
Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/25 12:38:41
by TypoSpotter
Hi,
I have a Dell Precision M6800 laptop with Centos 6 (Gnome desktop) installed (not enough disk space to install Centos 7).

I am trying to find a way to connect it to a remote office via L2TP/IPSEC VPN.
I first tried connecting by installing Strongswan and xl2tpd, and setting up the relevant configuration files. That hasn't worked yet.
Another approach is trying to build the Network Manager L2TP plugin: https://github.com/nm-l2tp/network-manager-l2tp
Has anyone here successfully done this on Centos 6?

It won't build on Centos 6 at the moment, as some of the pre-requisites are versions that are not yet available in the repos. I have managed to build a lot of these by building from source (glib-2.32, pcre, autoconf, automake, dbus-glib). However I am stuck on updating NetworkManager from 0.8.1 to 0.9.8.

On running the NetworkManager autogen.sh I get this error:


checking for GUDEV... configure: error: Package requirements (gudev-1.0 >= 165) were not met:

Requested 'gudev-1.0 >= 165' but version of gudev-1.0 is 147
So I've downloaded libgudev-219 and tried to configure it, which gives me this error:


configure: error: Package requirements (libudev >= 199) were not met:

Requested 'libudev >= 199' but version of libudev is 147
But now I'm stuck. libudev is part of systemd, so I can't find anywhere to just download libudev.

Has anyone got further than I have with building this?

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/25 16:28:11
by TrevorH
You don't need NetworkManager to make an l2tp connection. I've done it with just libreswan and xl2tpd and a bunch of text files. Both libreswan and xl2tpd are in the CentOS 6 repos already and I just tested it on CentOS 6.10 to find out if it would talk to my Work's Cisco Meraki and it does.

I have


# cat /etc/ipsec.d/Work.conf 
# libreswan connection for an L2TP/IPsec client. IPsec in transport mode protects
# only the L2TP traffic (UDP/1701) between this host and the work gateway; the
# user login itself happens inside that tunnel, in pppd.
config setup
        keep-alive=300

conn Work
        # pre-shared-key authentication; the PSK itself lives in Work.secrets
        authby=secret
        pfs=yes
        # load at startup but do not initiate; brought up with 'ipsec auto --up Work'
        auto=add
        keyingtries=%forever
        # dead-peer detection: probe every 30s, act after 120s without reply
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        rekey=yes
        rekeymargin=1h
        ikelifetime=8h
        keylife=1h
        # transport mode: only the packets between these two endpoints are protected
        type=transport
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=my.work.ip.address
        rightprotoport=udp/l2tp
        # NOTE(review): this list includes 3DES and the 1024-bit MODP1024 DH group,
        # which are legacy choices kept for interoperability. The gateway decides
        # what is actually negotiated, so trim the list (drop 3des/MODP1024) once
        # the peer is known to accept stronger proposals.
        ike=aes_ctr,aes_cbc,camellia_cbc,serpent_cbc,twofish_cbc,3des,3DES-SHA1;MODP1024
        phase2alg=aes-HMAC_SHA1,3DES-HMAC_SHA1
        # interoperability workaround for peers that truncate SHA-2 integrity tags
        # to 96 bits; keep it only if the gateway needs it.
        sha2-truncbug=yes


# cat /etc/ipsec.d/Work.secrets 
# PSK shared with the work gateway (value shown is a placeholder). Keep this file
# readable by root only (e.g. mode 0600): the key is symmetric, so anyone who can
# read it can impersonate either end of the tunnel.
%any my.work.ip.address : PSK "OurGroupPassword"


# cat /etc/xl2tpd/xl2tpd.conf
; xl2tpd client (LAC) definition for the work tunnel. There is no [lns ...] section
; in this file, so it does not configure the daemon to accept inbound tunnels.
[lac Work]
lns = my.work.ip.address
; runs pppd with 'debug' (verbose, logs the control/authentication exchange);
; turn it off once the link is working
ppp debug = yes
; pppd options for this tunnel: auth method, credentials, MTU, routing
pppoptfile=/etc/ppp/options.ppp
length bit = yes
redial = yes


