[Swan] L2TP/IPSec connection/routing problems

David Harding daveh225 at gmail.com
Sat Mar 21 21:56:14 EET 2015


Hi all!

I've been battling an L2TP/IPSec connection for a few days now and for
as much as I've searched and read I'm no nearer a solution.  It seems
to my untrained eye to be a routing issue because I can negotiate an
IPSec connection, bring up the tunnel and get an IP assigned from the
remote VPN server to ppp0.  Once I get that far I haven't been able to
figure out how to pass traffic.

My ultimate goal is a host-to-host tunnel from a remote site to a
particular server on our organization's network.  As this is just a
proof of concept project right now I'm just playing around with it
from home and I can successfully connect using MS Windows with the
limited information supplied by my company to users that need VPN
access.  So from this I'm assuming that there's nothing blocking me on
my local side.

I stripped down the ipsec.conf file to what's shown below.  This is
what works to get a successful IPSec negotiation and allow PPP to get
an IP assigned from the remote network.  It brings up ppp0, but seems
to time out after about 30 seconds and ppp0 goes away.

Of note is that I am running libreswan-3.12 on CentOS 7 (kernel
3.10?).  I have used ipsec.verify to resolve all issues with port
forwarding, rp_filter, etc.  From the man pages it seems like I don't
need anything in the config section as the defaults all suffice, but I
have added an explicit protostack entry and since this is running
systemd added plutofork=no, (not that this seems to make any
difference).

Under connections I have type=transport even though I really want a
tunnel, (I think - or does L2TP handle everything tunnel-wise and this
should be transport?).  I'm only specifying the most basic of
left/right information because when I add anything else I break it. :)
Left is specified as the local IP of the client, not the public IP of
my router.  Right is the public IP of the server.

I've also explicitly defined the phase 1 and phase 2 tunnel properties
which I got from work.  Typically if using a MS Windows client this
information isn't required, but for completeness' sake I added them
anyway.  The remote VPN is a Cisco ASA, so I've also added cisco_unity
and remote_peer_type.

This is the only setup I have found that works to the point of
getting ppp0 up with an IP address from the remote network.  I really
need help in getting to the next step of communicating with the actual
server I need.

The required settings provided by work for setting up a MS VPN Client are:

Internet address: <public ip address of VPN>
Type of VPN: L2TP/IPSec
Preshared Key: <our PSK>
Data Encryption: Require Encryption
Allowed Protocols: CHAP and MS-CHAP v2
Username and password: <me> and <mine>, (no Domain)

What I know about the remote network is that the internal IP of the
Cisco ASA is on the 172.16.0.0/16 subnet, and I know the IP of the
server I wish to reach and it's on subnet 17.18.0.0/24.  I control
everything on my home network, and even though I have a dynamically
provided IP from my ISP I can retrieve it at any time.  It's on a /20
subnet, which probably isn't unusual but I mention it anyway just in
case.  My local interface is assigned a static IP by me.  It's on the
same subnet as my Windows laptop that I can successfully connect with.

That's about all I can think of to describe where I'm at at the
moment.  Of course anything else you might need I'm happy to provide.
Right now my task for today is to do more research on iptables,
firewalld and other such fun routing stuff.  While I have tried adding
a route in various ways once I get ppp0 up and running, (as shown by
ifconfig), nothing has worked and so I haven't posted those pretty
lame attempts. :)

Thanks for any help or pointers you can provide!

Dave Harding

(Semi-)working ipsec.conf:

# basic configuration
config setup
        protostack=netkey
        plutodebug="control"
        plutofork=no

# connections
conn CPH-VPN
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=yes
        type=transport

        left=192.168.2.100
        leftprotoport=17/1701
        right=<public IP address of VPN server>
        rightprotoport=17/1701

        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024

        cisco_unity=yes
        remote_peer_type=cisco

Result of: # ipsec auto --up CPH-VPN
002 "CPH-VPN" #1: initiating Main Mode
104 "CPH-VPN" #1: STATE_MAIN_I1: initiate
003 "CPH-VPN" #1: received Vendor ID payload [RFC 3947]
003 "CPH-VPN" #1: received Vendor ID payload [FRAGMENTATION c0000000]
002 "CPH-VPN" #1: enabling possible NAT-traversal with method RFC 3947
(NAT-Traversal)
002 "CPH-VPN" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "CPH-VPN" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "CPH-VPN" #1: received Vendor ID payload [Cisco-Unity]
003 "CPH-VPN" #1: received Vendor ID payload [XAUTH]
003 "CPH-VPN" #1: ignoring unknown Vendor ID payload
[65130056889adbd3f7bdd54c62bebc5c]
003 "CPH-VPN" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "CPH-VPN" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)
sender port 500: I am behind NAT
002 "CPH-VPN" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "CPH-VPN" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "CPH-VPN" #1: received Vendor ID payload [Dead Peer Detection]
002 "CPH-VPN" #1: Main mode peer ID is ID_IPV4_ADDR: '<public IP
address of VPN server>'
002 "CPH-VPN" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "CPH-VPN" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=sha
group=MODP1024}
002 "CPH-VPN" #2: initiating Quick Mode
PSK+ENCRYPT+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1
msgid:f44507ac proposal=3DES(3)_000-SHA1(2)_000 pfsgroup=no-pfs}
117 "CPH-VPN" #2: STATE_QUICK_I1: initiate
003 "CPH-VPN" #2: ignoring informational payload
IPSEC_RESPONDER_LIFETIME, msgid=f44507ac, length=28
003 "CPH-VPN" #2: NAT-Traversal: received 2 NAT-OA. Ignored because
peer is not NATed
002 "CPH-VPN" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "CPH-VPN" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
transport mode {ESP/NAT=>0xf90314c1 <0xe00f6d08 xfrm=3DES_0-HMAC_SHA1
NATOA=none NATD=<public IP address of VPN server>:4500 DPD=passive}

ppp0 after bringing up the tunnel: # ifconfig ppp0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.29.0.45  netmask 255.255.255.255  destination <public
IP address of VPN server>
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 3  bytes 30 (30.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 30 (30.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Log file stuff: # grep 'l2tp\|ppp' /var/log/messages
Mar 21 11:37:52 cphsga xl2tpd[5423]: Not looking for kernel SAref support.
Mar 21 11:37:52 cphsga kernel: l2tp_core: L2TP core driver, V2.0
Mar 21 11:37:52 cphsga kernel: l2tp_netlink: L2TP netlink interface
Mar 21 11:37:52 cphsga kernel: l2tp_ppp: PPPoL2TP kernel driver, V2.0
Mar 21 11:37:52 cphsga xl2tpd[5423]: Using l2tp kernel support.
Mar 21 11:37:52 cphsga xl2tpd[5431]: xl2tpd version xl2tpd-1.3.6
started on cphsga PID:5431
Mar 21 11:37:52 cphsga xl2tpd[5431]: Written by Mark Spencer,
Copyright (C) 1998, Adtran, Inc.
Mar 21 11:37:52 cphsga xl2tpd[5431]: Forked by Scott Balmos and David
Stipp, (C) 2001
Mar 21 11:37:52 cphsga xl2tpd[5431]: Inherited by Jeff McAdams, (C) 2002
Mar 21 11:37:52 cphsga xl2tpd[5431]: Forked again by Xelerance
(www.xelerance.com) (C) 2006
Mar 21 11:37:52 cphsga xl2tpd[5431]: Listening on IP address 0.0.0.0, port 1701
Mar 21 11:38:22 cphsga xl2tpd[5431]: Connecting to host <public IP
address of VPN server>, port 1701
Mar 21 11:38:23 cphsga xl2tpd[5431]: Connection established to <public
IP address of VPN server>, 1701.  Local: 56038, Remote: 746 (ref=0/0).
Mar 21 11:38:23 cphsga xl2tpd[5431]: Calling on tunnel 56038
Mar 21 11:38:24 cphsga xl2tpd[5431]: Call established with <public IP
address of VPN server>, Local: 18191, Remote: 746, Serial: 1 (ref=0/0)
Mar 21 11:38:24 cphsga pppd[5447]: Plugin pppol2tp.so loaded.
Mar 21 11:38:25 cphsga pppd[5447]: pppd 2.4.5 started by root, uid 0
Mar 21 11:38:25 cphsga pppd[5447]: Using interface ppp0
Mar 21 11:38:25 cphsga pppd[5447]: Connect: ppp0 <-->
Mar 21 11:38:25 cphsga NetworkManager[886]: <info> (ppp0): new Generic
device (driver: 'unknown' ifindex: 5)
Mar 21 11:38:25 cphsga NetworkManager[886]: <info> (ppp0): exported as
/org/freedesktop/NetworkManager/Devices/4
Mar 21 11:38:29 cphsga pppd[5447]: CHAP authentication succeeded
Mar 21 11:38:31 cphsga pppd[5447]: not replacing existing default
route via 192.168.2.1
Mar 21 11:38:31 cphsga pppd[5447]: local  IP address 172.29.0.45
Mar 21 11:38:31 cphsga pppd[5447]: remote IP address <public IP
address of VPN server>
Mar 21 11:39:28 cphsga xl2tpd[5431]: Maximum retries exceeded for
tunnel 56038.  Closing.
Mar 21 11:39:28 cphsga avahi-daemon[713]: Withdrawing workstation
service for ppp0.
Mar 21 11:39:28 cphsga xl2tpd[5431]: Connection 746 closed to <public
IP address of VPN server>, port 1701 (Timeout)
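Added example, not part of the post above and not code from libreswan or xl2tpd: a small Python triage script that reads the two kinds of output Dave quoted (the `ipsec auto --up` messages and the xl2tpd/pppd syslog lines) and reports which stage of an L2TP/IPsec connection was reached and where it stalled. The sample lines embedded in it are constructed copies of the quoted output with the VPN server address replaced by the documentation placeholder 203.0.113.5; the function names, the `REMOTE_SUBNET` constant (taken from the 172.16.0.0/16 figure in the post) and the finding codes are my own.

```python
"""Triage helper for an L2TP/IPsec client: parse the `ipsec auto --up`
output and the xl2tpd/pppd syslog lines and report how far the
connection got.  Example code for this thread, not from any project."""
import re
from datetime import datetime

# Constructed samples modelled on the output quoted in the post; the VPN
# server address 203.0.113.5 is a documentation-range placeholder.
PLUTO_OUTPUT = """\
003 "CPH-VPN" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
004 "CPH-VPN" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=sha group=MODP1024}
002 "CPH-VPN" #2: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#1 msgid:f44507ac proposal=3DES(3)_000-SHA1(2)_000 pfsgroup=no-pfs}
004 "CPH-VPN" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xf90314c1 <0xe00f6d08 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=203.0.113.5:4500 DPD=passive}
"""
SYSLOG = """\
Mar 21 11:38:23 cphsga xl2tpd[5431]: Connection established to 203.0.113.5, 1701.  Local: 56038, Remote: 746 (ref=0/0).
Mar 21 11:38:24 cphsga xl2tpd[5431]: Call established with 203.0.113.5, Local: 18191, Remote: 746, Serial: 1 (ref=0/0)
Mar 21 11:38:29 cphsga pppd[5447]: CHAP authentication succeeded
Mar 21 11:38:31 cphsga pppd[5447]: not replacing existing default route via 192.168.2.1
Mar 21 11:38:31 cphsga pppd[5447]: local  IP address 172.29.0.45
Mar 21 11:38:31 cphsga pppd[5447]: remote IP address 203.0.113.5
Mar 21 11:39:28 cphsga xl2tpd[5431]: Maximum retries exceeded for tunnel 56038.  Closing.
Mar 21 11:39:28 cphsga xl2tpd[5431]: Connection 746 closed to 203.0.113.5, port 1701 (Timeout)
"""
REMOTE_SUBNET = "172.16.0.0/16"  # the ASA's inside network named in the post (assumed)
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")


def parse_pluto(text):
    """Record which IKE milestones pluto reported and the IPsec SA mode."""
    s = {"isakmp_sa": False, "ipsec_sa": False, "mode": None,
         "behind_nat": False, "pfs": None}
    for line in text.splitlines():
        if "ISAKMP SA established" in line:            # phase 1 done
            s["isakmp_sa"] = True
        m = re.search(r"IPsec SA established (\w+) mode", line)
        if m:                                          # phase 2 done
            s["ipsec_sa"], s["mode"] = True, m.group(1)
        if "I am behind NAT" in line:
            s["behind_nat"] = True
        m = re.search(r"pfsgroup=([\w-]+)", line)
        if m:
            s["pfs"] = m.group(1)
    return s


def parse_syslog(text, year=2015):
    """Extract the L2TP call and PPP milestones from xl2tpd/pppd lines."""
    s = {"call_established": None, "chap_ok": False, "local_ip": None,
         "remote_ip": None, "default_route_changed": None,
         "tunnel_closed": None, "close_reason": None}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("Call established"):
            s["call_established"] = ts
        elif "CHAP authentication succeeded" in msg:
            s["chap_ok"] = True
        elif msg.startswith("not replacing existing default route"):
            s["default_route_changed"] = False
        elif msg.startswith("Maximum retries exceeded"):
            s["tunnel_closed"] = ts
        addr = re.match(r"(local|remote) +IP address (\S+)", msg)
        if addr:
            s[f"{addr.group(1)}_ip"] = addr.group(2)
        closed = re.search(r"closed to .* \((\w+)\)$", msg)
        if closed:
            s["close_reason"] = closed.group(1)
    return s


def diagnose(pluto, l2tp, remote_subnet=REMOTE_SUBNET):
    """Return 'CODE: explanation' findings in the order the link is built."""
    out = []
    if not pluto["isakmp_sa"]:
        out.append("IKE_PHASE1_FAILED: no ISAKMP SA; check the PSK, the ike= proposal and UDP 500/4500")
    elif not pluto["ipsec_sa"]:
        out.append("IKE_PHASE2_FAILED: no IPsec SA; check phase2alg= and the 17/1701 protoports")
    elif pluto["mode"] != "transport":
        out.append(f"WRONG_MODE: IPsec SA is in {pluto['mode']} mode; L2TP/IPsec normally uses transport mode")
    else:
        nat = ", client behind NAT so ESP is UDP-encapsulated on 4500" if pluto["behind_nat"] else ""
        out.append(f"IKE_OK: ISAKMP and IPsec SAs established in transport mode{nat}")
    if l2tp["chap_ok"] and l2tp["local_ip"]:
        out.append(f"PPP_UP: CHAP succeeded, ppp0 has {l2tp['local_ip']}, peer {l2tp['remote_ip']}")
    if l2tp["default_route_changed"] is False:
        out.append(f"NO_ROUTE: pppd kept the old default route, so {remote_subnet} needs an explicit "
                   f"route (e.g. `ip route add {remote_subnet} dev ppp0`)")
    if l2tp["tunnel_closed"] and l2tp["call_established"]:
        secs = int((l2tp["tunnel_closed"] - l2tp["call_established"]).total_seconds())
        out.append(f"L2TP_TIMEOUT: xl2tpd closed the tunnel {secs}s after call setup "
                   f"({l2tp['close_reason']}); its control messages went unacknowledged, so check "
                   "that UDP 1701 inside ESP flows both ways")
    return out


if __name__ == "__main__":
    for finding in diagnose(parse_pluto(PLUTO_OUTPUT), parse_syslog(SYSLOG)):
        print(finding)
```

Run against the quoted output it reports IKE_OK, PPP_UP, NO_ROUTE and L2TP_TIMEOUT: both IKE phases and the PPP layer succeeded, no route to the remote network was installed, and the L2TP control channel stopped being acknowledged about a minute after the call came up. To use it on a live box, feed it the real `ipsec auto --up` output and `grep 'l2tp\|ppp' /var/log/messages` instead of the embedded samples.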
