# L2TP/IPsec: established IPsec tunnel but no further

## streamkid

I am trying to set up a vpn server with openswan and xl2tp.

General info:

My box is not behind a router (it is the router). It has a real ip, 212.70.208.55/32, on (wan0->ppp0) and on the other nic (lan0) is the local network (192.168.1.0/24).

While testing I drop all my iptables rules and set the default policies to ACCEPT.

Remote box is a winxpsp2, behind a nat, with external ip 88.218.153.26/32 and internal ip of 192.168.3.5/24. I *don't know* (yet) what is filtered by the firewall in front of this box.

It's my first try on linux vpn stuff.

Here is my config (after trying several configs I went for the one on the wiki):

```
cat /etc/ipsec/ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn vpn-connection
        authby=secret
        pfs=no
        rekey=no
        keyingtries=1
        left=%defaultroute
        leftprotoport=udp/l2tp
        leftid=vpn.streamkid.net
        right=%any
        rightprotoport=udp/%any
        auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

```
cat /etc/ipsec/ipsec.secrets

         : RSA   {
        # RSA 2048 bits   mail   Mon Jul 26 12:02:39 2010
        # for signatures only, UNSAFE FOR ENCRYPTION
        [… omitted for space …]

212.70.208.55 %any: PSK "wouldbesecureifup"
```

```
cat /etc/xl2tpd/xl2tpd.conf

[global]
port = 1701
access control = no

[lns default]
require authentication = yes
name = vpn.streamkid.net
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

```
cat /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent
```

```
cat /etc/ppp/chap-secrets

alex * "xela" 192.168.1.0/24
* alex "xela" 192.168.1.0/24
```

From what I get from the logs, the IPsec tunnel is established, but it doesn't get any further.

The xp box reports "error 678 the remote computer did not respond".

```
cat /var/log/auth.log

Aug 10 22:06:03 mail ipsec__plutorun: Starting Pluto subsystem...
Aug 10 22:06:03 mail pluto[4805]: Starting Pluto (Openswan Version 2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}xT`Pu{prE)
Aug 10 22:06:03 mail pluto[4805]: Setting NAT-Traversal port-4500 floating to on
Aug 10 22:06:03 mail pluto[4805]:    port floating activation criteria nat_t=1/port_fload=1
Aug 10 22:06:03 mail pluto[4805]:   including NAT-Traversal patch (Version 0.6c)
Aug 10 22:06:03 mail pluto[4805]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 10 22:06:03 mail pluto[4805]: starting up 1 cryptographic helpers
Aug 10 22:06:03 mail pluto[4805]: started helper pid=4806 (fd:6)
Aug 10 22:06:03 mail pluto[4805]: Using NETKEY IPsec interface code on 2.6.29-hardened
Aug 10 22:06:03 mail pluto[4805]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Aug 10 22:06:03 mail pluto[4805]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Aug 10 22:06:03 mail pluto[4805]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Aug 10 22:06:03 mail pluto[4805]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Aug 10 22:06:03 mail pluto[4805]:   Warning: empty directory
Aug 10 22:06:04 mail pluto[4805]: added connection description "vpn-connection"
Aug 10 22:06:04 mail pluto[4805]: listening for IKE messages
Aug 10 22:06:04 mail pluto[4805]: adding interface wan0/wan0 212.70.208.55:500
Aug 10 22:06:04 mail pluto[4805]: adding interface wan0/wan0 212.70.208.55:4500
Aug 10 22:06:04 mail pluto[4805]: adding interface lan0/lan0 192.168.1.1:500
Aug 10 22:06:04 mail pluto[4805]: adding interface lan0/lan0 192.168.1.1:4500
Aug 10 22:06:04 mail pluto[4805]: adding interface lo/lo 127.0.0.1:500
Aug 10 22:06:04 mail pluto[4805]: adding interface lo/lo 127.0.0.1:4500
Aug 10 22:06:04 mail pluto[4805]: adding interface 80/80 2001:470:1f0a:6a3::2:500
Aug 10 22:06:04 mail pluto[4805]: adding interface lo/lo ::1:500
Aug 10 22:06:04 mail pluto[4805]: loading secrets from "/etc/ipsec/ipsec.secrets"
Aug 10 22:06:27 mail pluto[4805]: packet from 88.218.153.26:56128: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 10 22:06:27 mail pluto[4805]: packet from 88.218.153.26:56128: ignoring Vendor ID payload [FRAGMENTATION]
Aug 10 22:06:27 mail pluto[4805]: packet from 88.218.153.26:56128: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 10 22:06:27 mail pluto[4805]: packet from 88.218.153.26:56128: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 10 22:06:27 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: responding to Main Mode from unknown peer 88.218.153.26
Aug 10 22:06:27 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 10 22:06:27 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 10 22:06:27 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: Main mode peer ID is ID_FQDN: '@computer'
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[1] 88.218.153.26 #1: switched from "vpn-connection" to "vpn-connection"
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #1: deleting connection "vpn-connection" instance with peer 88.218.153.26 {isakmp=#0/ipsec=#0}
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #1: I did not send a certificate because I do not have one.
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #2: responding to Quick Mode {msgid:6b549bdb}
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1393e4d1 <0x0d0c1e7c xfrm=3DES_0-HMAC_MD5 NATD=88.218.153.26:56129 DPD=none}
Aug 10 22:06:33 mail pluto[4805]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 10 22:06:33 mail pluto[4805]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 10 22:06:33 mail pluto[4805]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 10 22:06:36 mail pluto[4805]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 10 22:06:36 mail pluto[4805]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
```

```
cat /var/log/daemon.log

Aug 10 22:05:58 mail xl2tpd[4569]: This binary does not support kernel L2TP.
Aug 10 22:05:58 mail xl2tpd[4570]: xl2tpd version xl2tpd-1.2.3 started on mail PID:4570
Aug 10 22:05:58 mail xl2tpd[4570]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 10 22:05:58 mail xl2tpd[4570]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 10 22:05:58 mail xl2tpd[4570]: Inherited by Jeff McAdams, (C) 2002
Aug 10 22:05:58 mail xl2tpd[4570]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug 10 22:05:58 mail xl2tpd[4570]: Listening on IP address 0.0.0.0, port 1701
Aug 10 22:06:31 mail xl2tpd[4570]: network_thread: select timeout
Aug 10 22:06:32 mail xl2tpd[4570]: network_thread: select timeout
Aug 10 22:06:33 mail xl2tpd[4570]: network_thread: select timeout
Aug 10 22:06:34 mail xl2tpd[4570]: network_thread: select timeout
Aug 10 22:06:35 mail xl2tpd[4570]: network_thread: select timeout
Aug 10 22:06:35 mail xl2tpd[4570]: Maximum retries exceeded for tunnel 26562.  Closing.
```

After that, I can't ever retry from the win box to reconnect. I have to /etc/init.d/ipsec restart, which shows

```
Aug 10 22:07:13 mail pluto[5522]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 10 22:07:13 mail pluto[5522]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
```

and then it's available again for connection.

As I understand it, the connection doesn't terminate and it just waits.

Any ideas on getting this thing to work?

Thanks in advance,

Alex
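Added here as an editor's example, not code from the thread: a small Python checker that walks pluto/xl2tpd syslog lines of the shape shown above and reports the stage at which the L2TP/IPsec handshake stopped (IKE phase 1, phase 2, PSK lookup, or the NAT-T port going unreachable after the IPsec SA came up). The sample input is constructed from four lines of the auth.log and daemon.log excerpts in this post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Line shape from the thread: "Aug 10 22:06:28 mail pluto[4805]: <message>"
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>pluto|xl2tpd)\[\d+\]: (?P<msg>.*)$")
IPSEC_SA_RE = re.compile(r"IPsec SA established .*NATD=(?P<ip>[\d.]+):(?P<port>\d+)")
NET_ERR_RE = re.compile(
    r"asynchronous network error report .* for message to (?P<ip>[\d.]+) port (?P<port>\d+)"
    r".*ICMP type 3 code (?P<code>\d+)")
NO_PSK_RE = re.compile(r"no preshared key found for `(?P<left>[^']*)' and `(?P<right>[^']*)'")


@dataclass
class Diagnosis:
    isakmp_established: bool = False
    natd_port: Optional[int] = None                 # client's NAT-T (UDP 4500) port from the IPsec SA line
    unreachable_ports: Set[int] = field(default_factory=set)  # ports named in ICMP unreachable reports
    l2tp_timed_out: bool = False                    # xl2tpd gave up retransmitting control messages
    findings: List[str] = field(default_factory=list)


def diagnose(lines) -> Diagnosis:
    """Walk pluto/xl2tpd syslog lines in order and explain where the L2TP/IPsec handshake stopped."""
    d = Diagnosis()
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue                                # not a pluto/xl2tpd line; ignore
        prog, msg = m["prog"], m["msg"]
        if prog == "pluto":
            if "ISAKMP SA established" in msg:      # IKE phase 1 done
                d.isakmp_established = True
            if sa := IPSEC_SA_RE.search(msg):       # IKE phase 2 done; remember the NAT-T port
                d.natd_port = int(sa["port"])
            if err := NET_ERR_RE.search(msg):
                d.unreachable_ports.add(int(err["port"]))
            if psk := NO_PSK_RE.search(msg):
                d.findings.append(f"PSK lookup failed for {psk['left']} / {psk['right']}: "
                                  "the selector in ipsec.secrets does not match leftid/rightid")
            if "no acceptable Oakley Transform" in msg:
                d.findings.append("IKE phase 1 proposal mismatch: nothing the client offered is accepted")
        elif prog == "xl2tpd" and "Maximum retries exceeded" in msg:
            d.l2tp_timed_out = True
    # Correlation: an IPsec SA came up, then ICMP unreachable arrived for the very NAT-T port it uses,
    # so ESP-in-UDP packets (carrying L2TP) to the client are being rejected after IKE succeeded.
    if d.natd_port is not None and d.natd_port in d.unreachable_ports:
        d.findings.append(f"IPsec SA established, but packets to the client's NAT-T port {d.natd_port} "
                          "draw ICMP unreachable: L2TP traffic never reaches the client")
    if d.l2tp_timed_out and d.natd_port is not None:
        d.findings.append("xl2tpd exhausted its retries: L2TP control messages got no reply through the tunnel")
    return d


# Constructed sample: four lines taken from the auth.log / daemon.log excerpts in this post.
SAMPLE_LOG = """\
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 10 22:06:28 mail pluto[4805]: "vpn-connection"[2] 88.218.153.26 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1393e4d1 <0x0d0c1e7c xfrm=3DES_0-HMAC_MD5 NATD=88.218.153.26:56129 DPD=none}
Aug 10 22:06:33 mail pluto[4805]: ERROR: asynchronous network error report on wan0 (sport=4500) for message to 88.218.153.26 port 56129, complainant 212.70.208.55: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Aug 10 22:06:35 mail xl2tpd[4570]: Maximum retries exceeded for tunnel 26562.  Closing.
""".splitlines()

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG).findings:
        print("-", finding)
```

Feed it the merged auth.log and daemon.log (in time order) to see which of the three failure modes from this thread you are looking at.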

----------

## salahx

leftid has to start with an @; it should be

```
leftid=@vpn.streamkid.net
```

Also, in the ipsec.secrets file, the left part must be the same as what you put in leftid (less the @):

```
vpn.streamkid.net %any : PSK "wouldbesecureifup"
```

----------

## streamkid

Updated as advised, thanks!

```
Aug 10 23:32:12 mail pluto[15416]: packet from 88.218.153.26:56266: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 10 23:32:12 mail pluto[15416]: packet from 88.218.153.26:56266: ignoring Vendor ID payload [FRAGMENTATION]
Aug 10 23:32:12 mail pluto[15416]: packet from 88.218.153.26:56266: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 10 23:32:12 mail pluto[15416]: packet from 88.218.153.26:56266: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: responding to Main Mode from unknown peer 88.218.153.26
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: Can't authenticate: no preshared key found for `@vpn.streamkid.net' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: Can't authenticate: no preshared key found for `@vpn.streamkid.net' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: Can't authenticate: no preshared key found for `@vpn.streamkid.net' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: no acceptable Oakley Transform
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26 #1: sending notification NO_PROPOSAL_CHOSEN to 88.218.153.26:56266
Aug 10 23:32:12 mail pluto[15416]: "vpn-connection"[1] 88.218.153.26: deleting connection "vpn-connection" instance with peer 88.218.153.26 {isakmp=#0/ipsec=#0}
```

Headache, going to continue tomorrow…

PS: Also tried with the ip addr instead of %any. Got to look at this Oakley stuff.

----------

## salahx

Maybe it might just be better to leave the left and right sides out of ipsec.secrets. Just do

```
: PSK "wouldbesecureifup"
```

Because of the way IPsec PSK works, if the right side is %any, you can only have 1 key anyway; this line matches anything, as though both sides were %any.

I tried the configuration on my systems and it does work (or at least, it gets as far as connecting via pppd), so if it's still not working, it might be something on the client. Oddly enough, I found the client configuration much more painful than the server side things.

----------

## streamkid

Did this and it got me into the state mentioned in the 1st post again (key found, but dies with the asynchronous network error).

Google suggested to experiment with nexthop. Added

```
leftnexthop=%defaultroute
rightnexthop=%defaultroute
```

IPsec is established and we go on to pppd. It breaks there, but that's a huge step already.

Even win realizes it, and now whines about the modem reporting an error (I suppose by modem it means the ppp end-link).

```
[… just the new stuff …]

tail /var/log/auth.log

Aug 11 01:41:52 mail pluto[15356]: "vpn-connection"[4] 88.218.153.26 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xfc02f742 <0x3eed5391 xfrm=3DES_0-HMAC_MD5 NATD=88.218.153.26:56431 DPD=none}
Aug 11 01:41:54 mail pluto[15356]: "vpn-connection"[4] 88.218.153.26 #3: received Delete SA(0xfc02f742) payload: deleting IPSEC State #4
Aug 11 01:41:55 mail pluto[15356]: "vpn-connection"[4] 88.218.153.26 #4: unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete 88.218.153.26/32 via 212.70.192.38 dev wan0 ' failed (RTNETLINK answers: No such process)
Aug 11 01:41:55 mail pluto[15356]: "vpn-connection"[4] 88.218.153.26 #3: received and ignored informational message
Aug 11 01:41:55 mail pluto[15356]: "vpn-connection"[4] 88.218.153.26 #3: received Delete SA payload: deleting ISAKMP State #3
Aug 11 01:41:55 mail pluto[15356]: "vpn-connection"[4] 88.218.153.26: deleting connection "vpn-connection" instance with peer 88.218.153.26 {isakmp=#0/ipsec=#0}
Aug 11 01:41:55 mail pluto[15356]: packet from 88.218.153.26:56431: received and ignored informational message

tail /var/log/daemon.log

Aug 11 01:41:54 mail xl2tpd[14183]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Aug 11 01:41:54 mail xl2tpd[14183]: Connection established to 88.218.153.26, 1701.  Local: 25301, Remote: 13 (ref=0/0).  LNS session is 'default'
Aug 11 01:41:54 mail xl2tpd[14183]: call_close: Call 13924 to 88.218.153.26 disconnected
Aug 11 01:41:54 mail xl2tpd[14183]: control_finish: Out of IP addresses on tunnel 13!
Aug 11 01:41:54 mail xl2tpd[14183]: control_finish: Connection closed to 88.218.153.26, port 1701 (), Local: 25301, Remote: 13
Aug 11 01:42:04 mail xl2tpd[14183]: Can not find tunnel 25301 (refhim=0)
Aug 11 01:42:04 mail xl2tpd[14183]: network_thread: unable to find call or tunnel to handle packet.  call = 0, tunnel = 25301 Dumping.
Aug 11 01:42:14 mail xl2tpd[14183]: Can not find tunnel 25301 (refhim=0)
Aug 11 01:42:14 mail xl2tpd[14183]: network_thread: unable to find call or tunnel to handle packet.  call = 0, tunnel = 25301 Dumping.
Aug 11 01:42:25 mail xl2tpd[14183]: Can not find tunnel 25301 (refhim=0)
Aug 11 01:42:25 mail xl2tpd[14183]: network_thread: unable to find call or tunnel to handle packet.  call = 0, tunnel = 25301 Dumping.
Aug 11 01:42:35 mail xl2tpd[14183]: Can not find tunnel 25301 (refhim=0)
Aug 11 01:42:35 mail xl2tpd[14183]: network_thread: unable to find call or tunnel to handle packet.  call = 0, tunnel = 25301 Dumping.
Aug 11 01:42:45 mail xl2tpd[14183]: Can not find tunnel 25301 (refhim=0)
Aug 11 01:42:45 mail xl2tpd[14183]: network_thread: unable to find call or tunnel to handle packet.  call = 0, tunnel = 25301 Dumping.
```

Seems that it doesn't have an ip addr to hand out. The man page stated that if I have a DHCP server I don't need to specify a pool.

Checking this…

Edit: Gave it a pool manually, and it connects.

BUT, the stupid win machine tries to route all traffic through the vpn, it can't, and I get kicked out of TeamViewer. Fail…

Here is how it looks:

```
tail /var/log/debug.log

Aug 11 01:56:19 mail xl2tpd[19557]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
Aug 11 01:56:19 mail xl2tpd[19557]: Connection established to 88.218.153.26, 1701.  Local: 19735, Remote: 15 (ref=0/0).  LNS session is 'default'
Aug 11 01:56:19 mail xl2tpd[19557]: start_pppd: I'm running:
Aug 11 01:56:19 mail xl2tpd[19557]: "/usr/sbin/pppd"
Aug 11 01:56:19 mail xl2tpd[19557]: "passive"
Aug 11 01:56:19 mail xl2tpd[19557]: "-detach"
Aug 11 01:56:19 mail xl2tpd[19557]: "192.168.1.1:192.168.1.201"
Aug 11 01:56:19 mail xl2tpd[19557]: "refuse-pap"
Aug 11 01:56:19 mail xl2tpd[19557]: "auth"
Aug 11 01:56:19 mail xl2tpd[19557]: "require-chap"
Aug 11 01:56:19 mail xl2tpd[19557]: "name"
Aug 11 01:56:19 mail xl2tpd[19557]: "vpn.streamkid.net"
Aug 11 01:56:19 mail xl2tpd[19557]: "debug"
Aug 11 01:56:19 mail xl2tpd[19557]: "file"
Aug 11 01:56:19 mail xl2tpd[19557]: "/etc/ppp/options.xl2tpd"
Aug 11 01:56:19 mail xl2tpd[19557]: "/dev/pts/6"
Aug 11 01:56:19 mail pppd[19740]: pppd 2.4.4 started by root, uid 0
Aug 11 01:56:19 mail pppd[19740]: using channel 3
Aug 11 01:56:19 mail pppd[19740]: Using interface ppp1
Aug 11 01:56:19 mail pppd[19740]: Connect: ppp1 <--> /dev/pts/6
Aug 11 01:56:19 mail xl2tpd[19557]: Call established with 88.218.153.26, Local: 3132, Remote: 1, Serial: 0
Aug 11 01:56:19 mail pppd[19740]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x70994dbf> <pcomp> <accomp> <callback CBCP>]
Aug 11 01:56:19 mail pppd[19740]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x5b50d4d0> <pcomp> <accomp>]
Aug 11 01:56:19 mail pppd[19740]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Aug 11 01:56:19 mail pppd[19740]: rcvd [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x5b50d4d0> <pcomp> <accomp>]
Aug 11 01:56:19 mail pppd[19740]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x70994dbf> <pcomp> <accomp>]
Aug 11 01:56:19 mail pppd[19740]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x70994dbf> <pcomp> <accomp>]
Aug 11 01:56:19 mail pppd[19740]: sent [CHAP Challenge id=0x59 <166d6ffa7977183a0574729af1ea3a44>, name = "vpn.streamkid.net"]
Aug 11 01:56:19 mail pppd[19740]: rcvd [LCP Ident id=0x2 magic=0x70994dbf "MSRASV5.10"]
Aug 11 01:56:19 mail pppd[19740]: rcvd [LCP Ident id=0x3 magic=0x70994dbf "MSRAS-0-COMPUTER"]
Aug 11 01:56:19 mail pppd[19740]: rcvd [CHAP Response id=0x59 <4c3256fb7511348cc30200b2886155fb>, name = "alex"]
Aug 11 01:56:19 mail pppd[19740]: sent [CHAP Success id=0x59 "Access granted"]
Aug 11 01:56:19 mail pppd[19740]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.1.1>]
Aug 11 01:56:19 mail pppd[19740]: rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
Aug 11 01:56:19 mail pppd[19740]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Aug 11 01:56:19 mail pppd[19740]: sent [LCP ProtRej id=0x2 80 fd 01 04 00 0a 12 06 01 00 00 01]
Aug 11 01:56:19 mail pppd[19740]: rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Aug 11 01:56:19 mail pppd[19740]: sent [IPCP ConfRej id=0x5 <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Aug 11 01:56:19 mail pppd[19740]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Aug 11 01:56:19 mail pppd[19740]: sent [IPCP ConfReq id=0x2 <addr 192.168.1.1>]
Aug 11 01:56:19 mail pppd[19740]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0>]
Aug 11 01:56:19 mail pppd[19740]: sent [IPCP ConfNak id=0x6 <addr 192.168.1.201>]
Aug 11 01:56:19 mail pppd[19740]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.1.1>]
Aug 11 01:56:19 mail pppd[19740]: rcvd [IPCP ConfReq id=0x7 <addr 192.168.1.201>]
Aug 11 01:56:19 mail pppd[19740]: sent [IPCP ConfAck id=0x7 <addr 192.168.1.201>]
Aug 11 01:56:19 mail pppd[19740]: found interface lan0 for proxy arp
Aug 11 01:56:19 mail pppd[19740]: local  IP address 192.168.1.1
Aug 11 01:56:19 mail pppd[19740]: remote IP address 192.168.1.201
Aug 11 01:56:19 mail pppd[19740]: Script /etc/ppp/ip-up started (pid 19743)
Aug 11 01:56:19 mail pppd[19740]: Script /etc/ppp/ip-up finished (pid 19743), status = 0x0
Aug 11 01:56:20 mail xl2tpd[19557]: network_thread: select timeout
Aug 11 01:56:20 mail xl2tpd[19557]: network_thread: select timeout
```

----------

## salahx

Weird, according to the documentation of OpenSwan, right/left nexthop. But if your computer is a router too, and has more than 1 interface, maybe it needs it in order to pick the right place to route to. Try removing one or the other nexthop and see which one fixes it (or if both are needed).

Windows, by default, DOES route everything over the VPN. However, you can enable split tunneling. On Vista, right-click->Networking tab->Internet Protocol (v4)->Properties->Advanced->Uncheck "Use default gateway on remote network". I'm sure it's in a similar place on XP.

----------

## streamkid

*salahx wrote:*

> Weird, according to the documentation of OpenSwan, right/left nexthop. But if your computer is a router too, and has more than 1 interface, maybe it needs it in order to pick the right place to route to. Try removing one or the other nexthop and see which one fixes it (or if both are needed).
>
> Windows, by default, DOES route everything over the VPN. However, you can enable split tunneling. On Vista, right-click->Networking tab->Internet Protocol (v4)->Properties->Advanced->Uncheck "Use default gateway on remote network". I'm sure it's in a similar place on XP.

You can also do that on xp.

OK, fine up to here.

The client connects and gets a /32 address (I want /24, access to the whole subnet).

The next step is a dual setup: clients with a certificate go on .1.0/24 (my lan) with a /24 addr and are routed to the outer world, and clients with a PSK go to .2.0/24 with a /32 addr and only see 192.168.1.1.

Long way to go eh?

EDIT:

I can't seem to get it to work with DHCP. I didn't find any options in xl2tpd.conf or pppd. Google doesn't tell me much either. Any ideas?

----------

## salahx

If you're going to use a DHCP server to hand out IPs, then you do it from ppp. Good luck finding this documentation; the only way to find it is to manually download the plugin tarball, unpack it and read the README file.

The short version: you need to add "plugin dhcpc.so" to your ppp options file. It has 4 options: "dhcp-interface", "dhcp-relay-address", "dhcp-server", "dhcp-subnet-selection".

If you use dhcp-relay-address, make sure it isn't 127.0.0.1. ISC dhcp treats this as a special debugging mode, and the results aren't what you'd expect.

Also, if you're not going to use the IP pool ability of xl2tpd, you might want to use rp-l2tp instead. xl2tpd spams the syslog with all kinds of useless junk (especially the "network_thread: select timeout").

----------

## streamkid

I finally decided to go with pure IPsec and nothing else.

Add:

I have a "problem".

I have set up in racoon a connection for certificates; it works fine, everybody can connect (win, os x, iphone).

Now I want to add another connection, authenticated by PSK, for another set of people, for whom I am going to route only specific traffic.

Any ideas?

----------

## moxychris

streamkid,

Would you mind posting your configuration information for your certificate-based pure IPsec VPN? I've noticed a few recent posts that have had issues, and there is a tutorial in the wiki (for iPhone) that doesn't work anymore. I think your directions would clear up questions for a lot of people.

Thanks for reading!

----------

