Thank you for your help,<br><br>I was not able to find the patch on the Openswan website, so I decided to give strongSwan a go and got it working ok with that package instead.<br><br>Thank you all for your kind help,<br><br>
Have a good evening,<br>//Chris<br><div class="gmail_extra"><br><br><div class="gmail_quote">2012/12/6 Elison Niven <span dir="ltr"><<a href="mailto:elison.niven@elitecore.com" target="_blank">elison.niven@elitecore.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Any other clients apart from Apple iPhone and Macbook are able to connect?<br>
What do your xl2tpd and pppd logs say?<div class="im"><br>
<br>
On Thursday 06 December 2012 03:38:29 PM IST, Christo Romberg wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Nice, thank you for your input! I will check and test the L2TP/IPSec<br>
patch on the OpenSwan site and I'll report back.<br>
<br>
Thanks again,<br>
//Chris<br>
<br>
<br></div>
2012/12/4 Daniel Cave <<a href="mailto:dan.cave@me.com" target="_blank">dan.cave@me.com</a>><div class="im"><br>
<br>
I suspect the problem you're having applies to every iOS device,<br>
iphone/ipad/Mac.<br>
<br>
I *think* there's an L2TP/Ipsec Patch which is on the OpenSwan<br>
site which applies to iOS devices. Have you patched your OpenSwan<br>
code or looked for the patch?<br>
<br>
D<br>
<br>
<br>
On 4 Dec 2012, at 16:19, Christo Romberg wrote:<br>
<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Hey guys,<br>
<br>
I'm new to Openswan, and I'm having trouble getting it configured<br>
properly. I'm trying to get a home VPN system working, so that I<br>
can remotely access my files through my iPad when I'm on the go.<br>
<br>
I've successfully installed OpenSWAN on a Debian Squeeze box, and<br>
configured it with the settings below.<br>
<br>
The problem is that I cannot connect to the VPN server from my iPad.<br>
<br></div>
*Error message on the iPad:*<br>
*---------------------------------------*<br>
"The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."<br>
<br>
I've also tried with my MacBook, with the same error message as on the iPhone.<br>
<br>
*/var/log/auth.log*<br>
*-----------------------*<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<br>
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}<br>
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled<br>
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0<br>
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}<br>
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1<br>
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32<br>
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled<br>
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}<br>
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2<br>
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory<br>
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message<br>
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1<br>
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}<br>
Dec 3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message<br>
<br>
<br>
<br>
==================================================<br>
*IMPLEMENTATION*<br>
==================================================<br>
<br>
====================<br>
*NETWORK TOPOLOGY*<br>
====================<br>
<br>
[Openswan-Server] <--------------> [WAN-router] <--------------> (Internet) <--------------> [my iPad, connected via 3G]<br>
Openswan-Server: 192.168.1.2<br>
WAN-router: 192.168.1.1 / 188.67.59.220<br>
iPad: 91.150.29.228<br>
<br>
===============<br>
*SYSTEM DETAILS*<div class="im"><br>
===============<br>
- Debian Squeeze v6.0.6-i386<br>
- OpenSWAN v1:2.6.28+dfsg-5+squeeze1<br>
<br>
<br>
<br>
===============<br></div>
*CONFIGURATION*<br>
===============<br>
<br>
*/etc/ipsec.secrets:*<br>
*---------------------------*<br>
192.168.1.2 %any 0.0.0.0: PSK "test"<br>
<br>
<br>
*/etc/ipsec.conf:*<br>
*----------------------*<div class="im"><br>
config setup<br>
nat_traversal=yes<br>
<br>
virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24<br>
</div>
<div>
<div class="h5"><br>
protostack=netkey<br>
#protostack=mast # used for SAref + MAST only<br>
interfaces="%defaultroute"<br>
oe=off<br>
<br>
conn l2tp-psk<br>
authby=secret<br>
pfs=no<br>
auto=add<br>
# we cannot rekey for %any, let client rekey<br>
rekey=no<br>
keyingtries=3<br>
# Apple iOS doesn't send delete notify so we need dead peer detection<br>
# to detect vanishing clients<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=clear<br>
ikelifetime=8h<br>
keylife=1h<br>
# overlapip=yes # for SAref + MAST<br>
# sareftrack=yes # for SAref + MAST<br>
type=transport<br>
left=192.168.1.2<br>
leftprotoport=17/1701<br>
#<br>
# The remote user.<br>
#<br>
right=%any<br>
rightprotoport=17/%any<br>
rightsubnet=vhost:%priv,%no<br>
forceencaps=yes<br>
<br>
<br></div></div>
<br>
*/etc/xl2tpd/xl2tpd.conf*<br>
*-------------------------------*<div class="im"><br>
[global]<br>
; you cannot leave out listen-addr, causes possible wrong src ip on return packets<br>
listen-addr = 192.168.1.2<br>
; ipsec saref = yes ; For SAref + MAST only<br>
; debug tunnel = yes<br>
<br>
[lns default]<br>
ip range = 192.168.1.101-192.168.1.110<br>
local ip = 192.168.1.100<br>
assign ip = yes<br>
require chap = yes<br>
refuse pap = yes<br>
require authentication = yes<br>
name = OpenswanVPN<br>
ppp debug = yes<br>
pppoptfile = /etc/ppp/options.xl2tpd<br>
length bit = yes<br>
<br>
<br></div>
*/etc/ppp/options.xl2tpd*<br>
*--------------------------------*<div class="im"><br>
ipcp-accept-local<br>
ipcp-accept-remote<br>
ms-dns 192.168.1.1<br>
noccp<br>
auth<br>
crtscts<br>
idle 1800<br>
mtu 1200<br>
mru 1200<br>
nodefaultroute<br>
debug<br>
lock<br>
proxyarp<br>
connect-delay 5000<br>
<br></div>
<br>
*/etc/ppp/chap-secrets:*<br>
*--------------------------------*<br>
greg * "thesecret" *<br>
<br>
<br>
*/etc/sysctl.conf*<br>
*----------------------*<div class="im"><br>
net.ipv4.ip_forward = 1<br>
net.ipv4.conf.default.rp_filter = 0<br>
net.ipv4.conf.default.accept_source_route = 0<br>
net.ipv4.conf.all.send_redirects = 0<br>
net.ipv4.conf.default.send_redirects = 0<br>
net.ipv4.icmp_ignore_bogus_error_responses = 1<br></div>
<br>
*ipsec verify*<br>
*-----------------*<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br>
<br>
Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br>
or NETKEY will cause the sending of bogus ICMP redirects!<br>
<br>
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br>
<br>
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br>
or NETKEY will accept bogus ICMP redirects!<br>
<br>
Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for NAT-T on udp 4500 [OK]<br>
Two or more interfaces found, checking IP forwarding [FAILED]<br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
Opportunistic Encryption Support [DISABLED]<br>
<br>
*WAN-router configurations*<br>
*--------------------------------------*<br>
I've configured the router to forward ports 500, 1701, and 4500 to 192.168.1.2.<br>
<br>
<br>
<br>
==================================================<br>
*IMPLEMENTATION*<br>
==================================================<br>
<br>
<div class="im"><br>
Thanks guys.<br>
<br>
Have a great day,<br>
//Chris<br>
_______________________________________________<br></div>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><div class="im"><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments:<br>
<a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</div></blockquote><div class="im">
<br>
Regards<br>
<br>
Dan.<br>
<br>
<br>
<br>
<br>
--<br>
Christo Romberg<br>
<br>
<br>
</div></blockquote>
<br>
--<br>
Best Regards,<br>
Elison Niven<br>
</blockquote></div><br><br clear="all"><br>-- <br>Christo Romberg<br>
</div>
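<p>Added example, not code from the thread above or from Openswan: a small Python triage script that applies Elison's question ("what do your xl2tpd and pppd logs say?") mechanically to pluto lines like the ones quoted from /var/log/auth.log. It parses the syslog and pluto prefixes, records when phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed and when the client sent its Delete SA, and compares the negotiated IPsec mode against the <code>type=</code> of the conn in ipsec.conf. The log lines embedded below are excerpted from the thread; the year (syslog lines carry none) and the trimmed conn excerpt are assumptions made for the example.</p>

```python
"""Triage pluto (Openswan) log lines for an L2TP/IPsec client that reports
"The L2TP-VPN server did not respond".

Added example, not part of the original thread or of Openswan. It decides which
layer the failure belongs to (IKE phase 1, IPsec phase 2, or L2TP/PPP above it)
and flags a negotiated-mode vs configured type= mismatch.
"""
import re
from datetime import datetime

# Syslog prefix followed by pluto's own prefix: "CONN"[instance] PEER #state: message.
# The conn/peer part is absent on "packet from ..." lines, hence optional.
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #\d+)?: )?(?P<msg>.*)$'
)
MODE_RE = re.compile(r'IPsec SA established (?P<mode>tunnel|transport) mode')
SYSLOG_YEAR = 2012  # assumption: classic syslog lines carry no year


def _stamp(m):
    return datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S")


def conn_type(ipsec_conf, conn):
    """Return the type= of one conn section in ipsec.conf (Openswan defaults to tunnel)."""
    current, value = None, "tunnel"
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as "# we cannot rekey"
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
        elif current == conn and line.startswith("type="):
            value = line.split("=", 1)[1].strip()
    return value


def triage(log_lines, configured_type):
    """Reconstruct how far the IKE exchange got and say which layer to look at next."""
    got = {"phase1": None, "phase2": None, "mode": None, "deleted": None, "peer": None}
    for raw in log_lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        got["peer"] = m["peer"] or got["peer"]
        if "ISAKMP SA established" in msg:               # Main Mode (phase 1) done
            got["phase1"] = _stamp(m)
        elif mode := MODE_RE.search(msg):                # Quick Mode (phase 2) done
            got["phase2"], got["mode"] = _stamp(m), mode["mode"]
        elif "received Delete SA" in msg and "IPSEC State" in msg:
            got["deleted"] = _stamp(m)                   # client tore the IPsec SA down

    findings = []
    if got["phase1"] is None:
        findings.append("phase 1 never completed: check the PSK in ipsec.secrets and UDP 500/4500 forwarding")
    elif got["phase2"] is None:
        findings.append("phase 2 never completed: check left/rightprotoport and rightsubnet")
    else:
        findings.append("IPsec SA established: IKE is fine, look at xl2tpd (UDP 1701, listen-addr) and pppd logs")
        if got["deleted"] is not None:
            secs = int((got["deleted"] - got["phase2"]).total_seconds())
            findings.append(f"client tore the SA down {secs}s after phase 2, i.e. it gave up waiting for L2TP")
        if got["mode"] != configured_type:
            findings.append(f"negotiated {got['mode']} mode but the conn has type={configured_type}; "
                            "L2TP/IPsec normally runs in transport mode (RFC 3193)")
    got["findings"] = findings
    return got


# Lines excerpted from the auth.log quoted in the thread above (not a complete capture).
SAMPLE_LOG = [
    'Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109',
    'Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}',
    'Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}',
    'Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2',
]

# Trimmed excerpt of the conn from the thread's ipsec.conf (constructed for the example).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    protostack=netkey

conn l2tp-psk
    authby=secret
    pfs=no
    # we cannot rekey for %any, let client rekey
    rekey=no
    type=transport
    left=192.168.1.2
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    forceencaps=yes
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, conn_type(SAMPLE_CONF, "l2tp-psk"))
    for finding in result["findings"]:
        print("-", finding)
```

<p>Run against the full auth.log it prints one line per finding. On the excerpt above it reports that IKE completed, that the client deleted the SA 20 s after phase 2, and that the SA was negotiated in tunnel mode although the conn says <code>type=transport</code>. Whether that mismatch was the cause in this thread is not something the posts settle; the script only points at the layer where the evidence stops.</p>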