How to fix these xl2tpd errors?
L2TP/IPsec connection. I use xl2tpd along with strongSwan. strongSwan comes up, everything is OK. I see myself connected to the gateway via IPsec. Then, from xl2tpd, I receive errors.
Ubuntu 20.04 Server / VPN gateway: Zyxel L2TP over IPsec / strongSwan / xl2tpd
Jan 31 06:38:52 user xl2tpd[1087]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Jan 31 06:38:52 user xl2tpd[1087]: Not looking for kernel SAref support.
Jan 31 06:38:52 user xl2tpd[1087]: Not looking for kernel support.
Jan 31 06:38:52 user xl2tpd[1079]: Starting xl2tpd: xl2tpd.
Jan 31 06:38:52 user xl2tpd[1088]: xl2tpd version xl2tpd-1.3.12 started on user PID:1088
Jan 31 06:38:52 user xl2tpd[1088]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 31 06:38:52 user xl2tpd[1088]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 31 06:38:52 user xl2tpd[1088]: Inherited by Jeff McAdams, (C) 2002
Jan 31 06:38:52 user xl2tpd[1088]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jan 31 06:38:52 user xl2tpd[1088]: Listening on IP address 0.0.0.0, port 1701
Jan 31 06:38:52 user xl2tpd[1088]: get_call: allocating new tunnel for host 111.111.111.111, port 1701.
Jan 31 06:38:52 user xl2tpd[1088]: Connecting to host 111.111.111.111, port 1701
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: sending SCCRQ
Jan 31 06:38:52 user xl2tpd[1088]: network_thread: recv packet from 111.111.111.111, size=77, tunnel=9959, call=0 ref=0 refhim=0
Jan 31 06:38:52 user xl2tpd[1088]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
Jan 31 06:38:52 user xl2tpd[1088]: assigned_tunnel_avp: using peer's tunnel 51533
Jan 31 06:38:52 user xl2tpd[1088]: result_code_avp: peer closing for reason 2 (General error--Error Code indicates the problem), error = 6 (No IPSec protection for the L2TP tunnel)
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: message type is Stop-Control-Connection-Notification(4). Tunnel is 0, call is 0.
Jan 31 06:38:52 user xl2tpd[1088]: control_finish: Connection closed to 111.111.111.111, port 1701 (No IPSec protection for the L2TP tunnel), Local: 9959, Remote: 51533
Jan 31 06:38:52 user xl2tpd[1088]: build_fdset: closing down tunnel 9959
Jan 31 06:38:52 user xl2tpd[1088]: Will redial in 5 seconds
Comments
Hi Nemesis,
did you open port 1701 UDP in the WAN-to-ZyWALL rule? This may be needed for User Auth Level.
Regards,
Tobias
Hi Tobias. Yes, port 1701 is specified in Configuration-Object-Service. I have previously made connections to the L2TPoverIPsec tunnel through the standard Win10 and Ubuntu 20.04 cores through the GUI. Everything works, everything is ok. But running L2TPoverIPsec on Ubuntu server 20.04 (without GUI) fails.
Hi @Nemesis,
please check out this article if it helps to double-check config:
https://support.zyxel.eu/hc/en-us/articles/360004131900-L2TP-on-Linux-Ubuntu-setup
If it still fails, please leave a comment under this article and our Support will be in touch with you for investigation.
Regards,
Tobias
Hi Tobias. The article is suitable for connecting via the GUI. I used this article to connect Ubuntu 20.04, everything works, everything is ok. At the moment I need to make a non-GUI connection for Ubuntu Server 20.04. Therefore, the article does not fit the solution of my question.
Here is a document from a Zyxel support agent from last year. See "Set up the Host to Network VPN Tunnel on the Ubuntu 18.04" for the commands on Ubuntu.
When you troubleshoot L2TP/IPSec connections, it's useful to understand how an L2TP/IPSec connection proceeds. When you start the connection, an initial L2TP packet is sent to the server, requesting a connection. This packet causes the IPSec layer on your computer to negotiate with the VPN server to set up an IPSec protected session (a security association). Depending on many factors including link speed, the IPSec negotiations may take from a few seconds to around two minutes. When an IPSec security association (SA) has been established, the L2TP session starts. When it starts, you receive a prompt for your name and password (unless the connection has been set up to connect automatically in Windows Millennium Edition.) If the VPN server accepts your name and password, the session setup completes.
Here is an earlier CentOS (without GUI) L2TP over IPsec post:
https://community.zyxel.com/en/discussion/comment/37356#Comment_37356
Maybe you can try that.
Hi @Nemesis,
It works in my lab Ubuntu 20.04. Tunnel can build up without issue.
You can follow the config below to set it up on Ubuntu.

~~~~~~~~~~~~~~~~~~ /etc/ipsec.conf ~~~~~~~~~~~~~~~~~~
root@lab:/etc# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!

conn L2TP-PSK
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # set this to the ip address of your vpn server
    right=10.214.48.22

~~~~~~~~~~~~~~~~~~ /etc/ipsec.secrets ~~~~~~~~~~~~~~~~~~
root@lab:/etc# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
include ipsec.d/ipsec.nm-l2tp.secrets
: PSK "123456789"

~~~~~~~~~~~~~~~~~~ /etc/xl2tpd/xl2tpd.conf ~~~~~~~~~~~~~~~~~~
root@lab:/etc# cat /etc/xl2tpd/xl2tpd.conf
[lac myVPN]
; set this to the ip address of your vpn server
lns = 10.214.48.22
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

~~~~~~~~~~~~~~~~~~ /etc/ppp/options.l2tpd.client ~~~~~~~~~~~~~~~~~~
root@lab:/etc# cat /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
logfile /var/log/xl2tpd.log
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name test
password test
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Service restart:
sudo service strongswan restart
sudo service xl2tpd restart
sudo service ipsec restart

L2TP tunnel buildup:
sudo ipsec up L2TP-PSK
@Zyxel_Cooldia Hello! Thank you very much, IPsec is coming up. In your config I changed only "esp=3des-sha1!" and "left=%any". IPsec is up. But how do I connect L2TP? The new ppp0 interface does not come up for me.
Hi @Nemesis,
Just found a mistake in previous update.
The xl2tpd.conf lac VPN tunnel name must map to the ipsec.conf conn name.
Please modify xl2tpd.conf as below;
~~~~~~~~~~~~~~~~~~ /etc/xl2tpd/xl2tpd.conf ~~~~~~~~~~~~~~~~~~
root@lab:/etc# cat /etc/xl2tpd/xl2tpd.conf
[lac L2TP-PSK]
; set this to the ip address of your vpn server
lns = 10.214.48.22
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After modified to corresponding lac VPN name in xl2tpd.conf, we can see ppp0 interface is up.
(screenshot: USG IPSec VPN tunnel)
(screenshot: USG L2TP VPN tunnel)
Start the L2TP connection:
echo "c L2TP-PSK" > /var/run/xl2tpd/l2tp-control
Start the IPsec connection:
ipsec up L2TP-PSK
Disconnect the L2TP connection:
echo "d L2TP-PSK" > /var/run/xl2tpd/l2tp-control
Disconnect the IPsec connection:
ipsec down L2TP-PSK
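The failure in the question is an ordering problem: xl2tpd started at boot and sent its SCCRQ to the gateway before any IPsec policy existed, so the packet went out in cleartext and the ZyWALL (correctly) answered StopCCN result 2 / error 6 "No IPSec protection for the L2TP tunnel". The thread's fix is the name mapping plus `ipsec up` before the `c L2TP-PSK` control command. The following script, an added example and not Zyxel's or the poster's code, wraps that sequence and refuses to dial L2TP until the kernel actually holds an outbound transport-mode ESP policy for UDP/1701 to the peer; it also pulls the StopCCN result/error code out of xl2tpd log lines so the failure can be recognised automatically. It assumes the conn/LAC name `L2TP-PSK` and the control pipe `/var/run/xl2tpd/l2tp-control` from the thread, the `ip xfrm policy` text format of iproute2, and that `ipsec` and `ip` are on PATH when run for real. The policy sample is constructed; the StopCCN log line is the one from the question.

```python
"""Bring up an L2TP/IPsec client (strongSwan + xl2tpd) in the safe order.

Added example for this thread, not Zyxel's or the poster's code. Assumes the
conn / LAC name L2TP-PSK and the xl2tpd control pipe from the thread, and the
`ip xfrm policy` output format of iproute2.
"""
import re
import subprocess
import sys
import time

CONN = "L2TP-PSK"                              # ipsec.conf conn == xl2tpd [lac ...]
L2TP_CONTROL = "/var/run/xl2tpd/l2tp-control"  # xl2tpd control FIFO
L2TP_PORT = 1701

# One `ip xfrm policy` entry: selector line, then dir/priority, then the ESP template.
POLICY_RE = re.compile(
    r"src (?P<src>\S+) dst (?P<dst>\S+) proto udp"
    r"(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
    r"\s+dir (?P<dir>\w+).*?proto esp .*?mode (?P<mode>\w+)",
    re.S,
)

# The peer's StopCCN as xl2tpd logs it.
STOPCCN_RE = re.compile(
    r"result_code_avp: peer closing for reason (?P<result>\d+) \(.*?\), "
    r"error = (?P<error>\d+) \((?P<msg>[^)]*)\)"
)


def l2tp_protected(xfrm_policy_text: str, peer: str) -> bool:
    """True if the kernel holds an outbound transport-mode ESP policy for
    UDP/1701 towards `peer`. Without it the SCCRQ leaves in cleartext and the
    LNS answers StopCCN error 6 (No IPSec protection for the L2TP tunnel)."""
    for entry in re.split(r"\n(?=src )", xfrm_policy_text.strip()):
        m = POLICY_RE.search(entry)
        if not m:
            continue
        if (m["dir"] == "out" and m["mode"] == "transport"
                and m["dst"].split("/")[0] == peer
                and m["dport"] in (None, str(L2TP_PORT))):
            return True
    return False


def stopccn_error(log_lines):
    """(result, error, message) of the first StopCCN in xl2tpd log lines, or None."""
    for line in log_lines:
        m = STOPCCN_RE.search(line)
        if m:
            return int(m["result"]), int(m["error"]), m["msg"]
    return None


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False)


def connect(peer: str, timeout: float = 60.0) -> bool:
    """IPsec first, then the policy check, then L2TP, then wait for ppp0."""
    if _run(["ipsec", "up", CONN]).returncode != 0:
        return False
    if not l2tp_protected(_run(["ip", "xfrm", "policy"]).stdout, peer):
        print(f"refusing to dial: no ESP policy for UDP/{L2TP_PORT} to {peer}")
        return False
    with open(L2TP_CONTROL, "w") as ctl:       # same as: echo "c L2TP-PSK" > pipe
        ctl.write(f"c {CONN}\n")
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if _run(["ip", "-o", "link", "show", "ppp0"]).returncode == 0:
            return True
        time.sleep(1)
    return False


# Constructed policy sample (not captured from the thread's gateway); the
# StopCCN line in SAMPLE_LOG is the one from the question.
SAMPLE_POLICY_OK = (
    "src 10.214.48.10/32 dst 10.214.48.22/32 proto udp sport 1701 dport 1701\n"
    "\tdir out priority 367231 ptype main\n"
    "\ttmpl src 0.0.0.0 dst 0.0.0.0\n"
    "\t\tproto esp reqid 1 mode transport\n"
    "src 10.214.48.22/32 dst 10.214.48.10/32 proto udp sport 1701 dport 1701\n"
    "\tdir in priority 367231 ptype main\n"
    "\ttmpl src 0.0.0.0 dst 0.0.0.0\n"
    "\t\tproto esp reqid 1 mode transport\n"
)
SAMPLE_LOG = [
    "Jan 31 06:38:52 user xl2tpd[1088]: control_finish: sending SCCRQ",
    "Jan 31 06:38:52 user xl2tpd[1088]: result_code_avp: peer closing for reason 2 "
    "(General error--Error Code indicates the problem), error = 6 "
    "(No IPSec protection for the L2TP tunnel)",
]

if __name__ == "__main__":
    sys.exit(0 if connect(sys.argv[1]) else 1)   # e.g. python3 l2tp_up.py 10.214.48.22
```

Two caveats for anyone reusing the thread's config. With `auto=add` strongSwan only loads the connection; no kernel policy exists until `ipsec up L2TP-PSK`, so an xl2tpd that starts and redials on its own (as in the question's log) keeps sending unprotected SCCRQs and keeps being rejected. The check above makes that state fail closed; `auto=route` is the alternative, since it installs a trap policy so the first UDP/1701 packet triggers IKE instead of leaving the host in the clear. Second, `3des-sha1-modp1024` is a legacy proposal; if the gateway's L2TP/IPsec phase 1/2 settings allow it, prefer AES and SHA-2 with a 2048-bit or larger MODP group.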