[Openswan Users] Unauthorized remote IP address
Jax
2007-03-24 13:35:36 UTC
Hi folks!

I have an L2TP/IPsec VPN _CLIENT_ setup with the IPsec part already
completed and working (Openswan+L2TPD as client). L2TP successfully
authenticates, but after that it drops the connection with:

pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
pppd[27766]: IPCP terminated by peer (Unauthorized remote IP address)

There are no restrictions in chap-secrets or elsewhere. In l2tpd.conf

access control = no

So I just don't see how I can ignore this and force the connection. My
second guess is that it is caused by a mechanism in l2tpd which denies the
connection if the LAN IP is in the same subnet. Any ideas how I can solve this?

Regards,

Jax
Paul Wouters
2007-03-24 17:50:08 UTC
Post by Jax
I have an L2TP/IPsec VPN _CLIENT_ setup with the IPsec part already
completed and working (Openswan+L2TPD as client). L2TP successfully
pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
pppd[27766]: IPCP terminated by peer (Unauthorized remote IP address)
There are no restrictions in chap-secrets or elsewhere. In l2tpd.conf
access control = no
So I just don't see how I can ignore this and force the connection. My
second guess is that it is caused by a mechanism in l2tpd which denies the
connection if the LAN IP is in the same subnet. Any ideas how I can solve this?
That's at the pppd level. Check if you enforce local and/or remote IP addresses
in your pppd options files anywhere.

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Jacco de Leeuw
2007-03-24 19:14:45 UTC
There are no restrictions in chap-secrets
Actually, I recommend restricting the passwords to only those IP addresses
that are specified in 'ip range' in l2tpd.conf.

Can you show the chap-secrets file?
In l2tpd.conf
access control = no
That is at the L2TP level, which is ignored by Windows/Mac clients anyway.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
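Added example, not code from this thread or from pppd itself: a small Python model of the chap-secrets address check that Paul and Jacco are pointing at, run over constructed log lines in the format quoted above. The chap-secrets contents and client names are constructed; the meaning of the fourth field (none or "-" allows nothing, "*" allows anything, "!addr" denies, "a.b.c.d/n" is a subnet) follows the pppd manual, with the "+" suffix left out.

```python
import ipaddress
import re
import shlex

# Constructed sample of a server-side /etc/ppp/chap-secrets; the fourth field
# lists the addresses each peer may use during IPCP.
CHAP_SECRETS = """\
# client   server  secret     IP addresses
jax        *       "s3cret"   10.20.30.0/24
bob        *       "pass"     !10.20.30.1 10.20.30.0/24
carol      *       "any"      *
dave       *       "none"     -
"""

# Constructed pppd log lines in the shape quoted in the thread.
PPPD_LOG = [
    "pppd[27766]: local IP address 10.0.0.1",
    "pppd[27766]: remote IP address 10.20.30.1",
]

def parse_chap_secrets(text):
    """Map each client name to its list of address words (may be empty)."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            words = shlex.split(line)      # handles the quoted secret
            if len(words) >= 3:
                rules[words[0]] = words[3:]
    return rules

def peer_addr_authorized(addr_words, peer_ip):
    """Simplified model of pppd's check: no fourth word or '-' allows nothing,
    '*' allows anything, '!addr' denies on match, 'a.b.c.d/n' is a subnet."""
    ip = ipaddress.IPv4Address(peer_ip)
    if not addr_words or addr_words == ["-"]:
        return False
    for word in addr_words:
        if word == "*":
            return True
        net = ipaddress.IPv4Network(word.lstrip("!"), strict=False)
        if ip in net:
            return not word.startswith("!")
    return False

def addresses_from_log(lines):
    """Pull the local/remote IPCP addresses out of pppd log lines."""
    pat = re.compile(r"pppd\[\d+\]: (local|remote) IP address (\S+)")
    return {m.group(1): m.group(2) for m in map(pat.search, lines) if m}
```

Seen from the server, the client's "local IP address" is the peer address its chap-secrets must authorize, so a line restricted to 10.20.30.0/24 rejects a client that ends up with 10.0.0.1 while accepting 10.20.30.5.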
Jacco de Leeuw
2007-03-25 20:35:53 UTC
Post by Jax
pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
What's odd is that your local IP address is assigned by the server itself
and the next thing it does is reject the address because it is "unauthorized".

What is the server running? Are you sure that 10.0.0.1 is the client address
and 10.20.30.1 is the server address, and not vice versa?

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Paul Wouters
2007-03-25 21:33:59 UTC
Post by Jacco de Leeuw
Post by Jax
pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
What's odd is that your local IP address is assigned by the server itself
and the next thing it does is reject the address because it is "unauthorized".
What is the server running? Are you sure that 10.0.0.1 is the client address
and 10.20.30.1 is the server address, and not vice versa?
Isn't it the other way around? The server claims its local id of 10.0.0.1, but
the incoming client rejects the server's IP, and sends to the server (rcvd!)
the PPP notification "Unauthorized remote IP address".

Paul
Jax
2007-03-25 22:21:31 UTC
Post by Jacco de Leeuw
Post by Jax
pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
What's odd is that your local IP address is assigned by the server itself
and the next thing it does is reject the address because it is
"unauthorized".
What is the server running? Are you sure that 10.0.0.1 is the client address
and 10.20.30.1 is the server address, and not vice versa?
Ok, I forgot to tell you that the machine has a 10.0.0.1 LAN address. The
10.20.30.1 is the other side (VPN server). As I told you before, I use
this box as a _client_ which connects to an external server. It just
happened to be the other IP from the 10.x.x.x pool, because I'm not an
admin of the remote VPN server.

So is there any way to solve this without giving another LAN IP to
this box instead of 10.0.0.1, and with it to any other box?
Post by Jacco de Leeuw
Jacco
Jax
Jacco de Leeuw
2007-03-26 07:21:50 UTC
Post by Jax
Post by Jax
pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
Ok, I forgot to tell you that the machine has a 10.0.0.1 LAN address. The
10.20.30.1 is the other side (VPN server). As I told you before, I use
this box as a _client_ which connects to an external server.
Sorry, are you saying that the above comes from the server log?
The server is running Linux/Openswan too? Then we'd have to take
a look at the server's l2tpd.conf and chap-secrets.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Jax
2007-03-26 17:15:34 UTC
Post by Jacco de Leeuw
Post by Jax
Post by Jax
pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
Ok, I forgot to tell you that the machine has a 10.0.0.1 LAN address.
The 10.20.30.1 is the other side (VPN server). As I told you before, I
use this box as a _client_ which connects to an external server.
Sorry, are you saying that the above comes from the server log?
The server is running Linux/Openswan too? Then we'd have to take
a look at the server's l2tpd.conf and chap-secrets.
I don't know what is running on the server and I don't have any kind of
access to that server. I guess the solution is to force pppd not to use
the local IP 10.0.0.1 but rather 10.20.30.2.
Post by Jacco de Leeuw
Jacco
Jax
Jacco de Leeuw
2007-03-26 19:51:52 UTC
Post by Jax
I don't know what is running on the server
Have you looked at the Openswan log? That should give an indication
of what it is running.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Jax
2007-03-27 22:08:30 UTC
Post by Jacco de Leeuw
Post by Jax
I don't know what is running on the server
Have you looked at the Openswan log? That should give an indication
of what it is running.
Does it matter what the Openswan version on the other side is when the
IPsec connection works?

However, I set up the IPs in l2tpd.conf under lac:

local ip = 10.20.30.2
remote ip = 10.20.30.1

And it overwrites the IPCP address, but I still get the unauthorized
message :(
Post by Jacco de Leeuw
Jacco
Jax
Paul Wouters
2007-03-28 05:36:20 UTC
Post by Jax
Does it matter what the Openswan version on the other side is when the
IPsec connection works?
However, I set up the IPs in l2tpd.conf under lac:
local ip = 10.20.30.2
remote ip = 10.20.30.1
Don't use "remote ip" at all. Only use "local ip" on an l2tp server end.
For a client, don't use local/remote ip at all, just have the
lns = remote_public_ip

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Jax
2007-03-28 16:45:38 UTC
Post by Paul Wouters
Post by Jax
Does it matter what the Openswan version on the other side is when the
IPsec connection works?
However, I set up the IPs in l2tpd.conf under lac:
local ip = 10.20.30.2
remote ip = 10.20.30.1
Don't use "remote ip" at all. Only use "local ip" on an l2tp server end.
For a client, don't use local/remote ip at all, just have the
lns = remote_public_ip
OK, you didn't understand 2 things here, which I highlighted in my mails:

- I use l2tpd as a client (why? because there is no other console-based L2TP client for Linux; btw I use the newer version (yes, 0.70 backported to sarge))
- I don't have access to the server, so the l2tpd server on the other side is not a question

Yes, I tried all possible variations now, and it has nothing to do with the LAN IP range (as I thought), because I reconfigured the LAN interface for a while and it came again with the unauthorized remote IP.
Post by Paul Wouters
Paul
Jax

Jax
2007-03-27 11:05:20 UTC
Post by Jax
Post by Jacco de Leeuw
Post by Jax
Post by Jax
pppd[27766]: local IP address 10.0.0.1
pppd[27766]: remote IP address 10.20.30.1
pppd[27766]: Script /etc/ppp/ip-up started (pid 5314)
pppd[27766]: rcvd [IPCP TermReq id=0x2 "Unauthorized remote IP address"]
Ok, I forgot to tell you that the machine has a 10.0.0.1 LAN address.
The 10.20.30.1 is the other side (VPN server). As I told you before, I
use this box as a _client_ which connects to an external server.
Sorry, are you saying that the above comes from the server log?
The server is running Linux/Openswan too? Then we'd have to take
a look at the server's l2tpd.conf and chap-secrets.
I don't know what is running on the server and I don't have any kind of
access to that server. I guess the solution is to force pppd not to use
the local IP 10.0.0.1 but rather 10.20.30.2.
Post by Jacco de Leeuw
Jacco
Jax
No. The solution is to NOT specify an IP and let the server give you one:
ipcp-accept-local
ipcp-accept-remote
I pasted all of my config files before, including the options.l2tp client
file, and these options are in; I also tried to comment them out, which does
not help.

I guess the remote server is l2tpd too:
l2tpd[19369]: vendor_avp: peer reports vendor 'l2tpd.org'
See the example configs in openswan-2/testing/pluto/l2tp-01 (on openswan 2.5.x or higher;
2.4.x does not have that test case)
Paul
Jax