Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

L2tp VPN Server HELP!

Sun Apr 06, 2014 2:21 am

Hi all,

I have been trying to get my Raspberry Pi to be an L2TP VPN server and have had no luck.

I was able to get this to work about 5 months ago but now it just won't work.

I have tried both of the tutorials below:
http://linux.tips/tutorials/how-to-setu ... #comment-2
http://willitscript.com/post/4035740864 ... vpn-server

and for some reason I can't get them to work.

I have checked the ipsec verify and all is good there. I also checked the /var/log/auth.log and it seems to be getting a request from my iPhone but just won't let it connect.

This is the /var/log/auth.log information:

Code: Select all

raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx received Vendor ID payload [RFC 3947] method set to=109
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Apr  6 02:16:06 raspberrypi pluto[3498]: packet from xx.xxx.x.xxx:xxxxx: received Vendor ID payload [Dead Peer Detection]
Apr  6 02:16:06 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: responding to Main Mode from unknown peer xx.xxx.x.xxx
Apr  6 02:16:06 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  6 02:16:06 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  6 02:16:06 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:06 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: sending notification INVALID_PAYLOAD_TYPE to 49.196.7.220:36613
Apr  6 02:16:10 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:10 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: sending notification INVALID_PAYLOAD_TYPE to 49.196.7.220:36613
Apr  6 02:16:13 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:13 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: sending notification INVALID_PAYLOAD_TYPE to xx.xxx.x.xxx:xxxxx
Apr  6 02:16:16 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:16 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: sending notification INVALID_PAYLOAD_TYPE to 49.196.7.220:36613
Apr  6 02:16:16 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:16 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx#2: sending notification INVALID_PAYLOAD_TYPE to xx.xxx.x.xxx:xxxxx
Apr  6 02:16:29 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:29 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: sending notification INVALID_PAYLOAD_TYPE to xx.xxx.x.xxx:xxxxx
Apr  6 02:16:36 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:36 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] xx.xxx.x.xxx #2: sending notification INVALID_PAYLOAD_TYPE to xx.xxx.x.xxx:xxxxx
xx.xxx.x.xxx:xxxxx being my iPhone's IP address at the time.

I am running the latest Raspbian Wheezy from the Raspberry Pi website 06/04/2014.

Can someone please shed some light on what may be going wrong?

thanks in advance!

confounded
Posts: 1
Joined: Sun Apr 06, 2014 11:03 pm

Re: L2tp VPN Server HELP!

Sun Apr 06, 2014 11:05 pm

I came across this issue tonight when I upgraded OpenSwan. I fixed it by reverting to the previous version:

Code: Select all

wget http://snapshot.raspbian.org/201403301125/raspbian/pool/main/o/openswan/openswan_2.6.37-3_armhf.deb

sudo dpkg -i openswan_2.6.37-3_armhf.deb

gunner10
Posts: 5
Joined: Mon Apr 07, 2014 1:57 am

Re: L2tp VPN Server HELP!

Mon Apr 07, 2014 2:02 am

Hi,

I'm having the exact same problem. I followed the same tutorial today from scratch for the first time and it doesn't work for me either. Error messages are the same.

I hope someone could help out with this.

Thanks

gunner10
Posts: 5
Joined: Mon Apr 07, 2014 1:57 am

Re: L2tp VPN Server HELP!

Wed Apr 09, 2014 12:54 am

Hi confounded,

I ran those commands as you suggested but I'm still not able to connect.

Here is my /var/log/auth.log while trying to connect from my ipad.

Code: Select all

Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: received Vendor ID payload [RFC 3947] method set to=109									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]									
Apr  9 01:46:51 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:500: received Vendor ID payload [Dead Peer Detection]									
Apr  9 01:46:51 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: responding to Main Mode from unknown peer xxx.xxx.99.191									
Apr  9 01:46:51 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1									
Apr  9 01:46:51 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: STATE_MAIN_R1: sent MR1, expecting MI2									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: STATE_MAIN_R2: sent MR2, expecting MI3									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.6'									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[11] xxx.xxx.99.191 #13: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: deleting connection "L2TP-PSK-NAT" instance with peer xxx.xxx.99.191 {isakmp=#0/ipsec=#0}									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: new NAT mapping for #13, was xxx.xxx.99.191:500, now xxx.xxx.99.191:4500									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}									
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: Dead Peer Detection (RFC 3706): enabled									
Apr  9 01:46:53 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet									
Apr  9 01:46:53 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: the peer proposed: xxx.xxx.172.52/32:17/1701 -> xxx.xxx.99.191/32:17/0									
Apr  9 01:46:53 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14: responding to Quick Mode proposal {msgid:5d8a3f75}									
Apr  9 01:46:53 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14:     us: 192.168.0.14<192.168.0.14>[+S=C]:17/1701									
Apr  9 01:46:53 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14:   them: xxx.xxx.99.191[192.168.1.6,+S=C]:17/61932									
Apr  9 01:46:53 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1									
Apr  9 01:46:53 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2									
Apr  9 01:46:54 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14: Dead Peer Detection (RFC 3706): enabled									
Apr  9 01:46:54 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2									
Apr  9 01:46:54 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x035f96cb <0x42727f16 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=xxx.xxx.99.191:4500 DPD=enabled}									
Apr  9 01:47:14 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: received Delete SA(0x035f96cb) payload: deleting IPSEC State #14									
Apr  9 01:47:14 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: received and ignored informational message									
Apr  9 01:47:14 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191 #13: received Delete SA payload: deleting ISAKMP State #13									
Apr  9 01:47:14 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] xxx.xxx.99.191: deleting connection "L2TP-PSK-NAT" instance with peer xxx.xxx.99.191 {isakmp=#0/ipsec=#0}									
Apr  9 01:47:14 raspberrypi pluto[2798]: packet from xxx.xxx.99.191:4500: received and ignored informational message
Any help or suggestions would be appreciated. Been trying to get a VPN setup working on my Pi for a few weeks now. Set up the L2TP VPN the other day from scratch and still can't get it working.

Thanks,

Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

Re: L2tp VPN Server HELP!

Wed Apr 09, 2014 1:22 am

Hi gunner10,

I used the code given by confounded, and was unable to get it to install.

I then found that I had to run:

Code: Select all

apt-get install -f
To get the old dependencies. Once I had done that I was able to run confounded's code to install openswan.

Please note that if you are using the http://willitscript.com/post/4035740864 ... vpn-server tutorial, or even the http://linux.tips/tutorials/how-to-setu ... #comment-2 tutorial, you need to take out the openswan from the line

Code: Select all

sudo apt-get install openswan xl2tpd ppp lsof
Therefore you should only run,

Code: Select all

sudo apt-get install xl2tpd ppp lsof
If you didn't take the openswan out you may have re-installed the newer version of openswan. I know that sounds silly but I'll admit I have done it before.

Once I finished the install, my vpn was back to normal, thanks confounded!!

Hope others are able to get this back up and running!

Regards,

gunner10
Posts: 5
Joined: Mon Apr 07, 2014 1:57 am

Re: L2tp VPN Server HELP!

Wed Apr 09, 2014 1:34 am

Hi Malekith,

After running confounded's code, did you then proceed to follow all the steps in the tutorial from scratch?

I just ran the code, which looked to install fine. After that I haven't done anything.

I've only used this tutorial http://linux.tips/tutorials/how-to-setu ... #comment-2 but all the configuration was done before I ran confounded's code.

Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

Re: L2tp VPN Server HELP!

Wed Apr 09, 2014 1:58 am

Gunner10,

I used that tutorial to start off, but then decided to start from scratch using the will it script tutorial.

I ran the tutorial as normal. I may not have run the apt-get upgrade (sorry, I can't remember); however, at the start I did the following:

Code: Select all

apt-get install -f
wget http://snapshot.raspbian.org/201403301125/raspbian/pool/main/o/openswan/openswan_2.6.37-3_armhf.deb
sudo dpkg -i openswan_2.6.37-3_armhf.deb

sudo apt-get install xl2tpd ppp lsof
and then followed on with the installation.

Please note that with these tutorials you need to read everything and make sure you read the code that you are pasting in. The reason I say this is when pasting the code in, the IP addresses will be wrong. My IP range was different so I had to change parts of the code. Again I know this sounds silly, but I installed it with the wrong IP addresses because I was rushing it.

If you need more help, please ask and i will see what i can do. I'm no expert on Linux, but I've stuffed this up enough times to know some problems haha.

Regards,

gunner10
Posts: 5
Joined: Mon Apr 07, 2014 1:57 am

Re: L2tp VPN Server HELP!

Wed Apr 09, 2014 2:36 am

Thanks for all your help guys.

Ok so I've finally got it working.

What I did was follow the 'Adding Users' section in the Will It Script tutorial. Once I added the user account I was able to connect.

However, I had another user account set up only in the /etc/ppp/chap-secrets file, which I set up when trying out PPTP VPN. I am able to use this account to authenticate also, so I'm not sure what's going on.

I also added the 'sudo update-rc.d ipsec defaults' and 'sudo update-rc.d xl2tpd defaults' however after a 'sudo reboot' I can't connect until I run 'sudo /etc/init.d/ipsec restart' and 'sudo /etc/init.d/xl2tpd restart' so I'm not sure what's going on there.

The other issue I have which I'm not sure you can help with is I can't connect to the VPN from my Windows 7 machine. Any ideas?

Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

Re: L2tp VPN Server HELP!

Wed Apr 09, 2014 3:46 am

I haven't actually tried to connect from a computer running Windows, only from iDevices.

Are you using a domain? Or are you just typing in your IP address?

In regards to the "sudo update-rc.d", I have not yet restarted my Pi. I will do this tonight when I get home and see if it is the same for me.

Regards,

gunner10
Posts: 5
Joined: Mon Apr 07, 2014 1:57 am

Re: L2tp VPN Server HELP!

Wed Apr 09, 2014 5:21 am

I have dynamic dns setup on the router where the Pi is located and port forwarding set to forward the port to the Pi on the internal network.

So when I setup the VPN clients, I use my dynamic dns address.

I can see the windows client trying to connect in the auth.log, similar to when it wasn't working previously, but it doesn't connect. My iPhone and iPad connect fine now which is great.

Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

Re: L2tp VPN Server HELP!

Thu Apr 10, 2014 2:29 am

Hi Gunner10,

Last night I rebooted my Raspberry Pi and then tried to connect to the VPN. Mine was successful. I'm not sure why your setup is not saving the rc.d defaults. Hopefully someone with better knowledge of Linux will be able to help you.

In regards to the connection from Windows, I haven't been able to test this yet. I am hoping to test this today. Once I have the results I'll let you know.

Regards,

Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

Re: L2tp VPN Server HELP!

Fri Apr 11, 2014 2:13 am

Hi Gunner10,

I tested the VPN through Windows 7 yesterday. I too am unable to get it to connect. I am not sure what is stopping this from happening. Hopefully someone on this forum will be able to shed some light on the situation.

Regards,

ijhammo
Posts: 3
Joined: Wed May 22, 2013 11:02 pm

Re: L2tp VPN Server HELP!

Sat Apr 12, 2014 11:15 am

confounded wrote: I came across this issue tonight when I upgraded OpenSwan. I fixed it by reverting to the previous version:

Code: Select all

wget http://snapshot.raspbian.org/201403301125/raspbian/pool/main/o/openswan/openswan_2.6.37-3_armhf.deb

sudo dpkg -i openswan_2.6.37-3_armhf.deb
I can confirm this got it working again for me. Many thanks confounded 8-)

Wezlo
Posts: 1
Joined: Mon Apr 14, 2014 12:55 pm

Re: L2tp VPN Server HELP!

Mon Apr 14, 2014 12:58 pm

I did revert to a previous version, as per instructions, but as far as I can tell the older version is dependent on an older version of openssl which is still susceptible to heartbleed - am I wrong on this?

Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

Re: L2tp VPN Server HELP!

Wed Apr 16, 2014 5:21 am

I am not sure about that. Can someone please advise on the Heartbleed and OpenSSL issue?

thanks

DougieLawson
Posts: 39120
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: L2tp VPN Server HELP!

Wed Apr 16, 2014 8:36 am

Malekith wrote: I am not sure about that. Can someone please advise on the Heartbleed and OpenSSL issue?

thanks
Search the forum. There's been plenty of threads about heartbleed. We don't need another.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

Pikantje
Posts: 2
Joined: Tue Apr 29, 2014 1:16 pm

Re: L2tp VPN Server HELP!

Tue Apr 29, 2014 1:27 pm

Hi Guys,

I had my Pi just set up to function as a VPN server via openswan, and had tested it once. A couple of days later, however, it did not work anymore. Going through the forum I came across this item and read about doing a 'reverse' action, installing an older version of openswan:
wget http://snapshot.raspbian.org/2014033011 ... _armhf.deb
sudo dpkg -i openswan_2.6.37-3_armhf.deb

And indeed, this solved the problem. And the VPN still works, but with the old version.
Has anybody yet found out how to get the VPN working again using the most recent version of openswan?

Best regards,
Jan.

HELP HELP: still nobody with the same problem? I still have it.... Any help is appreciated!!!

Pikantje
Posts: 2
Joined: Tue Apr 29, 2014 1:16 pm

Re: L2tp VPN Server HELP!

Thu May 22, 2014 2:39 pm

Help help help.... Am I the only person having this problem? Any help appreciated.
regards,
Jan.

Malekith
Posts: 9
Joined: Sun Apr 06, 2014 2:11 am

Re: L2tp VPN Server HELP!

Tue Jun 10, 2014 12:38 am

Hi,

I have still not found out if the VPN is now working on the new OpenSwan. Has anyone been able to test this?

regards,

jhenkens
Posts: 1
Joined: Tue Jan 29, 2013 5:07 pm

Re: L2tp VPN Server HELP!

Wed Jun 18, 2014 12:02 am

Hey all,

I used to use a bunch of debian packages to get an L2TP VPN working, but it always sucked, even after days of configuration. This winter I found out about softether and have switched to using that as my VPN. It is much, much more solid. I have even put together some scripts which work in setting up the VPN from a scratch Raspbian install (I use raspbian-ua-netinst).

The only things you need to do beforehand are set up your user account (you shouldn't be using root for everything on your pi!), make sure the user account has sudo permissions, and then follow the readme.

https://gist.github.com/jhenkens/11190151

simple-simon
Posts: 3
Joined: Mon Jul 01, 2013 12:01 pm

Re: L2tp VPN Server HELP!

Tue Feb 24, 2015 3:16 pm

I attempted the willitscript tutorial with WiFi and came across a few issues, which I think I have solved, BUT, and this is a big caveat, I am a newbie so I don't know whether this is the right approach.

The first problem was the version of openswan as posted above by confounded, the symptoms of which I could see in /var/log/auth.log as:
message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level

Following confounded's advice fixed this but...

The second problem was the iOS client, which I could see in auth.log as:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal is detected

This I found here: https://issues.apache.org/jira...
which meant putting

Code: Select all

 forceencaps=yes
in /etc/ipsec.conf under the connection (conn L2TP-PSK). This may disable all non-iOS and Mac OS X clients, as I have seen some comments on this.

With those two the VPN sets up but then I lose connection to the network which appears to be when an ifplug event happens (not sure I understand that fully) but when this happens /etc/ifplugd/action.d/action_wpa is run. Some posts suggested renaming this file which looked a bit hacky to me so I tried changing my /etc/network/interfaces line which has wpa-roam… to wpa-conf (http://superuser.com/questions... - [ignore that it is for openvpn the event is the same]). This disabled my wifi completely. Finally I found that I needed to static my IP properly by finding this: http://raspberrypi.stackexchan... which gave me the right combination of wpa-conf and getting my static ip right.

I hope this helps.

One more thing: I found this item (http://linux.tips/tutorials/ho...) on putting settings in rc.local. I don't know whether it is right or not, but I have done that and it seems to work.
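
Added example, not part of any post in this thread: a small Python triage of pluto lines from /var/log/auth.log that separates the two failure patterns posted above, the ISAKMP_NEXT_SAK rejection during Main Mode and the case where the IPsec SA comes up and the client deletes it about 20 seconds later. The sample log is constructed (documentation-range addresses, made-up SPI) and the verdict labels are names chosen for this example.

```python
import re

# Constructed sample modelled on the two auth.log excerpts posted in the thread.
# Peer addresses are documentation-range placeholders and the SPI is made up.
SAMPLE_LOG = """\
Apr  6 02:16:06 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] 203.0.113.7 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  6 02:16:06 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] 203.0.113.7 #2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  6 02:16:10 raspberrypi pluto[3498]: "L2TP-PSK-NAT"[2] 203.0.113.7#2: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Apr  9 01:46:52 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] 198.51.100.9 #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256}
Apr  9 01:46:54 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] 198.51.100.9 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0badc0de}
Apr  9 01:47:14 raspberrypi pluto[2798]: "L2TP-PSK-NAT"[12] 198.51.100.9 #13: received Delete SA(0x0badc0de) payload: deleting IPSEC State #14
"""

# Responder states in the order a successful negotiation passes through them.
STAGES = ["STATE_MAIN_R0", "STATE_MAIN_R1", "STATE_MAIN_R2", "STATE_MAIN_R3",
          "STATE_QUICK_R0", "STATE_QUICK_R1", "STATE_QUICK_R2"]
STATE = re.compile("|".join(STAGES))

# timestamp, host, pluto[pid], "conn"[instance], peer, optional #SA number, message.
# The '#N' may be glued to the peer address, as in one line of the first log.
LINE = re.compile(
    r'^\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+pluto\[\d+\]:\s+'
    r'"[^"]+"\[\d+\]\s+(?P<peer>[^\s#:]+)\s*(?:#\d+)?:\s+(?P<msg>.*)$')


def _summarise(p):
    if p["next_sak"] and p["stage"] < STAGES.index("STATE_MAIN_R2"):
        verdict = "ike-main-mode-payload-rejected"   # never got past MR1
    elif p["lifetime"] is not None:
        verdict = "ipsec-up-then-deleted-by-peer"    # IKE and IPsec were fine
    elif p["up_at"] is not None:
        verdict = "ipsec-established"
    else:
        verdict = "ike-incomplete"
    furthest = STAGES[p["stage"]] if p["stage"] >= 0 else "none"
    return (verdict, furthest, p["next_sak"], p["lifetime"])


def triage(log_text):
    """Return {peer: (verdict, furthest_state, next_sak_count, sa_lifetime_s)}."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue  # vendor-ID chatter, truncated lines, other daemons
        p = peers.setdefault(m["peer"], {"stage": -1, "next_sak": 0,
                                         "up_at": None, "lifetime": None})
        msg = m["msg"]
        # Seconds since midnight; assumes the attempt does not span midnight.
        now = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        for name in STATE.findall(msg):
            p["stage"] = max(p["stage"], STAGES.index(name))
        if "ISAKMP_NEXT_SAK" in msg:
            p["next_sak"] += 1
        if "IPsec SA established" in msg:
            p["up_at"] = now
        elif ("received Delete SA" in msg and p["up_at"] is not None
              and p["lifetime"] is None):
            p["lifetime"] = now - p["up_at"]
    return {peer: _summarise(p) for peer, p in peers.items()}


if __name__ == "__main__":
    for peer, result in triage(SAMPLE_LOG).items():
        print(peer, result)
```

A verdict of `ipsec-up-then-deleted-by-peer` means IKE and IPsec both completed, so the next place to look is the L2TP/PPP layer (xl2tpd and /etc/ppp/chap-secrets), which is where gunner10's fix landed.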
