xl2tpd woes

I’ve been trying to get an IPsec/L2TP VPN server going on spade. This kind of VPN involves several layers (ipsec, l2tp and ppp) which all seem to fail independently and differently depending on how I test a configuration. So far it’s been a 4-day epic.

I figured I should establish that L2TP worked in a trivial case before trying to glue it together with ipsec. So I installed xl2tpd on scuff and tried to connect over the local network.

Here are some lessons learnt:

  • Bringing a LAC up is a bit convoluted: you write “c lacname” to xl2tpd’s control file (/var/run/xl2tpd/l2tp-control by default), and “d lacname” to take it down again.
  • The xl2tpd.conf file mixes L2TP tunnel parameters with PPP settings that xl2tpd passes on to pppd. These shouldn’t be confused: auth file, hostname and challenge are L2TP tunnel things, not PPP authentication.
  • As a consequence, the PPP user’s credentials go in /etc/ppp/chap-secrets, not in the l2tp secrets file, which only serves L2TP tunnel challenge authentication.
  • xl2tpd has a bug that makes refuse authentication in a LAC section do the opposite of what you would expect (details below).

When you write refuse authentication = no in a LAC section, xl2tpd adds refuse-chap and refuse-pap to the PPP options unconditionally, i.e. regardless of the value you gave. This results in a lot of “peer refused to authenticate” PPP errors. The bug is present in version 1.2.0 and Debian’s dfsg-1 release. I made some noise on their mailing list and filed a bug report.
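Here is a small POSIX shell script, added as an illustration for this post and not taken from the post or from the xl2tpd project, that puts the lessons above into files: a LAC section in xl2tpd.conf that keeps tunnel settings separate from the pppd options file, the PPP credentials in chap-secrets rather than l2tp-secrets, the “c lacname” / “d lacname” control-file commands, and a check that tells you whether pppd was launched with refuse-chap/refuse-pap despite refuse authentication = no. Everything specific is an assumption: the LAC name “spade”, the LNS address 192.0.2.1, the default control file path, a constructed placeholder CHAP secret, and the premise that xl2tpd puts its refuse-*/require-* flags on pppd’s command line where ps can show them.

```sh
#!/bin/sh
# Added example for this post (not xl2tpd's own code): render a minimal LAC
# configuration that keeps L2TP and PPP settings in their proper files, drive
# the LAC through xl2tpd's control file, and check a pppd command line for the
# refuse-chap/refuse-pap symptom described above.
#
# Assumptions, none of them from the post: the LAC is called "spade", the LNS
# address is 192.0.2.1 (documentation range), the control file is xl2tpd's
# default /var/run/xl2tpd/l2tp-control, the CHAP secret is a constructed
# placeholder, and xl2tpd passes its refuse-*/require-* flags on pppd's
# command line where "ps" can see them.
set -eu

CONTROL_FILE=/var/run/xl2tpd/l2tp-control

# Write the configuration under $1 (a scratch directory to review first, or /
# to install for real).
write_lac_config() {
    dir=$1
    mkdir -p "$dir/etc/xl2tpd" "$dir/etc/ppp"

    # L2TP layer. "auth file", "hostname" and "challenge" concern the tunnel
    # (that secret lives in l2tp-secrets); they do not authenticate PPP users.
    cat >"$dir/etc/xl2tpd/xl2tpd.conf" <<'EOF'
[global]
auth file = /etc/xl2tpd/l2tp-secrets
access control = no

[lac spade]
lns = 192.0.2.1
redial = yes
redial timeout = 15
; do not demand that the LNS authenticate to us ...
require authentication = no
; ... but do authenticate ourselves when it asks. On xl2tpd 1.2.0 and Debian's
; dfsg-1 this still put refuse-chap/refuse-pap on pppd's command line (fixed
; in 1.2.2), so verify with pppd_refuses_auth after connecting.
refuse authentication = no
name = spade
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.spade
EOF

    # PPP layer: options that xl2tpd hands to pppd. No refuse-* here.
    cat >"$dir/etc/ppp/options.l2tpd.spade" <<'EOF'
noauth
user spade
EOF

    # PPP credentials belong here, not in l2tp-secrets (constructed secret).
    # client  server  secret            IP addresses
    cat >"$dir/etc/ppp/chap-secrets" <<'EOF'
spade     *       "example-secret"  *
EOF
}

# xl2tpd reads one-line commands from its control file: "c <lac>" connects,
# "d <lac>" disconnects. $1 is the control file, $2 the LAC name.
lac_up()   { printf 'c %s\n' "$2" >"$1"; }
lac_down() { printf 'd %s\n' "$2" >"$1"; }

# Given a pppd command line (on Linux: ps -o args= -C pppd, taken while the
# tunnel is coming up), return 0 if pppd was told to refuse CHAP or PAP, which
# is what the other end then logs as "peer refused to authenticate".
pppd_refuses_auth() {
    case " $1 " in
        *' refuse-chap '*|*' refuse-pap '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh lac.sh render /tmp/lac-stage | up | down | check
case "${1:-}" in
    render) write_lac_config "${2:-/tmp/lac-stage}" ;;
    up)     lac_up "$CONTROL_FILE" spade ;;
    down)   lac_down "$CONTROL_FILE" spade ;;
    check)
        if pppd_refuses_auth "$(ps -o args= -C pppd || true)"; then
            echo 'pppd was started with refuse-chap/refuse-pap: the LAC will not authenticate'
        else
            echo 'pppd command line carries no refuse-chap/refuse-pap'
        fi ;;
esac
```

Run `render` against a scratch directory and diff the result against what you have in /etc before installing it; `check` only means something while xl2tpd has a pppd child running, so issue `up` first and run it during the LCP/authentication phase.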

I guess hardly anybody manually creates L2TP client connections, because otherwise this would have been really obvious (at least that something was wrong; finding the actual problem took me a day of tcpdumps, source perusal and log file reading).

Update: patch accepted in xl2tpd 1.2.2
