Problems connecting to VPN in Ubuntu 12.04

Asked by Julian Alarcon on 2012-01-05

I was trying to start the connection to our VPN (running on a Vyatta appliance) using l2tp-ipsec-vpn in Ubuntu 12.04 (from the official Ubuntu repos), but I always got an error. I tried to determine where the problem was and copied the configuration files from an installation of l2tp-ipsec-vpn from the PPA repo that is working in Ubuntu 11.04, but it wasn't possible.

I checked all the configs and didn't find the problem, but when I tried this tutorial (http://blog.tuvpn.com/2011/07/l2tpipsec-vpn-configuration-on-ubuntu-11-04-natty-narwhal/) in Ubuntu 10.04, everything works almost fine! (Just one thing: openswan and xl2tpd are not dependencies of the l2tp-ipsec-vpn package from the PPA repo for Ubuntu 10.04, but I just installed them.)

So, I need to find where the problem is in order to report it (I suppose that it is the pppd daemon), but I need to make the connection step by step without using l2tp-ipsec-vpn. How can I replicate the process performed by l2tp-ipsec-vpn manually?

This is the log of l2tp-ipsec-vpn for the successful connection on Ubuntu 10.04 and the error in Ubuntu 12.04:
pppd[19290]: LCP terminated by peer (peer refused to authenticate) ----------> this is the line where the error begins in Ubuntu 12.04

Ubuntu 10.04 log:

Jan 04 16:57:17.118 ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-37-generic...
Jan 04 16:57:17.333 ipsec__plutorun: Starting Pluto subsystem...
Jan 04 16:57:17.344 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jan 04 16:57:17.371 recvref[22]: Protocol not available
Jan 04 16:57:17.374 xl2tpd[2658]: This binary does not support kernel L2TP.
Jan 04 16:57:17.376 Starting xl2tpd: xl2tpd.
Jan 04 16:57:17.378 xl2tpd[2667]: xl2tpd version xl2tpd-1.2.5 started on julian-laptop PID:2667
Jan 04 16:57:17.379 xl2tpd[2667]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 04 16:57:17.379 xl2tpd[2667]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 04 16:57:17.381 xl2tpd[2667]: Inherited by Jeff McAdams, (C) 2002
Jan 04 16:57:17.381 xl2tpd[2667]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Jan 04 16:57:17.382 xl2tpd[2667]: Listening on IP address 0.0.0.0, port 1701
Jan 04 16:57:17.383 ipsec__plutorun: 002 added connection description "VPNNAME"
Jan 04 16:57:17.399 ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Jan 04 16:57:17.401 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jan 04 16:57:17.402 ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Jan 04 16:57:17.796 104 "VPNNAME" #1: STATE_MAIN_I1: initiate
Jan 04 16:57:17.797 003 "VPNNAME" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
Jan 04 16:57:17.798 003 "VPNNAME" #1: received Vendor ID payload [Cisco-Unity]
Jan 04 16:57:17.798 003 "VPNNAME" #1: received Vendor ID payload [XAUTH]
Jan 04 16:57:17.799 003 "VPNNAME" #1: received Vendor ID payload [Dead Peer Detection]
Jan 04 16:57:17.800 003 "VPNNAME" #1: received Vendor ID payload [RFC 3947] method set to=109
Jan 04 16:57:17.800 106 "VPNNAME" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 04 16:57:17.810 003 "VPNNAME" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jan 04 16:57:17.810 108 "VPNNAME" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 04 16:57:17.810 004 "VPNNAME" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Jan 04 16:57:17.811 117 "VPNNAME" #2: STATE_QUICK_I1: initiate
Jan 04 16:57:17.811 004 "VPNNAME" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x2ec3745b <0xeeeb5513 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 04 16:57:17.846 xl2tpd[2667]: Connecting to host (IP OF VYATTA), port 1701
Jan 04 16:57:19.880 xl2tpd[2667]: Connection established to (cal: 24710, Remote: 42880 (ref=0/0).
Jan 04 16:57:19.898 xl2tpd[2667]: Calling on tunnel 24710
Jan 04 16:57:19.899 xl2tpd[2667]: check_control: Received out of order control packet on tunnel 42880 (got 0, expected 1)
Jan 04 16:57:19.900 xl2tpd[2667]: handle_packet: bad control packet!
Jan 04 16:57:19.902 xl2tpd[2667]: check_control: Received out of order control packet on tunnel 42880 (got 0, expected 1)
Jan 04 16:57:19.903 xl2tpd[2667]: handle_packet: bad control packet!
Jan 04 16:57:19.945 xl2tpd[2667]: Call established with (IP OF VYATTA), Local: 33244, Remote: 12658, Serial: 1 (ref=0/0)
Jan 04 16:57:19.946 xl2tpd[2667]: start_pppd: I'm running:
Jan 04 16:57:19.946 xl2tpd[2667]: "/usr/sbin/pppd"
Jan 04 16:57:19.947 xl2tpd[2667]: "passive"
Jan 04 16:57:19.947 xl2tpd[2667]: "nodetach"
Jan 04 16:57:19.947 xl2tpd[2667]: ":"
Jan 04 16:57:19.948 xl2tpd[2667]: "file"
Jan 04 16:57:19.948 xl2tpd[2667]: "/etc/ppp/VPNNAME.options.xl2tpd"
Jan 04 16:57:19.949 xl2tpd[2667]: "/dev/pts/3"
Jan 04 16:57:20.030 pppd[2718]: Plugin passprompt.so loaded.
Jan 04 16:57:20.031 pppd[2718]: pppd 2.4.5 started by root, uid 0
Jan 04 16:57:20.061 pppd[2718]: Using interface ppp0
Jan 04 16:57:20.062 pppd[2718]: Connect: ppp0 <--> /dev/pts/3
Jan 04 16:57:23.341 pppd[2718]: CHAP authentication succeeded: Access granted
Jan 04 16:57:23.358 pppd[2718]: CHAP authentication succeeded
Jan 04 16:57:24.680 pppd[2718]: local IP address 192.168.254.242
Jan 04 16:57:24.681 pppd[2718]: remote IP address 10.255.255.0

Ubuntu 12.04 log:
ipsec_setup: Starting Openswan IPsec U2.6.28/K3.2.0-7-generic...
Jan 5 08:25:45 VPNNAME26 ipsec__plutorun: Starting Pluto subsystem...
Jan 5 08:25:45 VPNNAME26 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
recvref[22]: Protocol not available
xl2tpd[19235]: This binary does not support kernel L2TP.
Starting xl2tpd: xl2tpd.
xl2tpd[19237]: xl2tpd version xl2tpd-1.2.6 started on VPNNAME26 PID:19237
xl2tpd[19237]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[19237]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[19237]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[19237]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[19237]: Listening on IP address 0.0.0.0, port 1701
Jan 5 08:25:45 VPNNAME26 ipsec__plutorun: 002 added connection description "VPNNAME"
Jan 5 08:25:45 VPNNAME26 ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Jan 5 08:25:45 VPNNAME26 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jan 5 08:25:45 VPNNAME26 ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
104 "VPNNAME" #1: STATE_MAIN_I1: initiate
003 "VPNNAME" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
003 "VPNNAME" #1: received Vendor ID payload [Cisco-Unity]
003 "VPNNAME" #1: received Vendor ID payload [XAUTH]
003 "VPNNAME" #1: received Vendor ID payload [Dead Peer Detection]
003 "VPNNAME" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "VPNNAME" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "VPNNAME" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "VPNNAME" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "VPNNAME" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "VPNNAME" #2: STATE_QUICK_I1: initiate
004 "VPNNAME" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xdc067c68 <0xc842fa73 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
xl2tpd[19237]: Connecting to host (IP OF VYATTA), port 1701
xl2tpd[19237]: Connection established to (IP OF VYATTA), 1701. Local: 45921, Remote: 36808 (ref=0/0).
xl2tpd[19237]: Calling on tunnel 45921
xl2tpd[19237]: check_control: Received out of order control packet on tunnel 36808 (got 0, expected 1)
xl2tpd[19237]: handle_packet: bad control packet!
xl2tpd[19237]: check_control: Received out of order control packet on tunnel 36808 (got 0, expected 1)
xl2tpd[19237]: handle_packet: bad control packet!
xl2tpd[19237]: Call established with (IP OF VYATTA), Local: 46647, Remote: 50214, Serial: 1 (ref=0/0)
xl2tpd[19237]: start_pppd: I'm running:
xl2tpd[19237]: "/usr/sbin/pppd"
xl2tpd[19237]: "passive"
xl2tpd[19237]: "nodetach"
xl2tpd[19237]: ":"
xl2tpd[19237]: "file"
xl2tpd[19237]: "/etc/ppp/VPNNAME.options.xl2tpd"
xl2tpd[19237]: "/dev/pts/5"
pppd[19290]: Plugin passprompt.so loaded.
pppd[19290]: pppd 2.4.5 started by root, uid 0
pppd[19290]: Using interface ppp0
pppd[19290]: Connect: ppp0 <--> /dev/pts/5
pppd[19290]: LCP terminated by peer (peer refused to authenticate)
xl2tpd[19237]: control_finish: Connection closed to (IP OF VYATTA), serial 1 ()
xl2tpd[19237]: Terminating pppd: sending TERM signal to pid 19290
pppd[19290]: Terminating on signal 15
pppd[19290]: Modem hangup
pppd[19290]: Connection terminated.
pppd[19290]: Exit.
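
Both logs above pass through the same stages (IKE phase 1, IPsec SA, L2TP call, PPP link) and differ only at PPP authentication. The following is an added example, not part of the original question, that reports the furthest stage a log reached; the function and stage names are assumptions made for illustration, and the sample lines are abridged from the two logs above.

```shell
#!/bin/sh
# Added example (not from the thread): report the furthest stage an
# L2TP/IPsec attempt reached, from pluto/xl2tpd/pppd log text on stdin.
vpn_stage() {
    awk '
        function reach(k) { if (k > s) s = k }
        /ISAKMP SA established/          { reach(1) }   # IKE phase 1 (pluto)
        /IPsec SA established/           { reach(2) }   # IKE phase 2 (pluto)
        /xl2tpd.*Call established/       { reach(3) }   # L2TP session
        /pppd.*Connect: ppp/             { reach(4) }   # PPP link on the pty
        /pppd.*authentication succeeded/ { reach(5) }   # PPP (CHAP) auth
        /pppd.*local +IP address/        { reach(6) }   # addresses assigned
        /peer refused to authenticate/   { why = "peer refused to authenticate" }
        END {
            split("none ike-phase1 ipsec-sa l2tp-call ppp-link ppp-auth ppp-up", n, " ")
            printf "%s", n[s + 1]
            if (s < 6 && why != "") printf " (%s)", why
            printf "\n"
        }'
}

# Lines abridged from the Ubuntu 10.04 log in the question.
sample_1004() {
    cat <<'EOF'
Jan 04 16:57:17.810 004 "VPNNAME" #1: STATE_MAIN_I4: ISAKMP SA established
Jan 04 16:57:17.811 004 "VPNNAME" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode
Jan 04 16:57:19.945 xl2tpd[2667]: Call established with (IP OF VYATTA), Local: 33244, Remote: 12658
Jan 04 16:57:20.062 pppd[2718]: Connect: ppp0 <--> /dev/pts/3
Jan 04 16:57:23.358 pppd[2718]: CHAP authentication succeeded
Jan 04 16:57:24.680 pppd[2718]: local IP address 192.168.254.242
EOF
}

# Lines abridged from the Ubuntu 12.04 log in the question.
sample_1204() {
    cat <<'EOF'
004 "VPNNAME" #1: STATE_MAIN_I4: ISAKMP SA established
004 "VPNNAME" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode
xl2tpd[19237]: Call established with (IP OF VYATTA), Local: 46647, Remote: 50214
pppd[19290]: Connect: ppp0 <--> /dev/pts/5
pppd[19290]: LCP terminated by peer (peer refused to authenticate)
EOF
}

sample_1004 | vpn_stage   # ppp-up
sample_1204 | vpn_stage   # ppp-link (peer refused to authenticate)
```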

Question information

Language: English
Status: Answered
For: L2TP over IPsec VPN Manager
Assignee: No assignee
Last query: 2012-01-05
Last reply: 2012-09-21

I just tested the PPA packages in Ubuntu 10.04, 11.04 and 11.10 (replacing the xl2tpd package with the one from 11.04), and in all of these it just works!

The problem is in Ubuntu 12.04; I also use the xl2tpd package from 11.04 to avoid this problem: https://answers.launchpad.net/l2tp-ipsec-vpn/+question/175914

Werner Jaeger (werner-jaeger) said : #2

The following script resembles the connection process very closely.

Usage:

usage: ScriptName (start|stop|shutdown) ConnectionName

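#!/bin/sh

# Append the current terminal as the log device to pluto's info file.
# Returns 0 once /var/run/pluto/ipsec.info exists, 1 otherwise.
setLogInfo()
{
  RETVAL=1

  LOG_DEV_LINE="defaultroutelogdev=$(tty)"

  if test -f /var/run/pluto/ipsec.info; then
    RETVAL=0
    # Quoted: the output of tty may contain spaces ("not a tty").
    if test "$LOG_DEV_LINE" != "$(tail -n 1 /var/run/pluto/ipsec.info)"; then
      echo "$LOG_DEV_LINE" >> /var/run/pluto/ipsec.info
    fi
  fi

  return $RETVAL
}

case "$1" in
  start)
    # Restart both daemons, then bring up the IPsec connection named in $2.
    /etc/init.d/ipsec stop
    /etc/init.d/xl2tpd stop
    ipsec setup start
    /etc/init.d/xl2tpd start
    sleep 2
    ipsec auto --ready
    ipsec auto --up "$2"

    # Wait until pluto has written its info file.
    setLogInfo
    until test 0 -eq $?
    do
      setLogInfo
    done

    # Ask xl2tpd to connect the L2TP session of the same name.
    echo "c $2" > /var/run/xl2tpd/l2tp-control
    ;;

  stop)
    # Hang up pppd first, then take the IPsec connection down.
    if test -f /var/run/ppp0.pid ; then
      setLogInfo
      /bin/kill -s HUP "$(cat /var/run/ppp0.pid)"
    fi

    sleep 3
    ipsec auto --down "$2"
    ;;

  shutdown)
    # Stop xl2tpd (if running) and the IPsec subsystem.
    if test -f /var/run/xl2tpd.pid ; then
      /etc/init.d/xl2tpd stop
    fi

    ipsec setup --stop
    ;;

  *)
    echo "usage: $0 (start|stop|shutdown) ConnectionName"
    ;;
esac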

Joe (jherbert) said : #3

I have the same problem on 12.04 and have found that the application "/usr/bin/L2tpIPsecVpn" referenced in the config file /etc/ppp/"connection_name".options.xl2tpd does not appear to be passing the password back during authentication, hence the authentication failure log entries. If you add the following line to the "connection_name".options.xl2tpd under the name entry:

password "your password"

the connection then works as expected. Obviously this is not very secure but I think proves the L2tpIPsecVPN app is not providing the correct password.

Dirk Bundies (dirk-bundies) said : #4

Hi,

I'm really disappointed, because I cannot connect to my company's VPN (PSK) with an Ubuntu *12.04* client.
The VPN server itself is fine. It's a Vigor router. I still can connect to it with my Ubuntu 10.10 client (I'm using my own old-fashioned script (http://dialog-edv.de/public/db/ubuntu/vpn/)), it works from Windows, it works from an iPhone.

Today I set up a fresh install of ubuntu 12.04 i386, downloaded all updates, after this, I did this:

sudo apt-add-repository ppa:werner-jaeger/ppa-werner-vpn
sudo apt-get update
sudo apt-get install l2tp-ipsec-vpn
Then reboot, then configure the VPN connection -> no luck :-(

SYSLOG shows:
-------------------------------------------------------------------------------------
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Opening client connection
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Executing command invoke-rc.d xl2tpd stop
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4573]: death_handler: Fatal signal 15 received
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Command invoke-rc.d xl2tpd stop finished with exit code 0
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Opening client connection
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Closing client connection
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Executing command invoke-rc.d xl2tpd start
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4937]: setsockopt recvref[30]: Protocol not available
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4937]: This binary does not support kernel L2TP.
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4938]: xl2tpd version xl2tpd-1.3.1 started on dirk-ThinkPad-R60 PID:4938
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4938]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4938]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4938]: Inherited by Jeff McAdams, (C) 2002
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4938]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4938]: Listening on IP address 0.0.0.0, port 1701
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Command invoke-rc.d xl2tpd start finished with exit code 0
Sep 21 14:37:41 dirk-ThinkPad-R60 xl2tpd[4938]: Connecting to host xx.xx.xx.xx, port 1701
Sep 21 14:37:41 dirk-ThinkPad-R60 L2tpIPsecVpnControlDaemon: Closing client connection
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: Connection established to xx.xx.xx.xx, 1701. Local: 208, Remote: 12 (ref=0/0).
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: Calling on tunnel 208
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: receive_window_size_avp: RWS not appropriate for message Incoming-Call-Reply. Ignoring.
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: Call established with xx.xx.xx.xx, Local: 29026, Remote: 1619, Serial: 1 (ref=0/0)
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: start_pppd: I'm running:
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "/usr/sbin/pppd"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "passive"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "nodetach"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: ":"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "file"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "/etc/ppp/myvpn.options.xl2tpd"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "ipparam"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "xx.xx.xx.xx"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: "/dev/pts/2"
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: control_finish: Connection closed to xx.xx.xx.xx, serial 1 ()
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: Terminating pppd: sending TERM signal to pid 4939
Sep 21 14:37:42 dirk-ThinkPad-R60 xl2tpd[4938]: control_finish: Connection closed to xx.xx.xx.xx, port 1701 (), Local: 208, Remote: 12
-------------------------------------------------------------------------------------
 Then timeout, no connection

Kernel version is 3.2.0-30

This point is the only thing which prevents me from switching my laptop from 10.10 to ubuntu 12.04

Any help would be much appreciated! I also would use a script if it would work.

Thanks in advance for spending your time for an answer!

Dirk
Germany

coviex (coviex) said : #5

Thanks Joe (jherbert).
That password trick helped.
Btw I have just updated my system and the bug is still there.

Ivan Radenkovic (radenkovich) said : #6

Thanks Joe (jherbert) and coviex.
The password trick also solved the issue for me!

Arne (arneanonymous) said : #7

Password trick works for me too. This is obviously a bug. Has someone managed to report it?

ubu (ksubins321) said : #8

Affects me on Ubuntu 14.04. The password trick works. This has been filed as a bug, here:

https://bugs.launchpad.net/l2tp-ipsec-vpn/+bug/999806
