OpenWrt Forum Archive

Topic: L2TP over IPsec with PSK using racoon/xl2tpd

The content of this topic has been archived between 26 Mar 2018 and 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

@morganfw

Can you verify the patch was installed correctly?  You can verify by checking for the existence of the following  file in your OpenWRT source tree:

  ".../trunk/package/network/services/ppp/patches/501-save_arg_for_o_special_OPT_A2STRVAL.patch"

I'm guessing you are using a patched version of "ipsec-tools" (not what exists in trunk).   If this is true, can you provide a link to the source you are using so I can build it for my architecture?

FWIW, I updated my options.xl2tpd file to use the parameters you are using (my VPN uses openswan instead of racoon); and I'm able to connect just fine with the "dump" option set.

Nathan

@nlh
I think patch is correctly installed:

$ less trunk/package/network/services/ppp/patches/501-save_arg_for_o_special_OPT_A2STRVAL.patch
--- /dev/null
+++ package/network/services/ppp/patches/501-save_arg_for_o_special_OPT_A2STRVAL.patch
@@ -0,0 +1,20 @@
+--- a/pppd/options.c
++++ b/pppd/options.c
+@@ -809,7 +809,16 @@ process_option(opt, cmd, argv)
+       parser = (int (*) __P((char **))) opt->addr;
+       if (!(*parser)(argv))
+           return 0;
+-      if (opt->flags & OPT_A2LIST) {
++      if (opt->flags & OPT_A2STRVAL) {
++          if (opt->flags & OPT_STATIC) {
++              strlcpy((char *)(opt->addr2), *argv, opt->upper_limit);
++          } else {
++              sv = strdup(*argv);
++              if (sv == NULL)
++                  novm("option argument");
++              *(char **)(opt->addr2) = sv;
++          }
++      } else if (opt->flags & OPT_A2LIST) {
+           struct option_value *ovp, *pp;
+
+           ovp = malloc(sizeof(*ovp) + strlen(*argv));

I'm using ipsec-tools source package provided by OpenWrt trunk svn

$ head -1 trunk/feeds.conf.default
src-svn packages svn://svn.openwrt.org/openwrt/packages

and stored on source tree

trunk/dl/ipsec-tools-0.8.1.tar.bz2

On my router Netgear WNDR3700

--> # racoon -V
@(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)

Compiled with:
- OpenSSL 1.0.1f 6 Jan 2014 (http://www.openssl.org/)
- IPv6 support
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- NAT Traversal
- Admin port
- Monotonic clock

--> # xl2tpd -v

xl2tpd version:  xl2tpd-1.3.1

--> # which racoon
/usr/sbin/racoon

--> # which xl2tpd
/usr/sbin/xl2tpd

@morganfw

I finally got racoon configured, and am able to reproduce the crash without the patch.  With the patch, the crash no longer occurs.  I can only suggest that you clean the package first to make sure it gets rebuilt (as the patch didn't roll the version # on ppp).  You can just clean and re-build ppp; then scp the package to your router and install it to try it out.  Please try:

  make package/network/services/ppp/{clean,install}
  scp bin/<arch>/ppp_2.4.5-10_<arch>.ipk root@<router-ip>:/tmp/
  ssh -l root <router-ip>
  opkg install /tmp/ppp_2.4.5-10_<arch>.ipk

If this works, I'll re-submit the patch with a version # roll.

@morganfw

I may have found another related problem in pppd; try replacing the previous patch with this (in packages/network/services/ppp/patches).  I corrected a missing parameter in one of the calls to "printer" (wasn't causing a problem for me, but could be what is causing it to crash for you). (Be sure to include the last line that just has a single space in it).

--- a/pppd/options.c
+++ b/pppd/options.c
@@ -809,7 +809,16 @@ process_option(opt, cmd, argv)
     parser = (int (*) __P((char **))) opt->addr;
     if (!(*parser)(argv))
         return 0;
-    if (opt->flags & OPT_A2LIST) {
+    if (opt->flags & OPT_A2STRVAL) {
+        if (opt->flags & OPT_STATIC) {
+        strlcpy((char *)(opt->addr2), *argv, opt->upper_limit);
+        } else {
+        sv = strdup(*argv);
+        if (sv == NULL)
+            novm("option argument");
+        *(char **)(opt->addr2) = sv;
+        }
+    } else if (opt->flags & OPT_A2LIST) {
         struct option_value *ovp, *pp;
 
         ovp = malloc(sizeof(*ovp) + strlen(*argv));
@@ -994,7 +1003,7 @@ print_option(opt, mainopt, printer, arg)
             p = (char *) opt->addr2;
             if ((opt->flags & OPT_STATIC) == 0)
                 p = *(char **)p;
-            printer("%q", p);
+            printer(arg, "%q", p);
         } else if (opt->flags & OPT_A2LIST) {
             struct option_value *ovp;
 

