linux - Unable to connect to L2TP VPN
2014-04
I've been trying to set up a L2TP/IPSec server on my Ubuntu install using this guide.
While trying to connect I ran sudo tail -f /var/log/auth.log
, the output of which is below:
Feb 8 10:35:41 prometheus pluto[6167]: "L2TP-PSK-noNAT"[20] [my ip] #20: responding to Main Mode from unknown peer [my ip]
Feb 8 10:35:41 prometheus pluto[6167]: "L2TP-PSK-noNAT"[20] [my ip] #20: Can't authenticate: no preshared key found for `[server ip]' and `%any'. Attribute OAKLEY_AUTHENTICATION_METHOD
Feb 8 10:35:41 pluto[6167]: last message repeated 5 times
Feb 8 10:35:41 prometheus pluto[6167]: "L2TP-PSK-noNAT"[20] [my ip] #20: no acceptable Oakley Transform
Feb 8 10:35:41 prometheus pluto[6167]: "L2TP-PSK-noNAT"[20] [my ip] #20: sending notification NO_PROPOSAL_CHOSEN to [my ip]:500
Feb 8 10:35:41 prometheus pluto[6167]: "L2TP-PSK-noNAT"[20] [my ip]: deleting connection "L2TP-PSK-noNAT" instance with peer [my ip] {isakmp=#0/ipsec=#0}
/etc/ipsec.conf
version 2.0
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
keep_alive=10
include /etc/ipsec.d/*.conf
/etc/ipsec.d/road-warrior.conf
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=[server ip]
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
/etc/ipsec.d/road-warrior.secrets
[server ip] %any: PSK "psk"
Output of ipsec verify
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.12.9-x86_64-linode37 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
[lns default]
ip range = 10.10.10.2-10.10.10.200
local ip = 10.10.10.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 4.2.2.1
ms-dns 4.2.2.2
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
user1 l2tpd user1password *
user2 l2tpd user2password *
Can anyone help?
I'm trying to connect to my corporate VPN using a laptop running Ubuntu 10.04. It's a company laptop but as I have chosen to run Linux rather than "a proper" OS, I'm mostly on-my-own as far as getting these things working. Normally that's OK because I am almost always successful - except this problem has had me stumped for several weeks now.
The problem is that I am unable to access the VPN from my home network. I am using the Gnome Network Manager interface to configure the PPTP connection but no matter what combination of options, domain\username formats, encryption options or authentication methods I select, I get the exact same behaviour, which is essentially a 10-second wait, and then a failure message.
I checked /var/log/daemon.log:
Aug 15 22:27:46 pc770-ubu NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.pptp'...
Aug 15 22:27:46 pc770-ubu NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.pptp' started (org.freedesktop.NetworkManager.pptp), PID 4595
Aug 15 22:27:46 pc770-ubu NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.pptp' just appeared, activating connections
Aug 15 22:27:50 pc770-ubu NetworkManager: <info> VPN plugin state changed: 3
Aug 15 22:27:50 pc770-ubu NetworkManager: <info> VPN connection 'VPN' (Connect) reply received.
Aug 15 22:27:50 pc770-ubu NetworkManager: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Aug 15 22:27:50 pc770-ubu NetworkManager: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Aug 15 22:27:50 pc770-ubu pptp[4602]: nm-pptp-service-4595 log[main:pptp.c:314]: The synchronous pptp option is NOT activated
Aug 15 22:27:50 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Aug 15 22:27:50 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Aug 15 22:27:50 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Aug 15 22:27:51 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Aug 15 22:27:51 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
Aug 15 22:27:51 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 17382).
