Client VPN-connection with IPSec L2TP

Hello everyone,
I have a task to establish a client VPN connection to a corporate server using L2TP and a PSK.
It's very easy to establish such a connection in Windows XP: specify the server domain name and the preshared key, select L2TP, and specify the login and password.
But I failed to do it in my environment: openSUSE 11.3.
I establish my internet connection to my provider via VPN over PPTP successfully.
I use NetworkManager without any problem.

So I need to establish a client VPN connection to the corporate server.
I thought it would be easy to do with NetworkManager, as with my provider, but I was mistaken.
Furthermore, NetworkManager doesn't allow establishing more than one VPN connection at once.

I used the following manual as a guide: Using Linux as an L2TP/IPsec VPN client
But I failed.

I succeeded in doing it in Windows XP running in VMware Player.
I deployed openSUSE 12.1 RC2 in a virtual environment. Its network interface works in NAT mode.
The network is brought up the traditional way with 'ifup'.
But I failed. I used the same manual.

I start ipsec:

# ipsec start
Starting strongSwan 4.5.3 IPsec [starter]...

Logs in /var/log/messages:

Nov 15 14:29:38 linux-j2md ipsec_starter[6018]: Starting strongSwan 4.5.3 IPsec [starter]...
Nov 15 14:29:39 linux-j2md ipsec_starter[6026]: pluto (6027) started after 100 ms
Nov 15 14:29:39 linux-j2md pluto[6027]: Starting IKEv1 pluto daemon (strongSwan 4.5.3) THREADS SMARTCARD VENDORID CISCO_QUIRKS
Nov 15 14:29:39 linux-j2md pluto[6027]: attr-sql plugin: database URI not set
Nov 15 14:29:39 linux-j2md pluto[6027]: plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Nov 15 14:29:39 linux-j2md pluto[6027]: listening on interfaces:
Nov 15 14:29:39 linux-j2md pluto[6027]:   eth0
Nov 15 14:29:39 linux-j2md pluto[6027]:     172.16.153.133
Nov 15 14:29:39 linux-j2md pluto[6027]:     fe80::20c:29ff:fecc:e399
Nov 15 14:29:39 linux-j2md pluto[6027]: loaded plugins: curl ldap mysql sqlite aes des blowfish sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gcrypt gmp hmac xauth attr kernel-netlink resolve 
Nov 15 14:29:39 linux-j2md pluto[6027]:   including NAT-Traversal patch (Version 0.6c)
Nov 15 14:29:39 linux-j2md pluto[6027]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
Nov 15 14:29:39 linux-j2md pluto[6027]: loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 15 14:29:39 linux-j2md pluto[6027]: loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 15 14:29:39 linux-j2md pluto[6027]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Nov 15 14:29:39 linux-j2md pluto[6027]: Changing to directory '/etc/ipsec.d/crls'
Nov 15 14:29:39 linux-j2md pluto[6027]: loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 15 14:29:39 linux-j2md pluto[6027]: spawning 4 worker threads
Nov 15 14:29:39 linux-j2md pluto[6027]: listening for IKE messages
Nov 15 14:29:39 linux-j2md pluto[6027]: adding interface eth0/eth0 172.16.153.133:500
Nov 15 14:29:39 linux-j2md pluto[6027]: adding interface eth0/eth0 172.16.153.133:4500
Nov 15 14:29:39 linux-j2md pluto[6027]: adding interface lo/lo 127.0.0.1:500
Nov 15 14:29:39 linux-j2md pluto[6027]: adding interface lo/lo 127.0.0.1:4500
Nov 15 14:29:39 linux-j2md pluto[6027]: adding interface lo/lo ::1:500
Nov 15 14:29:39 linux-j2md pluto[6027]: loading secrets from "/etc/ipsec.secrets"
Nov 15 14:29:39 linux-j2md pluto[6027]:   loaded PSK secret for 172.16.153.133 <VPN-server IP-address> 
Nov 15 14:29:39 linux-j2md pluto[6027]: added connection description "l2tp-psk-client"

Bring up the connection:

# ipsec up l2tp-psk-client

Logs in /var/log/messages:

Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: initiating Main Mode
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: ignoring Vendor ID payload [4f456768495f775c414c4679]
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: received Vendor ID payload [Dead Peer Detection]
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: received Vendor ID payload [RFC 3947]
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: enabling possible NAT-traversal with method 3
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: NAT-Traversal: Result using RFC 3947: i am NATed
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: ignoring Vendor ID payload [494b457632]
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: Peer ID is ID_IPV4_ADDR: '<VPN-server IP-address>'
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #1: ISAKMP SA established
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 15 14:29:46 linux-j2md pluto[6027]: "l2tp-psk-client" #2: sent QI2, IPsec SA established {ESP=>0x4e6ab939 <0xc8fc8d34 NATOA=0.0.0.0}

As I thought, the connection was established.
Next:

# /etc/init.d/xl2tpd start
redirecting to systemctl

Logs in /var/log/messages:

Nov 15 14:30:10 linux-j2md xl2tpd[6455]: setsockopt recvref[22]: Protocol not available
Nov 15 14:30:10 linux-j2md xl2tpd[6455]: Using l2tp kernel support.
Nov 15 14:30:10 linux-j2md xl2tpd[6458]: xl2tpd version xl2tpd-1.2.4 started on linux-j2md PID:6458
Nov 15 14:30:10 linux-j2md xl2tpd[6458]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 15 14:30:10 linux-j2md xl2tpd[6458]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 15 14:30:10 linux-j2md xl2tpd[6458]: Inherited by Jeff McAdams, (C) 2002
Nov 15 14:30:10 linux-j2md xl2tpd[6458]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Nov 15 14:30:10 linux-j2md xl2tpd[6458]: Listening on IP address 0.0.0.0, port 1701
Nov 15 14:30:10 linux-j2md xl2tpd[6448]: Starting xl2tpd..done

L2TP connection:

# echo "c l2tp-psk-client" > /var/run/xl2tpd/l2tp-control

Logs in /var/log/messages:

Nov 15 14:30:42 linux-j2md xl2tpd[6458]: get_call: allocating new tunnel for host <VPN-server IP-address>, port 1701.
Nov 15 14:30:42 linux-j2md xl2tpd[6458]: Connecting to host <VPN-server domain name>, port 1701
Nov 15 14:30:42 linux-j2md xl2tpd[6458]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
Nov 15 14:30:42 linux-j2md xl2tpd[6458]: control_finish: sending SCCRQ
Nov 15 14:30:47 linux-j2md xl2tpd[6458]: Maximum retries exceeded for tunnel 31350.  Closing.

That's all; I can't establish the VPN connection.
What's wrong?
For now I have to work in the virtual environment in Windows XP.

Content of /etc/ipsec.conf:

config setup
    nat_traversal=yes
    charonstart=no

conn l2tp-psk-client
    authby=secret
    pfs=no
    rekey=yes
    keyexchange=ikev1
    keyingtries=3
    type=tunnel
    left=%defaultroute
    leftprotoport=17/1701
    right=<VPN-server domain name>
    rightprotoport=17/1701
    auto=add

Content of /etc/ipsec.secrets:

172.16.153.133 <VPN-server IP-address> : PSK "<preshared key>"

Content of /etc/xl2tpd/xl2tpd.conf:

[global]
auth file = /etc/xl2tpd/l2tp-secrets
debug state = yes
debug tunnel = yes

[lac l2tp-psk-client]
lns = <VPN-server domain name>
require chap = yes
refuse pap = yes
require authentication = yes
name = <my login>
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes

Thanks

The problem has been solved :)
strongSwan was built without the option --enable-nat-transport.
I rebuilt the RPM package from source with that option.
Now it's OK.

I made mistakes in my previous post:

  1. in ipsec.conf, the parameter "type" must be "transport"
  2. the kernel module pppol2tp must be unloaded.
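The whole procedure from the two posts above (ipsec.conf, ipsec.secrets, xl2tpd.conf, then `ipsec up`, xl2tpd and the control-file connect) with the two corrections from the follow-up applied, as an added example that is not the poster's own files or script. It assumes things the thread does not state: the server name and IP, the PPP login and the PSK file are taken from environment variables (the defaults are placeholders), PPP credentials already exist in /etc/ppp/chap-secrets, and the pppd options written to options.xl2tpd.client are a common L2TP client set rather than whatever the poster used. The check functions refuse the `type=tunnel` mistake and a world-readable secrets file before anything is started.

```shell
#!/bin/sh
# Added example, not the original poster's files: bring up a strongSwan 4.x
# (pluto) + xl2tpd L2TP/IPsec client with the two fixes from the follow-up
# applied (type=transport, pppol2tp unloaded), plus the checks a practitioner
# would want around them. Assumed, not from the page: server name/IP, login and
# the PSK file come from the environment; PPP credentials already exist in
# /etc/ppp/chap-secrets; the pppd options below are a common L2TP client set.
set -eu

CONN=${CONN:-l2tp-psk-client}
VPN_SERVER=${VPN_SERVER:-vpn.example.com}   # placeholder: right= and lns=
VPN_SERVER_IP=${VPN_SERVER_IP:-192.0.2.1}   # placeholder: ipsec.secrets index
VPN_USER=${VPN_USER:-alice}                 # placeholder PPP login
PSK_FILE=${PSK_FILE:-/root/l2tp.psk}        # PSK read from a 0600 file, never argv
ROOT=${ROOT:-}                              # install prefix; empty means the real /etc

write_configs() {
    mkdir -p "$ROOT/etc/xl2tpd" "$ROOT/etc/ppp"
    cat > "$ROOT/etc/ipsec.conf" <<EOF
config setup
    nat_traversal=yes
    charonstart=no

conn $CONN
    authby=secret
    pfs=no
    rekey=yes
    keyexchange=ikev1
    keyingtries=3
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=$VPN_SERVER
    rightprotoport=17/1701
    auto=add
EOF
    # Scope the PSK to the one peer; a bare ': PSK "..."' line is offered to anyone.
    ( umask 077; printf '%%any %s : PSK "%s"\n' "$VPN_SERVER_IP" \
        "$(cat "$PSK_FILE")" > "$ROOT/etc/ipsec.secrets" )
    cat > "$ROOT/etc/xl2tpd/xl2tpd.conf" <<EOF
[global]
auth file = /etc/xl2tpd/l2tp-secrets

[lac $CONN]
lns = $VPN_SERVER
require chap = yes
refuse pap = yes
require authentication = yes
name = $VPN_USER
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes
EOF
    # nodefaultroute: the uplink here is itself a PPTP link; route only corporate prefixes over the new ppp.
    printf '%s\n' "name $VPN_USER" noauth refuse-pap refuse-eap noccp \
        nodefaultroute "mtu 1410" "mru 1410" lock > "$ROOT/etc/ppp/options.xl2tpd.client"
}

check_ipsec_conf() {  # refuse the thread's first mistake: type=tunnel
    grep -Eq '^[[:space:]]*type=transport[[:space:]]*$' "$1" ||
        { echo "$1: type must be transport, not tunnel" >&2; return 1; }
    for side in left right; do
        grep -Eq "^[[:space:]]*${side}protoport=17/1701" "$1" ||
            { echo "$1: ${side}protoport must be 17/1701" >&2; return 1; }
    done
}

check_secrets() {  # the PSK file must not be group- or world-readable
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: must be mode 0600" >&2; return 1; }
}

wait_for() {  # wait_for SECONDS COMMAND...: poll once a second
    n=$1; shift
    while [ "$n" -gt 0 ]; do "$@" && return 0; n=$((n - 1)); sleep 1; done
    return 1
}

bring_up() {
    check_ipsec_conf "$ROOT/etc/ipsec.conf"
    check_secrets "$ROOT/etc/ipsec.secrets"
    # second fix from the follow-up: unload pppol2tp before xl2tpd starts
    if lsmod | grep -q '^pppol2tp '; then rmmod pppol2tp; fi
    before=$(ip -o link show | grep -c 'ppp[0-9]*:' || true)
    ipsec start; sleep 1
    ipsec up "$CONN"
    # do not start L2TP until the ESP SA exists: UDP/1701 must never leave in the clear
    wait_for 10 sh -c "ipsec status '$CONN' | grep -q 'IPsec SA established'"
    /etc/init.d/xl2tpd start
    wait_for 5 test -w /var/run/xl2tpd/l2tp-control
    echo "c $CONN" > /var/run/xl2tpd/l2tp-control
    wait_for 20 sh -c "[ \$(ip -o link show | grep -c 'ppp[0-9]*:' || true) -gt $before ]"
    echo "L2TP/IPsec link to $VPN_SERVER is up"
}

case "${1:-}" in
    install) write_configs ;;
    up) bring_up ;;
esac
```

Run `VPN_SERVER=... VPN_SERVER_IP=... VPN_USER=... sh l2tp-client.sh install` once as root, then `sh l2tp-client.sh up`. Two points worth keeping in mind with this setup: in transport mode IPsec protects only the UDP/1701 packets between the two hosts, and the PPP session inside carries the real traffic, so the routes you add over the new ppp interface decide what is actually tunnelled; and a PSK authenticates the server only as "whoever knows the shared key", so the key file deserves the 0600 mode the check insists on.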