How to fix these xl2tpd errors?

Nemesis

How to fix these xl2tpd errors? How to fix these xl2tpd errors? l2tp/ipsec connection. I use xl2tpd along with strongswan. Strongswan is rising, everything is ok. I see myself connected to the gateway via ipsec. Further xl2tpd, I receive errors.

Ubuntu 20.04 Server/Vpn gateway zyxel l2tp over ipsec/strongswan/xl2tpd

Jan 31 06:38:52 user xl2tpd[1087]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Jan 31 06:38:52 user xl2tpd[1087]: Not looking for kernel SAref support.
Jan 31 06:38:52 user xl2tpd[1087]: Not looking for kernel support.
Jan 31 06:38:52 user xl2tpd[1079]: Starting xl2tpd: xl2tpd.
Jan 31 06:38:52 user xl2tpd[1088]: xl2tpd version xl2tpd-1.3.12 started on user PID:1088
Jan 31 06:38:52 user xl2tpd[1088]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 31 06:38:52 user xl2tpd[1088]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 31 06:38:52 user xl2tpd[1088]: Inherited by Jeff McAdams, (C) 2002
Jan 31 06:38:52 user xl2tpd[1088]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jan 31 06:38:52 user xl2tpd[1088]: Listening on IP address 0.0.0.0, port 1701
Jan 31 06:38:52 user xl2tpd[1088]: get_call: allocating new tunnel for host 111.111.111.111, port 1701.
Jan 31 06:38:52 user xl2tpd[1088]: Connecting to host 111.111.111.111, port 1701
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: sending SCCRQ
Jan 31 06:38:52 user xl2tpd[1088]: network_thread: recv packet from 111.111.111.111, size=77, tunnel=9959, call=0 ref=0 refhim=0
Jan 31 06:38:52 user xl2tpd[1088]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
Jan 31 06:38:52 user xl2tpd[1088]: assigned_tunnel_avp: using peer's tunnel 51533
Jan 31 06:38:52 user xl2tpd[1088]: result_code_avp: peer closing for reason 2 (General error--Error Code indicates the problem), error = 6 (No IPSec protection for the L2TP tunnel)
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: message type is Stop-Control-Connection-Notification(4). Tunnel is 0, call is 0.
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: Connection closed to 111.111.111.111, port 1701 (No IPSec protection for the L2TP tunnel), Local: 9959, Remote: 51533
Jan 31 06:38:52 user xl2tpd[1088]: build_fdset: closing down tunnel 9959
Jan 31 06:38:52 user xl2tpd[1088]: Will redial in 5 seconds

Zyxel_Tobias

Hi Nemesis,

did you open Port 1701 UDP in WAN to ZyWALL rule, this is may need for User Auth Level?

Regards,

Tobias

Nemesis

Hi Tobias. Yes, port 1701 is specified in Configuration-Object-Service. I have previously made connections to the L2TPoverIPsec tunnel through the standard Win10 and Ubuntu 20.04 cores through the GUI. Everything works, everything is ok. But running L2TPoverIPsec on Ubuntu server 20.04 (without GUI) fails.

Zyxel_Tobias

Hi @Nemesis,

please check out this article if it helps to double-check config:

https://support.zyxel.eu/hc/en-us/articles/360004131900-L2TP-on-Linux-Ubuntu-setup

If it still fails, please leave a comment under this article and our Support will be in touch with you for investigation.

Regards,
Tobias

Nemesis

Hi Tobias. The article is suitable for connecting via the GUI. I used this article to connect Ubuntu 20.04, everything works, everything is ok. At the moment I need to make a non-GUI connection for Ubuntu Server 20.04. Therefore, the article does not fit the solution of my question.

jasailafan

@Nemesis

Here is a document from zyxel support agent last year. See "Set up the Host to Network VPN Tunnel on the Ubuntu 18.04" for the commands on Ubuntu. 

