# VPN Client not connecting [SOLVED]

## Duco Ergo Sum

Hi there,

For the past week and a bit I have been trying to connect to my office VPN, without success.  The instructions for connecting assume the client is a Windows 7 system.

The vpn is "IPSec (L2TP/IPSEC)" using a Pre-Shared Key.

For the purpose of this post I will use faux details and values:

gateway: vpn.office.com

PSK: vpn-office-com

username: your-login-username

password: your-login-password

domain (optional): office-name

What I have tried so far, includes:

compiled every IPSEC kernel module  -> No appreciable difference.

KVPN -> Gives a racoon config error and then a long list of other debug info which, as it is security related, I don't want to post indiscriminately.

VPNC -> reports "No response from target"

Cisco and regular UDP

I have tried setting various ports to use, 47, 50, 51, 443, 500, 1701, 1723, 10000

Strongswan -> the daemon starts but I cannot find evidence of a connection

ipsec.conf and ipsec.secret configured for the above details respectively.

I can only guess that this isn't a firewall issue as a colleague who already connects to the VPN can only do so using a virtual machine running Windows 7.  My colleague says this is because of firewall and routing issues from his Linux desktop.  My assertion being that the virtual machine has to pass through the host and any other firewall in his network.

Please help...

Last edited by Duco Ergo Sum on Tue Oct 14, 2014 12:11 am; edited 1 time in total

----------

## salahx

I wrote a Gentoo wiki article covering setting up the server side of it: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server . Because all the protocols (ipsec, l2tp and pppd) are peer-to-peer, configuring it on the client side has a lot of similarities.

----------

## Duco Ergo Sum

Thank you.

I think what I need is the "Ipsec ID" (group id/name) parameter.  I have a working Windows system now so I'll interrogate that.

----------

## Duco Ergo Sum

This is really frustrating.

I now have:

VPNC which times out without much indication of anything happening.

StrongSwan which starts but I don't see any sign of a VPN nor have I found a way to test it.

OpenL2TP which I've had to install an overlay (booboo) to get.  This doesn't seem to be able to initiate sessions, tunnel id not found, while tunnel show - shows the tunnel I configured.

NetworkManager seems to allow a sub-set of functionality in its configuration of different sub-systems but it protests that it's unable to find an agent when I try to start a session.

Additionally, I've experimented with Windows.  The initial setup is tricky but the VPN works.  No additional information needed.  With security in mind I'm sure, they've hidden the config details from prying eyes thus thwarting my plan to find the IP Sec ID there.

I am beginning to question if this is a proprietary MS VPN implementation or could my system be just missing one little screw somewhere?

I have read the IPsec L2TP VPN server wiki page and attempted to adapt its wisdom to my needs but unfortunately unsuccessfully.

Please tell me how I can test a VPN connection, just to see if it exists?

--

You know you really need help when the voices tell you that you're becoming obsessed!

----------

## salahx

The first, and most difficult, layer is the ipsec layer. Here's a simple config file you can adapt. As the wiki page shows, uncomment the "include" line at the very bottom of /etc/ipsec.conf and create a /etc/ipsec.d/office.vpn.com.conf with content similar to the following: 

```
conn vpnclient
        type=transport
        authby=secret
        pfs=no
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
```

Don't forget to create a /etc/ipsec.d/office.vpn.com.secret file too:

```
vpn.office.com %any : PSK "vpn-office-com"
```

Then start the ipsec service, and bring up your connection with "ipsec auto --up vpnclient" If you get a line in the log similar to "STATE_QUICK_I2: Sent QI2, IPsec SA established...." then you have ipsec connectivity.

ipsec is the hard part. Once you've got that, the l2tp tunnel is much simpler.

----------

## Duco Ergo Sum

Hi Salahx,

Thanks for again answering, I am very grateful.

The command 'ipsec up vpnclient' has been most illustrative.  StrongSwan doesn't get a response from the office network either.

```
initiating IKE_SA vpn.office.com[1] to 17.11.7.5
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 1 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 2 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
retransmit 3 of request with message ID 0
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (996 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (68 bytes)
ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
[  ...  ]
giving up after 5 retransmits
```

So now both VPNC and StrongSwan time out.

Food for thought.

----------

## salahx

It's seeing SOMETHING on the other side, it's just having trouble negotiating with it. It appears it's trying to negotiate an IKEv2 connection, but we want IKEv1.

So let's tweak the config a bit:

```
conn vpnclient
        keyexchange=ikev1
        type=transport
        authby=secret
        pfs=no
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
```

----------

## Duco Ergo Sum

Thanks.

We're making progress, new response message:

```
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (220 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (160 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed
```

My installed version of StrongSwan does not support the 

```
psf=no
```

keyword.  Therefore this is what my config looks like at the moment:

```
conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        esp=des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
```

----------

## Duco Ergo Sum

Looking in Windows

Control Panel - Administrative Tools - Windows Firewall with Advanced Security - Windows Firewall Properties (IPsec Settings) - Customize IPsec Defaults (Key exchange (Main Mode) - Advanced [Customize]) - Customize Advanced Key Exchange Settings

```
Security methods:

Integrity   Encryption    Key exchange algorithm
SHA-1       AES-CBC 128   Diffie-Hellman Group 2 (default)
SHA-1       3DES          Diffie-Hellman Group 2
```

I'm off to work now but will experiment with these values when I get back.

----------

## salahx

It's "pfs=no" not "psf=no". It doesn't matter anyway because the command is ignored under strongSwan and "no" is the default. You shouldn't need the "esp=des-sha1-modp1024" as it should choose the correct method during the proposal process. In fact that will negotiate PFS which is NOT what you want - Microsoft's IKEv1 daemon doesn't support PFS.

Note that Windows has TWO implementations of ipsec: the IKEv1 one used for the l2tp tunnel, and an IKEv2 one which is controlled via the ipsec snap-in. The Windows Firewall and other ipsec settings refer to the latter, but we want to use the former.

----------

## Duco Ergo Sum

Apologies, "psf" was a typo.

However, no matter how I try to configure the pfs option, I get the same result.

```
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn.office.com' failed
```

----------

## salahx

The pfs option is ignored in strongSwan anyway. But that "esp" line has to be removed, because I know it's wrong. If the server STILL won't accept any proposals offered by strongSwan, even without the "esp" line, there is an "ike-scan" package in portage that should give some information on what proposals the gateway will accept.
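Added example (not from salahx, ike-scan or strongSwan): a small script that turns the SA line ike-scan prints into the `ike=` setting strongSwan expects, and warns when the gateway has picked deprecated algorithms. Two caveats a practitioner wants here: without `--trans`, ike-scan only offers its own default transforms, so the returned SA is the gateway's choice among those rather than its full list; and the algorithms are dictated by the gateway, so a 3DES/SHA1/modp1024 result (as in this thread) is something to raise with its owner, not something the client can fix. The sample line is constructed to match the shape of the thread's ike-scan output.

```shell
#!/bin/sh
# ike_proposal.sh: turn the SA line ike-scan prints into a strongSwan "ike=" setting.
# Added example for this thread, not part of ike-scan or strongSwan.
# Caveat: without --trans, ike-scan only offers its own default transforms, so the
# line shows the gateway's pick among those, not everything it would accept.

# Constructed sample, shaped like the line the thread's gateway returned.
SAMPLE_IKESCAN='17.11.7.5  Main Mode Handshake returned HDR=(CKY-R=[Available On Request]) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)'

# Read ike-scan output on stdin; print "ike=<enc>-<hash>-<group>" for each handshake line.
ikescan_to_proposal() {
    awk '
    /Handshake returned/ {
        enc = hash = grp = keylen = ""
        s = $0; sub(/.*SA=\(/, "", s); sub(/\).*/, "", s)   # keep only the SA=( ... ) body
        n = split(s, kv, " ")
        for (i = 1; i <= n; i++) {
            split(kv[i], p, "=")
            if (p[1] == "Enc")            enc = tolower(p[2])
            else if (p[1] == "KeyLength") keylen = p[2]
            else if (p[1] == "Hash")      hash = tolower(p[2])
            else if (p[1] == "Group")     { grp = p[2]; sub(/^[0-9]+:/, "", grp) }
        }
        if (enc == "aes" && keylen != "") enc = enc keylen   # "Enc=AES KeyLength=128" -> aes128
        sub(/^sha2-/, "sha", hash)                           # ike-scan SHA2-256 -> strongSwan sha256
        printf "ike=%s-%s-%s\n", enc, hash, grp
    }'
}

# The gateway dictates the algorithms; the client can only flag what it got.
warn_if_weak() {   # $1 = an ike=... line
    case "$1" in
        *=des-*|*3des-*|*-md5-*|*modp768*|*modp1024*)
            echo "WARNING: $1 relies on deprecated algorithms (DES/3DES, MD5, DH below 2048 bits); raise it with the gateway owner" >&2 ;;
    esac
}

proposal_from_sample() { printf '%s\n' "$SAMPLE_IKESCAN" | ikescan_to_proposal; }

if [ "${1:-}" = "--live" ]; then   # ike-scan needs root to bind UDP 500
    ike-scan --verbose "${2:-vpn.office.com}" | ikescan_to_proposal | while read -r line; do
        echo "$line"; warn_if_weak "$line"
    done
fi
```

Run it as `sh ike_proposal.sh --live vpn.office.com` (as root) and paste the printed `ike=` line into the conn; `Auth=PSK` in the same ike-scan line is what confirms `authby=secret` is right for this gateway.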

----------

## Duco Ergo Sum

Hi,

I have used IKE-Scan which prompted me to change my config as below and this has generated the following information.

ike-scan output

```
ike-scan --verbose vpn.office.com
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
17.11.7.5  Main Mode Handshake returned HDR=(CKY-R=[Available On Request]) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=[Available On Request] (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.037 seconds (27.14 hosts/sec).  1 returned handshake; 0 returned notify
```

New Config

```
conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        auto=add
```

ipsec output

```
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
establishing connection 'vpn.office.com' failed
```

Charon Log

```
Aug 29 09:14:39 sveta charon: 02[CFG] received stroke: initiate 'vpn.office.com'
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[IKE] initiating Main Mode IKE_SA vpn.office.com[3] to 17.11.7.5
Aug 29 09:14:39 sveta charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V ]
Aug 29 09:14:39 sveta charon: 13[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
Aug 29 09:14:39 sveta charon: 06[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
Aug 29 09:14:39 sveta charon: 06[ENC] parsed ID_PROT response 0 [ SA V V ]
Aug 29 09:14:39 sveta charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 29 09:14:39 sveta charon: 06[IKE] received FRAGMENTATION vendor ID
Aug 29 09:14:39 sveta charon: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 29 09:14:39 sveta charon: 06[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
Aug 29 09:14:40 sveta charon: 05[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
Aug 29 09:14:40 sveta charon: 05[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Aug 29 09:14:40 sveta charon: 05[IKE] received Cisco Unity vendor ID
Aug 29 09:14:40 sveta charon: 05[IKE] received XAuth vendor ID
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] received unknown vendor ID: [Available On Request]
Aug 29 09:14:40 sveta charon: 05[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ N(INVAL_KE) ]
Aug 29 09:14:40 sveta charon: 05[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (56 bytes)
```

----------

## salahx

OK, now it's accepting the proposal but it's having a problem with the PSK. It probably has to do with how the VPN server is identifying itself. So let's change the secrets file to

```
 : PSK "vpn-office-com" 
```

This will make strongSwan use the key for all connections.

----------

## Duco Ergo Sum

Awesome!  Thank you!

```
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
generating INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
connection 'vpn.office.com' established successfully
```

I have pinged my office PC and did not get any returned packets.  I haven't attempted to set up the L2TP layer yet but your guide says that is comparatively easy.

These lines though do worry me:

```
IDir '17.11.7.5' does not match to 'vpn.office.com'
deleting IKE_SA vpn.office.com[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[%any]
sending DELETE for IKE_SA vpn.office.com[1]
```

----------

## salahx

We're almost there, but we're not there yet. This goes back to the "how the server is identifying itself" problem with the PSK: instead of identifying itself via its name (vpn.example.com), it does so by its IP address (17.11.7.5).

We just need to make one tweak:

```
conn vpn.office.com
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        rightid=17.11.7.5
        auto=add
```

Or failing that, change the value of "right=" from "vpn.office.com" to "17.11.7.5" instead. Note you still can't do anything with the connection yet, as only L2TP packets will be passed across the ipsec link (thus you cannot ping anything across the link).

----------

## Duco Ergo Sum

Perfect, next step L2TP!

```
ipsec up vpn.office.com
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
CHILD_SA vpn.office.com{1} established with SPIs [Available On Request] [Available On Request] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
connection 'vpn.office.com' established successfully
```

Thank you.  I expect as soon as I try L2TP I'll be back here confused as ever.  Either way, I'll report back.

----------

## Duco Ergo Sum

I thought this might happen.

/etc/xl2tp/xl2tpd.conf

```
[global]                                ; Global parameters:
port = 1701                             ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets   ; * Where our challenge secrets are
access control = no                     ; * Refuse connections without IP match
; rand source = dev                     ; Source for entropy for random
;                                       ; numbers, options are:
;                                       ; dev - reads of /dev/urandom
;                                       ; sys - uses rand()
;                                       ; egd - reads from egd socket
;                                       ; egd is not yet implemented
;
[lns default]                           ; Our fallthrough LNS definition
; ip range = 192.168.0.1-192.168.0.20   ; * Allocate from this IP range
; ip range = lac1-lac2                  ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8       ; * These can connect as LAC's
; no lac = untrusted.marko.net          ; * This guy can't connect
; hidden bit = no                       ; * Use hidden AVP's?
local ip = 1.2.3.4                      ; * Our local IP to use
; refuse authentication = no            ; * Refuse authentication altogether
require authentication = yes            ; * Require peer to authenticate
unix authentication = no                ; * Use /etc/passwd for auth.
name = vpn.office.com                   ; * Report this as our hostname
pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file
```

/etc/ppp/options.l2tpd

```
noccp
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent
```

I started xl2tpd with:  /etc/init.d/xl2tpd start

Then nothing, I'm sure I'm missing something this is a client after all and your instructions are for a server.  So close!

----------

## salahx

Configuring the l2tp client is different from the server - thankfully the client side is even easier:

The /etc/xl2tpd/xl2tpd.conf is even simpler than the server one:

```
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
```

You may not need the /etc/ppp/options.xl2tpd.client file (in which case comment that line out), but if you do, here's one that should work:

```
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock
#debug
```

Start up the xl2tpd service, then initiate a connection:

```
xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password
```

Note TWO backslashes (the OFFICE-NAME\\ part may be optional)

xl2tpd may fail with " open_controlfd: Unable to open /var/run/xl2tpd/l2tp-control for reading". If you run across this, just do a "mkdir /var/run/xl2tpd"

Note that xl2tpd-control will always just return "00 OK", to actually see if it works, you need to check the system logs.

----------

## Duco Ergo Sum

Hi,

I have now tried a number of variations on a theme.  Mostly where vpn.office.com could mean the URL vpn.office.com or the ipsec connection name VPN.OFFICE.COM, capitalised to emphasise the distinction of these two roles.  Also with and without OFFICE-NAME\\login-name login-password and in combination with including/excluding options.xl2tpd.client.

/etc/xl2tpd/xl2tpd.conf

```
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
```

/etc/ppp/options.xl2tpd.client

```
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
mtu 1410
mru 1410
nodefaultroute
usepeerdns
lock
```

```
xl2tpd-control connect vpnclient OFFICE-NAME\\your-login-username your-login-password
```

```
Sep  1 00:39:58 sveta xl2tpd[4845]: Connecting to host vpn.office.com, port 1701
Sep  1 00:40:01 sveta cron[4865]: (OhCaptian) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Sep  1 00:40:03 sveta xl2tpd[4845]: Maximum retries exceeded for tunnel 16278.  Closing.
Sep  1 00:40:03 sveta xl2tpd[4845]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)
Sep  1 00:40:08 sveta xl2tpd[4845]: Unable to deliver closing message for tunnel 16278. Destroying anyway.
```

If I get the opportunity, I will be more methodical in the morning.

----------

## salahx

xl2tpd and strongSwan are unconnected, thus the "lns" value in the LAC section is just the server's domain name or IP address. In this case though, it's not seeing the L2TP LNS (server) on the other side. This usually means the ipsec tunnel is down.  Check and restart the tunnel if needed.

To see if data is going over the tunnel: 

```
tcpdump proto 50
```

You won't see anything cross the tunnel until xl2tpd-connect is started. You should see packets going in both directions. If not, either the tunnel is down, strongSwan is configured wrong or something (like a local firewall) is getting in the way.

In contrast, no l2tp packets should seen in the clear:

```
tcpdump udp port 1701
```

This command should produce NO output when xl2tpd-connect is invoked. If it does, either the tunnel is down, or strongSwan is configured wrong.
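Added example (not from salahx, strongSwan or xl2tpd): a check script for the question asked earlier in the thread, "how can I test a VPN connection, just to see if it exists?". It reads the kernel's IPsec policies (`ip xfrm policy`) and only passes when a transport-mode ESP policy covers udp/1701 in BOTH directions to the gateway; a one-directional policy means replies would arrive in the clear and be dropped. Two caveats from this thread's own logs are built in: the client is behind NAT ("local host is behind NAT", traffic on port 4500), so ESP travels inside UDP 4500 and a bare `tcpdump proto 50` filter sees nothing even when the tunnel works; and tcpdump must be pointed at the real uplink with `-i`, since on this box it defaulted to an idle bond0. The gateway address, the interface name and the `ip xfrm policy` sample are the thread's faux values, and the sample is constructed.

```shell
#!/bin/sh
# ipsec_l2tp_check.sh: prove the IPsec layer is really carrying L2TP before
# touching xl2tpd. Added example for this thread, not part of strongSwan or
# xl2tpd. GATEWAY/IFACE are the thread's faux values; change them.

GATEWAY=${GATEWAY:-17.11.7.5}
IFACE=${IFACE:-eno1}   # capture on the real uplink, not whatever tcpdump picks first

# Constructed sample in the shape of `ip xfrm policy` output after a successful
# `ipsec up` with type=transport and leftprotoport=udp/l2tp (addresses from the thread).
SAMPLE_XFRM_POLICY='src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701
    dir out priority 2816 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701
    dir in priority 2816 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport'

# Read `ip xfrm policy` text on stdin; print the direction (in/out) of every
# policy that wraps udp/1701 to or from $1 in a transport-mode ESP template.
l2tp_policy_dirs() {
    awk -v gw="$1" '
    /^src / {
        sel_ok = ($2 == (gw "/32") || $4 == (gw "/32")) && $6 == "udp" && $8 == "1701" && $10 == "1701"
        dir = ""
    }
    /^[[:space:]]+dir / { dir = $2 }
    /proto esp/ && /mode transport/ { if (sel_ok) print dir }'
}

# True only when both directions are protected; an "out" policy alone means
# replies would arrive in the clear and be dropped by the kernel.
policy_ok() {   # $1 = gateway, $2 = `ip xfrm policy` text
    dirs=$(printf '%s\n' "$2" | l2tp_policy_dirs "$1" | sort | tr '\n' ' ')
    [ "$dirs" = "in out " ]
}

policy_ok_sample() { policy_ok "$GATEWAY" "$SAMPLE_XFRM_POLICY"; }

if [ "${1:-}" = "--live" ]; then   # needs root
    policy_ok "$GATEWAY" "$(ip xfrm policy)" || {
        echo "no transport-mode ESP policy for udp/1701 <-> $GATEWAY; run 'ipsec up' first" >&2; exit 1; }
    echo "policy present; now run xl2tpd-control connect in another shell"
    # Behind NAT (the thread's case: port 4500 in the logs) ESP rides inside UDP 4500,
    # so a bare 'proto 50' filter sees nothing; match both encapsulations.
    timeout 20 tcpdump -ni "$IFACE" -c 4 "host $GATEWAY and (ip proto 50 or udp port 4500)"
    # Cleartext L2TP must never appear; if it does, the kernel is not applying the policy.
    if timeout 10 tcpdump -ni "$IFACE" -c 1 "host $GATEWAY and udp port 1701" >/dev/null 2>&1; then
        echo "cleartext L2TP seen on $IFACE: IPsec is NOT protecting the tunnel" >&2; exit 1
    fi
fi
```

`ipsec statusall` gives the same answer from strongSwan's side (an ESTABLISHED IKE_SA plus an INSTALLED CHILD_SA with the udp/l2tp selectors), but the xfrm view is what the kernel actually enforces, which is the one that matters when xl2tpd times out.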

----------

## Duco Ergo Sum

Hi,

I have tried a variety of configurations of xl2tp.  Just to add to the confusion my mobo has two LAN ports and wifi; I fear now this feature is coming back to confuse me and my set-up.  'eno1' is the LAN port which would be eth0 and is currently the only operational network connection in this machine.

It appears that tcpdump is looking at 'bond0' and then not finding anything.  Could xl2tp be doing the same?

tcpdump -i eno1 produces the same output as below.

Make connection

```
# xl2tpd-control connect vpnclient vpn.office.com\\Uname Upassword
00 OK
```

Test proto 50

```
# tcpdump proto 50
tcpdump: WARNING: bond0: no IPv4 address assigned
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```

Test udp port 1701

```
# tcpdump udp port 1701
tcpdump: WARNING: bond0: no IPv4 address assigned
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```

Some network devices

```
# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether ce:71:b2:5a:c2:1d  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fd00::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 14060  bytes 14971920 (14.2 MiB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 10353  bytes 1465328 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory #x########-########

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 40  bytes 16841 (16.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 16841 (16.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Log

```
Sep  2 08:55:31 sveta xl2tpd[4128]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4128
Sep  2 08:55:31 sveta xl2tpd[4128]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep  2 08:55:31 sveta xl2tpd[4128]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep  2 08:55:31 sveta xl2tpd[4128]: Inherited by Jeff McAdams, (C) 2002
Sep  2 08:55:31 sveta xl2tpd[4128]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep  2 08:55:31 sveta xl2tpd[4128]: Listening on IP address 0.0.0.0, port 1701
Sep  2 08:55:37 sveta charon: 09[IKE] sending keep alive to 17.11.7.5[4500]
Sep  2 08:55:49 sveta charon: 10[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
Sep  2 08:55:49 sveta charon: 10[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD) ]
Sep  2 08:55:49 sveta charon: 10[ENC] generating INFORMATIONAL_V1 request [Available On Request] [ HASH N(DPD_ACK) ]
Sep  2 08:55:49 sveta charon: 10[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (92 bytes)
Sep  2 08:55:59 sveta xl2tpd[4128]: Connecting to host vpn.office.com, port 1701
Sep  2 08:55:59 sveta xl2tpd[4128]: Connection established to 17.11.7.5, 1701.  Local: [Available On Request], Remote: [Available On Request] (ref=0/0).
Sep  2 08:55:59 sveta xl2tpd[4128]: Calling on tunnel [Available On Request]
Sep  2 08:55:59 sveta xl2tpd[4128]: Call established with 17.11.7.5, Local: [Available On Request], Remote: [Available On Request], Serial: 1 (ref=0/0)
Sep  2 08:55:59 sveta xl2tpd[4128]: start_pppd: I'm running:
Sep  2 08:55:59 sveta xl2tpd[4128]: "/usr/sbin/pppd"
Sep  2 08:55:59 sveta xl2tpd[4128]: "passive"
Sep  2 08:55:59 sveta xl2tpd[4128]: "nodetach"
Sep  2 08:55:59 sveta xl2tpd[4128]: ":"
Sep  2 08:55:59 sveta xl2tpd[4128]: "name"
Sep  2 08:55:59 sveta xl2tpd[4128]: "vpn.office.com\Uname"
Sep  2 08:55:59 sveta xl2tpd[4128]: "plugin"
Sep  2 08:55:59 sveta xl2tpd[4128]: "passwordfd.so"
Sep  2 08:55:59 sveta xl2tpd[4128]: "passwordfd"
Sep  2 08:55:59 sveta xl2tpd[4128]: "8"
Sep  2 08:55:59 sveta xl2tpd[4128]: "file"
Sep  2 08:55:59 sveta xl2tpd[4128]: "/etc/ppp/options.l2tpd.lns"
Sep  2 08:55:59 sveta xl2tpd[4128]: "ipparam"
Sep  2 08:55:59 sveta xl2tpd[4128]: "17.11.7.5"
Sep  2 08:55:59 sveta xl2tpd[4128]: "plugin"
Sep  2 08:55:59 sveta xl2tpd[4128]: "pppol2tp.so"
Sep  2 08:55:59 sveta xl2tpd[4128]: "pppol2tp"
Sep  2 08:55:59 sveta xl2tpd[4128]: "9"
Sep  2 08:55:59 sveta pppd[4138]: Plugin passwordfd.so loaded.
Sep  2 08:55:59 sveta pppd[4138]: Can't open options file /etc/ppp/options.l2tpd.lns: No such file or directory
Sep  2 08:55:59 sveta xl2tpd[4128]: child_handler : pppd exited for call [Available On Request] with code 2
Sep  2 08:55:59 sveta xl2tpd[4128]: call_close: Call [Available On Request] to 17.11.7.5 disconnected
Sep  2 08:55:59 sveta xl2tpd[4128]: Terminating pppd: sending TERM signal to pid 4138
Sep  2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request] (ref=0/0)
Sep  2 08:55:59 sveta xl2tpd[4128]: get_call: can't find call [Available On Request] in tunnel [Available On Request] (ref=0/0)
Sep  2 08:55:59 sveta xl2tpd[4128]: check_control: Received out of order control packet on tunnel [Available On Request] (got 3, expected 4)
Sep  2 08:55:59 sveta xl2tpd[4128]: handle_packet: bad control packet!
Sep  2 08:55:59 sveta charon: 13[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (68 bytes)
Sep  2 08:55:59 sveta charon: 13[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
Sep  2 08:55:59 sveta charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI ca6241bf
Sep  2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
Sep  2 08:55:59 sveta charon: 13[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [Available On Request] (318 bytes) [Available On Request] (398 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
Sep  2 08:55:59 sveta charon: 08[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
Sep  2 08:55:59 sveta charon: 08[ENC] parsed INFORMATIONAL_V1 request [Available On Request] [ HASH D ]
Sep  2 08:55:59 sveta charon: 08[IKE] received DELETE for IKE_SA VPN.OFFICE.COM[1]
Sep  2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Sep  2 08:55:59 sveta charon: 08[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Sep  2 08:56:21 sveta kernel: [  387.050043] device bond0 entered promiscuous mode
Sep  2 08:56:41 sveta kernel: [  406.710209] device bond0 left promiscuous mode
Sep  2 08:56:51 sveta kernel: [  417.080010] device bond0 entered promiscuous mode
Sep  2 08:57:04 sveta xl2tpd[4128]: Maximum retries exceeded for tunnel [Available On Request].  Closing.
Sep  2 08:57:04 sveta xl2tpd[4128]: Connection [Available On Request] closed to 17.11.7.5, port 1701 (Timeout)
Sep  2 08:57:09 sveta xl2tpd[4128]: Unable to deliver closing message for tunnel [Available On Request]. Destroying anyway.
Sep  2 08:57:11 sveta kernel: [  436.160583] device bond0 left promiscuous mode
Sep  2 08:57:15 sveta kernel: [  441.038056] device bond0 entered promiscuous mode
Sep  2 08:57:21 sveta kernel: [  446.590475] device bond0 left promiscuous mode
Sep  2 08:57:36 sveta kernel: [  461.822270] device bond0 entered promiscuous mode
Sep  2 08:57:54 sveta kernel: [  479.973547] device bond0 left promiscuous mode
Sep  2 08:58:06 sveta kernel: [  491.341755] device bond0 entered promiscuous mode
Sep  2 08:58:13 sveta kernel: [  498.971002] device bond0 left promiscuous mode
```

----------

## salahx

We're making progress. According to the log, it's seeing the l2tp server on the other end. That means the ipsec is up and configured properly, and traffic is flowing across it. Now the problem is pppd. pppd is getting some extraneous options from somewhere. Namely, the nonexistent "/etc/ppp/options.l2tpd.lns" is causing pppd to exit. However it shouldn't even be looking for that.

Very little configuration should be needed on the l2tp side, but there may be one tweak we need:

```

[lac vpnclient]

lns = vpn.office.com

pppoptfile = /etc/ppp/options.xl2tpd.client

name = your-login-username 

```

Some Cisco access concentrators need the "name" thing, but normally it's not needed. However, adding it won't hurt. Everything else in /etc/xl2tpd/xl2tpd.conf should be gone or commented out.

----------

## Duco Ergo Sum

I discovered a typo in the /etc/ppp/options.xl2tpd.client path, namely the missing 'x'. Also, I have added the user name as you advised, and no joy.

```

[lac vpnclient] 

lns = vpn.office.com 

pppoptfile = /etc/ppp/options.xl2tpd.client 

name = Uname

```

pppoptfile = /etc/ppp/options.xl2tpd.client

```

ipcp-accept-local

ipcp-accept-remote

refuse-eap

require-mschap-v2

noccp

noauth

mtu 1410

mru 1410

nodefaultroute

usepeerdns

lock

```

Using a sparse xl2tpd.conf (no comments, just the config we need), the following log entries are produced.

```

Sep  3 01:28:26 sveta xl2tpd[4750]: setsockopt recvref[30]: Protocol not available

Sep  3 01:28:26 sveta xl2tpd[4750]: Using l2tp kernel support.

Sep  3 01:28:26 sveta xl2tpd[4752]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4752

Sep  3 01:28:26 sveta xl2tpd[4752]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.

Sep  3 01:28:26 sveta xl2tpd[4752]: Forked by Scott Balmos and David Stipp, (C) 2001

Sep  3 01:28:26 sveta xl2tpd[4752]: Inherited by Jeff McAdams, (C) 2002

Sep  3 01:28:26 sveta xl2tpd[4752]: Forked again by Xelerance (www.xelerance.com) (C) 2006

Sep  3 01:28:26 sveta xl2tpd[4752]: Listening on IP address 0.0.0.0, port 1701

Sep  3 01:28:30 sveta xl2tpd[4752]: Connecting to host vpn.office.com, port 1701

Sep  3 01:28:35 sveta xl2tpd[4752]: Maximum retries exceeded for tunnel 41.  Closing.

Sep  3 01:28:35 sveta xl2tpd[4752]: Connection 0 closed to 17.11.7.5, port 1701 (Timeout)

Sep  3 01:28:35 sveta kernel: [ 5494.780053] device eno1 entered promiscuous mode

Sep  3 01:28:39 sveta kernel: [ 5498.420761] device eno1 left promiscuous mode

Sep  3 01:28:40 sveta xl2tpd[4752]: Unable to deliver closing message for tunnel 41. Destroying anyway.

```

I have even tried swapping the [lac vpnclient] for [lac VPN.OFFICE.COM]; it only served to prove that the config is read at the start-up of xl2tpd.

----------

## salahx

The name used for the lac isn't important. It's not seeing the l2tp server again. Be sure the strongSwan connection is up, and try again. If it still won't work, stop strongswan and xl2tp, in another window do an "ip xfrm monitor", then start strongswan and xl2tpd. Connect via strongSwan and the "ip xfrm monitor" window should display some stuff. Make a connection with xl2tpd-connect and more stuff will appear in the other window (warning: this command outputs the secret keys for the ipsec connection. The real keys have been replaced with 0's).

Something like this:

```

Updated src 192.168.10.108 dst 192.168.10.17

   proto esp spi 0xc3e3e289 reqid 4 mode transport

   replay-window 32 

   auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96

   enc cbc(aes) 0x0000000000000000000000000000000

   sel src 192.168.10.108/32 dst 192.168.10.17/32 

src 192.168.10.17 dst 192.168.10.108

   proto esp spi 0xcdfbb1d9 reqid 4 mode transport

   replay-window 32 

   auth-trunc hmac(sha1) 0x000000000000000000000000000000000000000 96

   enc cbc(aes) 0x0000000000000000000000000000000

   sel src 192.168.10.17/32 dst 192.168.10.108/32 

src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701 

   dir out action block priority 7936 ptype main 

src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701 

   dir in action block priority 7936 ptype main 

Updated src 192.168.10.17/32 dst 192.168.10.108/32 proto udp sport 1701 dport 1701 

   dir out priority 1792 ptype main 

   tmpl src 0.0.0.0 dst 0.0.0.0

      proto esp reqid 4 mode transport

Updated src 192.168.10.108/32 dst 192.168.10.17/32 proto udp sport 1701 dport 1701 

   dir in priority 1792 ptype main 

   tmpl src 0.0.0.0 dst 0.0.0.0

      proto esp reqid 4 mode transport

Async event  (0x20)  timer expired 

   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289

Async event  (0x20)  timer expired 

   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289

Async event  (0x20)  timer expired 

   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289

Async event  (0x20)  timer expired 

   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9

Async event  (0x10)  replay update 

   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9

Async event  (0x10)  replay update 

   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289

Async event  (0x10)  replay update 

   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9

Async event  (0x10)  replay update 

   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289

Async event  (0x10)  replay update 

   src 192.168.10.17 dst 192.168.10.108  reqid 0x4 protocol esp  SPI 0xcdfbb1d9

Async event  (0x10)  replay update 

   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289

Async event  (0x10)  replay update 

   src 192.168.10.108 dst 192.168.10.17  reqid 0x4 protocol esp  SPI 0xc3e3e289

....

```

----------

## Duco Ergo Sum

After the first failed attempt to connect with xl2tpd the ipsec connection is taken down. Thus all subsequent attempts to connect with xl2tpd fail.

```
# xl2tpd-control connect vpnclient vpn.office.com
00 OK
```

```

Updated src 17.11.7.5 dst 1.2.3.4

        proto esp spi SPI_VALUE_1 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 17.11.7.5/32 dst 1.2.3.4/32 

src 1.2.3.4 dst 17.11.7.5

        proto esp spi SPI_VALUE_2 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 1.2.3.4/32 dst 17.11.7.5/32 

src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority 7936 ptype main 

src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority 7936 ptype main 

Updated src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 1 mode transport

Updated src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 1 mode transport

Async event  (0x20)  timer expired 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x20)  timer expired 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x20)  timer expired                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x20)  timer expired                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x20)  timer expired                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x20)  timer expired                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Deleted src 17.11.7.5 dst 1.2.3.4                                                                            

        proto esp spi SPI_VALUE_1 reqid 1 mode transport                                                            

        replay-window 32                                                                                           

        auth-trunc hmac(sha1) [HIDDEN] 96                                        

        enc cbc(des3_ede) [HIDDEN]                                       

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0                                                     

        sel src 17.11.7.5/32 dst 1.2.3.4/32                                                                  

Deleted src 1.2.3.4 dst 17.11.7.5                                                                            

        proto esp spi SPI_VALUE_2 reqid 1 mode transport                                                            

        replay-window 32                                                                                           

        auth-trunc hmac(sha1) [HIDDEN] 96                                        

        enc cbc(des3_ede) [HIDDEN]                                       

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0                                                     

        sel src 1.2.3.4/32 dst 17.11.7.5/32                                                                  

Updated src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority 7936 ptype main 

Updated src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority 7936 ptype main 

Deleted src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority 7936 ptype main 

Deleted src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority 7936 ptype main

```

```
# ipsec up VPN.OFFICE.COM

initiating Main Mode IKE_SA VPN.OFFICE.COM[4] to 17.11.7.5

generating ID_PROT request 0 [ SA V V V V ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)

parsed ID_PROT response 0 [ SA V V ]

received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

received FRAGMENTATION vendor ID

generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)

parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]

received Cisco Unity vendor ID

received XAuth vendor ID

received unknown vendor ID: [HIDDEN]

received unknown vendor ID: [HIDDEN]

local host is behind NAT, sending keep alives

generating ID_PROT request 0 [ ID HASH ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

parsed ID_PROT response 0 [ ID HASH V ]

received DPD vendor ID

IKE_SA VPN.OFFICE.COM[4] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

generating QUICK_MODE request QUICK_MODE_VALUE [ HASH SA No ID ID NAT-OA NAT-OA ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)

parsed QUICK_MODE response QUICK_MODE_VALUE [ HASH SA No ID ID N((24576)) NAT-OA ]

received 28800s lifetime, configured 0s

CHILD_SA VPN.OFFICE.COM{4} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

connection 'VPN.OFFICE.COM' established successfully

```

```
# ipsec down VPN.OFFICE.COM

closing CHILD_SA VPN.OFFICE.COM{4} with SPIs [HIDDEN] (0 bytes) [HIDDEN] (0 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

IKE_SA [4] closed successfully

```

ip xfrm monitor output for an ipsec up / down cycle. This is just to show when xl2tpd starts and stops above.

```

Updated src 17.11.7.5 dst 1.2.3.4

        proto esp spi [HIDDEN] reqid 4 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 17.11.7.5/32 dst 1.2.3.4/32 

src 1.2.3.4 dst 17.11.7.5

        proto esp spi [HIDDEN] reqid 4 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 1.2.3.4/32 dst 17.11.7.5/32 

src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority 7936 ptype main 

src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority 7936 ptype main 

Updated src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 4 mode transport

Updated src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 4 mode transport

Deleted src 17.11.7.5 dst 1.2.3.4

        proto esp spi [HIDDEN] reqid 4 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 17.11.7.5/32 dst 1.2.3.4/32 

Deleted src 1.2.3.4 dst 17.11.7.5

        proto esp spi [HIDDEN] reqid 4 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 1.2.3.4/32 dst 17.11.7.5/32 

Updated src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority 7936 ptype main 

Updated src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority 7936 ptype main 

Deleted src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority 7936 ptype main 

Deleted src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority 7936 ptype main

```

----------

## salahx

Ok, well at least that explains why sometimes xl2tp fails to connect: after the first xl2tp connection fails (for whatever reason), all subsequent attempts will always fail because the ipsec responder (server) tears down the connection after l2tp fails. This is actually good news: this means ipsec is configured properly on our side.

So I need to know what's causing the initial l2tp/ppp failure. So do a "strongswan up vpnclient" immediately followed by "xl2tp connect" (a shell script may be handy here, since I have a feeling that if the l2tp connection isn't started "soon" after ipsec connect, it'll disconnect it) and paste the xl2tpd/pppd logs.
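
One way to script the "bring IPsec up, then connect L2TP immediately" sequence asked for above, with a triage of the xl2tpd/pppd log lines that appear in this thread; this is an added example, not salahx's or the OP's script. It assumes the connection name VPN.OFFICE.COM and the [lac vpnclient] section from the thread, and that syslog writes to /var/log/messages (an assumption).

```shell
#!/bin/sh
# Constructed example: bring up the IPsec CHILD_SA and start the L2TP tunnel
# right away, because the responder deletes the CHILD_SA when no L2TP
# traffic follows, after which every later xl2tpd attempt times out.
IPSEC_CONN="${IPSEC_CONN:-VPN.OFFICE.COM}"   # name in ipsec.conf (from thread)
LAC_NAME="${LAC_NAME:-vpnclient}"            # [lac vpnclient] in xl2tpd.conf
GATEWAY="${GATEWAY:-vpn.office.com}"
LOG="${LOG:-/var/log/messages}"              # assumption: syslog destination

# Return 0 when the captured 'ipsec up' output reports success; strongSwan
# prints "connection 'NAME' established successfully" in that case.
ipsec_up_succeeded() {
    # $1 = output of 'ipsec up', $2 = connection name
    printf '%s\n' "$1" | grep -q "connection '$2' established successfully"
}

# Return 0 when xl2tpd-control accepted the request ("00 OK" in the thread).
xl2tpd_control_ok() {
    printf '%s\n' "$1" | grep -q '^00 OK'
}

# Classify the most recent xl2tpd/pppd log lines into the failure modes seen
# in this thread. Checked in order of severity, so a pppd exit wins over a
# later "Connect:" line from a previous attempt.
classify_l2tp_log() {
    if printf '%s\n' "$1" | grep -q 'pppd exited for call .* with code 2'; then
        echo pppd-options      # pppd rejected its options (bad/missing file)
    elif printf '%s\n' "$1" | grep -q 'Maximum retries exceeded'; then
        echo lns-timeout       # LNS never answered over the tunnel
    elif printf '%s\n' "$1" | grep -q 'Connect: ppp[0-9]* <-->'; then
        echo ppp-started       # pppd attached to the L2TP channel
    else
        echo unknown
    fi
}

connect_vpn() {
    # Start from a clean state: a half-torn-down IKE_SA makes the next
    # xl2tpd attempt fail, as the xfrm monitor output above shows.
    ipsec down "$IPSEC_CONN" >/dev/null 2>&1 || true
    out=$(ipsec up "$IPSEC_CONN" 2>&1)
    if ! ipsec_up_succeeded "$out" "$IPSEC_CONN"; then
        printf 'IPsec did not come up:\n%s\n' "$out" >&2
        return 1
    fi
    # No sleep here on purpose: the L2TP SCCRQ must follow QUICK_MODE
    # promptly or the responder deletes the CHILD_SA.
    reply=$(xl2tpd-control connect "$LAC_NAME" "$GATEWAY" 2>&1)
    if ! xl2tpd_control_ok "$reply"; then
        printf 'xl2tpd-control rejected the connect: %s\n' "$reply" >&2
        ipsec down "$IPSEC_CONN" >/dev/null 2>&1 || true
        return 1
    fi
    # Give pppd a few seconds, then report what the log says happened.
    sleep 5
    classify_l2tp_log "$(grep -E 'xl2tpd|pppd' "$LOG" | tail -n 40)"
}

# Run only when invoked as "sh l2tp-connect.sh run", so the functions can
# also be sourced into another shell for testing.
if [ "${1:-}" = run ]; then
    connect_vpn
fi
```

Run it as root with `sh l2tp-connect.sh run`; the final word it prints is the triage result for the attempt.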

----------

## Duco Ergo Sum

I have to head to work now, so it will be a while before I can provide any more information.

```
ipsec up VNP.OFFICE.COM && xl2tpd-control connect vpnclient vpn.office.com
```

```

Updated src 17.11.7.5 dst 1.2.3.4

        proto esp spi SPI_VALUE_1 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 17.11.7.5/32 dst 1.2.3.4/32 

src 1.2.3.4 dst 17.11.7.5

        proto esp spi SPI_VALUE_2 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 1.2.3.4/32 dst 17.11.7.5/32 

src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority 7936 ptype main 

src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority 7936 ptype main 

Updated src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 1 mode transport

Updated src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 1 mode transport

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Deleted src 17.11.7.5 dst 1.2.3.4

        proto esp spi SPI_VALUE_1 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 17.11.7.5/32 dst 1.2.3.4/32 

Deleted src 1.2.3.4 dst 17.11.7.5

        proto esp spi SPI_VALUE_2 reqid 1 mode transport

```

```

Sep  3 10:19:50 sveta ipsec_starter[5910]: Starting strongSwan 5.1.3 IPsec [starter]...

Sep  3 10:19:50 sveta charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.14.14-gentoo, x86_64)

Sep  3 10:19:50 sveta charon: 00[CFG] attr-sql plugin: database URI not set

Sep  3 10:19:50 sveta charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Sep  3 10:19:50 sveta charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Sep  3 10:19:50 sveta charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Sep  3 10:19:50 sveta charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Sep  3 10:19:50 sveta charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'

Sep  3 10:19:50 sveta charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'

Sep  3 10:19:50 sveta charon: 00[CFG]   loaded IKE secret for %any

Sep  3 10:19:50 sveta charon: 00[CFG]   loaded EAP secret for Uname

Sep  3 10:19:50 sveta charon: 00[CFG] sql plugin: database URI not set

Sep  3 10:19:50 sveta charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory

Sep  3 10:19:50 sveta charon: 00[CFG] eap-simaka-sql database URI missing

Sep  3 10:19:50 sveta charon: 00[CFG] loaded 0 RADIUS server configurations

Sep  3 10:19:50 sveta charon: 00[LIB] loaded plugins: charon curl ldap mysql sqlite aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic dhcp

Sep  3 10:19:50 sveta charon: 00[LIB] unable to load 13 plugin features (9 due to unmet dependencies)

Sep  3 10:19:50 sveta charon: 00[LIB] dropped capabilities, running as uid 116, gid 985

Sep  3 10:19:50 sveta charon: 00[JOB] spawning 16 worker threads

Sep  3 10:19:50 sveta ipsec_starter[5919]: charon (5920) started after 20 ms

Sep  3 10:19:50 sveta charon: 05[CFG] received stroke: add connection 'VNP.OFFICE.COM'

Sep  3 10:19:50 sveta charon: 05[CFG] left nor right host is our side, assuming left=local

Sep  3 10:19:50 sveta charon: 05[CFG] added configuration 'VNP.OFFICE.COM'

Sep  3 10:20:00 sveta xl2tpd[5960]: setsockopt recvref[30]: Protocol not available

Sep  3 10:20:00 sveta xl2tpd[5960]: Using l2tp kernel support.

Sep  3 10:20:00 sveta xl2tpd[5961]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:5961

Sep  3 10:20:00 sveta xl2tpd[5961]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.

Sep  3 10:20:00 sveta xl2tpd[5961]: Forked by Scott Balmos and David Stipp, (C) 2001

Sep  3 10:20:00 sveta xl2tpd[5961]: Inherited by Jeff McAdams, (C) 2002

Sep  3 10:20:00 sveta xl2tpd[5961]: Forked again by Xelerance (www.xelerance.com) (C) 2006

Sep  3 10:20:00 sveta xl2tpd[5961]: Listening on IP address 0.0.0.0, port 1701

Sep  3 10:20:01 sveta cron[5968]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)

Sep  3 10:20:08 sveta charon: 07[CFG] received stroke: initiate 'VNP.OFFICE.COM'

Sep  3 10:20:08 sveta charon: 09[IKE] initiating Main Mode IKE_SA VNP.OFFICE.COM[1] to 17.11.7.5

Sep  3 10:20:08 sveta charon: 09[IKE] initiating Main Mode IKE_SA VNP.OFFICE.COM[1] to 17.11.7.5

Sep  3 10:20:08 sveta charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V ]

Sep  3 10:20:08 sveta charon: 09[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

Sep  3 10:20:08 sveta charon: 10[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)

Sep  3 10:20:08 sveta charon: 10[ENC] parsed ID_PROT response 0 [ SA V V ]

Sep  3 10:20:08 sveta charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

Sep  3 10:20:08 sveta charon: 10[IKE] received FRAGMENTATION vendor ID

Sep  3 10:20:08 sveta charon: 10[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

Sep  3 10:20:08 sveta charon: 10[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)

Sep  3 10:20:08 sveta charon: 11[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)

Sep  3 10:20:08 sveta charon: 11[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]

Sep  3 10:20:08 sveta charon: 11[IKE] received Cisco Unity vendor ID

Sep  3 10:20:08 sveta charon: 11[IKE] received XAuth vendor ID

Sep  3 10:20:08 sveta charon: 11[ENC] received unknown vendor ID: [HIDDEN]

Sep  3 10:20:08 sveta charon: 11[ENC] received unknown vendor ID: [HIDDEN]

Sep  3 10:20:08 sveta charon: 11[IKE] local host is behind NAT, sending keep alives

Sep  3 10:20:08 sveta charon: 11[ENC] generating ID_PROT request 0 [ ID HASH ]

Sep  3 10:20:08 sveta charon: 11[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

Sep  3 10:20:08 sveta charon: 12[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

Sep  3 10:20:08 sveta charon: 12[ENC] parsed ID_PROT response 0 [ ID HASH V ]

Sep  3 10:20:08 sveta charon: 12[IKE] received DPD vendor ID

Sep  3 10:20:08 sveta charon: 12[IKE] IKE_SA VNP.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  3 10:20:08 sveta charon: 12[IKE] IKE_SA VNP.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  3 10:20:08 sveta charon: 12[ENC] generating QUICK_MODE request QUICK_MODE_VALUE [ HASH SA No ID ID NAT-OA NAT-OA ]

Sep  3 10:20:08 sveta charon: 12[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)

Sep  3 10:20:08 sveta charon: 13[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)

Sep  3 10:20:08 sveta charon: 13[ENC] parsed QUICK_MODE response QUICK_MODE_VALUE [ HASH SA No ID ID N((24576)) NAT-OA ]

Sep  3 10:20:08 sveta charon: 13[IKE] received 28800s lifetime, configured 0s

Sep  3 10:20:08 sveta charon: 13[IKE] CHILD_SA VNP.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  3 10:20:08 sveta charon: 13[IKE] CHILD_SA VNP.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  3 10:20:08 sveta charon: 13[ENC] generating QUICK_MODE request QUICK_MODE_VALUE [ HASH ]

Sep  3 10:20:08 sveta charon: 13[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (60 bytes)

Sep  3 10:20:08 sveta xl2tpd[5961]: Connecting to host vpn.office.com, port 1701

Sep  3 10:20:08 sveta xl2tpd[5961]: Connection established to 17.11.7.5, 1701.  Local: [HIDDEN], Remote: [HIDDEN] (ref=0/0).

Sep  3 10:20:08 sveta xl2tpd[5961]: Calling on tunnel [HIDDEN]

Sep  3 10:20:08 sveta xl2tpd[5961]: Call established with 17.11.7.5, Local: [HIDDEN], Remote: [HIDDEN], Serial: 1 (ref=0/0)

Sep  3 10:20:08 sveta xl2tpd[5961]: start_pppd: I'm running: 

Sep  3 10:20:08 sveta xl2tpd[5961]: "/usr/sbin/pppd" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "passive" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "nodetach" 

Sep  3 10:20:08 sveta xl2tpd[5961]: ":" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "name" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "vpn.office.com" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "file" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "/etc/ppp/options.xl2tpd.lns" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "ipparam" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "17.11.7.5" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "plugin" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "pppol2tp.so" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "pppol2tp" 

Sep  3 10:20:08 sveta xl2tpd[5961]: "8" 

Sep  3 10:20:08 sveta pppd[5985]: Plugin pppol2tp.so loaded.

Sep  3 10:20:08 sveta pppd[5985]: pppd 2.4.7 started by huoshe, uid 0

Sep  3 10:20:08 sveta pppd[5985]: Using interface ppp0

Sep  3 10:20:08 sveta pppd[5985]: Connect: ppp0 <--> 

Sep  3 10:20:08 sveta pppd[5985]: Overriding mtu 1500 to 1410

Sep  3 10:20:08 sveta pppd[5985]: Overriding mru 1500 to mtu value 1410

Sep  3 10:20:08 sveta NetworkManager[2719]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...

Sep  3 10:20:08 sveta xl2tpd[5961]: control_finish: Connection closed to 17.11.7.5, port 1701 (No Error), Local: [HIDDEN], Remote: [HIDDEN]

Sep  3 10:20:08 sveta xl2tpd[5961]: Terminating pppd: sending TERM signal to pid 5985

Sep  3 10:20:08 sveta pppd[5985]: Terminating on signal 15

Sep  3 10:20:08 sveta charon: 04[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (68 bytes)

Sep  3 10:20:08 sveta charon: 04[ENC] parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]

Sep  3 10:20:08 sveta charon: 04[IKE] received DELETE for ESP CHILD_SA with SPI 3212ae5c

Sep  3 10:20:08 sveta charon: 04[IKE] closing CHILD_SA VNP.OFFICE.COM{1} with SPIs [HIDDEN] (1031 bytes) [HIDDEN] (900 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  3 10:20:08 sveta charon: 04[IKE] closing CHILD_SA VNP.OFFICE.COM{1} with SPIs [HIDDEN] (1031 bytes) [HIDDEN] (900 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  3 10:20:08 sveta charon: 05[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

Sep  3 10:20:08 sveta charon: 05[ENC] parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]

Sep  3 10:20:08 sveta charon: 05[IKE] received DELETE for IKE_SA VNP.OFFICE.COM[1]

Sep  3 10:20:08 sveta charon: 05[IKE] deleting IKE_SA VNP.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  3 10:20:08 sveta charon: 05[IKE] deleting IKE_SA VNP.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  3 10:20:14 sveta pppd[5985]: Connection terminated.

Sep  3 10:20:14 sveta avahi-daemon[3046]: Withdrawing workstation service for ppp0.

Sep  3 10:20:14 sveta charon: 12[KNL] interface ppp0 deleted

Sep  3 10:20:14 sveta pppd[5985]: Modem hangup

Sep  3 10:20:14 sveta pppd[5985]: Exit.

Sep  3 10:21:31 sveta su[5887]: pam_unix(su:session): session closed for user root

Sep  3 10:21:47 sveta xl2tpd[5961]: Session 'vpnclient' not up

Sep  3 10:21:51 sveta charon: 08[CFG] received stroke: terminate 'VNP.OFFICE.COM'

Sep  3 10:21:51 sveta charon: 08[CFG] no IKE_SA named 'VNP.OFFICE.COM' found

Sep  3 10:21:56 sveta xl2tpd[5961]: death_handler: Fatal signal 15 received

Sep  3 10:22:01 sveta charon: 00[DMN] signal of type SIGINT received. Shutting down

Sep  3 10:22:01 sveta ipsec_starter[5919]: charon stopped after 200 ms

Sep  3 10:22:01 sveta ipsec_starter[5919]: ipsec starter stopped

```

----------

## salahx

Ok, ipsec and l2tp are working; the problem now is pppd. Either it's failing to authenticate OR there's something in the option file it doesn't like. You can add "debug" to the ppp option file or specify "ppp debug = yes" in xl2tpd.conf for more info (Warning: This discloses password hashes).

----------

## Duco Ergo Sum

I have set ppp debug to yes.

I have tried with mtu & mru commented out; that didn't help.  I have also tried with noauth commented out; again, no progress.

ppp debug = y

Connection Log

```

Sep  4 00:33:16 sveta ipsec_starter[4013]: Starting strongSwan 5.1.3 IPsec [starter]...

Sep  4 00:33:16 sveta charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.14.14-gentoo, x86_64)

Sep  4 00:33:16 sveta charon: 00[CFG] attr-sql plugin: database URI not set

Sep  4 00:33:16 sveta charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Sep  4 00:33:16 sveta charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Sep  4 00:33:16 sveta charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Sep  4 00:33:16 sveta charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Sep  4 00:33:16 sveta charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'

Sep  4 00:33:16 sveta charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'

Sep  4 00:33:16 sveta charon: 00[CFG]   loaded IKE secret for %any

Sep  4 00:33:16 sveta charon: 00[CFG]   loaded EAP secret for user-name

Sep  4 00:33:16 sveta charon: 00[CFG] sql plugin: database URI not set

Sep  4 00:33:16 sveta charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory

Sep  4 00:33:16 sveta charon: 00[CFG] eap-simaka-sql database URI missing

Sep  4 00:33:16 sveta charon: 00[CFG] loaded 0 RADIUS server configurations

Sep  4 00:33:16 sveta charon: 00[LIB] loaded plugins: charon curl ldap mysql sqlite aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 

pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 

eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic dhcp

Sep  4 00:33:16 sveta charon: 00[LIB] unable to load 13 plugin features (9 due to unmet dependencies)

Sep  4 00:33:16 sveta charon: 00[LIB] dropped capabilities, running as uid 116, gid 985

Sep  4 00:33:16 sveta charon: 00[JOB] spawning 16 worker threads

Sep  4 00:33:16 sveta ipsec_starter[4022]: charon (4023) started after 40 ms

Sep  4 00:33:16 sveta charon: 04[CFG] received stroke: add connection 'VPN.OFFICE.COM'

Sep  4 00:33:16 sveta charon: 04[CFG] left nor right host is our side, assuming left=local

Sep  4 00:33:16 sveta charon: 04[CFG] added configuration 'VPN.OFFICE.COM'

Sep  4 00:33:23 sveta xl2tpd[4062]: setsockopt recvref[30]: Protocol not available

Sep  4 00:33:23 sveta xl2tpd[4062]: Using l2tp kernel support.

Sep  4 00:33:23 sveta xl2tpd[4063]: xl2tpd version xl2tpd-1.3.1 started on sveta PID:4063

Sep  4 00:33:23 sveta xl2tpd[4063]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.

Sep  4 00:33:23 sveta xl2tpd[4063]: Forked by Scott Balmos and David Stipp, (C) 2001

Sep  4 00:33:23 sveta xl2tpd[4063]: Inherited by Jeff McAdams, (C) 2002

Sep  4 00:33:23 sveta xl2tpd[4063]: Forked again by Xelerance (www.xelerance.com) (C) 2006

Sep  4 00:33:23 sveta xl2tpd[4063]: Listening on IP address 0.0.0.0, port 1701

Sep  4 00:33:39 sveta su[4074]: Successful su for root by huoshe

Sep  4 00:33:39 sveta su[4074]: + /dev/pts/2 huoshe:root

Sep  4 00:33:39 sveta su[4074]: pam_unix(su:session): session opened for user root by huoshe(uid=1000)

Sep  4 00:33:58 sveta charon: 13[CFG] received stroke: initiate 'VPN.OFFICE.COM'

Sep  4 00:33:58 sveta charon: 15[IKE] initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5

Sep  4 00:33:58 sveta charon: 15[IKE] initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5

Sep  4 00:33:58 sveta charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V ]

Sep  4 00:33:58 sveta charon: 15[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

Sep  4 00:33:58 sveta charon: 07[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)

Sep  4 00:33:58 sveta charon: 07[ENC] parsed ID_PROT response 0 [ SA V V ]

Sep  4 00:33:58 sveta charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

Sep  4 00:33:58 sveta charon: 07[IKE] received FRAGMENTATION vendor ID

Sep  4 00:33:58 sveta charon: 07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

Sep  4 00:33:58 sveta charon: 07[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)

Sep  4 00:33:58 sveta charon: 08[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)

Sep  4 00:33:58 sveta charon: 08[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]

Sep  4 00:33:58 sveta charon: 08[IKE] received Cisco Unity vendor ID

Sep  4 00:33:58 sveta charon: 08[IKE] received XAuth vendor ID

Sep  4 00:33:58 sveta charon: 08[ENC] received unknown vendor ID: [HIDDEN]

Sep  4 00:33:58 sveta charon: 08[ENC] received unknown vendor ID: [HIDDEN]

Sep  4 00:33:58 sveta charon: 08[IKE] local host is behind NAT, sending keep alives

Sep  4 00:33:58 sveta charon: 08[ENC] generating ID_PROT request 0 [ ID HASH ]

Sep  4 00:33:58 sveta charon: 08[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

Sep  4 00:33:58 sveta charon: 05[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

Sep  4 00:33:58 sveta charon: 05[ENC] parsed ID_PROT response 0 [ ID HASH V ]

Sep  4 00:33:58 sveta charon: 05[IKE] received DPD vendor ID

Sep  4 00:33:58 sveta charon: 05[IKE] IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  4 00:33:58 sveta charon: 05[IKE] IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  4 00:33:58 sveta charon: 05[ENC] generating QUICK_MODE request QUICK_VALUE [ HASH SA No ID ID NAT-OA NAT-OA ]

Sep  4 00:33:58 sveta charon: 05[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)

Sep  4 00:33:58 sveta charon: 04[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)

Sep  4 00:33:58 sveta charon: 04[ENC] parsed QUICK_MODE response QUICK_VALUE [ HASH SA No ID ID N((24576)) NAT-OA ]

Sep  4 00:33:58 sveta charon: 04[IKE] received 28800s lifetime, configured 0s

Sep  4 00:33:58 sveta charon: 04[IKE] CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  4 00:33:58 sveta charon: 04[IKE] CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  4 00:33:58 sveta charon: 04[ENC] generating QUICK_MODE request QUICK_VALUE [ HASH ]

Sep  4 00:33:58 sveta charon: 04[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (60 bytes)

Sep  4 00:33:58 sveta xl2tpd[4063]: Connecting to host vpn.office.com, port 1701

Sep  4 00:33:58 sveta xl2tpd[4063]: Connection established to 17.11.7.5, 1701.  Local: [HIDDEN], Remote: [HIDDEN] (ref=0/0).

Sep  4 00:33:58 sveta xl2tpd[4063]: Calling on tunnel [HIDDEN]

Sep  4 00:33:58 sveta xl2tpd[4063]: Call established with 17.11.7.5, Local: [HIDDEN], Remote: [HIDDEN], Serial: 1 (ref=0/0)

Sep  4 00:33:58 sveta xl2tpd[4063]: start_pppd: I'm running: 

Sep  4 00:33:58 sveta xl2tpd[4063]: "/usr/sbin/pppd" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "passive" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "nodetach" 

Sep  4 00:33:58 sveta xl2tpd[4063]: ":" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "name" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "vpn.office.com" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "debug" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "file" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "/etc/ppp/options.xl2tpd.lns" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "ipparam" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "17.11.7.5" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "plugin" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "pppol2tp.so" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "pppol2tp" 

Sep  4 00:33:58 sveta xl2tpd[4063]: "8" 

Sep  4 00:33:58 sveta pppd[4115]: Plugin pppol2tp.so loaded.

Sep  4 00:33:58 sveta pppd[4115]: pppd 2.4.7 started by huoshe, uid 0

Sep  4 00:33:58 sveta pppd[4115]: using channel 1

Sep  4 00:33:58 sveta pppd[4115]: Using interface ppp0

Sep  4 00:33:58 sveta pppd[4115]: Connect: ppp0 <--> 

Sep  4 00:33:58 sveta pppd[4115]: Overriding mtu 1500 to 1410

Sep  4 00:33:58 sveta pppd[4115]: PPPoL2TP options: debugmask 0

Sep  4 00:33:58 sveta pppd[4115]: Overriding mru 1500 to mtu value 1410

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic PPP_Numbers>]

Sep  4 00:33:58 sveta NetworkManager[2719]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfRej id=0x1 <mru 1410> <asyncmap 0x0>]

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfReq id=0x2 <magic PPP_Numbers>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x1 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfAck id=0x2 <magic PPP_Numbers>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x2 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x2 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x3 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x3 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x4 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x4 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x5 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x5 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x6 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x6 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x7 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x7 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x8 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x8 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x9 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x9 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0xa <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0xa <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0xb <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0xb <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0xc <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0xc <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0xd <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0xd <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0xe <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0xe <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0xf <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0xf <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x10 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x10 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x11 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x11 <auth chap MS-v2>]

Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x12 <auth chap MS-v2> <magic PPP_Mushrooms>]

Sep  4 00:33:58 sveta pppd[4115]: No auth is possible

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x12 <auth chap MS-v2>]

Sep  4 00:33:58 sveta xl2tpd[4063]: control_finish: Connection closed to 17.11.7.5, port 1701 (No Error), Local: [HIDDEN], Remote: [HIDDEN]

Sep  4 00:33:58 sveta xl2tpd[4063]: Terminating pppd: sending TERM signal to pid 4115

Sep  4 00:33:58 sveta pppd[4115]: Terminating on signal 15

Sep  4 00:33:58 sveta pppd[4115]: sent [LCP TermReq id=0x3 "User request"]

Sep  4 00:33:58 sveta charon: 11[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (68 bytes)

Sep  4 00:33:58 sveta charon: 11[ENC] parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]

Sep  4 00:33:58 sveta charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI SPI_VALUE_3

Sep  4 00:33:58 sveta charon: 11[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [HIDDEN] (992 bytes) [HIDDEN] (878 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  4 00:33:58 sveta charon: 11[IKE] closing CHILD_SA VPN.OFFICE.COM{1} with SPIs [HIDDEN] (992 bytes) [HIDDEN] (878 bytes) and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep  4 00:33:58 sveta charon: 12[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

Sep  4 00:33:58 sveta charon: 12[ENC] parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]

Sep  4 00:33:58 sveta charon: 12[IKE] received DELETE for IKE_SA VPN.OFFICE.COM[1]

Sep  4 00:33:58 sveta charon: 12[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  4 00:33:58 sveta charon: 12[IKE] deleting IKE_SA VPN.OFFICE.COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep  4 00:34:01 sveta pppd[4115]: sent [LCP TermReq id=0x4 "User request"]

Sep  4 00:34:04 sveta pppd[4115]: Connection terminated.

Sep  4 00:34:04 sveta avahi-daemon[3046]: Withdrawing workstation service for ppp0.

Sep  4 00:34:04 sveta charon: 13[KNL] interface ppp0 deleted

Sep  4 00:34:04 sveta pppd[4115]: Modem hangup

Sep  4 00:34:04 sveta pppd[4115]: Exit.

```

`# ip xfrm monitor`

```

Updated src 17.11.7.5 dst 1.2.3.4

        proto esp spi SPI_VALUE_1 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 17.11.7.5/32 dst 1.2.3.4/32 

src 1.2.3.4 dst 17.11.7.5

        proto esp spi SPI_VALUE_2 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 1.2.3.4/32 dst 17.11.7.5/32 

src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority [HIDDEN] ptype main 

src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority [HIDDEN] ptype main 

Updated src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 1 mode transport

Updated src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in priority 1792 ptype main 

        tmpl src 0.0.0.0 dst 0.0.0.0

                proto esp reqid 1 mode transport

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1

Async event  (0x10)  replay update 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Async event  (0x10)  replay update 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 17.11.7.5 dst 1.2.3.4  reqid 0x1 protocol esp  SPI SPI_VALUE_1                                    

Async event  (0x10)  replay update                                                                                 

        src 1.2.3.4 dst 17.11.7.5  reqid 0x1 protocol esp  SPI SPI_VALUE_2

Deleted src 17.11.7.5 dst 1.2.3.4

        proto esp spi SPI_VALUE_1 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 17.11.7.5/32 dst 1.2.3.4/32 

Deleted src 1.2.3.4 dst 17.11.7.5

        proto esp spi SPI_VALUE_2 reqid 1 mode transport

        replay-window 32 

        auth-trunc hmac(sha1) [HIDDEN] 96

        enc cbc(des3_ede) [HIDDEN]

        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

        sel src 1.2.3.4/32 dst 17.11.7.5/32 

Updated src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority [HIDDEN] ptype main 

Updated src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority [HIDDEN] ptype main 

Deleted src 1.2.3.4/32 dst 17.11.7.5/32 proto udp sport 1701 dport 1701 

        dir out action block priority [HIDDEN] ptype main 

Deleted src 17.11.7.5/32 dst 1.2.3.4/32 proto udp sport 1701 dport 1701 

        dir in action block priority [HIDDEN] ptype main

```

Last edited by Duco Ergo Sum on Fri Sep 05, 2014 12:16 am; edited 1 time in total

----------

## salahx

It's definitely a ppp auth problem. In this case, the client and server aren't agreeing on what auth to use. The server must not be required to authenticate to the client (so we need "noauth") while the client authenticates the server using mschap-v2.

Since pppd's default is not to require authentication, and to authenticate if asked, maybe (for now) commenting out "pppoptfile" might be enough to let it connect if all the defaults are good. Failing that, I'd try making "/etc/ppp/options.xl2tpd.lns" an empty file and connecting with that, and then if that doesn't work, slowly add on to the file (starting with "noauth") and see if it changes the output of pppd.

I no longer need any more dumps of "ip xfrm monitor" or strongSwan since we know those work; the important one is pppd. You may need to restart xl2tpd with every modification of "/etc/ppp/options.xl2tpd.lns" and definitely need to restart if you modify xl2tpd.conf. Don't forget to bring up the ipsec connection with every failed attempt, too (`ipsec up VNP.OFFICE.COM && xl2tpd-control connect vpnclient vpn.office.com OFFICE-NAME\\your-login-username your-login-password`; you may be able to drop the "OFFICE-NAME\\" part).

----------

## Duco Ergo Sum

I tried with:

```

ipsec up VNP.OFFICE.COM && xl2tpd-control connect vpnclient \\your-login-username your-login-password

```

options.xl2tpd.client

```

noauth

```

That seemed to create a connection for a short period.  So I then started playing with options and thus far have failed to repeat that momentary success.  At the moment I'm in the office and thus unable to experiment.  I will provide more info once I'm back at my PC.

----------

## salahx

The backslashes are only needed if the domain is included - so it's either "OFFICE-NAME\\your-login-username" or simply "your-login-username". Windows should take either one. If you have pppd debug enabled, you'll see a line with a hash and either "M=Access denied" or "M=Access granted". If you see the former, then at least it's getting as far as trying to authenticate. If you see the latter, you connected successfully. If you see neither (like the earlier "No auth is possible") then something is probably wrong in the options file.
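As an added example (not code from the thread or from pppd/xl2tpd), a small triage script that applies the reading of pppd debug output given in the two replies above: it looks for the LCP `<auth ...>` ConfReq/ConfRej exchange and "No auth is possible" (client and server not agreeing on auth) and for the "M=Access denied" / "M=Access granted" result strings. The sample log lines are constructed to resemble the ones posted, with magic numbers and hashes replaced by placeholders.

```python
import re
from dataclasses import dataclass, field

# Markers quoted in the thread: pppd's own message when it cannot satisfy the
# peer's <auth ...> request, and the result strings the server returns inside
# CHAP Success / Failure packets.
NO_AUTH_POSSIBLE = "No auth is possible"
ACCESS_DENIED = "M=Access denied"
ACCESS_GRANTED = "M=Access granted"

RE_PPPD = re.compile(r" pppd\[\d+\]: (?P<msg>.*)$")
RE_RCVD_AUTH = re.compile(r"rcvd \[LCP ConfReq id=0x[0-9a-f]+ <auth (?P<proto>[^>]+)>")
RE_SENT_REJ_AUTH = re.compile(r"sent \[LCP ConfRej id=0x[0-9a-f]+ <auth ")
RE_CHAP_CHALLENGE = re.compile(r"rcvd \[CHAP Challenge id=")


@dataclass
class Verdict:
    status: str
    detail: str
    peer_auth: set = field(default_factory=set)  # auth protocols the server asked for
    rejected: int = 0                            # <auth ...> requests the client ConfRej'd


def triage(log_lines):
    """Classify the PPP authentication phase from syslog lines; non-pppd lines are ignored."""
    peer_auth, rejected, no_auth = set(), 0, 0
    saw_pppd = saw_challenge = granted = denied = False
    for line in log_lines:
        m = RE_PPPD.search(line)
        if not m:
            continue  # charon, xl2tpd, NetworkManager and other noise
        saw_pppd = True
        msg = m.group("msg")
        auth_req = RE_RCVD_AUTH.search(msg)
        if auth_req:
            peer_auth.add(auth_req.group("proto"))
        if RE_SENT_REJ_AUTH.search(msg):
            rejected += 1
        if NO_AUTH_POSSIBLE in msg:
            no_auth += 1
        saw_challenge = saw_challenge or bool(RE_CHAP_CHALLENGE.search(msg))
        granted = granted or ACCESS_GRANTED in msg
        denied = denied or ACCESS_DENIED in msg

    asked = ", ".join(sorted(peer_auth)) or "none"
    if not saw_pppd:
        return Verdict("no-ppp-activity", "no pppd lines: the L2TP call never reached pppd")
    if granted:
        return Verdict("authenticated", "server accepted the credentials", peer_auth, rejected)
    if denied:
        return Verdict("credentials-rejected",
                       "authentication was attempted and refused: check username, password and domain prefix",
                       peer_auth, rejected)
    if no_auth or rejected:
        return Verdict("auth-negotiation-failed",
                       f"client rejected the server's <auth {asked}> request {rejected} time(s): "
                       "check the pppd options file (noauth / auth settings)",
                       peer_auth, rejected)
    if saw_challenge:
        return Verdict("auth-incomplete",
                       "CHAP challenge received but no result logged (log cut short or pppd killed)",
                       peer_auth, rejected)
    return Verdict("no-auth-negotiation", "pppd ran but the peer never requested authentication",
                   peer_auth, rejected)


# Constructed sample logs modelled on the thread's output (placeholders, not real values).
LOG_REJECTING = [
    "Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic PLACEHOLDER>]",
    "Sep  4 00:33:58 sveta NetworkManager[2719]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...",
    "Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic PLACEHOLDER>]",
    "Sep  4 00:33:58 sveta pppd[4115]: No auth is possible",
    "Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x1 <auth chap MS-v2>]",
    "Sep  4 00:33:58 sveta pppd[4115]: rcvd [LCP ConfReq id=0x2 <auth chap MS-v2> <magic PLACEHOLDER>]",
    "Sep  4 00:33:58 sveta pppd[4115]: No auth is possible",
    "Sep  4 00:33:58 sveta pppd[4115]: sent [LCP ConfRej id=0x2 <auth chap MS-v2>]",
]
LOG_DENIED = [
    "Sep  5 01:13:35 sveta pppd[5722]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic PLACEHOLDER>]",
    "Sep  5 01:13:35 sveta pppd[5722]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic PLACEHOLDER>]",
    'Sep  5 01:13:35 sveta pppd[5722]: rcvd [CHAP Challenge id=0x1 <HIDDEN>, name = ""]',
    'Sep  5 01:13:35 sveta pppd[5722]: sent [CHAP Response id=0x1 <HIDDEN>, name = "user-name"]',
    'Sep  5 01:13:35 sveta pppd[5722]: rcvd [CHAP Failure id=0x1 "HIDDEN M=Access denied"]',
]
LOG_GRANTED = LOG_DENIED[:4] + [
    'Sep  5 01:13:35 sveta pppd[5722]: rcvd [CHAP Success id=0x1 "S=HIDDEN M=Access granted"]',
]
LOG_XL2TPD_ONLY = [
    "Sep  4 00:33:58 sveta xl2tpd[4063]: Connecting to host vpn.office.com, port 1701",
]

if __name__ == "__main__":
    for name, log in (("rejecting", LOG_REJECTING), ("denied", LOG_DENIED),
                      ("granted", LOG_GRANTED), ("no pppd", LOG_XL2TPD_ONLY)):
        v = triage(log)
        print(f"{name:10s} {v.status:24s} {v.detail}")
```

Feed it the output of `grep pppd /var/log/messages` from one connection attempt; the verdict for the log posted above comes out as auth-negotiation-failed, which is what the "No auth is possible" repeats mean.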

----------

## Duco Ergo Sum

Trying to prove I can think for myself, I found this post: https://forums.gentoo.org/viewtopic-t-324500-postdays-0-postorder-asc-highlight-openswan-start-100.html?sid=50b0048d9923e82f358e87c6b6df3b77.  This seems to explain things somewhat, but not enough for me to understand what's going on here or to allow me to fix it.

```

ipsec up VPN.OFFICE.COM && xl2tpd-control connect vpnclient user-name Pass-Word

```

These lines from the log below do turn up from time to time; I'm not sure how to reliably trigger them.

```

Sep  5 01:13:35 sveta xl2tpd[5546]: check_control: Received out of order control packet on tunnel 7854 (got 2, expected 3)

Sep  5 01:13:35 sveta xl2tpd[5546]: handle_packet: bad control packet!

```

xl2tpd.conf

```

[lac vpnclient]

lns = vpn.office.com

pppoptfile = /etc/ppp/options.xl2tpd.client

name = user-name

ppp debug = yes

refuse pap = yes

length bit = yes

require chap = yes

require authentication = yes

ppp debug = yes

```

options.xl2tpd.client

```

noauth

lock

refuse-eap

ipcp-accept-local

ipcp-accept-remote

noipdefault

noccp

idle 1800

mtu 1410

mru 1410

nodefaultroute

proxyarp

connect-delay 5000

```

Log

```
Sep  5 01:13:35 sveta xl2tpd[5546]: Calling on tunnel 60681
Sep  5 01:13:35 sveta xl2tpd[5546]: Call established with 17.11.7.5, Local: 12765, Remote: 7729, Serial: 2 (ref=0/0)
Sep  5 01:13:35 sveta xl2tpd[5546]: start_pppd: I'm running:
Sep  5 01:13:35 sveta xl2tpd[5546]: "/usr/sbin/pppd"
Sep  5 01:13:35 sveta xl2tpd[5546]: "passive"
Sep  5 01:13:35 sveta xl2tpd[5546]: "nodetach"
Sep  5 01:13:35 sveta xl2tpd[5546]: ":"
Sep  5 01:13:35 sveta xl2tpd[5546]: "refuse-pap"
Sep  5 01:13:35 sveta xl2tpd[5546]: "auth"
Sep  5 01:13:35 sveta xl2tpd[5546]: "require-chap"
Sep  5 01:13:35 sveta xl2tpd[5546]: "name"
Sep  5 01:13:35 sveta xl2tpd[5546]: "user-name"
Sep  5 01:13:35 sveta xl2tpd[5546]: "debug"
Sep  5 01:13:35 sveta xl2tpd[5546]: "plugin"
Sep  5 01:13:35 sveta xl2tpd[5546]: "passwordfd.so"
Sep  5 01:13:35 sveta xl2tpd[5546]: "passwordfd"
Sep  5 01:13:35 sveta xl2tpd[5546]: "9"
Sep  5 01:13:35 sveta xl2tpd[5546]: "file"
Sep  5 01:13:35 sveta xl2tpd[5546]: "/etc/ppp/options.xl2tpd.client"
Sep  5 01:13:35 sveta xl2tpd[5546]: "ipparam"
Sep  5 01:13:35 sveta xl2tpd[5546]: "17.11.7.5"
Sep  5 01:13:35 sveta xl2tpd[5546]: "plugin"
Sep  5 01:13:35 sveta xl2tpd[5546]: "pppol2tp.so"
Sep  5 01:13:35 sveta xl2tpd[5546]: "pppol2tp"
Sep  5 01:13:35 sveta xl2tpd[5546]: "10"
Sep  5 01:13:35 sveta pppd[5722]: Plugin passwordfd.so loaded.
Sep  5 01:13:35 sveta pppd[5722]: Plugin pppol2tp.so loaded.
Sep  5 01:13:35 sveta pppd[5722]: pppd 2.4.7 started by huoshe, uid 0
Sep  5 01:13:35 sveta pppd[5722]: using channel 15
Sep  5 01:13:35 sveta pppd[5722]: Using interface ppp0
Sep  5 01:13:35 sveta pppd[5722]: Connect: ppp0 <-->
Sep  5 01:13:35 sveta pppd[5722]: Overriding mtu 1500 to 1410
Sep  5 01:13:35 sveta pppd[5722]: PPPoL2TP options: debugmask 0
Sep  5 01:13:35 sveta pppd[5722]: Overriding mru 1500 to mtu value 1410
Sep  5 01:13:35 sveta pppd[5722]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic mushroom>]
Sep  5 01:13:35 sveta NetworkManager[2714]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
Sep  5 01:13:35 sveta xl2tpd[5546]: check_control: Received out of order control packet on tunnel 7854 (got 2, expected 3)
Sep  5 01:13:35 sveta xl2tpd[5546]: handle_packet: bad control packet!
Sep  5 01:13:35 sveta pppd[5722]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic carpet>]
Sep  5 01:13:35 sveta pppd[5722]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic carpet>]
Sep  5 01:13:35 sveta pppd[5722]: rcvd [LCP ConfRej id=0x1 <mru 1410> <asyncmap 0x0>]
Sep  5 01:13:35 sveta pppd[5722]: sent [LCP ConfReq id=0x2 <magic mushroom>]
Sep  5 01:13:35 sveta pppd[5722]: rcvd [CHAP Challenge id=0x1 <[HIDDEN]>, name = ""]
Sep  5 01:13:35 sveta pppd[5722]: Discarded non-LCP packet when LCP not open
Sep  5 01:13:35 sveta pppd[5722]: rcvd [LCP ConfAck id=0x2 <magic mushroom>]
Sep  5 01:13:35 sveta pppd[5722]: Overriding mtu 1500 to 1410
Sep  5 01:13:35 sveta pppd[5722]: PPPoL2TP options: debugmask 0
Sep  5 01:13:35 sveta pppd[5722]: Overriding mru 1500 to mtu value 1410
Sep  5 01:13:38 sveta pppd[5722]: rcvd [CHAP Challenge id=0x1 <[HIDDEN]>, name = ""]
Sep  5 01:13:38 sveta pppd[5722]: added response cache entry 0
Sep  5 01:13:38 sveta pppd[5722]: sent [CHAP Response id=0x1 <[HIDDEN]>, name = "user-namer"]
Sep  5 01:13:38 sveta pppd[5722]: rcvd [CHAP Success id=0x1 "S=[HIDDEN]"]
Sep  5 01:13:38 sveta pppd[5722]: response found in cache (entry 0)
Sep  5 01:13:38 sveta pppd[5722]: CHAP authentication succeeded
Sep  5 01:13:38 sveta pppd[5722]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep  5 01:13:38 sveta pppd[5722]: rcvd [IPCP TermAck id=0x1]
Sep  5 01:13:41 sveta pppd[5722]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep  5 01:13:41 sveta pppd[5722]: rcvd [IPCP ConfReq id=0x1 <addr 17.11.7.5>]
Sep  5 01:13:41 sveta pppd[5722]: sent [IPCP ConfAck id=0x1 <addr 17.11.7.5>]
Sep  5 01:13:41 sveta pppd[5722]: rcvd [IPCP ConfNak id=0x1 <addr 125.64.27.8>]
Sep  5 01:13:41 sveta pppd[5722]: sent [IPCP ConfReq id=0x2 <addr 125.64.27.8>]
Sep  5 01:13:41 sveta pppd[5722]: rcvd [IPCP ConfAck id=0x2 <addr 125.64.27.8>]
Sep  5 01:13:41 sveta charon: 06[KNL] 125.64.27.8 appeared on ppp0
Sep  5 01:13:41 sveta pppd[5722]: Cannot determine ethernet address for proxy ARP
Sep  5 01:13:41 sveta pppd[5722]: local  IP address 125.64.27.8
Sep  5 01:13:41 sveta pppd[5722]: remote IP address 17.11.7.5
Sep  5 01:13:41 sveta charon: 10[KNL] 125.64.27.8 disappeared from ppp0
Sep  5 01:13:41 sveta charon: 13[KNL] 125.64.27.8 appeared on ppp0
Sep  5 01:13:41 sveta charon: 07[KNL] interface ppp0 activated
Sep  5 01:13:41 sveta pppd[5722]: Script /etc/ppp/ip-up started (pid 5727)
Sep  5 01:13:41 sveta pppd[5722]: Script /etc/ppp/ip-up finished (pid 5727), status = 0x0
```

Last edited by Duco Ergo Sum on Fri Apr 17, 2015 8:53 am; edited 2 times in total

----------

## salahx

*Duco Ergo Sum wrote:*

> These lines from the log below do turn up from time to time; I'm not sure how to reliably trigger them.
> ```
> ...
> ```

They appear on my system too. They are harmless. Ignore them.

*Duco Ergo Sum wrote:*

> xl2tpd.conf
> ```
> ...
> ```

Way overkill. This is all you need:

```
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
```

The other stuff is overkill and maybe even actively harmful - we do NOT want to require authentication on our side! (If you are not using the pppoptfile you may need "refuse authentication = yes".)

*Duco Ergo Sum wrote:*

> options.xl2tpd.client
> ```
> ...
> ```

Again, way overkill (in fact, even the example I give for the server on the wiki page may be overkill). Most of these options aren't needed. The only one required is "noauth", and maybe "nodefaultroute" (this indicates we want a split tunnel, as opposed to a full tunnel). The other stuff should be negotiated by the server.

*Duco Ergo Sum wrote:*

> Log
> ```
> ...
> ```

The "CHAP authentication succeeded" means it connected, congratulations! You are now connected to the vpn!

----------

## Duco Ergo Sum

I will sanitize the config files in a couple of hours.

Now I guess the question is: why can't I ping the other network?

tcpdump shows no activity and ip xfrm monitor only shows the connections being made and broken.

----------

## salahx

Well, now that the VPN is connected, the problem is either DNS-related or routing-related. So try pinging some IP address on the other side (or connecting to a service via IP) to rule out a routing issue (if you use tcpdump on ppp0, you should see the packets going back and forth). Otherwise, it may be a DNS problem - we may need to add some stuff (like usepeerdns) to our options file.

----------

## Duco Ergo Sum

It looks like a connection is made but it doesn't last.

```
# tcpdump -i ppp0 udp port 1701
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```

```
# tcpdump -i ppp0 proto 50
tcpdump: ppp0: No such device exists
(SIOCGIFHWADDR: No such device)
```

```
# xl2tpd-control disconnect vpnclient
01 Session 'vpnclient' not up
```

```
Sep  5 08:27:30 sveta xl2tpd[4090]: Connecting to host vpn.office.com, port 1701
Sep  5 08:27:30 sveta xl2tpd[4090]: Connection established to 17.11.7.5, 1701.  Local: 50388, Remote: 7859 (ref=0/0).
Sep  5 08:27:30 sveta xl2tpd[4090]: Calling on tunnel 50388
Sep  5 08:27:30 sveta xl2tpd[4090]: Call established with 17.11.7.5, Local: 41470, Remote: 7734, Serial: 1 (ref=0/0)
Sep  5 08:27:30 sveta xl2tpd[4090]: start_pppd: I'm running:
Sep  5 08:27:30 sveta xl2tpd[4090]: "/usr/sbin/pppd"
Sep  5 08:27:30 sveta xl2tpd[4090]: "passive"
Sep  5 08:27:30 sveta xl2tpd[4090]: "nodetach"
Sep  5 08:27:30 sveta xl2tpd[4090]: ":"
Sep  5 08:27:30 sveta xl2tpd[4090]: "name"
Sep  5 08:27:30 sveta xl2tpd[4090]: "user-name"
Sep  5 08:27:30 sveta xl2tpd[4090]: "debug"
Sep  5 08:27:30 sveta xl2tpd[4090]: "plugin"
Sep  5 08:27:30 sveta xl2tpd[4090]: "passwordfd.so"
Sep  5 08:27:30 sveta xl2tpd[4090]: "passwordfd"
Sep  5 08:27:30 sveta xl2tpd[4090]: "8"
Sep  5 08:27:30 sveta xl2tpd[4090]: "file"
Sep  5 08:27:30 sveta xl2tpd[4090]: "/etc/ppp/options.xl2tpd.lns"
Sep  5 08:27:30 sveta xl2tpd[4090]: "ipparam"
Sep  5 08:27:30 sveta xl2tpd[4090]: "17.11.7.5"
Sep  5 08:27:30 sveta xl2tpd[4090]: "plugin"
Sep  5 08:27:30 sveta xl2tpd[4090]: "pppol2tp.so"
Sep  5 08:27:30 sveta xl2tpd[4090]: "pppol2tp"
Sep  5 08:27:30 sveta xl2tpd[4090]: "9"
Sep  5 08:27:30 sveta pppd[4127]: Plugin passwordfd.so loaded.
Sep  5 08:27:30 sveta pppd[4127]: Plugin pppol2tp.so loaded.
Sep  5 08:27:30 sveta pppd[4127]: pppd 2.4.7 started by huoshe, uid 0
Sep  5 08:27:30 sveta pppd[4127]: using channel 1
Sep  5 08:27:30 sveta pppd[4127]: Using interface ppp0
Sep  5 08:27:30 sveta pppd[4127]: Connect: ppp0 <-->
Sep  5 08:27:30 sveta pppd[4127]: PPPoL2TP options: debugmask 0
Sep  5 08:27:30 sveta pppd[4127]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic mushrooms>]
Sep  5 08:27:30 sveta NetworkManager[2712]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
Sep  5 08:27:30 sveta pppd[4127]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic carpet>]
Sep  5 08:27:30 sveta pppd[4127]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic carpet>]
Sep  5 08:27:30 sveta pppd[4127]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Sep  5 08:27:30 sveta pppd[4127]: sent [LCP ConfReq id=0x2 <magic mushrooms>]
Sep  5 08:27:30 sveta pppd[4127]: rcvd [LCP ConfAck id=0x2 <magic mushrooms>]
Sep  5 08:27:30 sveta pppd[4127]: PPPoL2TP options: debugmask 0
Sep  5 08:27:30 sveta pppd[4127]: rcvd [CHAP Challenge id=0x1 <[HIDDEN]>, name = ""]
Sep  5 08:27:30 sveta pppd[4127]: added response cache entry 0
Sep  5 08:27:30 sveta pppd[4127]: sent [CHAP Response id=0x1 <[HIDDEN]>, name = "user-name"]
Sep  5 08:27:30 sveta pppd[4127]: rcvd [CHAP Success id=0x1 "S=[HIDDEN]"]
Sep  5 08:27:30 sveta pppd[4127]: response found in cache (entry 0)
Sep  5 08:27:30 sveta pppd[4127]: CHAP authentication succeeded
Sep  5 08:27:30 sveta pppd[4127]: sent [IPCP ConfReq id=0x1 <addr 1.2.3.4>]
Sep  5 08:27:30 sveta pppd[4127]: rcvd [IPCP TermAck id=0x1]
Sep  5 08:27:33 sveta pppd[4127]: sent [IPCP ConfReq id=0x1 <addr 1.2.3.4>]
Sep  5 08:27:33 sveta pppd[4127]: rcvd [IPCP ConfReq id=0x1 <addr 17.11.7.5>]
Sep  5 08:27:33 sveta pppd[4127]: sent [IPCP ConfAck id=0x1 <addr 17.11.7.5>]
Sep  5 08:27:33 sveta pppd[4127]: rcvd [IPCP ConfNak id=0x1 <addr 125.64.27.8>]
Sep  5 08:27:33 sveta pppd[4127]: sent [IPCP ConfReq id=0x2 <addr 125.64.27.8>]
Sep  5 08:27:34 sveta pppd[4127]: rcvd [IPCP ConfAck id=0x2 <addr 125.64.27.8>]
Sep  5 08:27:34 sveta charon: 15[KNL] 125.64.27.8 appeared on ppp0
Sep  5 08:27:34 sveta pppd[4127]: local  IP address 125.64.27.8
Sep  5 08:27:34 sveta pppd[4127]: remote IP address 17.11.7.5
Sep  5 08:27:34 sveta charon: 05[KNL] 125.64.27.8 disappeared from ppp0
Sep  5 08:27:34 sveta charon: 08[KNL] 125.64.27.8 appeared on ppp0
Sep  5 08:27:34 sveta pppd[4127]: Script /etc/ppp/ip-up started (pid 4131)
Sep  5 08:27:34 sveta charon: 10[KNL] interface ppp0 activated
Sep  5 08:27:34 sveta pppd[4127]: Script /etc/ppp/ip-up finished (pid 4131), status = 0x0
Sep  5 08:27:54 sveta charon: 11[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:28:14 sveta charon: 13[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:28:22 sveta kernel: [  515.062494] device ppp0 entered promiscuous mode
Sep  5 08:28:30 sveta kernel: [  523.463979] device ppp0 left promiscuous mode
Sep  5 08:28:34 sveta charon: 04[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:28:35 sveta xl2tpd[4090]: Maximum retries exceeded for tunnel 50388.  Closing.
Sep  5 08:28:35 sveta xl2tpd[4090]: Terminating pppd: sending TERM signal to pid 4127
Sep  5 08:28:35 sveta xl2tpd[4090]: Connection 7859 closed to 17.11.7.5, port 1701 (Timeout)
Sep  5 08:28:35 sveta pppd[4127]: Terminating on signal 15
Sep  5 08:28:35 sveta pppd[4127]: Connect time 1.1 minutes.
Sep  5 08:28:35 sveta pppd[4127]: Sent 81712 bytes, received 0 bytes.
Sep  5 08:28:35 sveta charon: 05[KNL] interface ppp0 deactivated
Sep  5 08:28:35 sveta charon: 06[KNL] 125.64.27.8 disappeared from ppp0
Sep  5 08:28:35 sveta pppd[4127]: Script /etc/ppp/ip-down started (pid 4139)
Sep  5 08:28:35 sveta pppd[4127]: PPPoL2TP options: debugmask 0
Sep  5 08:28:35 sveta pppd[4127]: sent [LCP TermReq id=0x3 "User request"]
Sep  5 08:28:35 sveta pppd[4127]: Script /etc/ppp/ip-down finished (pid 4139), status = 0x0
Sep  5 08:28:38 sveta pppd[4127]: sent [LCP TermReq id=0x4 "User request"]
Sep  5 08:28:40 sveta xl2tpd[4090]: Unable to deliver closing message for tunnel 50388. Destroying anyway.
Sep  5 08:28:41 sveta pppd[4127]: Connection terminated.
Sep  5 08:28:41 sveta charon: 11[KNL] interface ppp0 deleted
Sep  5 08:28:41 sveta avahi-daemon[3039]: Withdrawing workstation service for ppp0.
Sep  5 08:28:41 sveta pppd[4127]: Modem hangup
Sep  5 08:28:41 sveta pppd[4127]: Exit.
Sep  5 08:28:59 sveta charon: 15[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:29:19 sveta charon: 05[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:29:22 sveta xl2tpd[4090]: Session 'vpnclient' not up
Sep  5 08:29:39 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:29:59 sveta charon: 11[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:30:01 sveta cron[4155]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Sep  5 08:30:19 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:30:39 sveta charon: 07[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:30:59 sveta charon: 15[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:31:19 sveta charon: 04[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:31:39 sveta charon: 06[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:31:49 sveta ntpd[3453]: peer 1.10.10.1 now invalid
Sep  5 08:31:59 sveta charon: 08[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:32:19 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:32:39 sveta charon: 13[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:32:53 sveta ntpd[3453]: peer 5.10.10.5 now invalid
Sep  5 08:32:59 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:33:19 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:33:39 sveta charon: 15[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:33:59 sveta charon: 05[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:34:19 sveta charon: 08[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:34:39 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:34:59 sveta charon: 13[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:35:16 sveta su[4009]: pam_unix(su:session): session closed for user root
Sep  5 08:35:19 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:35:39 sveta charon: 07[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:35:59 sveta charon: 15[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:36:19 sveta charon: 04[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:36:39 sveta charon: 06[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:36:59 sveta charon: 09[IKE] sending keep alive to 17.11.7.5[4500]
Sep  5 08:37:19 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]
```

Even using the following command I can't reach my office desktop:

```
# ipsec up VPN.OFFICE.COM && xl2tpd-control connect vpnclient user-name Pass-Word && ping 1.3.3.1
connection 'VPN.OFFICE.COM' established successfully
00 OK
PING 1.3.3.1 (1.3.3.1) 56(84) bytes of data.
^C
--- 1.3.3.1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8000ms
```

Also, the IP represented by 125.64.27.8 has changed, but I'd put that down to the DHCP lease expiring; that is my guess.

xl2tpd.conf

```
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
```

options.xl2tpd.client

```
noauth
nodefaultroute
```

Last edited by Duco Ergo Sum on Sat Sep 06, 2014 2:39 am; edited 1 time in total

----------

## salahx

Try the following in options.xl2tpd.client:

```
noauth
nodefaultroute
require-mppe
```

We add "require-mppe" as Windows normally requests it.

----------

## Duco Ergo Sum

I have now added require-mppe and still no joy.

I have also added noccp as this makes the log a little tidier and doesn't seem to affect the connection.

```
Sep  5 22:07:50 sveta pppd[6080]: MPPE required but peer refused
Sep  5 22:07:50 sveta pppd[6080]: PPPoL2TP options: debugmask 0
Sep  5 22:07:50 sveta pppd[6080]: sent [LCP TermReq id=0x3 "MPPE required but peer refused"]
Sep  5 22:07:50 sveta pppd[6080]: rcvd [LCP TermAck id=0x3]
Sep  5 22:07:50 sveta pppd[6080]: Connection terminated.
```

----------

## salahx

OK, drop "require-mppe" from the options file as the other end doesn't support it.

Let's try this for xl2tpd.conf instead:

```
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
length bit = yes
```

----------

## Duco Ergo Sum

"require-mppe" is dropped:

```
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
length bit = yes
```

Same result as before.

In options.xl2tpd.client I have tried switching in and out the following parameters with no change in response characteristics:

```
ipcp-accept-local
ipcp-accept-remote
noccp
noauth
usepeerdns
debug
lock
name your_vpn_username
password your_password
```

----------

## Duco Ergo Sum

As of today, this evening at least, this PC will lose its internet connection, maybe for more than two weeks. It was my hope to get this finished before that happens; indeed I had hoped to be connected already for some time. Nonetheless, it is the last line in the log below which I am guessing to be the root of my issues.

```
Sep  6 03:34:08 sveta pppd[8806]: response found in cache (entry 0)
Sep  6 03:34:08 sveta pppd[8806]: CHAP authentication succeeded
Sep  6 03:34:08 sveta pppd[8806]: sent [IPCP ConfReq id=0x1 <addr 1.2.3.4>]
Sep  6 03:34:08 sveta pppd[8806]: rcvd [IPCP TermAck id=0x1]
Sep  6 03:34:11 sveta pppd[8806]: sent [IPCP ConfReq id=0x1 <addr 1.2.3.4>]
Sep  6 03:34:11 sveta pppd[8806]: rcvd [IPCP ConfReq id=0x1 <addr 17.11.7.5>]
Sep  6 03:34:11 sveta pppd[8806]: sent [IPCP ConfAck id=0x1 <addr 17.11.7.5>]
Sep  6 03:34:11 sveta pppd[8806]: rcvd [IPCP ConfNak id=0x1 <addr 125.64.27.8>]
Sep  6 03:34:11 sveta pppd[8806]: sent [IPCP ConfReq id=0x2 <addr 125.64.27.8>]
Sep  6 03:34:11 sveta pppd[8806]: rcvd [IPCP ConfAck id=0x2 <addr 125.64.27.8>]
Sep  6 03:34:11 sveta charon: 05[KNL] 125.64.27.8 appeared on ppp0
Sep  6 03:34:11 sveta pppd[8806]: local  IP address 125.64.27.8
Sep  6 03:34:11 sveta pppd[8806]: remote IP address 17.11.7.5
Sep  6 03:34:11 sveta charon: 13[KNL] 125.64.27.8 disappeared from ppp0
```

I will continue to work on this as best I can, maybe tethering to my mobile. I am very grateful for all your help and am still hopeful we'll get this working before I lose connectivity for some time.

Thanks.

----------

## salahx

Actually, that's normal. Mine looks the same:

```
Sep 05 23:15:10 localhost.localdomain pppd[966]: Using interface ppp0
Sep 05 23:15:10 localhost.localdomain pppd[966]: Connect: ppp0 <-->
Sep 05 23:15:10 localhost.localdomain pppd[966]: PPPoL2TP options: debugmask 0
Sep 05 23:15:10 localhost.localdomain pppd[966]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x8558051d>]
Sep 05 23:15:10 localhost.localdomain pppd[966]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x8558051d>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: rcvd [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MS-v2> <magic 0xab156598>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: sent [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MS-v2> <magic 0xab156598>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: PPPoL2TP options: debugmask 0
Sep 05 23:15:13 localhost.localdomain pppd[966]: rcvd [CHAP Challenge id=0xd2 <[HIDDEN]>, name = "LinuxVPN"]
Sep 05 23:15:13 localhost.localdomain pppd[966]: sent [CHAP Response id=0xd2 <[HIDDEN]>, name = "TEST\\[HIDDEN]"]
Sep 05 23:15:13 localhost.localdomain pppd[966]: rcvd [CHAP Success id=0xd2 "S=[HIDDEN] M=Access granted"]
Sep 05 23:15:13 localhost.localdomain pppd[966]: CHAP authentication succeeded
Sep 05 23:15:13 localhost.localdomain pppd[966]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: rcvd [IPCP ConfReq id=0x1 <addr 172.21.118.1>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: sent [IPCP ConfAck id=0x1 <addr 172.21.118.1>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: rcvd [IPCP ConfNak id=0x1 <addr 172.21.118.2>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: sent [IPCP ConfReq id=0x2 <addr 172.21.118.2>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: rcvd [IPCP ConfAck id=0x2 <addr 172.21.118.2>]
Sep 05 23:15:13 localhost.localdomain pppd[966]: local  IP address 172.21.118.2
Sep 05 23:15:13 localhost.localdomain pppd[966]: remote IP address 172.21.118.1
Sep 05 23:15:13 localhost.localdomain charon[850]: 15[KNL] 172.21.118.2 appeared on ppp0
Sep 05 23:15:13 localhost.localdomain charon[850]: 01[KNL] 172.21.118.2 disappeared from ppp0
Sep 05 23:15:13 localhost.localdomain charon[850]: 10[KNL] 172.21.118.2 appeared on ppp0
Sep 05 23:15:13 localhost.localdomain charon[850]: 04[KNL] interface ppp0 activated
Sep 05 23:15:13 localhost.localdomain pppd[966]: Script /etc/ppp/ip-up started (pid 969)
Sep 05 23:15:13 localhost.localdomain pppd[966]: Script /etc/ppp/ip-up finished (pid 969), status = 0x0
```

I'm using Gentoo as the server and Fedora as the client. Maybe if I have them switch roles I might have a better idea what's wrong here...

----------

## salahx

Well, it turns out my hunch was right:

```
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: Connection established to 192.168.10.108, 1701.  Local: 22935, Remote: 24408 (ref=0/0).
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: Calling on tunnel 22935
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: Call established with 192.168.10.108, Local: 47924, Remote: 24916, Serial: 2 (ref=0/0)
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: start_pppd: I'm running:
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "/usr/sbin/pppd"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "passive"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "nodetach"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: ":"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "name"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "TEST\salahx"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "debug"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "plugin"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "passwordfd.so"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "passwordfd"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "8"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "ipparam"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "192.168.10.108"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "plugin"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "pppol2tp.so"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "pppol2tp"
Sep 05 22:49:33 ardvarc xl2tpd[1094]: xl2tpd[1094]: "9"
Sep 05 22:54:18 ardvarc pppd[3825]: Plugin passwordfd.so loaded.
Sep 05 22:54:18 ardvarc pppd[3825]: Plugin pppol2tp.so loaded.
Sep 05 22:54:18 ardvarc pppd[3825]: pppd 2.4.7 started by root, uid 0
Sep 05 22:54:18 ardvarc pppd[3825]: using channel 67
Sep 05 22:54:18 ardvarc pppd[3825]: Using interface ppp0
Sep 05 22:54:18 ardvarc pppd[3825]: Connect: ppp0 <-->
Sep 05 22:54:18 ardvarc pppd[3825]: PPPoL2TP options: debugmask 0
Sep 05 22:54:18 ardvarc pppd[3825]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc785c4bd>]
Sep 05 22:54:18 ardvarc systemd-sysctl[3829]: Overwriting earlier assignment of kernel/sysrq in file '/usr/lib64/sysctl.d/60-gentoo.conf'.
Sep 05 22:54:18 ardvarc NetworkManager[3845]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
Sep 05 22:54:18 ardvarc pppd[3825]: rcvd [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MS-v2> <magic 0x21bb57b4>]
Sep 05 22:54:18 ardvarc pppd[3825]: sent [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MS-v2> <magic 0x21bb57b4>]
Sep 05 22:54:21 ardvarc pppd[3825]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc785c4bd>]
Sep 05 22:54:21 ardvarc pppd[3825]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc785c4bd>]
Sep 05 22:54:21 ardvarc pppd[3825]: PPPoL2TP options: debugmask 0
Sep 05 22:54:21 ardvarc pppd[3825]: rcvd [CHAP Challenge id=0xe8 <[HIDDEN]>, name = "LinuxVPN"]
Sep 05 22:54:21 ardvarc pppd[3825]: added response cache entry 0
Sep 05 22:54:21 ardvarc pppd[3825]: sent [CHAP Response id=0xe8 <[HIDDEN]>, name = "TEST\\[HIDDEN]"]
Sep 05 22:54:21 ardvarc pppd[3825]: rcvd [CHAP Success id=0xe8 "S=[HIDDEN] M=Access granted"]
Sep 05 22:54:21 ardvarc pppd[3825]: response found in cache (entry 0)
Sep 05 22:54:21 ardvarc pppd[3825]: CHAP authentication succeeded
Sep 05 22:54:21 ardvarc pppd[3825]: sent [IPCP ConfReq id=0x1 <addr 192.168.10.17>]
Sep 05 22:54:21 ardvarc pppd[3825]: rcvd [IPCP ConfReq id=0x1 <addr 172.21.118.1>]
Sep 05 22:54:21 ardvarc pppd[3825]: sent [IPCP ConfAck id=0x1 <addr 172.21.118.1>]
Sep 05 22:54:21 ardvarc pppd[3825]: rcvd [IPCP ConfAck id=0x1 <addr 192.168.10.17>]
Sep 05 22:54:21 ardvarc charon[2094]: 12[KNL] 192.168.10.17 appeared on ppp0
Sep 05 22:54:21 ardvarc pppd[3825]: local  IP address 192.168.10.17
Sep 05 22:54:21 ardvarc pppd[3825]: remote IP address 172.21.118.1
Sep 05 22:54:21 ardvarc charon[2094]: 10[KNL] 192.168.10.17 disappeared from ppp0
Sep 05 22:54:21 ardvarc charon[2094]: 15[KNL] 192.168.10.17 appeared on ppp0
Sep 05 22:54:21 ardvarc charon[2094]: 06[KNL] interface ppp0 activated
Sep 05 22:54:21 ardvarc pppd[3825]: Script /etc/ppp/ip-up started (pid 3835)
Sep 05 22:54:21 ardvarc pppd[3825]: Script /etc/ppp/ip-up finished (pid 3835), status = 0x0
Sep 05 22:55:23 ardvarc xl2tpd[1094]: xl2tpd[1094]: Maximum retries exceeded for tunnel 34550.  Closing.
Sep 05 22:55:23 ardvarc xl2tpd[1094]: xl2tpd[1094]: Terminating pppd: sending TERM signal to pid 3825
Sep 05 22:55:23 ardvarc xl2tpd[1094]: xl2tpd[1094]: Connection 23032 closed to 192.168.10.108, port 1701 (Timeout)
Sep 05 22:55:23 ardvarc pppd[3825]: Terminating on signal 15
Sep 05 22:55:23 ardvarc pppd[3825]: Connect time 1.1 minutes.
Sep 05 22:55:23 ardvarc pppd[3825]: Sent 0 bytes, received 0 bytes.
Sep 05 22:55:23 ardvarc charon[2094]: 12[KNL] interface ppp0 deactivated
Sep 05 22:55:23 ardvarc charon[2094]: 11[KNL] 192.168.10.17 disappeared from ppp0
Sep 05 22:55:23 ardvarc pppd[3825]: Script /etc/ppp/ip-down started (pid 3979)
Sep 05 22:55:23 ardvarc pppd[3825]: PPPoL2TP options: debugmask 0
Sep 05 22:55:23 ardvarc pppd[3825]: sent [LCP TermReq id=0x2 "User request"]
Sep 05 22:55:23 ardvarc pppd[3825]: Script /etc/ppp/ip-down finished (pid 3979), status = 0x0
Sep 05 22:55:24 ardvarc xl2tpd[1094]: xl2tpd[1094]: check_control: Received out of order control packet on tunnel 23032 (got 4, expected 2)
Sep 05 22:55:24 ardvarc xl2tpd[1094]: xl2tpd[1094]: handle_packet: bad control packet!
Sep 05 22:55:24 ardvarc xl2tpd[1094]: xl2tpd[1094]: check_control: Received out of order control packet on tunnel 23032 (got 4, expected 2)
Sep 05 22:55:24 ardvarc xl2tpd[1094]: xl2tpd[1094]: handle_packet: bad control packet!
Sep 05 22:55:26 ardvarc pppd[3825]: sent [LCP TermReq id=0x3 "User request"]
Sep 05 22:55:28 ardvarc xl2tpd[1094]: xl2tpd[1094]: Unable to deliver closing message for tunnel 34550. Destroying anyway.
Sep 05 22:55:29 ardvarc pppd[3825]: Connection terminated.
Sep 05 22:55:29 ardvarc charon[2094]: 05[KNL] interface ppp0 deleted
Sep 05 22:55:29 ardvarc avahi-daemon[2943]: Withdrawing workstation service for ppp0.
Sep 05 22:55:29 ardvarc pppd[3825]: Modem hangup
Sep 05 22:55:29 ardvarc pppd[3825]: Exit.
```

It exhibits the SAME BEHAVIOR as yours: pppd exits soon after it connects. So it's not just you. I've noticed Fedora produces different output for xl2tpd than Gentoo, and Gentoo passes some extra options to pppd that Fedora does not. Now I need to figure out where it's pulling these options from.

----------

## salahx

OK, I think I finally got it figured out. PPP is using the IP of the primary interface as the default for the local IP of the PPP link, when we want NO default. So one winds up with 2 interfaces with the same IP, which causes connectivity loss, which is why the connection dies. Thankfully there is a ppp option "noipdefault" that tells pppd NOT to do this.

```
noipdefault
noauth
nodefaultroute
```

Restart xl2tpd, reconnect and this time it should work! (It worked for me).
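The client-side advice accumulated in this thread (a minimal `[lac]` section; never `require ...`/`refuse pap` on the client, because authentication is the server's decision; `noauth`; `noipdefault`; `require-mppe` only if the peer supports it) can be checked mechanically. The following is an added example, not code from the posts or from xl2tpd/pppd. `lint_lac` and `lint_ppp_options` are names chosen for the example; the sample configs are the ones posted above, retyped inline. The checks reflect only what the thread states, not the full xl2tpd or pppd option set.

```python
"""Lint a client-side xl2tpd.conf [lac] section and pppd options file against
the advice given in this thread.

Added example, not code from the posts or from xl2tpd/pppd. The sample configs
below are the ones posted in the thread, retyped here.
"""
import configparser

REQUIRED_LAC_KEYS = {"lns", "pppoptfile", "name"}
# Keys that make the *client* demand authentication from the server.
SERVER_SIDE_KEYS = {"require authentication", "require chap", "require pap", "refuse pap"}


def lint_lac(text, lac="vpnclient"):
    """Return a list of findings for the [lac <name>] section; [] means clean."""
    # xl2tpd.conf is INI-like. strict=False tolerates the duplicated
    # "ppp debug = yes" in the posted config instead of raising.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    section = f"lac {lac}"
    if not cp.has_section(section):
        return [f"missing section [{section}]"]
    sec = cp[section]
    findings = [f"missing '{k}'" for k in sorted(REQUIRED_LAC_KEYS - set(sec))]
    for key in sorted(SERVER_SIDE_KEYS & set(sec)):
        if sec[key].strip().lower() == "yes":
            findings.append(f"drop '{key} = yes': authentication is the server's decision")
    return findings


def lint_ppp_options(text, peer_supports_mppe=False):
    """Return findings for a pppd options file; [] means clean."""
    opts = {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}
    findings = []
    if "noauth" not in opts:
        findings.append("add 'noauth': the client must not demand authentication")
    if "noipdefault" not in opts:
        findings.append("add 'noipdefault': otherwise pppd proposes the primary interface's IP for ppp0")
    if "require-mppe" in opts and not peer_supports_mppe:
        findings.append("drop 'require-mppe': the peer refused MPPE")
    return findings


# The original, over-specified xl2tpd.conf from the thread.
OVERKILL_CONF = """\
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
refuse pap = yes
length bit = yes
require chap = yes
require authentication = yes
ppp debug = yes
"""

# The minimal version salahx recommends.
MINIMAL_CONF = """\
[lac vpnclient]
lns = vpn.office.com
pppoptfile = /etc/ppp/options.xl2tpd.client
name = user-name
ppp debug = yes
"""

REQUIRE_MPPE_OPTS = "noauth\nnodefaultroute\nrequire-mppe\n"   # the attempt that failed
FINAL_OPTS = "noipdefault\nnoauth\nnodefaultroute\n"            # the working set

if __name__ == "__main__":
    for label, conf in (("overkill", OVERKILL_CONF), ("minimal", MINIMAL_CONF)):
        print(label, lint_lac(conf) or "clean")
    for label, opts in (("require-mppe", REQUIRE_MPPE_OPTS), ("final", FINAL_OPTS)):
        print(label, lint_ppp_options(opts) or "clean")
```

Run it against /etc/xl2tpd/xl2tpd.conf and the pppoptfile it names before restarting xl2tpd; an empty list from both functions means the files match the shape that worked at the end of this thread.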

----------

## Duco Ergo Sum

Hi,

Unfortunately, still no dice.

```
noipdefault
noauth
nodefaultroute
debug
```

```
Sep  6 06:45:44 sveta pppd[4251]: rcvd [CHAP Success id=0x1 "S=[HIDDEN]"]
Sep  6 06:45:44 sveta pppd[4251]: response found in cache (entry 0)
Sep  6 06:45:44 sveta pppd[4251]: CHAP authentication succeeded
Sep  6 06:45:44 sveta pppd[4251]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep  6 06:45:45 sveta pppd[4251]: rcvd [IPCP TermAck id=0x1]
Sep  6 06:45:47 sveta pppd[4251]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Sep  6 06:45:48 sveta pppd[4251]: rcvd [IPCP ConfReq id=0x1 <addr 17.11.7.5>]
Sep  6 06:45:48 sveta pppd[4251]: sent [IPCP ConfAck id=0x1 <addr 17.11.7.5>]
Sep  6 06:45:48 sveta pppd[4251]: rcvd [IPCP ConfNak id=0x1 <addr 125.64.27.8>]
Sep  6 06:45:48 sveta pppd[4251]: sent [IPCP ConfReq id=0x2 <addr 125.64.27.8>]
Sep  6 06:45:48 sveta pppd[4251]: rcvd [IPCP ConfAck id=0x2 <addr 125.64.27.8>]
Sep  6 06:45:48 sveta charon: 10[KNL] 125.64.27.8 appeared on ppp0
Sep  6 06:45:48 sveta pppd[4251]: local  IP address 125.64.27.8
Sep  6 06:45:48 sveta charon: 09[KNL] 125.64.27.8 disappeared from ppp0
Sep  6 06:45:48 sveta pppd[4251]: remote IP address 17.11.7.5
Sep  6 06:45:48 sveta charon: 14[KNL] 125.64.27.8 appeared on ppp0
Sep  6 06:45:48 sveta charon: 15[KNL] interface ppp0 activated
Sep  6 06:45:48 sveta pppd[4251]: Script /etc/ppp/ip-up started (pid 4255)
Sep  6 06:45:48 sveta pppd[4251]: Script /etc/ppp/ip-up finished (pid 4255), status = 0x0
```

----------

## salahx

According to the output of pppd, it connected and it looks exactly like mine when it connects successfully. Is it still dropping?

If so, look at this line:

```
Sep  6 06:45:48 sveta pppd[4251]: local  IP address 125.64.27.8
```

This value should NOT be the same as any other adapter in your system. If it is the same, then "noipdefault" didn't "take". Restart xl2tpd in that case.
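The check salahx asks for above (ppp0's local address must not match any other adapter) is easy to script. The following is an added example, not code from this thread or from pppd: it parses ifconfig-style output like the listing posted later in the thread and reports any interface sharing an IPv4 address with ppp0. Both samples are constructed; the failing one reproduces the situation described above, where pppd proposed the primary interface's address (the `<addr 1.2.3.4>` seen in the earlier IPCP ConfReq lines) for the PPP link. Function names and sample addresses are the example's own.

```python
"""Detect an IPv4 address shared by two interfaces (the "noipdefault" symptom).

Added example, not code from the thread. Parses ifconfig-style output and
reports interfaces whose address collides with ppp0's. Samples are constructed.
"""
import re
from collections import defaultdict

IFACE_RX = re.compile(r"^(\S+?):\s+flags=")                      # "eno1: flags=4163<UP,...>"
INET_RX = re.compile(r"^\s+inet\s+(\d{1,3}(?:\.\d{1,3}){3})\b")  # "        inet 1.2.3.4  netmask ..."


def parse_ifconfig(text):
    """Map interface name -> list of IPv4 addresses (inet6 lines are skipped)."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RX.match(line)
        if m:
            iface = m.group(1)
            addrs.setdefault(iface, [])
            continue
        m = INET_RX.match(line)
        if m and iface is not None:
            addrs[iface].append(m.group(1))
    return addrs


def duplicate_ipv4(addrs):
    """Return {ip: [interfaces]} for every address present on more than one interface."""
    owners = defaultdict(list)
    for iface, ips in addrs.items():
        for ip in ips:
            owners[ip].append(iface)
    return {ip: ifs for ip, ifs in owners.items() if len(ifs) > 1}


def ppp_ip_clash(addrs, ppp_iface="ppp0"):
    """Interfaces other than ppp_iface sharing an address with it; [] means the check passes."""
    mine = set(addrs.get(ppp_iface, []))
    return sorted(i for i, ips in addrs.items() if i != ppp_iface and mine & set(ips))


# Constructed sample: ppp0 came up with eno1's address, so traffic is lost.
BAD = """\
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 1.2.3.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.255  destination 17.11.7.5
"""

# Constructed sample: with noipdefault the server assigned a distinct address.
GOOD = BAD.replace("inet 1.2.3.4  netmask 255.255.255.255",
                   "inet 125.64.27.8  netmask 255.255.255.255")

if __name__ == "__main__":
    for label, text in (("bad", BAD), ("good", GOOD)):
        clash = ppp_ip_clash(parse_ifconfig(text))
        print(f"{label}: {'clash with ' + ', '.join(clash) if clash else 'ppp0 address is unique'}")
```

Pipe `ifconfig` output into `parse_ifconfig` right after the link comes up; a non-empty result from `ppp_ip_clash` is the sign that "noipdefault" did not take and xl2tpd needs restarting, as salahx says.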

----------

## Duco Ergo Sum

The local IP address is different. My local network is on the range 10.x.x.x while the host network is on 172.x.x.x.

It would appear that to get a connection, it has to be within moments of ipsec coming up and on the first connection attempt after starting xl2tpd. I am still unable to communicate over the ppp0 device. It kills the L2TP connection after a short timeout. Even before that timeout, ping is unable to reach anything on the other side.

```
# tcpdump -i ppp0 proto 50
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```

```
# tcpdump -i ppp0 udp port 1701
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```

```
# ifconfig
bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500
        ether f6:ab:86:9a:72:b6  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255
        inet6 fd00::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>
        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)
        RX packets 43497  bytes 53946072 (51.4 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 28720  bytes 2992069 (2.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory [HIDDEN]-[HIDDEN]

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  memory [HIDDEN]-[HIDDEN]

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 41  bytes 16913 (16.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 16913 (16.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 4  bytes 34 (34.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 40 (40.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

----------

## salahx

You won't see ESP or L2TP packets over the ppp interface, just regular traffic, as the IPSec and l2tp stuff is in the outer layer.

But if pppd is still disconnecting, I'm at a loss as to why. It works for me and I tried a few different l2tp connection scenarios. I don't think the problem is related to NAT since that would cause ipsec problems and the ipsec layer is working perfectly.

You can try the unstable version of xl2tpd (1.3.6) and see if that works better (it starts pppd with a few different options). At this point, I know we're close to getting it to work, but I'm stumped as to why pppd is disconnected because everything looks good.

----------

## Duco Ergo Sum

Well I'm stymied.  I have upgraded xl2tpd to 1.3.6 and still no change.  I must thank you for all your help.  Sadly I'm going to have to take this machine offline for a while.  I'm not sure for how long; I hope to get back online and working on this soon.  So close but so far!

Again thank you and I'll be back here as soon as I can.  I see myself living without a PC for long... not happily anyway.

All the best.

----------

## Duco Ergo Sum

Hi,

I have my PC back.

Prior to my hiatus, I suspect that I may have been the architect of my PPP problems.  Once we got IPSEC working, I thought it'd be a good idea to set iptables rules to block all l2tp connections outside the ipsec layer and thus used:

```

root # iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT 

root # iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable

root # iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT

root # iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable

```

Certainly, it looks like something is blocking traffic over the PPP connection.  My guess is that the firewall closes the connection after a period of disuse.

```

# ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500

        ether f2:ef:56:31:d0:d6  txqueuelen 0  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>

        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)

        RX packets 11959  bytes 13352142 (12.7 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 10046  bytes 1272844 (1.2 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory #x########-######## 

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory #x########-########  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 40  bytes 16841 (16.4 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 40  bytes 16841 (16.4 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5

        ppp  txqueuelen 3  (Point-to-Point Protocol)

        RX packets 4  bytes 34 (34.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 4  bytes 40 (40.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# ping 3.5.8.13

PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

8 packets transmitted, 0 received, 100% packet loss, time 6999ms

# ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500

        ether f2:ef:56:31:d0:d6  txqueuelen 0  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>

        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)

        RX packets 11968  bytes 13352958 (12.7 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 10063  bytes 1274476 (1.2 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory #x########-######## 

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory #x########-########  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 40  bytes 16841 (16.4 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 40  bytes 16841 (16.4 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5

        ppp  txqueuelen 3  (Point-to-Point Protocol)

        RX packets 4  bytes 34 (34.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 19  bytes 8917 (8.7 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

Yet, there appear to be no rules set:

```

# iptables -L -n

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

```

This assertion is corroborated by:

```

# iptables -t filter -C INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT

iptables: Bad rule (does a matching rule exist in that chain?).

# iptables -t filter -C INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable 

iptables: No chain/target/match by that name.

# iptables -t filter -C OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT

iptables: Bad rule (does a matching rule exist in that chain?).

# iptables -t filter -C OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable

iptables: No chain/target/match by that name.

```

----------

## salahx

Strange because my iptables rules work (both client and server):

```

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec udp dpt:1701

REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec udp spt:1701

REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:1701 reject-with icmp-port-unreachable

```

But I don't think the firewall has anything to do with it, otherwise no l2tp packets would pass at all, and we'd never reach the ppp phase. My best guess is the ppp interface is being misconfigured somehow, conflicting with another interface/route (since my machine has the same behavior when that happens). I'm guessing it's a routing issue. I do see the ppp packet count increasing after you ping, so that's a good sign.

One thing to try is "ip route" to print out the routing table. It should have a line like this:

```

10.137.219.1 dev ppp0  proto kernel  scope link  src 172.21.118.2

```

In my test, 10.137.219.1 was the other end of the ppp connection, and 172.21.118.2 was the IP assigned by the server.
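As an added example (not from this thread, and not salahx's or Duco Ergo Sum's code), here is a Python check that parses `iptables -L -n` output like the listing above and confirms that UDP/1701 is only accepted when the packet arrives inside an IPsec policy, with cleartext L2TP rejected afterwards. The two listings are constructed from the rules shown in this thread; the counter-example is hypothetical.

```python
import re

# Constructed sample, modelled on the `iptables -L -n` listing in the post above.
GOOD_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec udp dpt:1701
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec udp spt:1701
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:1701 reject-with icmp-port-unreachable
"""

# Constructed counter-example (hypothetical): the ACCEPT has no policy match, so
# cleartext L2TP, and the PPP/CHAP exchange carried inside it, would be accepted
# from anywhere instead of only from inside the IPsec tunnel.
BAD_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

# (chain, port key as printed by iptables, policy-match direction expected there)
CHECKS = (("INPUT", "dpt:1701", "dir in"), ("OUTPUT", "spt:1701", "dir out"))


def parse_chains(listing):
    """Return {chain: (default_policy, [rule lines in order])} from `iptables -L -n` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.strip() and not line.startswith("target") and current is not None:
            chains[current][1].append(line)
    return chains


def audit_l2tp(listing):
    """Findings for an L2TP/IPsec host; an empty list means the listing passes.

    Passing means: in each chain, an ACCEPT for UDP/1701 guarded by
    'policy match ... pol ipsec' comes first, followed by an unguarded
    REJECT/DROP for the same port, and no unguarded ACCEPT exists."""
    chains = parse_chains(listing)
    findings = []
    for chain, portkey, direction in CHECKS:
        policy, rules = chains.get(chain, ("ACCEPT", []))
        guarded_accept = rejected = False
        for rule in rules:
            if portkey not in rule:
                continue
            target = rule.split()[0]
            guarded = "pol ipsec" in rule and direction in rule
            if target == "ACCEPT" and not guarded:
                findings.append(f"{chain}: ACCEPT for {portkey} without IPsec policy match")
            elif target == "ACCEPT" and rejected:
                # iptables evaluates rules in order, so this ACCEPT can never match
                findings.append(f"{chain}: IPsec ACCEPT for {portkey} is shadowed by an earlier REJECT")
            elif target == "ACCEPT":
                guarded_accept = True
            elif target in ("REJECT", "DROP") and not guarded:
                rejected = True
        if not guarded_accept:
            findings.append(f"{chain}: no ACCEPT for {portkey} guarded by '{direction} pol ipsec'")
        if not rejected:
            findings.append(f"{chain}: cleartext {portkey} is not rejected (chain default {policy})")
    return findings


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, audit_l2tp(listing) or ["OK"])
```

An empty rule set, like the `iptables -L -n` output posted above, fails every check, which is consistent with the rules never having been loaded.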

----------

## Duco Ergo Sum

Thanks,

```

# ip route

default via 10.1.1.### dev eno1  proto static                                                                      

default via 10.1.1.### dev eno1  metric 7                                                                          

10.1.1.###/24 dev eno1  proto kernel  scope link  src 1.2.3.4  metric 1                                             

17.11.7.5 dev ppp0  proto kernel  scope link  src 125.64.27.8                                                 

127.0.0.0/8 dev lo  scope host                                                                                     

127.0.0.0/8 via 127.0.0.1 dev lo

```

Here 17.11.7.5 is the other end of the ppp connection and 125.64.27.8 is the IP assigned by the server.  The ppp line here seems to be the same as yours.

----------

## salahx

OK, so it's not a routing problem. Since it's been a while, the latest output of xl2tpd/pppd would be helpful to determine if we're dealing with the same problem. I'll also adjust my simulation at home to make the VM I created for that have a similar network setup to yours, to see if that's what's causing it.

----------

## Duco Ergo Sum

Hi

Thanks for persevering with me.  Here is a copy of the logs and the output:

```

Sep 23 00:28:54 sveta xl2tpd[4113]: Connecting to host vpn.office.com, port 1701

Sep 23 00:28:54 sveta xl2tpd[4113]: Connection established to 17.11.7.5, 1701.  Local: 59263, Remote: 7959 (ref=0/0).

Sep 23 00:28:54 sveta xl2tpd[4113]: Calling on tunnel 59263

Sep 23 00:28:54 sveta xl2tpd[4113]: Call established with 17.11.7.5, Local: 15862, Remote: 7832, Serial: 1 (ref=0/0)

Sep 23 00:28:54 sveta xl2tpd[4113]: start_pppd: I'm running: 

Sep 23 00:28:54 sveta xl2tpd[4113]: "/usr/sbin/pppd" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "passive" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "nodetach" 

Sep 23 00:28:54 sveta xl2tpd[4113]: ":" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "name" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "user-name" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "debug" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "plugin" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "passwordfd.so" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "passwordfd" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "8" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "file" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "/etc/ppp/options.xl2tpd.client" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "plugin" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "pppol2tp.so" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "pppol2tp" 

Sep 23 00:28:54 sveta xl2tpd[4113]: "9" 

Sep 23 00:28:54 sveta pppd[4151]: Plugin passwordfd.so loaded.

Sep 23 00:28:54 sveta pppd[4151]: Plugin pppol2tp.so loaded.

Sep 23 00:28:54 sveta pppd[4151]: pppd 2.4.7 started by [HIDDEN], uid 0

Sep 23 00:28:54 sveta pppd[4151]: using channel 1

Sep 23 00:28:54 sveta pppd[4151]: Using interface ppp0

Sep 23 00:28:54 sveta pppd[4151]: Connect: ppp0 <--> 

Sep 23 00:28:54 sveta pppd[4151]: PPPoL2TP options: debugmask 0

Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic [HIDDEN]>]

Sep 23 00:28:54 sveta NetworkManager[2671]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...

Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic [HIDDEN]>]

Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic [HIDDEN]>]

Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]

Sep 23 00:28:54 sveta pppd[4151]: sent [LCP ConfReq id=0x2 <magic [HIDDEN]>]

Sep 23 00:28:54 sveta pppd[4151]: rcvd [LCP ConfAck id=0x2 <magic [HIDDEN]>]

Sep 23 00:28:54 sveta pppd[4151]: PPPoL2TP options: debugmask 0

Sep 23 00:28:54 sveta pppd[4151]: rcvd [CHAP Challenge id=0x1 <[HIDDEN]>, name = ""]

Sep 23 00:28:54 sveta pppd[4151]: added response cache entry 0

Sep 23 00:28:54 sveta pppd[4151]: sent [CHAP Response id=0x1 <[HIDDEN]>, name = "user-name"]

Sep 23 00:28:56 sveta pppd[4151]: rcvd [CHAP Success id=0x1 "S=[HIDDEN]"]

Sep 23 00:28:56 sveta pppd[4151]: response found in cache (entry 0)

Sep 23 00:28:56 sveta pppd[4151]: CHAP authentication succeeded

Sep 23 00:28:56 sveta pppd[4151]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]

Sep 23 00:28:56 sveta pppd[4151]: rcvd [IPCP TermAck id=0x1]

Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]

Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfReq id=0x1 <addr 17.11.7.5>]

Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfAck id=0x1 <addr 17.11.7.5>]

Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfNak id=0x1 <addr 125.64.27.8>]

Sep 23 00:28:59 sveta pppd[4151]: sent [IPCP ConfReq id=0x2 <addr 125.64.27.8>]

Sep 23 00:28:59 sveta pppd[4151]: rcvd [IPCP ConfAck id=0x2 <addr 125.64.27.8>]

Sep 23 00:28:59 sveta charon: 04[KNL] 125.64.27.8 appeared on ppp0

Sep 23 00:28:59 sveta pppd[4151]: local  IP address 125.64.27.8

Sep 23 00:28:59 sveta pppd[4151]: remote IP address 17.11.7.5

Sep 23 00:28:59 sveta charon: 12[KNL] 125.64.27.8 disappeared from ppp0

Sep 23 00:28:59 sveta charon: 14[KNL] 125.64.27.8 appeared on ppp0

Sep 23 00:28:59 sveta pppd[4151]: Script /etc/ppp/ip-up started (pid 4155)

Sep 23 00:28:59 sveta charon: 10[KNL] interface ppp0 activated

Sep 23 00:28:59 sveta pppd[4151]: Script /etc/ppp/ip-up finished (pid 4155), status = 0x0

Sep 23 00:29:18 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]

Sep 23 00:29:38 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]

Sep 23 00:29:44 sveta su[4166]: Successful su for root by [HIDDEN]

Sep 23 00:29:44 sveta su[4166]: + /dev/pts/2 [HIDDEN]:root

Sep 23 00:29:44 sveta su[4166]: pam_unix(su:session): session opened for user root by [HIDDEN](uid=1000)

Sep 23 00:29:58 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]

Sep 23 00:29:59 sveta xl2tpd[4113]: Maximum retries exceeded for tunnel 59263.  Closing.

Sep 23 00:29:59 sveta xl2tpd[4113]: Terminating pppd: sending TERM signal to pid 4151

Sep 23 00:29:59 sveta xl2tpd[4113]: Connection 7959 closed to 17.11.7.5, port 1701 (Timeout)

Sep 23 00:29:59 sveta pppd[4151]: Terminating on signal 15

Sep 23 00:29:59 sveta pppd[4151]: Connect time 1.0 minutes.

Sep 23 00:29:59 sveta pppd[4151]: Sent 81712 bytes, received 0 bytes.

Sep 23 00:29:59 sveta charon: 05[KNL] interface ppp0 deactivated

Sep 23 00:29:59 sveta charon: 07[KNL] 125.64.27.8 disappeared from ppp0

Sep 23 00:29:59 sveta pppd[4151]: Script /etc/ppp/ip-down started (pid 4177)

Sep 23 00:29:59 sveta pppd[4151]: PPPoL2TP options: debugmask 0

Sep 23 00:29:59 sveta pppd[4151]: sent [LCP TermReq id=0x3 "User request"]

Sep 23 00:29:59 sveta pppd[4151]: Script /etc/ppp/ip-down finished (pid 4177), status = 0x0

Sep 23 00:30:01 sveta cron[4179]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)

Sep 23 00:30:02 sveta pppd[4151]: sent [LCP TermReq id=0x4 "User request"]

Sep 23 00:30:04 sveta xl2tpd[4113]: Unable to deliver closing message for tunnel 59263. Destroying anyway.

Sep 23 00:30:05 sveta pppd[4151]: Connection terminated.

Sep 23 00:30:05 sveta charon: 04[KNL] interface ppp0 deleted

Sep 23 00:30:05 sveta avahi-daemon[2998]: Withdrawing workstation service for ppp0.

Sep 23 00:30:05 sveta pppd[4151]: Modem hangup

Sep 23 00:30:05 sveta pppd[4151]: Exit.

Sep 23 00:30:23 sveta charon: 05[IKE] sending keep alive to 17.11.7.5[4500]

Sep 23 00:30:43 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]

```

```

# ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500

        ether 1e:42:13:cb:10:e4  txqueuelen 0  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>

        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)

        RX packets 49917  bytes 62529540 (59.6 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 33988  bytes 3338778 (3.1 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory #x########-########  

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory #x########-########  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 41  bytes 16913 (16.5 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 41  bytes 16913 (16.5 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0                                                 

                                                                                                                   

sveta [HIDDEN] # ipsec up VPN.OFFICE.COM && xl2tpd-control connect vpnclient user-name password   

initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5                                                 

generating ID_PROT request 0 [ SA V V V V ]                                                                        

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)                                              

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)                                             

parsed ID_PROT response 0 [ SA V V ]                                                                               

received draft-ietf-ipsec-nat-t-ike-02\n vendor ID                                                                 

received FRAGMENTATION vendor ID                                                                                   

generating ID_PROT request 0 [ KE No NAT-D NAT-D ]                                                                 

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)                                              

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)                                             

parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]                                                            

received Cisco Unity vendor ID                                                                                     

received XAuth vendor ID                                                                                           

received unknown vendor ID: [HIDDEN]                                        

received unknown vendor ID: [HIDDEN]                                        

local host is behind NAT, sending keep alives                                                                      

generating ID_PROT request 0 [ ID HASH ]                                                                           

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)                                             

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)                                            

parsed ID_PROT response 0 [ ID HASH V ]                                                                            

received DPD vendor ID                                                                                             

IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]                

generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]                                        

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)                                            

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)                                           

parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]                                       

received 28800s lifetime, configured 0s                                                                            

CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]                                                                                                

generating QUICK_MODE request [HIDDEN] [ HASH ]                                                                  

connection 'VPN.OFFICE.COM' established successfully                                                            

00 OK                                                                                                              

sveta [HIDDEN] # ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500                                                         

        ether 1e:42:13:cb:10:e4  txqueuelen 0  (Ethernet)                                                          

        RX packets 0  bytes 0 (0.0 B)                                                                              

        RX errors 0  dropped 0  overruns 0  frame 0                                                                

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>

        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)

        RX packets 49939  bytes 62532463 (59.6 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 34010  bytes 3341695 (3.1 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory #x########-########  

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory #x########-########  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 41  bytes 16913 (16.5 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 41  bytes 16913 (16.5 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5

        ppp  txqueuelen 3  (Point-to-Point Protocol)

        RX packets 4  bytes 34 (34.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 4  bytes 40 (40.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sveta [HIDDEN] # ping 3.5.8.13

PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

10 packets transmitted, 0 received, 100% packet loss, time 8999ms

sveta [HIDDEN] # ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500

        ether 1e:42:13:cb:10:e4  txqueuelen 0  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 fe80::ca60:ff:fecc:4614  prefixlen 64  scopeid 0x20<link>

        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)

        RX packets 49948  bytes 62533051 (59.6 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 34023  bytes 3342919 (3.1 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory #x########-########  

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory #x########-########  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 41  bytes 16913 (16.5 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 41  bytes 16913 (16.5 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5

        ppp  txqueuelen 3  (Point-to-Point Protocol)

        RX packets 4  bytes 34 (34.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 19  bytes 8917 (8.7 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

----------

## Duco Ergo Sum

The only other information I can think of which might be pertinent is that my system has at least three NICs.

The first appears as eno0

The second and third are not used.  One of these is Wifi.

----------

## salahx

Well, after running a few simulations, I can't get it to disconnect, even with a similar network setup. Looking at the logs, the problem appears to be at the l2tp layer: soon after the connection, the other side of the tunnel stops responding and the l2tp connection gets dropped. Since we know ipsec works and ppp seems fine, I'm beginning to think the problem here is l2tp.

There is an (undocumented) option to turn off kernel l2tp for xl2tp:

```

[global]

force userspace = yes

```

If this doesn't work, then the next step is to try a different l2tp implementation. There are 2 others: rp-l2tp and openl2tp. The former is in portage, but dated. The latter is much newer but it's not in portage, and I've never used it. Neither is as convenient as xl2tpd.
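As an added example (not from this thread, and not salahx's or Duco Ergo Sum's code), here is a Python triage that applies both checks salahx described: it pulls the pppd-assigned addresses out of an xl2tpd/pppd log, verifies the `ip route` host route for ppp0 against them, and then flags the pattern in the log posted above (tunnel and PPP up, nothing ever received, "Maximum retries exceeded"). The log excerpt and routing table are constructed from the output posted earlier; the host name "sveta", the 10.1.1.1 gateway and the 10.1.1.0/24 prefix are placeholders.

```python
import re

# Constructed excerpt modelled on the syslog lines posted in this thread
# (placeholder host "sveta"; addresses as used in the thread).
SAMPLE_LOG = """\
Sep 23 00:28:54 sveta xl2tpd[4113]: Connection established to 17.11.7.5, 1701.  Local: 59263, Remote: 7959 (ref=0/0).
Sep 23 00:28:54 sveta xl2tpd[4113]: Call established with 17.11.7.5, Local: 15862, Remote: 7832, Serial: 1 (ref=0/0)
Sep 23 00:28:56 sveta pppd[4151]: CHAP authentication succeeded
Sep 23 00:28:59 sveta pppd[4151]: local  IP address 125.64.27.8
Sep 23 00:28:59 sveta pppd[4151]: remote IP address 17.11.7.5
Sep 23 00:29:59 sveta xl2tpd[4113]: Maximum retries exceeded for tunnel 59263.  Closing.
Sep 23 00:29:59 sveta pppd[4151]: Sent 81712 bytes, received 0 bytes.
"""

# Constructed `ip route` output; the gateway and LAN prefix are placeholders.
SAMPLE_ROUTES = """\
default via 10.1.1.1 dev eno1  proto static
10.1.1.0/24 dev eno1  proto kernel  scope link  src 1.2.3.4  metric 1
17.11.7.5 dev ppp0  proto kernel  scope link  src 125.64.27.8
127.0.0.0/8 dev lo  scope host
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_session(log):
    """Reduce one xl2tpd/pppd session log to the facts the triage needs."""
    s = {"l2tp_up": False, "call_up": False, "auth_ok": False,
         "local_ip": None, "remote_ip": None, "tunnel_timeout": False,
         "bytes_sent": None, "bytes_received": None}
    for line in log.splitlines():
        if "Connection established to" in line:      # L2TP control connection
            s["l2tp_up"] = True
        elif "Call established with" in line:        # L2TP session (call) inside it
            s["call_up"] = True
        elif "authentication succeeded" in line:     # PPP CHAP/PAP done
            s["auth_ok"] = True
        elif (m := re.search(r"local\s+IP address " + IP, line)):  # pppd prints two spaces
            s["local_ip"] = m.group(1)
        elif (m := re.search(r"remote IP address " + IP, line)):
            s["remote_ip"] = m.group(1)
        elif "Maximum retries exceeded" in line:     # xl2tpd gave up waiting for the peer
            s["tunnel_timeout"] = True
        elif (m := re.search(r"Sent (\d+) bytes, received (\d+) bytes", line)):
            s["bytes_sent"], s["bytes_received"] = int(m.group(1)), int(m.group(2))
    return s


def ppp_route_ok(routes, local_ip, remote_ip):
    """True if `ip route` has the host route salahx asked for:
    <remote> dev ppp0 ... src <local>, i.e. the kernel route matches pppd's addresses."""
    pat = re.compile(rf"^{re.escape(remote_ip)} dev ppp0 .*\bsrc {re.escape(local_ip)}\b")
    return any(pat.match(line.strip()) for line in routes.splitlines())


def diagnose(log, routes):
    """Name the lowest layer that is not healthy, in the order the thread worked through them."""
    s = parse_session(log)
    if not s["l2tp_up"]:
        return "l2tp: no tunnel established (check the IPsec CHILD_SA and UDP/1701 reachability)"
    if not (s["auth_ok"] and s["local_ip"] and s["remote_ip"]):
        return "ppp: tunnel up but PPP never authenticated or negotiated addresses"
    if not ppp_route_ok(routes, s["local_ip"], s["remote_ip"]):
        return "routing: ppp0 host route missing or inconsistent with pppd's addresses"
    if s["tunnel_timeout"] and s["bytes_received"] == 0:
        return "l2tp: one-way traffic, peer stopped answering control messages (tunnel timed out)"
    return "ok: l2tp, ppp and routing are consistent"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_ROUTES))
```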

----------

## Duco Ergo Sum

Hi,

When I set:

```

[global] 

force userspace = yes

```

xl2tpd fails.

```

# /etc/init.d/xl2tpd restart

 * Starting xl2tpd ...

 * start-stop-daemon: failed to start `/usr/sbin/xl2tpd'

 * Failed to start xl2tpd                                                                                    [ !! ]

 * ERROR: xl2tpd failed to start

```

I am able to emerge both rp-l2tp and openl2tp.  The latter is available via an overlay [booboo].

----------

## salahx

It shouldn't give that error. It works for me. Check the syntax of your xl2tpd.conf file. It's gonna be a day or so before I can set up another l2tp client as the Gentoo webservers are down.

It should look something like this:

```

[global]

force userspace = yes 

[lac vpnclient]

lns = vpn.office.com

pppoptfile = /etc/ppp/options.xl2tpd.client

name = user-name

ppp debug = yes

length bit = yes 

```

----------

## Duco Ergo Sum

You're right.

When I copied and pasted to the config file, I missed the '[global]' statement.  I was in a rush.  Apologies.

Testing again now with the correct syntax. xl2tpd does run but there is no change.  The logs are identical.

This might be informative - http://serverfault.com/questions/550377/strongswan-xl2tpd-client-timeout-between-2-5-minutes

----------

## salahx

OK then, let's try it with openl2tp. You'll need the "rpc" USE flag set as well. If you are using systemd, grab its unit file. Systemd users need to start rpcbind manually. Either way, start the openl2tpd service.

Once the service is started, run the "l2tpconfig" utility:

```
l2tp> system modify deny_remote_tunnel_creates=yes

l2tp> tunnel profile create dest_ipaddr=vpn.office.com

Created tunnel 47743

l2tp> tunnel show tunnel_id=47743

l2tp> session create tunnel_id=47743 user_name=your-login-username user_password=your-login-password

Created session 47743/20183

l2tp> session show tunnel_id=47743 session_id=20183

```

The tunnel and session ids are generated randomly. Note that "session show" discloses the username and password.

To disconnect:

```
session delete tunnel_id=47743 session_id=20183

tunnel delete tunnel_id=47743

```

----------

## Duco Ergo Sum

A quick update:

```

# l2tpconfig

localhost: RPC: Program not registered

```

I think this may be due to the order in which I attempted to run these programs, l2tpconfig then rpcbind.  I'll find out after work.

----------

## Duco Ergo Sum

Hi

I have attempted to follow your example as closely as possible; however, I still fail to get a connection or even a ppp0 interface.

```

l2tp> tunnel create profile_name="VPN.OFFICE.COM" tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com

Created tunnel 30242

l2tp> tunnel show tunnel_id=30242

Tunnel 30242, from 1.2.3.4 to 17.11.7.5:-

  state: CLOSING

  created at:  Sep 26 20:41:01 2014

  created by admin: YES, tunnel mode: LAC

  peer tunnel id: 0, host name: NOT SET

  UDP ports: local 59310, peer 1701

  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF

  session limit: 0, session count: 0

  tunnel profile: "VPN.OFFICE.COM", peer profile: default

  session profile: default, ppp profile: default

  hello timeout: 60, retry timeout: 1, idle timeout: 0

  rx window size: 10, tx window size: 10, max retries: 5

  use udp checksums: ON

  do pmtu discovery: OFF, mtu: 1460

  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG

  use tiebreaker: OFF

  trace flags: NONE

  peer protocol version: 0.0, firmware 0

  peer framing capability: NONE

  peer bearer capability: NONE

  peer rx window size: 0

  Transport status:-

    ns/nr: 1/0, peer 0/0

    cwnd: 1, ssthresh: 1, congpkt_acc: 0

  Transport statistics:-

    out-of-sequence control/data discards: 0/0

    zlbs tx/txfail/rx: 0/0/0

    retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0

    hellos tx/txfail/rx: 0/0/0

    control rx packets: 0, rx bytes: 0

    control tx packets: 6, tx bytes: 834

    data rx packets: 0, rx bytes: 0, rx errors: 0

    data tx packets: 0, tx bytes: 0, tx errors: 0

    establish retries: 0

l2tp> session create user_name=USER user_password=PASSWORD tunnel_name="VPN.OFFICE.COM"

Created session 30242/42553

l2tp> session show tunnel_name="VPN.OFFICE.COM" session_id=42553

Session 42553 on tunnel 30242:-

  type: LAC Incoming Call, state: WAITTUNNEL

  created at:  Sep 26 20:41:22 2014

  created by admin: YES

  ppp user name: USER

  ppp user password: PASSWORD

  data sequencing required: OFF

  use data sequence numbers: OFF

  trace flags: NONE

  framing types: SYNC ASYNC

  bearer types: DIGITAL ANALOG

  call serial number: 3

  connect speed: 1000000

  use ppp proxy: NO

  Peer configuration data:-

    data sequencing required: OFF

    framing types:

    bearer types:

    call serial number: 3

  data rx packets: 0, rx bytes: 0, rx errors: 0

  data tx packets: 0, tx bytes: 0, tx errors: 0

l2tp> tunnel show tunnel_name="VPN.OFFICE.COM"

Tunnel 30242, from 1.2.3.4 to 17.11.7.5:-

  state: CLOSING

  created at:  Sep 26 20:41:01 2014

  created by admin: YES, tunnel mode: LAC

  peer tunnel id: 0, host name: NOT SET

  UDP ports: local 59310, peer 1701

  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF

  session limit: 0, session count: 1

  tunnel profile: "VPN.OFFICE.COM", peer profile: default

  session profile: default, ppp profile: default

  hello timeout: 60, retry timeout: 1, idle timeout: 0

  rx window size: 10, tx window size: 10, max retries: 5

  use udp checksums: ON

  do pmtu discovery: OFF, mtu: 1460

  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG

  use tiebreaker: OFF

  trace flags: NONE

  peer protocol version: 0.0, firmware 0

  peer framing capability: NONE

  peer bearer capability: NONE

  peer rx window size: 0

  Transport status:-

    ns/nr: 1/0, peer 0/0

    cwnd: 1, ssthresh: 1, congpkt_acc: 0

  Transport statistics:-

    out-of-sequence control/data discards: 0/0

    zlbs tx/txfail/rx: 0/0/0

    retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0

    hellos tx/txfail/rx: 0/0/0

    control rx packets: 0, rx bytes: 0

    control tx packets: 6, tx bytes: 834

    data rx packets: 0, rx bytes: 0, rx errors: 0

    data tx packets: 0, tx bytes: 0, tx errors: 0

    establish retries: 0

```

The tunnel option persist=yes doesn't help either.

----------

## salahx

It appears the ipsec connection is down. Bring the ipsec connection back up and try again.

----------

## Duco Ergo Sum

The IPsec appears to remain up:

```

# ipsec statusall

Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.14.14-gentoo, x86_64):

  uptime: 72 minutes, since Sep 27 22:10:49 2014

  malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1

  loaded plugins: charon curl ldap mysql sqlite aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic dhcp

Listening IP addresses:

  1.2.3.4

Connections:

Xerox-XLS-Telford:  %any...vpn.office.com  IKEv1

Xerox-XLS-Telford:   local:  [1.2.3.4] uses pre-shared key authentication

Xerox-XLS-Telford:   remote: [17.11.7.5] uses pre-shared key authentication

Xerox-XLS-Telford:   child:  dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT

Security Associations (1 up, 0 connecting):

Xerox-XLS-Telford[1]: ESTABLISHED 72 minutes ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Xerox-XLS-Telford[1]: IKEv1 SPIs: [HIDDEN]* [HIDDEN], rekeying disabled

Xerox-XLS-Telford[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

Xerox-XLS-Telford{1}:  INSTALLED, TRANSPORT, ESP in UDP SPIs: [HIDDEN] [HIDDEN]

Xerox-XLS-Telford{1}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled

Xerox-XLS-Telford{1}:   1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]

```

Yet, I'm still missing something.

```

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com

Created tunnel 28351

l2tp> session create session_name="VPN.OFFICE.COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN.OFFICE.COM"

Created session 15597 on tunnel "VPN.OFFICE.COM"

l2tp> session show tunnel_name="VPN.OFFICE.COM" session_name="VPN.OFFICE.COM"

Session 15597 on tunnel 28351:-

  type: LAC Incoming Call, state: WAITTUNNEL

  created at:  Sep 27 23:23:24 2014

  administrative name: "VPN.OFFICE.COM"

  created by admin: YES

  ppp user name: USER_NAME

  ppp user password: USER_PASSWORD

  data sequencing required: OFF

  use data sequence numbers: OFF

  trace flags: NONE

  framing types: SYNC ASYNC

  bearer types: DIGITAL ANALOG

  call serial number: 4

  connect speed: 1000000

  use ppp proxy: NO

  Peer configuration data:-

    data sequencing required: OFF

    framing types:

    bearer types:

    call serial number: 4

  data rx packets: 0, rx bytes: 0, rx errors: 0

  data tx packets: 0, tx bytes: 0, tx errors: 0

```

In the Openl2tp documentation it says that StrongSwan can do l2tp also. I cannot see any configuration info in the StrongSwan documentation.

----------

## salahx

StrongSwan doesn't do l2tp (it has a NetworkManager plugin, but only for IKEv2). Let's make sure the tunnel is getting established. After you create the tunnel, before the session, do a "show tunnel ..." command and verify the tunnel says ESTABLISHED. If not, we need to debug the tunnel first.

----------

## Duco Ergo Sum

Unfortunately, I don't seem to be able to establish a tunnel.

```

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com

Created tunnel 56457

l2tp> show tunnel tunnel_name="VPN.OFFICE.COM"

Error at or near 'show'

l2tp> show tunnel tunnel_id=56457

Error at or near 'show'

```

```

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM"" dest_ipaddr=17.11.7.5

Created tunnel 7747

l2tp> show tunnel tunnel_name="VPN.OFFICE.COM""

Error at or near 'show'

l2tp> show tunnel tunnel_id=7747

Error at or near 'show'

```

----------

## salahx

My bad. It's "tunnel show ..." not "show tunnel ..." (there's a "tunnel list" command as well, to see all the open tunnels).

----------

## salahx

Actually, I notice above in the status that no traffic was flowing over the ipsec connection. The same thing happens here too - once I put up the l2tp firewall, it stopped working. It turns out openl2tp works differently with respect to the source port. xl2tpd uses port 1701, but openl2tp chooses a random one. The ipsec rule we have set up only works when both the source AND destination ports are 1701.

So at this point, we can fix this one of 2 ways:

1) Adjust your ipsec connection:

```

conn vpn.office.com

        keyexchange=ikev1

        type=transport

        authby=secret

        ike=3des-sha1-modp1024

        rekey=no

        left=%defaultroute

        leftprotoport=udp/%any

        right=vpn.office.com

        rightprotoport=udp/l2tp

        rightid=17.11.7.5

        auto=add 

```

Reload strongswan and reconnect. After connecting you'll see a subtle change: "CHILD_SA vpn.office.com{1} established with SPIs...TS 1.2.3.4/32[udp] === 17.11.7.5/32[udp/l2tp]". Note that the server might adjust this, in which case this won't work and we'll have to try #2. The advantage of this approach is that we're not restricted to 1 tunnel per connection like Windows.

2) Bind to port 1701 on the client side:

```

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com our_udp_port=1701

```

This is the way Windows does it.
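The port mismatch described above can be checked mechanically from the two lines already pasted in this thread. The following is an added example, not code from the thread, openl2tp or strongSwan: it parses the CHILD_SA "TS ..." line that charon prints and the "UDP ports:" line from "tunnel show" (sample lines constructed from the thread's faux addresses) and reports whether the L2TP control packets fall inside the negotiated IPsec selector.

```python
"""Check whether openl2tp's UDP ports fall inside the strongSwan IPsec policy.

Added example (not code from the thread, openl2tp or strongSwan). strongSwan
installs a transport-mode policy for exactly the traffic selector (TS) it
negotiated; an L2TP packet sent from another source port does not match that
policy and is not carried by the CHILD_SA, which is consistent with
"ipsec statusall" showing 0 bytes_i / 0 bytes_o while the tunnel sits in
CLOSING with control tx > 0 and control rx 0.
"""
import re
from typing import List, Optional, Tuple

# Service names strongSwan prints inside [proto/port]; only l2tp matters here.
NAMED_PORTS = {"l2tp": 1701}

# "TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]"; the port part is
# absent ("[udp]") when the selector covers any port.
TS_RE = re.compile(
    r"TS\s+(?P<lsub>\S+?)\[(?P<lproto>\w+)(?:/(?P<lport>[\w%]+))?\]"
    r"\s+===\s+(?P<rsub>\S+?)\[(?P<rproto>\w+)(?:/(?P<rport>[\w%]+))?\]"
)
# "  UDP ports: local 59310, peer 1701" as printed by "l2tp> tunnel show ..."
UDP_PORTS_RE = re.compile(
    r"UDP ports:\s+local\s+(?P<local>\d+),\s+peer\s+(?P<peer>\d+)"
)


def _port(token: Optional[str]) -> Optional[int]:
    """Map a selector port token to an int; None means 'any port'."""
    if token is None or token == "%any":
        return None
    return NAMED_PORTS.get(token) or int(token)


def parse_ts(line: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (local_port, remote_port) of the negotiated UDP selector."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError(f"no traffic selector in: {line!r}")
    if m["lproto"] != "udp" or m["rproto"] != "udp":
        raise ValueError("L2TP runs over UDP; selector protocol must be udp")
    return _port(m["lport"]), _port(m["rport"])


def parse_udp_ports(line: str) -> Tuple[int, int]:
    """Return the (local, peer) UDP ports openl2tp chose for the tunnel."""
    m = UDP_PORTS_RE.search(line)
    if m is None:
        raise ValueError(f"no 'UDP ports:' field in: {line!r}")
    return int(m["local"]), int(m["peer"])


def check_policy(ts_line: str, udp_ports_line: str) -> List[str]:
    """Return the mismatches between selector and tunnel ports.

    An empty list means the L2TP control packets are covered by the policy.
    """
    sel_local, sel_remote = parse_ts(ts_line)
    local, peer = parse_udp_ports(udp_ports_line)
    problems = []
    if sel_local is not None and local != sel_local:
        problems.append(
            f"local UDP port {local} is outside the selector, which covers "
            f"local port {sel_local} only; these packets bypass the CHILD_SA"
        )
    if sel_remote is not None and peer != sel_remote:
        problems.append(
            f"peer UDP port {peer} is outside the selector (wants {sel_remote})"
        )
    return problems


def remedies(local: int) -> List[str]:
    """The two fixes proposed in the thread, phrased for the observed port."""
    return [
        f'l2tpconfig: add our_udp_port=1701 to "tunnel create" (currently {local})',
        "ipsec.conf: leftprotoport=udp/%any (only works if the server accepts it)",
    ]


# Constructed sample lines using the thread's faux addresses.
TS_L2TP_BOTH = ("CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] "
                "[HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]")
TS_ANY_LOCAL = ("CHILD_SA vpn.office.com{1} established with SPIs [HIDDEN] "
                "[HIDDEN] and TS 1.2.3.4/32[udp] === 17.11.7.5/32[udp/l2tp]")
PORTS_RANDOM = "  UDP ports: local 59310, peer 1701"
PORTS_BOUND = "  UDP ports: local 1701, peer 1701"

if __name__ == "__main__":
    cases = [(TS_L2TP_BOTH, PORTS_RANDOM),   # the failing state in the thread
             (TS_L2TP_BOTH, PORTS_BOUND),    # fix #2: our_udp_port=1701
             (TS_ANY_LOCAL, PORTS_RANDOM)]   # fix #1: leftprotoport=udp/%any
    for ts, ports in cases:
        issues = check_policy(ts, ports)
        print(ports.strip(), "->", "OK" if not issues else "; ".join(issues))
        for fix in (remedies(parse_udp_ports(ports)[0]) if issues else []):
            print("   fix:", fix)
```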

----------

## Duco Ergo Sum

Old IPsec connection

```

# ipsec up VPN.OFFICE.COM

initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5

generating ID_PROT request 0 [ SA V V V V ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)

parsed ID_PROT response 0 [ SA V V ]

received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

received FRAGMENTATION vendor ID

generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)

parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]

received Cisco Unity vendor ID

received XAuth vendor ID

received unknown vendor ID: [HIDDEN]

received unknown vendor ID: [HIDDEN]

local host is behind NAT, sending keep alives

generating ID_PROT request 0 [ ID HASH ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

parsed ID_PROT response 0 [ ID HASH V ]

received DPD vendor ID

IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)

parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]

received 28800s lifetime, configured 0s

CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

connection 'VPN.OFFICE.COM' established successfully

l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com

Created tunnel 24778

l2tp> tunnel show tunnel_name="VPN OFFICE COM"

Tunnel 24778, from 1.2.3.4 to 17.11.7.5:-

  state: CLOSING

  created at:  Sep 28 08:17:16 2014

  administrative name: '"VPN OFFICE COM"'                                                                       

  created by admin: YES, tunnel mode: LAC                                                                          

  peer tunnel id: 0, host name: NOT SET                                                                            

  UDP ports: local 37846, peer 1701                                                                                

  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF                                                   

  session limit: 0, session count: 0                                                                               

  tunnel profile: default, peer profile: default                                                                   

  session profile: default, ppp profile: default                                                                   

  hello timeout: 60, retry timeout: 1, idle timeout: 0                                                             

  rx window size: 10, tx window size: 10, max retries: 5                                                           

  use udp checksums: ON                                                                                            

  do pmtu discovery: OFF, mtu: 1460                                                                                

  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG                                                

  use tiebreaker: OFF                                                                                              

  trace flags: NONE                                                                                                

  peer protocol version: 0.0, firmware 0                                                                           

  peer framing capability: NONE                                                                                    

  peer bearer capability: NONE                                                                                     

  peer rx window size: 0                                                                                           

  Transport status:-                                                                                               

    ns/nr: 1/0, peer 0/0                                                                                           

    cwnd: 1, ssthresh: 1, congpkt_acc: 0                                                                           

  Transport statistics:-                                                                                           

    out-of-sequence control/data discards: 0/0                                                                     

    zlbs tx/txfail/rx: 0/0/0                                                                                       

    retransmits: 6, duplicate pkt discards: 0, data pkt discards: 0                                                

    hellos tx/txfail/rx: 0/0/0                                                                                     

    control rx packets: 0, rx bytes: 0                                                                             

    control tx packets: 6, tx bytes: 834                                                                           

    data rx packets: 0, rx bytes: 0, rx errors: 0                                                                  

    data tx packets: 0, tx bytes: 0, tx errors: 0                                                                  

    establish retries: 0

```

New IPsec connection

```

# ipsec up VPN.OFFICE.COM

initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5                                                 

generating ID_PROT request 0 [ SA V V V V ]                                                                        

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)                                              

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)                                             

parsed ID_PROT response 0 [ SA V V ]                                                                               

received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

received FRAGMENTATION vendor ID

generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)

parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]

received Cisco Unity vendor ID

received XAuth vendor ID

received unknown vendor ID: [HIDDEN]

received unknown vendor ID: [HIDDEN]

local host is behind NAT, sending keep alives

generating ID_PROT request 0 [ ID HASH ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

parsed ID_PROT response 0 [ ID HASH V ]

received DPD vendor ID

IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)

parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]

received 28800s lifetime, configured 0s

CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

generating QUICK_MODE request [HIDDEN] [ HASH ]

connection 'VPN.OFFICE.COM' established successfully

l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com                                

Created tunnel 10765                                                                                               

l2tp> tunnel show tunnel_name="VPN OFFICE COM"                                

Tunnel 10765, from 1.2.3.4 to 17.11.7.5:-                                                                    

  state: WAITCTLREPLY                                                                                              

  created at:  Sep 28 08:22:52 2014                                                                                

  administrative name: '"VPN OFFICE COM"'                                                                       

  created by admin: YES, tunnel mode: LAC                                                                          

  peer tunnel id: 0, host name: NOT SET

  UDP ports: local 49627, peer 1701

  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF

  session limit: 0, session count: 0

  tunnel profile: default, peer profile: default

  session profile: default, ppp profile: default

  hello timeout: 60, retry timeout: 1, idle timeout: 0

  rx window size: 10, tx window size: 10, max retries: 5

  use udp checksums: ON

  do pmtu discovery: OFF, mtu: 1460

  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG

  use tiebreaker: OFF

  trace flags: NONE

  peer protocol version: 0.0, firmware 0

  peer framing capability: NONE

  peer bearer capability: NONE

  peer rx window size: 0

  Transport status:-

    ns/nr: 1/0, peer 0/0

    cwnd: 1, ssthresh: 0, congpkt_acc: 0

  Transport statistics:-

    out-of-sequence control/data discards: 0/0

    zlbs tx/txfail/rx: 0/0/0

    retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0

    hellos tx/txfail/rx: 0/0/0

    control rx packets: 0, rx bytes: 0

    control tx packets: 1, tx bytes: 139

    data rx packets: 0, rx bytes: 0, rx errors: 0

    data tx packets: 0, tx bytes: 0, tx errors: 0

    establish retries: 0

l2tp> session create session_name="VPN OFFICE COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN OFFICE COM"

Created session 45480 on tunnel "VPN OFFICE COM"

l2tp> session show tunnel_name="VPN OFFICE COM" session_name="VPN OFFICE COM"

Session 45480 on tunnel 10765:-

  type: LAC Incoming Call, state: WAITTUNNEL

  created at:  Sep 28 08:23:09 2014

  administrative name: "VPN OFFICE COM"

  created by admin: YES

  ppp user name: USER_NAME

  ppp user password: USER_PASSWORD

  data sequencing required: OFF

  use data sequence numbers: OFF

  trace flags: NONE

  framing types: SYNC ASYNC

  bearer types: DIGITAL ANALOG

  call serial number: 1

  connect speed: 1000000

  use ppp proxy: NO

  Peer configuration data:-

    data sequencing required: OFF

    framing types:

    bearer types:

    call serial number: 1

  data rx packets: 0, rx bytes: 0, rx errors: 0

  data tx packets: 0, tx bytes: 0, tx errors: 0

```

There is one deviation from your IPsec connection:

```

rightprotoport=udp/%any

```

----------

## salahx

Didn't work, the server modified it:

```

CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

```

We'll have to go with approach #2 and bind to port 1701.

----------

## Duco Ergo Sum

Looking on the bright side, we now have the ESTABLISHED state. Unfortunately, as far as I can tell we're getting the same behaviour as with xl2tpd.

```

# ipsec up VPN.OFFICE.COM

initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5

generating ID_PROT request 0 [ SA V V V V ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)

parsed ID_PROT response 0 [ SA V V ]

received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

received FRAGMENTATION vendor ID

generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)

received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)

parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]

received Cisco Unity vendor ID

received XAuth vendor ID

received unknown vendor ID: [HIDDEN]

received unknown vendor ID: [HIDDEN]

local host is behind NAT, sending keep alives

generating ID_PROT request 0 [ ID HASH ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

sending retransmit 1 of request message ID 0, seq 3

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

parsed ID_PROT response 0 [ ID HASH V ]

received DPD vendor ID

IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)

received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)

parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]

received 28800s lifetime, configured 0s

CHILD_SA VPN.OFFICE.COM{1} established with SPIs [HIDDEN] [HIDDEN] and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

generating QUICK_MODE request [HIDDEN] [ HASH ]

connection 'VPN.OFFICE.COM' established successfully

sveta huoshe # l2tpconfig

l2tp> tunnel create tunnel_name="VPN OFFICE COM" dest_ipaddr=vpn.office.com our_udp_port=1701

Created tunnel 835

l2tp> tunnel show tunnel_name="VPN OFFICE COM"

Tunnel 835, from 1.2.3.4 to 17.11.7.5:-

  state: ESTABLISHED

  created at:  Sep 28 23:44:09 2014

  administrative name: '"VPN OFFICE COM"'

  created by admin: YES, tunnel mode: LAC

  peer tunnel id: 7989, host name: NOT SET

  UDP ports: local 1701, peer 1701

  authorization mode: NONE, hide AVPs: OFF, allow PPP proxy: OFF

  session limit: 0, session count: 0

  tunnel profile: default, peer profile: default

  session profile: default, ppp profile: default

  hello timeout: 60, retry timeout: 1, idle timeout: 0

  rx window size: 10, tx window size: 10, max retries: 5

  use udp checksums: ON

  do pmtu discovery: OFF, mtu: 1460

  framing capability: SYNC ASYNC, bearer capability: DIGITAL ANALOG

  use tiebreaker: OFF

  trace flags: NONE

  peer vendor name: Cisco Systems, Inc.

  peer protocol version: 1.0, firmware 4384

  peer framing capability: SYNC ASYNC

  peer bearer capability: DIGITAL ANALOG

  peer rx window size: 16

  Transport status:-

    ns/nr: 2/1, peer 2/1

    cwnd: 3, ssthresh: 10, congpkt_acc: 0

  Transport statistics:-

    out-of-sequence control/data discards: 0/0

    zlbs tx/txfail/rx: 1/0/1

    retransmits: 0, duplicate pkt discards: 0, data pkt discards: 0

    hellos tx/txfail/rx: 0/0/0

    control rx packets: 2, rx bytes: 128

    control tx packets: 3, tx bytes: 171

    data rx packets: 0, rx bytes: 0, rx errors: 0

    data tx packets: 0, tx bytes: 0, tx errors: 0

    establish retries: 0

l2tp> session create session_name="VPN OFFICE COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN OFFICE COM"

Created session 65073 on tunnel "VPN OFFICE COM"

l2tp> session show tunnel_name="VPN OFFICE COM" session_name="VPN OFFICE COM"

Session 65073 on tunnel 835:-

  type: LAC Incoming Call, state: ESTABLISHED

  created at:  Sep 28 23:44:18 2014

  administrative name: "VPN OFFICE COM"

  created by admin: YES, peer session id: 7862

  ppp user name: USER_NAME

  ppp user password: USER_PASSWORD

  ppp interface name: ppp0

  data sequencing required: OFF

  use data sequence numbers: OFF

  trace flags: NONE

  framing types: SYNC ASYNC

  bearer types: DIGITAL ANALOG

  call serial number: 1

  connect speed: 1000000

  use ppp proxy: NO

  Peer configuration data:-

    data sequencing required: OFF

    framing types:

    bearer types:

    call serial number: 1

  data rx packets: 9, rx bytes: 244, rx errors: 0

  data tx packets: 8, tx bytes: 286, tx errors: 0

# ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500

        ether [HIDDEN]  txqueuelen 0  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 [HIDDEN]  prefixlen 64  scopeid 0x20<link>

        ether [HIDDEN]  txqueuelen 1000  (Ethernet)

        RX packets 14981  bytes 17385980 (16.5 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 10522  bytes 1389109 (1.3 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory [HIDDEN]  

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether [HIDDEN]  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory [HIDDEN]  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 137  bytes 43277 (42.2 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 137  bytes 43277 (42.2 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5

        ppp  txqueuelen 3  (Point-to-Point Protocol)

        RX packets 4  bytes 34 (34.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 19  bytes 8917 (8.7 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sveta huoshe # ping 1.3.3.1

PING 1.3.3.1 (1.3.3.1) 56(84) bytes of data.

^C

--- 1.3.3.1 ping statistics ---

8 packets transmitted, 0 received, 100% packet loss, time 6999ms

```

----------

## salahx

OK, verify that neither the session nor the tunnel goes down by itself after a few seconds (the other end might time out after 15-30 minutes of idleness, so that's ok). If the tunnel stays up then it's a network configuration problem.

If the tunnel is stable, try the "tracepath" and/or "traceroute" utility and see if data is crossing the tunnel. Ping the other end of the tunnel. Use "tcpdump -i eno1 proto 50" and "tcpdump -i ppp0" and verify you see traffic (you might get the "ret: -1" thing, I get it too, but it should still work).

----------

## Duco Ergo Sum

No traffic passes through the tunnel and then it disappears after less than a minute. After that, to get an established tunnel again, I need to restart ipsec and openl2tpd.

----------

## salahx

Does the whole tunnel disappear or just the session? What does the syslog show from tunnel creation to destruction?

Let's modify the commands slightly to get more debug output, by adding trace_flags:

```

l2tp> tunnel create tunnel_name="VPN.OFFICE.COM" dest_ipaddr=vpn.office.com our_udp_port=1701 trace_flags=all

l2tp> session create session_name="VPN.OFFICE.COM" user_name=USER_NAME user_password=USER_PASSWORD tunnel_name="VPN.OFFICE.COM" trace_flags=all

```

This should result in (probably too much!) debug data being printed out in the syslog. Maybe it might provide a clue of why it keeps disconnecting.

----------

## Duco Ergo Sum

Both the tunnel and session disappear.  Below is my log.

I know that Windows is able to establish a stable connection. Is there possibly something going on at the other end which could be causing us issues?

One thing I found in Windows when the connection was up was that I could not view the internet.  At the time, I had little interest in debugging Windows as my goal is to have my regular system working.  Now, I'm wondering what those issues on Windows are and if or how they're connected...  These did not seem related when we started as then we weren't even able to get a connection.

```

Sep 29 08:06:37 sveta charon: 04[CFG] received stroke: initiate 'VPN.OFFICE.COM'

Sep 29 08:06:37 sveta charon: 06[IKE] initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5

Sep 29 08:06:37 sveta charon: 06[IKE] initiating Main Mode IKE_SA VPN.OFFICE.COM[1] to 17.11.7.5

Sep 29 08:06:37 sveta charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V ]

Sep 29 08:06:37 sveta charon: 06[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

Sep 29 08:06:37 sveta charon: 05[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)

Sep 29 08:06:37 sveta charon: 05[ENC] parsed ID_PROT response 0 [ SA V V ]

Sep 29 08:06:37 sveta charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

Sep 29 08:06:37 sveta charon: 05[IKE] received FRAGMENTATION vendor ID

Sep 29 08:06:37 sveta charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

Sep 29 08:06:37 sveta charon: 05[NET] sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)

Sep 29 08:06:38 sveta charon: 07[NET] received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)

Sep 29 08:06:38 sveta charon: 07[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]

Sep 29 08:06:38 sveta charon: 07[IKE] received Cisco Unity vendor ID

Sep 29 08:06:38 sveta charon: 07[IKE] received XAuth vendor ID

Sep 29 08:06:38 sveta charon: 07[ENC] received unknown vendor ID: [HIDDEN]

Sep 29 08:06:38 sveta charon: 07[ENC] received unknown vendor ID: [HIDDEN]

Sep 29 08:06:38 sveta charon: 07[IKE] local host is behind NAT, sending keep alives

Sep 29 08:06:38 sveta charon: 07[ENC] generating ID_PROT request 0 [ ID HASH ]

Sep 29 08:06:38 sveta charon: 07[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (68 bytes)

Sep 29 08:06:38 sveta charon: 08[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)

Sep 29 08:06:38 sveta charon: 08[ENC] parsed ID_PROT response 0 [ ID HASH V ]

Sep 29 08:06:38 sveta charon: 08[IKE] received DPD vendor ID

Sep 29 08:06:38 sveta charon: 08[IKE] IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep 29 08:06:38 sveta charon: 08[IKE] IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

Sep 29 08:06:38 sveta charon: 08[ENC] generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]

Sep 29 08:06:38 sveta charon: 08[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)

Sep 29 08:06:38 sveta charon: 09[NET] received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)

Sep 29 08:06:38 sveta charon: 09[ENC] parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N((24576)) NAT-OA ]

Sep 29 08:06:38 sveta charon: 09[IKE] received 28800s lifetime, configured 0s

Sep 29 08:06:38 sveta charon: 09[IKE] CHILD_SA VPN.OFFICE.COM{1} established with SPIs cadd4ef9_i 96a01b83_o and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep 29 08:06:38 sveta charon: 09[IKE] CHILD_SA VPN.OFFICE.COM{1} established with SPIs cadd4ef9_i 96a01b83_o and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp] 

Sep 29 08:06:38 sveta charon: 09[ENC] generating QUICK_MODE request [HIDDEN] [ HASH ]

Sep 29 08:06:38 sveta charon: 09[NET] sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (60 bytes)

Sep 29 08:07:02 sveta charon: 08[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:07:09 sveta openl2tpd[3726]: FSM: CCE(6362) event OPEN_REQ in state IDLE

Sep 29 08:07:09 sveta openl2tpd[3726]: PROTO: tunl 6362: sending SCCRQ

Sep 29 08:07:09 sveta openl2tpd[3726]: FSM: CCE(6362) state change: IDLE --> WAITCTLREPLY

Sep 29 08:07:09 sveta openl2tpd[3726]: FUNC: tunl 6362 created

Sep 29 08:07:09 sveta openl2tpd[3726]: PROTO: tunl 6362: SCCRP received from peer 7993

Sep 29 08:07:09 sveta openl2tpd[3726]: FSM: CCE(6362) event SCCRP_ACCEPT in state WAITCTLREPLY

Sep 29 08:07:09 sveta openl2tpd[3726]: PROTO: tunl 6362: sending SCCCN to peer 7993

Sep 29 08:07:09 sveta openl2tpd[3726]: FUNC: tunl 6362 up

Sep 29 08:07:09 sveta openl2tpd[3726]: FSM: CCE(6362) state change: WAITCTLREPLY --> ESTABLISHED

Sep 29 08:07:23 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) event INCALL_IND in state IDLE

Sep 29 08:07:23 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) state change: IDLE --> WAITTUNNEL

Sep 29 08:07:23 sveta openl2tpd[3726]: 6362/22446: creating UNIX pppd context

Sep 29 08:07:23 sveta openl2tpd[3726]: 6362/22446: using ppp profile 'default'

Sep 29 08:07:23 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) event TUNNEL_OPEN_IND in state WAITTUNNEL

Sep 29 08:07:23 sveta openl2tpd[3726]: PROTO: tunl 6362/22446: sending ICRQ to peer 7993/0

Sep 29 08:07:23 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) state change: WAITTUNNEL --> WAITREPLY

Sep 29 08:07:23 sveta openl2tpd[3726]: PROTO: tunl 6362/22446: ICRP received from peer 7993

Sep 29 08:07:23 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) event ICRP_ACCEPT in state WAITREPLY

Sep 29 08:07:23 sveta openl2tpd[3726]: PROTO: tunl 6362/22446: sending ICCN to peer 7993/7866

Sep 29 08:07:23 sveta openl2tpd[3726]: 6362/22446: starting UNIX pppd

Sep 29 08:07:23 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) state change: WAITREPLY --> ESTABLISHED

Sep 29 08:07:23 sveta pppd[4137]: Plugin pppol2tp.so loaded.

Sep 29 08:07:23 sveta pppd[4137]: Plugin openl2tp.so loaded.

Sep 29 08:07:23 sveta pppd[4137]: pppd 2.4.7 started by root, uid 0

Sep 29 08:07:23 sveta pppd[4137]: Using interface ppp0

Sep 29 08:07:23 sveta pppd[4137]: Connect: ppp0 <--> 

Sep 29 08:07:23 sveta kernel: [  224.927652] l2tp_ppp: sess 6362/22446: set debug=f

Sep 29 08:07:23 sveta kernel: [  224.927655] l2tp_ppp: sess 6362/22446: set mru=1500

Sep 29 08:07:23 sveta kernel: [  224.927665] 00000000: 00 02 1f 39 1e ba ff 03 c0 21 01 01 00 10 02 06  ...9.....!......

Sep 29 08:07:23 sveta kernel: [  224.927667] 00000010: 00 00 00 00 05 06 8c 1a 27 5e                    ........'^

Sep 29 08:07:23 sveta NetworkManager[2660]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...

Sep 29 08:07:23 sveta openl2tpd[3726]: PROTO: tunl 6362/22446: SLI received from peer 7993

Sep 29 08:07:23 sveta kernel: [  224.952793] 00000000: 00 02 1f 39 1e ba ff 03 c0 21 02 01 00 0f 03 05  ...9.....!......

Sep 29 08:07:23 sveta kernel: [  224.952795] 00000010: c2 23 81 05 06 44 4e a7 b6                       .#...DN..

Sep 29 08:07:23 sveta kernel: [  224.952971] 00000000: 00 02 1f 39 1e ba ff 03 c0 21 01 02 00 0a 05 06  ...9.....!......

Sep 29 08:07:23 sveta kernel: [  224.952975] 00000010: 8c 1a 27 5e                                      ..'^

Sep 29 08:07:23 sveta kernel: [  224.979713] l2tp_ppp: sess 6362/22446: set debug=f

Sep 29 08:07:23 sveta kernel: [  224.979716] l2tp_ppp: sess 6362/22446: set mru=1500

Sep 29 08:07:23 sveta kernel: [  224.980508] 00000000: 00 02 1f 39 1e ba ff 03 c2 23 02 01 00 3d 31 3c  ...9.....#...=1<

Sep 29 08:07:23 sveta kernel: [  224.980510] 00000010: b4 c6 92 21 ce 6f eb 5c cf 66 7c 5e 2b 9f 88 00  ...!.o.\.f|^+...

Sep 29 08:07:29 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:07:29 sveta kernel: [  230.826791] l2tp_ppp: sess 6362/22446: get L2TP stats

Sep 29 08:07:34 sveta pppd[4137]: CHAP authentication succeeded

Sep 29 08:07:34 sveta kernel: [  235.594832] 00000000: 00 02 1f 39 1e ba ff 03 80 21 01 01 00 0a 03 06  ...9.....!......

Sep 29 08:07:34 sveta kernel: [  235.594835] 00000010: 00 00 00 00                                      ....

Sep 29 08:07:37 sveta kernel: [  238.594062] 00000000: 00 02 1f 39 1e ba ff 03 80 21 01 01 00 0a 03 06  ...9.....!......

Sep 29 08:07:37 sveta kernel: [  238.594067] 00000010: 00 00 00 00                                      ....

Sep 29 08:07:37 sveta kernel: [  238.620743] 00000000: 00 02 1f 39 1e ba ff 03 80 21 02 01 00 0a 03 06  ...9.....!......

Sep 29 08:07:37 sveta kernel: [  238.620745] 00000010: 5b 67 aa 85                                      [g..

Sep 29 08:07:37 sveta kernel: [  238.621115] 00000000: 00 02 1f 39 1e ba ff 03 80 21 01 02 00 0a 03 06  ...9.....!......

Sep 29 08:07:37 sveta kernel: [  238.621117] 00000010: ac 12 07 10                                      ....

Sep 29 08:07:37 sveta charon: 12[KNL] 125.64.27.8 appeared on ppp0

Sep 29 08:07:37 sveta pppd[4137]: local  IP address 125.64.27.8

Sep 29 08:07:37 sveta pppd[4137]: remote IP address 17.11.7.5

Sep 29 08:07:37 sveta openl2tpd[3726]: FUNC: tunl 6362/22446: using interface ppp0

Sep 29 08:07:37 sveta charon: 14[KNL] 125.64.27.8 disappeared from ppp0

Sep 29 08:07:37 sveta charon: 06[KNL] 125.64.27.8 appeared on ppp0

Sep 29 08:07:37 sveta charon: 07[KNL] interface ppp0 activated

Sep 29 08:07:49 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:07:49 sveta kernel: [  249.990866] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 00 1d 94 77  ...9.....!E....w

Sep 29 08:07:49 sveta kernel: [  249.990869] 00000010: 40 00 40 11 95 67 0a 01 01 04 5b 67 aa 85 11 94  @.@..g....[g....

Sep 29 08:07:49 sveta kernel: [  249.991271] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 04 30 94 84  ...9.....!E..0..

Sep 29 08:07:49 sveta kernel: [  249.991273] 00000010: 00 00 40 11 d1 47 0a 01 01 04 5b 67 aa 85 11 94  ..@..G....[g....

Sep 29 08:08:09 sveta charon: 13[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:08:09 sveta kernel: [  269.971063] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 00 1d 94 86  ...9.....!E.....

Sep 29 08:08:09 sveta kernel: [  269.971066] 00000010: 40 00 40 11 95 58 0a 01 01 04 5b 67 aa 85 11 94  @.@..X....[g....

Sep 29 08:08:09 sveta kernel: [  269.971411] 00000010: 00 00 40 11 d1 89 0a 01 01 04 5b 67 aa 85 11 94  ..@.......[g....

Sep 29 08:08:09 sveta kernel: [  269.971470] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 04 30 94 93  ...9.....!E..0..

Sep 29 08:08:09 sveta kernel: [  269.971471] 00000010: 00 00 40 11 d1 38 0a 01 01 04 5b 67 aa 85 11 94  ..@..8....[g....

Sep 29 08:08:29 sveta charon: 06[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:08:29 sveta kernel: [  289.951275] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 00 1d 94 95  ...9.....!E.....

Sep 29 08:08:29 sveta kernel: [  289.951278] 00000010: 40 00 40 11 95 49 0a 01 01 04 5b 67 aa 85 11 94  @.@..I....[g....

Sep 29 08:08:29 sveta kernel: [  289.951683] 00000010: 00 00 40 11 d1 7a 0a 01 01 04 5b 67 aa 85 11 94  ..@..z....[g....

Sep 29 08:08:29 sveta kernel: [  289.951740] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 04 30 94 a2  ...9.....!E..0..

Sep 29 08:08:29 sveta kernel: [  289.951742] 00000010: 00 00 40 11 d1 29 0a 01 01 04 5b 67 aa 85 11 94  ..@..)....[g....

Sep 29 08:08:49 sveta charon: 07[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:08:49 sveta kernel: [  309.931513] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 00 1d 94 a4  ...9.....!E.....

Sep 29 08:08:49 sveta kernel: [  309.931907] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 04 30 94 b1  ...9.....!E..0..

Sep 29 08:08:49 sveta kernel: [  309.931908] 00000010: 00 00 40 11 d1 1a 0a 01 01 04 5b 67 aa 85 11 94  ..@.......[g....

Sep 29 08:09:09 sveta charon: 08[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:09:09 sveta kernel: [  329.911759] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 00 1d 94 b3  ...9.....!E.....

Sep 29 08:09:09 sveta kernel: [  329.912173] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 04 30 94 c0  ...9.....!E..0..

Sep 29 08:09:09 sveta kernel: [  329.912174] 00000010: 00 00 40 11 d1 0b 0a 01 01 04 5b 67 aa 85 11 94  ..@.......[g....

Sep 29 08:09:24 sveta openl2tpd[3726]: PROTO: tunl 6362: sending HELLO

Sep 29 08:09:24 sveta kernel: [  345.407261] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 00 58 94 c2  ...9.....!E..X..

Sep 29 08:09:24 sveta kernel: [  345.407264] 00000010: 40 00 40 11 94 e1 0a 01 01 04 5b 67 aa 85 11 94  @.@.......[g....

Sep 29 08:09:28 sveta kernel: [  349.153895] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 04 68 94 ed  ...9.....!E..h..

Sep 29 08:09:28 sveta kernel: [  349.153896] 00000010: 00 00 40 11 d0 a6 0a 01 01 04 5b 67 aa 85 11 94  ..@.......[g....

Sep 29 08:09:29 sveta charon: 04[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:09:29 sveta kernel: [  349.891975] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 00 1d 94 ef  ...9.....!E.....

Sep 29 08:09:29 sveta kernel: [  349.891978] 00000010: 40 00 40 11 94 ef 0a 01 01 04 5b 67 aa 85 11 94  @.@.......[g....

Sep 29 08:09:32 sveta kernel: [  352.900150] 00000000: 00 02 1f 39 1e ba ff 03 00 21 45 00 04 68 95 29  ...9.....!E..h.)

Sep 29 08:09:32 sveta kernel: [  352.900151] 00000010: 00 00 40 11 d0 6a 0a 01 01 04 5b 67 aa 85 11 94  ..@..j....[g....

Sep 29 08:09:33 sveta openl2tpd[3726]: FSM: CCE(6362) event XPRT_DOWN in state ESTABLISHED

Sep 29 08:09:33 sveta openl2tpd[3726]: PROTO: tunl 6362: sending STOPCCN to peer 7993

Sep 29 08:09:33 sveta openl2tpd[3726]: FUNC: tunl 6362 down

Sep 29 08:09:33 sveta openl2tpd[3726]: FSM: CCE(6362) state change: ESTABLISHED --> CLOSING

Sep 29 08:09:33 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) event CLOSE_REQ in state ESTABLISHED

Sep 29 08:09:33 sveta openl2tpd[3726]: PROTO: tunl 6362/22446: sending CDN to peer 7993/7866

Sep 29 08:09:33 sveta openl2tpd[3726]: 6362/22446: stopping unix pppd pid 4137

Sep 29 08:09:33 sveta openl2tpd[3726]: 6362/22446: cleaning UNIX pppd context

Sep 29 08:09:33 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) state change: ESTABLISHED --> IDLE

Sep 29 08:09:33 sveta pppd[4137]: Terminating on signal 15

Sep 29 08:09:33 sveta pppd[4137]: Connect time 2.0 minutes.

Sep 29 08:09:33 sveta pppd[4137]: Sent 111582 bytes, received 0 bytes.

Sep 29 08:09:33 sveta charon: 10[KNL] interface ppp0 deactivated

Sep 29 08:09:33 sveta charon: 09[KNL] 125.64.27.8 disappeared from ppp0

Sep 29 08:09:33 sveta kernel: [  354.149007] l2tp_ppp: sess 6362/22446: set debug=f

Sep 29 08:09:33 sveta kernel: [  354.149010] l2tp_ppp: sess 6362/22446: set mru=1500

Sep 29 08:09:33 sveta kernel: [  354.149017] 00000000: 00 02 1f 39 1e ba ff 03 c0 21 05 03 00 10 55 73  ...9.....!....Us

Sep 29 08:09:33 sveta kernel: [  354.149018] 00000010: 65 72 20 72 65 71 75 65 73 74                    er request

Sep 29 08:09:34 sveta openl2tpd[3726]: FSM: CCE(6362) event XPRT_DOWN in state CLOSING

Sep 29 08:09:36 sveta kernel: [  357.149089] 00000000: 00 02 1f 39 1e ba ff 03 c0 21 05 04 00 10 55 73  ...9.....!....Us

Sep 29 08:09:36 sveta kernel: [  357.149092] 00000010: 65 72 20 72 65 71 75 65 73 74                    er request

Sep 29 08:09:39 sveta pppd[4137]: Connection terminated.

Sep 29 08:09:39 sveta avahi-daemon[2987]: Withdrawing workstation service for ppp0.

Sep 29 08:09:39 sveta charon: 15[KNL] interface ppp0 deleted

Sep 29 08:09:39 sveta pppd[4137]: Modem hangup

Sep 29 08:09:39 sveta pppd[4137]: Exit.

Sep 29 08:09:53 sveta charon: 08[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:10:01 sveta cron[4182]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)

Sep 29 08:10:13 sveta charon: 04[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:10:33 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:10:33 sveta openl2tpd[3726]: FUNC: tunl 6362 deleted

Sep 29 08:10:33 sveta openl2tpd[3726]: FUNC: tunl 6362: deleting context

Sep 29 08:10:53 sveta charon: 13[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:11:13 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:11:33 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:11:53 sveta charon: 05[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:12:13 sveta charon: 06[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:12:33 sveta charon: 04[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:12:53 sveta charon: 10[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:13:13 sveta charon: 11[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:13:33 sveta charon: 12[IKE] sending keep alive to 17.11.7.5[4500]

Sep 29 08:13:53 sveta charon: 14[IKE] sending keep alive to 17.11.7.5[4500]

```

The lesser pruned log.

http://pastebin.com/DbfsLjBV
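A small triage script for logs like the one above, added here as an example (not code from the thread, from strongSwan, openl2tp or pppd). It walks the syslog lines once, records when each stage of an L2TP/IPsec client session was reached (IKE_SA, CHILD_SA, L2TP tunnel, L2TP session, CHAP, PPP address) and which failure events appeared, then summarises where the session got to. SAMPLE_LOG is a cut-down copy of the log posted above with the same faux addresses; the stage names, failure names and verdict wording are this example's own.

```python
"""Stage-by-stage triage of a strongSwan (charon) / openl2tpd / pppd client log.

Added example, not code from the thread or from any of those projects.
SAMPLE_LOG is a cut-down copy of the log posted above (same faux addresses);
the milestone and failure names and the verdict wording are this example's own.
"""
import re
from typing import Dict, List, Tuple

# Milestones a healthy L2TP/IPsec client passes through, in order.
MILESTONES: List[Tuple[str, str]] = [
    ("ike_sa",       r"IKE_SA \S+\[\d+\] established"),
    ("child_sa",     r"CHILD_SA \S+\{\d+\} established"),
    ("l2tp_tunnel",  r"FSM: CCE\(\d+\) state change: \S+ --> ESTABLISHED"),
    ("l2tp_session", r"FSM: LAIC\(\S+\) state change: \S+ --> ESTABLISHED"),
    ("ppp_auth",     r"pppd\[\d+\]: CHAP authentication succeeded"),
    ("ppp_ip",       r"pppd\[\d+\]: local +IP address \S+"),
]

# Events that explain a stall or a teardown.
FAILURES: List[Tuple[str, str]] = [
    ("ike_no_response",     r"giving up after \d+ retransmits"),
    ("l2tp_transport_down", r"FSM: CCE\(\d+\) event XPRT_DOWN in state ESTABLISHED"),
    ("ppp_no_rx",           r"pppd\[\d+\]: Sent \d+ bytes, received 0 bytes"),
]

# syslog-style prefix, e.g. "Sep 29 08:06:38 "
TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")


def triage(lines):
    """Return (reached, failures, verdict).

    reached / failures map an event name to the timestamp of its first
    occurrence; verdict is a one-line summary of where the session got to.
    """
    reached: Dict[str, str] = {}
    failures: Dict[str, str] = {}
    for line in lines:
        m = TIMESTAMP.match(line)
        ts = m.group(1) if m else "?"
        for name, pat in MILESTONES:
            if name not in reached and re.search(pat, line):
                reached[name] = ts
        for name, pat in FAILURES:
            if name not in failures and re.search(pat, line):
                failures[name] = ts
    return reached, failures, _verdict(reached, failures)


def _verdict(reached, failures):
    missing = [name for name, _ in MILESTONES if name not in reached]
    if missing:
        why = " (" + ", ".join(sorted(failures)) + ")" if failures else ""
        return "stuck before " + missing[0] + why
    if "l2tp_transport_down" in failures and "ppp_no_rx" in failures:
        return ("tunnel fully up, but nothing ever came back over ppp0 "
                "and L2TP gave up on the peer")
    if failures:
        return "tunnel came up, then failed: " + ", ".join(sorted(failures))
    return "tunnel up and healthy"


# Cut-down copy of the log posted above (faux addresses as in the thread).
SAMPLE_LOG = """\
Sep 29 08:06:38 sveta charon: 08[IKE] IKE_SA VPN.OFFICE.COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
Sep 29 08:06:38 sveta charon: 09[IKE] CHILD_SA VPN.OFFICE.COM{1} established with SPIs cadd4ef9_i 96a01b83_o and TS 1.2.3.4/32[udp/l2tp] === 17.11.7.5/32[udp/l2tp]
Sep 29 08:07:09 sveta openl2tpd[3726]: FSM: CCE(6362) state change: WAITCTLREPLY --> ESTABLISHED
Sep 29 08:07:23 sveta openl2tpd[3726]: FSM: LAIC(6362/22446) state change: WAITREPLY --> ESTABLISHED
Sep 29 08:07:34 sveta pppd[4137]: CHAP authentication succeeded
Sep 29 08:07:37 sveta pppd[4137]: local  IP address 125.64.27.8
Sep 29 08:07:37 sveta pppd[4137]: remote IP address 17.11.7.5
Sep 29 08:09:24 sveta openl2tpd[3726]: PROTO: tunl 6362: sending HELLO
Sep 29 08:09:33 sveta openl2tpd[3726]: FSM: CCE(6362) event XPRT_DOWN in state ESTABLISHED
Sep 29 08:09:33 sveta pppd[4137]: Sent 111582 bytes, received 0 bytes.
"""

if __name__ == "__main__":
    reached, failures, verdict = triage(SAMPLE_LOG.splitlines())
    for name, ts in reached.items():
        print(f"{ts}  reached {name}")
    for name, ts in failures.items():
        print(f"{ts}  FAIL    {name}")
    print(verdict)
```

Run against the posted log every stage is reached, so the verdict points at the data path rather than at IKE, L2TP or PPP negotiation: the tunnel came up, pppd sent over 100 KB and received nothing, and openl2tpd's HELLO went unanswered. Feeding it the retransmit lines from later in the thread instead gives "stuck before ike_sa", which is the other failure mode discussed below.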

----------

## Duco Ergo Sum

I have tried to ping my work PC from windows without success.  The only discernible difference is that the connection appears to remain up until I tell it to disconnect.  Would this suggest that the problem may lie at the other end?  Or maybe I've managed to screw up two connections.

----------

## salahx

I suspect both are suffering from the same problem. From the logs, it appears we send an L2TP HELLO message to the other end, get no response, so openl2tp figures the other side vanished and shuts down the connection. I don't know how complete Microsoft's L2TP implementation is; perhaps it never realizes the other side has become inaccessible, so the connection stays up, but it's useless.

I figure we must be doing everything right, and something else is getting in the way. Either the problem is at the other end or something is getting in the way - I've seen some routers with broken NAT implementations (my old D-link DIR-615), or that mangle IPsec packets (a Zyxel P-330W).

----------

## Duco Ergo Sum

This makes more sense now.

```

 # tracepath 3.5.8.13

 1?: [LOCALHOST]                                         pmtu 1500

 1:  fritz.box                                             0.749ms 

 1:  fritz.box                                             0.656ms 

 2:  no reply

 3:  no reply

^C

 # traceroute 3.5.8.13

traceroute to 3.5.8.13 (3.5.8.13), 30 hops max, 60 byte packets

 1  fritz.box (10.1.1.253)  0.650 ms  0.705 ms  0.784 ms

 2  * * *

 3  * * *

 4  * * *

 5  * * *

 6  * * *

 7  * * *

 8  * * *

 9  * * *

10  * * *

11  * * *

12  * * *

13  * * *

14  * * *

15  * * *

16  * * *

17  * * *

18  * * *

19  * * *

20  * * *

21  * * *

22  * * *

23  * * *

24  * * *

25  * * *

26  * * *

27  * * *

28  * * *

29  * * *

30  * * *

```

----------

## salahx

Actually, it DOES make sense. If we go back to the routing table earlier, the default route will be applied for 3.5.8.13/8 (or whatever the prefix length is) and the data won't go over the tunnel. We would need to manually add a route, or use a full tunnel. If the other end doesn't push a route, that would explain why neither Windows nor Linux can connect.

Now, according to the documentation, Windows by default creates a full tunnel (this is controlled via [VPN Connection X]->Properties->Networking->General->Advanced->"Use default gateway on remote network"), whereas Linux creates a split tunnel.

It's possible to do full tunneling using openl2tp too:

```

l2tp> tunnel create tunnel_name="test" ...

l2tp> ppp profile create profile_name="test" default_route=yes

l2tp> session create ppp_profile_name="test"  user_name="USERNAME"  user_password="PASSWORD"

```

But it doesn't work:

```

not replacing existing default route to....

```

We can, however, create routes manually. After connecting, create the route to the server behind the VPN by hand:

```

# ip route add 3.0.0.0/8 dev ppp0

```

Then try "ping", "tracepath", and "traceroute" and it should go through the VPN. Adjust the networks and masks as needed. If there are multiple networks on the other side, you may need multiple "ip route" entries.

----------

## Duco Ergo Sum

I have tried various routing options below none have helped.

```

# ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500

        ether [HIDDEN]  txqueuelen 0  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 1.2.3.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 [HIDDEN]  prefixlen 64  scopeid 0x20<link>

        ether [HIDDEN]  txqueuelen 1000  (Ethernet)

        RX packets 15932  bytes 18370533 (17.5 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 11707  bytes 1517025 (1.4 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory [HIDDEN]  

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory [HIDDEN]  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 53  bytes 18645 (18.2 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 53  bytes 18645 (18.2 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5                                                         

        ppp  txqueuelen 3  (Point-to-Point Protocol)                                                                                  

        RX packets 4  bytes 34 (34.0 B)                                                                                               

        RX errors 0  dropped 0  overruns 0  frame 0                                                                                   

        TX packets 34  bytes 17794 (17.3 KiB)                                                                                         

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# ip route list                                                                                                          

default via 10.1.1.253 dev eno1  proto static 

default via 10.1.1.253 dev eno1  metric 7 

10.1.1.0/24 dev eno1  proto kernel  scope link  src 1.2.3.4  metric 1 

17.11.7.5 dev ppp0  proto kernel  scope link  src 125.64.27.8 

127.0.0.0/8 dev lo  scope host

# ping -I ppp0 1.3.3.1

PING 1.3.3.1 (1.3.3.1) from 125.64.27.8 ppp0: 56(84) bytes of data.

^C

--- 1.3.3.1 ping statistics ---

9 packets transmitted, 0 received, 100% packet loss, time 7999ms

# ping -I ppp0 3.5.8.13

PING 3.5.8.13 (3.5.8.13) from 125.64.27.8 ppp0: 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

13 packets transmitted, 0 received, 100% packet loss, time 12000ms

# ip route add 3.5.8.0/24 via 17.11.7.5

sveta huoshe # ping 3.5.8.13

PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

11 packets transmitted, 0 received, 100% packet loss, time 9999ms

```

----------

## salahx

What does tracepath / traceroute show? It shouldn't show your router; instead the next "hop" should be the VPN gateway (17.11.7.5). If it DOES show your router, then either we did something wrong somewhere or the router is getting in the way. Is the RX packet counter (ip -s link show ppp0) increasing? If possible, do a "tcpdump -i ppp0" to see if data is going through the tunnel. The tracepath / traceroute should give a clue as to where the routing issue lies.

Don't forget that when the interface goes down, all the routing rules associated with it get deleted. Thus they have to be recreated every time.

----------

## Duco Ergo Sum

Hi.

I have confirmed last night that my brother has no issues accessing his office's VPN.  This rules out (I hope) our router and ISP.

I have also attempted to make this connection with a Win-7 laptop and it was much the same as Win-8.1

Below are my latest results.

```

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5

        ppp  txqueuelen 3  (Point-to-Point Protocol)

        RX packets 4  bytes 34 (34.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 4  bytes 40 (40.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sveta huoshe # ip route add 3.5.8.0/24 via 17.11.7.5

sveta huoshe # traceroute 3.5.8.13

traceroute to 3.5.8.13 (3.5.8.13), 30 hops max, 60 byte packets

 1  * * *

 2  * * *

 3  * * *

 4  * * *

 5  * * *

 6  * * *

 7  * * *

 8  * * *

 9  * * *

10  * * *

11  * * *

12  * * *

13  * * *

14  * * *

15  * * *

16  * * *

17  * * *

18  * * *

19  * * *

20  * * *

21  * * *

22  * * *

23  * * *

24  * * *

25  * * *

26  * * *

27  * * *

28  * * *

29  * * *

30  * * *

# tracepath 3.5.8.13

 1?: [LOCALHOST]                                         pmtu 1500

 1:  fritz.box                                             0.791ms 

 1:  fritz.box                                             0.694ms 

 2:  no reply

^C

sveta huoshe # ip route add 3.5.8.0/24 via 17.11.7.5

sveta huoshe # tracepath 3.5.8.13

 1?: [LOCALHOST]                                         pmtu 1500

 1:  no reply

 2:  no reply

^C

sveta huoshe # tcpdump -i ppp0

error : ret -1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

09:29:00.969298 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=[HIDDEN]f5c), length 1472

09:29:00.969362 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=[HIDDEN]f5d), length 1472

09:29:00.969427 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=[HIDDEN]f5e), length 1472

09:29:00.969491 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=[HIDDEN]f5f), length 1472

09:29:00.969555 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=[HIDDEN]f60), length 1472

09:29:00.969619 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=[HIDDEN]f61), length 1472

# ping 3.5.8.13

PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

7 packets transmitted, 0 received, 100% packet loss, time 5999ms

sveta huoshe # ifconfig

bond0: flags=5123<UP,BROADCAST,MASTER,MULTICAST>  mtu 1500

        ether [HIDDEN]  txqueuelen 0  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.1.1.4  netmask 255.255.255.0  broadcast 10.1.1.255

        inet6 [HIDDEN]  prefixlen 64  scopeid 0x20<link>

        ether c8:60:00:cc:46:14  txqueuelen 1000  (Ethernet)

        RX packets 35473  bytes 37930082 (36.1 MiB)

        RX errors 0  dropped 6  overruns 0  frame 0

        TX packets 20150  bytes 2394850 (2.2 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 20  memory [HIDDEN]  

enp59s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether c8:60:00:cc:49:fc  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 0  bytes 0 (0.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device interrupt 19  memory [HIDDEN]  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 79  bytes 22245 (21.7 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 79  bytes 22245 (21.7 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5

        ppp  txqueuelen 3  (Point-to-Point Protocol)

        RX packets 4  bytes 34 (34.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 718050  bytes 918718343 (876.1 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

----------

## salahx

Hmm, that tcpdump isn't right at all. We shouldn't see IPsec ESP packets going over ppp0, only over eno1. Unless this was a copy/paste error and it's the wrong interface. If it's really from eno1, then that's what we're expecting and it means the route is working and the data is going through the VPN, but the problem is the other side doesn't respond.

----------

## Duco Ergo Sum

I have just re-tested and that post is correct. IPsec going over the ppp0 interface.

```
# tcpdump -vvi ppp0

error : ret -1

tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

00:24:18.414826 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 29)

    sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: [udp sum ok] isakmp-nat-keep-alive

00:24:18.414861 IP (tos 0x0, ttl 64, id 47412, offset 0, flags [none], proto UDP (17), length 112)

    sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=[HIDDEN],seq=0x47), length 84

00:24:18.414873 IP (tos 0x0, ttl 64, id 47413, offset 0, flags [none], proto UDP (17), length 192)

    sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=[HIDDEN],seq=0x48), length 164

00:24:18.414887 IP (tos 0x0, ttl 64, id 47414, offset 0, flags [none], proto UDP (17), length 272)

    sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=[HIDDEN],seq=0x49), length 244

00:24:18.414904 IP (tos 0x0, ttl 64, id 47415, offset 0, flags [none], proto UDP (17), length 352)

    sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=[HIDDEN],seq=0x4a), length 324

00:24:18.414925 IP (tos 0x0, ttl 64, id 47416, offset 0, flags [none], proto UDP (17), length 432)

    sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=[HIDDEN],seq=0x4b), length 404

00:24:18.414949 IP (tos 0x0, ttl 64, id 47417, offset 0, flags [none], proto UDP (17), length 512)

    sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=[HIDDEN],seq=0x4c), length 484

```

----------

## salahx

OK I finally understand what's going on here.

```

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 125.64.27.8  netmask 255.255.255.255  destination 17.11.7.5                                                         

        ppp  txqueuelen 3  (Point-to-Point Protocol)                                                                                 

        RX packets 4  bytes 34 (34.0 B)                                                                                               

        RX errors 0  dropped 0  overruns 0  frame 0                                                                                   

        TX packets 34  bytes 17794 (17.3 KiB)                                                                                         

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

```

The "destination" part of the IP is the problem - it's the same as the VPN server, 17.11.7.5. When I configured my VPN server the same way, I see exactly what you see - IPsec packets over the tunnel and the connection disconnects after a few moments. When I connect a Windows client to the server, it says connected, and it doesn't send IPsec packets over the interface.

Linux gets confused here - there are TWO routes by which it can reach 17.11.7.5 - either via eth0 (exterior) or ppp0 (interior). Under Linux, it does the latter. In Windows it does the former.

But we can get the Windows behavior under Linux by adding an extra rule (enter this rule BEFORE you connect to the VPN):

```
ip route add 17.11.7.5 via 1.2.3.4
```

This should make Linux choose the exterior route for the L2TP packets, like Windows does. This should stop the connection from dropping.

Of course, we still need a route to get our packets into the VPN: 

```
ip route add 3.5.8.0/24 dev ppp0
```
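The route selection argued in this post, and the manual-route advice earlier in the thread, modelled in a few lines of Python. This is an added example, not code from the thread or from any of the tools involved. It parses the `ip route list` table the poster printed (same faux addresses), picks routes the way the kernel does for the purposes of this discussion (longest matching prefix wins, then lowest metric), and shows where packets to the VPN gateway 17.11.7.5 and to an office host 3.5.8.13 leave the box before and after the fix that the thread arrives at further down: delete pppd's host route to the gateway, then add the office prefix by device. The office prefix 3.5.8.0/24 and the `apply_fix` helper are this example's own.

```python
"""Longest-prefix-match model of the route selection described above.

Added example, not code from the thread. It replays the 'ip route list'
table the poster printed (faux addresses as in the thread) to show why the
/32 route pppd installs for the VPN gateway captures the NAT-T/ESP packets
that carry the tunnel itself, and what the table looks like after the fix
suggested in this thread (delete that route, add the office prefix by
device). It imitates Linux only as far as needed here: the longest matching
prefix wins, and among equal prefixes the lowest metric wins.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int


def parse_route(line: str) -> Route:
    """Parse one 'ip route list' line; only the fields used here are read."""
    fields = line.split()
    dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
    via = fields[fields.index("via") + 1] if "via" in fields else None
    dev = fields[fields.index("dev") + 1]
    metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
    return Route(ipaddress.ip_network(dst, strict=False), dev, via, metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the route the kernel would use for dst (longest prefix, then lowest metric)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress(table: List[Route], dst: str) -> Optional[str]:
    """Name of the interface packets to dst leave through, or None if unroutable."""
    route = lookup(table, dst)
    return route.dev if route else None


def apply_fix(table: List[Route], office_prefix: str = "3.5.8.0/24") -> List[Route]:
    """The thread's fix: 'ip route delete 17.11.7.5' then 'ip route add 3.5.8.0/24 dev ppp0'.

    office_prefix is an assumption for the example; use the real office network.
    """
    fixed = [r for r in table if not (r.dev == "ppp0" and r.prefix.prefixlen == 32)]
    fixed.append(parse_route(f"{office_prefix} dev ppp0"))
    return fixed


# The routing table posted above, while ppp0 was up (faux addresses as in the thread).
BEFORE: List[Route] = [parse_route(l) for l in """\
default via 10.1.1.253 dev eno1  proto static
default via 10.1.1.253 dev eno1  metric 7
10.1.1.0/24 dev eno1  proto kernel  scope link  src 1.2.3.4  metric 1
17.11.7.5 dev ppp0  proto kernel  scope link  src 125.64.27.8
127.0.0.0/8 dev lo  scope host
""".splitlines()]

AFTER: List[Route] = apply_fix(BEFORE)

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        # 17.11.7.5 carries the outer IKE/ESP traffic; 3.5.8.13 is a host behind the VPN.
        print(label, "gateway ->", egress(table, "17.11.7.5"),
              "| office host ->", egress(table, "3.5.8.13"))
```

Before the fix the /32 to 17.11.7.5 wins over the default route, so the UDP 4500 packets that carry the tunnel are themselves steered into ppp0, which is exactly the ESP-over-ppp0 capture shown later in the thread; the office host, meanwhile, still goes out eno1. After the fix the gateway is reached via eno1 again and only the office prefix goes through ppp0. Because pppd re-creates its host route each time the link comes up, the deletion has to be repeated after every connect.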

----------

## Duco Ergo Sum

Unfortunately that hasn't worked.

If I set the rule:

```

ip route add 17.11.7.5 via  1.2.3.4

```

Before

```

ipsec up VPN.OFFICE.COM

```

Then the peer does not respond:

```

sending retransmit 5 of request message ID 0, seq 1

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

giving up after 5 retransmits

peer not responding, trying again (3/3)

initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5

generating ID_PROT request 0 [ SA V V V V ]

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

sending retransmit 1 of request message ID 0, seq 1

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

sending retransmit 2 of request message ID 0, seq 1

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

sending retransmit 3 of request message ID 0, seq 1

sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (184 bytes)

```

If I add the route after the 'ipsec up' then Openl2tp is not able to create the ppp0 interface.

I have also tried this with:

```

ip route add 17.11.7.5 dev eno1

```

----------

## salahx

OK, let's try the subtractive approach then. After you bring the connection up, do

```

ip route delete 17.11.7.5

```

You can then add the route into the VPN:

```

ip route add 3.5.8.0/24 dev ppp0

```

Note that because we delete the default ppp0 route, we have to specify it by device name.

----------

## Duco Ergo Sum

Well that's brought us a step closer.

```

ip route delete 17.11.7.5

```

immediately after the session is created, and the ppp0 interface stays up. Sadly, however, no traffic crosses it yet. I've tried defining a route as you've specified and using the 'ping -I ppp0' command but nothing.

tcpdump doesn't show anything either.

----------

## salahx

ping -I should work regardless of whether a route exists or not. Delete the route without creating a new one, and verify with tcpdump that ICMP echo requests are being sent over the tunnel. You should see UDP packets on port 4500 on eno1 when you do the ping on ppp0.

One thing about IPsec/L2TP tunnels is that there is no facility for pushing routes (like, say, OpenVPN does) to clients. Thus in both Windows and Linux clients any servers "behind" the VPN gateway will be inaccessible without adding a manual route.

----------

## Duco Ergo Sum

I would like to highlight the IP '1.2.3.8' in the 'ping -I ppp0' command trace.  For the purpose of this thread my PC is on '1.2.3.4'.  These packets appear to be being sent from an alternate source.  The 250.250.250.250 address is an IP which I don't recognise.  Port numbers are not given.

```

# ping -I ppp0 3.5.8.13

PING 3.5.8.13 (3.5.8.13) from 125.64.27.8 ppp0: 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

8 packets transmitted, 0 received, 100% packet loss, time 6999ms

```

```

# tcpdump -i eno1

01:42:26.000837 IP 1.2.3.8.55537 > 250.250.250.250.1900: UDP, length 400

01:42:26.000856 IP 1.2.3.8.55537 > 250.250.250.250.1900: UDP, length 409

01:42:26.000894 IP 1.2.3.8.55537 > 250.250.250.250.1900: UDP, length 446

01:42:26.001418 IP 1.2.3.8.63179 > 250.250.250.250.1900: UDP, length 448

01:42:26.102554 IP 1.2.3.8.57712 > 250.250.250.250.1900: UDP, length 400

01:42:26.102571 IP 1.2.3.8.57712 > 250.250.250.250.1900: UDP, length 409

01:42:26.102672 IP 1.2.3.8.57712 > 250.250.250.250.1900: UDP, length 446

01:42:26.103141 IP 1.2.3.8.55508 > 250.250.250.250.1900: UDP, length 448

```

```

# ping 3.5.8.13

PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

5 packets transmitted, 0 received, 100% packet loss, time 3999ms

```

```

# tcpdump -i eno1

01:42:26.536323 IP sveta.home.org > 3.5.8.13: ICMP echo request, id 6555, seq 2, length 64

01:42:27.536393 IP sveta.home.org > 3.5.8.13: ICMP echo request, id 6555, seq 3, length 64

01:42:28.536325 IP sveta.home.org > 3.5.8.13: ICMP echo request, id 6555, seq 4, length 64

01:42:29.536403 IP sveta.home.org > 3.5.8.13: ICMP echo request, id 6555, seq 5, length 64

```

```

# whois 250.250.250.250

No whois server is known for this kind of object.

```

```

# ping -I ppp0 3.5.8.13

PING 3.5.8.13 (3.5.8.13) from 125.64.27.8 ppp0: 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

8 packets transmitted, 0 received, 100% packet loss, time 6999ms

```

```

# tcpdump -vv -i eno1

```

```

sveta.home.org.ipsec-nat-t > 17.11.7.5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0x[HIDDEN],seq=0x8a), length 132

02:06:25.025877 IP (tos 0x0, ttl 4, id 34329, offset 0, flags [none], proto UDP (17), length 346)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 318

02:06:25.026581 IP (tos 0x0, ttl 4, id 34330, offset 0, flags [none], proto UDP (17), length 355)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 327

02:06:25.027424 IP (tos 0x0, ttl 4, id 34331, offset 0, flags [none], proto UDP (17), length 398)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 370

02:06:25.028663 IP (tos 0x0, ttl 4, id 34332, offset 0, flags [none], proto UDP (17), length 410)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 382

02:06:25.029898 IP (tos 0x0, ttl 4, id 34333, offset 0, flags [none], proto UDP (17), length 412)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 384

02:06:25.030951 IP (tos 0x0, ttl 4, id 34334, offset 0, flags [none], proto UDP (17), length 426)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 398

02:06:25.031996 IP (tos 0x0, ttl 4, id 34335, offset 0, flags [none], proto UDP (17), length 390)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 362

02:06:25.643365 IP (tos 0x0, ttl 64, id 55363, offset 0, flags [none], proto UDP (17), length 160)

    sveta.home.org.ipsec-nat-t > 17.11.7.5.no-dns-yet.some.domain.com.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0x[HIDDEN],seq=0x8b), length 132

02:06:27.650271 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has fritz.box tell sveta.home.org, length 28

02:06:27.650659 ARP, Ethernet (len 6), IPv4 (len 4), Reply fritz.box is-at 24:65:11:8b:41:13 (oui Unknown), length 46

02:06:28.026000 IP (tos 0x0, ttl 4, id 34336, offset 0, flags [none], proto UDP (17), length 334)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 306

02:06:28.026620 IP (tos 0x0, ttl 4, id 34337, offset 0, flags [none], proto UDP (17), length 343)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 315

02:06:28.027266 IP (tos 0x0, ttl 4, id 34338, offset 0, flags [none], proto UDP (17), length 376)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 348

02:06:28.028470 IP (tos 0x0, ttl 4, id 34339, offset 0, flags [none], proto UDP (17), length 376)

    fritz.box.1900 > 250.250.250.250.1900: [udp sum ok] UDP, length 348

02:06:28.161487 IP (tos 0x0, ttl 4, id 34340, offset 0, flags [none], proto UDP (17), length 151)

    fritz.box.35798 > 250.250.250.250.1900: [udp sum ok] UDP, length 123

02:06:28.162268 IP6 (hlim 254, next-header UDP (17) payload length: 125) [HIDDEN] > ff02::c.1900: [udp sum ok] UDP, length 117

^C

43 packets captured

43 packets received by filter

0 packets dropped by kernel

```

Last edited by Duco Ergo Sum on Sat Oct 04, 2014 9:47 pm; edited 1 time in total

----------

## salahx

I see a similar thing; it's normal. We need to filter out the "noise" in tcpdump.

```
tcpdump -i eno1 udp port 4500 or proto 50
```

When you do the ping you should see:

```
00:00:00:000000 IP sveta.home.org.ipsec-nat-t > 17.11.7.5.no-dns-yet.some.domain.com: ESP(spi=0xc086fccb,seq=0xc6c), length 148
```

OR

```
00:00:00.000000 IP sveta.home.org.ipsec-nat-t  > 17.11.7.5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=0xca66797d,seq=0xd3), length 148
```

and

```
tcpdump -i ppp0
```

should simultaneously print out:

```
23:20:22.774538 IP 125.64.27.8 >3.5.8.13: ICMP echo request, id 27658, seq 1, length 64
```

You may or may not get a reply. It's not important that we get one yet, though. traceroute won't work yet since we don't have a route (traceroute has an -i option similar to ping's -I option, but it didn't produce any useful data for me).

If all this works, then we know the tunnel is established correctly. Then it's a simple matter of adding the routing rules (Windows needs them too).
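
The check salahx describes here and in his earlier reply (ESP on eno1, ICMP echo requests on ppp0, and whether any reply comes back) can be turned into a small script. This is an added example, not code from the thread or from strongSwan/openl2tp: it reads a tcpdump capture on stdin and reports which of the thread's three states it matches. The interface names, the addresses and the sample capture below are constructed to mirror the thread's output, not a real trace.

```shell
# Added example (not from the thread): classify a capture taken while pinging
# across the tunnel, using the line formats tcpdump printed in this thread.
# Run both captures into one file while the ping is going, for instance
#   tcpdump -l -n -i eno1 'udp port 4500 or proto 50' >> capture.txt &
#   tcpdump -l -n -i ppp0 icmp >> capture.txt &
# and then:  classify_capture < capture.txt
# Interface names, addresses and the sample below are assumptions/constructed.

count_matches() {
    # $1 = extended regex; stdin = capture text. Prints the number of matching
    # lines (grep -c prints 0 and exits 1 on no match, hence the || true).
    grep -E -c -- "$1" || true
}

capture_counts() {
    # Prints "esp=<n> icmp_req=<n> icmp_rep=<n>" for the capture on stdin.
    local data esp req rep
    data=$(cat)
    esp=$(printf '%s\n' "$data" | count_matches 'ESP\(spi=')
    req=$(printf '%s\n' "$data" | count_matches 'ICMP echo request')
    rep=$(printf '%s\n' "$data" | count_matches 'ICMP echo reply')
    printf 'esp=%s icmp_req=%s icmp_rep=%s\n' "$esp" "$req" "$rep"
}

classify_capture() {
    # Maps the counts onto the states this thread walks through.
    local counts esp req rep
    counts=$(capture_counts)
    esp=${counts#esp=};        esp=${esp%% *}
    req=${counts#*icmp_req=};  req=${req%% *}
    rep=${counts#*icmp_rep=}
    if [ "$rep" -gt 0 ]; then
        echo "OK: echo replies are arriving on the PPP interface"
    elif [ "$esp" -gt 0 ] && [ "$req" -gt 0 ]; then
        echo "TUNNEL UP, NO REPLY: ESP leaves eno1 and ICMP leaves ppp0; check the route's src address and the far side"
    elif [ "$req" -gt 0 ]; then
        echo "NOT ENCAPSULATED: ICMP on ppp0 but no ESP on eno1; IPsec is not carrying the L2TP traffic"
    else
        echo "NO TRAFFIC: nothing left via ppp0; check the route (ip route add <net> dev ppp0 src <ppp0 addr>)"
    fi
}

# Constructed sample, modelled on the thread's captures (not a real trace).
SAMPLE_CAPTURE='22:33:44.409464 IP 1.2.3.4.4500 > 17.11.7.5.4500: UDP-encap: ESP(spi=0x0badcafe,seq=0xf), length 132
22:36:09.938948 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 3, length 64
22:33:45.408985 IP 1.2.3.4.4500 > 17.11.7.5.4500: UDP-encap: ESP(spi=0x0badcafe,seq=0x10), length 132
22:36:10.939018 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 4, length 64'

# Stand-alone run on the sample; prints the "TUNNEL UP, NO REPLY" verdict.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
```

The "TUNNEL UP, NO REPLY" verdict is exactly the state the thread is in at this point: encapsulated packets leave, echo requests leave, nothing comes back, so the remaining problem is the route's source address or the far end. Use `-n` on tcpdump so addresses are not replaced by names like `sveta.home.org`, which is what the patterns above expect.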

----------

## Duco Ergo Sum

I think the tunnel is established.

```

# ping -I ppp0 3.5.8.13

PING 3.5.8.13 (3.5.8.13) from 125.64.27.8 ppp0: 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

12 packets transmitted, 0 received, 100% packet loss, time 10999ms

```

```

# tcpdump -i eno1 udp port 4500 or proto 50

error : ret -1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes

22:33:44.409464 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0xf), length 132

22:33:45.408985 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x10), length 132

22:33:46.408984 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x11), length 132

22:33:47.408997 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x12), length 132

22:33:48.409002 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x13), length 132

22:33:49.408998 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x14), length 132

22:33:50.408972 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x15), length 132

22:33:51.408961 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x16), length 132

22:33:52.409002 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x17), length 132

22:33:53.408959 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x18), length 132

22:33:54.408996 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x19), length 132

22:33:55.408991 IP sveta.home.org.ipsec-nat-t > 17-11-7-5.no-dns-yet.some.domain.com.ipsec-nat-t: UDP-encap: ESP(spi=[HIDDEN],seq=0x1a), length 132

^C

12 packets captured

12 packets received by filter

0 packets dropped by kernel

```

```

# ping -I ppp0 3.5.8.13

PING 3.5.8.13 (3.5.8.13) from 125.64.27.8 ppp0: 56(84) bytes of data.

^C

--- 3.5.8.13 ping statistics ---

17 packets transmitted, 0 received, 100% packet loss, time 15999ms

```

```

# tcpdump -i ppp0

error : ret -1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

22:36:09.938948 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 3, length 64

22:36:10.939018 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 4, length 64

22:36:11.939031 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 5, length 64                                         

22:36:12.938930 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 6, length 64                                         

22:36:13.938953 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 7, length 64                                         

22:36:14.938950 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 8, length 64                                         

22:36:15.939012 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 9, length 64                                         

22:36:16.938958 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 10, length 64                                        

22:36:17.939055 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 11, length 64                                        

22:36:18.939045 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 12, length 64                                        

22:36:19.938930 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 13, length 64                                        

22:36:20.938929 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 14, length 64                                        

22:36:21.939036 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 15, length 64                                        

22:36:22.938933 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 16, length 64                                        

22:36:23.939027 IP 125.64.27.8 > 3.5.8.13: ICMP echo request, id 4297, seq 17, length 64                                        

^C                                                                                                                                    

15 packets captured                                                                                                                   

15 packets received by filter                                                                                                         

0 packets dropped by kernel

```

----------

## salahx

Yes, the tunnel is established! Now it's just a matter of setting the routes.

You can try routing ALL traffic through the tunnel, but it's kinda tricky:

```

# keep the VPN gateway reachable via the LAN gateway (1.2.3.253 in the routing
# table posted later in this thread), not via the PC's own address
ip route add 17.11.7.5 via 1.2.3.253 dev eno1

ip route delete default

# ppp0 is point-to-point, so the device name is enough (see the earlier note)
ip route add default dev ppp0

```

After you're done using the tunnel you'll have to restore the old default route manually.

----------

## Duco Ergo Sum

This is just a quick response.

Your proposal above kills ppp0.

I'm looking into a kind of 2-NIC idea but, while writing my response, I found I've made a big mistake and need to revisit everything I've done today.  So I will respond again after I've had a chance to go over this again.

----------

## Duco Ergo Sum

My theory at this point is that what might be happening is that when I ping across ppp0, packets are sent out with the local subnet IP address of my PC.  They reach their destination and it responds, sending packets back, but to another possible host elsewhere.  Of course my PC doesn't see anything because there's no traffic going its way.

Maybe that's just my imagination... but with that in mind I found this http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/ and tried to configure ppp0 as a second independent network device.

```

# netstat -anr

Kernel IP routing table                                                                                                               

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface                                                        

0.0.0.0         1.2.3.253      0.0.0.0         UG        0 0          0 eno1                                                         

0.0.0.0         1.2.3.253      0.0.0.0         UG        0 0          0 eno1                                                         

1.2.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eno1                                                         

127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo                                                           

127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo                                                           

                                                                                          

 # ip route add 3.5.8.0/24 dev ppp0 src 125.64.27.8 table VPN

 # ip route add default dev ppp0 table VPN

 # ip rule show

0:      from all lookup local                                                                                                         

220:    from all lookup 220                                                                                                           

32766:  from all lookup main                                                                                                          

32767:  from all lookup default                                                                                                       

 # ip rule add from 125.64.27.8/32 table VPN                                                                              

 # ip rule add to 125.64.27.8/32 table VPN

 # ip rule show

0:      from all lookup local                                                                                                         

218:    from all to 125.64.27.8 lookup VPN                                                                                            

219:    from 125.64.27.8 lookup VPN                                                                                                   

220:    from all lookup 220                                                                                                           

32766:  from all lookup main                                                                                                          

32767:  from all lookup default                                                                                                       

 # ping 3.5.8.13                                                                                                    

PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.                                                                            

^C                                                                                                                                    

--- 3.5.8.13 ping statistics ---                                                                                                

21 packets transmitted, 0 received, 100% packet loss, time 19999ms                                                                    

                                                                                                                                      

 # ip route flush cache                                                                                                   

 # ping 3.5.8.13                                                                                                   

PING 3.5.8.13 (3.5.8.13) 56(84) bytes of data.                                                                            

^C                                                                                                                                    

--- 3.5.8.13 ping statistics ---                                                                                                

6 packets transmitted, 0 received, 100% packet loss, time 4999ms                                                                      

                                                                                                                                      

 # netstat -anr                                                                                                           

Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

0.0.0.0         1.2.3.253      0.0.0.0         UG        0 0          0 eno1

0.0.0.0         1.2.3.253      0.0.0.0         UG        0 0          0 eno1

1.2.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eno1

127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo

127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo

 # ip route show

default via 1.2.3.253 dev eno1  proto static 

default via 1.2.3.253 dev eno1  metric 7 

1.2.3.0/24 dev eno1  proto kernel  scope link  src 1.2.3.4  metric 1 

127.0.0.0/8 dev lo  scope host 

127.0.0.0/8 via 127.0.0.1 dev lo

```

While I acknowledge that the routes and rules which I've set above are only live for the session, I don't see them doing anything.  Thank you for your patience.

----------

## salahx

I suspect that, given that neither your Windows 7 nor 8.1 machines work either (just like our Linux machine, they make the tunnel but receive no traffic), the remainder of the problem is on the other side, not us. We have a good tunnel, data crosses the tunnel, but whatever is on the other side isn't getting the packets even though they cross the tunnel, due to something on the other side of the tunnel.

At this point, I would recommend trying to get the Windows machine working, since you'll probably need the help of the IT/Helpdesk people to remove the impediment.

----------

## Duco Ergo Sum

I am inclined to agree.

You're right, the ipsec/l2tp tunnel is established and stable.  It doesn't seem right to mark this topic as [Solved] as we can't get any traffic to flow over the link.

I will pursue the IT/Helpdesk and attempt to get the Windows machines working.

--

A network engineer decided to join the Territorial Army. On his first weekend he was taken to the rifle range and handed a rifle complete with bullets. He was instructed to fire 10 shots at the target down the range.

After he'd fired several shots, the word came back from the target area that every shot had completely missed the target. The engineer looked at his rifle, then up at the target, looked down at his rifle again then back up at the target.

He put his finger over the end of the barrel and squeezed the trigger. His finger was blown clean off. After cursing, he yelled down towards the target area, "Well, it's leaving here just fine. The problem must be at your end!!!"

----------

## Duco Ergo Sum

Just when I thought I could let this all go.

I have discovered, that there is a firewall which rejects pings.  This I am assuming is a Windows firewall.  When I asked a colleague to ping my office PC from his PC in the office, he did not get a response.  Since then I have reconfigured the firewall on my office PC.

The interesting part of this is that as a result I have tested the network from Windows again, this time using the remote desktop application and this is able to connect.  This works for both Windows 8.1 and Windows 7.

Unfortunately, there does not appear to be any traffic when it comes to remote desktop from Linux.  I know that remote desktop works because I am able work around this little problem by connecting via a remote desktop to a local Windows Machine which is then able to connect to my office PC.

This shows that routing is not at issue nor is remote desktop.

----------

## Duco Ergo Sum

Okay.

Solved!

This last issue was a routing issue after all.

I had mixed up my assigned IP address range with the target address range.  I can now natively remote onto my PC.

My next task is to create a mechanism to bring this connection up on demand and drop it as easily.  Thank you for your invaluable help!  This has been one big learning experience for me.

The route which has worked looked like:

```

ip route add 3.5.8.0/24 dev ppp0 src 125.64.27.8

```

----------

## salahx

Well, now that we know this disconnection problem has nothing to do with the l2tp implementation, you can switch back to xl2tpd if you like. It's a little easier to script. But openl2tp can be scripted too - just include the command after l2tpconfig ("l2tpconfig tunnel create tunnel_name="test" dest_ipaddr=17.11.7.5 our_udp_port=1701"). xl2tpd, openl2tpd, and strongswan all require root to bring up/tear down the connection, but xl2tp is easier to restrict via "sudo" than openl2tp. On the other hand, if you're using sudo you can just create a script and run the whole script via sudo as well.

----------

## Duco Ergo Sum

I'll try to script openl2tp and if that proves plausible, I'll stick with it.

Once I know what and how I'm going to do it, I'll post a summary here.

I can not thank you enough for your patience and time and effort and expertise and guidance and generosity.

----------

## Envek

Thank you, awesome people, for your thread. Troubleshooting in this thread is the only thing in whole Internet that helped me to set up L2TP-PSK client VPN connection.

BTW, can you suggest how to set up autoconnection after system reboot (so that `ipsec up`, `xl2tpd-control connect` and, if that succeeds, `ip route add` are executed)?
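
The up/down sequence discussed by salahx (root-only `ipsec`/`xl2tpd-control`, driven from one script under sudo) and asked for by Envek can be written as a short sh script. This is an added example, not code from the thread or from strongSwan/xl2tpd, and it makes the following assumptions: the strongSwan connection in ipsec.conf and the xl2tpd LAC in xl2tpd.conf are both named `office`, the office network is the thread's placeholder 3.5.8.0/24, and the ppp0 address is assigned per session, so it is read from `ip addr` rather than hard-coded. The route it adds is the one that worked at the end of the thread (`ip route add <net> dev ppp0 src <ppp0 addr>`).

```shell
#!/bin/sh
# Added example, not from the thread: bring the L2TP/IPsec connection up in
# order (IPsec, then L2TP, then the route) and tear it down in reverse.
# Assumptions (adjust to your setup): strongSwan connection "office",
# xl2tpd LAC "office", office network 3.5.8.0/24, PPP interface ppp0.
# Must run as root (or via sudo). Does not touch ipsec.conf or xl2tpd.conf.
set -e

VPN_CONN=${VPN_CONN:-office}
VPN_NET=${VPN_NET:-3.5.8.0/24}
PPP_IF=${PPP_IF:-ppp0}
WAIT_SECS=${WAIT_SECS:-30}

ppp_local_addr() {
    # Extracts the local IPv4 address from "ip -4 -o addr show dev ppp0"
    # output on stdin. Prints nothing if the interface has no address yet.
    sed -n 's/^.*[[:space:]]inet[[:space:]]\([0-9.]*\)[/ ].*$/\1/p' | head -n 1
}

route_spec() {
    # Builds the route that worked in this thread; $1 = local ppp0 address.
    # The src is what makes replies come back to this host.
    printf '%s dev %s src %s\n' "$VPN_NET" "$PPP_IF" "$1"
}

wait_for_ppp() {
    # Polls until ppp0 has an address or the timeout expires; prints the address.
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        addr=$(ip -4 -o addr show dev "$PPP_IF" 2>/dev/null | ppp_local_addr)
        if [ -n "$addr" ]; then
            printf '%s\n' "$addr"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

vpn_up() {
    # set -e aborts the script if either daemon refuses the connection.
    ipsec up "$VPN_CONN"
    xl2tpd-control connect "$VPN_CONN"
    if ! addr=$(wait_for_ppp); then
        echo "$PPP_IF did not come up within ${WAIT_SECS}s; tearing down" >&2
        vpn_down
        return 1
    fi
    # Word splitting of route_spec's output is intended here.
    ip route add $(route_spec "$addr")
    echo "VPN up: $VPN_NET via $PPP_IF (local $addr)"
}

vpn_down() {
    # Each step may fail so that a partial bring-up can still be undone.
    ip route del "$VPN_NET" dev "$PPP_IF" 2>/dev/null || true
    xl2tpd-control disconnect "$VPN_CONN" || true
    ipsec down "$VPN_CONN" || true
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    "")   ;;   # no argument: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Run it as `sudo ./vpn.sh up` and `sudo ./vpn.sh down`; for a connection at boot, have your init system call `up` once networking is available. The host route to the VPN gateway that the thread deletes after `ipsec up` is deliberately not handled here, since whether it is needed depends on how the tunnel was brought up in the first place.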

----------

