openswan and xl2tpd tunnel not working?
Since weeks i want to setup l2tp tunnel with xl2tpd and openswan in debian wheezy, the external interface is ppp0 with dynamic ip and the internal interface is eth0 with ip address 192.168.1.1.
l2tp server give me the user_id, password and the preshared psk_key and it's ip 217.147.94.149.
The ipsec log show the connection is established but there is no pppx interface, these are the configuration and log files:
ipsec.conf:
version 2.0
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
oe=off
protostack=netkey
plutostderrlog=/var/log/pluto.log
interfaces="%defaultroute"
conn xltunnel
authby=secret
pfs=no
auto=add
rekey=no
type=transport
left=%defaultroute
leftnexthop=%defaultroute
leftprotoport=17/1701
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=217.147.94.149
rightid=217.147.94.149
rightprotoport=17/1701
xl2tpd.conf:
[global]
access control = no
port = 1701
ipsec saref = yes
auth file = /etc/ppp/chap-secrets
debug tunnel = yes
[lac securitykiss]
lns = 217.147.94.149
hostname = client_id
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.3
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = securitykiss
redial = yes
redial timeout = 10
max redials = 6
options.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
proxyarp
connect-delay 5000
plugin pppol2tp.so
lock
debug
name securitykiss
noccp
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
logfile /var/log/xl2tpd.log
ipsec.secrets:
217.147.94.149 %any : PSK "psk_key"
chap-secrets:
client_id securitykiss "password" *
securitykiss client_id "password" *
pluto.log:
# ipsec auto --up xltunnel
104 "xltunnel" #1: STATE_MAIN_I1: initiate
003 "xltunnel" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
003 "xltunnel" #1: received Vendor ID payload [XAUTH]
003 "xltunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "xltunnel" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "xltunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "xltunnel" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "xltunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "xltunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "xltunnel" #2: STATE_QUICK_I1: initiate
004 "xltunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xced0d73f
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
[FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [OK]
To start the l2tp tunnel i run the command:
echo "c securitykiss" > /var/run/xl2tpd/l2tp-control
But "ip link" didn't show the pppx for l2tp tunnel:
#ip link 1: lo: mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT qlen 1000 link/ether 00:07:e9:a8:ea:93 brd ff:ff:ff:ff:ff:ff 3: ppp0: mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 3 link/ppp
Solution 1:
You need to enable IP forwarding, and disable the send_redirects, as per the results of the "ipsec verify" step you did.
This should do the trick:
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
done
Then run "ipsec verify" again, and that failure should go away.