(Last edited by nlh on 4 Apr 2014, 09:38)

morganfw wrote:

@nlh
I think patch is correctly installed:

After looking at this more closely, it doesn't look like the original patch was installed correctly.  That patch was meant to be applied to your tree (as are most on patchwork); so you should have done something like this:

  cd <...>/trunk
  wget -O tmp.patch http://patchwork.openwrt.org/patch/3245/raw/
  patch -p 0 < tmp.patch
  rm tmp.patch

You'd probably need to remove the previous patch file first if you were to try installing it again.

nlh wrote:
morganfw wrote:

@nlh
I think patch is correctly installed:

After looking at this more closely, it doesn't look like the original patch was installed correctly.  That patch was meant to be applied to your tree (as are most on patchwork); so you should have done something like this:

  cd <...>/trunk
  wget -O tmp.patch http://patchwork.openwrt.org/patch/3245/raw/
  patch -p 0 < tmp.patch
  rm tmp.patch

You'd probably need to remove the previous patch file first if you were to try installing it again.

@nlh
I've removed old patch, applied new with commands issued by you, I've rebuilds ppp, scped and reinstalled on my router, now VPN works fine also with dump options.

Thx a lot nlh for support! smile

morganfw wrote:

...

start() {
        wan_ip="$(uci get network.wan.ipaddr)"
        mkdir -m 0700 -p /var/racoon
       [ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/ipsec.conf
        /etc/setkey.conf $wan_ip
        service_start /usr/sbin/racoon -f /etc/racoon.conf
}

This does not work. wan_ip will get an error when starting racoon ("uci: Entry not found"). At least when the wan port is using dhcp. I still use the following start() from arokh:

start() {
        . /lib/functions/network.sh
        network_get_ipaddr wan_ip wan

        [ -x /etc/setkey.conf ] && /etc/setkey.conf $wan_ip

        test -d /var/racoon || mkdir /var/racoon

        service_start /usr/sbin/racoon -f /etc/racoon.conf
}

which works fine. My next compile will also use the patch form nlh to make dump work without crashes, I will let you know.

Update: I worked it out.

I shut down the racoon service (left xl2tpd running):

/etc/init.d/racoon stop

I start up racoon in foreground mode to see what was going on:

racoon -d -v -F -f /etc/racoon.conf

I kept seeing the following error:

DEBUG: invalid length of payload

I looked it up and found a hint to double-check the PSK. Sure enough I'd accidentally added a space on the end when editing it in vi.

Restarted and it connected fine.

**Original**

I'm not able to get this to work with arokh's Optimized Build for WNDR3700. I try to connect using my iPhone and get the following error. Any ideas why phase 1 cannot complete...?

Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: respond new phase 1 negotiation: <routerIP>[500]<=><iPhoneIP>[39953]
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: begin Identity Protection mode.
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: RFC 3947
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

Tue Aug  5 21:31:45 2014 daemon.info racoon: [<routerIP>] INFO: Hashing <routerIP>[500] with algo #2 
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: NAT-D payload #0 verified
Tue Aug  5 21:31:45 2014 daemon.info racoon: [<iPhoneIP>] INFO: Hashing <iPhoneIP>[39953] with algo #2 
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: NAT-D payload #1 doesn't match
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: NAT detected: PEER
Tue Aug  5 21:31:45 2014 daemon.info racoon: [<iPhoneIP>] INFO: Hashing <iPhoneIP>[39953] with algo #2 
Tue Aug  5 21:31:45 2014 daemon.info racoon: [<routerIP>] INFO: Hashing <routerIP>[500] with algo #2 
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Tue Aug  5 21:31:45 2014 daemon.info racoon: [<iPhoneIP>] ERROR: couldn't find the pskey for <iPhoneIP>.
Tue Aug  5 21:31:45 2014 daemon.info racoon: [<iPhoneIP>] NOTIFY: Using default PSK.
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: NAT-T: ports changed to: <iPhoneIP>[44957]<-><routerIP>[4500]
Tue Aug  5 21:31:45 2014 daemon.info racoon: INFO: KA list add: <routerIP>[4500]-><iPhoneIP>[44957]
Tue Aug  5 21:32:35 2014 daemon.info racoon: ERROR: phase1 negotiation failed due to time up. 0e5958bdca4c853a:a9a94e19a14242c3
Tue Aug  5 21:32:35 2014 daemon.info racoon: INFO: KA remove: <routerIP>[4500]-><iPhoneIP>[44957]

