Hi all,
I am using an L2TP/IPsec (transport mode) VPN connection from a client
behind a NAT running Debian with strongswan 5.6.0-2 and xl2tpd
1.3.10-1 to a Cisco Meraki MX60 with a public IP. The connection
works with kernel 4.13 but not with kernel 4.14. With 4.14 the IPsec
connection appears to be established correctly but xl2tpd is unable to
establish the L2TP connection. The relevant error from syslog is:
charon: 09[KNL] creating acquire job for policy 192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f] with reqid {1}
charon: 12[CFG] trap not found, unable to acquire reqid 1
I have bisected the issue to commit c9f3f813d462. I have attached the
client ipsec.conf as well as the syslog during the connection attempt
for both c9f3f813d462 (bad) and cf3796675174 (good). Meraki IPs have
been redacted to protect the innocent.
I'd appreciate any assistance in fixing the issue. Let me know if
there's anything else I can do to help troubleshoot or test.
P.S. Please CC me, as I am not subscribed to netdev@. Thanks!
--
Thanks, | [email protected] | XMPP: [email protected]
Kevin | https://kevinlocke.name | IRC: kevinoid on freenode
conn hcs
# No response for IKEv2 packets. Use IKEv1.
keyexchange=ikev1
# l2tp-over-ipsec is transport mode
# See http://bugs.xelerance.com/view.php?id=466
type=transport
authby=secret
# No response to IKEv1 request with default ike/esp
# These values work
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
left=%defaultroute
leftprotoport=17/1701
right=X.X.X.X
rightprotoport=17/1701
auto=add
Nov 15 08:08:13 kevinolos systemd[1]: Started strongSwan IPsec IKEv1/IKEv2
daemon using ipsec.conf.
Nov 15 08:08:13 kevinolos ipsec[2553]: Starting strongSwan 5.6.0 IPsec
[starter]...
Nov 15 08:08:14 kevinolos kernel: [ 33.300756] NET: Registered protocol
family 15
Nov 15 08:08:14 kevinolos kernel: [ 33.366041] Initializing XFRM netlink
socket
Nov 15 08:08:14 kevinolos charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.6.0, Linux 4.14.0-rc7+, x86_64)
Nov 15 08:08:14 kevinolos charon: 00[CFG] PKCS11 module '<name>' lacks library
path
Nov 15 08:08:14 kevinolos kernel: [ 33.510756] AVX2 or AES-NI instructions
are not detected.
Nov 15 08:08:14 kevinolos kernel: [ 33.561330] alg: No test for
xcbc(camellia) (xcbc(camellia-asm))
Nov 15 08:08:14 kevinolos kernel: [ 33.597914] alg: No test for
rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-aesni))
Nov 15 08:08:14 kevinolos kernel: [ 33.710137] AVX2 instructions are not
detected.
Nov 15 08:08:14 kevinolos charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Nov 15 08:08:14 kevinolos charon: 00[CFG] loaded ca certificate "DC=com,
DC=XXX" from '/etc/ipsec.d/cacerts/hcs.pem'
Nov 15 08:08:14 kevinolos charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Nov 15 08:08:14 kevinolos charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Nov 15 08:08:14 kevinolos charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Nov 15 08:08:14 kevinolos charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 15 08:08:14 kevinolos ipsec[2553]: charon (2579) started after 480 ms
Nov 15 08:08:14 kevinolos charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Nov 15 08:08:14 kevinolos charon: 00[CFG] loaded IKE secret for X.X.X.X %any
Nov 15 08:08:14 kevinolos charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 15 08:08:14 kevinolos charon: 00[CFG] HA config misses local/remote address
Nov 15 08:08:14 kevinolos charon: 00[LIB] loaded plugins: charon test-vectors
ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl
attr kernel-netlink resolve socket-default connmark farp stroke updown
eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls
eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify
certexpire led addrblock unity
Nov 15 08:08:14 kevinolos charon: 00[LIB] dropped capabilities, running as uid
0, gid 0
Nov 15 08:08:14 kevinolos charon: 00[JOB] spawning 16 worker threads
Nov 15 08:08:14 kevinolos charon: 09[CFG] received stroke: add connection 'hcs'
Nov 15 08:08:14 kevinolos charon: 09[CFG] added configuration 'hcs'
Nov 15 08:08:15 kevinolos charon: 04[CFG] received stroke: initiate 'hcs'
Nov 15 08:08:15 kevinolos charon: 06[IKE] initiating Main Mode IKE_SA hcs[1] to
X.X.X.X
Nov 15 08:08:15 kevinolos charon: 06[ENC] generating ID_PROT request 0 [ SA V V
V V V ]
Nov 15 08:08:15 kevinolos charon: 06[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (212 bytes)
Nov 15 08:08:15 kevinolos charon: 05[NET] received packet: from X.X.X.X[500] to
192.168.21.10[500] (156 bytes)
Nov 15 08:08:16 kevinolos charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V
V ]
Nov 15 08:08:16 kevinolos charon: 05[IKE] received XAuth vendor ID
Nov 15 08:08:16 kevinolos charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Nov 15 08:08:16 kevinolos charon: 05[IKE] received DPD vendor ID
Nov 15 08:08:16 kevinolos charon: 05[IKE] received FRAGMENTATION vendor ID
Nov 15 08:08:16 kevinolos charon: 05[ENC] generating ID_PROT request 0 [ KE No
NAT-D NAT-D ]
Nov 15 08:08:16 kevinolos charon: 05[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (244 bytes)
Nov 15 08:08:16 kevinolos charon: 07[NET] received packet: from X.X.X.X[500] to
192.168.21.10[500] (228 bytes)
Nov 15 08:08:16 kevinolos charon: 07[ENC] parsed ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Nov 15 08:08:16 kevinolos charon: 07[IKE] local host is behind NAT, sending
keep alives
Nov 15 08:08:16 kevinolos charon: 07[ENC] generating ID_PROT request 0 [ ID
HASH N(INITIAL_CONTACT) ]
Nov 15 08:08:16 kevinolos charon: 07[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (100 bytes)
Nov 15 08:08:17 kevinolos charon: 08[NET] received packet: from X.X.X.X[4500]
to 192.168.21.10[4500] (92 bytes)
Nov 15 08:08:17 kevinolos charon: 08[ENC] parsed ID_PROT response 0 [ ID HASH V
]
Nov 15 08:08:17 kevinolos charon: 08[IKE] received DPD vendor ID
Nov 15 08:08:17 kevinolos charon: 08[IKE] IKE_SA hcs[1] established between
192.168.21.10[192.168.21.10]...X.X.X.X[X.X.X.X]
Nov 15 08:08:17 kevinolos charon: 08[IKE] scheduling reauthentication in 10245s
Nov 15 08:08:17 kevinolos charon: 08[IKE] maximum IKE_SA lifetime 10785s
Nov 15 08:08:17 kevinolos charon: 08[ENC] generating QUICK_MODE request
288079573 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Nov 15 08:08:17 kevinolos charon: 08[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (356 bytes)
Nov 15 08:08:17 kevinolos charon: 10[NET] received packet: from X.X.X.X[4500]
to 192.168.21.10[4500] (308 bytes)
Nov 15 08:08:17 kevinolos charon: 10[ENC] parsed QUICK_MODE response 288079573
[ HASH SA No KE ID ID NAT-OA NAT-OA ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[DMN] Starting IKE charon daemon
(strongSwan 5.6.0, Linux 4.14.0-rc7+, x86_64)
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] PKCS11 module '<name>' lacks
library path
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loaded ca certificate "DC=com,
DC=XXX" from '/etc/ipsec.d/cacerts/hcs.pem'
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loaded IKE secret for X.X.X.X
%any
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] loaded 0 RADIUS server
configurations
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[CFG] HA config misses local/remote
address
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[LIB] loaded plugins: charon
test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm
curl attr kernel-netlink resolve socket-default connmark farp stroke updown
eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls
eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify
certexpire led addrblock unity
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[LIB] dropped capabilities, running as
uid 0, gid 0
Nov 15 08:08:17 kevinolos ipsec[2553]: 00[JOB] spawning 16 worker threads
Nov 15 08:08:17 kevinolos ipsec[2553]: 09[CFG] received stroke: add connection
'hcs'
Nov 15 08:08:17 kevinolos ipsec[2553]: 09[CFG] added configuration 'hcs'
Nov 15 08:08:17 kevinolos ipsec[2553]: 04[CFG] received stroke: initiate 'hcs'
Nov 15 08:08:17 kevinolos ipsec[2553]: 06[IKE] initiating Main Mode IKE_SA
hcs[1] to X.X.X.X
Nov 15 08:08:17 kevinolos ipsec[2553]: 06[ENC] generating ID_PROT request 0 [
SA V V V V V ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 06[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (212 bytes)
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[NET] received packet: from
X.X.X.X[500] to 192.168.21.10[500] (156 bytes)
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[ENC] parsed ID_PROT response 0 [ SA V
V V V ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[IKE] received XAuth vendor ID
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[IKE] received NAT-T (RFC 3947) vendor
ID
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[IKE] received DPD vendor ID
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[IKE] received FRAGMENTATION vendor ID
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[ENC] generating ID_PROT request 0 [
KE No NAT-D NAT-D ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 05[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (244 bytes)
Nov 15 08:08:17 kevinolos ipsec[2553]: 07[NET] received packet: from
X.X.X.X[500] to 192.168.21.10[500] (228 bytes)
Nov 15 08:08:17 kevinolos ipsec[2553]: 07[ENC] parsed ID_PROT response 0 [ KE
No NAT-D NAT-D ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 07[IKE] local host is behind NAT,
sending keep alives
Nov 15 08:08:17 kevinolos ipsec[2553]: 07[ENC] generating ID_PROT request 0 [
ID HASH N(INITIAL_CONTACT) ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 07[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (100 bytes)
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[NET] received packet: from
X.X.X.X[4500] to 192.168.21.10[4500] (92 bytes)
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[ENC] parsed ID_PROT response 0 [ ID
HASH V ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[IKE] received DPD vendor ID
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[IKE] IKE_SA hcs[1] established
between 192.168.21.10[192.168.21.10]...X.X.X.X[X.X.X.X]
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[IKE] scheduling reauthentication in
10245s
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[IKE] maximum IKE_SA lifetime 10785s
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[ENC] generating QUICK_MODE request
288079573 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Nov 15 08:08:17 kevinolos ipsec[2553]: 08[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (356 bytes)
Nov 15 08:08:17 kevinolos ipsec[2553]: 10[NET] received packet: from
X.X.X.X[4500] to 192.168.21.10[4500] (308 bytes)
Nov 15 08:08:17 kevinolos charon: 10[IKE] CHILD_SA hcs{1} established with SPIs
c7ff3092_i 0f8d840d_o and TS 192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f]
Nov 15 08:08:17 kevinolos charon: 10[ENC] generating QUICK_MODE request
288079573 [ HASH ]
Nov 15 08:08:17 kevinolos charon: 10[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (60 bytes)
Nov 15 08:08:17 kevinolos kernel: [ 36.924216] alg: No test for
echainiv(authenc(hmac(sha1),cbc(des3_ede)))
(echainiv(authenc(hmac(sha1-generic),cbc(des3_ede-generic))))
Nov 15 08:08:18 kevinolos systemd[1]: Starting LSB: layer 2 tunelling protocol
daemon...
Nov 15 08:08:18 kevinolos xl2tpd[2969]: setsockopt recvref[30]: Protocol not
available
Nov 15 08:08:18 kevinolos kernel: [ 37.356110] PPP generic driver version
2.4.2
Nov 15 08:08:18 kevinolos kernel: [ 37.361628] NET: Registered protocol
family 24
Nov 15 08:08:18 kevinolos kernel: [ 37.382853] l2tp_core: L2TP core driver,
V2.0
Nov 15 08:08:18 kevinolos kernel: [ 37.389878] l2tp_netlink: L2TP netlink
interface
Nov 15 08:08:18 kevinolos xl2tpd[2969]: Using l2tp kernel support.
Nov 15 08:08:18 kevinolos xl2tpd[2965]: Starting xl2tpd: xl2tpd.
Nov 15 08:08:18 kevinolos systemd[1]: Started LSB: layer 2 tunelling protocol
daemon.
Nov 15 08:08:18 kevinolos xl2tpd[2982]: xl2tpd version xl2tpd-1.3.10 started on
kevinolos PID:2982
Nov 15 08:08:18 kevinolos xl2tpd[2982]: Written by Mark Spencer, Copyright (C)
1998, Adtran, Inc.
Nov 15 08:08:18 kevinolos xl2tpd[2982]: Forked by Scott Balmos and David Stipp,
(C) 2001
Nov 15 08:08:18 kevinolos xl2tpd[2982]: Inherited by Jeff McAdams, (C) 2002
Nov 15 08:08:18 kevinolos xl2tpd[2982]: Forked again by Xelerance
(www.xelerance.com) (C) 2006-2016
Nov 15 08:08:18 kevinolos xl2tpd[2982]: Listening on IP address 0.0.0.0, port
1701
Nov 15 08:08:18 kevinolos kernel: [ 37.397585] l2tp_ppp: PPPoL2TP kernel
driver, V2.0
Nov 15 08:08:18 kevinolos xl2tpd[2982]: get_call: allocating new tunnel for
host X.X.X.X, port 1701.
Nov 15 08:08:18 kevinolos xl2tpd[2982]: Connecting to host X.X.X.X, port 1701
Nov 15 08:08:18 kevinolos xl2tpd[2982]: control_finish: message type is
(null)(0). Tunnel is 0, call is 0.
Nov 15 08:08:18 kevinolos xl2tpd[2982]: control_finish: sending SCCRQ
Nov 15 08:08:18 kevinolos charon: 09[KNL] creating acquire job for policy
192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f] with reqid {1}
Nov 15 08:08:18 kevinolos charon: 12[CFG] trap not found, unable to acquire
reqid 1
Nov 15 08:08:19 kevinolos xl2tpd[2982]: network_thread: select timeout
Nov 15 08:08:24 kevinolos xl2tpd[2982]: network_thread: select timeout
Nov 15 08:08:28 kevinolos xl2tpd[2982]: network_thread: select timeout
Nov 15 08:08:36 kevinolos xl2tpd[2982]: network_thread: select timeout
Nov 15 08:08:44 kevinolos charon: 05[IKE] sending keep alive to X.X.X.X[4500]
Nov 15 08:08:52 kevinolos xl2tpd[2982]: network_thread: select timeout
Nov 15 08:08:52 kevinolos xl2tpd[2982]: Maximum retries exceeded for tunnel
33232. Closing.
Nov 15 08:08:52 kevinolos xl2tpd[2982]: Connection 0 closed to X.X.X.X, port
1701 (Timeout)
Nov 15 08:08:53 kevinolos xl2tpd[2982]: network_thread: select timeout
Nov 15 08:45:06 kevinolos systemd[1]: Started strongSwan IPsec IKEv1/IKEv2
daemon using ipsec.conf.
Nov 15 08:45:06 kevinolos ipsec[2575]: Starting strongSwan 5.6.0 IPsec
[starter]...
Nov 15 08:45:06 kevinolos kernel: [ 33.001700] NET: Registered protocol
family 15
Nov 15 08:45:06 kevinolos kernel: [ 33.076243] Initializing XFRM netlink
socket
Nov 15 08:45:06 kevinolos charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.6.0, Linux 4.14.0-rc7+, x86_64)
Nov 15 08:45:06 kevinolos charon: 00[CFG] PKCS11 module '<name>' lacks library
path
Nov 15 08:45:06 kevinolos kernel: [ 33.208442] AVX2 or AES-NI instructions
are not detected.
Nov 15 08:45:06 kevinolos kernel: [ 33.258101] alg: No test for
xcbc(camellia) (xcbc(camellia-asm))
Nov 15 08:45:06 kevinolos kernel: [ 33.285984] alg: No test for
rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-aesni))
Nov 15 08:45:07 kevinolos kernel: [ 33.400437] AVX2 instructions are not
detected.
Nov 15 08:45:07 kevinolos charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Nov 15 08:45:07 kevinolos charon: 00[CFG] loaded ca certificate "DC=com,
DC=XXX" from '/etc/ipsec.d/cacerts/hcs.pem'
Nov 15 08:45:07 kevinolos charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Nov 15 08:45:07 kevinolos charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Nov 15 08:45:07 kevinolos charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Nov 15 08:45:07 kevinolos charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 15 08:45:07 kevinolos charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Nov 15 08:45:07 kevinolos charon: 00[CFG] loaded IKE secret for X.X.X.X %any
Nov 15 08:45:07 kevinolos charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 15 08:45:07 kevinolos charon: 00[CFG] HA config misses local/remote address
Nov 15 08:45:07 kevinolos charon: 00[LIB] loaded plugins: charon test-vectors
ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl
attr kernel-netlink resolve socket-default connmark farp stroke updown
eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls
eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify
certexpire led addrblock unity
Nov 15 08:45:07 kevinolos charon: 00[LIB] dropped capabilities, running as uid
0, gid 0
Nov 15 08:45:07 kevinolos charon: 00[JOB] spawning 16 worker threads
Nov 15 08:45:07 kevinolos ipsec[2575]: charon (2601) started after 460 ms
Nov 15 08:45:07 kevinolos charon: 09[CFG] received stroke: add connection 'hcs'
Nov 15 08:45:07 kevinolos charon: 09[CFG] added configuration 'hcs'
Nov 15 08:45:08 kevinolos charon: 14[CFG] received stroke: initiate 'hcs'
Nov 15 08:45:08 kevinolos charon: 05[IKE] initiating Main Mode IKE_SA hcs[1] to
X.X.X.X
Nov 15 08:45:08 kevinolos charon: 05[ENC] generating ID_PROT request 0 [ SA V V
V V V ]
Nov 15 08:45:08 kevinolos charon: 05[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (212 bytes)
Nov 15 08:45:08 kevinolos charon: 06[NET] received packet: from X.X.X.X[500] to
192.168.21.10[500] (156 bytes)
Nov 15 08:45:08 kevinolos charon: 06[ENC] parsed ID_PROT response 0 [ SA V V V
V ]
Nov 15 08:45:08 kevinolos charon: 06[IKE] received XAuth vendor ID
Nov 15 08:45:08 kevinolos charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Nov 15 08:45:08 kevinolos charon: 06[IKE] received DPD vendor ID
Nov 15 08:45:08 kevinolos charon: 06[IKE] received FRAGMENTATION vendor ID
Nov 15 08:45:08 kevinolos charon: 06[ENC] generating ID_PROT request 0 [ KE No
NAT-D NAT-D ]
Nov 15 08:45:08 kevinolos charon: 06[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (244 bytes)
Nov 15 08:45:08 kevinolos charon: 07[NET] received packet: from X.X.X.X[500] to
192.168.21.10[500] (228 bytes)
Nov 15 08:45:08 kevinolos charon: 07[ENC] parsed ID_PROT response 0 [ KE No
NAT-D NAT-D ]
Nov 15 08:45:08 kevinolos charon: 07[IKE] local host is behind NAT, sending
keep alives
Nov 15 08:45:08 kevinolos charon: 07[ENC] generating ID_PROT request 0 [ ID
HASH N(INITIAL_CONTACT) ]
Nov 15 08:45:08 kevinolos charon: 07[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (100 bytes)
Nov 15 08:45:09 kevinolos charon: 04[NET] received packet: from X.X.X.X[4500]
to 192.168.21.10[4500] (92 bytes)
Nov 15 08:45:09 kevinolos charon: 04[ENC] parsed ID_PROT response 0 [ ID HASH V
]
Nov 15 08:45:09 kevinolos charon: 04[IKE] received DPD vendor ID
Nov 15 08:45:09 kevinolos charon: 04[IKE] IKE_SA hcs[1] established between
192.168.21.10[192.168.21.10]...X.X.X.X[X.X.X.X]
Nov 15 08:45:09 kevinolos charon: 04[IKE] scheduling reauthentication in 9798s
Nov 15 08:45:09 kevinolos charon: 04[IKE] maximum IKE_SA lifetime 10338s
Nov 15 08:45:09 kevinolos charon: 04[ENC] generating QUICK_MODE request
2907729242 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Nov 15 08:45:09 kevinolos charon: 04[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (356 bytes)
Nov 15 08:45:09 kevinolos charon: 08[NET] received packet: from X.X.X.X[4500]
to 192.168.21.10[4500] (308 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[DMN] Starting IKE charon daemon
(strongSwan 5.6.0, Linux 4.14.0-rc7+, x86_64)
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] PKCS11 module '<name>' lacks
library path
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loaded ca certificate "DC=com,
DC=XXX" from '/etc/ipsec.d/cacerts/hcs.pem'
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loaded IKE secret for X.X.X.X
%any
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] loaded 0 RADIUS server
configurations
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[CFG] HA config misses local/remote
address
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[LIB] loaded plugins: charon
test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm
curl attr kernel-netlink resolve socket-default connmark farp stroke updown
eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls
eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify
certexpire led addrblock unity
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[LIB] dropped capabilities, running as
uid 0, gid 0
Nov 15 08:45:09 kevinolos ipsec[2575]: 00[JOB] spawning 16 worker threads
Nov 15 08:45:09 kevinolos ipsec[2575]: 09[CFG] received stroke: add connection
'hcs'
Nov 15 08:45:09 kevinolos ipsec[2575]: 09[CFG] added configuration 'hcs'
Nov 15 08:45:09 kevinolos ipsec[2575]: 14[CFG] received stroke: initiate 'hcs'
Nov 15 08:45:09 kevinolos ipsec[2575]: 05[IKE] initiating Main Mode IKE_SA
hcs[1] to X.X.X.X
Nov 15 08:45:09 kevinolos ipsec[2575]: 05[ENC] generating ID_PROT request 0 [
SA V V V V V ]
Nov 15 08:45:09 kevinolos ipsec[2575]: 05[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (212 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[NET] received packet: from
X.X.X.X[500] to 192.168.21.10[500] (156 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[ENC] parsed ID_PROT response 0 [ SA V
V V V ]
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[IKE] received XAuth vendor ID
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[IKE] received NAT-T (RFC 3947) vendor
ID
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[IKE] received DPD vendor ID
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[IKE] received FRAGMENTATION vendor ID
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[ENC] generating ID_PROT request 0 [
KE No NAT-D NAT-D ]
Nov 15 08:45:09 kevinolos ipsec[2575]: 06[NET] sending packet: from
192.168.21.10[500] to X.X.X.X[500] (244 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 07[NET] received packet: from
X.X.X.X[500] to 192.168.21.10[500] (228 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 07[ENC] parsed ID_PROT response 0 [ KE
No NAT-D NAT-D ]
Nov 15 08:45:09 kevinolos ipsec[2575]: 07[IKE] local host is behind NAT,
sending keep alives
Nov 15 08:45:09 kevinolos ipsec[2575]: 07[ENC] generating ID_PROT request 0 [
ID HASH N(INITIAL_CONTACT) ]
Nov 15 08:45:09 kevinolos ipsec[2575]: 07[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (100 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[NET] received packet: from
X.X.X.X[4500] to 192.168.21.10[4500] (92 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[ENC] parsed ID_PROT response 0 [ ID
HASH V ]
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[IKE] received DPD vendor ID
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[IKE] IKE_SA hcs[1] established
between 192.168.21.10[192.168.21.10]...X.X.X.X[X.X.X.X]
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[IKE] scheduling reauthentication in
9798s
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[IKE] maximum IKE_SA lifetime 10338s
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[ENC] generating QUICK_MODE request
2907729242 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Nov 15 08:45:09 kevinolos ipsec[2575]: 04[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (356 bytes)
Nov 15 08:45:09 kevinolos ipsec[2575]: 08[NET] received packet: from
X.X.X.X[4500] to 192.168.21.10[4500] (308 bytes)
Nov 15 08:45:09 kevinolos charon: 08[ENC] parsed QUICK_MODE response 2907729242
[ HASH SA No KE ID ID NAT-OA NAT-OA ]
Nov 15 08:45:09 kevinolos kernel: [ 36.082809] alg: No test for
echainiv(authenc(hmac(sha1),cbc(des3_ede)))
(echainiv(authenc(hmac(sha1-generic),cbc(des3_ede-generic))))
Nov 15 08:45:09 kevinolos charon: 08[IKE] CHILD_SA hcs{1} established with SPIs
c7544d81_i 0b0924f0_o and TS 192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f]
Nov 15 08:45:09 kevinolos charon: 08[ENC] generating QUICK_MODE request
2907729242 [ HASH ]
Nov 15 08:45:09 kevinolos charon: 08[NET] sending packet: from
192.168.21.10[4500] to X.X.X.X[4500] (60 bytes)
Nov 15 08:45:10 kevinolos systemd[1]: Starting LSB: layer 2 tunelling protocol
daemon...
Nov 15 08:45:10 kevinolos xl2tpd[2950]: setsockopt recvref[30]: Protocol not
available
Nov 15 08:45:10 kevinolos kernel: [ 36.581960] PPP generic driver version
2.4.2
Nov 15 08:45:10 kevinolos kernel: [ 36.588380] NET: Registered protocol
family 24
Nov 15 08:45:10 kevinolos kernel: [ 36.618253] l2tp_core: L2TP core driver,
V2.0
Nov 15 08:45:10 kevinolos kernel: [ 36.628997] l2tp_netlink: L2TP netlink
interface
Nov 15 08:45:10 kevinolos xl2tpd[2950]: Using l2tp kernel support.
Nov 15 08:45:10 kevinolos xl2tpd[2946]: Starting xl2tpd: xl2tpd.
Nov 15 08:45:10 kevinolos systemd[1]: Started LSB: layer 2 tunelling protocol
daemon.
Nov 15 08:45:10 kevinolos xl2tpd[2963]: xl2tpd version xl2tpd-1.3.10 started on
kevinolos PID:2963
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Written by Mark Spencer, Copyright (C)
1998, Adtran, Inc.
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Forked by Scott Balmos and David Stipp,
(C) 2001
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Inherited by Jeff McAdams, (C) 2002
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Forked again by Xelerance
(www.xelerance.com) (C) 2006-2016
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Listening on IP address 0.0.0.0, port
1701
Nov 15 08:45:10 kevinolos xl2tpd[2963]: get_call: allocating new tunnel for
host X.X.X.X, port 1701.
Nov 15 08:45:10 kevinolos kernel: [ 36.641197] l2tp_ppp: PPPoL2TP kernel
driver, V2.0
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Connecting to host X.X.X.X, port 1701
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: message type is
(null)(0). Tunnel is 0, call is 0.
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: sending SCCRQ
Nov 15 08:45:10 kevinolos xl2tpd[2963]: network_thread: recv packet from
X.X.X.X, size = 138, tunnel = 48606, call = 0 ref=0 refhim=0
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: message type is
Start-Control-Connection-Reply(2). Tunnel is 25588, call is 0.
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: sending SCCCN
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Connection established to X.X.X.X,
1701. Local: 48606, Remote: 25588 (ref=0/0).
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Calling on tunnel 48606
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: message type is
(null)(0). Tunnel is 25588, call is 0.
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: sending ICRQ
Nov 15 08:45:10 kevinolos xl2tpd[2963]: network_thread: recv packet from
X.X.X.X, size = 28, tunnel = 48606, call = 18273 ref=0 refhim=0
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: message type is
Incoming-Call-Reply(11). Tunnel is 25588, call is 62433.
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: Sending ICCN
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Call established with X.X.X.X, Local:
18273, Remote: 62433, Serial: 1 (ref=0/0)
Nov 15 08:45:10 kevinolos xl2tpd[2963]: start_pppd: I'm running:
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "/usr/sbin/pppd"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "plugin"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "pppol2tp.so"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "pppol2tp"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "7"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "passive"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "nodetach"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: ":"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "name"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "XXXX"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "file"
Nov 15 08:45:10 kevinolos xl2tpd[2963]: "/etc/ppp/options.hcs.client"
Nov 15 08:45:10 kevinolos pppd[2965]: Plugin pppol2tp.so loaded.
Nov 15 08:45:10 kevinolos pppd[2965]: pppd 2.4.7 started by root, uid 0
Nov 15 08:45:10 kevinolos pppd[2965]: using channel 1
Nov 15 08:45:10 kevinolos pppd[2965]: Using interface ppp0
Nov 15 08:45:10 kevinolos pppd[2965]: Connect: ppp0 <-->
Nov 15 08:45:10 kevinolos pppd[2965]: Overriding mtu 1500 to 1410
Nov 15 08:45:10 kevinolos pppd[2965]: PPPoL2TP options: debugmask 0
Nov 15 08:45:10 kevinolos pppd[2965]: Overriding mru 1500 to mtu value 1410
Nov 15 08:45:10 kevinolos pppd[2965]: sent [LCP ConfReq id=0x1 <mru 1410>
<asyncmap 0x0> <magic 0x94b5e8dd>]
Nov 15 08:45:10 kevinolos systemd-udevd[2966]: link_config: autonegotiation is
unset or enabled, the speed and duplex are not writable.
Nov 15 08:45:10 kevinolos pppd[2965]: rcvd [LCP ConfReq id=0x1 <mru 1400>
<asyncmap 0x0> <auth pap> <magic 0xd6aff44f>]
Nov 15 08:45:10 kevinolos pppd[2965]: sent [LCP ConfAck id=0x1 <mru 1400>
<asyncmap 0x0> <auth pap> <magic 0xd6aff44f>]
Nov 15 08:45:10 kevinolos xl2tpd[2963]: network_thread: recv packet from
X.X.X.X, size = 12, tunnel = 48606, call = 0 ref=0 refhim=0
Nov 15 08:45:11 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:45:11 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:45:11 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:45:11 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:45:16 kevinolos pppd[2965]: sent [LCP ConfReq id=0x1 <mru 1410>
<asyncmap 0x0> <magic 0x94b5e8dd>]
Nov 15 08:45:16 kevinolos pppd[2965]: rcvd [LCP ConfAck id=0x1 <mru 1410>
<asyncmap 0x0> <magic 0x94b5e8dd>]
Nov 15 08:45:16 kevinolos xl2tpd[2963]: network_thread: recv packet from
X.X.X.X, size = 36, tunnel = 48606, call = 18273 ref=0 refhim=0
Nov 15 08:45:16 kevinolos xl2tpd[2963]: control_finish: message type is
Set-Link-Info(16). Tunnel is 25588, call is 62433.
Nov 15 08:45:16 kevinolos pppd[2965]: PPPoL2TP options: debugmask 0
Nov 15 08:45:16 kevinolos pppd[2965]: sent [LCP EchoReq id=0x0 magic=0x94b5e8dd]
Nov 15 08:45:16 kevinolos pppd[2965]: sent [PAP AuthReq id=0x1 user="klocke"
password=<hidden>]
Nov 15 08:45:16 kevinolos pppd[2965]: rcvd [LCP EchoReq id=0x0 magic=0xd6aff44f]
Nov 15 08:45:16 kevinolos pppd[2965]: sent [LCP EchoRep id=0x0 magic=0x94b5e8dd]
Nov 15 08:45:16 kevinolos pppd[2965]: rcvd [LCP EchoRep id=0x0 magic=0xd6aff44f]
Nov 15 08:45:18 kevinolos pppd[2965]: rcvd [PAP AuthAck id=0x1 "Session started
successfully"]
Nov 15 08:45:18 kevinolos pppd[2965]: Remote message: Session started
successfully
Nov 15 08:45:18 kevinolos pppd[2965]: PAP authentication succeeded
Nov 15 08:45:18 kevinolos pppd[2965]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Nov 15 08:45:18 kevinolos pppd[2965]: rcvd [IPCP ConfReq id=0x1 <addr Y.Y.Y.Y>]
Nov 15 08:45:18 kevinolos pppd[2965]: sent [IPCP ConfAck id=0x1 <addr Y.Y.Y.Y>]
Nov 15 08:45:18 kevinolos pppd[2965]: rcvd [IPCP ConfNak id=0x1 <addr Z.Z.Z.Z>]
Nov 15 08:45:18 kevinolos pppd[2965]: sent [IPCP ConfReq id=0x2 <addr Z.Z.Z.Z>]
Nov 15 08:45:18 kevinolos pppd[2965]: rcvd [IPCP ConfAck id=0x2 <addr Z.Z.Z.Z>]
Nov 15 08:45:18 kevinolos charon: 06[KNL] Z.Z.Z.Z appeared on ppp0
Nov 15 08:45:18 kevinolos charon: 04[KNL] Z.Z.Z.Z disappeared from ppp0
Nov 15 08:45:18 kevinolos charon: 08[KNL] Z.Z.Z.Z appeared on ppp0
Nov 15 08:45:18 kevinolos pppd[2965]: local IP address Z.Z.Z.Z
Nov 15 08:45:18 kevinolos pppd[2965]: remote IP address Y.Y.Y.Y
Nov 15 08:45:18 kevinolos charon: 10[KNL] interface ppp0 activated
Nov 15 08:45:18 kevinolos pppd[2965]: Script /etc/ppp/ip-up started (pid 2982)
Nov 15 08:45:18 kevinolos pppd[2965]: Script /etc/ppp/ip-up finished (pid
2982), status = 0x0
Nov 15 08:45:51 kevinolos charon: 08[IKE] sending keep alive to X.X.X.X[4500]
Nov 15 08:46:10 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:46:10 kevinolos xl2tpd[2963]: network_thread: recv packet from
X.X.X.X, size = 12, tunnel = 48606, call = 0 ref=0 refhim=0
Nov 15 08:46:11 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:46:30 kevinolos charon: 11[IKE] sending keep alive to X.X.X.X[4500]
Nov 15 08:46:50 kevinolos charon: 12[IKE] sending keep alive to X.X.X.X[4500]
Nov 15 08:47:10 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:47:11 kevinolos xl2tpd[2963]: network_thread: recv packet from
X.X.X.X, size = 12, tunnel = 48606, call = 0 ref=0 refhim=0
Nov 15 08:47:11 kevinolos xl2tpd[2963]: network_thread: select timeout
Nov 15 08:47:30 kevinolos charon: 07[IKE] sending keep alive to X.X.X.X[4500]
Nov 15 08:47:50 kevinolos charon: 06[IKE] sending keep alive to X.X.X.X[4500]
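A small triage helper for syslog captures like the two attached above, added here as an example and not part of the original report or of strongSwan/xl2tpd. It checks whether the CHILD_SA was installed, whether the kernel then raised an acquire on that same policy which charon could not match ("trap not found, unable to acquire reqid"), and whether xl2tpd got its tunnel up or timed out. The sample lines are taken from the attached logs, rejoined onto single lines, with the report's X.X.X.X placeholder kept.

```python
"""Syslog triage for an L2TP/IPsec (transport mode) connection attempt.

Example code, not from the report or the projects it mentions. It answers
the three questions a bisect run needs from one syslog excerpt: was the
CHILD_SA installed, did the kernel afterwards ask charon to negotiate the
very same policy again (an acquire charon could not match to a trap), and
did xl2tpd establish its tunnel or time out.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Message formats copied from the charon and xl2tpd lines in the report.
RE_IKE_SA = re.compile(r"charon: \d+\[IKE\] IKE_SA (?P<conn>\S+)\[\d+\] established")
RE_CHILD_SA = re.compile(
    r"charon: \d+\[IKE\] CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$")
RE_ACQUIRE = re.compile(
    r"charon: \d+\[KNL\] creating acquire job for policy (?P<policy>.+?) with reqid \{(?P<reqid>\d+)\}")
RE_TRAP_MISSING = re.compile(
    r"charon: \d+\[CFG\] trap not found, unable to acquire reqid (?P<reqid>\d+)")
RE_L2TP_UP = re.compile(r"xl2tpd\[\d+\]: Connection established to ")
RE_L2TP_TIMEOUT = re.compile(r"xl2tpd\[\d+\]: Connection \d+ closed to .*\(Timeout\)")


@dataclass
class Triage:
    ike_sa_up: bool = False
    child_sa: Optional[dict] = None                       # SPIs and traffic selector
    acquires: list = field(default_factory=list)          # (reqid, policy) raised by the kernel
    unmatched_reqids: list = field(default_factory=list)  # acquires charon could not serve
    l2tp_up: bool = False
    l2tp_timeout: bool = False

    @property
    def verdict(self) -> str:
        if self.child_sa is None:
            return "no-ipsec"
        if self.l2tp_up:
            return "good"
        if self.unmatched_reqids:
            # The SA for this policy is installed, yet the kernel asked charon to
            # negotiate it again and charon had no trap for it: the symptom in the report.
            return "bad-acquire-on-installed-sa"
        if self.l2tp_timeout:
            return "bad-l2tp-timeout"
        return "inconclusive"


def triage(log_text: str) -> Triage:
    """Walk the syslog excerpt once and fill in a Triage record."""
    result = Triage()
    for line in log_text.splitlines():
        if RE_IKE_SA.search(line):
            result.ike_sa_up = True
        elif (m := RE_CHILD_SA.search(line)):
            result.child_sa = m.groupdict()
        elif (m := RE_ACQUIRE.search(line)):
            result.acquires.append((int(m["reqid"]), m["policy"]))
        elif (m := RE_TRAP_MISSING.search(line)):
            result.unmatched_reqids.append(int(m["reqid"]))
        elif RE_L2TP_UP.search(line):
            result.l2tp_up = True
        elif RE_L2TP_TIMEOUT.search(line):
            result.l2tp_timeout = True
    return result


def acquire_hits_installed_sa(t: Triage) -> bool:
    """True when an unmatched acquire names exactly the policy the CHILD_SA covers."""
    if t.child_sa is None:
        return False
    return any(policy == t.child_sa["ts"]
               for reqid, policy in t.acquires if reqid in t.unmatched_reqids)


# Sample input: lines from the attached logs, rejoined onto single lines.
BAD_LOG = """\
Nov 15 08:08:17 kevinolos charon: 08[IKE] IKE_SA hcs[1] established between 192.168.21.10[192.168.21.10]...X.X.X.X[X.X.X.X]
Nov 15 08:08:17 kevinolos charon: 10[IKE] CHILD_SA hcs{1} established with SPIs c7ff3092_i 0f8d840d_o and TS 192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f]
Nov 15 08:08:18 kevinolos xl2tpd[2982]: control_finish: sending SCCRQ
Nov 15 08:08:18 kevinolos charon: 09[KNL] creating acquire job for policy 192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f] with reqid {1}
Nov 15 08:08:18 kevinolos charon: 12[CFG] trap not found, unable to acquire reqid 1
Nov 15 08:08:52 kevinolos xl2tpd[2982]: Maximum retries exceeded for tunnel 33232. Closing.
Nov 15 08:08:52 kevinolos xl2tpd[2982]: Connection 0 closed to X.X.X.X, port 1701 (Timeout)
"""

GOOD_LOG = """\
Nov 15 08:45:09 kevinolos charon: 04[IKE] IKE_SA hcs[1] established between 192.168.21.10[192.168.21.10]...X.X.X.X[X.X.X.X]
Nov 15 08:45:09 kevinolos charon: 08[IKE] CHILD_SA hcs{1} established with SPIs c7544d81_i 0b0924f0_o and TS 192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f]
Nov 15 08:45:10 kevinolos xl2tpd[2963]: control_finish: sending SCCRQ
Nov 15 08:45:10 kevinolos xl2tpd[2963]: Connection established to X.X.X.X, 1701. Local: 48606, Remote: 25588 (ref=0/0).
"""

if __name__ == "__main__":
    for name, log in (("bad", BAD_LOG), ("good", GOOD_LOG)):
        t = triage(log)
        print(name, t.verdict, "acquire-on-installed-sa:", acquire_hits_installed_sa(t))
```

Feed it `journalctl -o short` output (or the syslog file) for a kernel under test; a "bad-acquire-on-installed-sa" verdict reproduces the report's symptom without reading the whole capture by hand.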