# cat /etc/ppp/options.ppp
# pppd options for the L2TP client tunnel (referenced from xl2tpd.conf via pppoptfile).
ipcp-accept-local
ipcp-accept-remote
# EAP refused; MS-CHAPv2 is the CHAP variant requested
refuse-eap
require-mschap-v2
noccp
# the gateway is not required to authenticate itself at the PPP layer; its
# authentication rests on the IPsec pre-shared key
noauth
idle 86400
mtu 1410
mru 1410
# leave the routing table alone; routes to the office network are added separately
nodefaultroute
# NOTE(review): 'debug' makes pppd log the contents of every control packet, which
# includes the authentication exchange; disable it once the link works.
debug
connect-delay 5000
# NOTE(review): credentials in an options file are only as protected as the file's
# permissions (values shown are placeholders). If this file is not root-only,
# prefer putting the secret in /etc/ppp/chap-secrets, which is expected to be 0600.
name username
password password
To fire that up it needs

service ipsec start
service xl2tpd start
ipsec auto --up Work
xl2tpd-control connect Work

then give it a few seconds to negotiate and set things up, and then ip a should show that you have an IP address on ppp0.

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/26 21:00:51
by TypoSpotter
Hi TrevorH
I did mention I initially tried strongswan and xl2tpd.

Here are my files:


cat /etc/xl2tpd/xl2tpd.conf 
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network 
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

; NOTE(review): this [lns default] section is the server-side part of the sample and
; is not needed on a client. With it present, xl2tpd (which binds 0.0.0.0:1701, see the
; "Listening on IP address 0.0.0.0" log line) will accept inbound L2TP tunnels from any
; source that can reach the port; the IPsec transport policy only covers traffic with the
; work gateway, so such tunnels would arrive unprotected. The address pool below
; (192.168.0.2-254) also overlaps the LAN this host sits on (192.168.0.x). Remove the
; section for client-only use, or firewall UDP 1701 to the gateway.
[lns default]
ip range = 192.168.0.2-192.168.0.254
local ip = 192.168.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

; client (LAC) tunnel to the office; this is the only section a client needs
[lac work]
lns = my.work.ip.addr
; runs pppd with 'debug': verbose, logs the authentication exchange — turn off once working
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes


cat /etc/ppp/options.xl2tpd 
# pppd options used by the [lns default] (server) section of xl2tpd.conf. They apply
# only to tunnels this host ACCEPTS, not to the client tunnel to the office.
ipcp-accept-local
ipcp-accept-remote
# DNS server pushed to connecting clients (server-side option)
ms-dns  8.8.8.8
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
noccp
# require the connecting peer to authenticate (server side)
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
# 'debug' logs the contents of every control packet, including the
# authentication exchange; only for troubleshooting
debug
lock
# answers ARP on the LAN for the client's tunnel address (server side)
proxyarp
connect-delay 5000


cat /etc/strongswan/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file
# Client-side IKEv1/L2TP setup: transport-mode IPsec protects only UDP/1701 to the
# work gateway; the user login happens inside that tunnel, in pppd.

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

# defaults inherited by every conn below
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  # NOTE(review): both proposals use SHA-1 with the 1024-bit modp1024 group, and the
  # second falls back to 3DES; the trailing '!' makes the list strict. These are
  # legacy interoperability choices — prefer AES/SHA-2/modp2048 or better if the
  # gateway accepts them.
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

# the L2TP/IPsec transport connection to the office gateway
conn work
  keyexchange=ikev1
  left=%defaultroute
  # load at startup, initiate manually ('strongswan up work')
  auto=add
  # pre-shared key from ipsec.secrets
  authby=secret
  # transport mode: protects only the L2TP packets (protocol 17 = UDP, port 1701)
  # exchanged between the two hosts
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=my.work.ip.addr


cat /etc/strongswan/ipsec.secrets 
# NOTE(review): with no ID selector in front of the ':' this PSK is offered to ANY
# peer; prefixing the gateway's address (e.g. '%any <WORK-IP> : PSK "..."', WORK-IP
# being a placeholder) limits where the secret is used. Keep the file root-readable only.
: PSK "Presharedkey"
Last time I tried to connect it didn't work. It seemed the issue was xl2tpd and not strongswan: I started strongswan first and all the messages suggested everything was fine. Then I started xl2tpd and the message log gave some errors. I will try this again and post the errors.

