I'm following this guide for getting an IPsec/L2TP VPN server set up on a Gentoo machine, and I'm having trouble getting an OS X client to connect. From the logs, I believe I'm making an IPsec connection OK, but xl2tpd is refusing to go any further in the connection process. My setup (names changed):
- Home server is directly connected to the Internet - no NAT - at example.com
- vpn.example.com is an alias for example.com
- Both addresses are provided through a dynamic DNS service - example.com's IP is not fixed
- Home server's internal subnet is 192.168.1.0/24
- OS X client runs 10.5.6 and has a dynamic IP (is a "roadwarrior")
My config files are as follows:
ipsec.conf
version 2.0
config setup
    nat_traversal=no
    nhelpers=0
include /etc/ipsec/ipsec.d/examples/no_oe.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port.
    rightprotoport=17/0
ipsec.secrets
: PSK "testkey"
xl2tpd.conf
[global]
port = 1701
access control = no
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lns default]
ip range = 172.21.118.2-172.21.118.254
local ip = 172.21.118.1
require chap = yes
refuse pap = yes
name = LinuxVPN
pppoptfile = /etc/ppp/options.xl2tpd
ppp debug = yes
length bit = yes
options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.27
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent
And the log entries:
*snip*
Sep 05 13:40:32 [pluto] "L2TP-PSK-noNAT"[14] 137.112.114.88 #28: STATE_QUICK_R2: IPsec SA established {ESP=>0x0cb56f8c <0x319c29ff xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Sep 05 13:40:39 [xl2tpd] Maximum retries exceeded for tunnel 23214. Closing.
Sep 05 13:40:46 [xl2tpd] Connection 70 closed to 137.112.114.88, port 63835 (Timeout)
*snip*
Why can't I get xl2tpd to accept the connection? I can't even find the relevant xl2tpd log files to continue debugging - all I get are those two lines in the syslog.
From serverfault
Tim
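The symptom in the question (pluto reports the IPsec SA established, then xl2tpd times out the same peer a few seconds later) is easy to spot by hand in a three-line excerpt but not in a busy syslog. The following script is an added example, not part of the original post: it correlates pluto "IPsec SA established" lines with xl2tpd "(Timeout)" lines for the same peer address, so that a failure can be attributed to the L2TP leg rather than to IPsec negotiation. The sample log lines are constructed to mirror the excerpt above; the regexes assume the Openswan/xl2tpd syslog formats shown there.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the question's syslog excerpt.
SAMPLE_LOG = """\
Sep 05 13:40:32 [pluto] "L2TP-PSK-noNAT"[14] 137.112.114.88 #28: STATE_QUICK_R2: IPsec SA established {ESP=>0x0cb56f8c <0x319c29ff xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Sep 05 13:40:39 [xl2tpd] Maximum retries exceeded for tunnel 23214. Closing.
Sep 05 13:40:46 [xl2tpd] Connection 70 closed to 137.112.114.88, port 63835 (Timeout)
"""

TS = r"(\w{3} \d{2} \d{2}:\d{2}:\d{2})"
# pluto line: conn name, peer address, and the quick-mode "SA established" marker
SA_UP = re.compile(TS + r' \[pluto\] "([^"]+)"\[\d+\] (\S+) #\d+: STATE_QUICK_R2: IPsec SA established')
# xl2tpd line: peer address and source port of the tunnel that timed out
L2TP_TO = re.compile(TS + r" \[xl2tpd\] Connection \d+ closed to (\S+), port (\d+) \(Timeout\)")


def _t(stamp):
    # Syslog stamps carry no year; the 1900 default is fine for deltas within one log.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def find_l2tp_failures(log_text, window_seconds=60):
    """Return peers whose IPsec SA came up but whose L2TP tunnel then timed out.

    An SA followed shortly by an xl2tpd timeout from the same peer means the
    encrypted channel negotiated fine; what is failing is delivery of UDP/1701
    between the kernel IPsec policy and xl2tpd, not the PSK or the proposal.
    """
    sa_up = {}      # peer address -> (conn name, time of most recent SA)
    failures = []
    for line in log_text.splitlines():
        m = SA_UP.match(line)
        if m:
            sa_up[m.group(3)] = (m.group(2), _t(m.group(1)))
            continue
        m = L2TP_TO.match(line)
        if m and m.group(2) in sa_up:
            conn, when = sa_up[m.group(2)]
            delay = (_t(m.group(1)) - when).total_seconds()
            if 0 <= delay <= window_seconds:
                failures.append({"peer": m.group(2), "conn": conn,
                                 "port": int(m.group(3)), "seconds_after_sa": delay})
    return failures


if __name__ == "__main__":
    for f in find_l2tp_failures(SAMPLE_LOG):
        print("IPsec up but L2TP timed out:", f)
```

Run it against the real syslog (`find_l2tp_failures(open("/var/log/messages").read())`) after a failed client attempt; a hit confirms the IPsec leg is not the problem and the remaining debugging belongs to xl2tpd and routing.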
-
Figured it out. I'm no expert, so I don't know why this works, but I was able to get a connection by adding the following lines to the conn L2TP-PSK-noNAT section of ipsec.conf:
leftnexthop=%defaultroute
rightnexthop=%defaultroute
From Tim