Issue #3383

TPLink Router using strongSwan can connect as l2tp/ipsec client but OpenWrt doesn't

Added by Leo Zhu 5 months ago. Updated 5 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.8.3
Resolution:

Description

Hi everyone,

I have tested many times and found a very strange thing: the TPLink router TL-WAR302 is using strongSwan V5.3.5.
I used the web interface to set up l2tp/ipsec as a client and it can connect, but the speed is slow because decryption needs a lot of CPU resources.
Then I tried to use the same config for strongSwan with OpenWrt x86 on a desktop, but it can't connect, and this problem crashed me time and time again......:(

Please help me fix this issue, I would be grateful to you time and time again!!!

I can confirm that the VPN server information is:
1. Server domain name (the public IP changes every day)
2. User ID
3. Password
4. PSK key
5. Encryption is 3des-sha1-modp1024

Here are my test steps:

A. I found a way to enable SSH login on the TPLink, so I can see detailed information

A.1 Tplink ipsec version

root@TP-LINK:~# ipsec version
Linux strongSwan U5.3.5/K3.3.8
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@TP-LINK:~# 

A.2 Tplink ipsec status

root@TP-LINK:~# ipsec up X_l2tp_client1
generating QUICK_MODE request 456438329 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.3.2[4500] to 122.100.200.154[4500] (260 bytes)
received packet: from 122.100.200.154[4500] to 192.168.3.2[4500] (172 bytes)
parsed QUICK_MODE response 456438329 [ HASH SA No ID ID NAT-OA NAT-OA ]
get the max number of child_sa successfully, the number is (5)
Initiating an new Quick Mode,total child sa =1 
connection 'X_l2tp_client1' established successfully
root@TP-LINK:~# ipsec statusall
Status of IKE charon daemon (weakSwan 5.3.5, Linux 3.3.8, mips):
  uptime: 2 minutes, since Mar 26 16:22:47 2020
  malloc: sbrk 147456, mmap 0, used 129296, free 18160
  worker threads: 59 of 64 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.4.1
  192.168.3.2
  192.168.100.1
Connections:
X_l2tp_client1:  192.168.3.2...122.100.200.154  IKEv1, dpddelay=30s
X_l2tp_client1:   local:  [192.168.3.2] uses pre-shared key authentication
X_l2tp_client1:   remote: uses pre-shared key authentication
X_l2tp_client1:   child:  192.168.3.2/32[udp/l2f] === 122.100.200.154/32[udp/l2f] TRANSPORT, dpdaction=restart
Security Associations (1 up, 0 connecting):
X_l2tp_client1[2]: ESTABLISHED 5 seconds ago, 192.168.3.2[192.168.3.2]...122.100.200.154[192.168.1.107]
X_l2tp_client1[2]: IKEv1 SPIs: 92fac4374afc0ef0_i* ba1bd617239f68e6_r, pre-shared key reauthentication in 10 hours
X_l2tp_client1[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
X_l2tp_client1{3}:  INSTALLED, TRANSPORT, reqid 2, ESP in UDP SPIs: ccdd115f_i dde91265_o
X_l2tp_client1{3}:  3DES_CBC/HMAC_SHA1_96, 1011 bytes_i (16 pkts, 1s ago), 2456 bytes_o (27 pkts, 1s ago), rekeying in 10 hours
X_l2tp_client1{3}:   192.168.3.2/32[udp/l2f] === 122.100.200.154/32[udp/l2f]

B.Tplink Config File

B.1 Tplink ipsec.config

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no
        uniqueids=no

conn %default
  authby=secret
# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name" 
#      keyexchange=ikev2
#      auto=start

B.2 Tplink ipsec file

config connection
    option remote_network '---'
    option protocol '17'
    option ike_stage1 'ike_stage1_0th'
    option local_binding 'WAN1'
    option ip_pool '---'
    option local_binding_type 'if_name'
    option config_mode 'disable'
    option local_port '1701'
    option connection_type 'initiator'
    option remote_peer 'macau.dyndns.tv'
    option remote_port '1701'
    option textname 'X_l2tp_client1'
    option ike_stage2 'ike_stage2_0th'
    option remote_peer_type 'domain_name'
    option local_network '---'
    option name 'X_l2tp_client1'
    option local_id_type 'IP_ADDRESS'
    option remote_id_type 'IP_ADDRESS'
    option status 'disable'
    option tfc '5'

config ike_stage1
    option name 'ike_stage1_0th'
    list ike_proposal 'md5-3des-modp1024'
    list ike_proposal 'sha1-3des-modp1024'
    option exchange_mode 'main'
    option lifetime '38430'
    option ike_version 'ikev1'
    option ref '1'
    option dpd_enable 'enable'
    option dpd_interval '30'

config ike_proposal
    option encrypt '3des'
    option dh_group 'modp1024'
    option name 'md5-3des-modp1024'
    option ref '1'
    option auth 'md5'

config ike_proposal
    option encrypt '3des'
    option dh_group 'modp1024'
    option name 'sha1-3des-modp1024'
    option ref '1'
    option auth 'sha1'

config ike_stage2
    option pfs 'none'
    list ike_stage2_proposal 'esp-sha1-3des'
    list ike_stage2_proposal 'esp-md5-3des'
    list ike_stage2_proposal 'esp-md5-des'
    list ike_stage2_proposal 'esp-sha1-des'
    option name 'ike_stage2_0th'
    option compression 'disable'
    option mode 'transport'
    option ref '1'
    option lifetime '36225'

config ike_stage2_proposal
    option hash 'sha1'
    option name 'esp-sha1-3des'
    option encapsulation_mode 'esp'
    option ref '1'
    option encrypt '3des'

config ike_stage2_proposal
    option hash 'md5'
    option name 'esp-md5-3des'
    option encapsulation_mode 'esp'
    option ref '1'
    option encrypt '3des'

config ike_stage2_proposal
    option hash 'md5'
    option name 'esp-md5-des'
    option encapsulation_mode 'esp'
    option ref '1'
    option encrypt 'des'

config ike_stage2_proposal
    option hash 'sha1'
    option name 'esp-sha1-des'
    option encapsulation_mode 'esp'
    option ref '1'
    option encrypt 'des'

B.3 Tplink ipsec dns file


config domain
    option domain_name 'WAN1'
    #1: DOMAIN_NORMAL,2: DOMAIN_SPECIAL
    option domain_type '2'
    option binding_file 'ipsec'
    option binding_section_type 'connection'
    option binding_item  'X_l2tp_client1'
    option binding_field  'local_binding'
    option tunnel_local_binding  'WAN1'
    option old_ipaddr    '192.168.3.2'

config domain
    option domain_name 'macau.dyndns.tv'
    #1: DOMAIN_NORMAL,2: DOMAIN_SPECIAL
    option domain_type '1'
    option binding_file 'ipsec'
    option binding_section_type 'connection'
    option binding_item  'X_l2tp_client1'
    option binding_field  'remote_peer'
    option tunnel_local_binding  'WAN1'
    option old_ipaddr    'xx.xx.xx.xx'

B.4 Tplink ipsec secrets file

config authentication
    option remote_id_value 'macau.dyndns.tv'
    option name 'X_l2tp_client1'
    option local_id_type 'IP_ADDRESS_FROM_IFNAME'
    option local_id_value 'WAN1'
    option remote_id_type 'IP_ADDRESS_FROM_DNSNAME'
    option auth_mode 'pre_share_key'
    option psk 'pskkey'

B.5 Tplink ipsec l2tp-client file

config global 'global'
    option l2tphellointerval '60'
    option lcpechointerval '30'

config lac 'vpn_l2tp1'
    option id 'client1'
    option uplink '1000000'
    option username 'xxxxxxx'
    option olmode 'always_on'
    option remotesubnet '0.0.0.0/0'
    option presharekey 'pskkey'
    option tunnelname 'vpn_l2tp1'
    option downlink '1000000'
    option balance '1'
    option lns 'macau.dyndns.tv'
    option t_reference '0'
    option ipsecenc 'yes'
    option password 'xxxxx'
    option outif 'WAN1'
    option workmode 'nat'
    option enable 'no'

C.Openwrt Config File
C.1 ipsec.conf

# basic configuration

config setup
        strictcrlpolicy=yes
        uniqueids = no
        charondebug=all

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        ike=3des-sha1-modp1024!
        esp=3des-sha1-modp1024!

# Sample VPN connections

conn L2TP-PSK
        authby=secret
        leftauth=psk
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=macau.dyndns.tv
        rightauth=psk
        rightid=macau.dyndns.tv
        rightprotoport=17/1701
        auto=start
        dpddelay=30
        dpdtimeout=130
        dpdaction=restart

C.2 /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
 : PSK "pskkey" 

C.3 /etc/xl2tpd/xl2tpd.conf

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no

[lac strong-vpn]
lns = macau.dyndns.tv
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
bps = 1000000

C.4 /etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
noccp
noauth
idle 1800
mtu 1400
mru 1400
defaultroute
replacedefaultroute
usepeerdns
debug
connect-delay 5000
name "xxxxxx" 
password "xxxxxx" 
lcp-echo-interval 20
lcp-echo-failure 5

C.5 ipsec statusall

root@OpenWrt:~# ipsec up L2TP-PSK
initiating Main Mode IKE_SA L2TP-PSK[2] to 122.100.200.154
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.17.17.157[500] to 122.100.200.154[500] (176 bytes)
received packet: from 122.100.200.154[500] to 172.17.17.157[500] (386 bytes)
parsed ID_PROT response 0 [ SA V V V V V V V V V V ]
received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
received draft-ietf-ipsec-nat-t-ike-02 vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:90:d4:3c:21:fd:c5:fd:f6:c1:d4:2f:86:c3:c0:60:ef:e6:a0:6b:94:ac:2c:f3:0a:74:3c:2c:20:db:0b:69:b6:45:a1:0f:88:37:19:4a:94:14:2f:5b:cf:50:61:e9:46:37:fe:06:8d:c8:57:2f:39:b9:71:82:31:57:57:69:80:4c:84:74:aa:84:0b:f9:d8:09:38:1e:bb:33:4e:13:2b:43:cd:ff:95:a9:6a:78:67:a9:2c:17:73:6e:c1:3f:a7:29:87:5d:b1:0c:28:f4:1a:dd:ae:7f:40:4a:2e:7a:9c
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.17.17.157[500] to 122.100.200.154[500] (244 bytes)
received packet: from 122.100.200.154[500] to 172.17.17.157[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 172.17.17.157[4500] to 122.100.200.154[4500] (100 bytes)
received packet: from 122.100.200.154[4500] to 172.17.17.157[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IDir '192.168.1.107' does not match to 'macau.dyndns.tv'
deleting IKE_SA L2TP-PSK[2] between 172.17.17.157[172.17.17.157]...122.100.200.154[%any]
sending DELETE for IKE_SA L2TP-PSK[2]
generating INFORMATIONAL_V1 request 667142032 [ HASH D ]
sending packet: from 172.17.17.157[4500] to 122.100.200.154[4500] (84 bytes)
establishing connection 'L2TP-PSK' failed
root@OpenWrt:~# 

C.6 logread

Thu Mar 26 01:18:49 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:18:49 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:18:51 2020 daemon.info : 11[CFG] received stroke: initiate 'L2TP-PSK'
Thu Mar 26 01:18:51 2020 daemon.info : 05[IKE] initiating Main Mode IKE_SA L2TP-PSK[2] to 122.100.200.154
Thu Mar 26 01:18:51 2020 authpriv.info : 05[IKE] initiating Main Mode IKE_SA L2TP-PSK[2] to 122.100.200.154
Thu Mar 26 01:18:51 2020 daemon.info : 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Thu Mar 26 01:18:51 2020 daemon.info : 05[NET] sending packet: from 172.17.17.157[500] to 122.100.200.154[500] (176 bytes)
Thu Mar 26 01:18:51 2020 daemon.info : 16[NET] received packet: from 122.100.200.154[500] to 172.17.17.157[500] (386 bytes)
Thu Mar 26 01:18:51 2020 daemon.info : 16[ENC] parsed ID_PROT response 0 [ SA V V V V V V V V V V ]
Thu Mar 26 01:18:51 2020 daemon.info : 16[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Thu Mar 26 01:18:51 2020 daemon.info : 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Thu Mar 26 01:18:51 2020 daemon.info : 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Thu Mar 26 01:18:51 2020 daemon.info : 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Thu Mar 26 01:18:51 2020 daemon.info : 16[IKE] received NAT-T (RFC 3947) vendor ID
Thu Mar 26 01:18:51 2020 daemon.info : 16[IKE] received XAuth vendor ID
Thu Mar 26 01:18:51 2020 daemon.info : 16[IKE] received DPD vendor ID
Thu Mar 26 01:18:51 2020 daemon.info : 16[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
Thu Mar 26 01:18:51 2020 daemon.info : 16[ENC] received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
Thu Mar 26 01:18:51 2020 daemon.info : 16[ENC] received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:90:d4:3c:21:fd:c5:fd:f6:c1:d4:2f:86:c3:c0:60:ef:e6:a0:6b:94:ac:2c:f3:0a:74:3c:2c:20:db:0b:69:b6:45:a1:0f:88:37:19:4a:94:14:2f:5b:cf:50:61:e9:46:37:fe:06:8d:c8:57:2f:39:b9:71:82:31:57:57:69:80:4c:84:74:aa:84:0b:f9:d8:09:38:1e:bb:33:4e:13:2b:43:cd:ff:95:a9:6a:78:67:a9:2c:17:73:6e:c1:3f:a7:29:87:5d:b1:0c:28:f4:1a:dd:ae:7f:40:4a:2e:7a:9c
Thu Mar 26 01:18:51 2020 daemon.info : 16[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Thu Mar 26 01:18:51 2020 daemon.info : 16[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Thu Mar 26 01:18:51 2020 daemon.info : 16[NET] sending packet: from 172.17.17.157[500] to 122.100.200.154[500] (244 bytes)
Thu Mar 26 01:18:52 2020 daemon.info : 04[NET] received packet: from 122.100.200.154[500] to 172.17.17.157[500] (228 bytes)
Thu Mar 26 01:18:52 2020 daemon.info : 04[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Thu Mar 26 01:18:52 2020 daemon.info : 04[IKE] local host is behind NAT, sending keep alives
Thu Mar 26 01:18:52 2020 daemon.info : 04[IKE] remote host is behind NAT
Thu Mar 26 01:18:52 2020 daemon.info : 04[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Thu Mar 26 01:18:52 2020 daemon.info : 04[NET] sending packet: from 172.17.17.157[4500] to 122.100.200.154[4500] (100 bytes)
Thu Mar 26 01:18:52 2020 daemon.info : 03[NET] received packet: from 122.100.200.154[4500] to 172.17.17.157[4500] (68 bytes)
Thu Mar 26 01:18:52 2020 daemon.info : 03[ENC] parsed ID_PROT response 0 [ ID HASH ]
Thu Mar 26 01:18:52 2020 daemon.info : 03[IKE] IDir '192.168.1.107' does not match to 'macau.dyndns.tv'
Thu Mar 26 01:18:52 2020 daemon.info : 03[IKE] deleting IKE_SA L2TP-PSK[2] between 172.17.17.157[172.17.17.157]...122.100.200.154[%any]
Thu Mar 26 01:18:52 2020 authpriv.info : 03[IKE] deleting IKE_SA L2TP-PSK[2] between 172.17.17.157[172.17.17.157]...122.100.200.154[%any]
Thu Mar 26 01:18:52 2020 daemon.info : 03[IKE] sending DELETE for IKE_SA L2TP-PSK[2]
Thu Mar 26 01:18:52 2020 daemon.info : 03[ENC] generating INFORMATIONAL_V1 request 667142032 [ HASH D ]
Thu Mar 26 01:18:52 2020 daemon.info : 03[NET] sending packet: from 172.17.17.157[4500] to 122.100.200.154[4500] (84 bytes)
Thu Mar 26 01:18:55 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 6273, Remote: 0
Thu Mar 26 01:18:55 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:18:55 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:18:55 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:18:55 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:01 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 23040, Remote: 0
Thu Mar 26 01:19:01 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:01 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:01 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:01 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:07 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 20173, Remote: 0
Thu Mar 26 01:19:07 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:07 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:07 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:07 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:13 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 40354, Remote: 0
Thu Mar 26 01:19:13 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:13 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:13 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:13 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:19 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 41828, Remote: 0
Thu Mar 26 01:19:19 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:19 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:19 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:19 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:20 2020 daemon.debug xl2tpd[4343]: Unable to deliver closing message for tunnel 12982. Destroying anyway.
Thu Mar 26 01:19:25 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 20587, Remote: 0
Thu Mar 26 01:19:25 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:25 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:25 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:25 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:26 2020 daemon.debug xl2tpd[4343]: Unable to deliver closing message for tunnel 6273. Destroying anyway.
Thu Mar 26 01:19:31 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 51927, Remote: 0
Thu Mar 26 01:19:31 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:31 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:31 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:32 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:32 2020 daemon.debug xl2tpd[4343]: Unable to deliver closing message for tunnel 23040. Destroying anyway.
Thu Mar 26 01:19:38 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 69, Remote: 0
Thu Mar 26 01:19:38 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:38 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:38 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:38 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:38 2020 daemon.debug xl2tpd[4343]: Unable to deliver closing message for tunnel 20173. Destroying anyway.
Thu Mar 26 01:19:40 2020 daemon.info dnsmasq-dhcp[3360]: DHCPINFORM(br-lan) 192.168.1.198 d8:9d:67:d0:eb:0b
Thu Mar 26 01:19:40 2020 daemon.info dnsmasq-dhcp[3360]: DHCPACK(br-lan) 192.168.1.198 d8:9d:67:d0:eb:0b ICNNBKLEOZHU
Thu Mar 26 01:19:44 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 35789, Remote: 0
Thu Mar 26 01:19:44 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:44 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:44 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:44 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:44 2020 daemon.debug xl2tpd[4343]: Unable to deliver closing message for tunnel 40354. Destroying anyway.
Thu Mar 26 01:19:50 2020 daemon.info xl2tpd[4343]: Disconnecting from 122.100.200.154, Local: 24917, Remote: 0
Thu Mar 26 01:19:50 2020 daemon.info xl2tpd[4343]: Connection 0 closed to 122.100.200.154, port 1701 (Goodbye!)
Thu Mar 26 01:19:50 2020 daemon.notice netifd: Interface 'client' is now down
Thu Mar 26 01:19:50 2020 daemon.notice netifd: Interface 'client' is setting up now
Thu Mar 26 01:19:50 2020 daemon.notice xl2tpd[4343]: Connecting to host macau.dyndns.tv, port 1701
Thu Mar 26 01:19:50 2020 daemon.debug xl2tpd[4343]: Unable to deliver closing message for tunnel 41828. Destroying anyway.
root@OpenWrt:~# 

History

#1 Updated by Tobias Brunner 5 months ago

  • Category set to configuration
  • Status changed from New to Feedback

Why didn't you read the log first?

IDir '192.168.1.107' does not match to 'macau.dyndns.tv'

#2 Updated by Leo Zhu 5 months ago

Tobias Brunner wrote:

Why didn't you read the log first?

[...]

From openwrt, but this ip is nonexistent!
I don't know why openwrt get it!
It makes me misunderstand!!!

#3 Updated by Leo Zhu 5 months ago

Tobias Brunner wrote:

Why didn't you read the log first?

[...]

I checked the TPLink log: this IP is obtained when I connect the VPN from the TPLink router, but why does OpenWrt get this???

#4 Updated by Tobias Brunner 5 months ago

I don't know why openwrt get it!

It receives it from the responder, which apparently uses its physical IP address as its own identity. But that doesn't match the identity you configured via rightid. So either change the latter to that IP address or configure the responder so it doesn't use it as identity.

#5 Updated by Leo Zhu 5 months ago

Thanks, Tobias! You saved my life.
I understand your meaning, but I don't know how to do it. What config do I need to change?
Left subnet, right subnet, or rightid?
Can you show me how to do it?
Please give me an example!
Sorry to disturb you so many times, I'm a new guy at this.
Thank you very much!

#6 Updated by Leo Zhu 5 months ago

Tobias Brunner wrote:

I don't know why openwrt get it!

It receives it from the responder, which apparently uses its physical IP address as its own identity. But that doesn't match the identity you configured via rightid. So either change the latter to that IP address or configure the responder so it doesn't use it as identity.

Hi, Tobias
Sorry, I'm so stupid. You told me how to do it already, but I still asked you how to do it......
Whatever, I changed rightid to the IP, but I get another error, as you can see below!
Please help me! I think I almost have the key, just one more step is needed!!!
Thanks again!

Thu Mar 26 18:21:59 2020 authpriv.info ipsec_starter[3866]: Starting strongSwan 5.8.2 IPsec [starter]...
Thu Mar 26 18:21:59 2020 daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.167, x86_64)
Thu Mar 26 18:21:59 2020 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Thu Mar 26 18:21:59 2020 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Thu Mar 26 18:21:59 2020 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Thu Mar 26 18:21:59 2020 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Thu Mar 26 18:21:59 2020 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Thu Mar 26 18:21:59 2020 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Thu Mar 26 18:21:59 2020 daemon.info : 00[CFG]   loaded IKE secret for %any
Thu Mar 26 18:21:59 2020 daemon.info : 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Thu Mar 26 18:21:59 2020 daemon.info : 00[JOB] spawning 16 worker threads
Thu Mar 26 18:21:59 2020 authpriv.info ipsec_starter[3877]: charon (3878) started after 20 ms
Thu Mar 26 18:21:59 2020 daemon.info : 16[CFG] received stroke: add connection 'L2TP-PSK'
Thu Mar 26 18:21:59 2020 daemon.info : 16[CFG] added configuration 'L2TP-PSK'
Thu Mar 26 18:21:59 2020 daemon.info : 03[CFG] received stroke: initiate 'L2TP-PSK'
Thu Mar 26 18:21:59 2020 daemon.info : 03[IKE] initiating Main Mode IKE_SA L2TP-PSK[1] to 122.100.137.249
Thu Mar 26 18:21:59 2020 authpriv.info : 03[IKE] initiating Main Mode IKE_SA L2TP-PSK[1] to 122.100.137.249
Thu Mar 26 18:21:59 2020 daemon.info : 03[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Thu Mar 26 18:21:59 2020 daemon.info : 03[NET] sending packet: from 172.17.17.157[500] to 122.100.137.249[500] (176 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 07[NET] received packet: from 122.100.137.249[500] to 172.17.17.157[500] (386 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 07[ENC] parsed ID_PROT response 0 [ SA V V V V V V V V V V ]
Thu Mar 26 18:21:59 2020 daemon.info : 07[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Thu Mar 26 18:21:59 2020 daemon.info : 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Thu Mar 26 18:21:59 2020 daemon.info : 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Thu Mar 26 18:21:59 2020 daemon.info : 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Thu Mar 26 18:21:59 2020 daemon.info : 07[IKE] received NAT-T (RFC 3947) vendor ID
Thu Mar 26 18:21:59 2020 daemon.info : 07[IKE] received XAuth vendor ID
Thu Mar 26 18:21:59 2020 daemon.info : 07[IKE] received DPD vendor ID
Thu Mar 26 18:21:59 2020 daemon.info : 07[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
Thu Mar 26 18:21:59 2020 daemon.info : 07[ENC] received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
Thu Mar 26 18:21:59 2020 daemon.info : 07[ENC] received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:90:d4:3c:21:fd:c5:fd:f6:c1:d4:2f:86:c3:c0:60:ef:e6:a0:6b:94:ac:2c:f3:0a:b9:db:18:67:48:19:91:6b:4d:d4:71:4f:fe:51:c1:5d:24:fe:a7:6e:7f:56:f3:c1:37:26:48:6a:89:c3:6f:98:31:60:a0:02:3f:18:48:e2:a3:52:5c:4d:b3:74:ca:ee:13:fb:d2:c2:ea:7b:73:e0:5d:86:ac:f7:59:6c:e2:ab:1f:95:1e:a9:38:e0:f2:4c:ea:a7:f1:82:9a:ab:3d:ea:23:39:c1:37:c1:e1:59:71
Thu Mar 26 18:21:59 2020 daemon.info : 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Thu Mar 26 18:21:59 2020 daemon.info : 07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Thu Mar 26 18:21:59 2020 daemon.info : 07[NET] sending packet: from 172.17.17.157[500] to 122.100.137.249[500] (244 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 06[NET] received packet: from 122.100.137.249[500] to 172.17.17.157[500] (228 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 06[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Thu Mar 26 18:21:59 2020 daemon.info : 06[IKE] local host is behind NAT, sending keep alives
Thu Mar 26 18:21:59 2020 daemon.info : 06[IKE] remote host is behind NAT
Thu Mar 26 18:21:59 2020 daemon.info : 06[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Thu Mar 26 18:21:59 2020 daemon.info : 06[NET] sending packet: from 172.17.17.157[4500] to 122.100.137.249[4500] (100 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 10[NET] received packet: from 122.100.137.249[4500] to 172.17.17.157[4500] (68 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Thu Mar 26 18:21:59 2020 daemon.info : 10[IKE] IKE_SA L2TP-PSK[1] established between 172.17.17.157[172.17.17.157]...122.100.137.249[192.168.1.107]
Thu Mar 26 18:21:59 2020 authpriv.info : 10[IKE] IKE_SA L2TP-PSK[1] established between 172.17.17.157[172.17.17.157]...122.100.137.249[192.168.1.107]
Thu Mar 26 18:21:59 2020 daemon.info : 10[IKE] scheduling reauthentication in 28474s
Thu Mar 26 18:21:59 2020 daemon.info : 10[IKE] maximum IKE_SA lifetime 28654s
Thu Mar 26 18:21:59 2020 daemon.info : 10[ENC] generating QUICK_MODE request 4275983281 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Thu Mar 26 18:21:59 2020 daemon.info : 10[NET] sending packet: from 172.17.17.157[4500] to 122.100.137.249[4500] (324 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 13[NET] received packet: from 122.100.137.249[4500] to 172.17.17.157[4500] (84 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 13[ENC] parsed INFORMATIONAL_V1 request 365621840 [ HASH N(NO_PROP) ]
Thu Mar 26 18:21:59 2020 daemon.info : 13[IKE] received NO_PROPOSAL_CHOSEN error notify
Thu Mar 26 18:22:00 2020 authpriv.info ipsec_starter[3896]: Starting strongSwan 5.8.2 IPsec [starter]...
Thu Mar 26 18:22:00 2020 authpriv.info ipsec_starter[3896]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Thu Mar 26 18:22:00 2020 authpriv.info ipsec_starter[3896]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Thu Mar 26 18:22:01 2020 daemon.info : 09[CFG] received stroke: initiate 'L2TP-PSK'
Thu Mar 26 18:22:01 2020 daemon.info : 12[ENC] generating QUICK_MODE request 80784077 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Thu Mar 26 18:22:01 2020 daemon.info : 12[NET] sending packet: from 172.17.17.157[4500] to 122.100.137.249[4500] (324 bytes)
Thu Mar 26 18:22:01 2020 daemon.info : 11[NET] received packet: from 122.100.137.249[4500] to 172.17.17.157[4500] (84 bytes)
Thu Mar 26 18:22:01 2020 daemon.info : 11[ENC] parsed INFORMATIONAL_V1 request 1490701314 [ HASH N(NO_PROP) ]
Thu Mar 26 18:22:01 2020 daemon.info : 11[IKE] received NO_PROPOSAL_CHOSEN error notify
Thu Mar 26 18:22:05 2020 daemon.info dnsmasq-dhcp[3369]: DHCPINFORM(br-lan) 192.168.1.198 d8:9d:67:d0:eb:0b
Thu Mar 26 18:22:05 2020 daemon.info dnsmasq-dhcp[3369]: DHCPACK(br-lan) 192.168.1.198 d8:9d:67:d0:eb:0b ICNNBKLEOZHU
Thu Mar 26 18:22:05 2020 authpriv.info ipsec_starter[3902]: Starting strongSwan 5.8.2 IPsec [starter]...
Thu Mar 26 18:22:05 2020 authpriv.info ipsec_starter[3902]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Thu Mar 26 18:22:05 2020 authpriv.info ipsec_starter[3902]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
root@OpenWrt:~# 

#7 Updated by Tobias Brunner 5 months ago

Thu Mar 26 18:21:59 2020 daemon.info : 10[ENC] generating QUICK_MODE request 4275983281 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Thu Mar 26 18:21:59 2020 daemon.info : 10[NET] sending packet: from 172.17.17.157[4500] to 122.100.137.249[4500] (324 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 13[NET] received packet: from 122.100.137.249[4500] to 172.17.17.157[4500] (84 bytes)
Thu Mar 26 18:21:59 2020 daemon.info : 13[ENC] parsed INFORMATIONAL_V1 request 365621840 [ HASH N(NO_PROP) ]
Thu Mar 26 18:21:59 2020 daemon.info : 13[IKE] received NO_PROPOSAL_CHOSEN error notify

As you can see, the ESP proposal doesn't match. It's probably the DH group you added to the proposal. So try setting esp=3des-sha1!.
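The diagnosis above can be automated. This is an added example, not part of the original thread or of strongSwan: a Python triage script that pairs each IKEv1 QUICK_MODE request in charon's log with the peer's answer and flags requests that carried a KE payload (a DH group in the ESP proposal) and were answered with NO_PROPOSAL_CHOSEN. The sample lines are copied from the logs in this thread; the function and field names are hypothetical.

```python
import re

# Log lines copied from this thread: the failing attempt (with KE) and the
# successful one after setting esp=3des-sha1! (no KE payload).
SAMPLE_LOG = """\
Thu Mar 26 18:21:59 2020 daemon.info : 10[ENC] generating QUICK_MODE request 4275983281 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Thu Mar 26 18:21:59 2020 daemon.info : 13[ENC] parsed INFORMATIONAL_V1 request 365621840 [ HASH N(NO_PROP) ]
Thu Mar 26 18:21:59 2020 daemon.info : 13[IKE] received NO_PROPOSAL_CHOSEN error notify
generating QUICK_MODE request 506475714 [ HASH SA No ID ID NAT-OA NAT-OA ]
parsed QUICK_MODE response 506475714 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
"""

REQ = re.compile(r"generating QUICK_MODE request (\d+) \[ ([^\]]*)\]")
RESP = re.compile(r"parsed QUICK_MODE response (\d+) \[")
NO_PROP = re.compile(r"received NO_PROPOSAL_CHOSEN error notify")
SELECTED = re.compile(r"selected proposal: (ESP:\S+)")


def triage_quick_mode(log_text):
    """Return one dict per QUICK_MODE request: id, pfs flag, outcome, hint."""
    results, current = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            payloads = m.group(2).split()  # "No" is the nonce, "KE" the DH exchange
            current = {"msg_id": m.group(1), "pfs": "KE" in payloads,
                       "outcome": "pending", "proposal": None, "hint": None}
            results.append(current)
            continue
        if current is None:
            continue
        if NO_PROP.search(line) and current["outcome"] == "pending":
            current["outcome"] = "rejected"
            current["hint"] = ("request carried KE: peer may not accept the DH group "
                               "in esp=; try an esp proposal without one"
                               if current["pfs"] else
                               "no KE sent: compare algorithms, or peer may require PFS")
        elif (m := RESP.search(line)) and m.group(1) == current["msg_id"]:
            current["outcome"] = "answered"
        elif (m := SELECTED.search(line)) and current["outcome"] == "answered":
            current["outcome"], current["proposal"] = "established", m.group(1)
    return results


if __name__ == "__main__":
    for r in triage_quick_mode(SAMPLE_LOG):
        print(r)
```

The NO_PROPOSAL_CHOSEN notify arrives in a separate INFORMATIONAL_V1 exchange with its own message ID, so the script attributes it to the most recent pending Quick Mode request rather than matching on ID.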

#8 Updated by Leo Zhu 5 months ago

Tobias Brunner wrote:

[...]

As you can see, the ESP proposal doesn't match. It's probably the DH group you added to the proposal. So try setting esp=3des-sha1!.

Thanks, Tobias! You are awesome!!!

The connection established successfully!

root@OpenWrt:~# ipsec up L2TP-PSK
sending retransmit 2 of request message ID 0, seq 3
sending packet: from 172.17.17.157[4500] to 122.100.137.249[4500] (100 bytes)
received packet: from 122.100.137.249[4500] to 172.17.17.157[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA L2TP-PSK[1] established between 172.17.17.157[172.17.17.157]...122.100.137.249[192.168.1.107]
scheduling reauthentication in 28538s
maximum IKE_SA lifetime 28718s
generating QUICK_MODE request 506475714 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 172.17.17.157[4500] to 122.100.137.249[4500] (188 bytes)
received packet: from 122.100.137.249[4500] to 172.17.17.157[4500] (172 bytes)
parsed QUICK_MODE response 506475714 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA L2TP-PSK{1} established with SPIs cae1f9e8_i 33dc7496_o and TS 172.17.17.157/32[udp/l2f] === 122.100.137.249/32[udp/l2f]
connection 'L2TP-PSK' established successfully

But why is the ipsec status still down?

root@OpenWrt:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.167, x86_64):
  uptime: 2 minutes, since Mar 27 00:36:16 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  192.168.3.1
  172.17.17.157
  192.168.1.1
  fdb4:2533:309c::1
Connections:
    L2TP-PSK:  %any...macau.dyndns.tv  IKEv1, dpddelay=30s
    L2TP-PSK:   local:  [172.17.17.157] uses pre-shared key authentication
    L2TP-PSK:   remote: [192.168.1.107] uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp/l2f] === dynamic[udp/l2f] TRANSPORT, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none

I checked the log, and it says that it couldn't find any suitable secret (password):

Fri Mar 27 00:36:30 2020 daemon.notice netifd: Interface 'client' is setting up now
Fri Mar 27 00:36:30 2020 daemon.notice xl2tpd[13025]: Connecting to host macau.dyndns.tv, port 1701
Fri Mar 27 00:36:31 2020 daemon.notice xl2tpd[13025]: Connection established to 122.100.137.249, 1701.  Local: 36290, Remote: 29254 (ref=0/0).
Fri Mar 27 00:36:31 2020 daemon.notice xl2tpd[13025]: Calling on tunnel 36290
Fri Mar 27 00:36:31 2020 daemon.notice xl2tpd[13025]: Call established with 122.100.137.249, Local: 42420, Remote: 60881, Serial: 1 (ref=0/0)
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: start_pppd: I'm running:
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "/usr/sbin/pppd" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "plugin" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "pppol2tp.so" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "pppol2tp" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "8" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "passive" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "nodetach" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: ":" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "file" 
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: "/tmp/l2tp/options.client" 
Fri Mar 27 00:36:31 2020 daemon.info pppd[13278]: Plugin pppol2tp.so loaded.
Fri Mar 27 00:36:31 2020 daemon.err pppd[13278]: The remote system is required to authenticate itself
Fri Mar 27 00:36:31 2020 daemon.err pppd[13278]: but I couldn't find any suitable secret (password) for it to use to do so.
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: child_handler : pppd exited for call 60881 with code 1
Fri Mar 27 00:36:31 2020 daemon.info xl2tpd[13025]: call_close: Call 42420 to 122.100.137.249 disconnected
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: write_packet: tty is not open yet.
Fri Mar 27 00:36:31 2020 daemon.info xl2tpd[13025]: control_finish: Connection closed to 122.100.137.249, port 1701 (), Local: 36290, Remote: 29254
Fri Mar 27 00:36:31 2020 daemon.debug xl2tpd[13025]: Terminating pppd: sending TERM signal to pid 13278
Fri Mar 27 00:36:33 2020 daemon.info : 09[NET] received packet: from 122.100.137.249[4500] to 172.17.17.157[4500] (84 bytes)
Fri Mar 27 00:36:33 2020 daemon.info : 09[ENC] parsed INFORMATIONAL_V1 request 3653063745 [ HASH D ]
Fri Mar 27 00:36:33 2020 daemon.info : 09[IKE] received DELETE for IKE_SA L2TP-PSK[1]
Fri Mar 27 00:36:33 2020 daemon.info : 09[IKE] deleting IKE_SA L2TP-PSK[1] between 172.17.17.157[172.17.17.157]...122.100.137.249[192.168.1.107]
Fri Mar 27 00:36:33 2020 authpriv.info : 09[IKE] deleting IKE_SA L2TP-PSK[1] between 172.17.17.157[172.17.17.157]...122.100.137.249[192.168.1.107]
Fri Mar 27 00:36:36 2020 daemon.notice netifd: Interface 'client' is now down
Fri Mar 27 00:36:36 2020 daemon.notice netifd: Interface 'client' is setting up now
Fri Mar 27 00:36:36 2020 daemon.notice xl2tpd[13025]: Connecting to host macau.dyndns.tv, port 1701
Fri Mar 27 00:36:42 2020 daemon.info xl2tpd[13025]: Disconnecting from 122.100.137.249, Local: 37865, Remote: 0
Fri Mar 27 00:36:42 2020 daemon.info xl2tpd[13025]: Connection 0 closed to 122.100.137.249, port 1701 (Goodbye!)
Fri Mar 27 00:36:42 2020 daemon.notice netifd: Interface 'client' is now down

But the user name and password are correct in both /tmp/l2tp/options.client and /etc/ppp/options.l2tpd.client.
Would you teach me how to do it once more?

/tmp/l2tp/options.client

usepeerdns
nodefaultroute
ipparam "client" 
ifname "l2tp-client" 
ip-up-script /lib/netifd/ppp-up
ipv6-up-script /lib/netifd/ppp-up
ip-down-script /lib/netifd/ppp-down
ipv6-down-script /lib/netifd/ppp-down
# Don't wait for LCP term responses; exit immediately when killed.
lcp-max-terminate 0

user "xxxxxx" password "xxxxxx" 

mtu 1400 mru 1400
noccp refuse-eap require-chap debug

/etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
noccp
noauth
idle 1800
mtu 1400
mru 1400
defaultroute
replacedefaultroute
usepeerdns
debug
connect-delay 5000
name "xxxxxx" 
password "xxxxxx" 
lcp-echo-interval 20
lcp-echo-failure 5

#9 Updated by Tobias Brunner 5 months ago

I checked the log, and it says that it couldn't find any suitable secret (password):
[...]

Yes, looks like the L2TP/PPP client has no suitable password.

But the user name and password are correct in both /tmp/l2tp/options.client and /etc/ppp/options.l2tpd.client.
Would you teach me how to do it once more?

Sorry, I can't help you with that. Never used L2TP or any of these tools. Check the man pages or ask their support for help.

#10 Updated by Leo Zhu 5 months ago

Tobias Brunner wrote:

I checked the log, and it says that it couldn't find any suitable secret (password):
[...]

Yes, looks like the L2TP/PPP client has no suitable password.

But the user name and password are correct in both /tmp/l2tp/options.client and /etc/ppp/options.l2tpd.client.
Would you teach me how to do it once more?

Sorry, I can't help you with that. Never used L2TP or any of these tools. Check the man pages or ask their support for help.

OK, I understand! Thanks for your help!!!
Thanks again!!!