(Last edited by kop48 on 6 Aug 2014, 07:51)

Anyone still using this? I am smile

I just tried to get Racoon running again after support for UCI configuration was added to trunk (https://github.com/openwrt/packages/com … 6dbb5982b5)

I managed to get it working, but I needed to hack the startup file a lot. This is what I did:

Add the following configuration to /etc/config/racoon:

#/etc/config/racoon
#
# Copyright 2015 Vitaly Protsko <villy@sft.ru>

# * WARNING: this is "not working" example
# * Defaults are commented out
# * Resuting config will appear in /var/racoon/

config racoon
        option  debug           0
        option  ext_zone        'wan'
        option  int_zone        'lan'
        option  port            500
        option  natt_port       4500
        option  ipversion       4

# WARNING:      Only ONE tunnel with remote anonymous
#               can be configured and it can have only
#               ONE sainfo. Otherwise resulting racoon
#               configuration will be unusable
config tunnel 'Incoming'
        option enabled          '1'
        option remote           'anonymous'
        option pre_shared_key   'my_own_psk'
#psk is put in /var/racoon/psk.txt automatically
        option exchange_mode    'main'
        option prop_check       'obey'
        list p1_proposal        'anon_p1prop'
        list sainfo             'anon_sainf'

config p1_proposal 'anon_p1prop'
        option enc_alg          '3des'
        option hash_alg         'sha1'
        option auth_method      'pre_shared_key'
        option dh_group         '2'

config p2_proposal 'anon_p2prop'
        option enc_alg          'aes'
        option auth_alg         'hmac_sha1'
#       option comp_alg         'deflate' #is default

config sainfo 'anon_sainf'
        option p2_proposal      'anon_p2prop'

Next, I changed the following to /etc/init.d/racoon:

setup_sa():
Line 132, I believe this is a logic error:

- if [ -z "$client" ]; then
+ if [ ! -z "$client" ]; then

Then, comment out lines 168 to 190 (I don't want any of these in racoon.conf, and they give errors on startup

#  if [ "$remote" = "anonymous" ]; then
#    echo -e "mode_cfg {\n  auth_source system;\n  conf_source local;" >> $conf
#
#    config_get data "$1" dns4
#    test -n "$data" && echo "  dns4 $data;" >> $conf
#    config_get data "$1" defdomain
#    test -n "$data" && echo "  default_domain \"$data\";" >> $conf
#
#    data=${remnet%/*}
#    let "data=${data##*.}+1"
#    echo "  network4 ${remnet%.*}.$data;" >> $conf
#
#    let "data=255<<(24-${remnet#*/}+8)&255"
#    echo "  netmask4 255.255.255.$data;" >> $conf
#
#    echo -e "  split_network include $locnet;\n}" >> $conf
#
#  elif [ -z "$client" ]; then
#    manage_sa add $locnet $remnet $remote
#    test $? -gt 0 -o $errno -gt 0 && return $errno
#
#    manage_fw add $confIntZone $confExtZone $remnet
#  fi

setup_tunnel() is next:
I don't want peers_identifier in racoon.conf, so comment out line 246, and change line 250 to no_op:

#    echo -n "  peers_identifier " >> $conf
  fi

  if [ "$remote" = "anonymous" ]; then
    echo
  else

Finally, add the old behavior of 'setkey.conf' back to start_service(). I added it after line 425:

  config_foreach wait4wanzone racoon
  if [ $? -gt 0 ] || [ $errno -gt 0 ]; then
    $log "No active interfaces in $confExtZone zone found, exiting"
    exit $errno
  fi

# added to get setkey.conf working
  . /lib/functions/network.sh
  network_get_ipaddr wan_ip wan
  [ -x /etc/setkey.conf ] && /etc/setkey.conf $wan_ip

Of course, add /etc/setkey.conf as described in the first post in this topic.
After that, racoon starts up with a config that looks somewhat like the first post in this topic smile

I haven't checked the firewall rules though (they are added by the racoon startup script as well now), and there are some errors when shutting down racoon.

So, that's a lot of hacking, and I believe there are lots of bugs and improvements needed in the new racoon startup script. Still deciding on what to put in the bug report. But my VPN is working again!

strongSwan is where it's at bro, it supports IKEv2 and is faster/more secure/better in every way smile You don't even need l2tp.

