I have tried both the command-line and graphical ways to connect to an l2tp-ipsec VPN server.
Here is my ipsec verify output.
[jay@alienware ~]$ ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U/K4.6.2-1-ARCH (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/enp59s0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/wlp60s0/rp_filter [ENABLED]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
It seems that some features of ipsec are not working; should I be worried about it?
First I exactly followed the wiki.
When I run ipsec auto --up cci, I get this:
[jay@alienware ~]$ sudo ipsec auto --up cci
[sudo] password for jay:
002 "cci" #1: initiating Main Mode
105 "cci" #1: STATE_MAIN_I1: initiate
003 "cci" #1: received Vendor ID payload [RFC 3947] method set to=115
003 "cci" #1: received Vendor ID payload [Dead Peer Detection]
002 "cci" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "cci" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
107 "cci" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cci" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
002 "cci" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
109 "cci" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "cci" #1: received Vendor ID payload [Dead Peer Detection]
002 "cci" #1: Main mode peer ID is ID_IPV4_ADDR: '12.251.10.38'
002 "cci" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "cci" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "cci" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:8e145ef4 proposal=defaults pfsgroup=no-pfs}
118 "cci" #2: STATE_QUICK_I1: initiate
002 "cci" #2: byte 7 of ISAKMP NAT-OA Payload should have been zero, but was not
002 "cci" #2: byte 8 of ISAKMP NAT-OA Payload should have been zero, but was not
002 "cci" #2: byte 7 of ISAKMP NAT-OA Payload should have been zero, but was not
002 "cci" #2: byte 8 of ISAKMP NAT-OA Payload should have been zero, but was not
003 "cci" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
002 "cci" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "cci" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0772780d <0x6e1154bc xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
But when I do ip link, I cannot see an interface for ppp:
[root@alienware jay]# echo "c cci" > /var/run/xl2tpd/l2tp-control
[root@alienware jay]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp59s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 84:7b:eb:3a:38:26 brd ff:ff:ff:ff:ff:ff
3: wlp60s0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether 9c:b6:d0:0d:75:53 brd ff:ff:ff:ff:ff:ff
Here is systemctl status for openswan and xl2tpd:
[root@alienware jay]# systemctl status openswan.service
● openswan.service - Openswan daemon
Loaded: loaded (/usr/lib/systemd/system/openswan.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2016-06-19 21:03:39 IST; 8min ago
Process: 1856 ExecStart=/usr/lib/systemd/scripts/ipsec --start (code=exited, status=0/SUCCESS)
Tasks: 13 (limit: 512)
CGroup: /system.slice/openswan.service
├─2175 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack auto --force_keepalive no --disable_p
├─2176 logger -s -p daemon error -t ipsec__plutorun
├─2177 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack auto --force_keepalive no --disable_p
├─2178 /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
├─2181 /usr/lib/openswan/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0
├─2183 _pluto_adns -- <idle>
├─2184 /usr/lib/openswan/pluto -- pluto helper # 0
├─2185 /usr/lib/openswan/pluto -- pluto helper # 1
├─2186 /usr/lib/openswan/pluto -- pluto helper # 2
├─2187 /usr/lib/openswan/pluto -- pluto helper # 3
├─2188 /usr/lib/openswan/pluto -- pluto helper # 4
├─2189 /usr/lib/openswan/pluto -- pluto helper # 5
└─2190 /usr/lib/openswan/pluto -- pluto helper # 6
Jun 19 21:07:37 alienware pluto[2181]: "cci" #2: byte 8 of ISAKMP NAT-OA Payload should have been zero, but was not
Jun 19 21:07:37 alienware pluto[2181]: "cci" #2: byte 7 of ISAKMP NAT-OA Payload should have been zero, but was not
Jun 19 21:07:37 alienware pluto[2181]: "cci" #2: byte 8 of ISAKMP NAT-OA Payload should have been zero, but was not
Jun 19 21:07:37 alienware pluto[2181]: "cci" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
Jun 19 21:07:37 alienware pluto[2181]: | creating SPD to 12.251.10.38->spi=00010000@192.168.0.100 proto=4
Jun 19 21:07:37 alienware pluto[2181]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Jun 19 21:07:37 alienware pluto[2181]: | creating SPD to 192.168.0.100->spi=0772780d@12.251.10.38 proto=50
Jun 19 21:07:37 alienware pluto[2181]: | warning: NETKEY/XFRM in transport mode accepts ALL encrypted protoport packets between the hosts in violation of RFC 4301, Section 5.2
Jun 19 21:07:37 alienware pluto[2181]: "cci" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 19 21:07:37 alienware pluto[2181]: "cci" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0772780d <0x6e1154bc xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root@alienware jay]# systemctl status xl2tpd.service
● xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2016-06-19 21:07:07 IST; 6min ago
Main PID: 2344 (xl2tpd)
Tasks: 1 (limit: 512)
CGroup: /system.slice/xl2tpd.service
└─2344 /usr/bin/xl2tpd -D
Jun 19 21:08:19 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:22 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:25 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:28 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:31 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:34 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:37 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:40 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:08:43 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:10:18 alienware xl2tpd[2344]: xl2tpd[2344]: Session 'cci' already active!
Later I tried the GUI way with the help of NetworkManager,
which also failed with the following notification:
Activation of network connection failed
[root@alienware jay]# systemctl status NetworkManager
● NetworkManager.service - Network Manager
Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2016-06-19 20:54:22 IST; 22min ago
Main PID: 1660 (NetworkManager)
Tasks: 3 (limit: 512)
CGroup: /system.slice/NetworkManager.service
└─1660 /usr/bin/NetworkManager --no-daemon
Jun 19 21:16:05 alienware NetworkManager[1660]: ** (nm-l2tp-service:2475): WARNING **: Looks like pppd didn't initialize our dbus module
Jun 19 21:16:05 alienware NetworkManager[1660]: ** Message: Terminated xl2tpd daemon with PID 2485.
Jun 19 21:16:05 alienware NetworkManager[1660]: xl2tpd[2485]: death_handler: Fatal signal 15 received
Jun 19 21:16:05 alienware NetworkManager[1660]: xl2tpd[2485]: Connection 0 closed to 12.251.10.38, port 1701 (Server closing)
Jun 19 21:16:05 alienware NetworkManager[1660]: <warn> [1466351165.4341] vpn-connection[0x1ee15b0,5d7fab9e-0953-4014-a77c-a9b0d3167a5f,"cci",0]: VPN plugin: failed: (7) (7)
Jun 19 21:16:05 alienware NetworkManager[1660]: <warn> [1466351165.4342] vpn-connection[0x1ee15b0,5d7fab9e-0953-4014-a77c-a9b0d3167a5f,"cci",0]: VPN plugin: failed: connect-failed (1)
Jun 19 21:16:05 alienware NetworkManager[1660]: <info> [1466351165.4343] vpn-connection[0x1ee15b0,5d7fab9e-0953-4014-a77c-a9b0d3167a5f,"cci",0]: VPN plugin: state changed: stopping (5)
Jun 19 21:16:05 alienware NetworkManager[1660]: <info> [1466351165.4347] vpn-connection[0x1ee15b0,5d7fab9e-0953-4014-a77c-a9b0d3167a5f,"cci",0]: VPN plugin: state changed: stopped (6)
Jun 19 21:16:05 alienware NetworkManager[1660]: <info> [1466351165.4365] vpn-connection[0x1ee15b0,5d7fab9e-0953-4014-a77c-a9b0d3167a5f,"cci",0]: VPN plugin: state change reason: unknown (0)
Jun 19 21:16:05 alienware NetworkManager[1660]: <info> [1466351165.4384] vpn-connection[0x1ee15b0,5d7fab9e-0953-4014-a77c-a9b0d3167a5f,"cci",0]: VPN service disappeared
Last edited by jayendra (2016-06-21 05:29:30)
Today I got a different error for NetworkManager:
[jay@alienware ~]$ sudo systemctl status NetworkManager
● NetworkManager.service - Network Manager
Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2016-06-20 07:38:26 IST; 4min 16s ago
Main PID: 1680 (NetworkManager)
CGroup: /system.slice/NetworkManager.service
└─1680 /usr/bin/NetworkManager --no-daemon
Jun 20 07:42:33 alienware NetworkManager[1680]: <info> [1466388753.6104] vpn-connection[0x27d4200,803d4cf2-1154-473b-b0d4-a0c888b7c32e,"cci",0]: Started the VPN service, PID 1811
Jun 20 07:42:33 alienware NetworkManager[1680]: <info> [1466388753.6245] vpn-connection[0x27d4200,803d4cf2-1154-473b-b0d4-a0c888b7c32e,"cci",0]: Saw the service appear; activating connection
Jun 20 07:42:33 alienware NetworkManager[1680]: <info> [1466388753.7061] vpn-connection[0x27d4200,803d4cf2-1154-473b-b0d4-a0c888b7c32e,"cci",0]: VPN connection: (ConnectInteractive) reply received
Jun 20 07:42:33 alienware NetworkManager[1680]: ** Message: ipsec enable flag: yes
Jun 20 07:42:33 alienware NetworkManager[1680]: ** Message: Check port 1701
Jun 20 07:42:33 alienware NetworkManager[1680]: ** Message: starting ipsec
Jun 20 07:42:33 alienware NetworkManager[1680]: /sbin/ipsec: unknown IPsec command `restart' (`ipsec --help' for list)
Jun 20 07:42:33 alienware NetworkManager[1680]: <warn> [1466388753.7320] vpn-connection[0x27d4200,803d4cf2-1154-473b-b0d4-a0c888b7c32e,"cci",0]: VPN connection: failed to connect: 'Could not restart the ipsec s
Jun 20 07:42:33 alienware NetworkManager[1680]: <info> [1466388753.7329] vpn-connection[0x27d4200,803d4cf2-1154-473b-b0d4-a0c888b7c32e,"cci",0]: VPN plugin: state changed: stopped (6)
Jun 20 07:42:33 alienware NetworkManager[1680]: <info> [1466388753.7337] vpn-connection[0x27d4200,803d4cf2-1154-473b-b0d4-a0c888b7c32e,"cci",0]: VPN service disappeared
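Read together, the two posts above show the IPsec layer negotiating both SAs while the failure sits one layer up, in L2TP/PPP (first post) or in the plugin's ipsec restart call (second post). The triage script below is an added example, not from the thread nor from openswan, xl2tpd or NetworkManager: it classifies such output by the first layer that failed and also flags the 3DES/modp1024 parameters visible in the negotiation. The check names are our own and the sample lines are constructed here, modelled on the messages in the thread.

```python
import re

# Constructed sample, assembled from the kinds of lines the two posts above show
# (pluto's "ipsec auto --up" output, the xl2tpd journal and NetworkManager's journal).
SAMPLE_LOG = """\
004 "cci" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "cci" #2: byte 7 of ISAKMP NAT-OA Payload should have been zero, but was not
004 "cci" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0772780d <0x6e1154bc xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 19 21:08:19 alienware xl2tpd[2344]: xl2tpd[2344]: write_packet: tty is not open yet.
Jun 19 21:16:05 alienware NetworkManager[1660]: ** (nm-l2tp-service:2475): WARNING **: Looks like pppd didn't initialize our dbus module
"""

# Each check is a name (ours) and a pattern taken from the daemon's message text.
CHECKS = [
    ("ike_sa", re.compile(r"ISAKMP SA established")),           # phase 1 (Main Mode) done
    ("ipsec_sa", re.compile(r"IPsec SA established")),          # phase 2 (Quick Mode) done
    ("nat_oa_warning", re.compile(r"NAT-OA Payload should have been zero")),
    ("legacy_crypto", re.compile(r"3des|modp1024", re.I)),      # 3DES / 1024-bit DH negotiated
    ("ppp_tty_missing", re.compile(r"tty is not open yet")),    # xl2tpd never got a pppd tty
    ("pppd_dbus_missing", re.compile(r"pppd didn't initialize our dbus module")),
    ("ipsec_restart_unknown", re.compile(r"unknown IPsec command `restart'")),
]

def scan(log_text):
    """Return a dict of check name -> whether any line matched it."""
    found = {name: False for name, _ in CHECKS}
    for line in log_text.splitlines():
        for name, rx in CHECKS:
            if rx.search(line):
                found[name] = True
    return found

def diagnose(found):
    """Name the first layer that failed, checking from the bottom of the stack up."""
    if found["ipsec_restart_unknown"]:
        return "ipsec-cli"      # the VPN plugin invoked a subcommand this ipsec build lacks
    if not found["ike_sa"]:
        return "ike-phase1"     # never reached STATE_MAIN_I4
    if not found["ipsec_sa"]:
        return "ike-phase2"     # ISAKMP SA up, but no ESP SA
    if found["ppp_tty_missing"] or found["pppd_dbus_missing"]:
        return "l2tp-ppp"       # tunnel encrypted fine; L2TP/PPP never came up
    return "ok"

if __name__ == "__main__":
    flags = scan(SAMPLE_LOG)
    print(diagnose(flags), sorted(k for k, v in flags.items() if v))
```

Feed it `journalctl -u xl2tpd -u NetworkManager` output together with the `ipsec auto --up` transcript; the `legacy_crypto` flag is informational and does not affect the verdict.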
Switching to libreswan from openswan solved my issue.