Thanks.

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/26 21:50:41
by TypoSpotter
Here is my attempt:
(my instructions differ from yours and come from here: https://github.com/hwdsl2/setup-ipsec-v ... pn-clients
I am going to investigate some of these differences in a minute)


# service strongswan start
Starting strongswan: Starting strongSwan 5.4.0 IPsec [starter]...
insmod /lib/modules/2.6.32-696.30.1.el6.x86_64/kernel/net/key/af_key.ko 
insmod /lib/modules/2.6.32-696.30.1.el6.x86_64/kernel/net/ipv4/ah4.ko 
insmod /lib/modules/2.6.32-696.30.1.el6.x86_64/kernel/net/ipv4/esp4.ko 
insmod /lib/modules/2.6.32-696.30.1.el6.x86_64/kernel/net/xfrm/xfrm_ipcomp.ko 
insmod /lib/modules/2.6.32-696.30.1.el6.x86_64/kernel/net/ipv4/ipcomp.ko 
insmod /lib/modules/2.6.32-696.30.1.el6.x86_64/kernel/net/ipv4/tunnel4.ko 
insmod /lib/modules/2.6.32-696.30.1.el6.x86_64/kernel/net/ipv4/xfrm4_tunnel.ko 
                                                           [  OK  ]
# mkdir -p /var/run/xl2tpd
# touch /var/run/xl2tpd/l2tp-control
# service xl2tpd start
Starting xl2tpd:                                           [  OK  ]
# strongswan up work
initiating Main Mode IKE_SA work[1] to my.work.ip.addr
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.0.13[500] to my.work.ip.addr[500] (188 bytes)
received packet: from my.work.ip.addr[500] to 192.168.0.13[500] (124 bytes)
parsed ID_PROT response 0 [ SA V V ]
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.13[500] to my.work.ip.addr[500] (244 bytes)
received packet: from my.work.ip.addr[500] to 192.168.0.13[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.0.13[4500] to my.work.ip.addr[4500] (108 bytes)
received packet: from my.work.ip.addr[4500] to 192.168.0.13[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
IDir '192.168.3.1' does not match to 'my.work.ip.addr'
deleting IKE_SA work[1] between 192.168.0.13[192.168.0.13]...my.work.ip.addr[%any]
sending DELETE for IKE_SA work[1]
generating INFORMATIONAL_V1 request 2576914902 [ HASH D ]
sending packet: from 192.168.0.13[4500] to my.work.ip.addr[4500] (92 bytes)
connection 'work' established successfully
# echo "c work" > /var/run/xl2tpd/l2tp-control 
At this point ip a does not show a ppp0 ip address.


