Cannot connect to checkpoint vpn: "Maximum retries exceeded for tunnel. Closing."

Asked by Paolo Stefani on 2011-09-01

Hi,
it seems that something is going wrong when I try to connect to a Checkpoint firewall from my Ubuntu 11.04 laptop.

Here is the connection failure log:

ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38-11-generic...
Sep 1 10:41:24 ba ipsec__plutorun: Starting Pluto subsystem...
Sep 1 10:41:24 ba ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
recvref[22]: Protocol not available
xl2tpd[11486]: This binary does not support kernel L2TP.
Starting xl2tpd: xl2tpd.
xl2tpd[11489]: xl2tpd version xl2tpd-1.2.6 started on ba PID:11489
xl2tpd[11489]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[11489]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[11489]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[11489]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[11489]: Listening on IP address 0.0.0.0, port 1701
Sep 1 10:41:24 ba ipsec__plutorun: 002 added connection description "WORK"
003 NAT-Traversal: Trying new style NAT-T
003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
003 NAT-Traversal: Trying old style NAT-T
104 "WORK" #1: STATE_MAIN_I1: initiate
003 "WORK" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "WORK" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "WORK" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "WORK" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "WORK" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "WORK" #2: STATE_QUICK_I1: initiate
003 "WORK" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=107fc743
004 "WORK" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x2123226d <0x4ab10bb1 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
xl2tpd[11489]: Connecting to host xxx.xxx.xxx.xxx, port 1701
xl2tpd[11489]: Maximum retries exceeded for tunnel 8540. Closing.

Here is the ipsec.conf generated by L2TP IPsec VPN Manager:

# /etc/ipsec.conf - Openswan IPsec configuration file
# $Id$

# Manual: ipsec.conf(5)

# Created: Thu Sep 1 09:57:10 2011
# by: The L2TP IPsec VPN Manager application version 1.0.0
#
# WARNING! All changes made in this file will be lost!

version 2.0 # conforms to second version of ipsec.conf specification

config setup
 # plutodebug="parsing emitting control private"
 plutodebug=none
 strictcrlpolicy=no
 nat_traversal=yes
 interfaces=%defaultroute
 oe=off
 # which IPsec stack to use. netkey,klips,mast,auto or none
 protostack=netkey

conn %default
 keyingtries=3
 pfs=no
 rekey=yes
 type=transport
 left=%defaultroute
 leftprotoport=17/1701
 rightprotoport=17/1701

# Add connections here.

conn WORK
 authby=secret
 right=xxx.xxx.xxx.xxx
 rightid=""
 auto=add

Here is the xl2tpd.conf file:

; /etc/xl2tpd/xl2tpd.conf - configuration file for use with L2TP over IPsec.
; $Id$

; Manual: xl2tpd.conf(5)

; Created: Thu Sep 1 09:57:10 2011
; by: The L2TP IPsec VPN Manager application version 1.0.0
;
; WARNING! All changes made in this file will be lost!

[global]
; listen-addr = 192.168.178.28
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no

[lac WORK]
lns = xxx.xxx.xxx.xxx
pppoptfile = /etc/ppp/WORK.options.xl2tpd
length bit = no
redial = no

Can someone help me to solve the problem?
Thanks
Paolo

Question information

Language: English
Status: Answered
For: L2TP over IPsec VPN Manager
Assignee: No assignee
Last query: 2011-09-01
Last reply: 2012-10-15
Werner Jaeger (werner-jaeger) said : #1

Hi Paolo,

all I can tell from the provided log entries is that IPsec negotiation succeeded (IPsec SA established transport mode).

So it is very likely that the point-to-point negotiation failed.

To figure out the reason you could manually set all debug properties in /etc/xl2tpd/xl2tpd.conf to yes and uncomment the debug statement in /etc/ppp/TSI1.options.xl2tpd.

The debug log entries should normally (depends on your syslog configuration) go to /var/log/debug.

There is a great article at http://pptpclient.sourceforge.net/howto-diagnosis.phtml that might help you to interpret
the debug log entries.

If you don't mind sending me the debug output (after you have anonymized security-relevant entries), I'm happy to help.

Cheers
 Werner
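The diagnosis above rests on reading the log layer by layer: pluto finishes both IKE phases, so the first layer that never reports success (here the L2TP tunnel) is where to look. The following Python script, added here as an example and not part of the L2TP IPsec VPN Manager project, automates that triage over the lines quoted in the question; the xl2tpd and pppd success patterns are assumed message wordings, while the pluto and failure patterns are taken from the question itself.

```python
import re

# Constructed sample: the relevant lines of the connection log quoted in the question.
SAMPLE_LOG = """\
003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
104 "WORK" #1: STATE_MAIN_I1: initiate
004 "WORK" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "WORK" #2: STATE_QUICK_I1: initiate
004 "WORK" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x2123226d <0x4ab10bb1 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
xl2tpd[11489]: Connecting to host xxx.xxx.xxx.xxx, port 1701
xl2tpd[11489]: Maximum retries exceeded for tunnel 8540. Closing.
"""

# Milestones in the order an L2TP/IPsec connection passes through them.
# The pluto patterns match lines from the question; the xl2tpd and pppd
# success patterns are assumed wordings, not taken from the page.
MILESTONES = [
    ("ike_phase1", re.compile(r"ISAKMP SA established \{([^}]*)\}")),
    ("ike_phase2", re.compile(r"IPsec SA established \w+ mode \{([^}]*)\}")),
    ("l2tp_tunnel", re.compile(r"xl2tpd\[\d+\]: Connection established to")),
    ("ppp", re.compile(r"pppd\[\d+\]: local +IP address")),
]
# Fatal messages seen in the question. Lines such as the ESPINUDP fallback or
# "does not support kernel L2TP" are only warnings and are deliberately ignored.
FAILURES = [
    re.compile(r"Maximum retries exceeded for tunnel \d+"),
    re.compile(r"death_handler: Fatal signal \d+ received"),
]

def parse_sa_params(text):
    """Turn 'auth=... cipher=oakley_3des_cbc_192 group=modp1024' into a dict."""
    return dict(item.split("=", 1) for item in text.split() if "=" in item)

def diagnose(log):
    """Return which layers completed, the first fatal line, and the negotiated SA parameters."""
    reached, sa_params, failure = [], {}, None
    for line in log.splitlines():
        for name, rx in MILESTONES:
            m = rx.search(line)
            if m and name not in reached:
                reached.append(name)
                if m.groups():  # only the two pluto patterns capture SA parameters
                    sa_params[name] = parse_sa_params(m.group(1))
        if failure is None and any(rx.search(line) for rx in FAILURES):
            failure = line.strip()
    pending = [name for name, _ in MILESTONES if name not in reached]
    return {"reached": reached, "failed_layer": pending[0] if pending else None,
            "failure": failure, "sa_params": sa_params}
```

The returned `sa_params` also exposes the negotiated algorithms (3DES with modp1024 in this log), which is worth reviewing separately from the connectivity problem.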

Paolo Stefani (transalp98) said : #3

Hi Werner,
thanks a lot for your reply.

You are correct, IPsec gets its job done. I have also checked
on the firewall console and everything is ok; the culprit
seems to be xl2tpd, beyond a reasonable doubt :)

If I try: sudo /usr/sbin/xl2tpd -D
this is what I have:

xl2tpd[17301]: setsockopt recvref[22]: Protocol not available
xl2tpd[17301]: This binary does not support kernel L2TP.
xl2tpd[17301]: xl2tpd version xl2tpd-1.2.6 started on ba PID:17301
xl2tpd[17301]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[17301]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[17301]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[17301]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[17301]: Listening on IP address 192.168.1.109, port 1701

As soon as I try to connect this comes out:

xl2tpd[17301]: network_thread: select returned error 4 (Interrupted system call)
xl2tpd[17301]: death_handler: Fatal signal 15 received

Probably because of this error I cannot even get the debug log.

I'll try to figure out what's happening, even if I don't see too much light at the end of the tunnel :)

Thanks again,
cheers
Paolo

Richard van der Hoff (richvdh) said : #4

You may well have solved this problem yourself by now, but I had the same problem with trying to get xl2tpd to connect to a Checkpoint VPN server, and it turned out to be a bug in xl2tpd: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680146.

You can get a patched version from my ppa: https://launchpad.net/~richvdh/+archive/xl2tpd
