From owner-freebsd-net@FreeBSD.ORG  Thu Mar 17 03:59:33 2011
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8A694106564A
	for <freebsd-net@freebsd.org>; Thu, 17 Mar 2011 03:59:33 +0000 (UTC)
	(envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca
	[IPv6:2607:f3e0:0:1::12])
	by mx1.freebsd.org (Postfix) with ESMTP id 41AA58FC12
	for <freebsd-net@freebsd.org>; Thu, 17 Mar 2011 03:59:33 +0000 (UTC)
Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca
	[IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a])
	by smarthost1.sentex.ca (8.14.4/8.14.4) with ESMTP id p2H3xUCl053939
	(version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
	Wed, 16 Mar 2011 23:59:31 -0400 (EDT) (envelope-from mike@sentex.net)
Message-ID: <4D81871B.1030506@sentex.net>
Date: Wed, 16 Mar 2011 23:59:23 -0400
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
	rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Da Rock <freebsd-net@herveybayaustralia.com.au>
References: <4D8164CA.80501@herveybayaustralia.com.au>
In-Reply-To: <4D8164CA.80501@herveybayaustralia.com.au>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on IPv6:2607:f3e0:0:1::12
Cc: freebsd-net@freebsd.org
Subject: Re: mpd- no ng_l2tp coming up
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2011 03:59:33 -0000

On 3/16/2011 9:32 PM, Da Rock wrote:
> I'm running into all sorts of issues setting up l2tp networking. I think
> I have the IPSEC part worked out, but testing parts at a time l2tp dies
> in a hole.

Try without IPSEC first to make sure you have the l2tp portion correct.
Also, make sure no firewall rules are getting in the way.

I have this simple mpd5 config file to act as an l2tp server in my test
environment


startup:
        # configure mpd users
        set user admin xxx admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 192.168.255.254 5006
        set web open
        # extra logging for the IPv6CP negotiation
        log +IPV6CP
        log +IPV6CP2

default:
        load l2tpserver

l2tpserver:
# Define dynamic IP address pools handed out to clients.
        set ippool add pool1 xx.159.245.1 xx.159.245.5
        set ippool add pool1 10.241.241.20 10.241.241.99
        set ippool add rfc1918 172.11.22.140 172.11.22.180

# Create clonable bundle template named B
        create bundle template B
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp disable vjcomp
        set bundle enable ipv6cp
        set ipcp deny vjcomp
        set ipcp ranges xx.43.128.6/32 ippool pool1
        set ipcp dns yy.211.164.51 zz.212.134.12
        #set ipcp nbns 127.0.0.1

# Create clonable l2tp link template named L and attach it to bundle B
        create link template L l2tp
        set l2tp hostname sentex
        set l2tp disable dataseq
        set link action bundle B

# Enable peer authentication (PAP only; accounts live in mpd.secret)
        set link disable eap
        set link enable pap
        set link disable acfcomp
        set link disable protocomp
        set link disable check-magic
        set link deny acfcomp
        set link keep-alive 10 60
        set link deny protocomp
        #load radius
        set link mtu 1492
        set link mru 1492
# Accept incoming L2TP calls on this template
        set link enable incoming
        set link disable peer-as-calling

For the client, mpd5 works with the following config

l2tp_client:
#
# L2TP client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on the server's end
#

        create bundle static B1
        set iface route default
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0

        create link static L1 l2tp
        set link action bundle B1
        # account name and password as listed in mpd.secret on the server
        set auth authname testaccount-in-mpd-secret-file
        set auth password thepass
        set link max-redial 0
        set link mtu 1460
        set link keep-alive 20 75
        # address of the L2TP server to call
        set l2tp peer 64.7.128.195
        open

> I also had an unscheduled reboot (power failure) and that showed up a
> warning: "attempt to domain_add(netgraph) after domainfinalize()" which
> I could never quite figure was fatal or not.

That's ok. It's not an issue and is more informational than anything

> It appears the control connection is setup and then fails for some
> inexplicable reason. The client (android) logs show the same, but it is
> definitely the server that kills the connection. Anything I've missed?

Make sure there are no firewall rules getting in the way.  And if
possible, use a client that you know "works".  The above server works
with Windows clients with IPSEC disabled.  Start there, or with a
FreeBSD client.


	---Mike
-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
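The two mpd5 configs in the mail are Mike's; the linter below is an added example, not code from the mail or from the mpd project. It parses the subset of mpd.conf syntax the mail uses (an unindented label ending in ':', indented set/create/load commands, '#' comments) and checks an L2TP section for the omissions that typically leave a control connection half-built before the server drops the call: a link not attached to any bundle created in the same section, a missing 'set ipcp ranges' or an ippool that is never defined, a server template without 'set link enable incoming' or without any authentication protocol enabled, a client without 'set l2tp peer' or 'set auth authname'. The two sample configs are constructed from the mail's snippets (addresses and labels are the mail's own placeholders); the list of authentication protocol names is assumed from mpd5's 'set link enable' options. It does not check firewall rules, which the mail asks you to verify separately.

```python
"""Lint mpd5 L2TP server/client sections for common configuration gaps.

Added example; not the mail's or mpd's own code. The grammar handled is
the subset used in the mail: unindented 'label:' lines, indented
set/create/load/open commands, '#' comments.
"""

# Assumed set of authentication protocols accepted by 'set link enable'.
AUTH_PROTOS = {"pap", "chap", "chap-md5", "chap-msv1", "chap-msv2", "eap"}

# Constructed sample: a server config in the shape of the mail's l2tpserver.
SERVER_CONF = """\
default:
        load l2tpserver

l2tpserver:
# Define dynamic IP address pool.
        set ippool add pool1 10.241.241.20 10.241.241.99
        create bundle template B
        set ipcp ranges 10.241.241.1/32 ippool pool1
        create link template L l2tp
        set link action bundle B
        set link disable eap
        set link enable pap
        set link enable incoming
"""

# Constructed sample: a client section missing its peer and account name.
BROKEN_CLIENT_CONF = """\
l2tp_client:
        create bundle static B1
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        create link static L1 l2tp
        set link action bundle B1
        open
"""


def parse_mpd_conf(text):
    """Return {label: [command tokens, ...]} for mpd.conf-style text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]                   # new section label
            sections[current] = []
            continue
        if current is None:
            raise ValueError("command before any label: %r" % raw)
        sections[current].append(line.split())
    return sections


def lint_l2tp_sections(sections):
    """Return (label, problem) pairs for every section that creates an l2tp link."""
    problems = []
    for label, cmds in sections.items():
        links = [c for c in cmds
                 if c[:2] == ["create", "link"] and len(c) >= 5 and c[4] == "l2tp"]
        if not links:
            continue                              # not an L2TP section

        def has(*prefix):
            return any(c[:len(prefix)] == list(prefix) for c in cmds)

        bundles = {c[3] for c in cmds if c[:2] == ["create", "bundle"] and len(c) >= 4}
        pools = {c[3] for c in cmds if c[:3] == ["set", "ippool", "add"] and len(c) >= 4}

        # The link must hand its calls to a bundle defined in this section.
        action = [c[4] for c in cmds
                  if c[:4] == ["set", "link", "action", "bundle"] and len(c) >= 5]
        if not action:
            problems.append((label, "link has no 'set link action bundle'"))
        elif action[0] not in bundles:
            problems.append((label, "link action names unknown bundle %r" % action[0]))

        # IPCP needs address ranges, and any pool it references must exist.
        ranges = [c for c in cmds if c[:3] == ["set", "ipcp", "ranges"]]
        if not ranges:
            problems.append((label, "no 'set ipcp ranges'; IPCP cannot assign addresses"))
        for c in ranges:
            if "ippool" in c:
                i = c.index("ippool") + 1
                if i >= len(c) or c[i] not in pools:
                    problems.append((label, "ipcp ranges references an undefined ippool"))

        if links[0][2] == "template":             # server side: answers calls
            if not has("set", "link", "enable", "incoming"):
                problems.append((label, "server template lacks 'set link enable incoming'"))
            enabled = {c[3] for c in cmds if c[:3] == ["set", "link", "enable"] and len(c) >= 4}
            if not enabled & AUTH_PROTOS:
                problems.append((label, "no peer authentication protocol enabled"))
        else:                                     # client side: places the call
            if not has("set", "l2tp", "peer"):
                problems.append((label, "client lacks 'set l2tp peer <server>'"))
            if not has("set", "auth", "authname"):
                problems.append((label, "client lacks 'set auth authname'"))
    return problems


def lint_text(text):
    """Parse and lint in one step; returns the list of (label, problem)."""
    return lint_l2tp_sections(parse_mpd_conf(text))


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", BROKEN_CLIENT_CONF)):
        found = lint_text(conf)
        print("%s: %s" % (name, "ok" if not found else ""))
        for label, problem in found:
            print("  [%s] %s" % (label, problem))
```

Run it against your own mpd.conf with `lint_text(open("/usr/local/etc/mpd5/mpd.conf").read())`; an empty list means the sections are structurally complete, after which the remaining suspects are, as the mail says, the firewall and the client.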