more /var/log/messages
...
Jun 26 22:08:20 hostname charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 2.6.32-696.30.1.el6.x86_64, x86_64)
Jun 26 22:08:20 hostname charon: 00[LIB] openssl FIPS mode(2) - enabled 
Jun 26 22:08:20 hostname charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Jun 26 22:08:20 hostname charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Jun 26 22:08:20 hostname charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Jun 26 22:08:20 hostname charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Jun 26 22:08:20 hostname charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Jun 26 22:08:20 hostname charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Jun 26 22:08:20 hostname charon: 00[CFG]   loaded IKE secret for %any
Jun 26 22:08:20 hostname charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr cc
m gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Jun 26 22:08:20 hostname charon: 00[JOB] spawning 16 worker threads
Jun 26 22:08:20 hostname charon: 06[CFG] received stroke: add connection 'work'
Jun 26 22:08:20 hostname charon: 06[CFG] added configuration 'work'
Jun 26 22:11:23 hostname NetworkManager[2520]: <info> (eth0): supplicant connection state:  completed -> group handshake
Jun 26 22:11:23 hostname NetworkManager[2520]: <info> (eth0): supplicant connection state:  group handshake -> completed
Jun 26 22:12:34 hostname xl2tpd[3513]: setsockopt recvref[30]: Protocol not available
Jun 26 22:12:34 hostname kernel: PPP generic driver version 2.4.2
Jun 26 22:12:34 hostname kernel: NET: Registered protocol family 24
Jun 26 22:12:34 hostname xl2tpd[3513]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
Jun 26 22:12:34 hostname xl2tpd[3518]: xl2tpd version xl2tpd-1.3.8 started on hostname PID:3518
Jun 26 22:12:34 hostname xl2tpd[3518]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jun 26 22:12:34 hostname xl2tpd[3518]: Forked by Scott Balmos and David Stipp, (C) 2001
Jun 26 22:12:34 hostname xl2tpd[3518]: Inherited by Jeff McAdams, (C) 2002
Jun 26 22:12:34 hostname xl2tpd[3518]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jun 26 22:12:34 hostname xl2tpd[3518]: Listening on IP address 0.0.0.0, port 1701
Jun 26 22:13:28 hostname charon: 13[CFG] received stroke: initiate 'work'
Jun 26 22:13:28 hostname charon: 04[IKE] initiating Main Mode IKE_SA work[1] to my.work.ip.addr
Jun 26 22:13:28 hostname charon: 04[ENC] generating ID_PROT request 0 [ SA V V V V ]
Jun 26 22:13:28 hostname charon: 04[NET] sending packet: from 192.168.0.13[500] to my.work.ip.addr[500] (188 bytes)
Jun 26 22:13:28 hostname charon: 08[NET] received packet: from my.work.ip.addr[500] to 192.168.0.13[500] (124 bytes)
Jun 26 22:13:28 hostname charon: 08[ENC] parsed ID_PROT response 0 [ SA V V ]
Jun 26 22:13:28 hostname charon: 08[IKE] received DPD vendor ID
Jun 26 22:13:28 hostname charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Jun 26 22:13:28 hostname charon: 08[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 26 22:13:28 hostname charon: 08[NET] sending packet: from 192.168.0.13[500] to my.work.ip.addr[500] (244 bytes)
Jun 26 22:13:28 hostname charon: 03[NET] received packet: from my.work.ip.addr[500] to 192.168.0.13[500] (228 bytes)
Jun 26 22:13:28 hostname charon: 03[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 26 22:13:28 hostname charon: 03[IKE] local host is behind NAT, sending keep alives
Jun 26 22:13:28 hostname charon: 03[IKE] remote host is behind NAT
Jun 26 22:13:28 hostname charon: 03[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 26 22:13:28 hostname charon: 03[NET] sending packet: from 192.168.0.13[4500] to my.work.ip.addr[4500] (108 bytes)
Jun 26 22:13:28 hostname charon: 11[NET] received packet: from my.work.ip.addr[4500] to 192.168.0.13[4500] (92 bytes)
Jun 26 22:13:28 hostname charon: 11[ENC] parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 26 22:13:28 hostname charon: 11[IKE] IDir '192.168.3.1' does not match to 'my.work.ip.addr'
Jun 26 22:13:28 hostname charon: 11[IKE] deleting IKE_SA work[1] between 192.168.0.13[192.168.0.13]...my.work.ip.addr[%any]
Jun 26 22:13:28 hostname charon: 11[IKE] sending DELETE for IKE_SA work[1]
Jun 26 22:13:28 hostname charon: 11[ENC] generating INFORMATIONAL_V1 request 2576914902 [ HASH D ]
Jun 26 22:13:28 hostname charon: 11[NET] sending packet: from 192.168.0.13[4500] to my.work.ip.addr[4500] (92 bytes)
Jun 26 22:18:52 hostname xl2tpd[3518]: Connecting to host my.work.ip.addr, port 1701
Jun 26 22:18:52 hostname xl2tpd[3518]: Connection established to my.work.ip.addr, 1701.  Local: 34400, Remote: 12 (ref=0/0).
Jun 26 22:18:52 hostname xl2tpd[3518]: Calling on tunnel 34400
Jun 26 22:18:52 hostname xl2tpd[3518]: Call established with my.work.ip.addr, Local: 7162, Remote: 702, Serial: 1 (ref=0/0)
Jun 26 22:18:52 hostname pppd[3529]: Warning: can't open options file /root/.ppprc: Permission denied
Jun 26 22:18:52 hostname xl2tpd[3518]: control_finish: Connection closed to my.work.ip.addr, serial 1 ()
Jun 26 22:18:52 hostname xl2tpd[3518]: control_finish: Connection closed to my.work.ip.addr, port 1701 (), Local: 34400, Remote: 12
Jun 26 22:21:23 hostname NetworkManager[2520]: <info> (eth0): supplicant connection state:  completed -> group handshake
Jun 26 22:21:23 hostname NetworkManager[2520]: <info> (eth0): supplicant connection state:  group handshake -> completed
Jun 26 22:21:57 hostname xl2tpd[3518]: Connecting to host my.work.ip.addr, port 1701
Jun 26 22:21:57 hostname xl2tpd[3518]: Connection established to my.work.ip.addr, 1701.  Local: 32686, Remote: 12 (ref=0/0).
Jun 26 22:21:57 hostname xl2tpd[3518]: Calling on tunnel 32686
Jun 26 22:21:57 hostname xl2tpd[3518]: Call established with my.work.ip.addr, Local: 19569, Remote: 703, Serial: 2 (ref=0/0)
Jun 26 22:21:57 hostname pppd[3532]: Warning: can't open options file /root/.ppprc: Permission denied
Jun 26 22:21:57 hostname pppd[3532]: pppd 2.4.5 started by user, uid 0
Jun 26 22:21:57 hostname xl2tpd[3518]: control_finish: Connection closed to my.work.ip.addr, serial 2 ()
Jun 26 22:21:57 hostname pppd[3532]: Couldn't get channel number: Input/output error
Jun 26 22:21:58 hostname pppd[3532]: Exit.
Jun 26 22:23:28 hostname xl2tpd[3518]: Maximum retries exceeded for tunnel 32686.  Closing.
Jun 26 22:23:28 hostname xl2tpd[3518]: Connection 12 closed to my.work.ip.addr, port 1701 (Timeout)
I noticed I forgot to modprobe the appropriate modules, so I try again:


