| Linode Forum https://forum.linode.com/ |
|
| 64Bit upgrade L2TP/IPsec Issue https://forum.linode.com/viewtopic.php?f=19&t=11119 |
| Author: | bltc1 [ Fri Jun 20, 2014 2:14 am ] |
| Post subject: | 64Bit upgrade L2TP/IPsec Issue |
Recently switched from latest 32bit kernel to latest 64bit to take advantage of the Linode upgrade. All went well and is working except L2TP/IPSEC vpn. Error log is shown below. Research suggests a possible Openswan kernel issue? Looking for some resolution/troubleshooting advice.

Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 20 01:25:20 llixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: new NAT mapping for #1, was x.x.x.x:500, now x.x.x.x:4500
Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: Dead Peer Detection (RFC 3706): enabled
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: the peer proposed: x.x.x.x/32:17/0 -> x.x.x.x/32:17/0
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: netlink_get_spi for esp.0@x.x.x.x failed with errno 22: Invalid argument
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: responding to Quick Mode proposal {msgid:28ac3dab}
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: us: x.x.x.x/32===x.x.x.x<x.x.x.x>:17/%any
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: them: x.x.x.x[x.x.x.x]:17/57006
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: netlink response for Add SA esp.eb79261@x.x.x.x included errno 22: Invalid argument
Jun 20 01:25:21 lixxx-xxx pluto[8742]: | setup_half_ipsec_sa() hit fail:
Jun 20 01:25:21 lixxx-xxx pluto[8742]: | failed to install outgoing SA: 0
Jun 20 01:25:24 llixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: discarding duplicate packet; already STATE_QUICK_R0
Jun 20 01:25:51 pluto[8742]: last message repeated 8 times
Jun 20 01:25:51 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: received Delete SA payload: deleting ISAKMP State #1
Jun 20 01:25:51 lixxx-xxx pluto[8742]: packet from x.x.x.x:4500: received and ignored informational message

Thanks, bltc |
|
| Author: | ShadowNetworks [ Tue Jul 08, 2014 11:07 pm ] |
| Post subject: | Re: 64Bit upgrade L2TP/IPsec Issue |
Probably a stupid question, but what does your
Code:
ipsec verify
look like? |
|
| Author: | dwfreed [ Tue Jul 08, 2014 11:15 pm ] |
| Post subject: | Re: 64Bit upgrade L2TP/IPsec Issue |
I've seen multiple reports of similar issues, and they're all caused by the fact that userspace is 32 bit, and the kernel is 64 bit, resulting in misalignment of data passed between them. This occurs with a lot of userspace applications which directly interface with the kernel, including IPsec (not L2TP specific) and OpenISCSI. The only available solutions are to go back to a 32 bit kernel, or deploy a 64 bit distro. Personally, I'd recommend taking the time to go through the latter process, as it's much more future proof. |
|
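A diagnostic check for the condition described in the reply above, as an added example that is not part of the thread: it reads the ELF class byte of the IKE daemon binary, compares it with the kernel's word size, and counts the netlink errno 22 lines seen in the posted log. The function names, the list of 64-bit machine strings and the sample header are assumptions made for this example.

```python
import re

# EI_CLASS, byte 4 of the ELF header: 1 = 32-bit binary, 2 = 64-bit binary.
ELF_CLASS_BITS = {1: 32, 2: 64}
# Assumption: `uname -m` values treated as a 64-bit kernel (not exhaustive).
KERNEL_64 = {"x86_64", "amd64", "aarch64", "ppc64le", "s390x"}
# Log signature from the thread: a pluto netlink request rejected with EINVAL.
NETLINK_EINVAL = re.compile(
    r"pluto\[\d+\]: .*ERROR: netlink\S* .*errno 22: Invalid argument")

def elf_bits(header: bytes) -> int:
    """Return 32 or 64 from the first bytes of an ELF file."""
    if len(header) < 5 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = ELF_CLASS_BITS.get(header[4])
    if bits is None:
        raise ValueError("unknown EI_CLASS value %d" % header[4])
    return bits

def netlink_failures(lines):
    """Return the log lines in which a netlink call failed with errno 22."""
    return [line for line in lines if NETLINK_EINVAL.search(line)]

def diagnose(kernel_machine, daemon_header, lines):
    """Combine kernel width, daemon width and log evidence into one finding."""
    kernel_bits = 64 if kernel_machine in KERNEL_64 else 32
    user_bits = elf_bits(daemon_header)
    hits = netlink_failures(lines)
    return {"kernel_bits": kernel_bits, "userspace_bits": user_bits,
            "netlink_einval": len(hits),
            "mismatch_suspected": kernel_bits != user_bits and bool(hits)}

# Constructed input: a 32-bit ELF header, plus three lines from the posted log.
SAMPLE_HEADER = b"\x7fELF\x01\x01\x01\x00"
SAMPLE_LOG = [
    'Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: '
    'netlink_get_spi for esp.0@x.x.x.x failed with errno 22: Invalid argument',
    'Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: '
    'responding to Quick Mode proposal {msgid:28ac3dab}',
    'Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: netlink '
    'response for Add SA esp.eb79261@x.x.x.x included errno 22: Invalid argument',
]

if __name__ == "__main__":
    # On a real host, pass platform.machine() and the first bytes of the daemon binary.
    print(diagnose("x86_64", SAMPLE_HEADER, SAMPLE_LOG))
```

A mismatch alone is not proof of a fault, so the finding is raised only when the log evidence is present as well.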
| Author: | ShadowNetworks [ Wed Jul 09, 2014 12:13 am ] |
| Post subject: | Re: 64Bit upgrade L2TP/IPsec Issue |
I was curious
Code:
Checking your system to see if IPsec got installed and started correctly:

The problem being the "Two or more interfaces found, checking IP forwarding [FAILED]" test. I can't for the life of me figure out what's wrong. And scouring the web isn't producing any answers, only leading to reading the same question over and over from others who ended up stuck. Ultimately, this is a you're stuck if you do, stuck if you don't scenario. |
|
| Author: | ShadowNetworks [ Wed Jul 09, 2014 5:01 pm ] |
| Post subject: | Re: 64Bit upgrade L2TP/IPsec Issue |
Rolled back to 12.04 LTS, which has an older package of OpenSwan... and bam:

Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.15.4-x86_64-linode45 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED] |
|
| Page 1 of 1 | All times are UTC-04:00 |