l2tp VPNs


#1

Ok, I’ve been trying this for 2 days now and not getting anywhere. I’ve tried l2tp, pptp, and openvpn. I just can’t seem to get them to work. I’ve now gone back to l2tp and my Windows 8.1 comes back with an error of 789. When I look at /var/logs/messages I see

Oct 31 15:55:25 bryrouter xl2tpd[6559]: death_handler: Fatal signal 15 received
Oct 31 15:55:26 bryrouter xl2tpd[7968]: setsockopt recvref[22]: Protocol not available

Am I missing something?


 rule 21 {
     action accept
     description l2tp500
     destination {
         port 500
     }
     protocol udp
 }
 rule 22 {
     action accept
     description l2tp1701
     destination {
         port 1701
     }
     protocol udp
 }
 rule 23 {
     action accept
     description l2tp4500
     destination {
         port 4500
     }
     protocol udp
 }


 ipsec {
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
 }
 l2tp {
     remote-access {
         authentication {
             local-users {
                 username xxxx {
                     password xxxx
                 }
             }
             mode local
         }
         client-ip-pool {
             start 192.168.50.210
             stop 192.168.50.220
         }
         dns-servers {
             server-1 8.8.8.8
         }
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret xxxxxxxx
             }
         }
         mtu 1492
         outside-address 70.x.x.x
         outside-nexthop 70.x.x.1
     }
 }

#2

Hello bmallone667:

It seems you’re missing the encryption configuration portion for the vpn:

 ipsec {
     esp-group ESP-1W {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha1
         }
         proposal 2 {
             encryption aes256
             hash sha1
         }
     }
     ike-group IKE-1W {
         key-exchange ikev1
         lifetime 28800
         proposal 1 {
             encryption aes256
             hash sha1
         }
         proposal 2 {
             encryption aes256
             hash sha1
         }
     }
 }

You should provide the encryption standard that you would like for the proposals (aes128, aes256 or 3des), and the preferred hashing function (md5, sha1, sha256, sha384 and the newest sha512).

You should use what you would like as the encryption standard, now VyOS


And I forgot the firewall rules for the incoming traffic that allow IPSEC VPN connections:

 rule 4000 {
     action accept
     description "Internet Key Exchange (IKE) for incoming VPNs connections"
     destination {
         port 500
     }
     protocol udp
 }
 rule 4010 {
     action accept
     description "NAT Traversal for incoming VPN connections"
     destination {
         port 4500
     }
     protocol udp
 }
 rule 4020 {
     action accept
     description "IPSEC for incoming VPN connections"
     destination {
         port 1701
     }
     ipsec {
         match-ipsec
     }
     protocol udp
 }
 rule 4030 {
     action accept
     description "Incoming ESP Protocol for VPN connections"
     protocol esp
     state {
         established enable
         new enable
         related enable
     }
 }

Obviously, use your own rule numbers… Hope this helps…


#3

For PPTP, check http://blog.vyos.net/, post dated October 16.


#4

I got it working! I have a firewall rule set named FROM-EXTERNAL and that’s where I was putting all the rules. I forgot I had a rule set named TO-ROUTER, which is really where the rules need to be!

I also noticed that my original pre-shared-key had the symbols @ and ^ in it. If you don’t put quotes around keys with those symbols, it seems to want to do some sort of Linux command?
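As an added check for the two points raised in #2 and #4 (not code from this thread or from VyOS): a small Python script that parses a VyOS-style config, finds which firewall rule set is bound as `local` on the WAN interface (the chain that actually sees traffic addressed to the router, as opposed to `in`), and reports whether that set accepts UDP 500, UDP 4500, UDP 1701 (with `match-ipsec`) and ESP. The sample config, the parser and the function names are my own constructions; the `interfaces ethernet eth0 firewall local name` path follows the VyOS 1.1 syntax.

```python
import re
REQUIRED = {"udp/500", "udp/4500", "udp/1701", "esp"}  # IKE, NAT-T, L2TP, ESP to the router
# Constructed sample (not the thread's config verbatim): the original rules sit in
# FROM-EXTERNAL, bound as 'in'; the working set TO-ROUTER is bound as 'local'.
SAMPLE = """
interfaces { ethernet eth0 { firewall { in { name FROM-EXTERNAL } local { name TO-ROUTER } } } }
firewall {
  name FROM-EXTERNAL {
    rule 22 { action accept destination { port 1701 } protocol udp }
  }
  name TO-ROUTER {
    rule 4000 { action accept destination { port 500 } protocol udp }
    rule 4010 { action accept destination { port 4500 } protocol udp }
    rule 4020 { action accept destination { port 1701 } ipsec { match-ipsec } protocol udp }
    rule 4030 { action accept protocol esp }
  }
}
"""

def parse_config(text):
    # VyOS-style brace config -> nested dicts.  Assumes one value per leaf and that
    # a valueless leaf such as match-ipsec is the last statement of its block.
    toks = re.findall(r'"[^"]*"|\{|\}|\S+', text) + ["", ""]
    stack, i = [{}], 0
    while toks[i]:
        t, nxt, nxt2 = toks[i:i + 3]
        if t == "}":
            stack.pop()
        elif "{" in (nxt, nxt2):              # 'key {' or tagged 'rule 4000 {'
            node = stack[-1].setdefault(t, {})
            stack.append(node if nxt == "{" else node.setdefault(nxt, {}))
        else:                                 # 'key value' or bare 'match-ipsec'
            stack[-1][t] = True if nxt == "}" else nxt.strip('"')
        i += 1 if "}" in (t, nxt) else 3 if nxt2 == "{" else 2
    return stack[0]

def accepted_flows(ruleset):
    # Flows one 'firewall name' set accepts; warns if L2TP is not restricted to IPsec.
    flows, warnings = set(), []
    for num, rule in ruleset.get("rule", {}).items():
        proto, port = rule.get("protocol"), rule.get("destination", {}).get("port")
        flow = proto if proto == "esp" else f"{proto}/{port}"
        if rule.get("action") == "accept" and flow in REQUIRED:
            flows.add(flow)
            if flow == "udp/1701" and not rule.get("ipsec", {}).get("match-ipsec"):
                warnings.append(f"rule {num}: udp/1701 accepted without match-ipsec")
    return flows, warnings

def audit(cfg, iface="eth0"):
    # Only the set bound as 'local' filters traffic addressed to the router itself.
    name = cfg["interfaces"]["ethernet"][iface]["firewall"]["local"]["name"]
    flows, warnings = accepted_flows(cfg["firewall"]["name"][name])
    return name, sorted(REQUIRED - flows), warnings
```

Running `audit(parse_config(SAMPLE))` on the sample reports TO-ROUTER as complete, while the FROM-EXTERNAL set (where the original rules were placed) is never consulted for traffic to the router and, on its own, only covers udp/1701 without `match-ipsec`.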


#5

Do you have any remote users on Windows 7 or 8, connecting over l2tp from typical home systems, where their home workstation ip address is natted to a public ip address, and where they can remain connected for more than about two hours? I seem to be hitting a problem with key lifetime, where the Windows machine cannot re-key.

The connection works fine for two hours, then drops.