# modprobe l2tp_ppp
FATAL: Module l2tp_ppp not found.
# modprobe pppol2tp
# service xl2tpd restart
Stopping xl2tpd:                                           [  OK  ]
Starting xl2tpd:                                           [  OK  ]
# echo "c work" > /var/run/xl2tpd/l2tp-control
Again, ip a shows no ppp0 IP address.


Jun 26 22:32:22 hostname kernel: PPPoL2TP kernel driver, V1.0
Jun 26 22:32:52 hostname xl2tpd[3518]: death_handler: Fatal signal 15 received
Jun 26 22:32:52 hostname xl2tpd[3561]: setsockopt recvref[30]: Protocol not available
Jun 26 22:32:52 hostname xl2tpd[3561]: Using l2tp kernel support.
Jun 26 22:32:52 hostname xl2tpd[3562]: xl2tpd version xl2tpd-1.3.8 started on hostname PID:3562
Jun 26 22:32:52 hostname xl2tpd[3562]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jun 26 22:32:52 hostname xl2tpd[3562]: Forked by Scott Balmos and David Stipp, (C) 2001
Jun 26 22:32:52 hostname xl2tpd[3562]: Inherited by Jeff McAdams, (C) 2002
Jun 26 22:32:52 hostname xl2tpd[3562]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jun 26 22:32:52 hostname xl2tpd[3562]: Listening on IP address 0.0.0.0, port 1701
Jun 26 22:33:13 hostname xl2tpd[3562]: Connecting to host my.work.ip.addr, port 1701
Jun 26 22:33:13 hostname xl2tpd[3562]: Connection established to my.work.ip.addr, 1701.  Local: 59127, Remote: 12 (ref=0/0).
Jun 26 22:33:13 hostname xl2tpd[3562]: Calling on tunnel 59127
Jun 26 22:33:13 hostname xl2tpd[3562]: Call established with my.work.ip.addr, Local: 1582, Remote: 704, Serial: 1 (ref=0/0)
Jun 26 22:33:13 hostname pppd[3564]: Warning: can't open options file /root/.ppprc: Permission denied
Jun 26 22:33:13 hostname pppd[3564]: Plugin pppol2tp.so loaded.
Jun 26 22:33:13 hostname pppd[3564]: pppd 2.4.5 started by user, uid 0
Jun 26 22:33:13 hostname pppd[3564]: Using interface ppp0
Jun 26 22:33:13 hostname pppd[3564]: Connect: ppp0 <--> 
Jun 26 22:33:13 hostname pppd[3564]: Overriding mtu 1500 to 1410
Jun 26 22:33:13 hostname pppd[3564]: Overriding mru 1500 to mtu value 1410
Jun 26 22:33:13 hostname xl2tpd[3562]: control_finish: Connection closed to my.work.ip.addr, serial 1 ()
Jun 26 22:33:13 hostname pppd[3564]: Terminating on signal 15
Jun 26 22:33:19 hostname pppd[3564]: Connection terminated.
Jun 26 22:33:19 hostname charon: 06[KNL] interface ppp0 deleted
Jun 26 22:33:19 hostname pppd[3564]: Modem hangup
Jun 26 22:33:19 hostname pppd[3564]: Exit.
Jun 26 22:34:44 hostname xl2tpd[3562]: Maximum retries exceeded for tunnel 59127.  Closing.
Jun 26 22:34:44 hostname xl2tpd[3562]: Connection 12 closed to my.work.ip.addr, port 1701 (Timeout)

