propose "0" instead of their port.
left=%defaultroute
leftprotoport=17/1701
# Apple iOS doesn't send delete notify so we need dead peer detection
# to detect vanishing clients
dpddelay=10
dpdtimeout=90
dpdaction=clear
/etc/ipsec.conf
config setup
protostack=netkey
plutodebug=none
#klipsdebug=none
plutostderrlog=/var/log/pluto/pluto.log
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:192.168.97.0/24
include /etc/ipsec.d/ipsec.conf
/etc/ipsec.d/ipsec.secrets
212.83.164.73 %any : PSK "#somelongpassword#"
Make sure your DHCP range is outside that of normal SME connections.
[root@test xl2tpd]# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
force userspace = yes
[lns default]
name=L2TP-VPN
ip range = 192.168.97.180-192.168.97.200
local ip = 192.168.97.1
unix authentication = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
There are some other xl2tpd files that need checking. Most show 'disabled' if something is not right. Check the templates against the actual files to see they look OK.
/etc/pam.d/ppp
/etc/ppp/ip-up.local
/etc/ppp/options.xl2tpd
/etc/ppp/papa-secrets
/etc/rc.d/init/masq
/etc/xl2tpd/xl2tpd.conf
Also check /var/log/messages for some activity on connection - pppd, ip-up etc
Rgds
John