R80.20 Take 118 and L2TP

Luis_Dominguez1 — Tue, 24 Mar 2020 21:15:55 GMT

Greetings Checkmates!

I've been wrestling with setting up an old CentOS 6.10 system running libreswan 3.15.9, ppp 2.4.5, and xl2tpd 1.3.8. I'm limited to those version due to the OS. I have some people in my company who have CAD/CAM running so haven't upgraded their OS.

I can get the tunnel up as seen when running vpn tu, but in the log entries on the firewall and pluto.log show authentication failures during PAP.

Peer NN.NN.NN.NN, user md5 c0f974e8cabb5078:

IKE SA <7857acc160da6eca,d4bfea45568f1456>
INBOUND:
1. 0x11ca57c4 (i: 0)
OUTBOUND:
1. 0xfa8a7f13 (i: 0)

Log entries:

Id: 0aff5c3e-2e25-0000-5e7a-73d800000000
Marker: @A@@B@1585029603@C@2249474
Log Server Origin: 10.182.222.158
Domain: CheDC-Lab-CMA
Time: 2020-03-24T20:55:52Z
Id Generated By Indexer: false
First: false
Sequencenum: 3
Category: Session
Event Type: Login
Name: L2TP
Login Option: vpn
Failed Login Factor Number:0
User DN: Unknown
User Groups: All Users
Re-authentication every: 8 hours
Login Timestamp: 2020-03-24T20:55:52Z
Source: NN.NN.NN.NN
IP Protocol: 6
Destination Port: 443
Data Protocol: IPSec
Methods: AES-256 + SHA256
Status: Success
Suppressed Logs: 0
Mobile Access Session UID: 5E7A73D8-0000-0000-0AFF-5C3E2E250000
Data Encryption: AES-128 + SHA256 + Group 14, Pre shared secrets
Last Update Time: 2020-03-24T20:55:52Z
Action: Log In
Type: Log
Blade: Mobile Access
Origin: arch-seclab-fw2
Service: TCP/443
Product Family: Access

Id: 92ad616c-4950-0000-49b5-0804b3bc06a5
Marker: @A@@B@1585029603@C@2249525
Log Server Origin: 10.182.222.158
Domain: CheDC-Lab-CMA
Time: 2020-03-24T20:55:55Z
Interface Direction: inbound
Interface Name: daemon
Id Generated By Indexer:false
First: false
Sequencenum: 4
Source: NN.NN.NN.NN
User: L2TP-Client
Session: <NN.NN.NN.NN:1701 46012 44434>
Ppp: Authentication failed for user L2TP-Client, reason --- Access denied. Invalid creds?
Scheme: L2TP
Authentication Method: Password Authentication Protocol (PAP)
Machine: <L2TP>
Reject Category: Remote Access Client authentication failure
VPN Feature: L2TP
Action: Reject
Type: Log
Blade: VPN
Origin: arch-seclab-fw2
Interface: daemon
Description:

I'm leaving out the *.secrets files. They follow the documented formats.

/etc/ipsec.conf

config setup

protostack=netkey

logfile=/var/log/pluto.log

dumpdir=/var/run/pluto/

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

include /etc/ipsec.d/*.conf

/etc/ipsec.d/ra.conf

conn hughes

auto=add

type=transport

authby=secret

keyingtries=0

left=%defaultroute

right=VPN IP address

rightid=VPN IP adress

rightprotoport=udp/l2tp

pfs=no

ike=aes128-sha256;modp2048

phase2alg=aes256-sha256;modp2048

salifetime=1h

ikelifetime=8h

ikev2=no

/etc/xl2tpd/xl2tpd.conf

[global]

access control = yes

port = 1701

ipsec saref = no

;

[lac hughes-L2TP]

lns = VPN IP address

name = L2TP-Client

pppoptfile = /etc/ppp/options.xl2tpd.client

autodial = yes

runnel rws = 8

tx bps = 100000000

rx bps = 100000000

/ppp/options.xl2tpd.client

nodetach

usepeerdns

noipdefault

nodefaultroute

noauth

noccp

refuse-eap

refuse-chap

refuse-mschap

refuse-mschap-v2

lcp-echo-failure 0

lcp-echo-interval 0

mru 1400

mtu 1400

user L2TP-Client

password mypassword

I have a case opened with CP support, and they're trying to help but can't do too much with the old CentOS version I'm running.

Any help is greatly appreciated!

Luis

topic R80.20 Take 118 and L2TP in SASE and Remote Access

R80.20 Take 118 and L2TP

Re: R80.20 Take 118 and L2TP