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/26 22:01:33
by TypoSpotter
Sorry, wrong options file!


# cat /etc/ppp/options.l2tpd.client
# pppd options for the [lac work] client tunnel (pppoptfile in xl2tpd.conf).
ipcp-accept-local
ipcp-accept-remote
#ms-dns  8.8.8.8
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# EAP refused; MS-CHAPv2 is the CHAP variant requested
refuse-eap
require-mschap-v2
noccp
# the gateway is not required to authenticate itself at the PPP layer; its
# authentication rests on the IPsec pre-shared key
noauth
#crtscts
idle 1800
mtu 1410
mru 1410
# asks pppd to install a default route through ppp0 once the link is up; with
# L2TP/IPsec this can send the IPsec packets themselves into the tunnel unless a
# host route to the gateway exists — TODO confirm this is intended
defaultroute
usepeerdns
# NOTE(review): 'debug' logs the contents of every PPP control packet, including the
# authentication exchange, into the logfile below; disable once the link works and
# keep the log root-readable only.
debug
logfile /var/log/xl2tpd.log
#lock
#proxyarp
connect-delay 5000
# NOTE(review): credentials in an options file are only as protected as the file's
# permissions (values shown are placeholders). If this file is not root-only, prefer
# /etc/ppp/chap-secrets, which is expected to be 0600.
name user
password password

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/27 00:32:07
by TrevorH
The major difference is that I'm using the preferred libreswan and you're using strongswan.

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/27 13:07:11
by TypoSpotter
Hi TrevorH. Thanks for your reply
Ok then, I shall re-try using libreswan.


# cat /etc/ipsec.d/Work.conf 
# libreswan connection for an L2TP/IPsec client: transport-mode IPsec protects only
# the L2TP traffic (UDP/1701) between this host and the work gateway.
config setup
        keep-alive=300

conn Work
        # pre-shared-key authentication; the PSK lives in Work.secrets
        authby=secret
        pfs=yes
        # load at startup, initiate with 'ipsec auto --up Work'
        auto=add
        keyingtries=%forever
        # dead-peer detection: probe every 30s, act after 120s without reply
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        rekey=yes
        rekeymargin=1h
        ikelifetime=8h
        keylife=1h
        # transport mode: only the L2TP packets between the two endpoints are protected
        type=transport
        left=%defaultroute
        leftprotoport=udp/l2tp
        # NOTE(review): later in this thread the gateway declares its IKE ID as
        # '192.168.3.1' (a private address; both ends are reported behind NAT) and
        # libreswan rejects the mismatch with INVALID_ID_INFORMATION. libreswan's
        # rightid= sets the ID expected from the peer — check ipsec.conf(5) for the
        # exact form before relying on it. With authby=secret the authentication of
        # the peer rests on the PSK, not on this ID.
        right=I HAVE CHANGED THIS TO MY WORK IP ADDRESS
        rightprotoport=udp/l2tp
        # NOTE(review): 3DES and the 1024-bit MODP1024 group are legacy interoperability
        # choices; trim the list once the gateway is known to accept stronger proposals.
        ike=aes_ctr,aes_cbc,camellia_cbc,serpent_cbc,twofish_cbc,3des,3DES-SHA1;MODP1024
        phase2alg=aes-HMAC_SHA1,3DES-HMAC_SHA1
        # interoperability workaround for peers that truncate SHA-2 integrity tags to
        # 96 bits; only keep it if the gateway needs it.
        sha2-truncbug=yes
So my Work.conf is exactly the same as yours, except that I have entered my work IP address.


