L2TP/IPSec connection does not work

yurybx
Posts: 8
Joined: 2019/03/05 13:09:37

L2TP/IPSec connection does not work

Post by yurybx » 2019/03/05 13:33:55

Hi all!
I am trying to set up an L2TP/IPSec client on CentOS 7. The connection is established, but traffic does not pass and it drops immediately. On the other side everything is fine, since from Windows the connection with the same parameters works fine. Also, my router is not to blame, because the Windows machine is on the same network as the CentOS machine. I cannot understand what the matter is. Help is needed!
I did all the settings according to the instructions from the service provider (one-to-one configuration): http://vpninfo.uz.gov.ua/instructions/l ... suse/13.2/
In my logs, the disconnection occurs after 4 attempts to send keep-alive packets: "Maximum retries exceeded for tunnel 19104. Closing."
The provider's server log is similar: "IKE lost contact with remote peer, deleting connection (keepalive type: DPD)"
Here is my full log (195.149.70.70 is the provider's IP):

Code:

Mar 05 14:49:01 centos.localdomain charon[13114]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.el7.x86_64, x86_64)
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] PKCS11 module '<name>' lacks library path
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[LIB] openssl FIPS mode(2) - enabled
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG]   loaded IKE secret for 195.149.70.70
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] loaded 0 RADIUS server configurations
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] HA config misses local/remote address
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[CFG] no script for ext-auth script defined, disabled
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck counters
Mar 05 14:49:01 centos.localdomain charon[13114]: 00[JOB] spawning 16 worker threads
Mar 05 14:49:01 centos.localdomain ipsec_starter[13113]: charon (13114) started after 60 ms
Mar 05 14:49:01 centos.localdomain charon[13114]: 05[CFG] received stroke: add connection 'vpn-uz'
Mar 05 14:49:01 centos.localdomain charon[13114]: 05[CFG] added configuration 'vpn-uz'
Mar 05 14:49:01 centos.localdomain charon[13114]: 07[CFG] received stroke: initiate 'vpn-uz'
Mar 05 14:49:01 centos.localdomain charon[13114]: 07[IKE] initiating Main Mode IKE_SA vpn-uz[1] to 195.149.70.70
Mar 05 14:49:01 centos.localdomain charon[13114]: 07[IKE] initiating Main Mode IKE_SA vpn-uz[1] to 195.149.70.70
Mar 05 14:49:01 centos.localdomain charon[13114]: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 07[NET] sending packet: from 10.1.1.99[500] to 195.149.70.70[500] (240 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 09[NET] received packet: from 195.149.70.70[500] to 10.1.1.99[500] (128 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 09[ENC] parsed ID_PROT response 0 [ SA V V ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 09[IKE] received NAT-T (RFC 3947) vendor ID
Mar 05 14:49:01 centos.localdomain charon[13114]: 09[IKE] received FRAGMENTATION vendor ID
Mar 05 14:49:01 centos.localdomain charon[13114]: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 05 14:49:01 centos.localdomain charon[13114]: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 09[NET] sending packet: from 10.1.1.99[500] to 195.149.70.70[500] (244 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[NET] received packet: from 195.149.70.70[500] to 10.1.1.99[500] (304 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[IKE] received Cisco Unity vendor ID
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[IKE] received XAuth vendor ID
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[ENC] received unknown vendor ID: 9e:a3:1f:5c:29:95:06:fb:d6:be:3d:4f:93:af:cf:88
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[IKE] local host is behind NAT, sending keep alives
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[NET] sending packet: from 10.1.1.99[4500] to 195.149.70.70[4500] (108 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[NET] received packet: from 195.149.70.70[4500] to 10.1.1.99[4500] (92 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[IKE] received DPD vendor ID
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[IKE] IKE_SA vpn-uz[1] established between 10.1.1.99[10.1.1.99]...195.149.70.70[195.149.70.70]
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[IKE] IKE_SA vpn-uz[1] established between 10.1.1.99[10.1.1.99]...195.149.70.70[195.149.70.70]
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[IKE] scheduling reauthentication in 9948s
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[IKE] maximum IKE_SA lifetime 10488s
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[ENC] generating QUICK_MODE request 285943041 [ HASH SA No ID ID NAT-OA NAT-OA ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[NET] sending packet: from 10.1.1.99[4500] to 195.149.70.70[4500] (220 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[NET] received packet: from 195.149.70.70[4500] to 10.1.1.99[4500] (188 bytes)
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[ENC] parsed QUICK_MODE response 285943041 [ HASH SA No ID ID NAT-OA NAT-OA ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[IKE] CHILD_SA vpn-uz{1} established with SPIs c21c85e0_i 039295c3_o and TS 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2tp]
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[IKE] CHILD_SA vpn-uz{1} established with SPIs c21c85e0_i 039295c3_o and TS 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2tp]
Mar 05 14:49:01 centos.localdomain vpn[13137]: + 195.149.70.70 195.149.70.70 -- 10.1.1.99
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[ENC] generating QUICK_MODE request 285943041 [ HASH ]
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[NET] sending packet: from 10.1.1.99[4500] to 195.149.70.70[4500] (60 bytes)
Mar 05 14:49:09 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: magic_lac_dial: LAC vpn-uz not activexl2tpd[3928]: Connecting to host 195.149.70.70, port 1701
Mar 05 14:49:09 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: Connection established to 195.149.70.70, 1701.  Local: 19104, Remote: 61134 (ref=0/0).
Mar 05 14:49:09 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: Calling on tunnel 19104
Mar 05 14:49:09 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: Call established with 195.149.70.70, Local: 3220, Remote: 56436, Serial: 23 (ref=0/0)
Mar 05 14:49:09 centos.localdomain pppd[13138]: Plugin pppol2tp.so loaded.
Mar 05 14:49:09 centos.localdomain pppd[13138]: pppd 2.4.5 started by root, uid 0
Mar 05 14:49:09 centos.localdomain pppd[13138]: using channel 9
Mar 05 14:49:09 centos.localdomain pppd[13138]: Using interface ppp0
Mar 05 14:49:09 centos.localdomain pppd[13138]: Connect: ppp0 <-->
Mar 05 14:49:09 centos.localdomain pppd[13138]: Overriding mtu 1500 to 1400
Mar 05 14:49:09 centos.localdomain pppd[13138]: PPPoL2TP options: debugmask 0
Mar 05 14:49:09 centos.localdomain pppd[13138]: Overriding mru 1500 to mtu value 1400
Mar 05 14:49:09 centos.localdomain pppd[13138]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0xef4a94e>]
Mar 05 14:49:09 centos.localdomain NetworkManager[3449]: <info>  [1551790149.9643] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/11)
Mar 05 14:49:09 centos.localdomain pppd[13138]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x7b1ceee0>]
Mar 05 14:49:09 centos.localdomain pppd[13138]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x7b1ceee0>]
Mar 05 14:49:09 centos.localdomain pppd[13138]: rcvd [LCP ConfRej id=0x1 <mru 1400> <asyncmap 0x0>]
Mar 05 14:49:09 centos.localdomain pppd[13138]: sent [LCP ConfReq id=0x2 <magic 0xef4a94e>]
Mar 05 14:49:09 centos.localdomain pppd[13138]: rcvd [LCP ConfAck id=0x2 <magic 0xef4a94e>]
Mar 05 14:49:09 centos.localdomain pppd[13138]: Overriding mtu 1500 to 1400
Mar 05 14:49:09 centos.localdomain pppd[13138]: PPPoL2TP options: debugmask 0
Mar 05 14:49:09 centos.localdomain pppd[13138]: Overriding mru 1500 to mtu value 1400
Mar 05 14:49:09 centos.localdomain pppd[13138]: rcvd [CHAP Challenge id=0x1 <1037d8903f04f6e4184600f42a68cb1f>, name = ""]
Mar 05 14:49:09 centos.localdomain pppd[13138]: sent [CHAP Response id=0x1 <2d63da3ed23e1058b5a4cdfed8c75a57000000000000000098cb33e5571a022d521a4b27366f957eb2c9e3f5374033a100>, name = "mylogin"]
Mar 05 14:49:09 centos.localdomain pppd[13138]: rcvd [CHAP Success id=0x1 "S=E4CAD92D1C0F6316BE583DE762FF842790E5DB27"]
Mar 05 14:49:09 centos.localdomain pppd[13138]: CHAP authentication succeeded
Mar 05 14:49:09 centos.localdomain pppd[13138]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Mar 05 14:49:10 centos.localdomain pppd[13138]: rcvd [IPCP ConfReq id=0x1 <addr 195.149.70.70>]
Mar 05 14:49:10 centos.localdomain pppd[13138]: sent [IPCP ConfAck id=0x1 <addr 195.149.70.70>]
Mar 05 14:49:10 centos.localdomain pppd[13138]: rcvd [IPCP ConfNak id=0x1 <addr 10.10.181.222> <ms-dns1 10.10.255.4> <ms-dns2 10.10.255.5>]
Mar 05 14:49:10 centos.localdomain pppd[13138]: sent [IPCP ConfReq id=0x2 <addr 10.10.181.222> <ms-dns1 10.10.255.4> <ms-dns2 10.10.255.5>]
Mar 05 14:49:10 centos.localdomain pppd[13138]: rcvd [IPCP ConfAck id=0x2 <addr 10.10.181.222> <ms-dns1 10.10.255.4> <ms-dns2 10.10.255.5>]
Mar 05 14:49:10 centos.localdomain pppd[13138]: local  IP address 10.10.181.222
Mar 05 14:49:10 centos.localdomain pppd[13138]: remote IP address 195.149.70.70
Mar 05 14:49:10 centos.localdomain pppd[13138]: primary   DNS address 10.10.255.4
Mar 05 14:49:10 centos.localdomain pppd[13138]: secondary DNS address 10.10.255.5
Mar 05 14:49:10 centos.localdomain NetworkManager[3449]: <info>  [1551790150.0126] device (ppp0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Mar 05 14:49:10 centos.localdomain NetworkManager[3449]: <info>  [1551790150.0134] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
Mar 05 14:49:10 centos.localdomain charon[13114]: 06[KNL] 10.10.181.222 appeared on ppp0
Mar 05 14:49:10 centos.localdomain charon[13114]: 08[KNL] 10.10.181.222 disappeared from ppp0
Mar 05 14:49:10 centos.localdomain charon[13114]: 10[KNL] 10.10.181.222 appeared on ppp0
Mar 05 14:49:10 centos.localdomain charon[13114]: 12[KNL] interface ppp0 activated
Mar 05 14:49:10 centos.localdomain pppd[13138]: Script /etc/ppp/ip-up started (pid 13151)
Mar 05 14:49:10 centos.localdomain pppd[13138]: Script /etc/ppp/ip-up finished (pid 13151), status = 0x0
Mar 05 14:49:29 centos.localdomain charon[13114]: 14[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:49:49 centos.localdomain charon[13114]: 09[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:50:09 centos.localdomain charon[13114]: 06[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:50:29 centos.localdomain charon[13114]: 06[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:50:41 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: Maximum retries exceeded for tunnel 19104.  Closing.
Mar 05 14:50:41 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: Connection 61134 closed to 195.149.70.70, port 1701 (Timeout)
Mar 05 14:50:41 centos.localdomain pppd[13138]: Terminating on signal 15
Mar 05 14:50:41 centos.localdomain pppd[13138]: Connect time 1.6 minutes.
Mar 05 14:50:41 centos.localdomain pppd[13138]: Sent 93405 bytes, received 0 bytes.
Mar 05 14:50:41 centos.localdomain NetworkManager[3449]: <info>  [1551790241.0074] device (ppp0): state change: disconnected -> unmanaged (reason 'connection-assumed', sys-iface-state: 'external')
Mar 05 14:50:41 centos.localdomain charon[13114]: 16[KNL] interface ppp0 deactivated
Mar 05 14:50:41 centos.localdomain charon[13114]: 05[KNL] 10.10.181.222 disappeared from ppp0
Mar 05 14:50:41 centos.localdomain pppd[13138]: Script /etc/ppp/ip-down started (pid 13155)
Mar 05 14:50:41 centos.localdomain pppd[13138]: Overriding mtu 1500 to 1400
Mar 05 14:50:41 centos.localdomain pppd[13138]: PPPoL2TP options: debugmask 0
Mar 05 14:50:41 centos.localdomain pppd[13138]: Overriding mru 1500 to mtu value 1400
Mar 05 14:50:41 centos.localdomain pppd[13138]: sent [LCP TermReq id=0x3 "User request"]
Mar 05 14:50:41 centos.localdomain pppd[13138]: Script /etc/ppp/ip-down finished (pid 13155), status = 0x0
Mar 05 14:50:44 centos.localdomain pppd[13138]: sent [LCP TermReq id=0x4 "User request"]
Mar 05 14:50:47 centos.localdomain pppd[13138]: Connection terminated.
Mar 05 14:50:47 centos.localdomain charon[13114]: 08[KNL] interface ppp0 deleted
Mar 05 14:50:47 centos.localdomain pppd[13138]: Modem hangup
Mar 05 14:50:47 centos.localdomain pppd[13138]: Exit.
Mar 05 14:50:50 centos.localdomain kernel: device eth0 left promiscuous mode
Here is the provider's full log (1.1.1.1 is my router's IP):

Code:

Mar  5 14:07:58 10.1.255.11 ASA %ASA-6-603106: L2TP Tunnel created, tunnel_id is 60657, remote_peer_ip is 1.1.1.1
Mar  5 14:07:58 10.1.255.11 ASA %ASA-7-713204: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, Adding static route for client address: 10.10.181.222
Mar  5 14:08:12 10.1.255.11 ASA %ASA-7-715036: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x14f5d486)
Mar  5 14:08:12 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing blank hash payload
Mar  5 14:08:12 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing qm hash payload
Mar  5 14:08:12 10.1.255.11 ASA %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=b797a22) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar  5 14:08:14 10.1.255.11 ASA %ASA-7-715036: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x14f5d487)
Mar  5 14:08:14 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing blank hash payload
Mar  5 14:08:14 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing qm hash payload
Mar  5 14:08:14 10.1.255.11 ASA %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=4a4f8f79) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar  5 14:08:16 10.1.255.11 ASA %ASA-7-715036: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x14f5d488)
Mar  5 14:08:16 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing blank hash payload
Mar  5 14:08:16 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing qm hash payload
Mar  5 14:08:16 10.1.255.11 ASA %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=1781835a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar  5 14:08:18 10.1.255.11 ASA %ASA-3-713123: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713906: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, IKE SA MM:a030d784 rcv'd Terminate: state MM_ACTIVE  flags 0x0001b042, refcnt 1, tuncnt 1
Mar  5 14:08:18 10.1.255.11 ASA %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 60657, remote_peer_ip = 1.1.1.1
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713906: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, sending delete/delete with reason message
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing blank hash payload
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing IPSec delete payload
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing qm hash payload
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=1b96c90d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713906: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, Active unit receives a delete event for remote peer 1.1.1.1.
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713906: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, IKE SA MM:a030d784 terminating:  flags 0x0101b002, refcnt 0, tuncnt 1
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-715009: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, IKE Deleting SA: Remote Proxy 1.1.1.1, Local Proxy 195.149.70.70
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713906: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, IKE SA MM:a030d784 terminating:  flags 0x0101b002, refcnt 0, tuncnt 0
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713906: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, sending delete/delete with reason message
Mar  5 14:08:18 10.1.255.11 ASA %ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0xC4C794AA) between 195.149.70.70 and 1.1.1.1 (user= mylogin) has been deleted.
Mar  5 14:08:18 10.1.255.11 ASA %ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0xC6AE4588) between 195.149.70.70 and 1.1.1.1 (user= mylogin) has been deleted.
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing blank hash payload
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing IKE delete payload
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-715046: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, constructing qm hash payload
Mar  5 14:08:18 10.1.255.11 ASA %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=714b69b3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar  5 14:08:18 10.1.255.11 ASA %ASA-5-713259: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, Session is being torn down. Reason: L2TP initiated
Mar  5 14:08:18 10.1.255.11 ASA %ASA-4-113019: Group = DefaultRAGroup, Username = mylogin, IP = 1.1.1.1, Session disconnected. Session Type: L2TPOverIPsecOverNatT, Duration: 0h:00m:22s, Bytes xmt: 995, Bytes rcv: 811, Reason: L2TP initiated
Mar  5 14:09:29 10.1.255.11 ASA %ASA-6-302015: Built inbound UDP connection 1883360612 for outside:1.1.1.1/52401 (1.1.1.1/52401) to identity:195.149.70.70/4500 (195.149.70.70/4500)
Mar  5 14:09:29 10.1.255.11 ASA %ASA-7-710005: UDP request discarded from 1.1.1.1/52401 to outside:195.149.70.70/4500
Mar  5 14:09:29 10.1.255.11 ASA %ASA-6-302016: Teardown UDP connection 1883360612 for outside:1.1.1.1/52401 to identity:195.149.70.70/4500 duration 0:00:00 bytes 84
Mar  5 14:09:30 10.1.255.11 ASA %ASA-6-302015: Built inbound UDP connection 1883360931 for outside:1.1.1.1/52401 (1.1.1.1/52401) to identity:195.149.70.70/4500 (195.149.70.70/4500)
Mar  5 14:09:30 10.1.255.11 ASA %ASA-7-710005: UDP request discarded from 1.1.1.1/52401 to outside:195.149.70.70/4500
Mar  5 14:09:30 10.1.255.11 ASA %ASA-6-302016: Teardown UDP connection 1883360931 for outside:1.1.1.1/52401 to identity:195.149.70.70/4500 duration 0:00:00 bytes 100
Mar  5 14:09:32 10.1.255.11 ASA %ASA-6-302015: Built inbound UDP connection 1883361548 for outside:1.1.1.1/52401 (1.1.1.1/52401) to identity:195.149.70.70/4500 (195.149.70.70/4500)
Mar  5 14:09:32 10.1.255.11 ASA %ASA-7-710005: UDP request discarded from 1.1.1.1/52401 to outside:195.149.70.70/4500
Mar  5 14:09:32 10.1.255.11 ASA %ASA-6-302016: Teardown UDP connection 1883361548 for outside:1.1.1.1/52401 to identity:195.149.70.70/4500 duration 0:00:00 bytes 100
Mar  5 14:09:32 10.1.255.11 ASA %ASA-6-302015: Built inbound UDP connection 1883361551 for outside:1.1.1.1/52401 (1.1.1.1/52401) to identity:195.149.70.70/4500 (195.149.70.70/4500)
Mar  5 14:09:32 10.1.255.11 ASA %ASA-7-710005: UDP request discarded from 1.1.1.1/52401 to outside:195.149.70.70/4500
Mar  5 14:09:32 10.1.255.11 ASA %ASA-6-302016: Teardown UDP connection 1883361551 for outside:1.1.1.1/52401 to identity:195.149.70.70/4500 duration 0:00:00 bytes 84
Mar  5 14:09:36 10.1.255.11 ASA %ASA-6-302015: Built inbound UDP connection 1883362552 for outside:1.1.1.1/52401 (1.1.1.1/52401) to identity:195.149.70.70/4500 (195.149.70.70/4500)
Mar  5 14:09:36 10.1.255.11 ASA %ASA-7-710005: UDP request discarded from 1.1.1.1/52401 to outside:195.149.70.70/4500
Mar  5 14:09:36 10.1.255.11 ASA %ASA-6-302016: Teardown UDP connection 1883362552 for outside:1.1.1.1/52401 to identity:195.149.70.70/4500 duration 0:00:00 bytes 100
Mar  5 14:09:44 10.1.255.11 ASA %ASA-6-302015: Built inbound UDP connection 1883365224 for outside:1.1.1.1/52401 (1.1.1.1/52401) to identity:195.149.70.70/4500 (195.149.70.70/4500)
Mar  5 14:09:44 10.1.255.11 ASA %ASA-7-710005: UDP request discarded from 1.1.1.1/52401 to outside:195.149.70.70/4500
Mar  5 14:09:44 10.1.255.11 ASA %ASA-6-302016: Teardown UDP connection 1883365224 for outside:1.1.1.1/52401 to identity:195.149.70.70/4500 duration 0:00:00 bytes 100
Mar  5 14:09:58 10.1.255.11 ASA %ASA-6-302016: Teardown UDP connection 1883332033 for outside:1.1.1.1/50358 to identity:195.149.70.70/500 duration 0:02:01 bytes 916
Mar  5 14:09:59 10.1.255.11 ASA %ASA-6-302015: Built inbound UDP connection 1883369498 for outside:1.1.1.1/52401 (1.1.1.1/52401) to identity:195.149.70.70/4500 (195.149.70.70/4500)
Mar  5 14:09:59 10.1.255.11 ASA %ASA-7-710005: UDP request discarded from 1.1.1.1/52401 to outside:195.149.70.70/4500
Moderator edit: moved to equivalent CentOS 7 forum as this is not about CentOS 6.
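The two logs above show a specific failure shape: IKE Main Mode and Quick Mode both complete (IKE_SA and CHILD_SA established, with the traffic selector restricted to udp/l2tp), strongSwan notes it is behind NAT and sends UDP/4500 keep-alives, xl2tpd's control channel then gets no replies and times out, and pppd reports bytes sent but 0 bytes received. That is one-way traffic after the IPsec SAs are up, not an authentication problem. As an added triage aid (not code from the thread or from strongSwan/xl2tpd), the script below parses a few of the posted charon/xl2tpd/pppd lines, extracts the SA details and counters, and classifies the failure. The sample lines are copied from the first post; the classification labels and hint texts are the editor's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the charon/xl2tpd/pppd lines posted in the thread above.
SAMPLE_LOG = """\
Mar 05 14:49:01 centos.localdomain charon[13114]: 10[IKE] local host is behind NAT, sending keep alives
Mar 05 14:49:01 centos.localdomain charon[13114]: 11[IKE] IKE_SA vpn-uz[1] established between 10.1.1.99[10.1.1.99]...195.149.70.70[195.149.70.70]
Mar 05 14:49:01 centos.localdomain charon[13114]: 13[IKE] CHILD_SA vpn-uz{1} established with SPIs c21c85e0_i 039295c3_o and TS 10.1.1.99/32[udp] === 195.149.70.70/32[udp/l2tp]
Mar 05 14:49:09 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: Connection established to 195.149.70.70, 1701.  Local: 19104, Remote: 61134 (ref=0/0).
Mar 05 14:49:09 centos.localdomain pppd[13138]: CHAP authentication succeeded
Mar 05 14:49:29 centos.localdomain charon[13114]: 14[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:49:49 centos.localdomain charon[13114]: 09[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:50:09 centos.localdomain charon[13114]: 06[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:50:29 centos.localdomain charon[13114]: 06[IKE] sending keep alive to 195.149.70.70[4500]
Mar 05 14:50:41 centos.localdomain xl2tpd[3928]: xl2tpd[3928]: Maximum retries exceeded for tunnel 19104.  Closing.
Mar 05 14:50:41 centos.localdomain pppd[13138]: Sent 93405 bytes, received 0 bytes.
"""

# syslog/journal line: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional, e.g. "kernel:")
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
CHILD_SA_RE = re.compile(
    r'CHILD_SA (?P<conn>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i '
    r'(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts_local>.+?) === (?P<ts_remote>.+)$')
KEEPALIVE_RE = re.compile(r'sending keep alive to (?P<peer>\S+)')
L2TP_TIMEOUT_RE = re.compile(r'Maximum retries exceeded for tunnel (?P<tunnel>\d+)')
PPP_BYTES_RE = re.compile(r'Sent (?P<sent>\d+) bytes, received (?P<recv>\d+) bytes')


@dataclass
class Report:
    behind_nat: bool = False
    ike_sa_established: bool = False
    child_sas: List[dict] = field(default_factory=list)
    keepalives_sent: int = 0
    l2tp_tunnel_up: bool = False
    l2tp_timeouts: List[str] = field(default_factory=list)
    ppp_auth_ok: bool = False
    ppp_sent: Optional[int] = None
    ppp_received: Optional[int] = None


def triage(text: str) -> Report:
    """Walk the log once and collect the facts needed to classify the failure."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        prog, msg = m['prog'], m['msg']
        if prog == 'charon':
            if 'local host is behind NAT' in msg:
                rep.behind_nat = True
            elif 'IKE_SA' in msg and 'established between' in msg:
                rep.ike_sa_established = True
            elif KEEPALIVE_RE.search(msg):
                rep.keepalives_sent += 1
            else:
                c = CHILD_SA_RE.search(msg)
                if c:
                    rep.child_sas.append(c.groupdict())
        elif prog == 'xl2tpd':
            if 'Connection established to' in msg:
                rep.l2tp_tunnel_up = True
            t = L2TP_TIMEOUT_RE.search(msg)
            if t:
                rep.l2tp_timeouts.append(t['tunnel'])
        elif prog == 'pppd':
            if 'CHAP authentication succeeded' in msg:
                rep.ppp_auth_ok = True
            b = PPP_BYTES_RE.search(msg)
            if b:
                rep.ppp_sent, rep.ppp_received = int(b['sent']), int(b['recv'])
    return rep


def diagnose(rep: Report) -> str:
    """Order matters: earliest layer that failed wins."""
    if not rep.ike_sa_established:
        return 'ike_phase1_failed'
    if not rep.child_sas:
        return 'ipsec_phase2_failed'
    if rep.l2tp_timeouts and rep.ppp_received == 0:
        return 'one_way_traffic_after_ipsec_up'
    if rep.l2tp_timeouts:
        return 'l2tp_control_timeout'
    return 'no_fault_detected'


# Editor's troubleshooting hints per classification (assumption: standard iproute2/tcpdump tooling).
HINTS = {
    'ike_phase1_failed': "Main Mode never completed; compare IKE proposals and the PSK on both peers.",
    'ipsec_phase2_failed': "IKE_SA is up but no CHILD_SA; compare ESP proposals and the udp/l2tp traffic selector.",
    'one_way_traffic_after_ipsec_up': (
        "IKE and ESP SAs negotiated and keep alives went out, but nothing came back inside the tunnel "
        "(pppd received 0 bytes, xl2tpd timed out). Check that UDP/4500 replies from the peer reach the "
        "host and that the inbound SA (the _i SPI) ever counts packets: 'ip -s xfrm state' and "
        "'tcpdump -ni <iface> udp port 4500'."),
    'l2tp_control_timeout': "L2TP control channel timed out although PPP saw return traffic; check xl2tpd config.",
    'no_fault_detected': "No failure pattern matched.",
}

if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    verdict = diagnose(report)
    print(verdict, report)
    print(HINTS[verdict])
```

Run it against a full `journalctl -u strongswan -u xl2tpd` capture to get the same classification; the regexes only assume the standard syslog-style prefix shown in the thread.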

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: L2TP/IPSec connection does not work

Post by TrevorH » 2019/03/05 15:59:38

My only question would be "why strongswan and not the libreswan that we ship as part of the distro?"
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

yurybx
Posts: 8
Joined: 2019/03/05 13:09:37

Re: L2TP/IPSec connection does not work

Post by yurybx » 2019/03/06 13:24:39

I used Strongswan because its configuration is described in the instructions from the service provider.
But today I installed Libreswan and got the same problem: the connection is established, but traffic does not pass, and the connection breaks. How can I find out the reason? In Windows everything works fine. Please, help!
In the log I see six messages "network_thread: select timeout", after which "Maximum retries exceeded for tunnel. Closing.".
Here is the full log:

Code:

Mar 06 15:11:32 centos.localdomain polkitd[3403]: Registered Authentication Agent for unix-process:17848:1533013 (system bus name :1.124 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 06 15:11:32 centos.localdomain systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Mar 06 15:11:32 centos.localdomain ipsec[18125]: nflog ipsec capture disabled
Mar 06 15:11:32 centos.localdomain pluto[18137]: FIPS Product: NO
Mar 06 15:11:32 centos.localdomain pluto[18137]: FIPS Kernel: NO
Mar 06 15:11:32 centos.localdomain pluto[18137]: FIPS Mode: NO
Mar 06 15:11:32 centos.localdomain pluto[18137]: NSS DB directory: sql:/etc/ipsec.d
Mar 06 15:11:32 centos.localdomain pluto[18137]: Initializing NSS
Mar 06 15:11:32 centos.localdomain pluto[18137]: Opening NSS database "sql:/etc/ipsec.d" read-only
Mar 06 15:11:32 centos.localdomain pluto[18137]: NSS initialized
Mar 06 15:11:32 centos.localdomain pluto[18137]: NSS crypto library initialized
Mar 06 15:11:32 centos.localdomain pluto[18137]: FIPS HMAC integrity support [enabled]
Mar 06 15:11:32 centos.localdomain pluto[18137]: FIPS mode disabled for pluto daemon
Mar 06 15:11:32 centos.localdomain pluto[18137]: FIPS HMAC integrity verification self-test passed
Mar 06 15:11:32 centos.localdomain pluto[18137]: libcap-ng support [enabled]
Mar 06 15:11:32 centos.localdomain pluto[18137]: Linux audit support [enabled]
Mar 06 15:11:32 centos.localdomain pluto[18137]: Linux audit activated
Mar 06 15:11:32 centos.localdomain pluto[18137]: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS (AVA copy) (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:18137
Mar 06 15:11:32 centos.localdomain pluto[18137]: core dump dir: /run/pluto
Mar 06 15:11:32 centos.localdomain pluto[18137]: secrets file: /etc/ipsec.secrets
Mar 06 15:11:32 centos.localdomain pluto[18137]: leak-detective enabled
Mar 06 15:11:32 centos.localdomain pluto[18137]: NSS crypto [enabled]
Mar 06 15:11:32 centos.localdomain pluto[18137]: XAUTH PAM support [enabled]
Mar 06 15:11:32 centos.localdomain pluto[18137]: NAT-Traversal support  [enabled]
Mar 06 15:11:32 centos.localdomain pluto[18137]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Mar 06 15:11:32 centos.localdomain pluto[18137]: Encryption algorithms:
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_CCM_16          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_CCM_12          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_CCM_8           IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   3DES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   CAMELLIA_CTR        IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
Mar 06 15:11:32 centos.localdomain pluto[18137]:   CAMELLIA_CBC        IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (camellia)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_GCM_16          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_GCM_12          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_GCM_8           IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_CTR             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   SERPENT_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (serpent)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   TWOFISH_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (twofish)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   TWOFISH_SSH         IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  (twofish_cbc_ssh)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   CAST_CBC            IKEv1:     ESP     IKEv2:     ESP           {*128}  (cast)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   NULL_AUTH_AES_GMAC  IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}  (aes_gmac)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   NULL                IKEv1:     ESP     IKEv2:     ESP           []
Mar 06 15:11:32 centos.localdomain pluto[18137]: Hash algorithms:
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MD5                 IKEv1: IKE         IKEv2:
Mar 06 15:11:32 centos.localdomain pluto[18137]:   SHA1                IKEv1: IKE         IKEv2:             FIPS  (sha)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   SHA2_256            IKEv1: IKE         IKEv2:             FIPS  (sha2 sha256)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   SHA2_384            IKEv1: IKE         IKEv2:             FIPS  (sha384)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   SHA2_512            IKEv1: IKE         IKEv2:             FIPS  (sha512)
Mar 06 15:11:32 centos.localdomain pluto[18137]: PRF algorithms:
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_MD5            IKEv1: IKE         IKEv2: IKE               (md5)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA1           IKEv1: IKE         IKEv2: IKE         FIPS  (sha sha1)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA2_256       IKEv1: IKE         IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA2_384       IKEv1: IKE         IKEv2: IKE         FIPS  (sha384 sha2_384)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA2_512       IKEv1: IKE         IKEv2: IKE         FIPS  (sha512 sha2_512)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_XCBC            IKEv1:             IKEv2: IKE         FIPS  (aes128_xcbc)
Mar 06 15:11:32 centos.localdomain pluto[18137]: Integrity algorithms:
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_MD5_96         IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (md5 hmac_md5)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA1_96        IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA2_512_256   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA2_384_192   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   HMAC_SHA2_256_128   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_XCBC_96         IKEv1:     ESP AH  IKEv2: IKE ESP AH  FIPS  (aes_xcbc aes128_xcbc aes128_xcbc_96)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   AES_CMAC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_cmac)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   NONE                IKEv1:     ESP     IKEv2:     ESP     FIPS  (null)
Mar 06 15:11:32 centos.localdomain pluto[18137]: DH algorithms:
Mar 06 15:11:32 centos.localdomain pluto[18137]:   NONE                IKEv1:             IKEv2: IKE ESP AH        (null dh0)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MODP1024            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh2)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MODP1536            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh5)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MODP2048            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MODP3072            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MODP4096            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MODP6144            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   MODP8192            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   DH19                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_256)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   DH20                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_384)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   DH21                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_521)
Mar 06 15:11:32 centos.localdomain pluto[18137]:   DH22                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH
Mar 06 15:11:32 centos.localdomain pluto[18137]:   DH23                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
Mar 06 15:11:32 centos.localdomain pluto[18137]:   DH24                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
Mar 06 15:11:32 centos.localdomain pluto[18137]: starting up 2 crypto helpers
Mar 06 15:11:32 centos.localdomain pluto[18137]: started thread for crypto helper 0
Mar 06 15:11:32 centos.localdomain pluto[18137]: started thread for crypto helper 1
Mar 06 15:11:32 centos.localdomain pluto[18137]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-957.el7.x86_64
Mar 06 15:11:32 centos.localdomain pluto[18137]: | selinux support is enabled.
Mar 06 15:11:32 centos.localdomain pluto[18137]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Mar 06 15:11:32 centos.localdomain pluto[18137]: watchdog: sending probes every 100 secs
Mar 06 15:11:32 centos.localdomain polkitd[3403]: Unregistered Authentication Agent for unix-process:17848:1533013 (system bus name :1.124, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 06 15:11:32 centos.localdomain systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Mar 06 15:11:32 centos.localdomain pluto[18137]: added connection description "vpn-uz"
Mar 06 15:11:32 centos.localdomain pluto[18137]: listening for IKE messages
Mar 06 15:11:32 centos.localdomain pluto[18137]: adding interface eth0/eth0 10.1.1.99:500
Mar 06 15:11:32 centos.localdomain pluto[18137]: adding interface eth0/eth0 10.1.1.99:4500
Mar 06 15:11:32 centos.localdomain pluto[18137]: adding interface lo/lo 127.0.0.1:500
Mar 06 15:11:32 centos.localdomain pluto[18137]: adding interface lo/lo 127.0.0.1:4500
Mar 06 15:11:32 centos.localdomain pluto[18137]: adding interface lo/lo ::1:500
Mar 06 15:11:32 centos.localdomain pluto[18137]: | setup callback for interface lo:500 fd 20
Mar 06 15:11:32 centos.localdomain pluto[18137]: | setup callback for interface lo:4500 fd 19
Mar 06 15:11:32 centos.localdomain pluto[18137]: | setup callback for interface lo:500 fd 18
Mar 06 15:11:32 centos.localdomain pluto[18137]: | setup callback for interface eth0:4500 fd 17
Mar 06 15:11:32 centos.localdomain pluto[18137]: | setup callback for interface eth0:500 fd 16
Mar 06 15:11:32 centos.localdomain pluto[18137]: loading secrets from "/etc/ipsec.secrets"
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #1: initiating Main Mode
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #1: ignoring unknown Vendor ID payload [9fea2e495916f833caf906fd49bea62e]
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 06 15:11:35 centos.localdomain pluto[18137]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #1: Peer ID is ID_IPV4_ADDR: '195.149.70.70'
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:33c49e21 proposal=AES_CBC_128-HMAC_SHA1_96 pfsgroup=no-pfs}
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: our client subnet returned doesn't match my proposal - us:10.1.1.99/32 vs them:91.91.91.91/32
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: our client peer returned port doesn't match my proposal - us:1701 vs them:0
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: Allowing bad L2TP/IPsec proposal (see bug #849) anyway
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xef0c6478 <0x53718d77 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=195.149.70.70:4500 DPD=active}
Mar 06 15:11:49 centos.localdomain polkitd[3403]: Registered Authentication Agent for unix-process:18180:1534750 (system bus name :1.125 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 06 15:11:49 centos.localdomain systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
Mar 06 15:11:49 centos.localdomain systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
Mar 06 15:11:49 centos.localdomain polkitd[3403]: Unregistered Authentication Agent for unix-process:18180:1534750 (system bus name :1.125, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Not looking for kernel SAref support.
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Using l2tp kernel support.
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: xl2tpd version xl2tpd-1.3.8 started on centos.localdomain PID:18187
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Forked by Scott Balmos and David Stipp, (C) 2001
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Inherited by Jeff McAdams, (C) 2002
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Mar 06 15:11:49 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Listening on IP address 0.0.0.0, port 1701
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: get_call: allocating new tunnel for host 195.149.70.70, port 1701.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Connecting to host 195.149.70.70, port 1701
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: sending SCCRQ
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: recv packet from 195.149.70.70, size = 106, tunnel = 37745, call = 0 ref=0 refhim=0
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: protocol_version_avp: peer is using version 1, revision 0.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: framing_caps_avp: supported peer frames: async sync
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: bearer_caps_avp: supported peer bearers: analog digital
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: firmware_rev_avp: peer reports firmware version 4384 (0x1120)
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: hostname_avp: peer reports hostname 'ASA'
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: vendor_avp: peer reports vendor 'Cisco Systems, Inc.'
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: assigned_tunnel_avp: using peer's tunnel 5240
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: receive_window_size_avp: peer wants RWS of 16.  Will use flow control.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 5240, call is 0.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: sending SCCCN
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Connection established to 195.149.70.70, 1701.  Local: 37745, Remote: 5240 (ref=0/0).
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Calling on tunnel 37745
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: message type is (null)(0).  Tunnel is 5240, call is 0.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: sending ICRQ
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: recv packet from 195.149.70.70, size = 12, tunnel = 37745, call = 0 ref=0 refhim=0
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: recv packet from 195.149.70.70, size = 28, tunnel = 37745, call = 56148 ref=0 refhim=0
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: message_type_avp: message type 11 (Incoming-Call-Reply)
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: assigned_call_avp: using peer's call 440
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: message type is Incoming-Call-Reply(11).  Tunnel is 5240, call is 440.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: Sending ICCN
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Call established with 195.149.70.70, Local: 56148, Remote: 440, Serial: 1 (ref=0/0)
Mar 06 15:11:55 centos.localdomain pppd[18191]: Plugin pppol2tp.so loaded.
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: recv packet from 195.149.70.70, size = 12, tunnel = 37745, call = 56148 ref=0 refhim=0
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: recv packet from 195.149.70.70, size = 36, tunnel = 37745, call = 56148 ref=0 refhim=0
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: message_type_avp: message type 16 (Set-Link-Info)
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: ignore_avp : Ignoring AVP
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: control_finish: message type is Set-Link-Info(16).  Tunnel is 5240, call is 440.
Mar 06 15:11:55 centos.localdomain pppd[18191]: pppd 2.4.5 started by root, uid 0
Mar 06 15:11:55 centos.localdomain pppd[18191]: using channel 11
Mar 06 15:11:55 centos.localdomain pppd[18191]: Using interface ppp0
Mar 06 15:11:55 centos.localdomain pppd[18191]: Connect: ppp0 <-->
Mar 06 15:11:55 centos.localdomain pppd[18191]: Overriding mtu 1500 to 1400
Mar 06 15:11:55 centos.localdomain pppd[18191]: PPPoL2TP options: debugmask 0
Mar 06 15:11:55 centos.localdomain pppd[18191]: Overriding mru 1500 to mtu value 1400
Mar 06 15:11:55 centos.localdomain pppd[18191]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0xda60f330>]
Mar 06 15:11:55 centos.localdomain NetworkManager[3449]: <info>  [1551877915.7877] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/14)
Mar 06 15:11:55 centos.localdomain pppd[18191]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x1b9a472e>]
Mar 06 15:11:55 centos.localdomain pppd[18191]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x1b9a472e>]
Mar 06 15:11:55 centos.localdomain pppd[18191]: rcvd [LCP ConfRej id=0x1 <mru 1400> <asyncmap 0x0>]
Mar 06 15:11:55 centos.localdomain pppd[18191]: sent [LCP ConfReq id=0x2 <magic 0xda60f330>]
Mar 06 15:11:55 centos.localdomain pppd[18191]: rcvd [LCP ConfAck id=0x2 <magic 0xda60f330>]
Mar 06 15:11:55 centos.localdomain pppd[18191]: Overriding mtu 1500 to 1400
Mar 06 15:11:55 centos.localdomain pppd[18191]: PPPoL2TP options: debugmask 0
Mar 06 15:11:55 centos.localdomain pppd[18191]: Overriding mru 1500 to mtu value 1400
Mar 06 15:11:55 centos.localdomain pppd[18191]: rcvd [CHAP Challenge id=0x1 <f868820f2689668ec8315af73a6fda8b>, name = ""]
Mar 06 15:11:55 centos.localdomain pppd[18191]: sent [CHAP Response id=0x1 <2da953b0d75dd5de5f6122836e5b061100000000000000004141c1653a2703eee519b9ed9a9dc272d03506cc16a23aca00>, name = "mylogin"]
Mar 06 15:11:55 centos.localdomain pppd[18191]: rcvd [CHAP Success id=0x1 "S=6B9418B235F952273A5B02662947E6821B256B70"]
Mar 06 15:11:55 centos.localdomain pppd[18191]: CHAP authentication succeeded
Mar 06 15:11:55 centos.localdomain pppd[18191]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Mar 06 15:11:55 centos.localdomain pppd[18191]: rcvd [IPCP TermAck id=0x1]
Mar 06 15:11:56 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:11:56 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:11:56 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:11:56 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:11:58 centos.localdomain pppd[18191]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Mar 06 15:11:58 centos.localdomain pppd[18191]: rcvd [IPCP ConfReq id=0x1 <addr 195.149.70.70>]
Mar 06 15:11:58 centos.localdomain pppd[18191]: sent [IPCP ConfAck id=0x1 <addr 195.149.70.70>]
Mar 06 15:11:58 centos.localdomain pppd[18191]: rcvd [IPCP ConfNak id=0x1 <addr 10.10.181.222> <ms-dns1 10.10.255.4> <ms-dns2 10.10.255.5>]
Mar 06 15:11:58 centos.localdomain pppd[18191]: sent [IPCP ConfReq id=0x2 <addr 10.10.181.222> <ms-dns1 10.10.255.4> <ms-dns2 10.10.255.5>]
Mar 06 15:11:58 centos.localdomain pppd[18191]: rcvd [IPCP ConfAck id=0x2 <addr 10.10.181.222> <ms-dns1 10.10.255.4> <ms-dns2 10.10.255.5>]
Mar 06 15:11:58 centos.localdomain pppd[18191]: local  IP address 10.10.181.222
Mar 06 15:11:58 centos.localdomain pppd[18191]: remote IP address 195.149.70.70
Mar 06 15:11:58 centos.localdomain pppd[18191]: primary   DNS address 10.10.255.4
Mar 06 15:11:58 centos.localdomain pppd[18191]: secondary DNS address 10.10.255.5
Mar 06 15:11:58 centos.localdomain NetworkManager[3449]: <info>  [1551877918.8575] device (ppp0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Mar 06 15:11:58 centos.localdomain NetworkManager[3449]: <info>  [1551877918.8590] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
Mar 06 15:11:58 centos.localdomain pppd[18191]: Script /etc/ppp/ip-up started (pid 18204)
Mar 06 15:11:58 centos.localdomain pppd[18191]: Script /etc/ppp/ip-up finished (pid 18204), status = 0x0
Mar 06 15:12:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:12:56 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:12:58 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:13:02 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:13:10 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:13:26 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:13:26 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Maximum retries exceeded for tunnel 37745.  Closing.
Mar 06 15:13:26 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Connection 5240 closed to 195.149.70.70, port 1701 (Timeout)
Mar 06 15:13:26 centos.localdomain pppd[18191]: Terminating on signal 15
Mar 06 15:13:26 centos.localdomain pppd[18191]: Connect time 1.5 minutes.
Mar 06 15:13:26 centos.localdomain pppd[18191]: Sent 161077 bytes, received 0 bytes.
Mar 06 15:13:26 centos.localdomain NetworkManager[3449]: <info>  [1551878006.7561] device (ppp0): state change: disconnected -> unmanaged (reason 'connection-assumed', sys-iface-state: 'external')
Mar 06 15:13:26 centos.localdomain pppd[18191]: Script /etc/ppp/ip-down started (pid 18208)
Mar 06 15:13:26 centos.localdomain pppd[18191]: Overriding mtu 1500 to 1400
Mar 06 15:13:26 centos.localdomain pppd[18191]: PPPoL2TP options: debugmask 0
Mar 06 15:13:26 centos.localdomain pppd[18191]: Overriding mru 1500 to mtu value 1400
Mar 06 15:13:26 centos.localdomain pppd[18191]: sent [LCP TermReq id=0x3 "User request"]
Mar 06 15:13:26 centos.localdomain pppd[18191]: Script /etc/ppp/ip-down finished (pid 18208), status = 0x0
Mar 06 15:13:27 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:13:29 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: network_thread: select timeout
Mar 06 15:13:29 centos.localdomain pppd[18191]: sent [LCP TermReq id=0x4 "User request"]
Mar 06 15:13:32 centos.localdomain pppd[18191]: Connection terminated.
Mar 06 15:13:32 centos.localdomain pppd[18191]: Modem hangup
Mar 06 15:13:32 centos.localdomain pppd[18191]: Exit.
/etc/ipsec.conf

Code:

config setup
        plutodebug="all crypt"
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        protostack=netkey

conn vpn-uz
        ikev2=never
        type=transport
        authby=secret
        pfs=no
        ike=aes128-sha1-modp1024
        esp=aes128-sha1
        left=%defaultroute
        leftprotoport=17/1701
        right=195.149.70.70
        rightprotoport=17/1701
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=yes
        ikelifetime=8h
        keylife=1h
/etc/xl2tpd/xl2tpd.conf

Code:

[global]
debug tunnel = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

[lac vpn-uz]
lns = 195.149.70.70
redial = yes
require chap = yes
require pap = no
require authentication = no
ppp debug = yes
pppoptfile = /etc/ppp/options.vpn-uz
autodial = no
/etc/ppp/options.vpn-uz

Code:

ipcp-accept-local
noccp
noauth
idle 1800
mtu 1400
mru 1400
nodefaultroute
debug
noproxyarp
usepeerdns
user mylogin
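Added example, not from this thread nor from Libreswan, xl2tpd or pppd: a small triage script that walks a journal like the one above layer by layer (IKE phase 1, IPsec SA, L2TP control connection, PPP authentication, IPCP) and names the first layer that did not complete, or, as in this post, a link where every layer came up but nothing ever came back. The sample lines are copied from the post; the stage names and the advice strings are my own.

```python
"""Triage an L2TP/IPsec client journal (pluto + xl2tpd + pppd): report the first
layer (IKE phase 1, IPsec SA, L2TP control, PPP auth, IPCP) that did not
complete, or a link that came up but never received data."""
import re

# Constructed sample: a condensed subset of the journal lines from the post.
SAMPLE_LOG = """\
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
Mar 06 15:11:35 centos.localdomain pluto[18137]: "vpn-uz" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xef0c6478 <0x53718d77 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=195.149.70.70:4500 DPD=active}
Mar 06 15:11:55 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Connection established to 195.149.70.70, 1701.  Local: 37745, Remote: 5240 (ref=0/0).
Mar 06 15:11:55 centos.localdomain pppd[18191]: CHAP authentication succeeded
Mar 06 15:11:58 centos.localdomain pppd[18191]: local  IP address 10.10.181.222
Mar 06 15:11:58 centos.localdomain pppd[18191]: remote IP address 195.149.70.70
Mar 06 15:13:26 centos.localdomain xl2tpd[18187]: xl2tpd[18187]: Maximum retries exceeded for tunnel 37745.  Closing.
Mar 06 15:13:26 centos.localdomain pppd[18191]: Sent 161077 bytes, received 0 bytes.
"""

# journald prefix: "Mar 06 15:11:35 host daemon[pid]: message"
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ (\w+)\[\d+\]: (.*)$")

# (key, daemon, pattern), in the order the layers are brought up.
EVENTS = [
    ("ike_sa",    "pluto",  r"ISAKMP SA established \{(.*)\}"),
    ("ipsec_sa",  "pluto",  r"IPsec SA established (\w+) mode"),
    ("l2tp_up",   "xl2tpd", r"Connection established to (\S+), (\d+)\.\s+Local: (\d+), Remote: (\d+)"),
    ("chap_ok",   "pppd",   r"CHAP authentication succeeded"),
    ("chap_fail", "pppd",   r"CHAP authentication failed"),
    ("local_ip",  "pppd",   r"local\s+IP address (\S+)"),
    ("remote_ip", "pppd",   r"remote IP address (\S+)"),
    ("l2tp_down", "xl2tpd", r"Maximum retries exceeded for tunnel (\d+)"),
    ("stats",     "pppd",   r"Sent (\d+) bytes, received (\d+) bytes"),
]

def parse_events(text):
    """Return {key: captured groups} for the first line matching each event."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        daemon, msg = m.groups()
        for key, want, pattern in EVENTS:
            hit = daemon == want and key not in found and re.search(pattern, msg)
            if hit:
                found[key] = hit.groups()
    return found

def diagnose(text):
    """Return (stage, explanation) for the first layer that did not complete."""
    ev = parse_events(text)
    if "ike_sa" not in ev:
        return "ike_phase1", "no ISAKMP SA: check PSK, ike= proposal, UDP/500 reachability"
    if "ipsec_sa" not in ev:
        return "ike_phase2", "ISAKMP SA up but no IPsec SA: check esp= and left/rightprotoport"
    if "l2tp_up" not in ev:
        return "l2tp_control", "IPsec SA up but no L2TP SCCRP: UDP/1701 not passing through the SA"
    if "chap_fail" in ev or "chap_ok" not in ev:
        return "ppp_auth", "L2TP tunnel up but PPP authentication did not succeed"
    if "local_ip" not in ev or "remote_ip" not in ev:
        return "ipcp", "PPP authenticated but IPCP never assigned addresses"
    sent, recv = (int(x) for x in ev.get("stats", ("0", "0")))
    if "l2tp_down" in ev or (sent > 0 and recv == 0):
        return "one_way", (f"all layers completed (local {ev['local_ip'][0]}, remote "
                           f"{ev['remote_ip'][0]}) but pppd received {recv} bytes and xl2tpd "
                           "timed out: check the pppd address options first, as the thread's fix did")
    return "ok", "link up and passing traffic in both directions"
```

Feed it the full `journalctl` output rather than the excerpt: only the first match per event is kept, so the earliest connection attempt in the log is the one diagnosed.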

poky
Posts: 108
Joined: 2013/03/27 12:18:03

Re: L2TP/IPSec connection does not working

Post by poky » 2019/03/07 16:52:51

I configured the L2TP/IPSec connection via the NetworkManager GUI.

yurybx
Posts: 8
Joined: 2019/03/05 13:09:37

Re: L2TP/IPSec connection does not working

Post by yurybx » 2019/03/08 11:06:07

Yesterday I found out that an error appears in the logs on the server side: IKE lost contact with remote peer, deleting connection. I also learned that the L2TP/IPSec server is a Cisco ASA 5550. Therefore, I wrote a post to the Cisco community, but have still not received a response. I'm at a dead end.

yurybx
Posts: 8
Joined: 2019/03/05 13:09:37

Re: L2TP/IPSec connection does not working

Post by yurybx » 2019/03/18 08:26:42

I did it!
I just added the line

Code:

:10.0.0.1
to /etc/ppp/options.vpn-uz, and it all worked!
