Linux L2TP/IPSec vpn client cannot connect to any server

Hello, we are using NetworkManager to connect our Linux client to, well, any L2TP/IPsec VPN server… but have had no connection. The following are the versions and logs. Thanks for your help.

Colibri T30 1GB it v1.1b
Yocto BSP 2.8.7

Versions of daemons
NetworkManager : 1.4.4
NetworkManager-l2tp: 1.2.18
xl2tpd: 1.3.9
strongswan: 5.5.3
pppd: 2.4.7

We have included a recipe in our Yocto image for NetworkManager-l2tp on their nm-1.2 branch (the main branch says they only support newer versions of NetworkManager than we have).

We try to connect to our Windows 2008 server and see the following output from nm-l2tp-server --debug

nm-l2tp[749] <debug> nm-l2tp-service (version 1.2.18) starting...
nm-l2tp[749] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[749] <info>  ipsec enable flag: yes
** Message: Check port 1701
connection
	id : "vpn2" (s)
	uuid : "5c912719-67d6-4bdb-b5eb-d5f3db641814" (s)
	interface-name : NULL (sd)
	type : "vpn" (s)
	permissions : [] (s)
	autoconnect : TRUE (sd)
	autoconnect-priority : 0 (sd)
	timestamp : 0 (sd)
	read-only : FALSE (sd)
	zone : NULL (sd)
	master : NULL (sd)
	slave-type : NULL (sd)
	autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
	secondaries : [] (s)
	gateway-ping-timeout : 0 (sd)
	metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
	lldp : -1 (sd)
	stable-id : NULL (sd)


ipv6
	method : "auto" (s)
	dns : [] (s)
	dns-search : [] (s)
	dns-options : NULL (sd)
	dns-priority : 0 (sd)
	addresses : ((GPtrArray*) 0x3a008) (s)
	gateway : NULL (sd)
	routes : ((GPtrArray*) 0x42109c08) (s)
	route-metric : -1 (sd)
	ignore-auto-routes : FALSE (sd)
	ignore-auto-dns : FALSE (sd)
	dhcp-hostname : NULL (sd)
	dhcp-send-hostname : TRUE (sd)
	never-default : FALSE (sd)
	may-fail : TRUE (sd)
	dad-timeout : -1 (sd)
	dhcp-timeout : 0 (sd)
	ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
	addr-gen-mode : 1 (sd)
	token : NULL (sd)


ipv4
	method : "auto" (s)
	dns : [] (s)
	dns-search : [] (s)
	dns-options : NULL (sd)
	dns-priority : 0 (sd)
	addresses : ((GPtrArray*) 0x421098a8) (s)
	gateway : NULL (sd)
	routes : ((GPtrArray*) 0x52548) (s)
	route-metric : -1 (sd)
	ignore-auto-routes : FALSE (sd)
	ignore-auto-dns : FALSE (sd)
	dhcp-hostname : NULL (sd)
	dhcp-send-hostname : TRUE (sd)
	never-default : FALSE (sd)
	may-fail : TRUE (sd)
	dad-timeout : -1 (sd)
	dhcp-timeout : 0 (sd)
	dhcp-client-id : NULL (sd)
	dhcp-fqdn : NULL (sd)


vpn
	service-type : "org.freedesktop.NetworkManager.l2tp" (s)
	user-name : "<redacted>" (s)
	persistent : FALSE (sd)
	data : ((GHashTable*) 0x4dac0) (s)
	secrets : ((GHashTable*) 0x4da50) (s)
	timeout : 0 (sd)


nm-l2tp[749] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan ..3 IPsec [starter]...
Loading config setup
Loading conn '5c912719-67d6-4bdb-b5eb-d5f3db641814'
found netkey IPsec stack
nm-l2tp[749] <info>  Spawned ipsec up script with PID 817.
initiating Main Mode IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] to redacted
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from <redacted>[500] to <redacted> (532 bytes)
received packet: from <redacted> to <redacted>[500] (212 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce::52
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <redacted>[500] to <redacted> (212 bytes)
received packet: from <redacted> to <redacted>[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.42.78.122[4500] to redacted[4500] (76 bytes)
received packet: from redacted[4500] to 10.42.78.122[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] established between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90]
scheduling reauthentication in 10221s
maximum IKE_SA lifetime 10761s
generating QUICK_MODE request 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 10.42.78.122[4500] to redacted[4500] (252 bytes)
received packet: from redacted[4500] to 10.42.78.122[4500] (220 bytes)
parsed QUICK_MODE response 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ]
connection '5c912719-67d6-4bdb-b5eb-d5f3db641814' established successfully
nm-l2tp[749] <info>  strongSwan IPsec tunnel is up.
** Message: xl2tpd started with pid 844
xl2tpd[844]: setsockopt recvref[30]: Protocol not available
xl2tpd[844]: This binary does not support kernel L2TP.
xl2tpd[844]: xl2tpd version xl2tpd-1.3.9 started on colibri-t30 PID:844
xl2tpd[844]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[844]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[844]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[844]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[844]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[844]: get_call: allocating new tunnel for host redacted, port 1701.
xl2tpd[844]: Connecting to host redacted, port 1701
xl2tpd[844]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[844]: control_finish: sending SCCRQ
xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[844]: framing_caps_avp: supported peer frames: sync
xl2tpd[844]: bearer_caps_avp: supported peer bearers:
xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601)
xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1'
xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft'
xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298
xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending SCCCN
xl2tpd[844]: Connection established to redacted, 1701.  Local: 29027, Remote: 298 (ref=0/0).
xl2tpd[844]: Calling on tunnel 29027
xl2tpd[844]: control_finish: message type is (null)(0).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending ICRQ
xl2tpd[844]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[844]: assigned_call_avp: using peer's call 2
xl2tpd[844]: control_finish: message type is Incoming-Call-Reply(11).  Tunnel is 298, call is 2.
xl2tpd[844]: control_finish: Sending ICCN
xl2tpd[844]: Call established with redacted, Local: 21420, Remote: 2, Serial: 1 (ref=0/0)
** Message: nm-l2tp-ppp-plugin: (plugin_init): initializing
** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status  / phase 'establish'
xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[844]: framing_caps_avp: supported peer frames: sync
xl2tpd[844]: bearer_caps_avp: supported peer bearers:
xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601)
xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1'
xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft'
xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298
xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending SCCCN
xl2tpd[844]: Connection established to redacted, 1701.  Local: 29027, Remote: 298 (ref=0/0).
xl2tpd[844]: Calling on tunnel 29027
xl2tpd[844]: control_finish: message type is (null)(0).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending ICRQ
xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[844]: framing_caps_avp: supported peer frames: sync
xl2tpd[844]: bearer_caps_avp: supported peer bearers:
xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601)
xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1'
xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft'
xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298
xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending SCCCN
xl2tpd[844]: Connection established to redacted, 1701.  Local: 29027, Remote: 298 (ref=0/0).
xl2tpd[844]: Calling on tunnel 29027
xl2tpd[844]: control_finish: message type is (null)(0).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending ICRQ
xl2tpd[844]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[844]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[844]: framing_caps_avp: supported peer frames: sync
xl2tpd[844]: bearer_caps_avp: supported peer bearers:
xl2tpd[844]: firmware_rev_avp: peer reports firmware version 1537 (0x0601)
xl2tpd[844]: hostname_avp: peer reports hostname 'WS2008R2-WH1'
xl2tpd[844]: vendor_avp: peer reports vendor 'Microsoft'
xl2tpd[844]: assigned_tunnel_avp: using peer's tunnel 298
xl2tpd[844]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
xl2tpd[844]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending SCCCN
xl2tpd[844]: Connection established to redacted5..210, 1701.  Local: 29027, Remote: 298 (ref=0/0).
xl2tpd[844]: Calling on tunnel 29027
xl2tpd[844]: control_finish: message type is (null)(0).  Tunnel is 298, call is 0.
xl2tpd[844]: control_finish: sending ICRQ
nm-l2tp[749] <warn>  Looks like pppd didn't initialize our dbus module
xl2tpd[844]: death_handler: Fatal signal 15 received
** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
nm-l2tp[749] <info>  Terminated xl2tpd daemon with PID 844.
** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
** Message: nm-l2tp-ppp-plugin: (nm_exit_notify): cleaning up
Stopping strongSwan IPsec...
** Message: ipsec shut down
nm-l2tp[749] <warn>  xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: ipsec shut down

and the output from journalctl -b is

NetworkManager[323]: <info>  [1639572668.5147] audit: op="connection-activate" uuid="5c912719-67d6-4bdb-b5eb-d5f3db641814" name="vpn2" pid=759 uid=0 result="success"
NetworkManager[323]: <info>  [1639572668.5212] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: Saw the service appear; activating connection
NetworkManager[323]: <info>  [1639572668.5634] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN connection: (ConnectInteractive) reply received
ipsec_starter[775]: Starting strongSwan 5.5.3 IPsec [starter]...
ipsec_starter[775]: Loading config setup
ipsec_starter[775]: Loading conn '5c912719-67d6-4bdb-b5eb-d5f3db641814'
ipsec_starter[775]: found netkey IPsec stack
ipsec_starter[792]: Attempting to start charon...
charon[794]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 3.1.10-2.8.7+g5e3cb65, armv7l)
charon[794]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[794]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[794]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[794]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[794]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[794]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[794]: 00[CFG]   loaded IKE secret for saphffm.no-ip.org
charon[794]: 00[CFG]   loaded EAP secret for st4
charon[794]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[794]: 00[CFG]   loaded IKE secret for %any
charon[794]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gm
charon[794]: 00[JOB] spawning 16 worker threads
charon[794]: 05[CFG] rereading secrets
charon[794]: 05[CFG] loading secrets from '/etc/ipsec.secrets'
charon[794]: 05[CFG]   loaded IKE secret for <redacted>
charon[794]: 05[CFG]   loaded EAP secret for <redacted>
charon[794]: 05[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[794]: 05[CFG]   loaded IKE secret for %any
ipsec_starter[792]: charon (794) started after 200 ms
charon[794]: 07[CFG] received stroke: add connection '5c912719-67d6-4bdb-b5eb-d5f3db641814'
charon[794]: 07[CFG] conn 5c912719-67d6-4bdb-b5eb-d5f3db641814
charon[794]: 07[CFG]   left=%any
charon[794]: 07[CFG]   leftauth=psk
charon[794]: 07[CFG]   right=redacted
charon[794]: 07[CFG]   rightauth=psk
charon[794]: 07[CFG]   rightid=%any
charon[794]: 07[CFG]   ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha
charon[794]: 07[CFG]   esp=aes256-sha1,aes128-sha1,3des-sha1!
charon[794]: 07[CFG]   dpddelay=30
charon[794]: 07[CFG]   dpdtimeout=150
charon[794]: 07[CFG]   sha256_96=no
charon[794]: 07[CFG]   mediation=no
charon[794]: 07[CFG]   keyexchange=ikev1
charon[794]: 07[CFG] added configuration '5c912719-67d6-4bdb-b5eb-d5f3db641814'
charon[794]: 09[CFG] received stroke: initiate '5c912719-67d6-4bdb-b5eb-d5f3db641814'
charon[794]: 11[IKE] queueing ISAKMP_VENDOR task
charon[794]: 11[IKE] queueing ISAKMP_CERT_PRE task
charon[794]: 11[IKE] queueing MAIN_MODE task
charon[794]: 11[IKE] queueing ISAKMP_CERT_POST task
charon[794]: 11[IKE] queueing ISAKMP_NATD task
charon[794]: 11[IKE] queueing QUICK_MODE task
charon[794]: 11[IKE] activating new tasks
charon[794]: 11[IKE]   activating ISAKMP_VENDOR task
charon[794]: 11[IKE]   activating ISAKMP_CERT_PRE task
charon[794]: 11[IKE]   activating MAIN_MODE task
charon[794]: 11[IKE]   activating ISAKMP_CERT_POST task
charon[794]: 11[IKE]   activating ISAKMP_NATD task
charon[794]: 11[IKE] sending XAuth vendor ID
charon[794]: 11[IKE] sending DPD vendor ID
charon[794]: 11[IKE] sending FRAGMENTATION vendor ID
charon[794]: 11[IKE] sending NAT-T (RFC 3947) vendor ID
charon[794]: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon[794]: 11[IKE] initiating Main Mode IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] to redacted
charon[794]: 11[IKE] initiating Main Mode IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] to redacted
charon[794]: 11[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: CREATED => CONNECTING
charon[794]: 11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AE
charon[794]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon[794]: 11[NET] sending packet: from 10.42.78.122[500] to redacted[500] (532 bytes)
charon[794]: 12[NET] received packet: from redacted[500] to 10.42.78.122[500] (212 bytes)
charon[794]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
charon[794]: 12[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
charon[794]: 12[IKE] received NAT-T (RFC 3947) vendor ID
charon[794]: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon[794]: 12[IKE] received FRAGMENTATION vendor ID
charon[794]: 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
charon[794]: 12[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
charon[794]: 12[CFG] selecting proposal:
charon[794]: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
charon[794]: 12[CFG] selecting proposal:
charon[794]: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
charon[794]: 12[CFG] selecting proposal:
charon[794]: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
charon[794]: 12[CFG] selecting proposal:
charon[794]: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon[794]: 12[CFG] selecting proposal:
charon[794]: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon[794]: 12[CFG] selecting proposal:
charon[794]: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon[794]: 12[CFG] selecting proposal:
charon[794]: 12[CFG]   proposal matches
charon[794]: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
charon[794]: 12[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AE
charon[794]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
charon[794]: 12[IKE] reinitiating already active tasks
charon[794]: 12[IKE]   ISAKMP_VENDOR task
charon[794]: 12[IKE]   MAIN_MODE task
charon[794]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon[794]: 12[NET] sending packet: from 10.42.78.122[500] to redacted[500] (212 bytes)
charon[794]: 13[NET] received packet: from redacted[500] to 10.42.78.122[500] (228 bytes)
charon[794]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon[794]: 13[IKE] local host is behind NAT, sending keep alives
charon[794]: 13[IKE] remote host is behind NAT
charon[794]: 13[IKE] reinitiating already active tasks
charon[794]: 13[IKE]   ISAKMP_VENDOR task
charon[794]: 13[IKE]   MAIN_MODE task
charon[794]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
charon[794]: 13[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (76 bytes)
charon[794]: 14[NET] received packet: from redacted[4500] to 10.42.78.122[4500] (76 bytes)
charon[794]: 14[ENC] parsed ID_PROT response 0 [ ID HASH ]
charon[794]: 14[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] established between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90]
charon[794]: 14[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] established between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90]
charon[794]: 14[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: CONNECTING => ESTABLISHED
charon[794]: 14[IKE] scheduling reauthentication in 10221s
charon[794]: 14[IKE] maximum IKE_SA lifetime 10761s
charon[794]: 14[IKE] activating new tasks
charon[794]: 14[IKE]   activating QUICK_MODE task
charon[794]: 14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
charon[794]: 14[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
charon[794]: 14[CFG] proposing traffic selectors for us:
charon[794]: 14[CFG]  10.42.78.122/32[udp/l2f]
charon[794]: 14[CFG] proposing traffic selectors for other:
charon[794]: 14[CFG]  redacted/32[udp/l2f]
charon[794]: 14[ENC] generating QUICK_MODE request 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon[794]: 14[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (252 bytes)
charon[794]: 15[NET] received packet: from redacted[4500] to 10.42.78.122[4500] (220 bytes)
charon[794]: 15[ENC] parsed QUICK_MODE response 1672764256 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon[794]: 15[CFG] selecting proposal:
charon[794]: 15[CFG]   proposal matches
charon[794]: 15[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
charon[794]: 15[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
charon[794]: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
charon[794]: 15[IKE] changing received traffic selectors 80.187.101.122/32[udp/l2f]=== 192.168.90.90/32[udp/l2f] due to NAT
charon[794]: 15[IKE] CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} established with SPIs ce51b5d8_i 0ae49212_o and TS 10.42.78.122/32[udp/l2f] === redacted/32[udp/l2f]
charon[794]: 15[IKE] CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} established with SPIs ce51b5d8_i 0ae49212_o and TS 10.42.78.122/32[udp/l2f] === redacted/32[udp/l2f]
charon[794]: 15[IKE] reinitiating already active tasks
charon[794]: 15[IKE]   QUICK_MODE task
charon[794]: 15[ENC] generating QUICK_MODE request 1672764256 [ HASH ]
charon[794]: 15[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (60 bytes)
charon[794]: 15[IKE] activating new tasks
charon[794]: 15[IKE] nothing to initiate
NetworkManager[323]: <info>  [1639572673.9668] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state changed: starting (3)
charon[794]: 05[NET] received packet: from redacted[4500] to 10.42.78.122[4500] (76 bytes)
charon[794]: 05[ENC] parsed QUICK_MODE response 1672764256 [ HASH N(INIT_CONTACT) ]
charon[794]: 05[IKE] ignoring fourth Quick Mode message
pppd[846]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
pppd[846]: pppd 2.4.7 started by root, uid 0
pppd[846]: Using interface ppp1
pppd[846]: Connect: ppp1 <--> /dev/pts/4
systemd-udevd[847]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
NetworkManager[323]: <info>  [1639572675.5872] manager: (ppp1): new Generic device (/org/freedesktop/NetworkManager/Devices/8)
systemd-udevd[847]: link_config: could not get ethtool features for ppp1
systemd-udevd[847]: Could not set offload features of ppp1: Operation not supported
NetworkManager[323]: <info>  [1639572675.7045] devices added (path: /sys/devices/virtual/net/ppp1, iface: ppp1)
NetworkManager[323]: <info>  [1639572675.7046] device added (path: /sys/devices/virtual/net/ppp1, iface: ppp1): no ifupdown configuration found.
dnsmasq[393]: reading /etc/resolv.conf
dnsmasq[393]: using nameserver 192.168.10.237#53
pppd[846]: Hangup (SIGHUP)
pppd[846]: Modem hangup
pppd[846]: Connection terminated.
charon[794]: 13[KNL] interface ppp1 deleted
dnsmasq[393]: reading /etc/resolv.conf
pppd[846]: Exit.
NetworkManager[323]: <warn>  [1639572688.0073] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: failed: connect-failed (1)
dnsmasq[393]: using nameserver 192.168.10.237#53
dnsmasq[393]: reading /etc/resolv.conf
dnsmasq[393]: using nameserver 192.168.10.237#53
NetworkManager[323]: <warn>  [1639572688.0518] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: failed: connect-failed (1)
NetworkManager[323]: <info>  [1639572688.0521] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state changed: stopping (5)
charon[794]: 14[IKE] keeping connection path 10.42.78.122 - redacted
NetworkManager[323]: <info>  [1639572688.1814] devices removed (path: /sys/devices/virtual/net/ppp1, iface: ppp1)
charon[794]: 00[DMN] signal of type SIGINT received. Shutting down
charon[794]: 00[IKE] queueing QUICK_DELETE task
charon[794]: 00[IKE] queueing ISAKMP_DELETE task
charon[794]: 00[IKE] activating new tasks
charon[794]: 00[IKE]   activating QUICK_DELETE task
charon[794]: 00[IKE] closing CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} with SPIs ce51b5d8_i (788 bytes) 0ae49212_o (1872 bytes) and TS 10.42.78.122/32[udp/l2f] === 91.5
charon[794]: 00[IKE] closing CHILD_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814{1} with SPIs ce51b5d8_i (788 bytes) 0ae49212_o (1872 bytes) and TS 10.42.78.122/32[udp/l2f] === 91.5
charon[794]: 00[IKE] sending DELETE for ESP CHILD_SA with SPI ce51b5d8
charon[794]: 00[ENC] generating INFORMATIONAL_V1 request 2746148567 [ HASH D ]
charon[794]: 00[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (76 bytes)
charon[794]: 00[IKE] activating new tasks
charon[794]: 00[IKE]   activating ISAKMP_DELETE task
charon[794]: 00[IKE] deleting IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90]
charon[794]: 00[IKE] deleting IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90]
charon[794]: 00[IKE] sending DELETE for IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1]
charon[794]: 00[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: ESTABLISHED => DELETING
charon[794]: 00[ENC] generating INFORMATIONAL_V1 request 1411247294 [ HASH D ]
charon[794]: 00[NET] sending packet: from 10.42.78.122[4500] to redacted[4500] (92 bytes)
charon[794]: 00[IKE] IKE_SA 5c912719-67d6-4bdb-b5eb-d5f3db641814[1] state change: DELETING => DESTROYING
ipsec_starter[792]: child 794 (charon) has quit (exit code 0)
ipsec_starter[792]: 
ipsec_starter[792]: charon stopped after 200 ms
ipsec_starter[792]: ipsec starter stopped
NetworkManager[323]: <info>  [1639572688.4424] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state changed: stopped (6)
NetworkManager[323]: <info>  [1639572688.4495] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: state change reason: unknown (0)
NetworkManager[323]: <warn>  [1639572688.5134] vpn-connection[0x28a0e8,5c912719-67d6-4bdb-b5eb-d5f3db641814,"vpn2",0]: VPN plugin: failed: connect-failed (1)
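
A triage sketch for logs like the ones in the post above, added here as an example (not code from the thread or from NetworkManager-l2tp): it walks the journal in bring-up order, reports the first stage that never appears, and flags legacy algorithms in the negotiated proposals. The stage names, the `LEGACY` set and the shortened sample lines are assumptions of this example, and the `ppp_up` marker relies on pppd's usual "local  IP address" message, which does not appear in the thread.

```python
import re

# Bring-up stages in order, each with the log line that marks it.
STAGES = [
    ("ike_sa", re.compile(r"IKE_SA \S+ established between")),
    ("child_sa", re.compile(r"CHILD_SA \S+ established with SPIs")),
    ("l2tp_tunnel", re.compile(r"xl2tpd\[\d+\]: Connection established to")),
    ("l2tp_call", re.compile(r"xl2tpd\[\d+\]: Call established with")),
    ("pppd_start", re.compile(r"pppd\[\d+\]: pppd \S+ started by")),
    # Assumption: pppd logs "local  IP address ..." once IPCP completes.
    ("ppp_up", re.compile(r"pppd\[\d+\]: local\s+IP address")),
]

# Lines that signal a teardown or timeout.
FAILURES = [
    re.compile(r"pppd\[\d+\]: (Modem hangup|Connection terminated)"),
    re.compile(r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel \d+"),
    re.compile(r"VPN plugin: failed: \S+"),
]

SELECTED = re.compile(r"selected proposal: (IKE|ESP):(\S+)")

# Algorithm tokens (as charon prints them) treated as legacy by this example.
LEGACY = {"HMAC_SHA1_96", "PRF_HMAC_SHA1", "HMAC_MD5_96", "PRF_HMAC_MD5",
          "3DES_CBC", "MODP_1024"}

# Constructed sample: lines excerpted and shortened from the logs in the post.
SAMPLE_LOG = """
charon[794]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
charon[794]: 14[IKE] IKE_SA 5c912719[1] established between 10.42.78.122[10.42.78.122]...redacted[192.168.90.90]
charon[794]: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
charon[794]: 15[IKE] CHILD_SA 5c912719{1} established with SPIs ce51b5d8_i 0ae49212_o
xl2tpd[844]: Connection established to redacted, 1701.  Local: 29027, Remote: 298 (ref=0/0).
xl2tpd[844]: Call established with redacted, Local: 21420, Remote: 2, Serial: 1 (ref=0/0)
pppd[846]: pppd 2.4.7 started by root, uid 0
pppd[846]: Modem hangup
pppd[846]: Connection terminated.
NetworkManager[323]: <warn>  vpn-connection[vpn2]: VPN plugin: failed: connect-failed (1)
"""


def triage(lines):
    """Return the stages reached, the first missing stage, proposals and errors."""
    reached, proposals, errors = [], {}, []
    for line in lines:
        for name, pattern in STAGES:
            if name not in reached and pattern.search(line):
                reached.append(name)
        match = SELECTED.search(line)
        if match:
            algs = match.group(2).split("/")
            proposals[match.group(1)] = {
                "algs": algs,
                "legacy": [a for a in algs if a in LEGACY],
            }
        for pattern in FAILURES:
            match = pattern.search(line)
            if match and match.group(0) not in errors:
                errors.append(match.group(0))
    # The first stage (in bring-up order) with no marker is where things stalled.
    stalled = next((n for n, _ in STAGES if n not in reached), None)
    return {"reached": reached, "stalled_before": stalled,
            "proposals": proposals, "errors": errors}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("reached:       ", ", ".join(report["reached"]))
    print("stalled before:", report["stalled_before"])
    for kind, info in report["proposals"].items():
        print(f"{kind} legacy algs:", ", ".join(info["legacy"]) or "none")
    for err in report["errors"]:
        print("error:", err)
```

On the sample, the IPsec and L2TP control stages all appear and the run stalls before `ppp_up`, which points at the PPP layer rather than IKE; feed it the full `journalctl -b` text to check a real session.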

Hello @bertin ,

Could you please check your NAT connections in the Windows server and make sure it is not restricted to local networks?
And this thread here seems to be related.

Best Regards,
Janani

@bertin Sorry for reviving this old post. I am currently working on getting an L2TP VPN working. Like you, I am having issues also.
I have currently been able to get the VPN connected. However, about 60 seconds later xl2tpd is showing the following message.

Feb 16 14:18:29 device-06738443 charon[3706]: 06[NET] received packet: from x.x.x.x[4500] to 192.168.0.68[4500] (92 bytes)
Feb 16 14:18:29 device-06738443 charon[3706]: 06[ENC] parsed INFORMATIONAL_V1 request 19398925 [ HASH N(DPD) ]
Feb 16 14:18:29 device-06738443 charon[3706]: 06[ENC] generating INFORMATIONAL_V1 request 631293376 [ HASH N(DPD_ACK) ]
Feb 16 14:18:29 device-06738443 charon[3706]: 06[NET] sending packet: from 192.168.0.68[4500] to x.x.x.x[4500] (92 bytes)
Feb 16 14:18:30 device-06738443 NetworkManager[3739]: xl2tpd[3739]: Maximum retries exceeded for tunnel 9669.  Closing.
Feb 16 14:18:30 device-06738443 NetworkManager[3739]: xl2tpd[3739]: Connection 45335 closed to x.x.x.x, port 1701 (Timeout)
Feb 16 14:18:30 device-06738443 pppd[3740]: Modem hangup
Feb 16 14:18:30 device-06738443 NetworkManager[3739]: xl2tpd[3739]: get_call: can't find call 56508 in tunnel 9669

I wonder if you could shed some light on what you installed on your SOM and if there are any packages perhaps I am missing.
Here is a link to my BB recipe:

Versions

NetworkManager 1.22.10
NetworkManager-L2TP: 1.20.8
xl2tpd: 1.3.16
strongswan: 5.8.4
pppd: 2.4.7

Hi @BadTalent ,

Can you maybe state the BSP version that you’re using?

Best Regards
Kevin

@kevin.tx The release is based off the latest TorizonCore 5.7 LTS.

content of /etc/issue/

TorizonCore with PREEMPT_RT 5.7.1-devel-20230217164607+build.0

content of /etc/os-release

ID=torizon-rt
NAME="TorizonCore with PREEMPT_RT"
VERSION="5.7.1-devel-20230217164607+build.0 (dunfell)"
VERSION_ID=5.7.1-devel-20230217164607-build.0
PRETTY_NAME="TorizonCore with PREEMPT_RT 5.7.1-devel-20230217164607+build.0 (dunfell)"
DISTRO_CODENAME="dunfell"
BUILD_ID="0"
ANSI_COLOR="1;34"
VARIANT="<COMPANY NAME>"

I have made the following changes to the kernel as well.

CONFIG_L2TP=m
CONFIG_L2TP_DEBUGFS=m
CONFIG_L2TP_V3=y
CONFIG_L2TP_IP=m
CONFIG_L2TP_ETH=m

I should also note that I am running this on the Apalis IMX8QM SOM.

Hi @BadTalent !

Even though the problem is related, your BSP/TorizonCore is way newer than the one from this thread. Newer kernel, newer driver/modules.

Therefore your problem is (probably) not the same as this one. And the troubleshooting is (probably) different.

So, please create a new question. 🙂

Moreover, for your new question, please state if you can reproduce your issue on a TorizonCore image without the PREEMPT_RT patch. This is very helpful.

Best regards,