# cat /etc/ipsec.d/Work.secrets 
# PSK for the work gateway (placeholders shown). The key is symmetric, so this file
# must stay readable by root only (e.g. mode 0600).
%any I HAVE ENTERED MY WORK IP ADDRESS : PSK "I HAVE ENTERED MY WORK PSK"


# cat /etc/xl2tpd/xl2tpd.conf
; NOTE(review): [lns default] is the server-side section from the sample config and is
; not needed on a client. With it present xl2tpd will accept inbound L2TP tunnels on
; UDP/1701 from any source that can reach the port, and the IPsec transport policy only
; covers traffic with the work gateway, so such tunnels would arrive unprotected. Drop
; this section for client-only use, or firewall UDP 1701 to the gateway.
[lns default]
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

; client (LAC) tunnel to the office; this is the only section a client needs
[lac Work]
lns = I HAVE ENTERED MY WORK IP ADDRESS
; runs pppd with 'debug': verbose, logs the authentication exchange — turn off once working
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
redial = yes


# cat /etc/ppp/options.l2tpd.client 
# pppd options for the [lac Work] client tunnel (pppoptfile in xl2tpd.conf).
ipcp-accept-local
ipcp-accept-remote
#ms-dns  8.8.8.8
# ms-dns  192.168.1.1
# ms-dns  192.168.1.3
# ms-wins 192.168.1.2
# ms-wins 192.168.1.4
# EAP refused; MS-CHAPv2 is the CHAP variant requested
refuse-eap
require-mschap-v2
noccp
# the gateway is not required to authenticate itself at the PPP layer; its
# authentication rests on the IPsec pre-shared key
noauth
#crtscts
idle 86400
mtu 1410
mru 1410
# routing table is left alone; routes to the office network are added separately
nodefaultroute
#usepeerdns
# NOTE(review): 'debug' logs the contents of every PPP control packet, including the
# authentication exchange, into the logfile below; disable once the link works and
# keep the log root-readable only.
debug
logfile /var/log/xl2tpd.log
#lock
#proxyarp
connect-delay 5000
# NOTE(review): credentials in an options file are only as protected as the file's
# permissions (placeholders shown). If this file is not root-only, prefer
# /etc/ppp/chap-secrets, which is expected to be 0600.
name USER
password PASSWORD


# service ipsec start
Starting pluto IKE daemon for IPsec: .                     [  OK  ]
# service xl2tpd start
Starting xl2tpd:                                           [  OK  ]
# ipsec auto --up Work
002 "Work" #1: initiating Main Mode
104 "Work" #1: STATE_MAIN_I1: initiate
010 "Work" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
010 "Work" #1: STATE_MAIN_I1: retransmission; will wait 1000ms for response
010 "Work" #1: STATE_MAIN_I1: retransmission; will wait 2000ms for response
010 "Work" #1: STATE_MAIN_I1: retransmission; will wait 4000ms for response
010 "Work" #1: STATE_MAIN_I1: retransmission; will wait 8000ms for response
010 "Work" #1: STATE_MAIN_I1: retransmission; will wait 16000ms for response
010 "Work" #1: STATE_MAIN_I1: retransmission; will wait 32000ms for response
031 "Work" #1: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
000 "Work" #1: starting keying attempt 2 of an unlimited number, but releasing whack
# xl2tpd-control connect Work
#
Still getting the same thing:
ip a gives no ppp0 ip address, and


