Unable to connect to work L2TP/IPSec VPN with ubuntu 12.04

Bug #999806 reported by bing on 2012-05-15
This bug affects 14 people
Affects: L2TP over IPsec VPN Manager
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello,

I just installed l2tp-ipsec-vpn 1.0.6-1, l2tp-ipsec-vpn-daemon 0.9.8-1, xl2tpd 1.3.1+dfsg-1, and ppp 2.4.5-5ubuntu1 in Ubuntu 12.04 amd64 and am unable to connect to my work L2TP/IPSec VPN.

Here are the logs from l2tp-ipsec-vpn, and they aren't too informative.

May 15 11:07:19.827 ipsec_setup: Stopping Openswan IPsec...
May 15 11:07:20.938 ipsec_setup: ERROR: Module xfrm4_mode_transport is in use
May 15 11:07:21.024 ipsec_setup: ERROR: Module esp4 is in use
May 15 11:07:21.221 Stopping xl2tpd: xl2tpd.
May 15 11:07:21.222 xl2tpd[2824]: death_handler: Fatal signal 15 received
May 15 11:07:21.223 pppd[2874]: Modem hangup
May 15 11:07:21.223 pppd[2874]: Connection terminated.
May 15 11:07:21.242 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-24-generic...
May 15 11:07:21.244 pppd[2874]: Exit.
May 15 11:07:21.445 ipsec__plutorun: Starting Pluto subsystem...
May 15 11:07:21.453 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
May 15 11:07:21.472 recvref[30]: Protocol not available
May 15 11:07:21.472 xl2tpd[3447]: This binary does not support kernel L2TP.
May 15 11:07:21.472 xl2tpd[3450]: xl2tpd version xl2tpd-1.3.1 started on biho-ThinkPad-W700 PID:3450
May 15 11:07:21.472 xl2tpd[3450]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 15 11:07:21.473 xl2tpd[3450]: Forked by Scott Balmos and David Stipp, (C) 2001
May 15 11:07:21.474 xl2tpd[3450]: Inherited by Jeff McAdams, (C) 2002
May 15 11:07:21.474 xl2tpd[3450]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 15 11:07:21.474 xl2tpd[3450]: Listening on IP address 0.0.0.0, port 1701
May 15 11:07:21.474 Starting xl2tpd: xl2tpd.
May 15 11:07:21.514 ipsec__plutorun: 002 added connection description "VPN"
May 15 11:07:21.561 104 "VPN" #1: STATE_MAIN_I1: initiate
May 15 11:07:21.562 003 "VPN" #1: received Vendor ID payload [RFC 3947] method set to=109
May 15 11:07:21.562 003 "VPN" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
May 15 11:07:21.562 106 "VPN" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 15 11:07:21.562 003 "VPN" #1: received Vendor ID payload [Cisco-Unity]
May 15 11:07:21.563 003 "VPN" #1: received Vendor ID payload [XAUTH]
May 15 11:07:21.563 003 "VPN" #1: ignoring unknown Vendor ID payload [3a15d9c7957f87ca797bfda12a778ce3]
May 15 11:07:21.563 003 "VPN" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
May 15 11:07:21.563 003 "VPN" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
May 15 11:07:21.564 108 "VPN" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 15 11:07:21.564 003 "VPN" #1: received Vendor ID payload [Dead Peer Detection]
May 15 11:07:21.564 004 "VPN" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
May 15 11:07:21.564 117 "VPN" #2: STATE_QUICK_I1: initiate
May 15 11:07:21.565 003 "VPN" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
May 15 11:07:21.565 003 "VPN" #2: our client subnet returned doesn't match my proposal - us:10.xxx.xxx.xxx/32 vs them:xxx.xxx.xxx.xxx/32
May 15 11:07:21.565 003 "VPN" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
May 15 11:07:21.565 003 "VPN" #2: our client peer returned port doesn't match my proposal - us:1701 vs them:0
May 15 11:07:21.566 003 "VPN" #2: Allowing bad L2TP/IPsec proposal (see bug #849) anyway
May 15 11:07:21.566 004 "VPN" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x39cc0ba5 <0x0d4c7c1e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
May 15 11:07:21.568 xl2tpd[3450]: Connecting to host vpn.xxx.xxx, port 1701
May 15 11:07:22.571 xl2tpd[3450]: Connection established to xxx.xxx.xxx.xxx, 1701. Local: 19495, Remote: 64 (ref=0/0).
May 15 11:07:22.571 xl2tpd[3450]: Calling on tunnel 19495
May 15 11:07:22.572 xl2tpd[3450]: Call established with xxx.xxx.xxx.xxx, Local: 61127, Remote: 64, Serial: 1 (ref=0/0)
May 15 11:07:22.576 xl2tpd[3450]: start_pppd: I'm running:
May 15 11:07:22.577 xl2tpd[3450]: "/usr/sbin/pppd"
May 15 11:07:22.578 xl2tpd[3450]: "passive"
May 15 11:07:22.581 xl2tpd[3450]: "nodetach"
May 15 11:07:22.581 xl2tpd[3450]: ":"
May 15 11:07:22.581 xl2tpd[3450]: "file"
May 15 11:07:22.582 xl2tpd[3450]: "/etc/ppp/xxx.options.xl2tpd"
May 15 11:07:22.582 xl2tpd[3450]: "ipparam"
May 15 11:07:22.582 xl2tpd[3450]: "xxx.xxx.xxx.xxx"
May 15 11:07:22.582 xl2tpd[3450]: "/dev/pts/0"
May 15 11:07:22.583 pppd[3491]: Plugin passprompt.so loaded.
May 15 11:07:22.583 pppd[3491]: pppd 2.4.5 started by root, uid 0
May 15 11:07:22.583 pppd[3491]: Using interface ppp0
May 15 11:07:22.583 pppd[3491]: Connect: ppp0 <--> /dev/pts/0

Just a note. I have a personal laptop and a work laptop; both were on Kubuntu 12.04, and both were recently updated to 12.10. I still get this issue myself on my home laptop, but my work laptop has always been able to connect fine. The only difference between them which really seems to be of significance is that the work laptop is a 32-bit architecture while the home laptop (which is the one experiencing this) is an amd64 architecture. Following is the last snippet of log which I get on my home machine, which the above doesn't show.

Oct 21 21:51:26 [hostname] NetworkManager[1308]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Oct 21 21:51:26 [hostname] NetworkManager[1308]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Oct 21 21:51:26 [hostname] NetworkManager[1308]: <warn> /sys/devices/virtual/net/ppp0: couldn't determine device driver; ignoring...
Oct 21 21:51:30 [hostname] xl2tpd[12431]: control_finish: Connection closed to [target IP], port 1701 (No Error), Local: 33088, Remote: 208
Oct 21 21:51:30 [hostname] xl2tpd[12431]: Terminating pppd: sending TERM signal to pid 12480
Oct 21 21:51:30 [hostname] pppd[12480]: Terminating on signal 15
Oct 21 21:51:30 [hostname] pppd[12480]: Modem hangup
Oct 21 21:51:30 [hostname] pppd[12480]: Connection terminated.
Oct 21 21:51:30 [hostname] NetworkManager[1308]: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Oct 21 21:51:30 [hostname] pppd[12480]: Exit.
Oct 21 21:54:43 [hostname] kernel: Kernel logging (proc) stopped.
Oct 21 21:54:43 [hostname] rsyslogd: [origin software="rsyslogd" swVersion="5.8.6" x-pid="9563" x-info="http://www.rsyslog.com"] exiting on signal 15.

Nothing really helpful here either, but who knows. Only thing I've noticed is that this is an amd64 issue which doesn't happen on my x86 machine with identical connection configuration and visually compared identical configuration files.

Another note, found a post online (don't remember where) which said adding a 'password "secret"' line to the /etc/ppp/<connectionname>.options.l2tpd file just under the name line (secret being the password to authenticate to the vpn) allowed it to work.

I've confirmed that this is the case. When the line is in the config file the connection works; without it, it fails. This isn't very secure since the password is stored in plain text in this workaround, but hopefully it will help determine where the actual problem lies.

Following is the scrubbed config file I'm successfully connecting with on my amd64 platform:

# /etc/ppp/<connectionName>.options.xl2tpd - Options used by PPP when a connection is made by an L2TP daemon
# $Id$

# Manual: PPPD(8)

# Created: Mon Oct 22 10:27:44 2012
# by: The L2TP IPsec VPN Manager application version 1.0.9
#
# WARNING! All changes made in this file will be lost!

#debug
#dump
#record /var/log/pppd

plugin passprompt.so
ipcp-accept-local
ipcp-accept-remote
idle 72000
ktune
noproxyarp
asyncmap 0
noauth
crtscts
lock
hide-password
modem
noipx

ipparam L2tpIPsecVpn-<connectionName>

promptprog "/usr/bin/L2tpIPsecVpn"

refuse-eap
refuse-pap
refuse-chap
refuse-mschap

remotename ""
name "<username>"
password "<secret>"

usepeerdns
nobsdcomp
nodeflate
novj

Thanks for your notes.
I have the same issue with ubuntu 12.10 quantal.
The password "<secret>" workaround worked for quantal.

ubu (ksubins321) wrote :

Hi all,

Any updates on this bug? I'm still using the l2tp client on my Ubuntu 14.04 and it breaks with the same issue. Adding "password" in clear text fixes it, but it's not the best way.
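
The workaround discussed in this report leaves a VPN credential in a pppd options file. As an added example (not part of the original report and not code from the L2TP IPsec VPN Manager project), the shell functions below list option files that carry an active password directive and flag those readable by group or others, without printing the secret. The function names and output labels are hypothetical; the /etc/ppp location and the *.options.xl2tpd naming are taken from the log and config header quoted above.

```shell
#!/bin/sh
# Added example: audit pppd option files for the cleartext-password workaround.
# Assumption: option files sit in one directory and are named
# <connectionName>.options.xl2tpd, as in the quoted config header.

# has_cleartext_password FILE
# Succeeds if FILE has an active (uncommented) "password" directive.
# Anchoring at line start keeps "hide-password" and "#password" from matching.
has_cleartext_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]+[^[:space:]]' "$1"
}

# readable_by_others FILE
# Succeeds if group or other has read permission on FILE.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# audit_ppp_options [DIR]
# Prints one line per finding; the password value itself is never printed.
#   EXPOSED   = cleartext password and file readable by group/other
#   CLEARTEXT = cleartext password, file readable by owner only
audit_ppp_options() {
    dir=${1:-/etc/ppp}
    for f in "$dir"/*.options.xl2tpd; do
        [ -f "$f" ] || continue
        has_cleartext_password "$f" || continue
        if readable_by_others "$f"; then
            echo "EXPOSED $f"
        else
            echo "CLEARTEXT $f"
        fi
    done
}
```

Run audit_ppp_options as root against /etc/ppp; because the generated file header warns that manual changes are lost, re-run it after the VPN manager rewrites its configuration.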
