It's l2tpd...


Alex
----- Original Message ----- 
From: "Cressatti, Dominique" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 25, 2003 7:43 PM
Subject: RE: l2tpd & Cisco (either a bug in l2tpd , either in Cisco)


Which version are you using?
Plain l2tpd or rp-l2tp?
While I prefer l2tpd (and use it in production),
I know that though rp-l2tp lacks many features
that l2tpd has, rp-l2tp is better coded (though
the code makes heavy use of OOP and is not easy
for a casual C coder to understand).

If you don't use it, maybe you should give
rp-l2tp a go.

Dom

>  -----Original Message-----
> From: Alexandru Coseru [mailto:[EMAIL PROTECTED]
> Sent: 25 September 2003 17:27
> To: [EMAIL PROTECTED]
> Subject: l2tpd & Cisco   (either a bug in l2tpd , either in Cisco)
>
> I've traced the packets with tcpdump..
> A serious challenge problem occurred... Actually, it seems that l2tpd
> doesn't send a correct packet, or Cisco doesn't recognize it..
>
>
> Here is the dump with linux on my box:
>
>
> 20:38:57.714971 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP()
*BEARER_CAP() |...
> 20:38:57.719261 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
> 20:38:58.723563 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
> 20:38:59.708557 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP()
*BEARER_CAP() |...
> 20:38:59.711237 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=0,Nr=1 ZLB (DF)
> 20:38:59.723544 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
> 20:39:00.723590 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
> 20:39:01.723630 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS)
*BEARER_CAP() |... (DF)
> 20:39:02.733793 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9650)
*RESULT_CODE(1/0 Timeout) (DF)
> 20:39:03.719606 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9055) |...
> 20:39:03.743539 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9650)
*RESULT_CODE(1/0 Timeout) (DF)
> 20:39:04.743571 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9650)
*RESULT_CODE(1/0 Timeout) (DF)
> 20:39:05.743643 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9650)
*RESULT_CODE(1/0 Timeout) (DF)
> 20:39:06.743656 193.138.97.25.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](9055/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(9650)
*RESULT_CODE(1/0 Timeout) (DF)
>
> Now, when I've replaced my Linux box with a Cisco AS5300:
>
>
>
> 18:10:08.415406 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP()
*BEARER_CAP() |...
> 18:10:08.417991 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](19412/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP()
*BEARER_CAP() |... [tos 0xc0]
> 18:10:08.488531 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[TLS](39348/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
*CHALLENGE_RESP(570bb6ffbd772b4312fe940f83eea853)
> 18:10:08.488549 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[TLS](39348/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(1988)
*CALL_SER_NUM(334101314) *BEARER_TYPE() |...
> 18:10:08.489931 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](19412/0)Ns=1,Nr=2 ZLB [tos 0xc0]
> 18:10:08.490749 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](19412/1988)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(17) [tos 0xc0]
> 18:10:08.564244 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[TLS](39348/17)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(0)
*FRAMING_TYPE(S) |...
> 18:10:08.565959 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[TLS](19412/0)Ns=2,Nr=4 ZLB [tos 0xc0]
> 18:10:08.702892 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Succ(1), Msg=}
> 18:10:08.703099 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Conf-Req(1), IP-Comp VJ-Comp, IP-Addr=93.38.97.39}
> 18:10:08.703261 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Conf-Req(1), MPPC}
> 18:10:08.914152 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {Conf-Req(4), MPPC}
> 18:10:08.915455 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Conf-Ack(4), MPPC}
> 18:10:08.973531 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {Conf-Req(5), IP-Comp VJ-Comp, IP-Addr=0.0.0.0,
Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0}
> 18:10:08.978174 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Conf-Rej(5), Pri-NBNS=0.0.0.0, Sec-NBNS=0.0.0.0}
> 18:10:09.014178 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {Conf-Ack(1), MPPC}
> 18:10:09.214760 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {Conf-Req(6), IP-Comp VJ-Comp, IP-Addr=0.0.0.0,
Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0}
> 18:10:09.216125 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Conf-Nak(6), IP-Addr=193.138.97.50,
Pri-DNS=93.38.97.33, Sec-DNS=distinct}
> 18:10:09.474985 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {Conf-Req(7), IP-Comp VJ-Comp, IP-Addr=93.38.97.50,
Pri-DNS=93.38.97.33, Sec-DNS=distinct}
> 18:10:09.476485 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Conf-Ack(7), IP-Comp VJ-Comp, IP-Addr=93.38.97.50,
Pri-DNS=93.38.97.33, Sec-DNS=distinct}
> 18:10:10.314644 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {}
> 18:10:10.535429 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {}
> 18:10:10.701403 93.38.97.39.l2tp > cdma-3g1x-176-105.zappmobile.ro.l2tp:
l2tp:[L](19412/1988) {Conf-Req(2), IP-Comp VJ-Comp, IP-Addr=93.38.97.39}
> 18:10:10.735067 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {}
> 18:10:10.735074 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {}
> 18:10:10.735081 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {}
> 18:10:10.955555 cdma-3g1x-176-105.zappmobile.ro.l2tp > 93.38.97.39.l2tp:
l2tp:[O](39348/17) {Conf-Req(8), IP-Comp VJ-Comp, IP-Addr=93.38.97.50,
Pri-DNS=93.38.97.33, Sec-DNS=distinct}
>
> From what I can see, there is a challenge problem....
>
> Does anybody know something?
>
> Regards
>     Alex
>
> ----- Original Message ----- 
> From: Alexandru Coseru <mailto:[EMAIL PROTECTED]>
> To:
> Sent: Thursday, September 25, 2003 4:45 PM
> Subject: l2tpd & Cisco
>
>
> Hello ..
>
> I'm having some trouble with a Cisco..
> It seems that the Cisco is not receiving what I'm sending (I've looked with
> tcpdump and the packets are going in the right direction)... It keeps
> retrying until it gets disconnected...
>
> Can anybody give me some hints?
>
>
>
> Regards
> Alex
>
>
> Here is the debug part..
>
>
> Sep 25 17:52:01 distinct l2tpd[7108]: This binary does not support kernel
L2TP.
> Sep 25 17:52:01 distinct l2tpd[7108]: l2tpd version 0.69 started on
distinct PID:7108
> Sep 25 17:52:01 distinct l2tpd[7108]: Written by Mark Spencer, Copyright
(C) 1998, Adtran, Inc.
> Sep 25 17:52:01 distinct l2tpd[7108]: Forked by Scott Balmos and David
Stipp, (C) 2001
> Sep 25 17:52:01 distinct l2tpd[7108]: Inhereted by Jeff McAdams, (C) 2002
> Sep 25 17:52:01 distinct l2tpd[7108]: Linux version 2.4.19-16mdk on a
i686, port 1701
> Sep 25 17:52:12 distinct l2tpd[7108]: ourtid = 57158, entropy_buf = df46
> Sep 25 17:52:12 distinct l2tpd[7108]: check_control: control, cid = 0, Ns
= 0, Nr = 0
> Sep 25 17:52:12 distinct l2tpd[7108]: handle_avps: handling avp's for
tunnel 57158, call 0
> Sep 25 17:52:12 distinct l2tpd[7108]: message_type_avp: message type 1
(Start-Control-Connection-Request)
> Sep 25 17:52:12 distinct l2tpd[7108]: protocol_version_avp: peer is using
version 1, revision 0.
> Sep 25 17:52:12 distinct l2tpd[7108]: framing_caps_avp: supported peer
frames:
> Sep 25 17:52:12 distinct l2tpd[7108]: bearer_caps_avp: supported peer
bearers:
> Sep 25 17:52:12 distinct l2tpd[7108]: firmware_rev_avp: peer reports
firmware version 4400 (0x1130)
> Sep 25 17:52:12 distinct l2tpd[7108]: hostname_avp: peer reports hostname
'bu-psd1'
> Sep 25 17:52:12 distinct l2tpd[7108]: vendor_avp: peer reports vendor
'Cisco Systems, Inc.\200^H'
> Sep 25 17:52:12 distinct l2tpd[7108]: assigned_tunnel_avp: using peer's
tunnel 26108
> Sep 25 17:52:12 distinct l2tpd[7108]: receive_window_size_avp: peer wants
RWS of 20050.  Will use flow control.
> Sep 25 17:52:12 distinct l2tpd[7108]: challenge_avp: challenge avp found
> Sep 25 17:52:13 distinct l2tpd[7108]: ourtid = 6617, entropy_buf = 19d9
> Sep 25 17:52:13 distinct l2tpd[7108]: check_control: control, cid = 0, Ns
= 0, Nr = 0
> Sep 25 17:52:13 distinct l2tpd[7108]: handle_avps: handling avp's for
tunnel 6617, call 0
> Sep 25 17:52:13 distinct l2tpd[7108]: message_type_avp: message type 1
(Start-Control-Connection-Request)
> Sep 25 17:52:13 distinct l2tpd[7108]: protocol_version_avp: peer is using
version 1, revision 0.
> Sep 25 17:52:13 distinct l2tpd[7108]: framing_caps_avp: supported peer
frames:
> Sep 25 17:52:13 distinct l2tpd[7108]: bearer_caps_avp: supported peer
bearers:
> Sep 25 17:52:13 distinct l2tpd[7108]: firmware_rev_avp: peer reports
firmware version 4400 (0x1130)
> Sep 25 17:52:13 distinct l2tpd[7108]: hostname_avp: peer reports hostname
'bu-psd1'
> Sep 25 17:52:13 distinct l2tpd[7108]: vendor_avp: peer reports vendor
'Cisco Systems, Inc.\200^H'
> Sep 25 17:52:13 distinct l2tpd[7108]: assigned_tunnel_avp: using peer's
tunnel 26108
> Sep 25 17:52:13 distinct l2tpd[7108]: receive_window_size_avp: peer wants
RWS of 20050.  Will use flow control.
> Sep 25 17:52:13 distinct l2tpd[7108]: challenge_avp: challenge avp found
> Sep 25 17:52:13 distinct l2tpd[7108]: control_finish: Peer requested
tunnel 26108 twice, ignoring second one.
> Sep 25 17:52:15 distinct l2tpd[7108]: ourtid = 22708, entropy_buf = 58b4
> Sep 25 17:52:15 distinct l2tpd[7108]: ourcid = 61206, entropy_buf = ef16
> Sep 25 17:52:15 distinct l2tpd[7108]: check_control: control, cid = 0, Ns
= 0, Nr = 0
> Sep 25 17:52:15 distinct l2tpd[7108]: handle_avps: handling avp's for
tunnel 22708, call 61206
> Sep 25 17:52:15 distinct l2tpd[7108]: message_type_avp: message type 1
(Start-Control-Connection-Request)
> Sep 25 17:52:15 distinct l2tpd[7108]: protocol_version_avp: peer is using
version 1, revision 0.
> Sep 25 17:52:15 distinct l2tpd[7108]: framing_caps_avp: supported peer
frames:
> Sep 25 17:52:15 distinct l2tpd[7108]: bearer_caps_avp: supported peer
bearers:
> Sep 25 17:52:15 distinct l2tpd[7108]: firmware_rev_avp: peer reports
firmware version 4400 (0x1130)
> Sep 25 17:52:15 distinct l2tpd[7108]: hostname_avp: peer reports hostname
'bu-psd1'
> Sep 25 17:52:15 distinct l2tpd[7108]: vendor_avp: peer reports vendor
'Cisco Systems, Inc.\200^H'
> Sep 25 17:52:15 distinct l2tpd[7108]: assigned_tunnel_avp: using peer's
tunnel 26108
> Sep 25 17:52:15 distinct l2tpd[7108]: receive_window_size_avp: peer wants
RWS of 20050.  Will use flow control.
> Sep 25 17:52:15 distinct l2tpd[7108]: challenge_avp: challenge avp found
> Sep 25 17:52:15 distinct l2tpd[7108]: control_finish: Peer requested
tunnel 26108 twice, ignoring second one.
> Sep 25 17:52:17 distinct l2tpd[7108]: control_xmit: Maximum retries
exceeded for tunnel 57158.  Closing.
> Sep 25 17:52:17 distinct l2tpd[7108]: call_close : Connection 26108 closed
to 180.197.176.105, port 1701 (Timeout)
> Sep 25 17:52:19 distinct l2tpd[7108]: ourtid = 20513, entropy_buf = 5021
> Sep 25 17:52:19 distinct l2tpd[7108]: check_control: control, cid = 0, Ns
= 1, Nr = 0
> Sep 25 17:52:19 distinct l2tpd[7108]: check_control: Received out of order
control packet on tunnel -1 (1 != 0)
> Sep 25 17:52:19 distinct l2tpd[7108]: handle_packet: bad control packet!
> Sep 25 17:52:22 distinct l2tpd[7108]: control_xmit: Unable to deliver
closing message for tunnel 57158. Destroying anyway.
> Sep 25 17:53:34 distinct l2tpd[7108]: death_handler: Fatal signal 2
received
>
> Here is l2tpd.conf
>
>
>  [global]                              ; Global parameters:
>  port = 1701                           ; * Bind to port 1701
>  auth file = l2tp-secrets              ; * Where our challenge secrets are
>  access control = no                   ; * Refuse connections without IP match
>  rand source = dev                     ; Source for entropy for random
> ;                                      ; numbers, options are:
> ;                                      ; dev - reads of /dev/urandom
> ;                                      ; sys - uses rand()
> ;                                      ; egd - reads from egd socket
> ;                                      ; egd is not yet implemented
> ;
>  [lns distinctmedia]                   ; Our fallthrough LNS definition
>  ip range = 192.168.0.1-192.168.0.20   ; * Allocate from this IP range
>  no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
>  ip range = 192.168.0.5                ; * But this one is okay
>  lac = 180.197.176.105                 ; * These can connect as LAC's
>  hidden bit = no                       ; * Use hidden AVP's?
>  refuse pap = yes                      ; * Refuse PAP authentication
>  refuse chap = no                      ; * Refuse CHAP authentication
>  ppp debug = yes                       ; * Turn on PPP debugging
>  call rws = -1                         ; * RWS for call (-1 is valid)
>  tunnel rws = 14                       ; * RWS for tunnel (must be > 0)
>  flow bit = yes                        ; * Include sequence numbers
>
>


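Added example, not part of the original thread and not l2tpd code: a small Python summary of the tunnel-setup control messages in tcpdump output like the two captures quoted above, showing where each attempt stops. The host names "lac" and "lns", the abridged sample lines and the function name analyse() are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: control lines abridged from the two captures quoted
# above, wrapped lines rejoined, hosts shortened to "lac" and "lns".
FAILING = """\
20:38:57.714971 lac.l2tp > lns.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
20:38:57.719261 lns.l2tp > lac.l2tp: l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
20:38:58.723563 lns.l2tp > lac.l2tp: l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
20:38:59.708557 lac.l2tp > lns.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
20:38:59.711237 lns.l2tp > lac.l2tp: l2tp:[TLS](9055/0)Ns=0,Nr=1 ZLB (DF)
20:38:59.723544 lns.l2tp > lac.l2tp: l2tp:[TLS](9055/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
20:39:02.733793 lns.l2tp > lac.l2tp: l2tp:[TLS](9055/0)Ns=1,Nr=1 *MSGTYPE(StopCCN)
"""
WORKING = """\
18:10:08.415406 lac.l2tp > lns.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
18:10:08.417991 lns.l2tp > lac.l2tp: l2tp:[TLS](19412/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
18:10:08.488531 lac.l2tp > lns.l2tp: l2tp:[TLS](39348/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
18:10:08.488549 lac.l2tp > lns.l2tp: l2tp:[TLS](39348/0)Ns=2,Nr=1 *MSGTYPE(ICRQ)
18:10:08.489931 lns.l2tp > lac.l2tp: l2tp:[TLS](19412/0)Ns=1,Nr=2 ZLB [tos 0xc0]
18:10:08.490749 lns.l2tp > lac.l2tp: l2tp:[TLS](19412/1988)Ns=1,Nr=3 *MSGTYPE(ICRP)
18:10:08.564244 lac.l2tp > lns.l2tp: l2tp:[TLS](39348/17)Ns=3,Nr=2 *MSGTYPE(ICCN)
"""

# One tcpdump L2TP control line: sender, Ns, then a message type or ZLB.
CTRL = re.compile(r"^\S+ (\S+?)\.l2tp > \S+ l2tp:\[TLS\]\(\d+/\d+\)"
                  r"Ns=(\d+),Nr=\d+ (?:\*MSGTYPE\((\w+)\)|(ZLB))")

def analyse(trace):
    """Summarise one tunnel setup attempt from tcpdump control lines."""
    sent = Counter()                    # (sender, Ns, type) -> times seen
    for line in trace.splitlines():
        m = CTRL.match(line)
        if m and not m.group(4):        # ZLB is a bare ack, not a message
            sent[(m.group(1), int(m.group(2)), m.group(3))] += 1
    order = [t for (_, _, t) in sent]   # message types in first-seen order
    # The same sender/Ns/type seen again is a retransmission.
    retx = {f"{who}:{t}": n - 1 for (who, _, t), n in sent.items() if n > 1}
    if "SCCCN" in order:
        verdict = "tunnel established"
    elif "SCCRP" in order:
        verdict = "SCCRP never answered with SCCCN"
    else:
        verdict = "no SCCRP seen"
    return {"order": order, "retransmits": retx, "verdict": verdict}

if __name__ == "__main__":
    for name, trace in (("linux", FAILING), ("cisco", WORKING)):
        print(name, analyse(trace))
```
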