Stuck getting L2TP/IPSec working on Raspberry Pi

Capt.Insano
Posts: 4
Joined: Wed Sep 13, 2017 4:38 pm

Stuck getting L2TP/IPSec working on Raspberry Pi

Post by Capt.Insano » Wed Sep 13, 2017 5:07 pm

I have googled loads and read many articles on this topic but I cannot get my Windows 10 PC or Android phone to connect via L2TP/IPSec to my Raspberry Pi running SoftEther.

I have read through
https://www.softether.org/4-docs/2-howt ... VPN_Server
multiple times but I still cannot get a connection.

System:
Raspberry Pi 3 running Hassbian (Raspbian distro for HomeAssistant home automation software)
SoftEther Version: softether-vpnserver-v4.22-9634-beta-2016.11.27-linux-arm_eabi-32bit

I have used the Windows management client to set a DDNS Hostname. I also ticked "Enable L2TP Server Function (L2TP over IPSec)", I have set an IPSec Pre-Shared Key, and I created a user with password authentication.

I did not change any other settings on the SoftEther server.

I have also forwarded all of the following ports (TCP/UDP) on my router to my Raspberry Pi: 50, 500, 1701, 1723, 4500

On my Windows 10 client I have used the following settings:

Server Name or Address: xxxxxxx.softether.net (DDNS setup during configuration)
Username: (username created above)
Password: (password created above)

I changed adaptor settings and set security to L2TP/IPSec and I set the correct Pre-Shared Key as above.

I followed the Android settings from here: https://www.softether.org/4-docs/2-howt ... ient_Setup

With either my Windows 10 PC or Android Phone I get no connection.
Windows PC:
Spends a lot of time on "Completing the connection" and then says "A connection to the remote computer could not be established. You might need to change the network settings for the connection"

Android Phone:
Just says "Unsuccessful"

In troubleshooting, I even changed the server address in the client's L2TP settings to be the local address of the Raspberry Pi but it still would not connect.

Are my ports right? Is there something I need to do with the Raspberry Pi iptables, or is there something else I am missing?

Any help much appreciated.

Capt.Insano
Posts: 4
Joined: Wed Sep 13, 2017 4:38 pm

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by Capt.Insano » Fri Sep 15, 2017 8:25 am

Bump (due to amount of spam on these boards.)

Thanks again for any help

Capt.Insano
Posts: 4
Joined: Wed Sep 13, 2017 4:38 pm

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by Capt.Insano » Fri Sep 22, 2017 11:47 am

Bump again, (these boards are really full of spam!)

Any help at all would be appreciated

KASCON11
Posts: 2
Joined: Sun Oct 01, 2017 5:19 pm

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by KASCON11 » Sun Oct 01, 2017 9:12 pm

Did you ever get any help with this issue? I am having the same issue on a Windows PC and was thinking of switching to a Raspberry Pi install.

softy
Posts: 4
Joined: Mon Oct 02, 2017 4:04 am

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by softy » Mon Oct 02, 2017 4:12 am

I have Softether running on a RasPi2! Works perfectly!

But one issue took time to solve, maybe you have the same issue.

So I have Softether on a RasPi, fine, and I use Windows 10 (totally unrelated though). Of course it's way more convenient to use the Windows SE-VPN Server Manager, right?

You can make all changes from Windows conveniently and see them right away! Wrong!

There was my problem! You can NOT use SE-VPN Server Manager tool to make changes on a Linux server! That includes the RasPi.

You need to use terminal software such as PuTTY and log in to SoftEther and make the changes that way.

Use:
sudo /usr/local/vpnserver/vpncmd

And now check your settings. Maybe there you find your error.

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by triwaves » Mon Oct 02, 2017 5:49 pm

softy wrote:

> There was my problem! You can NOT use SE-VPN Server Manager tool to make
> changes on a Linux server! That includes the RasPi.
>
> You need to use a terminal software such as Putty and login to Softether
> and make the changes that way.
>
Not sure I agree with that; I use a Win 10 machine with the server manager running to configure multiple remote RPi servers all the time. You can of course use SSH and command line but don't need to.

Another way I use on a Linux machine is to install SEVPN manager on the Linux machine via Wine. It works just fine if you are at a display on that machine or if you want to SSH in remotely.

Capt.Insano
Posts: 4
Joined: Wed Sep 13, 2017 4:38 pm

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by Capt.Insano » Mon Oct 02, 2017 8:05 pm

@softy: All changes I made via the Windows based management app seem to have been added to the VPN config.

See VPN Config below:
########################## START LOGS ###################################
VPN Server>ConfigGet
ConfigGet command - Get the current configuration of the VPN Server
Config name: "vpn_server.config", Size: 14392

# Software Configuration File
# ---------------------------
#
# You may edit this file when the VPN Server / Client / Bridge program is not running.
#
# In prior to edit this file manually by your text editor,
# shutdown the VPN Server / Client / Bridge background service.
# Otherwise, all changes will be lost.
#
declare root
{
uint ConfigRevision 27
bool IPsecMessageDisplayed true
string Region AT
bool VgsMessageDisplayed false

declare DDnsClient
{
bool Disabled false
byte Key xxxxxxxxxxxxxxxxxxxxxx=
string LocalHostname hassbian
string ProxyHostName $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
}
declare IPsec
{
bool EtherIP_IPsec false
string IPsec_Secret wellesley
string L2TP_DefaultHub VPN
bool L2TP_IPsec true
bool L2TP_Raw false

declare EtherIP_IDSettingsList
{
}
}
declare ListenerList
{
declare Listener0
{
bool DisableDos false
bool Enabled true
uint Port 443
}
declare Listener1
{
bool DisableDos false
bool Enabled true
uint Port 992
}
declare Listener2
{
bool DisableDos false
bool Enabled true
uint Port 1194
}
declare Listener3
{
bool DisableDos false
bool Enabled true
uint Port 5555
}
}
declare LocalBridgeList
{
bool DoNotDisableOffloading false

declare LocalBridge0
{
string DeviceName wlan0
string HubName VPN
bool LimitBroadcast false
bool MonitorMode false
bool NoPromiscuousMode false
bool TapMode false
}
}
declare ServerConfiguration
{
bool AcceptOnlyTls true
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
uint AutoDeleteCheckIntervalSecs 300
uint AutoSaveConfigSpan 300
bool BackupConfigOnlyWhenModified true
string CipherName DES-CBC3-SHA
uint CurrentBuild 9634
bool DisableCoreDumpOnUnix false
bool DisableDeadLockCheck false
bool DisableDosProction false
bool DisableGetHostNameWhenAcceptTcp false
bool DisableIntelAesAcceleration false
bool DisableIPv6Listener false
bool DisableNatTraversal false
bool DisableOpenVPNServer true
bool DisableSessionReconnect false
bool DisableSSTPServer true
bool DontBackupConfig false
bool EnableVpnAzure false
bool EnableVpnOverDns false
bool EnableVpnOverIcmp false
byte HashedPassword 7mnzzB+ZLx8ESM+NkDJtgzCUYBI=
string KeepConnectHost keepalive.softether.org
uint KeepConnectInterval 50
uint KeepConnectPort 80
uint KeepConnectProtocol 1
uint64 LoggerMaxLogSize 1073741823
uint MaxConcurrentDnsClientThreads 64
uint MaxConnectionsPerIP 256
uint MaxUnestablishedConnections 1000
bool NoHighPriorityProcess false
bool NoLinuxArpFilter false
bool NoSendSignature false
string OpenVPNDefaultClientOption dev-type$20tun,link-mtu$201500,tun-mtu$201500,cipher$20AES-128-CBC,auth$20SHA1,keysize$20128,key-method$202,tls-client
string OpenVPN_UdpPortList 1194
bool SaveDebugLog false
byte ServerCert xxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxx
byte ServerKey xxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxx
uint ServerLogSwitchType 4
uint ServerType 0
bool Tls_Disable1_0 false
bool Tls_Disable1_1 false
bool Tls_Disable1_2 false
bool UseKeepConnect true
bool UseWebTimePage false
bool UseWebUI false

declare GlobalParams
{
uint FIFO_BUDGET 1000000
uint HUB_ARP_SEND_INTERVAL 5000
uint IP_TABLE_EXPIRE_TIME 60000
uint IP_TABLE_EXPIRE_TIME_DHCP 300000
uint MAC_TABLE_EXPIRE_TIME 600000
uint MAX_BUFFERING_PACKET_SIZE 480000
uint MAX_HUB_LINKS 1024
uint MAX_IP_TABLES 65536
uint MAX_MAC_TABLES 65536
uint MAX_SEND_SOCKET_QUEUE_NUM 128
uint MAX_SEND_SOCKET_QUEUE_SIZE 320000
uint MAX_STORED_QUEUE_NUM 384
uint MEM_FIFO_REALLOC_MEM_SIZE 65536
uint MIN_SEND_SOCKET_QUEUE_SIZE 80000
uint QUEUE_BUDGET 1024
uint SELECT_TIME 256
uint SELECT_TIME_FOR_NAT 30
uint STORM_CHECK_SPAN 500
uint STORM_DISCARD_VALUE_END 1024
uint STORM_DISCARD_VALUE_START 3
}
declare ServerTraffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 1469370844
uint64 BroadcastCount 19640549
uint64 UnicastBytes 2196415295
uint64 UnicastCount 8946767
}
declare SendTraffic
{
uint64 BroadcastBytes 71612
uint64 BroadcastCount 598
uint64 UnicastBytes 58024312
uint64 UnicastCount 1233268
}
}
declare SyslogSettings
{
string HostName $
uint Port 514
uint SaveType 0
}
}
declare VirtualHUB
{
declare VPN
{
uint64 CreatedTime 1505284751651
byte HashedPassword xxxxxxxxxxxxxxxxxxxxxxxxxx
uint64 LastCommTime 1506941371097
uint64 LastLoginTime 1505289831639
uint NumLogin 0
bool Online true
bool RadiusConvertAllMsChapv2AuthRequestToEap false
string RadiusRealm $
uint RadiusRetryInterval 0
uint RadiusServerPort 1812
string RadiusSuffixFilter $
bool RadiusUsePeapInsteadOfEap false
byte SecurePassword xxxxxxxxxxxxxxxxxxxxxxxxxx
uint Type 0

declare AccessList
{
}
declare AdminOption
{
uint allow_hub_admin_change_option 0
uint deny_bridge 0
uint deny_change_user_password 0
uint deny_empty_password 0
uint deny_hub_admin_change_ext_option 0
uint deny_qos 0
uint deny_routing 0
uint max_accesslists 0
uint max_bitrates_download 0
uint max_bitrates_upload 0
uint max_groups 0
uint max_multilogins_per_user 0
uint max_sessions 0
uint max_sessions_bridge 0
uint max_sessions_client 0
uint max_sessions_client_bridge_apply 0
uint max_users 0
uint no_access_list_include_file 0
uint no_cascade 0
uint no_change_access_control_list 0
uint no_change_access_list 0
uint no_change_admin_password 0
uint no_change_cert_list 0
uint no_change_crl_list 0
uint no_change_groups 0
uint no_change_log_config 0
uint no_change_log_switch_type 0
uint no_change_msg 0
uint no_change_users 0
uint no_delay_jitter_packet_loss 0
uint no_delete_iptable 0
uint no_delete_mactable 0
uint no_disconnect_session 0
uint no_enum_session 0
uint no_offline 0
uint no_online 0
uint no_query_session 0
uint no_read_log_file 0
uint no_securenat 0
uint no_securenat_enabledhcp 0
uint no_securenat_enablenat 0
}
declare CascadeList
{
}
declare LogSetting
{
uint PacketLogSwitchType 4
uint PACKET_LOG_ARP 0
uint PACKET_LOG_DHCP 1
uint PACKET_LOG_ETHERNET 0
uint PACKET_LOG_ICMP 0
uint PACKET_LOG_IP 0
uint PACKET_LOG_TCP 0
uint PACKET_LOG_TCP_CONN 1
uint PACKET_LOG_UDP 0
bool SavePacketLog true
bool SaveSecurityLog true
uint SecurityLogSwitchType 4
}
declare Message
{
}
declare Option
{
uint AccessListIncludeFileCacheLifetime 30
uint AdjustTcpMssValue 0
bool ApplyIPv4AccessListOnArpPacket false
bool AssignVLanIdByRadiusAttribute false
bool BroadcastLimiterStrictMode false
uint BroadcastStormDetectionThreshold 0
uint ClientMinimumRequiredBuild 0
bool DenyAllRadiusLoginWithNoVlanAssign false
uint DetectDormantSessionInterval 0
bool DisableAdjustTcpMss false
bool DisableCheckMacOnLocalBridge false
bool DisableCorrectIpOffloadChecksum false
bool DisableHttpParsing false
bool DisableIPParsing false
bool DisableIpRawModeSecureNAT false
bool DisableKernelModeSecureNAT false
bool DisableUdpAcceleration false
bool DisableUdpFilterForLocalBridgeNic false
bool DisableUserModeSecureNAT false
bool DoNotSaveHeavySecurityLogs false
bool DropArpInPrivacyFilterMode true
bool DropBroadcastsInPrivacyFilterMode true
bool FilterBPDU false
bool FilterIPv4 false
bool FilterIPv6 false
bool FilterNonIP false
bool FilterOSPF false
bool FilterPPPoE false
uint FloodingSendQueueBufferQuota 33554432
bool ManageOnlyLocalUnicastIPv6 true
bool ManageOnlyPrivateIP true
uint MaxLoggedPacketsPerMinute 0
uint MaxSession 0
bool NoArpPolling false
bool NoDhcpPacketLogOutsideHub true
bool NoEnum false
bool NoIpTable false
bool NoIPv4PacketLog false
bool NoIPv6AddrPolling false
bool NoIPv6DefaultRouterInRAWhenIPv6 true
bool NoIPv6PacketLog false
bool NoLookBPDUBridgeId false
bool NoMacAddressLog true
bool NoManageVlanId false
bool NoPhysicalIPOnPacketLog false
bool NoSpinLockForPacketDelay false
bool RemoveDefGwOnDhcpForLocalhost true
uint RequiredClientId 0
uint SecureNAT_MaxDnsSessionsPerIp 0
uint SecureNAT_MaxIcmpSessionsPerIp 0
uint SecureNAT_MaxTcpSessionsPerIp 0
uint SecureNAT_MaxTcpSynSentPerIp 0
uint SecureNAT_MaxUdpSessionsPerIp 0
bool SecureNAT_RandomizeAssignIp false
bool SuppressClientUpdateNotification false
bool UseHubNameAsDhcpUserClassOption false
bool UseHubNameAsRadiusNasId false
string VlanTypeId 0x8100
bool YieldAfterStorePacket false
}
declare SecureNAT
{
bool Disabled true
bool SaveLog true

declare VirtualDhcpServer
{
string DhcpDnsServerAddress 192.168.30.1
string DhcpDnsServerAddress2 0.0.0.0
string DhcpDomainName $
bool DhcpEnabled true
uint DhcpExpireTimeSpan 7200
string DhcpGatewayAddress 192.168.30.1
string DhcpLeaseIPEnd 192.168.30.200
string DhcpLeaseIPStart 192.168.30.10
string DhcpPushRoutes $
string DhcpSubnetMask 255.255.255.0
}
declare VirtualHost
{
string VirtualHostIp 192.168.30.1
string VirtualHostIpSubnetMask 255.255.255.0
string VirtualHostMacAddress 00-AC-C4-39-92-5F
}
declare VirtualRouter
{
bool NatEnabled true
uint NatMtu 1500
uint NatTcpTimeout 1800
uint NatUdpTimeout 60
}
}
declare SecurityAccountDatabase
{
declare CertList
{
}
declare CrlList
{
}
declare GroupList
{
}
declare IPAccessControlList
{
}
declare UserList
{
declare user
{
byte AuthNtLmSecureHash xxxxxxxxxxx
byte AuthPassword
xxxxxxxxxxxxxxxxx
uint AuthType 1
uint64 CreatedTime 1505284945866
uint64 ExpireTime 0
uint64 LastLoginTime 1505289831639
string Note $
uint NumLogin 0
string RealName User
uint64 UpdatedTime 1505284945866

declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 67660
uint64 BroadcastCount 586
uint64 UnicastBytes 0
uint64 UnicastCount 0
}
declare SendTraffic
{
uint64 BroadcastBytes 3952
uint64 BroadcastCount 12
uint64 UnicastBytes 0
uint64 UnicastCount 0
}
}
}
}
}
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 1469370844
uint64 BroadcastCount 19640549
uint64 UnicastBytes 2196415295
uint64 UnicastCount 8946767
}
declare SendTraffic
{
uint64 BroadcastBytes 71612
uint64 BroadcastCount 598
uint64 UnicastBytes 58024312
uint64 UnicastCount 1233268
}
}
}
}
declare VirtualLayer3SwitchList
{
}
}


The command completed successfully.

VPN Server>

########################## END LOGS ###################################


Any ideas?
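
Added example, not part of the original thread and not SoftEther's own code: the ConfigGet dump above has some fields masked by hand, while others such as IPsec_Secret and the server HashedPassword still carry values. This Python sketch masks secret-bearing fields by name, including values wrapped onto continuation lines; the field list is taken from this dump, and the sample input and function name are constructed for illustration.

```python
import re
# Secret-bearing field names, taken from the ConfigGet dump in this thread.
SENSITIVE = {"IPsec_Secret", "HashedPassword", "SecurePassword", "AuthPassword",
             "AuthNtLmSecureHash", "ServerKey", "Key"}
# A field line is "<type> <name> [value]"; structural lines are declare/{/}.
FIELD = re.compile(r"^(\s*)(bool|byte|string|uint|uint64)\s+(\S+)(?:\s+(.*))?$")
STRUCT = re.compile(r"^\s*(declare\s+\S+|\{|\})\s*$")

# Constructed sample (not real credentials); ServerKey wraps onto a second line.
SAMPLE = """\
declare root
{
    declare IPsec
    {
        string IPsec_Secret example-psk
        bool L2TP_IPsec true
    }
    declare ServerConfiguration
    {
        byte HashedPassword Q09OU1RSVUNURUQ=
        byte ServerKey QUJDREVGR0g
        SUpLTE1OT1A
        uint ServerType 0
    }
}
"""


def redact(config_text, mask="<redacted>"):
    """Return (sanitised_text, masked_field_names) for a config dump."""
    out, masked, skipping = [], [], False
    for line in config_text.splitlines():
        m = FIELD.match(line)
        if m:
            indent, typ, name, _value = m.groups()
            skipping = name in SENSITIVE
            if skipping:
                masked.append(name)
                line = f"{indent}{typ} {name} {mask}"
        elif STRUCT.match(line) or not line.strip() or line.lstrip().startswith("#"):
            skipping = False
        elif skipping:
            continue  # wrapped remainder of a secret value: drop it
        out.append(line)
    return "\n".join(out), masked


if __name__ == "__main__":
    print(redact(SAMPLE)[0])
```

Non-secret settings that matter for L2TP/IPsec troubleshooting (L2TP_IPsec, L2TP_DefaultHub, the listener and bridge blocks) pass through unchanged, so the sanitised dump is still useful to whoever is helping.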

softy
Posts: 4
Joined: Mon Oct 02, 2017 4:04 am

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by softy » Tue Oct 03, 2017 7:01 am

triwaves wrote:
> softy wrote:
>
> > There was my problem! You can NOT use SE-VPN Server Manager tool to make
> > changes on a Linux server! That includes the RasPi.
> >
> > You need to use a terminal software such as Putty and login to Softether
> > and make the changes that way.
> >
> Not sure I agree with that

Not sure I disagree with you. But I tried some time and it didn't work. Then I read somewhere (on the internet, so it can't be wrong, right?) that remote from Win ain't working, so I SSH to the RasPi and did the settings there - and it worked first try!

But maybe it was something unrelated.

PS: I wish somebody would do something about the SPAM issue here.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Stuck getting L2TP/IPSec working on Raspberry Pi

Post by thisjun » Thu Oct 26, 2017 5:56 am

Could you show the server log when the connection failed?
