Building network-manager-l2tp on Centos 6.9 laptop

Issues related to configuring your network
TypoSpotter
Posts: 15
Joined: 2018/06/25 12:07:10

Re: Building network-manager-l2tp on Centos 6.9 laptop

Post by TypoSpotter » 2018/07/09 13:21:19

Ok, I had other work to do, but I'm back at this now.

I have on my list of things to do:
- when I am at home (and can therefore just plug into the router with a cable) disable NetworkManager and see if I get any success. That is not today unfortunately, but I will try this tomorrow if I get time
- get the log to be more verbose and/or give more logging information
- see if someone at the remote office is able to access the VPN server log

This afternoon, I'm going to focus on getting more logging.

I've added this to the xl2tpd.conf:

Code: Select all

[global]
debug avp = yes
debug network = yes
debug state = yes
debug packet = yes
debug tunnel = yes
I don't seem to be getting any additional logging, either in /var/log/messages or in /var/log/xl2tpd.log (specified in /etc/ppp/options.l2tpd.client)

Today I am NOT modprobing pppol2tp. I notice that the /var/log/xl2tpd.log output is different with and without modprobing, but I'm not sure it is significant.

The xl2tp.log output with modprobe pppol2tp looks like this:

Code: Select all

using channel 31
Using interface ppp0
Connect: ppp0 <--> 
Overriding mtu 1500 to 1410
PPPoL2TP options: debugmask 0
Overriding mru 1500 to mtu value 1410
sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic 0x6c9617f1>]
Terminating on signal 15
sent [LCP TermReq id=0x2 "User request"]
sent [LCP TermReq id=0x3 "User request"]
Connection terminated.
Modem hangup
Without modprobing the xl2tpd.log output looks more like this:

Code: Select all

using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <magic 0xf117567> <pcomp> <accomp>]
Terminating on signal 15
Modem hangup
Connection terminated.
Today my /var/log/messages looks like this (sometimes the call is established, but when it is the connection is terminated):

Code: Select all

Jul  9 14:14:18 HOSTNAME xl2tpd[4268]: Connecting to host WORKIPADDRESS, port 1701
Jul  9 14:14:49 HOSTNAME xl2tpd[4268]: Maximum retries exceeded for tunnel 51194.  Closing.
Jul  9 14:14:49 HOSTNAME xl2tpd[4268]: Connection 0 closed to WORKIPADDRESS, port 1701 (Timeout)
Jul  9 14:15:20 HOSTNAME xl2tpd[4268]: Will redial in 30 seconds
Jul  9 14:15:50 HOSTNAME xl2tpd[4268]: Connecting to host WORKIPADDRESS, port 1701
Jul  9 14:15:50 HOSTNAME xl2tpd[4268]: Connection established to WORKIPADDRESS, 1701.  Local: 8406, Remote: 12 (ref=0/0).
Jul  9 14:15:50 HOSTNAME xl2tpd[4268]: Calling on tunnel 8406
Jul  9 14:15:50 HOSTNAME xl2tpd[4268]: Call established with WORKIPADDRESS, Local: 45061, Remote: 1610, Serial: 3 (ref=0/0)
Jul  9 14:15:50 HOSTNAME pppd[4415]: Warning: can't open options file /root/.ppprc: Permission denied
Jul  9 14:15:50 HOSTNAME pppd[4415]: pppd 2.4.5 started by USER, uid 0
Jul  9 14:15:50 HOSTNAME pppd[4415]: Using interface ppp0
Jul  9 14:15:50 HOSTNAME pppd[4415]: Connect: ppp0 <--> /dev/pts/1
Jul  9 14:15:50 HOSTNAME xl2tpd[4268]: control_finish: Connection closed to WORKIPADDRESS, serial 3 ()
Jul  9 14:15:50 HOSTNAME pppd[4415]: Modem hangup
Jul  9 14:15:50 HOSTNAME pppd[4415]: Connection terminated.
Jul  9 14:15:50 HOSTNAME xl2tpd[4268]: control_finish: Connection closed to WORKIPADDRESS, port 1701 (), Local: 8406, Remote: 12
Jul  9 14:15:51 HOSTNAME pppd[4415]: Exit.
Jul  9 14:16:20 HOSTNAME xl2tpd[4268]: Connecting to host WORKIPADDRESS, port 1701
Jul  9 14:16:51 HOSTNAME xl2tpd[4268]: Maximum retries exceeded for tunnel 45903.  Closing.
Jul  9 14:16:51 HOSTNAME xl2tpd[4268]: Connection 0 closed to WORKIPADDRESS, port 1701 (Timeout)
Jul  9 14:17:22 HOSTNAME xl2tpd[4268]: Will redial in 30 seconds
- How do I get more info? (more verbose output or more debug output)

