<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I suspect the problem you're having applies to every iOS device, iPhone/iPad/Mac.<div><br></div><div>I *think* there's an L2TP/IPsec patch which is on the Openswan site which applies to iOS devices. Have you patched your Openswan code or looked for the patch?</div><div><br></div><div>D</div><div><br></div><div><br><div><div>On 4 Dec 2012, at 16:19, Christo Romberg wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hey guys,<div><br></div><div>I'm new to Openswan, and I'm having trouble getting it configured properly. I'm trying to get a home VPN system working, so that I can remotely access my files through my iPad when I'm on the go.</div><div><br></div><div>I've successfully installed Openswan on a Debian Squeeze box, and configured it with the settings below.<br><br>The problem is that I cannot connect to the VPN server from my iPad.<br>
<div><br></div><div><b>Error message on the iPad:</b></div><div><b>---------------------------------------</b></div><div>"<span><i>The
L2TP-VPN server did not respond. Try reconnecting. If the problem
continues, verify your settings and contact your Administrator.</i></span>"</div><div><br></div><div>I've also tried with my MacBook, with the same error message as on the iPhone.</div><div><b><br></b></div><div>
<b>/var/log/auth.log</b></div><div><b>-----------------------</b></div><div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}</i></div>
<div><i>Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled</i></div>
<div><i>Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -&gt; 192.168.1.3/32:17/0</i></div>
<div><i>Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}</i></div>
<div><i>Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: us: 192.168.1.2&lt;192.168.1.2&gt;[+S=C]:17/1701---192.168.1.1</i></div>
<div><i>Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32</i></div>
<div><i>Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</i></div>
<div><i>Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</i></div>
<div><i>Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled</i></div>
<div><i>Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</i></div>
<div><i>Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=&gt;0x07ec4aca &lt;0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}</i></div>
<div><i>Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2</i></div>
<div><i>Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory</i></div>
<div><i>Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message</i></div>
<div><i>Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1</i></div>
<div><i>Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}</i></div>
<div><i>Dec 3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message</i></div></div><br><br><br></div><div><b>------------------------------------------ IMPLEMENTATION ------------------------------------------</b></div><div><br></div><div><div><div>====================</div><div><b>NETWORK TOPOLOGY</b></div><div>====================</div></div><div><br></div><div><b>[Openswan-Server]</b> &lt;--------------&gt; <b>WAN-router</b> &lt;--------------&gt; <b>(Internet)</b> &lt;--------------&gt; <b>my iPad connected via 3G</b></div>
<div><b>192.168.1.2</b><span style="white-space:pre-wrap">                                </span><b>192.168.1.1 // 188.67.59.220</b><span style="white-space:pre-wrap">                                                </span><b><i>91.150.29.228</i></b></div>
</div><div><br></div><div><div>===============</div><div><b>SYSTEM DETAILS</b></div><div>===============</div><div>- Debian Squeeze v6.0.6-i386</div><div>- Openswan v1:2.6.28+dfsg-5+squeeze1</div></div><div><br></div><div>
<br></div><div><br></div><div>===============</div><div><b>CONFIGURATION</b></div><div>===============</div><div><br></div>
<div><b>/etc/ipsec.secrets:</b></div><div><b>---------------------------</b></div>
<div>192.168.1.2<span style="white-space:pre-wrap">                </span>%any<span style="white-space:pre-wrap">                </span>0.0.0.0:<span style="white-space:pre-wrap">        </span>PSK "test"</div>
<div><br></div><div><br></div>
<div><b>/etc/ipsec.conf:</b></div><div><b>----------------------</b></div>
<div>config setup</div>
<div><span style="white-space:pre-wrap">    </span>nat_traversal=yes</div>
<div><span style="white-space:pre-wrap">    </span>virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24</div>
<div><span style="white-space:pre-wrap">    </span>protostack=netkey</div>
<div><span style="white-space:pre-wrap">    </span>#protostack=mast # used for SAref + MAST only</div>
<div><span style="white-space:pre-wrap">    </span>interfaces="%defaultroute"</div>
<div><span style="white-space:pre-wrap">    </span>oe=off</div>
<div><br></div>
<div>conn l2tp-psk</div>
<div><span style="white-space:pre-wrap">    </span>authby=secret</div>
<div><span style="white-space:pre-wrap">    </span>pfs=no</div>
<div><span style="white-space:pre-wrap">    </span>auto=add</div>
<div><span style="white-space:pre-wrap">    </span># we cannot rekey for %any, let client rekey</div>
<div><span style="white-space:pre-wrap">    </span>rekey=no</div>
<div><span style="white-space:pre-wrap">    </span>keyingtries=3</div>
<div><span style="white-space:pre-wrap">    </span># Apple iOS doesn't send delete notify so we need dead peer detection</div>
<div><span style="white-space:pre-wrap">    </span># to detect vanishing clients</div>
<div><span style="white-space:pre-wrap">    </span>dpddelay=30</div>
<div><span style="white-space:pre-wrap">    </span>dpdtimeout=120</div>
<div><span style="white-space:pre-wrap">    </span>dpdaction=clear</div>
<div><span style="white-space:pre-wrap">    </span>ikelifetime=8h</div>
<div><span style="white-space:pre-wrap">    </span>keylife=1h</div>
<div><span style="white-space:pre-wrap">    </span># overlapip=yes # for SAref + MAST</div>
<div><span style="white-space:pre-wrap">    </span># sareftrack=yes # for SAref + MAST</div>
<div><span style="white-space:pre-wrap">    </span>type=transport</div>
<div><span style="white-space:pre-wrap">    </span>left=192.168.1.2</div>
<div><span style="white-space:pre-wrap">    </span>leftprotoport=17/1701</div>
<div><span style="white-space:pre-wrap">    </span>#</div>
<div><span style="white-space:pre-wrap">    </span># The remote user.</div>
<div><span style="white-space:pre-wrap">    </span>#</div>
<div><span style="white-space:pre-wrap">    </span>right=%any</div>
<div><span style="white-space:pre-wrap">    </span>rightprotoport=17/%any</div>
<div><span style="white-space:pre-wrap">    </span>rightsubnet=vhost:%priv,%no</div>
<div><span style="white-space:pre-wrap">    </span>forceencaps=yes</div>
<div><br></div><div><br></div>
<div><b>/etc/xl2tpd/xl2tpd.conf</b></div><div><b>-------------------------------</b></div>
<div>[global]</div>
<div>; you cannot leave out listen-addr, causes possible wrong src ip on return packets</div>
<div>listen-addr = 192.168.1.2</div>
<div>; ipsec saref = yes ; For SAref + MAST only</div>
<div>; debug tunnel = yes</div>
<div><br></div>
<div>[lns default]</div>
<div>ip range = 192.168.1.101-192.168.1.110</div>
<div>local ip = 192.168.1.100</div>
<div>assign ip = yes</div>
<div>require chap = yes</div>
<div>refuse pap = yes</div>
<div>require authentication = yes</div>
<div>name = OpenswanVPN</div>
<div>ppp debug = yes</div>
<div>pppoptfile = /etc/ppp/options.xl2tpd</div>
<div>length bit = yes</div>
<div><br></div><div><br></div>
<div><b>/etc/ppp/options.xl2tpd</b></div><div><b>--------------------------------</b></div>
<div>ipcp-accept-local</div>
<div>ipcp-accept-remote</div>
<div>ms-dns 192.168.1.1</div>
<div>noccp</div>
<div>auth</div>
<div>crtscts</div>
<div>idle 1800</div>
<div>mtu 1200</div>
<div>mru 1200</div>
<div>nodefaultroute</div>
<div>debug</div>
<div>lock</div>
<div>proxyarp</div>
<div>connect-delay 5000</div>
<div><br></div><div><br></div>
<div><b>/etc/ppp/chap-secrets:</b></div><div><b>--------------------------------</b></div>
<div>greg<span style="white-space:pre-wrap">                        </span>*<span style="white-space:pre-wrap">                </span>"thesecret"<span style="white-space:pre-wrap">                </span>*</div>
<div><br></div><div><br></div>
<div><b>/etc/sysctl.conf</b></div><div><b>----------------------</b></div>
<div>net.ipv4.ip_forward = 1</div>
<div>net.ipv4.conf.default.rp_filter = 0</div>
<div>net.ipv4.conf.default.accept_source_route = 0</div>
<div>net.ipv4.conf.all.send_redirects = 0</div>
<div>net.ipv4.conf.default.send_redirects = 0</div>
<div>net.ipv4.icmp_ignore_bogus_error_responses = 1</div>
<div><br></div><div><br></div>
<div><b>ipsec verify</b></div><div><b>-----------------</b></div>
<div><i>Version check and ipsec on-path<span style="white-space:pre-wrap">                                </span>[OK]</i></div>
<div><i>Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)</i></div>
<div><i>Checking for IPsec support in kernel<span style="white-space:pre-wrap">                                </span>[OK]</i></div>
<div><i>NETKEY detected, testing for disabled ICMP send_redirects<span style="white-space:pre-wrap">                </span>[FAILED]</i></div>
<div><i><br></i></div>
<div><i> Please disable /proc/sys/net/ipv4/conf/*/send_redirects</i></div>
<div><i> or NETKEY will cause the sending of bogus ICMP redirects!</i></div>
<div><i><br></i></div>
<div><i>NETKEY detected, testing for disabled ICMP accept_redirects<span style="white-space:pre-wrap">        </span>[FAILED]</i></div>
<div><i><br></i></div>
<div><i> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects</i></div>
<div><i> or NETKEY will accept bogus ICMP redirects!</i></div>
<div><i><br></i></div>
<div><i>Checking that pluto is running<span style="white-space:pre-wrap">                                        </span>[OK]</i></div>
<div><i>Pluto listening for IKE on udp 500<span style="white-space:pre-wrap">                                        </span>[OK]</i></div>
<div><i>Pluto listening for NAT-T on udp 4500<span style="white-space:pre-wrap">                                </span>[OK]</i></div>
<div><i>Two or more interfaces found, checking IP forwarding<span style="white-space:pre-wrap">                </span>[FAILED]</i></div>
<div><i>Checking for 'ip' command<span style="white-space:pre-wrap">                                        </span>[OK]</i></div>
<div><i>Checking for 'iptables' command<span style="white-space:pre-wrap">                                        </span>[OK]</i></div>
<div><i>Opportunistic Encryption Support<span style="white-space:pre-wrap">                                        </span>[DISABLED]</i></div>
<div><br></div><div><br></div>
<div><b>WAN-router configurations</b></div><div><b>--------------------------------------</b></div>
<div>I've configured the router to forward ports <i>500</i>, <i>1701</i>, and <i>4500</i> to <i>192.168.1.2</i>.</div>
<div><br></div><div><br></div>
<div><b>------------------------------------------ IMPLEMENTATION ------------------------------------------</b></div>
<div><br></div><div>Thanks guys.</div><div><br></div><div>Have a great day,</div><div>//Chris</div>
_______________________________________________<br><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>https://lists.openswan.org/mailman/listinfo/users<br>Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>Building and Integrating Virtual Private Networks with Openswan:<br>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br></blockquote></div><br><div>
<div>Regards</div><div><br></div><div>Dan.</div>
</div>
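<div><br></div>
<div>An added example, not part of this thread or of Openswan: a small Python script that parses pluto lines in the format of the auth.log excerpt quoted above and reports how far a client's L2TP/IPsec connection got (IKE phase 1, IPsec SA, peer-initiated delete), plus the negotiated parameters worth reviewing. The embedded sample log is a constructed, trimmed copy of the quoted lines; the wording of the findings, the 60-second "client gave up" threshold and the file name used in the usage note are assumptions of this example, not Openswan output.</div>

```python
"""Summarise an Openswan pluto log for one IKE peer (added example, not Openswan code).

Tracks IKE phase 1 (ISAKMP SA), phase 2 (IPsec SA) and peer-initiated deletes
in syslog lines like the auth.log excerpt above. Findings and thresholds are
heuristics of this example.
"""
import re
import sys
from datetime import datetime

# Constructed sample: a trimmed copy of the pluto lines quoted in the post,
# with the HTML links and line wraps removed.
SAMPLE_LOG = """\
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# syslog prefix, then either '"conn"[n] peer #sa: ' or 'packet from src: ', then the message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]*)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): |packet from (?P<src>\S+): )?'
    r'(?P<msg>.*)$')
PARAMS_RE = re.compile(r'\{([^}]*)\}')
CLIENT_GIVE_UP_SECONDS = 60  # heuristic: a delete this soon after SA setup is the client timing out


def parse_line(line):
    """Return the fields of one pluto line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields['ts'] = datetime.strptime(fields['ts'], '%b %d %H:%M:%S')  # year-less syslog stamp
    return fields


def params(msg):
    """Turn pluto's '{key=value ...}' suffix into a dict; tokens without '=' are skipped."""
    m = PARAMS_RE.search(msg)
    out = {}
    for token in (m.group(1).split() if m else []):
        key, sep, value = token.partition('=')
        if sep:
            out[key] = value.lstrip('>')  # 'ESP/NAT=>0x...' -> '0x...'
    return out


def analyse(text):
    """Walk the log once and record the milestones of the peer's connection."""
    s = {'peer': None, 'conn': None, 'nat_traversal': False, 'phase1': None,
         'phase2': None, 'mode': None, 'ike_params': {}, 'esp_params': {},
         'ipsec_deleted': None, 'isakmp_deleted': None, 'tunnel_seconds': None}
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg, ts = ev['msg'], ev['ts']
        if ev['peer']:
            s['peer'], s['conn'] = ev['peer'], ev['conn']
        if 'NATed' in msg:                      # "both are NATed" / "peer is NATed"
            s['nat_traversal'] = True
        if 'ISAKMP SA established' in msg:      # phase 1 done
            s['phase1'], s['ike_params'] = ts, params(msg)
        elif 'IPsec SA established' in msg:     # phase 2 done
            s['phase2'], s['esp_params'] = ts, params(msg)
            m = re.search(r'IPsec SA established (\w+ mode)', msg)
            s['mode'] = m.group(1) if m else None
        elif 'received Delete SA' in msg and 'IPSEC State' in msg:
            s['ipsec_deleted'] = ts             # the peer tore the tunnel down
        elif 'received Delete SA' in msg and 'ISAKMP State' in msg:
            s['isakmp_deleted'] = ts
    if s['phase2'] and s['ipsec_deleted']:
        s['tunnel_seconds'] = int((s['ipsec_deleted'] - s['phase2']).total_seconds())
    return s


def diagnose(s):
    """Return a list of findings; the first one says how far the handshake got."""
    findings = []
    if s['phase1'] is None:
        findings.append('IKE phase 1 never completed: check the PSK, the IKE proposal and UDP/500 reachability.')
    elif s['phase2'] is None:
        findings.append('Phase 1 completed but no IPsec SA: compare leftprotoport/rightprotoport and '
                        'rightsubnet with what the peer proposed.')
    elif s['tunnel_seconds'] is not None and s['tunnel_seconds'] < CLIENT_GIVE_UP_SECONDS:
        findings.append(f'IKE and IPsec negotiated, then the peer deleted the SA after {s["tunnel_seconds"]} s. '
                        'That looks like the client timing out above IPsec, so check the L2TP/PPP layer '
                        '(xl2tpd on UDP/1701, IP forwarding and the sysctl items "ipsec verify" flags) rather than IKE.')
    else:
        findings.append('IKE and IPsec negotiated and the tunnel stayed up.')
    if s['conn'] and s['mode']:
        findings.append(f'The log matched conn "{s["conn"]}" and built a {s["mode"]} SA; check that this is '
                        'the conn name and type= you expected from ipsec.conf.')
    if s['ike_params'].get('group') == 'modp1024':
        findings.append('Phase 1 used modp1024 (1024-bit DH); prefer modp2048 or larger where clients support it.')
    if s['ike_params'].get('auth') == 'OAKLEY_PRESHARED_KEY':
        findings.append('Authentication is a pre-shared key offered to %any; use a long random secret, not a placeholder.')
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in diagnose(analyse(text)):
        print('-', finding)
```

<div>Saved under a name of your choosing (say <i>pluto_summary.py</i>), it runs on the embedded sample with no arguments, or on a real file with <i>python3 pluto_summary.py /var/log/auth.log</i>. On the quoted log it reports that both IKE phases completed and the peer deleted the SA 20 seconds later, which points the investigation at xl2tpd and the forwarding/sysctl items rather than at IKE; it also notes that the matched conn is named "PSK" with a tunnel-mode SA, which is worth comparing against the conn and type= in the posted ipsec.conf.</div>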
<br></div></body></html>