Package: xl2tpd
Version: 1.2.6+dfsg-1
Severity: normal
Tags: upstream
When connecting to the xl2tpd server, the ipsec tunnel is established well
(with openswan) but when xl2tpd calls ppp, it doesn't take into account the ip
range parameter in the config and assigns an IP address 0.0.0.0 to the client.
If I try with manually setting up the IP on the client side, the connection
works fine.
Here's xl2tpd.conf:
[global]                                ; Global parameters:
ipsec saref = yes
listen-addr = 172.56.252.2

[lns default]                           ; Our fallthrough LNS definition
exclusive = yes                         ; * Only permit one tunnel per host
assign ip = yes
ip range = 172.56.252.207-208           ; * Allocate from this IP range
local ip = 172.56.252.206               ; * Our local IP to use
length bit = yes                        ; * Use length bit in payload?
refuse pap = yes                        ; * Refuse PAP authentication
refuse chap = yes                       ; * Refuse CHAP authentication
require authentication = yes            ; * Require peer to authenticate
ppp debug = yes                         ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.xl2tpd    ; * ppp options file
Here's the Syslog info:
XXX.XXX.XXX.XXX is my client address
The interesting line, when xl2tpd calls ppp:
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "172.56.252.206:0.0.0.0"
Jul 16 15:49:34 srvguigui xl2tpd[1732]: Connection established to XXX.XXX.XXX.XXX, 1701. Local: 1353, Remote: 2 (ref=0/0). LNS session is 'default'
Jul 16 15:49:35 srvguigui xl2tpd[1732]: start_pppd: I'm running:
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "/usr/sbin/pppd"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "passive"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "nodetach"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "172.56.252.206:0.0.0.0"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "refuse-pap"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "refuse-chap"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "auth"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "debug"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "file"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "/etc/ppp/options.xl2tpd"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "/dev/pts/3"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: Call established with XXX.XXX.XXX.XXX, Local: 56822, Remote: 1, Serial: 0
Jul 16 15:49:35 srvguigui pppd[24344]: pppd 2.4.4 started by root, uid 0
Jul 16 15:49:35 srvguigui pppd[24344]: using channel 2
Jul 16 15:49:35 srvguigui pppd[24344]: Using interface ppp0
Jul 16 15:49:35 srvguigui pppd[24344]: Connect: ppp0 <--> /dev/pts/3
Jul 16 15:49:35 srvguigui pppd[24344]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0x1945126> <pcomp> <accomp>]
Jul 16 15:49:36 srvguigui pppd[24344]: rcvd [LCP ConfNak id=0x1 <auth chap MS-v2>]
Jul 16 15:49:36 srvguigui pppd[24344]: sent [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1945126> <pcomp> <accomp>]
Jul 16 15:49:36 srvguigui pppd[24344]: rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1945126> <pcomp> <accomp>]
Jul 16 15:49:37 srvguigui pppd[24344]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x75a53dc2> <pcomp> <accomp> <callback CBCP>]
Jul 16 15:49:37 srvguigui pppd[24344]: sent [LCP ConfRej id=0x1 <callback CBCP>]
Jul 16 15:49:38 srvguigui pppd[24344]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x75a53dc2> <pcomp> <accomp>]
Jul 16 15:49:38 srvguigui pppd[24344]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x75a53dc2> <pcomp> <accomp>]
Jul 16 15:49:38 srvguigui pppd[24344]: sent [LCP EchoReq id=0x0 magic=0x1945126]
Jul 16 15:49:38 srvguigui pppd[24344]: sent [CHAP Challenge id=0xf9 <f4a8dc42a69833747a641f92ce0a3f52>, name = "xl2tpd"]
Jul 16 15:49:38 srvguigui pppd[24344]: rcvd [LCP Ident id=0x3 magic=0x75a53dc2 "MSRASV5.10"]
Jul 16 15:49:38 srvguigui pppd[24344]: rcvd [LCP Ident id=0x4 magic=0x75a53dc2 "MSRAS-0-UKGVOIRIOT"]
Jul 16 15:49:38 srvguigui pppd[24344]: rcvd [LCP EchoRep id=0x0 magic=0x75a53dc2]
Jul 16 15:49:38 srvguigui pppd[24344]: rcvd [CHAP Response id=0xf9 <861274882a67081b2da56f25e79ffe62000000000000000091c1d5d4dd4a1f86ba2cd32e82431f6330a261c559033f5e00>, name = "usertest"]
Jul 16 15:49:38 srvguigui pppd[24344]: sent [CHAP Success id=0xf9 "S=A8B110D80B67722D2531F4233A890D4584C44630 M=Access granted"]
Jul 16 15:49:38 srvguigui pppd[24344]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Jul 16 15:49:38 srvguigui pppd[24344]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 172.56.252.206>]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D +C>]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [CCP ConfRej id=0x5 <mppe +H -M -S -L -D +C>]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [IPCP ConfRej id=0x6 <addr 0.0.0.0> <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [CCP ConfReq id=0x2]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [IPCP ConfReq id=0x2 <addr 172.56.252.206>]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [CCP TermReq id=0x7 "u\37777777645=\37777777702\000<\37777777715t\000\000\002\37777777734"]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [CCP TermAck id=0x7]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [IPCP ConfReq id=0x8 <addr 0.0.0.0>]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [IPCP ConfRej id=0x8 <addr 0.0.0.0>]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [IPCP ConfAck id=0x2 <addr 172.56.252.206>]
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [IPCP TermReq id=0x9 "u\37777777645=\37777777702\000<\37777777715t\000\000\002\37777777742"]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [IPCP TermAck id=0x9]
Jul 16 15:49:40 srvguigui pppd[24344]: rcvd [LCP TermReq id=0xa "u\37777777645=\37777777702\000<\37777777715t\000\000\000\000"]
Jul 16 15:49:40 srvguigui pppd[24344]: LCP terminated by peer (uM-%=M-B^@<m-...@^@^...@^@)
Jul 16 15:49:40 srvguigui pppd[24344]: sent [LCP TermAck id=0xa]
Jul 16 15:49:41 srvguigui xl2tpd[1732]: control_finish: Connection closed to XXX.XXX.XXX.XXX, serial 0 ()
Jul 16 15:49:41 srvguigui xl2tpd[1732]: Terminating pppd: sending TERM signal to pid 24344
Jul 16 15:49:41 srvguigui pppd[24344]: Terminating on signal 15
Jul 16 15:49:41 srvguigui pppd[24344]: Modem hangup
Jul 16 15:49:41 srvguigui pppd[24344]: Connection terminated.
Jul 16 15:49:41 srvguigui pppd[24344]: Connect time 0.1 minutes.
Jul 16 15:49:41 srvguigui pppd[24344]: Sent 95 bytes, received 109 bytes.
Jul 16 15:49:41 srvguigui pppd[24344]: Exit.
Jul 16 15:49:41 srvguigui xl2tpd[1732]: pppd 24344 successfully terminated
Jul 16 15:49:41 srvguigui xl2tpd[1732]: control_finish: Connection closed to XXX.XXX.XXX.XXX, port 1701 (), Local: 1353, Remote: 2
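A small triage script, added here and not part of the bug report, that confirms the two symptoms from a syslog excerpt: the pppd argv that xl2tpd logs carries a local:remote pair whose remote half is 0.0.0.0, and pppd then answers the peer's IPCP <addr 0.0.0.0> request with ConfRej (it has no remote address to offer) instead of ConfNak carrying one. The failing sample is taken from the report's log above, re-joined; the healthy exchange is a constructed counter-example.

```python
import re
# Failing sample: lines from the bug report's syslog, re-joined where the mail wrapped them.
FAILING = """\
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "/usr/sbin/pppd"
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "172.56.252.206:0.0.0.0"
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [IPCP ConfRej id=0x6 <addr 0.0.0.0> <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
"""
# Constructed healthy exchange: the LNS NAKs the peer's 0.0.0.0 with an address from the pool.
HEALTHY = """\
Jul 16 15:49:35 srvguigui xl2tpd[1732]: "172.56.252.206:172.56.252.207"
Jul 16 15:49:39 srvguigui pppd[24344]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0>]
Jul 16 15:49:39 srvguigui pppd[24344]: sent [IPCP ConfNak id=0x6 <addr 172.56.252.207>]
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PPPD_ARG = re.compile(r'xl2tpd\[\d+\]: "([^"]*)"$')   # xl2tpd logs one quoted argv word per line
ADDR_PAIR = re.compile(rf"^({IPV4}):({IPV4})$")       # pppd's local:remote argument
IPCP = re.compile(r"pppd\[\d+\]: (sent|rcvd) \[IPCP (\w+) id=(0x[0-9a-f]+)(.*)\]$")
ADDR_OPT = re.compile(rf"<addr ({IPV4})>")

def pppd_addresses(log):
    """(local, remote) from the argv that xl2tpd logs after 'start_pppd: I'm running:'."""
    for m in filter(None, map(PPPD_ARG.search, log.splitlines())):
        pair = ADDR_PAIR.match(m.group(1))
        if pair:
            return pair.groups()
    return None

def ipcp_address_outcome(log):
    """'assigned' once the LNS NAKs (or ACKs non-zero) a peer address request, else 'unassigned'."""
    requests, outcome = {}, None
    for m in filter(None, map(IPCP.search, log.splitlines())):
        direction, code, ident, opts = m.groups()
        addr = ADDR_OPT.search(opts)
        if addr and direction == "rcvd" and code == "ConfReq":
            requests[ident] = addr.group(1)        # peer asked for an address (0.0.0.0 = "give me one")
        elif addr and direction == "sent" and ident in requests:
            if code == "ConfNak" or (code == "ConfAck" and addr.group(1) != "0.0.0.0"):
                return "assigned"
            if code == "ConfRej":
                outcome = "unassigned"             # pppd had no remote address to offer
    return outcome

def diagnose(log):
    findings, pair = [], pppd_addresses(log)
    if pair and pair[1] == "0.0.0.0":
        findings.append("pppd started with remote 0.0.0.0: no address taken from 'ip range'")
    if ipcp_address_outcome(log) == "unassigned":
        findings.append("peer's IPCP <addr 0.0.0.0> was rejected instead of NAKed with an address")
    return findings
```

Run diagnose() over a full syslog extract; two findings together reproduce the report, while only the second one points at the pppd options file rather than at xl2tpd's address allocation.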
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-486
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xl2tpd depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libpcap0.8 1.1.1-2 system interface for user-level pa
ii ppp 2.4.4rel-10.1 Point-to-Point Protocol (PPP) - da
xl2tpd recommends no packages.
xl2tpd suggests no packages.
-- Configuration Files:
/etc/init.d/xl2tpd changed:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/xl2tpd
NAME=xl2tpd
DESC=xl2tpd

test -x $DAEMON || exit 0

if [ -f /etc/default/xl2tpd ] ; then
    . /etc/default/xl2tpd
fi

if !([ -f /var/run/xl2tpd/l2tp-control ]); then
    touch /var/run/xl2tpd/l2tp-control
fi

PIDFILE=/var/run/$NAME.pid

set -e

case "$1" in
  start)
    echo -n "Starting $DESC: "
    test -d ${XL2TPD_RUN_DIR:-/var/run/xl2tpd} || mkdir -p ${XL2TPD_RUN_DIR:-/var/run/xl2tpd}
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --oknodo --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    echo "$NAME."
    ;;
  force-reload)
    test -d ${XL2TPD_RUN_DIR:-/var/run/xl2tpd} || mkdir -p ${XL2TPD_RUN_DIR:-/var/run/xl2tpd}
    # check whether $DAEMON is running. If so, restart
    start-stop-daemon --stop --test --quiet --pidfile \
        $PIDFILE --exec $DAEMON \
    && $0 restart \
    || exit 0
    ;;
  restart)
    test -d ${XL2TPD_RUN_DIR:-/var/run/xl2tpd} || mkdir -p ${XL2TPD_RUN_DIR:-/var/run/xl2tpd}
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile \
        $PIDFILE --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet --pidfile \
        $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0
/etc/xl2tpd/xl2tpd.conf changed:
;
; Sample l2tpd configuration file
;
; This example file should give you some idea of how the options for l2tpd
; should work. The best place to look for a list of all options is in
; the source code itself, until I have the time to write better documetation :)
; Specifically, the file "file.c" contains a list of commands at the end.
;
; You most definitely don't have to spell out everything as it is done here
;
[global]                                        ; Global parameters:
ipsec saref = yes
listen-addr = 172.56.252.2
; port = 1701                                   ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets           ; * Where our challenge secrets are
; access control = yes                          ; * Refuse connections without IP match
; rand source = dev                             ; Source for entropy for random
;                                               ; numbers, options are:
;                                               ; dev - reads of /dev/urandom
;                                               ; sys - uses rand()
;                                               ; egd - reads from egd socket
;                                               ; egd is not yet implemented
;
[lns default]                                   ; Our fallthrough LNS definition
exclusive = yes                                 ; * Only permit one tunnel per host
assign ip = yes
ip range = 172.56.252.207                       ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9         ; * Except these hosts
; ip range = 192.168.0.5                        ; * But this one is okay
; ip range = lac1-lac2                          ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8               ; * These can connect as LAC's
; no lac = untrusted.marko.net                  ; * This guy can't connect
; hidden bit = no                               ; * Use hidden AVP's?
local ip = 172.56.252.206                       ; * Our local IP to use
length bit = yes                                ; * Use length bit in payload?
; require chap = yes                            ; * Require CHAP auth. by peer
refuse pap = yes                                ; * Refuse PAP authentication
refuse chap = yes                               ; * Refuse CHAP authentication
; refuse authentication = no                    ; * Refuse authentication altogether
require authentication = yes                    ; * Require peer to authenticate
; unix authentication = no                      ; * Use /etc/passwd for auth.
; name = myhostname                             ; * Report this as our hostname
ppp debug = yes                                 ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.xl2tpd            ; * ppp options file
; call rws = 10                                 ; * RWS for call (-1 is valid)
; tunnel rws = 4                                ; * RWS for tunnel (must be > 0)
; flow bit = yes                                ; * Include sequence numbers
; challenge = yes                               ; * Challenge authenticate peer
;
; [lac marko]                                   ; Example VPN LAC definition
; lns = lns.marko.net                           ; * Who is our LNS?
; lns = lns2.marko.net                          ; * A backup LNS (not yet used)
; redial = yes                                  ; * Redial if disconnected?
; redial timeout = 15                           ; * Wait n seconds between redials
; max redials = 5                               ; * Give up after n consecutive failures
; hidden bit = yes                              ; * User hidden AVP's?
; local ip = 192.168.1.1                        ; * Force peer to use this IP for us
; remote ip = 192.168.1.2                       ; * Force peer to use this as their IP
; length bit = no                               ; * Use length bit in payload?
; require pap = no                              ; * Require PAP auth. by peer
; require chap = yes                            ; * Require CHAP auth. by peer
; refuse pap = yes                              ; * Refuse PAP authentication
; refuse chap = no                              ; * Refuse CHAP authentication
; refuse authentication = no                    ; * Refuse authentication altogether
; require authentication = yes                  ; * Require peer to authenticate
; name = marko                                  ; * Report this as our hostname
; ppp debug = no                                ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.marko     ; * ppp options file for this lac
; call rws = 10                                 ; * RWS for call (-1 is valid)
; tunnel rws = 4                                ; * RWS for tunnel (must be > 0)
; flow bit = yes                                ; * Include sequence numbers
; challenge = yes                               ; * Challenge authenticate peer
;
; [lac cisco]                                   ; Another quick LAC
; lns = cisco.marko.net                         ; * Required, but can take from default
; require authentication = yes
-- no debconf information