9/23/2011

IPSEC/L2TP VPN with OSX client: xl2tpd reports “maximum retries exceeded”

I set up a VPN server for my own use, and everything went just fine at the beginning,
but these days VPN dial-in doesn't work on my Mac OS X client. Every
time I try to connect to my VPN, the OS X client keeps saying "can not
make connection to the server blah blah.."
Here is my server side info:
Ubuntu 10.04 server
IPsec supported by Openswan: Linux Openswan U2.6.23/K2.6.32-317-ec2 (netkey)
L2TP supported by xl2tpd v1.3.0
After the connection fails, I found something like this
in my auth.log:
......

Sep 22 16:07:36 ip-xx pluto[14024]: "L2TP-PSK-NAT"[16] 114.xx.193.xx #57: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 22 16:07:36 ip-xx pluto[14024]: "L2TP-PSK-NAT"[16] 114.xx.193.xx #57: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 22 16:07:36 ip-xx pluto[14024]: "L2TP-PSK-NAT"[16] 114.xx.193.xx #57: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 22 16:07:36 ip-xx pluto[14024]: "L2TP-PSK-NAT"[16] 114.xx.193.xx #57: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0687f589 <0x85b637f3 ...... xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=114.xx.193.xx:4500 DPD=none}
It seems like the client made the IPsec connection successfully, so I
tried restarting the xl2tpd server with the "-D" parameter, and then I got
errors like this:
.....
xl2tpd[17006]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[17006]: control_finish: Peer requested tunnel 16 twice, ignoring second one.
xl2tpd[17006]: control_finish: Peer requested tunnel 16 twice, ignoring second one.
xl2tpd[17006]: Maximum retries exceeded for tunnel 28197. Closing.
xl2tpd[17006]: Connection 16 closed to 114.xx.193.xx, port 53911 (Timeout)
xl2tpd[17006]: control_finish: Peer requested tunnel 16 twice, ignoring second one.
xl2tpd[17006]: Unable to deliver closing message for tunnel 28197. Destroying anyway.
xl2tpd[17006]: control_finish: Peer requested tunnel 16 twice, ignoring second one.
xl2tpd[17006]: Maximum retries exceeded for tunnel 4768. Closing.
xl2tpd[17006]: Connection 16 closed to 114.xx.193.xx, port 53911 (Timeout)
xl2tpd[17006]: Unable to deliver closing message for tunnel 4768. Destroying anyway.
.....
I tried googling the error message and found this article: http://serverfault.com/questions/178309/ipsec-l2tp-vpn-with-osx-client-xl2tpd-reports-maximum-retries-exceeded , which says you just need to add the following lines to the conn L2TP-PSK-noNAT section of ipsec.conf:
leftnexthop=%defaultroute
rightnexthop=%defaultroute
Now my VPN works great!
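For reference, this is what the relevant part of /etc/ipsec.conf looks like with those two lines in place. It is an added example, not the configuration from the original post or from the Serverfault answer: the server address 10.0.0.5 is a placeholder for the instance's private address, and the layout where an L2TP-PSK-NAT conn pulls in L2TP-PSK-noNAT through also= is the common arrangement for this setup and is assumed here. That also= reference is what matters for the pluto log above, which shows the connection matching "L2TP-PSK-NAT": lines added to the noNAT conn are inherited by the NAT conn, so the fix reaches the conn actually in use.

```ini
; /etc/ipsec.conf (Openswan, netkey stack) - added example, not the post's own file
config setup
    nat_traversal=yes
    ; private ranges the OS X client may sit behind when NATed
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey

; NATed clients: the peer's real address is a private one behind its NAT
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT        ; inherits everything below, including the nexthop lines

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport             ; L2TP over IPsec uses transport mode
    left=10.0.0.5              ; ASSUMED placeholder: the server's own (EC2 private) address
    leftnexthop=%defaultroute  ; the fix: gateway for the server's side of the path
    leftprotoport=17/1701      ; UDP 1701 = L2TP
    right=%any
    rightnexthop=%defaultroute ; the fix: gateway towards the peer
    rightprotoport=17/%any
```

Why the two lines help: nexthop is, per ipsec.conf(5), the gateway address used for a participant's connection to the public network, and it is what Openswan hands to its _updown script when it installs the route for the peer. The xl2tpd output above is the textbook symptom of that route being wrong on the server side: the client's tunnel request arrives (hence "Peer requested tunnel 16 twice", the client retransmitting because it never saw a reply), while xl2tpd's own replies go unacknowledged until "Maximum retries exceeded". After changing the file, restart with `ipsec restart` and run `xl2tpd -D` again; a healthy connection shows the tunnel being established instead of the repeated tunnel requests.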