L2TP over IPsec client on Linux and Ubuntu

Finally, there is a tool that provides the required UI and generates the suitable configuration for xl2tpd, ppp and openswan to set up L2TP over IPsec on Linux with only a few clicks. I have tested it, and it works without problem with my dept.'s ASA appliance and CUHK's VPN. The only minor problem is that you had better reboot after adding a VPN connection, otherwise it will never work!! Moreover, after disconnecting, the assigned DNS servers are not restored to the original ones.

https://launchpad.net/l2tp-ipsec-vpn

Ubuntu 11.04 installation procedure:

sudo apt-add-repository ppa:werner-jaeger/ppa-werner-vpn
sudo apt-get update
sudo apt-get install l2tp-ipsec-vpn
gsettings set com.canonical.Unity.Panel systray-whitelist "['all']"
sudo shutdown -r now

http://wiki.l2tpipsecvpn.tuxfamily.org/wiki/index.php?title=Main_Page#L2TP_over_IPsec_VPN_Manager_User_Guide

http://www.tuvpn.com/en/tutorials/l2tp-ipsec-ubuntu-11-04-natty-narwhal#step-0

PS: After testing the VPN connection to my dept. VPN for a while, I found a strange problem: all connections worked without problem at the very beginning (ssh, http, etc.). However, whenever I needed to submit a form via one of my testing web servers, the connection hung and the form could never be saved. I puzzled over this problem for weeks. At last, based on my past experience configuring modem dialup, I changed the MTU of the ppp connection from the default 1500 to 1000, since sometimes you need to adjust the MTU during dialup over a WAN, and everything worked like magic!!

For my configuration at home, I need to add mtu 1000 at the end of the file /etc/ppp/IEVPN.options.xl2tpd; on my office LAN, I don't need to add this to make things work.

Extra:

http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/

5 comments to L2TP over IPsec client on Linux and Ubuntu

  • 中大undergraduate

    Hello, the problem of Ubuntu not being able to connect to the CUHK VPN has troubled me for a long time.
    I tried to follow your method but still cannot connect to the CUHK VPN.
    Isn't that remote server vpn.cuhk.edu.hk? It doesn't look like it in the screenshot.
    Please help me!!

    Log attached
    xl2tpd[1128]: death_handler: Fatal signal 15 received
    Stopping xl2tpd: xl2tpd.
    ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38-11-generic…
    Sep 11 02:31:15 CQ40 ipsec__plutorun: Starting Pluto subsystem…
    recvref[22]: Protocol not available
    xl2tpd[1957]: This binary does not support kernel L2TP.
    xl2tpd[1958]: xl2tpd version xl2tpd-1.2.6 started on CQ40 PID:1958
    xl2tpd[1958]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[1958]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[1958]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[1958]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    xl2tpd[1958]: Listening on IP address 0.0.0.0, port 1701
    Starting xl2tpd: xl2tpd.
    Sep 11 02:31:15 CQ40 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    Sep 11 02:31:16 CQ40 ipsec__plutorun: 002 added connection description “CUHK”
    003 NAT-Traversal: Trying new style NAT-T
    003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
    003 NAT-Traversal: Trying old style NAT-T
    104 “CUHK” #1: STATE_MAIN_I1: initiate
    003 “CUHK” #1: received Vendor ID payload [RFC 3947] method set to=109
    106 “CUHK” #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 “CUHK” #1: received Vendor ID payload [Cisco-Unity]
    003 “CUHK” #1: received Vendor ID payload [Dead Peer Detection]
    003 “CUHK” #1: ignoring unknown Vendor ID payload [dd4bef7cf49cdd8d64a70ddb632cbf57]
    003 “CUHK” #1: received Vendor ID payload [XAUTH]
    003 “CUHK” #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
    108 “CUHK” #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 “CUHK” #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
    117 “CUHK” #2: STATE_QUICK_I1: initiate
    003 “CUHK” #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=4d323697
    003 “CUHK” #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
    004 “CUHK” #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xcbdfe529 <0x30c5657f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
    xl2tpd[1958]: Connecting to host vpn.cuhk.edu.hk, port 1701
    xl2tpd[1958]: handle_avps: don't know how to handle atribute 110.
    xl2tpd[1958]: handle_avps: don't know how to handle atribute 111.
    xl2tpd[1958]: Connection established to 137.189.192.204, 1701. Local: 48691, Remote: 54684 (ref=0/0).
    xl2tpd[1958]: Calling on tunnel 48691
    xl2tpd[1958]: Call established with 137.189.192.204, Local: 30828, Remote: 5047, Serial: 1 (ref=0/0)
    xl2tpd[1958]: start_pppd: I'm running:
    xl2tpd[1958]: "/usr/sbin/pppd"
    xl2tpd[1958]: "passive"
    xl2tpd[1958]: "nodetach"
    xl2tpd[1958]: ":"
    xl2tpd[1958]: "file"
    xl2tpd[1958]: "/etc/ppp/CUHK.options.xl2tpd"
    xl2tpd[1958]: "/dev/pts/0"
    pppd[2171]: Plugin passprompt.so loaded.
    pppd[2171]: pppd 2.4.5 started by root, uid 0
    pppd[2171]: Using interface ppp0
    pppd[2171]: Connect: ppp0 /dev/pts/0
    pppd[2171]: No response to PAP authenticate-requests
    pppd[2171]: Connection terminated.
    pppd[2171]: Exit.
    xl2tpd[1958]: child_handler : pppd exited for call 5047 with code 19
    xl2tpd[1958]: call_close: Call 30828 to 137.189.192.204 disconnected
    xl2tpd[1958]: control_finish: Connection closed to 137.189.192.204, port 1701 (No application/session timer expired), Local: 48691, Remote: 54684
    xl2tpd[1958]: Terminating pppd: sending TERM signal to pid 2171

  • From your log, it seems that you are almost there. I suggest you try to uncheck all the EAP protocols and leave only PAP.

  • 中大undergraduate

    http://imageshack.us/photo/my-images/594/screenshotconnectionset.png/
    http://imageshack.us/photo/my-images/823/screenshotconnectionset.png/
    http://imageshack.us/photo/my-images/534/screenshotconnectionset.png/
    http://imageshack.us/photo/my-images/190/screenshotconnectionset.png/
    This is my current setting. I unchecked all the protocols except PAP and it is still not working; the log now looks like this.
    please help~~~~m(- -)m

    ipsec_setup: Stopping Openswan IPsec…
    xl2tpd[2928]: death_handler: Fatal signal 15 received
    Stopping xl2tpd: xl2tpd.
    ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38-11-generic…
    Sep 12 19:07:08 CQ40 ipsec__plutorun: Starting Pluto subsystem…
    Sep 12 19:07:08 CQ40 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    recvref[22]: Protocol not available
    xl2tpd[3211]: This binary does not support kernel L2TP.
    Starting xl2tpd: xl2tpd.
    xl2tpd[3213]: xl2tpd version xl2tpd-1.2.6 started on CQ40 PID:3213
    xl2tpd[3213]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    xl2tpd[3213]: Forked by Scott Balmos and David Stipp, (C) 2001
    xl2tpd[3213]: Inherited by Jeff McAdams, (C) 2002
    xl2tpd[3213]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    xl2tpd[3213]: Listening on IP address 0.0.0.0, port 1701
    Sep 12 19:07:08 CQ40 ipsec__plutorun: 002 added connection description “CUHK”
    Sep 12 19:07:08 CQ40 ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
    Sep 12 19:07:08 CQ40 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
    Sep 12 19:07:08 CQ40 ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
    104 “CUHK” #1: STATE_MAIN_I1: initiate
    003 “CUHK” #1: received Vendor ID payload [RFC 3947] method set to=109
    106 “CUHK” #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 “CUHK” #1: received Vendor ID payload [Cisco-Unity]
    003 “CUHK” #1: received Vendor ID payload [Dead Peer Detection]
    003 “CUHK” #1: ignoring unknown Vendor ID payload [33aa879741ccfb4ded4fbfaf8cbd021b]
    003 “CUHK” #1: received Vendor ID payload [XAUTH]
    003 “CUHK” #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
    108 “CUHK” #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 “CUHK” #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
    117 “CUHK” #2: STATE_QUICK_I1: initiate
    003 “CUHK” #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=151ddba0
    004 “CUHK” #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x4ee71270 <0xac6febca xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
    xl2tpd[3213]: Connecting to host vpn.cuhk.edu.hk, port 1701
    xl2tpd[3213]: handle_avps: don't know how to handle atribute 110.
    xl2tpd[3213]: handle_avps: don't know how to handle atribute 111.
    xl2tpd[3213]: Connection established to 137.189.192.204, 1701. Local: 34142, Remote: 40572 (ref=0/0).
    xl2tpd[3213]: Calling on tunnel 34142
    xl2tpd[3213]: Call established with 137.189.192.204, Local: 35858, Remote: 6930, Serial: 1 (ref=0/0)
    xl2tpd[3213]: start_pppd: I'm running:
    xl2tpd[3213]: "/usr/sbin/pppd"
    xl2tpd[3213]: "passive"
    xl2tpd[3213]: "nodetach"
    xl2tpd[3213]: ":"
    xl2tpd[3213]: "file"
    xl2tpd[3213]: "/etc/ppp/CUHK.options.xl2tpd"
    xl2tpd[3213]: "/dev/pts/0"
    pppd[3259]: Plugin passprompt.so loaded.
    pppd[3259]: pppd 2.4.5 started by root, uid 0
    pppd[3259]: Using interface ppp0
    pppd[3259]: Connect: ppp0 /dev/pts/0
    pppd[3259]: No response to PAP authenticate-requests
    pppd[3259]: Connection terminated.
    pppd[3259]: Exit.
    xl2tpd[3213]: child_handler : pppd exited for call 6930 with code 19
    xl2tpd[3213]: call_close: Call 35858 to 137.189.192.204 disconnected

  • Yes. I have tested it further on the CUHK VPN and got a similar result to yours. After entering the correct password, the system returns "No response to PAP authenticate-requests". I still can't figure out what happens, while the same system settings work without problem with my dept. VPN.

  • platero

    Hi, I also use this tool by following this post: http://soeasytomakeitwork.wordpress.com/2014/05/02/set-up-a-l2tpipsec-vpn-connection-on-ubuntu-desktop/

    However, after setting up the CUHK VPN or IE VPN, I get the following error

    Dec 29 15:01:40 ivp ipsec_setup: …Openswan IPsec started
    Dec 29 15:01:40 ivp pluto: adjusting ipsec.d to /etc/ipsec.d
    Dec 29 15:01:40 ivp ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    Dec 29 15:01:40 ivp ipsec__plutorun: 002 added connection description “CUHK”
    Dec 29 15:01:40 ivp ipsec__plutorun: 002 added connection description “IE”
    Dec 29 15:01:42 ivp wpa_supplicant[1287]: wlan0: CTRL-EVENT-SCAN-STARTED
    Dec 29 15:01:43 ivp pppd[25902]: Script /etc/ppp/ip-up finished (pid 25913), status = 0x0
    Dec 29 15:01:43 ivp pppd[25902]: Script /etc/ppp/ip-down started (pid 26261)
    Dec 29 15:01:43 ivp xl2tpd[25826]: death_handler: Fatal signal 15 received
    Dec 29 15:01:44 ivp pppd[25902]: Script /etc/ppp/ip-down finished (pid 26261), status = 0x1
    Dec 29 15:01:44 ivp pppd[25902]: Exit.
    Dec 29 15:01:44 ivp xl2tpd[26318]: setsockopt recvref[30]: Protocol not available
    Dec 29 15:01:44 ivp xl2tpd[26318]: This binary does not support kernel L2TP.
    Dec 29 15:01:44 ivp xl2tpd[26319]: xl2tpd version xl2tpd-1.3.6 started on ivp PID:26319
    Dec 29 15:01:44 ivp xl2tpd[26319]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    Dec 29 15:01:44 ivp xl2tpd[26319]: Forked by Scott Balmos and David Stipp, (C) 2001
    Dec 29 15:01:44 ivp xl2tpd[26319]: Inherited by Jeff McAdams, (C) 2002
    Dec 29 15:01:44 ivp xl2tpd[26319]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    Dec 29 15:01:44 ivp xl2tpd[26319]: Listening on IP address 0.0.0.0, port 1701

    Do you have any idea about this problem? Thank you!
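The logs posted in the comments above all fail at different layers of the L2TP over IPsec stack (IKE phase 1 and 2, the L2TP tunnel and call, then pppd and PAP). The script below is an added example, not code from the post or from the l2tp-ipsec-vpn tool: it walks such a log in order and reports the furthest stage reached and the failure lines seen, so the failing layer stands out. SAMPLE_LOG is a constructed excerpt modelled on the second commenter's log, with the startup banners dropped.

```python
"""Stage triage for xl2tpd / Openswan pluto / pppd client logs.

Records how far an L2TP over IPsec bring-up got (IKE phase 1, IKE phase 2,
L2TP tunnel, L2TP call, pppd start) and which failure lines appeared, so the
failing layer stands out instead of hiding among the startup banners.
"""
import re

# Milestones in bring-up order and the log text that marks each as reached.
STAGES = [
    ("ike_phase1", re.compile(r"ISAKMP SA established")),
    ("ike_phase2", re.compile(r"IPsec SA established")),
    ("l2tp_tunnel", re.compile(r"xl2tpd\[\d+\]: Connection established to")),
    ("l2tp_call", re.compile(r"xl2tpd\[\d+\]: Call established with")),
    ("pppd_started", re.compile(r"pppd\[\d+\]: Using interface ppp\d+")),
]

# Failure signatures taken from the comment logs, tied to the layer they belong to.
FAILURES = [
    ("ppp_auth", re.compile(r"No response to PAP authenticate-requests")),
    ("l2tp_call", re.compile(r"pppd exited for call \d+ with code \d+")),
]

def triage(log_text):
    """Return the stages reached in order, the last one, and the failure lines."""
    reached, failures = [], []
    for line in log_text.splitlines():
        for name, rx in STAGES:
            if name not in reached and rx.search(line):
                reached.append(name)
        for name, rx in FAILURES:
            if rx.search(line):
                failures.append((name, line.strip()))
    return {"reached": reached,
            "last_stage": reached[-1] if reached else None,
            "failures": failures}

# Constructed excerpt modelled on the comment logs above (banner lines dropped).
SAMPLE_LOG = """\
104 "CUHK" #1: STATE_MAIN_I1: initiate
004 "CUHK" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
117 "CUHK" #2: STATE_QUICK_I1: initiate
004 "CUHK" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode
xl2tpd[3213]: Connection established to 137.189.192.204, 1701. Local: 34142
xl2tpd[3213]: Call established with 137.189.192.204, Local: 35858, Remote: 6930
pppd[3259]: Using interface ppp0
pppd[3259]: No response to PAP authenticate-requests
pppd[3259]: Connection terminated.
xl2tpd[3213]: child_handler : pppd exited for call 6930 with code 19
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("furthest stage reached:", result["last_stage"])
    for stage, line in result["failures"]:
        print(f"failure at {stage}: {line}")
```

For the CUHK logs above this reports pppd_started as the furthest stage with a ppp_auth failure, i.e. IPsec and L2TP are fine and only the PPP authentication exchange is failing; for the last commenter's log, which never gets past the pluto and xl2tpd startup banners, no stage is reached at all.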
