<div dir="ltr"><div style="font-family:arial,sans-serif;font-size:13px">Dear All,</div><div style="font-family:arial,sans-serif;font-size:13px">I am using an EC2 Ubuntu 12.04 LTS instance in AWS. Openswan is listening on its UDP ports, but the ports are filtered; can you help me open them?</div>

<div style="font-family:arial,sans-serif;font-size:13px">I have tried to write a new ufw config but it didn&#39;t have any effect.</div><div><div><font face="arial, sans-serif">$ cat /etc/ufw/applications.d/openswan.common </font></div>

<div><font face="arial, sans-serif">[OpenswanL2TP]</font></div><div><font face="arial, sans-serif">title=L2TP</font></div><div><font face="arial, sans-serif">description=vpn is good thing.</font></div><div><font face="arial, sans-serif">ports=1701/udp</font></div>

<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">[Openswannat-t-ike]</font></div><div><font face="arial, sans-serif">title=Openswan nat-t-ike</font></div><div><font face="arial, sans-serif">description=Openswannat-t-ike</font></div>

<div><font face="arial, sans-serif">ports=4500/udp</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">[Openswanisakmp]</font></div><div><font face="arial, sans-serif">title=Openswanisakmp</font></div>

<div><font face="arial, sans-serif">description=Openswanisakmp</font></div><div><font face="arial, sans-serif">ports=500/udp</font></div></div><div><font face="arial, sans-serif"><br></font></div><div><div><font face="arial, sans-serif">$ sudo nmap -sU localhost</font></div>

<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Starting Nmap 5.21 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2013-11-23 03:26 UTC</font></div><div><font face="arial, sans-serif">Nmap scan report for localhost (127.0.0.1)</font></div>

<div><font face="arial, sans-serif">Host is up (0.000018s latency).</font></div><div><font face="arial, sans-serif">Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1</font></div><div><font face="arial, sans-serif">Not shown: 996 closed ports</font></div>

<div><font face="arial, sans-serif">PORT     STATE         SERVICE</font></div><div><font face="arial, sans-serif">68/udp   open|filtered dhcpc</font></div><div><font face="arial, sans-serif">500/udp  open          isakmp</font></div>

<div><font face="arial, sans-serif">1701/udp open|filtered L2TP</font></div><div><font face="arial, sans-serif">4500/udp open|filtered nat-t-ike</font></div></div><div><font face="arial, sans-serif"><br></font></div><div>

According to this (<a href="https://help.ubuntu.com/community/L2TPServer">https://help.ubuntu.com/community/L2TPServer</a>), I created a new init job.</div><div><div><br></div><div>$ cat /etc/init.d/ipsec.vpn </div><div><br>

</div><div>#!/bin/sh</div><div># Custom init job: enable forwarding and NAT for the L2TP/IPsec clients,</div><div># then start or stop Openswan and xl2tpd together.</div><div>case &quot;$1&quot; in</div><div>start)</div><div><span class="" style="white-space:pre">        </span>echo &quot;Starting my Ipsec VPN&quot;</div><div><span class="" style="white-space:pre">        </span># Masquerade VPN client traffic (10.152.2.0/24) leaving eth0</div><div><span class="" style="white-space:pre">        </span>iptables -t nat -A POSTROUTING -o eth0 -s 10.152.2.0/24 -j MASQUERADE</div>

<div><span class="" style="white-space:pre">        </span>echo 1 &gt; /proc/sys/net/ipv4/ip_forward</div><div><span class="" style="white-space:pre">        </span># Neither accept nor send ICMP redirects on any interface</div><div><span class="" style="white-space:pre">        </span>for each in /proc/sys/net/ipv4/conf/*</div><div><span class="" style="white-space:pre">        </span>do</div>

<div><span class="" style="white-space:pre">        </span><span class="" style="white-space:pre">        </span>echo 0 &gt; &quot;$each&quot;/accept_redirects</div><div><span class="" style="white-space:pre">        </span><span class="" style="white-space:pre">        </span>echo 0 &gt; &quot;$each&quot;/send_redirects</div>

<div><span class="" style="white-space:pre">        </span>done</div><div><span class="" style="white-space:pre">        </span>/etc/init.d/ipsec start</div><div><span class="" style="white-space:pre">        </span>/etc/init.d/xl2tpd start</div>

<div><span class="" style="white-space:pre">        </span>;;</div><div>stop)</div><div><span class="" style="white-space:pre">        </span>echo &quot;Stopping my Ipsec VPN&quot;</div><div><span class="" style="white-space:pre">        </span>iptables --table nat --flush</div>

<div><span class="" style="white-space:pre">        </span>echo 0 &gt; /proc/sys/net/ipv4/ip_forward</div><div><span class="" style="white-space:pre">        </span>/etc/init.d/ipsec stop</div><div><span class="" style="white-space:pre">        </span>/etc/init.d/xl2tpd stop</div>

<div><span class="" style="white-space:pre">        </span>;;</div><div>restart)</div><div><span class="" style="white-space:pre">        </span>echo &quot;Restarting my Ipsec VPN&quot;</div><div><span class="" style="white-space:pre">        </span># Stop, then start, so the MASQUERADE rule is not appended a second time</div><div><span class="" style="white-space:pre">        </span>&quot;$0&quot; stop</div><div><span class="" style="white-space:pre">        </span>&quot;$0&quot; start</div>

<div><span class="" style="white-space:pre">        </span>;;</div><div>*)</div><div><span class="" style="white-space:pre">        </span>echo &quot;Pay Attention!! Usage: /etc/init.d/ipsec.vpn  {start|stop|restart}&quot;</div><div><span class="" style="white-space:pre">        </span>exit 1</div>

<div><span class="" style="white-space:pre">        </span>;;</div><div>esac</div><div>exit 0</div></div><div><br></div><div><br></div><div style="font-family:arial,sans-serif;font-size:13px">$ cat /etc/ipsec.conf </div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">config setup</div><div style="font-family:arial,sans-serif;font-size:13px">  nat_traversal=yes</div><div style="font-family:arial,sans-serif;font-size:13px">

    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24</div><div style="font-family:arial,sans-serif;font-size:13px">

    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.</div><div style="font-family:arial,sans-serif;font-size:13px">

    oe=off</div><div style="font-family:arial,sans-serif;font-size:13px">    protostack=netkey</div><div style="font-family:arial,sans-serif;font-size:13px">conn L2TP-PSK-NAT</div><div style="font-family:arial,sans-serif;font-size:13px">

    rightsubnet=vhost:%priv</div><div style="font-family:arial,sans-serif;font-size:13px">    also=L2TP-PSK-noNAT</div><div style="font-family:arial,sans-serif;font-size:13px">conn L2TP-PSK-noNAT</div><div style="font-family:arial,sans-serif;font-size:13px">

    authby=secret</div><div style="font-family:arial,sans-serif;font-size:13px">    pfs=no</div><div style="font-family:arial,sans-serif;font-size:13px">    auto=add</div><div style="font-family:arial,sans-serif;font-size:13px">

    keyingtries=3</div><div style="font-family:arial,sans-serif;font-size:13px">    rekey=no</div><div style="font-family:arial,sans-serif;font-size:13px">    # Apple iOS doesn&#39;t send delete notify so we need dead peer detection</div>

<div style="font-family:arial,sans-serif;font-size:13px">    # to detect vanishing clients</div><div style="font-family:arial,sans-serif;font-size:13px">    dpddelay=30</div><div style="font-family:arial,sans-serif;font-size:13px">

    dpdtimeout=120</div><div style="font-family:arial,sans-serif;font-size:13px">    dpdaction=clear</div><div style="font-family:arial,sans-serif;font-size:13px">    # Set ikelifetime and keylife to same defaults windows has</div>

<div style="font-family:arial,sans-serif;font-size:13px">    ikelifetime=8h</div><div style="font-family:arial,sans-serif;font-size:13px">    keylife=1h</div><div style="font-family:arial,sans-serif;font-size:13px">    type=transport</div>

<div style="font-family:arial,sans-serif;font-size:13px">    # Replace IP address with your local IP (private, behind NAT IP is okay as well)</div><div style="font-family:arial,sans-serif;font-size:13px">    left=127.0.0.1</div>

<div style="font-family:arial,sans-serif;font-size:13px">    # For updated Windows 2000/XP clients,</div><div style="font-family:arial,sans-serif;font-size:13px">    # to support old clients as well, use leftprotoport=17/%any</div>

<div style="font-family:arial,sans-serif;font-size:13px">    leftprotoport=17/1701</div><div style="font-family:arial,sans-serif;font-size:13px">    right=%any</div><div style="font-family:arial,sans-serif;font-size:13px">

    rightprotoport=17/%any</div><div style="font-family:arial,sans-serif;font-size:13px">    #force all to be nat&#39;ed. because of iOS</div><div style="font-family:arial,sans-serif;font-size:13px">    forceencaps=yes</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">$ sudo cat /etc/ipsec.secrets</div><div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px"># This file holds shared secrets or RSA private keys for inter-Pluto</div><div style="font-family:arial,sans-serif;font-size:13px"># authentication.  See ipsec_pluto(8) manpage, and HTML documentation.</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"># RSA private key for this host, authenticating it to any other host</div><div style="font-family:arial,sans-serif;font-size:13px">

# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,</div><div style="font-family:arial,sans-serif;font-size:13px"># or configuration of other implementations, can be extracted conveniently</div><div style="font-family:arial,sans-serif;font-size:13px">

# with &quot;ipsec showhostkey&quot;.</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"># this file is managed with debconf and will contain the automatically created RSA keys</div>

<div style="font-family:arial,sans-serif;font-size:13px">#include /var/lib/openswan/ipsec.secrets.inc</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">

127.0.0.1  %any:  PSK &quot;PASSWORD&quot;</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">$ sudo ipsec verify</div><div style="font-family:arial,sans-serif;font-size:13px">

Checking your system to see if IPsec got installed and started correctly:</div><div style="font-family:arial,sans-serif;font-size:13px">Version check and ipsec on-path                             <span style="white-space:pre-wrap">        </span>[OK]</div>

<div style="font-family:arial,sans-serif;font-size:13px">Linux Openswan U2.6.37/K3.2.0-54-virtual (netkey)</div><div style="font-family:arial,sans-serif;font-size:13px">Checking for IPsec support in kernel                        <span style="white-space:pre-wrap">        </span>[OK]</div>

<div style="font-family:arial,sans-serif;font-size:13px"> SAref kernel support                                       <span style="white-space:pre-wrap">        </span>[N/A]</div><div style="font-family:arial,sans-serif;font-size:13px">

 NETKEY:  Testing XFRM related proc values                  <span style="white-space:pre-wrap">        </span>[OK]</div><div style="font-family:arial,sans-serif;font-size:13px"><span style="white-space:pre-wrap">        </span>[OK]</div>

<div style="font-family:arial,sans-serif;font-size:13px"><span style="white-space:pre-wrap">        </span>[OK]</div><div style="font-family:arial,sans-serif;font-size:13px">Checking that pluto is running                              <span style="white-space:pre-wrap">        </span>[OK]</div>

<div style="font-family:arial,sans-serif;font-size:13px"> Pluto listening for IKE on udp 500                         <span style="white-space:pre-wrap">        </span>[OK]</div><div style="font-family:arial,sans-serif;font-size:13px">

 Pluto listening for NAT-T on udp 4500                      <span style="white-space:pre-wrap">        </span>[OK]</div><div style="font-family:arial,sans-serif;font-size:13px">Checking for &#39;ip&#39; command                                   <span style="white-space:pre-wrap">        </span>[OK]</div>

<div style="font-family:arial,sans-serif;font-size:13px">Checking /bin/sh is not /bin/dash                           <span style="white-space:pre-wrap">        </span>[WARNING]</div><div style="font-family:arial,sans-serif;font-size:13px">

Checking for &#39;iptables&#39; command                             <span style="white-space:pre-wrap">        </span>[OK]</div><div style="font-family:arial,sans-serif;font-size:13px">Opportunistic Encryption Support                            <span style="white-space:pre-wrap">        </span>[DISABLED]</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">$ cat  /etc/xl2tpd/xl2tpd.conf</div><div style="font-family:arial,sans-serif;font-size:13px"> [global]<span style="white-space:pre-wrap">                                </span>; Global parameters:</div>

<div style="font-family:arial,sans-serif;font-size:13px">ipsec saref = no</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div><div><font face="arial, sans-serif">[lns default]<span class="" style="white-space:pre">                                </span>; Our fallthrough LNS definition</font></div>

<div><font face="arial, sans-serif">ip range = 10.152.2.2-10.152.2.254</font></div><div><font face="arial, sans-serif">local ip = 10.152.2.1</font></div><div><font face="arial, sans-serif">require chap = yes</font></div>
<div>
<font face="arial, sans-serif">refuse pap = yes</font></div><div><font face="arial, sans-serif">require authentication = yes</font></div><div><font face="arial, sans-serif">ppp debug = yes</font></div><div><font face="arial, sans-serif">pppoptfile = /etc/ppp/options.xl2tpd</font></div>

<div><font face="arial, sans-serif">length bit = yes</font></div><div><font face="arial, sans-serif">unix authentication = yes</font></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div></div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">Here is the log: </div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div><div><font face="arial, sans-serif">Nov 23 03:29:07 ip-10-185-160-186 ipsec_setup: Stopping Openswan IPsec...</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:08 ip-10-185-160-186 kernel: [1559520.098812] NET: Unregistered protocol family 15</font></div><div><font face="arial, sans-serif">Nov 23 03:29:08 ip-10-185-160-186 ipsec_setup: ...Openswan IPsec stopped</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:08 ip-10-185-160-186 kernel: [1559520.148547] NET: Registered protocol family 15</font></div><div><font face="arial, sans-serif">Nov 23 03:29:08 ip-10-185-160-186 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-54-virtual...</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:08 ip-10-185-160-186 ipsec_setup: Using NETKEY(XFRM) stack</font></div><div><font face="arial, sans-serif">Nov 23 03:29:09 ip-10-185-160-186 kernel: [1559520.248456] Initializing XFRM netlink socket</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:09 ip-10-185-160-186 ipsec_setup: ...Openswan IPsec started</font></div><div><font face="arial, sans-serif">Nov 23 03:29:09 ip-10-185-160-186 xl2tpd[2095]: death_handler: Fatal signal 15 received</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:09 ip-10-185-160-186 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d</font></div><div><font face="arial, sans-serif">Nov 23 03:29:09 ip-10-185-160-186 pluto: adjusting ipsec.d to /etc/ipsec.d</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:09 ip-10-185-160-186 ipsec__plutorun: 002 added connection description &quot;L2TP-PSK-NAT&quot;</font></div><div><font face="arial, sans-serif">Nov 23 03:29:09 ip-10-185-160-186 ipsec__plutorun: 002 added connection description &quot;L2TP-PSK-noNAT&quot;</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2319]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes</font></div><div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2319]: setsockopt recvref[30]: Protocol not available</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2319]: This binary does not support kernel L2TP.</font></div><div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: xl2tpd version xl2tpd-1.3.1 started on ip-10-185-160-186 PID:2320</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.</font></div><div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Forked by Scott Balmos and David Stipp, (C) 2001</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Inherited by Jeff McAdams, (C) 2002</font></div><div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Forked again by Xelerance (<a href="http://www.xelerance.com">www.xelerance.com</a>) (C) 2006</font></div>

<div><font face="arial, sans-serif">Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Listening on IP address 0.0.0.0, port 1701</font></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div></div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">Please give me a hint.</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Thanks</div>

<div style="font-family:arial,sans-serif;font-size:13px">Regards</div><div style="font-family:arial,sans-serif;font-size:13px">Mohsen</div></div>
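<div style="font-family:arial,sans-serif;font-size:13px">As an added example, not part of Mohsen's message: a POSIX sh helper that reads a ufw application profile file like the openswan.common shown above and prints the ufw allow command that actually applies each profile, since a profile file only defines a name and opens nothing until that command is run; it also cross-checks the profile's ports against the nmap -sU output, where open|filtered for UDP only means that no reply came back. The profile and nmap lines in the block are constructed from the message; note that the EC2 security group must also permit the same UDP ports, which no on-host firewall setting can do.</div>

```sh
#!/bin/sh
# Added example (not from the original message). A ufw application profile
# under /etc/ufw/applications.d/ only defines a named port set; no firewall
# rule exists until "ufw allow <profile>" is run, which is why writing the
# profile alone has no visible effect. On EC2 the security group must also
# permit the same UDP ports; ufw cannot change that.

# Constructed sample profile, mirroring the three sections in the message.
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
[OpenswanL2TP]
title=L2TP
ports=1701/udp

[Openswannat-t-ike]
title=Openswan nat-t-ike
ports=4500/udp

[Openswanisakmp]
title=Openswanisakmp
ports=500/udp
EOF

# Constructed copy of the three relevant lines from the nmap -sU output.
SAMPLE_NMAP=$(mktemp)
cat > "$SAMPLE_NMAP" <<'EOF'
500/udp  open          isakmp
1701/udp open|filtered L2TP
4500/udp open|filtered nat-t-ike
EOF
trap 'rm -f "$SAMPLE_PROFILE" "$SAMPLE_NMAP"' EXIT

# profile_rules FILE : print the "ufw allow <name>" command for each section,
# with the ports it opens as a trailing comment.
profile_rules() {
    awk '
        /^\[.*\]$/ { name = substr($0, 2, length($0) - 2); next }
        /^ports=/ && name != "" {
            sub(/^ports=/, "")
            printf "ufw allow %s   # opens %s\n", name, $0
        }
    ' "$1"
}

# profile_ports FILE : just the port specs, one per line.
profile_ports() {
    sed -n 's/^ports=//p' "$1"
}

# unconfirmed_ports PROFILE NMAP_FILE : profile ports nmap did not show as
# plainly "open". For UDP, open|filtered only means no reply came back;
# services that do not answer an empty probe (L2TP, NAT-T) look like that
# even when reachable, so only the IKE port can be confirmed by this scan.
unconfirmed_ports() {
    for p in $(profile_ports "$1"); do
        grep -q "^$p  *open  " "$2" || echo "$p"
    done
}

profile_rules "$SAMPLE_PROFILE"
unconfirmed_ports "$SAMPLE_PROFILE" "$SAMPLE_NMAP"
```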