Why does error 789 occur?
Good day.
I can't understand why xl2tpd + openswan doesn't work...
There are 2 systems (both servers on Debian 9.5). I set one up a long time ago and it works, and now I bought a VPS outside of Russia; I do everything according to the same instructions, but nothing works.
It doesn't even get as far as checking the login/password, and error 789 pops up. Help me figure it out.
my_ext_ip is my server's external IP
config files:
config setup
    nat_traversal = yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
    nhelpers=0

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=my_ext_ip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes

my_ext_ip %any: PSK "my_pass"
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.ens3.send_redirects = 0
net.ipv4.conf.ens3.accept_redirects = 0
[global]
listen-addr = my_ext_ip
port = 1701
ipsec saref = no
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes
auth file = /etc/ppp/chap-secrets
;
[lns default]
ip range = 172.16.254.1-172.16.254.253 ; Range of IP addresses handed out to connecting clients
local ip = 172.16.254.254 ; Local IP address of the server for VPN clients
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = VPN
assign ip = yes
webporoh VPN my_pass *
test VPN testtest *
require-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
debug
name VPN
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
[email protected]:~# grep pluto /var/log/auth.log
Sep 26 08:53:42 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 08:53:42 he3apa3a pluto[20631]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:20631
Sep 26 08:53:42 he3apa3a pluto[20631]: LEAK_DETECTIVE support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: OCF support for IKE [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: SAref support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: SAbind support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: NSS support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: HAVE_STATSD notification support not compiled in
Sep 26 08:53:42 he3apa3a pluto[20631]: Setting NAT-Traversal port-4500 floating to on
Sep 26 08:53:42 he3apa3a pluto[20631]: port floating activation criteria nat_t=1/port_float=1
Sep 26 08:53:42 he3apa3a pluto[20631]: NAT-Traversal support [enabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: using /dev/urandom as source of random entropy
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 08:53:42 he3apa3a pluto[20631]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-6-amd64
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-NAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-noNAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: listening for IKE messages
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 08:53:42 he3apa3a pluto[20631]: loading secrets from "/etc/ipsec.secrets"
Sep 26 09:52:47 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 09:52:47 he3apa3a pluto[3983]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:3983
Sep 26 09:52:47 he3apa3a pluto[3983]: LEAK_DETECTIVE support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: OCF support for IKE [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: SAref support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: SAbind support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: NSS support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: HAVE_STATSD notification support not compiled in
Sep 26 09:52:47 he3apa3a pluto[3983]: Setting NAT-Traversal port-4500 floating to on
Sep 26 09:52:47 he3apa3a pluto[3983]: port floating activation criteria nat_t=1/port_float=1
Sep 26 09:52:47 he3apa3a pluto[3983]: NAT-Traversal support [enabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: using /dev/urandom as source of random entropy
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 09:52:47 he3apa3a pluto[3983]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-8-amd64
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-NAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-noNAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: listening for IKE messages
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 09:52:47 he3apa3a pluto[3983]: loading secrets from "/etc/ipsec.secrets"
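
Added example, not part of the original post: every pluto line in the excerpt above is daemon start-up output, so this small triage separates start-up lines from lines that show an IKE packet arriving from a peer. The two peer lines and the client address 203.0.113.7 are constructed, and their message format is an assumption about typical pluto output.

```python
import re

# Constructed sample: three start-up lines in the format of the excerpt above,
# then two peer lines for a hypothetical client 203.0.113.7 (assumed format).
STARTUP_ONLY = """\
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-NAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: loading secrets from "/etc/ipsec.secrets"
"""
WITH_PEER = STARTUP_ONLY + """\
Sep 26 09:55:10 he3apa3a pluto[3983]: packet from 203.0.113.7:500: received Vendor ID payload [RFC 3947]
Sep 26 09:55:10 he3apa3a pluto[3983]: "L2TP-PSK-NAT"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
"""

# syslog prefix, then the pluto message itself
LINE = re.compile(r'^\w{3}\s+\d+ [\d:]{8} \S+ pluto\[(\d+)\]: (.*)$')
CONN = re.compile(r'^adding connection: "([^"]+)"')
LISTEN = re.compile(r'^adding interface \S+ (\S+):(\d+)')
# A peer shows up either as 'packet from IP:port:' or as '"conn"[n] IP #state:'
PEER = re.compile(r'^(?:packet from |"[^"]+"(?:\[\d+\])? )(\d+\.\d+\.\d+\.\d+)')


def triage(text):
    """Summarise a `grep pluto` excerpt: what was loaded, and whether any
    peer ever reached the daemon."""
    report = {"pids": set(), "conns": set(), "listen": set(), "peers": set()}
    for raw in text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # not a pluto[pid] line, e.g. ipsec__plutorun
        pid, msg = line.groups()
        report["pids"].add(pid)
        if (conn := CONN.match(msg)):
            report["conns"].add(conn.group(1))
        elif (sock := LISTEN.match(msg)):
            report["listen"].add((sock.group(1), int(sock.group(2))))
        elif (peer := PEER.match(msg)):
            report["peers"].add(peer.group(1))
    # False means the excerpt holds no sign of an IKE exchange at all
    report["ike_seen"] = bool(report["peers"])
    return report


if __name__ == "__main__":
    for name, text in (("startup only", STARTUP_ONLY), ("with peer", WITH_PEER)):
        print(name, triage(text))
```

When `ike_seen` is false, the excerpt carries no evidence that an IKE packet reached pluto, so the PSK and the PPP credentials were never evaluated in that log.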
Fix error 789 in Windows 7:
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters]
"ProhibitIpSec"=dword:00000001
"AllowL2TPWeakCrypto"=dword:00000001
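
Added example, not part of the original answer: a pre-import check for a `.reg` file like the one above that reports what the two RasMan values change on the client. The embedded text is a constructed copy of the answer's file, and the descriptions of the values are the editor's summary, not wording from the page.

```python
import re

# Constructed input: the .reg text from the answer, with key-path separators.
REG_TEXT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters]
"ProhibitIpSec"=dword:00000001
"AllowL2TPWeakCrypto"=dword:00000001
'''

RASMAN = r"hkey_local_machine\system\currentcontrolset\services\rasman\parameters"

# Effect of a non-zero value on the Windows L2TP client (editor's summary).
RISKY = {
    "prohibitipsec": "Windows does not create its automatic IPsec policy "
                     "for L2TP, so the tunnel is not IPsec-protected by default",
    "allowl2tpweakcrypto": "MD5 and DES are accepted for L2TP/IPsec",
}


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def audit(text):
    """List (value_name, effect) for each risky RasMan value set non-zero."""
    values = parse_reg(text).get(RASMAN, {})
    return sorted((name, why) for name, why in RISKY.items()
                  if values.get(name, 0) != 0)


if __name__ == "__main__":
    for name, why in audit(REG_TEXT):
        print(f"{name}: {why}")
```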