User avatar
TrevorH
Forum Moderator
Posts: 23452
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Building network-manager-l2tp on Centos 6.9 laptop

Post by TrevorH » 2018/07/09 14:00:16

I wonder if you might get better help directly from the libreswan mailing list/irc channel. My knowledge of VPN stops around about the time when I kick it hard enough and it starts working at which point I forget about it until it breaks again :-(
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

TypoSpotter
Posts: 15
Joined: 2018/06/25 12:07:10

Re: Building network-manager-l2tp on Centos 6.9 laptop

Post by TypoSpotter » 2018/07/09 14:41:02

Thanks for your help TrevorH.

I do seem to be learning new things, if anything.

I have worked out how to get debug logs from xl2tpd. If I start it using this command instead of the service xl2tpd start one:

Code: Select all

xl2tpd -D
I get a lot more info:

Code: Select all

xl2tpd[5147]: get_call: allocating new tunnel for host WORKIPADDR, port 1701.
xl2tpd[5147]: Connecting to host WORKIPADDR, port 1701
xl2tpd[5147]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[5147]: control_finish: sending SCCRQ
xl2tpd[5147]: network_thread: recv packet from WORKIPADDR, size = 104, tunnel = 20784, call = 0 ref=0 refhim=0
xl2tpd[5147]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[5147]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5147]: framing_caps_avp: supported peer frames: sync
xl2tpd[5147]: bearer_caps_avp: supported peer bearers: digital
xl2tpd[5147]: firmware_rev_avp: peer reports firmware version 1280 (0x0500)
xl2tpd[5147]: hostname_avp: peer reports hostname 'SERVER '
xl2tpd[5147]: vendor_avp: peer reports vendor 'DrayTek, l2tp'
xl2tpd[5147]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[5147]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
xl2tpd[5147]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 12, call is 0.
xl2tpd[5147]: control_finish: sending SCCCN
xl2tpd[5147]: Connection established to WORKIPADDR, 1701.  Local: 20784, Remote: 12 (ref=0/0).
xl2tpd[5147]: Calling on tunnel 20784
xl2tpd[5147]: control_finish: message type is (null)(0).  Tunnel is 12, call is 0.
xl2tpd[5147]: control_finish: sending ICRQ
xl2tpd[5147]: network_thread: recv packet from WORKIPADDR, size = 28, tunnel = 20784, call = 46359 ref=0 refhim=0
xl2tpd[5147]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[5147]: assigned_call_avp: using peer's call 1653
xl2tpd[5147]: control_finish: message type is Incoming-Call-Reply(11).  Tunnel is 12, call is 1653.
xl2tpd[5147]: control_finish: Sending ICCN
xl2tpd[5147]: Call established with WORKIPADDR, Local: 46359, Remote: 1653, Serial: 1 (ref=0/0)
xl2tpd[5147]: network_thread: recv packet from WORKIPADDR, size = 38, tunnel = 20784, call = 46359 ref=0 refhim=0
xl2tpd[5147]: message_type_avp: message type 14 (Call-Disconnect-Notify)
xl2tpd[5147]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
xl2tpd[5147]: assigned_call_avp: using peer's call 1653
xl2tpd[5147]: control_finish: message type is Call-Disconnect-Notify(14).  Tunnel is 12, call is 1653.
xl2tpd[5147]: control_finish: Connection closed to WORKIPADDR, serial 1 ()
xl2tpd[5147]: network_thread: recv packet from WORKIPADDR, size = 38, tunnel = 20784, call = 0 ref=0 refhim=0
xl2tpd[5147]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
xl2tpd[5147]: assigned_tunnel_avp: using peer's tunnel 12
xl2tpd[5147]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
xl2tpd[5147]: control_finish: message type is Stop-Control-Connection-Notification(4).  Tunnel is 12, call is 0.
xl2tpd[5147]: control_finish: Connection closed to WORKIPADDR, port 1701 (), Local: 20784, Remote: 12
xl2tpd[5147]: build_fdset: closing down tunnel 20784
xl2tpd[5147]: network_thread: select returned error 4 (Interrupted system call)
xl2tpd[5147]: network_thread: select timeout
What it all means is another matter.
I'm going to go away and see where I get with this. But yes I will consider the mailing list/irc channel (but surely the xl2tpd one rather than the libreswan one?) if I don't get anywhere.