[ ** TEN SECOND DELAY ** ]
Aug 15 22:28:21 pc770-ubu NetworkManager: <info> VPN plugin failed: 1
Aug 15 22:28:21 pc770-ubu NetworkManager: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Aug 15 22:28:21 pc770-ubu pptp[4602]: nm-pptp-service-4595 warn[decaps_hdlc:pptp_gre.c:204]: short read (-1): Input/output error
Aug 15 22:28:21 pc770-ubu pptp[4602]: nm-pptp-service-4595 warn[decaps_hdlc:pptp_gre.c:216]: pppd may have shutdown, see pppd log
Aug 15 22:28:21 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[callmgr_main:pptp_callmgr.c:234]: Closing connection (unhandled)
Aug 15 22:28:21 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 12 'Call-Clear-Request'
Aug 15 22:28:21 pc770-ubu pptp[4609]: nm-pptp-service-4595 log[call_callback:pptp_callmgr.c:79]: Closing connection (call state)
Aug 15 22:28:21 pc770-ubu NetworkManager: <info> VPN plugin failed: 1
Aug 15 22:28:21 pc770-ubu NetworkManager: <info> VPN plugin failed: 1
Aug 15 22:28:21 pc770-ubu NetworkManager: <info> VPN plugin state changed: 6
Aug 15 22:28:21 pc770-ubu NetworkManager: <info> VPN plugin state change reason: 0
Aug 15 22:28:21 pc770-ubu NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
Aug 15 22:28:34 pc770-ubu NetworkManager: <debug> [1281868114.002900] ensure_killed(): waiting for vpn service pid 4595 to exit
Aug 15 22:28:34 pc770-ubu NetworkManager: <debug> [1281868114.002975] ensure_killed(): vpn service pid 4595 cleaned up
I was unable to determine how to enable extra debugging info in this log, so instead I manually created a very similar config for pppd and then started this with 'pon' (I've also verified that this manual configuration does connect to the VPN when I'm inside the corporate firewall):
$ sudo pon vpn debug dump logfd 2 nodetach
pppd options in effect:
debug # (from command line)
nodetach # (from command line)
logfd 2 # (from command line)
linkname vpn # (from /etc/ppp/peers/vpn)
dump # (from command line)
noauth # (from /etc/ppp/options.pptp)
refuse-pap # (from /etc/ppp/options.pptp)
refuse-chap # (from /etc/ppp/options.pptp)
refuse-mschap # (from /etc/ppp/options.pptp)
refuse-eap # (from /etc/ppp/options.pptp)
name gnet\\dantliff # (from /etc/ppp/peers/vpn)
remotename vpn # (from /etc/ppp/peers/vpn)
# (from /etc/ppp/options.pptp)
pty pptp ***.***.***.*** --nolaunchpppd # (from /etc/ppp/peers/vpn)
crtscts # (from /etc/ppp/options)
# (from /etc/ppp/options)
asyncmap 0 # (from /etc/ppp/options)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/options)
ipparam vpn # (from /etc/ppp/peers/vpn)
proxyarp # (from /etc/ppp/options)
usepeerdns # (from /etc/ppp/peers/vpn)
nobsdcomp # (from /etc/ppp/options.pptp)
nodeflate # (from /etc/ppp/options.pptp)
require-mppe # (from /etc/ppp/peers/vpn)
noipx # (from /etc/ppp/options)
using channel 7
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x78e7bd1c> <pcomp> <accomp>]
LCP: timeout sending Config-Requests
Connection terminated.
Modem hangup
Waiting for 1 child processes...
script pptp ***.***.***.*** --nolaunchpppd , pid 4631
Script pptp ***.***.***.*** --nolaunchpppd finished (pid 4631), status = 0x0
I ran Wireshark to watch the traffic and it seems that no LCP replies are coming back to the client.
A bit more info:
the laptop is connecting to the Internet via a WiFi access point (bridge mode), then an ADSL router. PPTP pass-through is enabled on the ADSL router and Access Point.
if I connect the laptop to the ADSL with an ethernet cable (to eliminate the WiFi), there is no improvement.
another laptop (running Mac OSX) is able to connect to the VPN, via WiFi or cable.
another client, Windows7, is able to connect to the VPN via cable.
an iPhone is able to connect to the VPN via WiFi.
this laptop is able to connect to the VPN from inside the corporate firewall.
So I've got three other devices that are able to connect to the target PPTP VPN, and a laptop that can't, except when I move the laptop inside the target network, it can connect.
Any ideas what else I can try? I've tried methodically selecting various VPN options with no change in result. I've also read several Ubuntu Forum posts suggesting turning off EAP and that doesn't help either. I'm now at a loss how to fix this, and what will happen next is I'll be told by Management "we told you so", drop Linux and switch to a "proper" OS like Windows instead, which I really don't want to do.
Never found a solution - switched to OpenVPN instead and that works fine.
I was experiencing the same problem and I think I have it solved. I had checked off "Use this connection only for resources on its network" (click Routes on the IPv4 Settings tab). Once I removed this option, my connection was able to tunnel into my VPN. My settings are as follows in the PPTP Advanced Options screen... All authentication options unchecked with the exception of MSCHAPv2.
MSCHAPv2 - not checked *
MPPE - checked *
Security - All Available *
Allow stateful encryption - not checked *
The following 3 options - checked *
ECHO packets - not checked *
I hope that ends up working for you and that you are able to keep your Ubuntu installation!
Rob
I'm running Ubuntu 10.04, I have setup 2 VPN connections one to my office and on to my client's office. The connection to my office don't work but the connection to my Client's office does.
I believe the problem is on the Microsoft Server.
You should adjust your configuration like this
I concluded that the cause of this problem is the network I am connected to, rather than anything in my own laptop or the workplace VPN. (AirPort Wi-Fi dropping VPN-related packets? Ugh!)
This post and my own observations support this conclusion.
Finally I realized that I had checked the GRE/PPTP box under Tracking/NAT helpers (in Tomato WebGUI, go to Advanced->Conntrack/Netfilter, then scroll down to Tracking/NAT helpers) but the default state was unchecked.
So I unchecked it, and VPN started working again!
I have the same issues with my company laptop. I've been using Debian Lenny for about a year. I get around those Linux limitations by running Microsoft Windows in a VirtualBox VM. I can VPN into our corporate office inside the VM. That lets me access the corporate network from inside the VM, but not from the Linux host.