Have a look at my config:

config setup
    uniqueids=never

conn %default
    auto=add
    dpdaction=clear
    left=%any
    leftsubnet=0.0.0.0/0
    rightdns=192.168.1.1
    rightsourceip=10.1.3.0/24
    right=%any

conn ikev1
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth

conn ikev2
    keyexchange=ikev2
    leftid=hostname.dyndns.org
    leftsendcert=always
    leftcert=serverCert.pem
    leftauth=pubkey
    rightauth=eap-mschapv2

Some other pieces like a vpn zone and certificates need to be in place but it's quite easy to set up and works great. racoon/ipsec-tools rarely sees new releases any more and seems more like legacy software.

(Last edited by arokh on 21 Jul 2015, 02:25)

Anyone still got this working with version 15.05? Maybe someone can help me out? Waiting for the reply... topic is old so i hope someone still get this to work.

This is the logging:

Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: begin Identity Protection mode.
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: received Vendor ID: RFC 3947
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: received Vendor ID: FRAGMENTATION
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: [yyy.yyy.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: ERROR: invalid DH group 20.
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: ERROR: invalid DH group 19.
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2 
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: NAT-D payload #0 verified
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2 
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: NAT-D payload #1 doesn't match
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: NAT detected: PEER
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2 
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2 
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: Adding remote and local NAT-D payloads.
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: [yyy.yyy.yyy.yyy] ERROR: couldn't find the pskey for yyy.yyy.yyy.yyy.
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: [yyy.yyy.yyy.yyy] NOTIFY: Using default PSK.
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: NAT-T: ports changed to: yyy.yyy.yyy.yyy[4500]<->xxx.xxx.xxx.xxx[4500]
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: KA list add: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:eba5ffdae73725b9:d1601485f45ffd4f
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>yyy.yyy.yyy.yyy[4500]
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: no policy found, try to generate the policy : 192.168.122.101/32[1701] xxx.xxx.xxx.xxx/32[1701] proto=udp dir=in
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: Adjusting my encmode UDP-Transport->Transport
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500] spi=124609881(0x76d6559)
Mon Jun 13 10:27:38 2016 daemon.info racoon: 2016-06-13 10:27:38: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500] spi=1589133704(0x5eb84188)
Mon Jun 13 10:27:39 2016 daemon.debug xl2tpd[1905]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Mon Jun 13 10:27:41 2016 daemon.debug xl2tpd[1905]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Mon Jun 13 10:27:43 2016 daemon.notice xl2tpd[1905]: Maximum retries exceeded for tunnel 22403.  Closing.
Mon Jun 13 10:27:43 2016 daemon.info xl2tpd[1905]: Connection 4 closed to yyy.yyy.yyy.yyy, port 1701 (Timeout)
Mon Jun 13 10:27:45 2016 daemon.debug xl2tpd[1905]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Mon Jun 13 10:27:48 2016 daemon.debug xl2tpd[1905]: Unable to deliver closing message for tunnel 22403. Destroying anyway.
Mon Jun 13 10:27:58 2016 daemon.notice xl2tpd[1905]: Maximum retries exceeded for tunnel 63019.  Closing.
Mon Jun 13 10:27:58 2016 daemon.info xl2tpd[1905]: Connection 4 closed to yyy.yyy.yyy.yyy, port 1701 (Timeout)
Mon Jun 13 10:28:03 2016 daemon.debug xl2tpd[1905]: control_finish: Peer requested tunnel 4 twice, ignoring second one.
Mon Jun 13 10:28:03 2016 daemon.debug xl2tpd[1905]: Unable to deliver closing message for tunnel 63019. Destroying anyway.
Mon Jun 13 10:28:13 2016 daemon.info racoon: 2016-06-13 10:28:13: INFO: deleting a generated policy.
Mon Jun 13 10:28:13 2016 daemon.info racoon: 2016-06-13 10:28:13: INFO: purged IPsec-SA proto_id=ESP spi=1589133704.
Mon Jun 13 10:28:13 2016 daemon.info racoon: 2016-06-13 10:28:13: INFO: ISAKMP-SA expired xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:eba5ffdae73725b9:d1601485f45ffd4f
Mon Jun 13 10:28:13 2016 daemon.info racoon: 2016-06-13 10:28:13: INFO: ISAKMP-SA deleted xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:eba5ffdae73725b9:d1601485f45ffd4f
Mon Jun 13 10:28:13 2016 daemon.info racoon: 2016-06-13 10:28:13: INFO: KA remove: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]

(Last edited by Martijn85 on 15 Jun 2016, 10:31)

Thanks for arokh's tutorial.

(Last edited by caisepen on 6 Jul 2016, 16:28)

The discussion might have continued from here.