I've also been googling MTU, and perhaps I just have it set too high. I have problems even when connecting from Windows (getting disconnected regularly). Either the server or the internet connection to it might not be capable of handling the traffic. But I don't fully understand this, so I might well be talking a load of nonsense.

User avatar
TrevorH
Forum Moderator
Posts: 23452
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Building network-manager-l2tp on Centos 6.9 laptop

Post by TrevorH » 2018/07/09 15:00:04

If it helps any, my MTU defaults and is set to 1400
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

TypoSpotter
Posts: 15
Joined: 2018/06/25 12:07:10

Re: Building network-manager-l2tp on Centos 6.9 laptop

Post by TypoSpotter » 2018/07/09 15:43:05

This link is helpful for working out what the MTU should be:
https://www.draytek.com/es/faq/faq-conn ... my-router/

Except that the ping commands are in Windows syntax.

In Linux, -s (not -l) defines packet size, and "don't fragment" is the default option (so no -f, which means something different in Linux).

Code: Select all

ping 8.8.8.8 -s 1440
You can keep increasing the packet size until nothing comes back. I found I could go up to 1464 from a computer based at the remote office, and somewhat higher (about 1492 or thereabouts) from this Centos laptop. It suggests that 1410 in my file should have been ok.

However, I have found that when I ping while simultaneously having the laptop try to dial-in to the VPN (at any packet size), I am losing packets.

TypoSpotter
Posts: 15
Joined: 2018/06/25 12:07:10

Re: Building network-manager-l2tp on Centos 6.9 laptop

Post by TypoSpotter » 2018/09/04 13:32:59

A bit of an update:
I never got L2TP/IPSec working. I did notice that I was getting different results depending on whether I used: the client office's guest wi-fi network, my mobile hotspot wi-fi network, my home wi-fi. (My home wi-fi giving the best results but still failing.) At some point I was going to try to understand the L2TP control packets and try to work out the details of what went wrong, but just never got round to it.

All the remote Windows users (including myself) were having problems with the L2TP/IPSec VPN: we all were regularly being disconnected, several times a day. The IT support company upgraded the DrakTek router and did some other things and eventually just switched over to SSL VPN.

Great for Windows. But I am now back to square one with both Centos and Ubuntu. It is not so obvious how to connect to SSL VPN servers on Linux. But I guess it is not libreswan and xl2tpd.

(I have tried SoftEther, but I have noticed that while the SoftEther server does SSL, I can't seem to find anything in the client to tell it to use SSL. I looked at Fortinet client, but quickly realised it only connects to Fortigate servers. Draytek provides SmartVPN clients for Windows, Mac OS, iOS, and Android, but not Linux.)

Post Reply