Vernon

When you troubleshoot L2TP/IPSec connections, it's useful to understand how an L2TP/IPSec connection proceeds. When you start the connection, an initial L2TP packet is sent to the server, requesting a connection. This packet causes the IPSec layer on your computer to negotiate with the VPN server to set up an IPSec protected session (a security association). Depending on many factors including link speed, the IPSec negotiations may take from a few seconds to around two minutes. When an IPSec security association (SA) has been established, the L2TP session starts. When it starts, you receive a prompt for your name and password (unless the connection has been set up to connect automatically in Windows Millennium Edition.) If the VPN server accepts your name and password, the session setup completes.

WJS

Here are CentOS (without GUI) L2TP over IPsec post before. 
https://community.zyxel.com/en/discussion/comment/37356#Comment_37356
Maybe you can try that.

Zyxel_Cooldia

Hi @Nemesis,
It works in my lab Ubuntu 20.04. Tunnel can build up without issue.
You can follow cfg below to setup on Ubuntu.

~~~~~~~~~~~~~~~~~~/etc/ipsec.conf~~~~~~~~~~~~~~~~~~~~~~~~~~~~

root@lab:/etc# cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default

    ikelifetime=60m

    keylife=20m

    rekeymargin=3m

    keyingtries=1

    keyexchange=ikev1

    authby=secret

    ike=3des-sha1-modp1024!

    esp=3des-sha1-modp1024!

conn L2TP-PSK

    keyexchange=ikev1

    left=%defaultroute

    auto=add

    authby=secret

    type=transport

    leftprotoport=17/1701

    rightprotoport=17/1701

    # set this to the ip address of your vpn server

    right=10.214.48.22

~~~~~~~~~~~~~~~~/etc/ipsec.secrets~~~~~~~~~~~~~~~~~~~~~~~~~~

root@lab:/etc# cat /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host

# which knows the public part.

include ipsec.d/ipsec.nm-l2tp.secrets

: PSK "123456789"

~~~~~~~~~~~~~~~/etc/xl2tpd/xl2tpd.conf~~~~~~~~~~~~~~~~~~~~~~

root@lab:/etc# cat /etc/xl2tpd/xl2tpd.conf

[lac myVPN]

; set this to the ip address of your vpn server

lns = 10.214.48.22

ppp debug = yes

pppoptfile = /etc/ppp/options.l2tpd.client

length bit = yes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~/etc/ppp/options.l2tpd.client~~~~~~~~~~~~~~

root@lab:/etc# cat /etc/ppp/options.l2tpd.client

ipcp-accept-local

ipcp-accept-remote

refuse-eap

require-mschap-v2

noccp

noauth

logfile /var/log/xl2tpd.log

idle 1800

mtu 1410

mru 1410

defaultroute

usepeerdns

debug

connect-delay 5000

name test

password test

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

service restart

sudo service strongswan restart

sudo service xl2tpd restart

sudo service ipsec restart

L2TP tunnel buildup

sudo ipsec up L2TP-PSK

Nemesis

@Zyxel_Cooldia

Hello! Thank you very much IPsec is coming up. In your config I changed only "esp=3des-sha1! left=%any".

IPsec is up. But how to connect L2TP? The new ppp0 interface does not rise for me. 

Zyxel_Cooldia

Hi @Nemesis,
Just found a mistake in previous update.
xl2tpd.conf lac VPN tunnel name must maps to ipsec.conf conn name.
Please modify xl2tpd.conf as below;

~~~~~~~~~~~~~~~/etc/xl2tpd/xl2tpd.conf~~~~~~~~~~~~~~~~~~~~~~

root@lab:/etc# cat /etc/xl2tpd/xl2tpd.conf

[lac L2TP-PSK]

; set this to the ip address of your vpn server

lns = 10.214.48.22

ppp debug = yes

pppoptfile = /etc/ppp/options.l2tpd.client

length bit = yes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After modified to corresponding lac VPN name in xl2tpd.conf, we can see ppp0 interface is up.

USG IPSec VPN tunnel

USG l2tp VPN tunnel


Start the L2TP connection

echo "c L2TP-PSK" > /var/run/xl2tpd/l2tp-control

Start the IPsec connection
ipsec up L2TP-PSK

Disconnect the L2TP connection

echo "d L2TP-PSK" > /var/run/xl2tpd/l2tp-control

Disconnect the IPsec connection
ipsec down L2TP-P