# tail -f /var/log/messages
...
Jun 27 14:00:02 HOSTNAME xl2tpd[3844]: Connecting to host WORKIPADDRESS, port 1701
Jun 27 14:00:02 HOSTNAME xl2tpd[3844]: Connection established to WORKIPADDRESS, 1701.  Local: 21257, Remote: 13 (ref=0/0).
Jun 27 14:00:02 HOSTNAME xl2tpd[3844]: Calling on tunnel 21257
Jun 27 14:00:02 HOSTNAME xl2tpd[3844]: Call established with WORKIPADDRESS, Local: 47596, Remote: 768, Serial: 7 (ref=0/0)
Jun 27 14:00:02 HOSTNAME pppd[3924]: Warning: can't open options file /root/.ppprc: Permission denied
Jun 27 14:00:02 HOSTNAME pppd[3924]: Plugin pppol2tp.so loaded.
Jun 27 14:00:02 HOSTNAME pppd[3924]: pppd 2.4.5 started by USER, uid 0
Jun 27 14:00:02 HOSTNAME pppd[3924]: Using interface ppp0
Jun 27 14:00:02 HOSTNAME pppd[3924]: Connect: ppp0 <--> 
Jun 27 14:00:02 HOSTNAME pppd[3924]: Overriding mtu 1500 to 1410
Jun 27 14:00:02 HOSTNAME pppd[3924]: Overriding mru 1500 to mtu value 1410
Jun 27 14:00:02 HOSTNAME xl2tpd[3844]: control_finish: Connection closed to WORKIPADDRESS, serial 7 ()
Jun 27 14:00:02 HOSTNAME xl2tpd[3844]: control_finish: Connection closed to WORKIPADDRESS, port 1701 (), Local: 21257, Remote: 13
Jun 27 14:00:02 HOSTNAME pppd[3924]: Terminating on signal 15
Jun 27 14:00:02 HOSTNAME pppd[3924]: Modem hangup
Jun 27 14:00:02 HOSTNAME pppd[3924]: Connection terminated.
Jun 27 14:00:02 HOSTNAME pppd[3924]: Exit.
Still doesn't appear to be working.

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/27 13:15:05
by TrevorH
Your ipsec auto --up Work is not working. Whenever I see those retransmission errors, I know that things are going to be either flaky or not work at all. You might try it without the sha2-truncbug option - that's one I needed to fix the retransmission errors you're getting, but maybe whatever you're talking to doesn't need it. It's the ipsec options you need to look at for this; it hasn't got as far as letting you use xl2tpd yet. You may also need different options on the ike= and phase2alg= lines. If that doesn't help, run the ipsec auto --up, then run ipsec status and paste its output, and perhaps we can see what's wrong from that.

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/27 14:33:18
by TypoSpotter
Thanks for your suggestion TrevorH.
I've made a bit of progress by changing the ike= line. ("man ipsec.conf" came in very handy, as did looking in the profile.cfg produced by the Windows laptop running Draytek SmartVPN when connected)

I now get this:


# ipsec auto --up Work
002 "Work" #1: initiating Main Mode
104 "Work" #1: STATE_MAIN_I1: initiate
003 "Work" #1: received Vendor ID payload [Dead Peer Detection]
003 "Work" #1: received Vendor ID payload [RFC 3947]
002 "Work" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "Work" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "Work" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "Work" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
002 "Work" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "Work" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "Work" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.1'
003 "Work" #1: we require IKEv1 peer to have ID 'WORKIPADDRESS', but peer declares '192.168.3.1'
218 "Work" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
002 "Work" #1: sending encrypted notification INVALID_ID_INFORMATION to WORKIPADDRESS:4500
Then it just hangs.

The VPN server (which is a Draytek modem) is outside of my control, so I'm not able to fix the server declaring the wrong IP address even if I knew how.
Is there anything I can do about this? Can I get libreswan to accept the mismatching IP address?

I will add at this point that Windows 7 running Draytek SmartVPN Client connects to this server fine, and so does an Ubuntu 16 laptop with the NetworkManager L2TP plugin that I initially asked about building at the top of this thread.

Re: Building network-manager-l2tp on Centos 6.9 laptop

Posted: 2018/06/27 15:00:04
by TrevorH
Does https://bugzilla.redhat.com/show_bug.cgi?id=1408616 help at all?

I'm pretty sure that you won't get the NM bits to build on CentOS 6, as its copy of NM is so old and dates back to before it became more or less useful. There's no systemd, no recent NM, and all the rest of the el6 package set dates from around 2010 when it was first released.