L2TP cannot connect with my client

skywhat
Posts: 2
Joined: 2017/02/23 02:58:10

L2TP cannot connect with my client

Post by skywhat » 2017/02/23 03:07:45

ipsec verify:

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.2.2.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

ipsec status:

000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 interface eth0/eth0 2400:8500:1302:825:150:95:146:154@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1540@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:154f@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:154e@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:154d@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:154c@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:154b@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:154a@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1549@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1548@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1547@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1546@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1545@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1544@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1543@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1542@500
000 interface eth0/eth0 2400:8500:1302:825:a150:95:146:1541@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 150.95.146.154@4500
000 interface eth0/eth0 150.95.146.154@500
000  
000  
000 fips mode=disabled;
000 SElinux=disabled
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000  
000 ESP algorithms supported:
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "L2TP-PSK-NAT": 150.95.146.154<150.95.146.154>:17/1701...%virtual:17/%any===vhost:?; unrouted; eroute owner: #0
000 "L2TP-PSK-NAT":     oriented; my_ip=unset; their_ip=unset
000 "L2TP-PSK-NAT":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "L2TP-PSK-NAT":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "L2TP-PSK-NAT":   labeled_ipsec:no;
000 "L2TP-PSK-NAT":   policy_label:unset;
000 "L2TP-PSK-NAT":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "L2TP-PSK-NAT":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "L2TP-PSK-NAT":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "L2TP-PSK-NAT":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "L2TP-PSK-NAT":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "L2TP-PSK-NAT":   dpd: action:clear; delay:40; timeout:130; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "L2TP-PSK-NAT":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-noNAT": 150.95.146.154<150.95.146.154>:17/1701...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT":     oriented; my_ip=unset; their_ip=unset
000 "L2TP-PSK-noNAT":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "L2TP-PSK-noNAT":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "L2TP-PSK-noNAT":   labeled_ipsec:no;
000 "L2TP-PSK-noNAT":   policy_label:unset;
000 "L2TP-PSK-noNAT":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "L2TP-PSK-noNAT":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "L2TP-PSK-noNAT":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "L2TP-PSK-noNAT":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "L2TP-PSK-noNAT":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "L2TP-PSK-noNAT":   dpd: action:clear; delay:40; timeout:130; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "L2TP-PSK-noNAT":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000  
000 Total IPsec connections: loaded 2, active 0
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000  
000 Bare Shunt list:
000  

I am a rookie on this part. I would appreciate it if anyone could help me with this.
I cannot connect with my VPN account from any client.

Re: L2TP cannot connect with my client

Post by skywhat » 2017/03/03 08:31:59

● xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-02-15 16:53:05 CST; 2 weeks 1 days ago
Process: 29638 ExecStartPre=/sbin/modprobe -q l2tp_ppp (code=exited, status=0/SUCCESS)
Main PID: 29640 (xl2tpd)
CGroup: /system.slice/xl2tpd.service
└─29640 /usr/sbin/xl2tpd -D

Mar 03 16:16:33 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: Can not find tunnel 34446 (refhim=0)
Mar 03 16:16:33 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: network_thread: unable to find call or tunnel to handle packet. call = 17622, tunnel = 34446 Dumping.
Mar 03 16:16:34 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: Can not find tunnel 19803 (refhim=0)
Mar 03 16:16:34 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: network_thread: unable to find call or tunnel to handle packet. call = 11868, tunnel = 19803 Dumping.
Mar 03 16:16:37 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: Can not find tunnel 34446 (refhim=0)
Mar 03 16:16:37 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: network_thread: unable to find call or tunnel to handle packet. call = 17622, tunnel = 34446 Dumping.
Mar 03 16:16:41 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: Can not find tunnel 34446 (refhim=0)
Mar 03 16:16:41 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: network_thread: unable to find call or tunnel to handle packet. call = 17622, tunnel = 34446 Dumping.
Mar 03 16:16:45 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: Can not find tunnel 34446 (refhim=0)
Mar 03 16:16:45 150-95-146-154 xl2tpd[29640]: xl2tpd[29640]: network_thread: unable to find call or tunnel to handle packet. call = 17622, tunnel = 34446 Dumping.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: L2TP cannot connect with my client

Post by TrevorH » 2017/03/03 08:44:40

I've moved your post from the CentOS 6 Networking forum to the CentOS 7 one as "Libreswan 3.15 (netkey) on 3.10.0-514.2.2.el7.x86_64" clearly shows that you're on 7.

Are you using NetworkManager or network? Did you use the NetworkManager GUI to set up your VPN config?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
