Linode Community Forums
Posted: Fri Jun 20, 2014 2:14 am

Joined: Fri Jun 20, 2014 1:51 am
Posts: 1
Recently switched from the latest 32-bit kernel to the latest 64-bit one to take advantage of the Linode upgrade. All went well and everything is working except the L2TP/IPsec VPN.
The error log is shown below. Research suggests a possible Openswan kernel issue? Looking for some resolution/troubleshooting advice.

Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 20 01:25:20 llixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: new NAT mapping for #1, was x.x.x.x:500, now x.x.x.x:4500
Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: Dead Peer Detection (RFC 3706): enabled
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: the peer proposed: x.x.x.x/32:17/0 -> x.x.x.x/32:17/0
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: netlink_get_spi for esp.0@x.x.x.x failed with errno 22: Invalid argument
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: responding to Quick Mode proposal {msgid:28ac3dab}
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: us: x.x.x.x/32===x.x.x.x<x.x.x.x>:17/%any
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: them: x.x.x.x[x.x.x.x]:17/57006
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: netlink response for Add SA esp.eb79261@x.x.x.x included errno 22: Invalid argument
Jun 20 01:25:21 lixxx-xxx pluto[8742]: | setup_half_ipsec_sa() hit fail:
Jun 20 01:25:21 lixxx-xxx pluto[8742]: | failed to install outgoing SA: 0
Jun 20 01:25:24 llixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: discarding duplicate packet; already STATE_QUICK_R0
Jun 20 01:25:51 pluto[8742]: last message repeated 8 times
Jun 20 01:25:51 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: received Delete SA payload: deleting ISAKMP State #1
Jun 20 01:25:51 lixxx-xxx pluto[8742]: packet from x.x.x.x:4500: received and ignored informational message

Thanks,

bltc

Posted: Tue Jul 08, 2014 11:07 pm
Senior Newbie

Joined: Fri Dec 16, 2011 12:08 pm
Posts: 6
Probably a stupid question, but what does your
Code:
ipsec verify
look like?

_________________
There is not a thin line between love and hate. There is --- in fact --- a Great Wall of China with armed sentries posted every 20 feet between love and hate. ~House

Posted: Tue Jul 08, 2014 11:15 pm
Senior Member

Joined: Mon Aug 29, 2011 2:34 am
Posts: 77
I've seen multiple reports of similar issues, and they're all caused by the fact that userspace is 32 bit, and the kernel is 64 bit, resulting in misalignment of data passed between them. This occurs with a lot of userspace applications which directly interface with the kernel, including IPsec (not L2TP specific) and OpenISCSI. The only available solutions are to go back to a 32 bit kernel, or deploy a 64 bit distro. Personally, I'd recommend taking the time to go through the latter process, as it's much more future proof.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.
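One way to test the explanation above on a live box, as an added example that is not part of the thread or of Openswan: compare the bitness of the running kernel (from `uname -m`) with the ELF class byte of the IPsec daemon binary, which is exactly the combination the post says breaks the netlink SA installation. The script is plain POSIX sh; the path `/usr/lib/ipsec/pluto` in the usage comment is an assumption about where the Debian/Ubuntu Openswan package installs pluto, and the test files built from a handcrafted ELF header are constructed inputs.

```shell
#!/bin/sh
# Added example (not from the thread): detect a 64-bit kernel running a 32-bit
# userspace daemon, the mismatch blamed above for the netlink "Invalid argument"
# failures. Pure POSIX sh; the binary path is an argument so it can be tested
# against constructed files.

# Bitness of a running kernel, from its machine name (uname -m).
kernel_bits() {
    case "$1" in
        x86_64|aarch64|ppc64*|s390x) echo 64 ;;
        i?86|armv*|ppc)              echo 32 ;;
        *)                           echo unknown ;;
    esac
}

# Bitness of an ELF binary, from the EI_CLASS byte at offset 4
# (1 = ELF32, 2 = ELF64). Prints "unknown" and fails if the file is not ELF.
elf_bits() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \t\n')
    [ "$magic" = "7f454c46" ] || { echo unknown; return 1; }
    class=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \t\n')
    case "$class" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown ;;
    esac
}

# check_mismatch KERNEL_MACHINE BINARY
# Returns 0 when kernel and binary agree, 1 on a bitness mismatch,
# 2 when either side could not be determined.
check_mismatch() {
    k=$(kernel_bits "$1")
    u=$(elf_bits "$2") || return 2
    if [ "$k" = unknown ] || [ "$u" = unknown ]; then
        echo "undetermined: kernel=$k binary=$u"
        return 2
    fi
    if [ "$k" = "$u" ]; then
        echo "ok: kernel and $2 are both ${k}-bit"
        return 0
    fi
    echo "MISMATCH: kernel is ${k}-bit but $2 is ${u}-bit"
    return 1
}

# Usage on a live system (pluto path is an assumption for Debian/Ubuntu Openswan):
#   sh bitness-check.sh /usr/lib/ipsec/pluto
if [ -n "${1:-}" ]; then
    check_mismatch "$(uname -m)" "$1"
fi
```

A non-zero exit of 1 means you are in the situation the post describes; the same check run against `/sbin/iscsid` would flag the Open-iSCSI case the post mentions.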

Posted: Wed Jul 09, 2014 12:13 am
Senior Newbie

Joined: Fri Dec 16, 2011 12:08 pm
Posts: 6
I was curious :) I'm working on trying to get IPsec/L2TP setup on Ubuntu 14.04 with the latest kernel (or even any of the old ones). I'm running into

Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.38/K3.13.7-x86_64-linode38 (netkey)
Checking for IPsec support in kernel                           [OK]
 SAref kernel support                                          [N/A]
 NETKEY:  Testing XFRM related proc values                     [OK]
   [OK]
   [OK]
Checking that pluto is running                                 [OK]
 Pluto listening for IKE on udp 500                            [OK]
 Pluto listening for NAT-T on udp 4500                         [OK]
Two or more interfaces found, checking IP forwarding           [FAILED]
Checking NAT and MASQUERADEing                                 [OK]
Checking for 'ip' command                                      [OK]
Checking /bin/sh is not /bin/dash                              [WARNING]
Checking for 'iptables' command                                [OK]
Opportunistic Encryption Support                               [DISABLED]


The problem being the "Two or more interfaces found, checking IP forwarding [FAILED]" test. I can't for the life of me figure out what's wrong. And scouring the web isn't producing any answers, only leading to reading the same question over and over from others who ended up stuck.

Ultimately, this is a "stuck if you do, stuck if you don't" scenario.

_________________
There is not a thin line between love and hate. There is --- in fact --- a Great Wall of China with armed sentries posted every 20 feet between love and hate. ~House
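The failing line comes from `ipsec verify` reading the kernel's IPv4 forwarding knob when it sees more than one interface. As an added example (not code from the thread or from Openswan), here is a small POSIX sh script that reproduces that check, plus the per-interface ICMP redirect checks that the two unlabeled `[OK]` lines under `NETKEY: Testing XFRM related proc values` most likely are (their names were lost in the paste). The assumption is that the checks read `/proc/sys/net/ipv4/ip_forward` and `/proc/sys/net/ipv4/conf/*/{send,accept}_redirects`; the proc root is a parameter so the script can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the kernel-knob checks that
# "ipsec verify" reports, so the FAILED one can be located and fixed. The proc
# root is a parameter (default: the real /proc) so the checks can be run
# against a constructed directory tree.

# read_knob ROOT NAME: print the value of /proc/sys/net/ipv4/NAME under ROOT,
# or "missing" if the file is absent or unreadable.
read_knob() {
    f="$1/proc/sys/net/ipv4/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# An L2TP/IPsec server must forward packets between VPN clients and the rest
# of the network, so ip_forward has to be 1. This is the knob behind the
# "Two or more interfaces found, checking IP forwarding" line.
check_ip_forward() {
    v=$(read_knob "${1:-}" ip_forward)
    if [ "$v" = 1 ]; then
        echo "ip_forward=1 [OK]"
        return 0
    fi
    echo "ip_forward=$v [FAILED]  (fix: sysctl -w net.ipv4.ip_forward=1)"
    return 1
}

# The NETKEY checks want ICMP redirects neither sent nor accepted on any
# interface (conf/*/send_redirects and conf/*/accept_redirects = 0), so the
# kernel does not short-circuit traffic that should traverse the XFRM policy.
# Prints one FAILED line per offending knob and returns 1 if any were found.
check_redirects() {
    root="${1:-}"; rc=0
    for d in "$root"/proc/sys/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        for knob in send_redirects accept_redirects; do
            v=$(cat "$d/$knob" 2>/dev/null || echo missing)
            if [ "$v" != 0 ]; then
                echo "$(basename "$d")/$knob=$v [FAILED]"
                rc=1
            fi
        done
    done
    [ "$rc" = 0 ] && echo "redirects disabled on all interfaces [OK]"
    return $rc
}

# Run against the live kernel with:  sh verify-knobs.sh live
if [ "${1:-}" = live ]; then
    check_ip_forward ""
    check_redirects ""
fi
```

On a real server the one-line fix for the thread's failure is `sysctl -w net.ipv4.ip_forward=1`, made persistent by putting `net.ipv4.ip_forward = 1` in `/etc/sysctl.conf` and running `sysctl -p`; the redirect knobs are set the same way with `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.all.accept_redirects = 0`. If `ipsec verify` still reports FAILED afterwards, the value being read is not the one you set, which is worth confirming with `cat /proc/sys/net/ipv4/ip_forward` before suspecting the package.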

Posted: Wed Jul 09, 2014 5:01 pm
Senior Newbie

Joined: Fri Dec 16, 2011 12:08 pm
Posts: 6
Rolled back to 12.04 LTS, which has an older package of OpenSwan... and bam:

Code:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.15.4-x86_64-linode45 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

_________________
There is not a thin line between love and hate. There is --- in fact --- a Great Wall of China with armed sentries posted every 20 feet between love and hate. ~House
