How to fix these xl2tpd errors?

l2tp/ipsec connection. I use xl2tpd along with strongswan. Strongswan comes up, everything is ok. I see myself connected to the gateway via ipsec. Then, from xl2tpd, I receive errors.

Ubuntu 20.04 Server/Vpn gateway zyxel l2tp over ipsec/strongswan/xl2tpd

Jan 31 06:38:52 user xl2tpd[1087]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Jan 31 06:38:52 user xl2tpd[1087]: Not looking for kernel SAref support.
Jan 31 06:38:52 user xl2tpd[1087]: Not looking for kernel support.
Jan 31 06:38:52 user xl2tpd[1079]: Starting xl2tpd: xl2tpd.
Jan 31 06:38:52 user xl2tpd[1088]: xl2tpd version xl2tpd-1.3.12 started on user PID:1088
Jan 31 06:38:52 user xl2tpd[1088]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 31 06:38:52 user xl2tpd[1088]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 31 06:38:52 user xl2tpd[1088]: Inherited by Jeff McAdams, (C) 2002
Jan 31 06:38:52 user xl2tpd[1088]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jan 31 06:38:52 user xl2tpd[1088]: Listening on IP address 0.0.0.0, port 1701
Jan 31 06:38:52 user xl2tpd[1088]: get_call: allocating new tunnel for host 111.111.111.111, port 1701.
Jan 31 06:38:52 user xl2tpd[1088]: Connecting to host 111.111.111.111, port 1701
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: sending SCCRQ
Jan 31 06:38:52 user xl2tpd[1088]: network_thread: recv packet from 111.111.111.111, size=77, tunnel=9959, call=0 ref=0 refhim=0
Jan 31 06:38:52 user xl2tpd[1088]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
Jan 31 06:38:52 user xl2tpd[1088]: assigned_tunnel_avp: using peer's tunnel 51533
Jan 31 06:38:52 user xl2tpd[1088]: result_code_avp: peer closing for reason 2 (General error--Error Code indicates the problem), error = 6 (No IPSec protection for the L2TP tunnel)
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: message type is Stop-Control-Connection-Notification(4). Tunnel is 0, call is 0.
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: Connection closed to 111.111.111.111, port 1701 (No IPSec protection for the L2TP tunnel), Local: 9959, Remote: 51533
Jan 31 06:38:52 user xl2tpd[1088]: build_fdset: closing down tunnel 9959
Jan 31 06:38:52 user xl2tpd[1088]: Will redial in 5 seconds

Comments

  • Zyxel_Tobias
    Hi Nemesis,

    did you open port 1701 UDP in the WAN to ZyWALL rule? This may be needed for the User Auth Level.

    Regards,

    Tobias
  • Hi Tobias. Yes, port 1701 is specified in Configuration-Object-Service. I have previously made connections to the L2TPoverIPsec tunnel through the standard Win10 and Ubuntu 20.04 cores through the GUI. Everything works, everything is ok. But running L2TPoverIPsec on Ubuntu server 20.04 (without GUI) fails.
  • Zyxel_Tobias
    Hi @Nemesis,

    please check out this article if it helps to double-check config:

    https://support.zyxel.eu/hc/en-us/articles/360004131900-L2TP-on-Linux-Ubuntu-setup

    If it still fails, please leave a comment under this article and our Support will be in touch with you for investigation.

    Regards,
    Tobias
  • Hi Tobias. The article is suitable for connecting via the GUI. I used this article to connect Ubuntu 20.04, everything works, everything is ok. At the moment I need to make a non-GUI connection for Ubuntu Server 20.04. Therefore, the article does not fit the solution to my question.
  • jasailafan
    Here is a document from a Zyxel support agent from last year. See "Set up the Host to Network VPN Tunnel on the Ubuntu 18.04" for the commands on Ubuntu.
  • When you troubleshoot L2TP/IPSec connections, it's useful to understand how an L2TP/IPSec connection proceeds. When you start the connection, an initial L2TP packet is sent to the server, requesting a connection. This packet causes the IPSec layer on your computer to negotiate with the VPN server to set up an IPSec protected session (a security association). Depending on many factors including link speed, the IPSec negotiations may take from a few seconds to around two minutes. When an IPSec security association (SA) has been established, the L2TP session starts. When it starts, you receive a prompt for your name and password (unless the connection has been set up to connect automatically in Windows Millennium Edition.) If the VPN server accepts your name and password, the session setup completes.
  • WJS
    Here is a CentOS (without GUI) L2TP over IPsec post from before.
    https://community.zyxel.com/en/discussion/comment/37356#Comment_37356
    Maybe you can try that.
  • Zyxel_Cooldia
    Hi @Nemesis,
    It works in my lab on Ubuntu 20.04. The tunnel can build up without issue.
    You can follow the config below to set up on Ubuntu.
    ~~~~~~~~~~~~~~~~~~/etc/ipsec.conf~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    root@lab:/etc# cat /etc/ipsec.conf
    # ipsec.conf - strongSwan IPsec configuration file
    # basic configuration
    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=3des-sha1-modp1024!
        esp=3des-sha1-modp1024!

    conn L2TP-PSK
        keyexchange=ikev1
        left=%defaultroute
        auto=add
        authby=secret
        type=transport
        leftprotoport=17/1701
        rightprotoport=17/1701
        # set this to the ip address of your vpn server
        right=10.214.48.22
    ~~~~~~~~~~~~~~~~/etc/ipsec.secrets~~~~~~~~~~~~~~~~~~~~~~~~~~
    root@lab:/etc# cat /etc/ipsec.secrets
    # This file holds shared secrets or RSA private keys for authentication.

    # RSA private key for this host, authenticating it to any other host
    # which knows the public part.
    include ipsec.d/ipsec.nm-l2tp.secrets
    : PSK "123456789"

    ~~~~~~~~~~~~~~~/etc/xl2tpd/xl2tpd.conf~~~~~~~~~~~~~~~~~~~~~~
    root@lab:/etc# cat /etc/xl2tpd/xl2tpd.conf
    [lac myVPN]
    ; set this to the ip address of your vpn server
    lns = 10.214.48.22
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client
    length bit = yes
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ~~~~~~~~~~~~~~~~~~/etc/ppp/options.l2tpd.client~~~~~~~~~~~~~~
    root@lab:/etc# cat /etc/ppp/options.l2tpd.client
    ipcp-accept-local
    ipcp-accept-remote
    refuse-eap
    require-mschap-v2
    noccp
    noauth
    logfile /var/log/xl2tpd.log
    idle 1800
    mtu 1410
    mru 1410
    defaultroute
    usepeerdns
    debug
    connect-delay 5000
    name test
    password test
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    service restart
    sudo service strongswan restart
    sudo service xl2tpd restart
    sudo service ipsec restart

    L2TP tunnel buildup
    sudo ipsec up L2TP-PSK

  • @Zyxel_Cooldia
    Hello! Thank you very much, IPsec is coming up. In your config I changed only "esp=3des-sha1! left=%any".
    IPsec is up. But how to connect L2TP? The new ppp0 interface does not come up for me.
  • Zyxel_Cooldia
    edited March 2022
    Hi @Nemesis,
    Just found a mistake in the previous update.
    The xl2tpd.conf lac VPN tunnel name must map to the ipsec.conf conn name.
    Please modify xl2tpd.conf as below:

    ~~~~~~~~~~~~~~~/etc/xl2tpd/xl2tpd.conf~~~~~~~~~~~~~~~~~~~~~~
    root@lab:/etc# cat /etc/xl2tpd/xl2tpd.conf
    [lac L2TP-PSK]
    ; set this to the ip address of your vpn server
    lns = 10.214.48.22
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd.client
    length bit = yes
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    After modifying xl2tpd.conf to the corresponding lac VPN name, we can see the ppp0 interface is up.

    USG IPSec VPN tunnel

    USG l2tp VPN tunnel


    Start the L2TP connection
    echo "c L2TP-PSK" > /var/run/xl2tpd/l2tp-control
    Start the IPsec connection
    ipsec up L2TP-PSK

    Disconnect the L2TP connection
    echo "d L2TP-PSK" > /var/run/xl2tpd/l2tp-control
    Disconnect the IPsec connection
    ipsec down L2TP-P
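The bring-up order the last comment describes, as an added shell example (not code from the thread or from Zyxel): it waits until strongSwan reports the transport SA before writing `c L2TP-PSK` to l2tp-control, so the gateway never receives an unprotected SCCRQ like the one its StopCCN "error = 6" in the opening log rejects. The conn/lac name L2TP-PSK, the l2tp-control path and the `ipsec status` output format are assumptions taken from the thread and from strongSwan's usual output.

```shell
#!/bin/sh
# Added example, not from the thread: bring L2TP up only after the strongSwan
# transport SA for the conn exists, so the SCCRQ travels inside ESP instead of
# triggering the peer's "No IPSec protection for the L2TP tunnel" StopCCN.
CONTROL=/var/run/xl2tpd/l2tp-control   # assumed: xl2tpd control file from the thread

# Reads `ipsec status <conn>` output on stdin; returns 0 only when the IKE SA is
# ESTABLISHED and the CHILD SA is INSTALLED in TRANSPORT mode for that conn.
sa_is_established() {
    _out=$(cat)
    printf '%s\n' "$_out" | grep -q "^[[:space:]]*$1\[[0-9]*\]: ESTABLISHED" &&
    printf '%s\n' "$_out" | grep -q "^[[:space:]]*$1{[0-9]*}: *INSTALLED, TRANSPORT"
}

# Reads xl2tpd log lines on stdin and prints the StopCCN error code from the first
# result_code_avp line (6 = peer saw L2TP without IPsec); prints nothing otherwise.
stopccn_error() {
    sed -n 's/.*result_code_avp: .*error = \([0-9][0-9]*\) (.*/\1/p' | head -n 1
}

# Ordered bring-up: IPsec first, poll until the SA exists, then signal xl2tpd.
connect_l2tp() {
    ipsec up "$1" >/dev/null || return 1
    _i=0
    until ipsec status "$1" | sa_is_established "$1"; do
        _i=$((_i + 1))
        [ "$_i" -lt 30 ] || { echo "IPsec SA for $1 not up after 30s" >&2; return 1; }
        sleep 1
    done
    echo "c $1" > "$CONTROL"          # SCCRQ is now sent inside the ESP transport SA
    _i=0
    until ip link show ppp0 >/dev/null 2>&1; do
        _i=$((_i + 1))
        [ "$_i" -lt 30 ] || { echo "ppp0 did not appear; see /var/log/xl2tpd.log" >&2; return 1; }
        sleep 1
    done
    echo "ppp0 is up"
}

# Constructed sample of `ipsec status L2TP-PSK` output (not captured from the thread's lab).
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
    L2TP-PSK[1]: ESTABLISHED 5 seconds ago, 192.0.2.10[192.0.2.10]...192.0.2.1[192.0.2.1]
    L2TP-PSK{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o'
# The failing line from the log at the top of the thread.
SAMPLE_LOG='Jan 31 06:38:52 user xl2tpd[1088]: result_code_avp: peer closing for reason 2 (General error--Error Code indicates the problem), error = 6 (No IPSec protection for the L2TP tunnel)'
# Live use (root, strongSwan and xl2tpd running): L2TP_LIVE=1 sh this.sh L2TP-PSK
if [ "${L2TP_LIVE:-0}" = 1 ]; then connect_l2tp "${1:-L2TP-PSK}"; fi
```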
