<html><body><div style="color:#000; background-color:#fff; font-family:arial, helvetica, sans-serif;font-size:10pt">I am sure you guys have seen such a request many times over but I hope you can stoop to my mortal level.<br><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"><div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"><div id="yiv237434552"><div><div style="color:#000;background-color:#fff;font-family:arial, helvetica, sans-serif;font-size:10pt;"><div id="yiv237434552"><div><div style="color:#000;background-color:#fff;font-family:arial, helvetica, sans-serif;font-size:10pt;"><div id="yiv237434552yui_3_2_0_17_135007807801754"><span id="yiv237434552yui_3_2_0_17_135007807801767">On to the nitty-gritty. The NATed IP of the VPN server is 192.168.10.254. I am to my external router with DynDNS. I am trying to connect to the VPN server with a Windows 7
machine.<br><br>ipsec.conf<br>---------------<br>version 2.0<br><br># basic configuration<br>config setup<br> # Enable this if you're behind a router<br> nat_traversal=yes<br> # exclude networks used on server side so they don't conflict with your
NAT<br> virtual_private=%v4:10.0.0.0/8,%v4:!192.168.0.0/16,%v4:172.16.0.0/12<br> # which IPsec stack to use. netkey is Linux Kernel Impl<br> protostack=netkey<br><br>#conn PSK<br># also=L2TP-PSK-NAT<br><br>conn L2TP-PSK-NAT<br> rightsubnet=vhost:%priv<br> also=L2TP-PSK-noNAT<br><br>conn L2TP-PSK-noNAT<br> authby=secret<br> pfs=no<br> auto=add<br> forceencaps=yes<br> keyingtries=3<br> # we cannot rekey for %any, let client
rekey<br> rekey=no<br> # Set ikelifetime and keylife to same defaults windows has<br> ikelifetime=8h<br> keylife=1h<br> # l2tp-over-ipsec is transport mode<br> type=tunnel<br># left=192.168.10.254<br># leftnexthop=%defaultroute<br> left=%defaultroute<br> # For updated Windows 2000/XP clients,<br> # to support old clients as well, use leftprotoport=17/%any<br> leftprotoport=17/1701<br> # The remote
user.<br> right=%any<br> rightprotoport=17/%any<br><br>xl2tpd.conf<br>----------------<br>; Sample l2tpd configuration file<br>;<br>; This example file should give you some idea of how the options for l2tpd<br>; should work. The best place to look for a list of all options is in<br>; the source code itself, until I have the time to write better documentation :)<br>; Specifically, the file "file.c" contains a list of commands at the end.<br>;<br>; You most definitely don't have to spell out everything as it is done here<br>;<br>;
[global] ; Global parameters:<br>; port = 1701 ; * Bind to port 1701<br>; auth file = /etc/l2tpd/l2tp-secrets ; * Where our challenge secrets are<br>; access control =
yes ; * Refuse connections without IP match<br>; rand source = dev ; Source for entropy for random<br>; ; numbers, options are:<br>; ; dev - reads of
/dev/urandom<br>; ; sys - uses rand()<br>; ; egd - reads from egd socket<br>; ; egd is not yet implemented<br>;<br>; [lns
default] ; Our fallthrough LNS definition<br>; exclusive = no ; * Only permit one tunnel per host<br>; ip range = 192.168.0.1-192.168.0.20 ; * Allocate from this IP range<br>; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts<br>; ip range =
192.168.0.5 ; * But this one is okay<br>; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP<br>; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's<br>; no lac = untrusted.marko.net ; * This guy can't connect<br>; hidden bit =
no ; * Use hidden AVP's?<br>; local ip = 192.168.1.2 ; * Our local IP to use<br>; length bit = yes ; * Use length bit in payload?<br>; require chap =
yes ; * Require CHAP auth. by peer<br>; refuse pap = yes ; * Refuse PAP authentication<br>; refuse chap = no ; * Refuse CHAP authentication<br>; refuse authentication =
no ; * Refuse authentication altogether<br>; require authentication = yes ; * Require peer to authenticate<br>; unix authentication = no ; * Use /etc/passwd for auth.<br>; name = myhostname ; * Report this as our hostname<br>; ppp debug =
no ; * Turn on PPP debugging<br>; pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file<br>; call rws = 10 ; * RWS for call (-1 is valid)<br>; tunnel rws =
4 ; * RWS for tunnel (must be > 0)<br>; flow bit = yes ; * Include sequence numbers<br>; challenge = yes ; * Challenge
authenticate peer<br>;<br>; rx bps = 10000000 ; Receive tunnel speed<br>; tx bps = 10000000 ; Transmit tunnel speed<br>; bps = 100000 ; Define both receive and transmit speed in one option<br><br>; [lac
marko] ; Example VPN LAC definition<br>; lns = lns.marko.net ; * Who is our LNS?<br>; lns = lns2.marko.net ; * A backup LNS (not yet used)<br>; redial =
yes ; * Redial if disconnected?<br>; redial timeout = 15 ; * Wait n seconds between redials<br>; max redials = 5 ; * Give up after n consecutive failures<br>; hidden bit =
yes ; * User hidden AVP's?<br>; local ip = 192.168.1.1 ; * Force peer to use this IP for us<br>; remote ip = 192.168.1.2 ; * Force peer to use this as their IP<br>; length bit =
no ; * Use length bit in payload?<br>; require pap = no ; * Require PAP auth. by peer<br>; require chap = yes ; * Require CHAP auth. by peer<br>; refuse pap =
yes ; * Refuse PAP authentication<br>; refuse chap = no ; * Refuse CHAP authentication<br>; refuse authentication = no ; * Refuse authentication altogether<br>; require authentication = yes ; * Require peer to
authenticate<br>; name = marko ; * Report this as our hostname<br>; ppp debug = no ; * Turn on PPP debugging<br>; pppoptfile = /etc/ppp/options.l2tpd.marko ; * ppp options file for this lac<br>; call rws =
10 ; * RWS for call (-1 is valid)<br>; tunnel rws = 4 ; * RWS for tunnel (must be > 0)<br>; flow bit = yes ; *
Include sequence numbers<br>; challenge = yes ; * Challenge authenticate peer<br>;<br>; [lac cisco] ; Another quick LAC<br>; lns = cisco.marko.net ; * Required, but can take from default<br>; require
authentication = yes<br><br>[global]<br>ipsec saref = yes<br><br>[lns default]<br># The range of IPs to assign the client when connecting<br>ip range = 10.8.1.2-10.8.1.255<br>local ip = 10.8.1.1<br># We're going to use Chap-v2<br>refuse chap = yes<br>refuse pap = yes<br>require authentication = yes<br>ppp debug = yes<br>pppoptfile = /etc/ppp/options.xl2tpd<br>length bit = yes<br><br>options.xl2tpd<br>--------------------<br>require-mschap-v2<br>ms-dns 8.8.8.8<br>ms-dns 8.8.4.4<br>asyncmap 0<br>auth<br>crtscts<br>lock<br>hide-password<br>modem<br>debug<br>name l2tpd<br>proxyarp<br>lcp-echo-interval 30<br>lcp-echo-failure 4<br><br>A little snippet from auth.log, with <span id="yiv237434552yui_3_2_0_17_135007807801767">OUTSIDEIP replacing my outside IP</span></span><br><span id="yiv237434552yui_3_2_0_17_135007807801767">---------------------------------------------------------------------------------------------------<br>pluto[4724]: packet from
192.168.10.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]<br>pluto[4724]: packet from 192.168.10.1:500: received Vendor ID payload [RFC 3947] method set to=115<br>pluto[4724]: packet from 192.168.10.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [FRAGMENTATION]<br>pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]<br>pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [Vid-Initial-Contact]<br>pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [IKE CGA version 1]<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: responding to Main Mode from unknown peer 192.168.10.1<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>pluto[4724]:
"L2TP-PSK-NAT"[6] 192.168.10.1 #17: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: STATE_MAIN_R1: sent MR1, expecting MI2<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: STATE_MAIN_R2: sent MR2, expecting MI3<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.250'<br>pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: deleting connection "L2TP-PSK-NAT" instance with peer 192.168.10.1
{isakmp=#0/ipsec=#0}<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: new NAT mapping for #17, was 192.168.10.1:500, now 192.168.10.1:4500<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: the peer proposed: OUTSIDEIP/32:17/1701 -> 192.168.10.250/32:17/0<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: responding to Quick Mode proposal {msgid:00000001}<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: us: 192.168.10.254:17/1701<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: them:
192.168.10.1[192.168.10.250]:17/1701===192.168.10.250/32<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x85909965 <0xd962c523 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.10.250 NATD=192.168.10.1:4500 DPD=none}<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: the peer proposed: </span><span id="yiv237434552yui_3_2_0_17_135007807801767"><span id="yiv237434552yui_3_2_0_17_135007807801767">OUTSIDEIP</span>/32:17/1701 -> 192.168.10.250/32:17/1701<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: NAT-Traversal: received 2 NAT-OA. using first,
ignoring others<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: responding to Quick Mode proposal {msgid:00000002}<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: us: 192.168.10.254:17/1701<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: them: 192.168.10.1[192.168.10.250]:17/1701===192.168.10.250/32<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: keeping refhim=4294901761 during rekey<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #19: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1e9b7235 <0xad74b63b xfrm=AES_128-HMAC_SHA1
NATOA=192.168.10.250 NATD=192.168.10.1:4500 DPD=none}<br><br></span></div><div id="yiv237434552yui_3_2_0_17_135007807801757">Thank you,<br></div><div>Gabriel Smith</div></div></div></div></div></div></div><br><br> </div> </div> </div></body></html>
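A parser for pluto lines like the ones in the log above, added here as an example (it is not from the original post or from Openswan): it pulls out what was actually negotiated (ISAKMP and IPsec SA parameters, the peer's proposal, DH groups pluto rejected) and flags that the IPsec SA came up in tunnel mode, which the ipsec.conf comment itself says should be transport mode for L2TP-over-IPsec. The sample lines are condensed from the post's own excerpt; OUTSIDEIP is the poster's placeholder.

```python
import re

# Constructed input: lines condensed from the post's auth.log (OUTSIDEIP is the poster's placeholder).
SAMPLE_LOG = """\
pluto[4724]: packet from 192.168.10.1:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[4724]: "L2TP-PSK-NAT"[6] 192.168.10.1 #17: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #17: the peer proposed: OUTSIDEIP/32:17/1701 -> 192.168.10.250/32:17/0
pluto[4724]: "L2TP-PSK-NAT"[7] 192.168.10.1 #18: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x85909965 <0xd962c523 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.10.250 NATD=192.168.10.1:4500 DPD=none}
"""
# A pluto line tied to a connection instance: conn name, peer, SA number, message.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
BRACES_RE = re.compile(r"\{([^}]*)\}")

def _params(msg):
    """Turn the '{k=v ...}' tail of an 'SA established' line into a dict."""
    out = {}
    for tok in BRACES_RE.search(msg).group(1).split():
        if "=" in tok and not tok.startswith("ESP"):  # skip the 'ESP/NAT=>spi <spi' SPI pair
            k, v = tok.split("=", 1)
            out[k] = v
    return out

def parse_pluto(text):
    """Summarise an IKEv1 main/quick mode exchange from pluto log lines."""
    res = {"isakmp": {}, "ipsec": {}, "proposals": [], "warnings": []}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # 'packet from ...' lines carry no SA state
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            res["isakmp"] = _params(msg)
        elif "IPsec SA established" in msg:
            res["ipsec"] = _params(msg)
            res["ipsec"]["mode"] = "tunnel" if "tunnel mode" in msg else "transport"
        elif "the peer proposed: " in msg:
            res["proposals"].append(msg.split("the peer proposed: ", 1)[1])
        elif "not supported" in msg:
            res["warnings"].append(msg)
    return res

def l2tp_findings(parsed):
    """Points worth raising for an L2TP/IPsec (RFC 3193) responder."""
    notes = []
    if parsed["ipsec"].get("mode") == "tunnel":
        notes.append("IPsec SA is tunnel mode; L2TP/IPsec uses transport mode (type=transport)")
    if parsed["warnings"]:
        notes.append("client offered DH groups pluto lacks; fell back to " + parsed["isakmp"].get("group", "?"))
    return notes
```

Run it over a full auth.log excerpt with parse_pluto(open("auth.log").read()); only lines carrying a connection instance are considered.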