64Bit upgrade L2TP/IPsec Issue

Recently switched from latest 32bit kernel to latest 64bit to take advantage of the Linode upgrade. All went well and is working except L2TP/IPSEC vpn.

Error log is show below. Research suggests a possible Openswan kernel issue? Looking for some resolution/troubleshooting advice.

Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: transition from state STATEMAINR2 to state STATEMAINR3
Jun 20 01:25:20 llixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: new NAT mapping for #1, was x.x.x.x:500, now x.x.x.x:4500
Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: STATEMAINR3: sent MR3, ISAKMP SA established {auth=OAKLEYPRESHAREDKEY cipher=aes256 prf=oakleysha group=modp1024}
Jun 20 01:25:20 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: Dead Peer Detection (RFC 3706): enabled
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: the peer proposed: x.x.x.x/32:17/0 -> x.x.x.x/32:17/0
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: netlinkgetspi for esp.0@x.x.x.x failed with errno 22: Invalid argument
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: responding to Quick Mode proposal {msgid:28ac3dab}
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: us: x.x.x.x/32===x.x.x.x:17/%any
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: them: x.x.x.x[x.x.x.x]:17/57006
Jun 20 01:25:21 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: ERROR: netlink response for Add SA esp.eb79261@x.x.x.x included errno 22: Invalid argument
Jun 20 01:25:21 lixxx-xxx pluto[8742]: | setuphalfipsec_sa() hit fail:
Jun 20 01:25:21 lixxx-xxx pluto[8742]: | failed to install outgoing SA: 0
Jun 20 01:25:24 llixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #2: discarding duplicate packet; already STATEQUICKR0
Jun 20 01:25:51 pluto[8742]: last message repeated 8 times
Jun 20 01:25:51 lixxx-xxx pluto[8742]: "L2TP-PSK-NAT"[2] x.x.x.x #1: received Delete SA payload: deleting ISAKMP State #1
Jun 20 01:25:51 lixxx-xxx pluto[8742]: packet from x.x.x.x:4500: received and ignored informational message

Thanks,

bltc

4 Replies

Probably a stupid question, but what does your ipsec verify look like?

I've seen multiple reports of similar issues, and they're all caused by the fact that userspace is 32 bit, and the kernel is 64 bit, resulting in misalignment of data passed between them. This occurs with a lot of userspace applications which directly interface with the kernel, including IPsec (not L2TP specific) and OpenISCSI. The only available solutions are to go back to a 32 bit kernel, or deploy a 64 bit distro. Personally, I'd recommend taking the time to go through the latter process, as it's much more future proof.

I was curious :) I'm working on trying to get IPsec/L2TP setup on Ubuntu 14.04 with the latest kernel (or even any of the old ones). I'm running into

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.7-x86_64-linode38 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

The problem being the "Two or more interfaces found, checking IP forwarding [FAILED]" test. I can't for the life of me figure out what's wrong. And scouring the web isn't producing any answers, only leading to reading the same question over and over from others who ended up stuck.

Ultimately, this is a "you're stuck if you do, stuck if you don't" scenario.
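The two failure modes raised in the replies above (a 64-bit kernel driving 32-bit Openswan userspace, and the `ipsec verify` IP-forwarding check failing) can be screened for with a small script. This is an added example, not part of the thread or of Openswan; it assumes `uname -m` and `getconf LONG_BIT` report the kernel and userspace word sizes, and that the "checking IP forwarding" test reads `/proc/sys/net/ipv4/ip_forward`.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: flags the two failure modes discussed above,
# a 64-bit kernel under 32-bit Openswan userspace, and IP forwarding switched off.

# Returns 0 when the kernel word size and the userspace word size disagree.
# Args: kernel machine name (as printed by `uname -m`), userspace bits (as printed by `getconf LONG_BIT`).
bitness_mismatch() {
    case "$1" in
        x86_64|aarch64) kbits=64 ;;
        i?86|armv*)     kbits=32 ;;
        *)              kbits=unknown ;;
    esac
    [ "$kbits" != "$2" ]
}

# Prints the name of every check that `ipsec verify` (read from stdin) reported as [FAILED].
failed_checks() {
    sed -n 's/^[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\[FAILED\]$/\1/p'
}

# Reads "key = value" lines (sysctl format) from stdin; returns 0 only if net.ipv4.ip_forward is 1.
# Assumption: this is the value the "checking IP forwarding" test in `ipsec verify` looks at.
ip_forward_enabled() {
    awk -F'[[:space:]]*=[[:space:]]*' '$1 == "net.ipv4.ip_forward" { found = 1; v = $2 }
                                       END { exit !(found && v == 1) }'
}

# Constructed sample of `ipsec verify` output, mirroring the 14.04 reply above.
SAMPLE_VERIFY='Checking for IPsec support in kernel                            [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]'

# Run the checks against the live host (Linux only); `ipsec` is consulted only if installed.
diagnose_live() {
    if bitness_mismatch "$(uname -m)" "$(getconf LONG_BIT)"; then
        echo "WARN: kernel is $(uname -m) but userspace is $(getconf LONG_BIT)-bit;" \
             "pluto's netlink/XFRM calls may fail with errno 22 as in the log above"
    fi
    if ! sed 's/^/net.ipv4.ip_forward = /' /proc/sys/net/ipv4/ip_forward 2>/dev/null | ip_forward_enabled; then
        echo "WARN: net.ipv4.ip_forward is not 1; ipsec verify will report the IP forwarding check as FAILED"
    fi
    if command -v ipsec >/dev/null 2>&1; then
        ipsec verify 2>/dev/null | failed_checks | sed 's/^/FAILED: /'
    fi
}

if [ "${1:-}" = "--live" ]; then diagnose_live; fi
```

Run it as `sh check.sh --live` on the VPN host; without `--live` it only defines the functions and the constructed sample.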

Rolled back to 12.04 LTS, which has an older package of OpenSwan… and bam:

Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.15.4-x86_64-linode45 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
