<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi,<div><br></div><div>I stumbled over this script: <a href="https://gist.github.com/hwdsl2/9030462">https://gist.github.com/hwdsl2/9030462</a> (<a href="http://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/">http://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/</a>)</div><div><br></div><div>Using the following ipsec.conf, my openswan setup works perfectly: iOS5, iOS7 and OS X 10.9, simultaneous internal and external connections. Some fine tuning is still needed, but at least it works :)</div><div><br></div><div>ipsec.conf</div><div><br></div><div><div>config setup</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>dumpdir=/var/run/pluto/</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>nat_traversal=yes</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>oe=off</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>protostack=netkey</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>nhelpers=0</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>interfaces=%defaultroute</div><div> </div><div>conn vpnpsk</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>connaddrfamily=ipv4</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>auto=add</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>left=privateIP</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>leftid=publicIP</div><div><span class="Apple-tab-span" 
style="white-space:pre"> </span>leftsubnet=privateIP subnet</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>leftnexthop=%defaultroute</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>leftprotoport=17/1701</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>rightprotoport=17/%any</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>right=%any</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>rightsubnetwithin=0.0.0.0/0</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>forceencaps=yes</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>authby=secret</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>pfs=no</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>type=transport</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>auth=esp</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>ike=3des-sha1,aes-sha1</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>phase2alg=3des-sha1,aes-sha1</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>rekey=no</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>keyingtries=5</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>dpddelay=30</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>dpdtimeout=120</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>dpdaction=clear</div></div><div><br></div><div><br></div><div><br></div><div><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(0, 0, 0, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica';">Stian Skarsbø Solheim <<a 
href="mailto:lists@m3ua.net">lists@m3ua.net</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(0, 0, 0, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>[Openswan Users] Roadwarrior cannot connect from the outside</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(0, 0, 0, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica';">5 Jun 2014 08:16:16 GMT+2<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(0, 0, 0, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica';"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><div>Hi all,<br><br>Following a number of tutorials on the interwebs I have (finally!) gotten openswan/xl2tpd/pppd up and running on my Ubuntu 12.04 LTS box.<br><br>From my internal LAN I can connect with iOS7, iOS5 (trusty old iPad 1), and OS X 10.9. 
However, when I try to connect from the cellular network (iPhone), I get the “L2TP server is not responding” error.<br><br>My setup is your normal home cable situation:<br><br>Internet <—> Cable Modem (bridge) <—> Home router (NAT) <—> openSwan server<br><br><br>Here is my ipsec.conf:<br><br>version 2.0<br><br>config setup<br><span class="Apple-tab-span" style="white-space:pre"> </span>nat_traversal=yes<br><span class="Apple-tab-span" style="white-space:pre"> </span>virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/16,%v4:172.16.0.0/12<br><span class="Apple-tab-span" style="white-space:pre"> </span>oe=off<br><span class="Apple-tab-span" style="white-space:pre"> </span>protostack=netkey<br><span class="Apple-tab-span" style="white-space:pre"> </span>listen=10.1.2.3<br><br>conn L2TP-PSK-NAT<br> rightsubnet=vhost:%priv<br> also=L2TP-PSK-noNAT<br><br>conn L2TP-PSK-noNAT<br> authby=secret<br> pfs=no<br> auto=add<br> keyingtries=3<br> rekey=no<br> type=transport<br> left=10.1.2.3<br> leftnexthop=10.1.2.1<br> leftprotoport=17/1701<br> right=%any<br> rightprotoport=17/%any<br> dpddelay=15<br> dpdtimeout=30<br> dpdaction=clear<br><br><br>In /var/log/auth.log when connecting from the outside I get this:<br><br>I see that the client is offering up 10.235.73.47 as its address and I suspect this is the culprit. Does anyone know a way around this? 
Thankful for any pointers :)<br><br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [RFC 3947] method set to=115 <br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>Jun 5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [Dead Peer Detection]<br>Jun 5 07:56:23 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: responding to Main Mode from unknown 
peer 126.11.18.148<br>Jun 5 07:56:23 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Jun 5 07:56:23 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: STATE_MAIN_R1: sent MR1, expecting MI2<br>Jun 5 07:56:24 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed<br>Jun 5 07:56:24 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Jun 5 07:56:24 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: STATE_MAIN_R2: sent MR2, expecting MI3<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: Main mode peer ID is ID_IPV4_ADDR: '10.235.73.47'<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: deleting connection "L2TP-PSK-NAT" instance with peer 126.11.18.148 {isakmp=#0/ipsec=#0}<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: new NAT mapping for #25, was 126.11.18.148:500, now 126.11.18.148:4500<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}<br>Jun 5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: Dead Peer Detection (RFC 3706): enabled<br>Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: the peer proposed: 87.115.5.45/32:17/1701 -> 10.235.73.47/32:17/0<br>Jun 5 07:56:27 ltsbox pluto[798]: 
"L2TP-PSK-NAT"[25] 126.11.18.148 #25: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br>Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: responding to Quick Mode proposal {msgid:789f60f3}<br>Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: us: 10.1.2.3<10.1.2.3>:17/1701---10.1.2.1<br>Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: them: 126.11.18.148[10.235.73.47]:17/54988===10.235.73.47/32<br>Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Jun 5 07:56:28 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: Dead Peer Detection (RFC 3706): enabled<br>Jun 5 07:56:28 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Jun 5 07:56:28 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x07d16b80 <0xd7ba0515 xfrm=AES_256-HMAC_SHA1 NATOA=10.235.73.47 NATD=126.11.18.148:4500 DPD=enabled}<br>Jun 5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: received Delete SA(0x07d16b80) payload: deleting IPSEC State #26<br>Jun 5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory<br>Jun 5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: received and ignored informational message<br>Jun 5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: received Delete SA payload: deleting ISAKMP State #25<br>Jun 5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148: deleting connection "L2TP-PSK-NAT" instance with peer 126.11.18.148 {isakmp=#0/ipsec=#0}<br>Jun 
5 07:56:48 ltsbox pluto[798]: packet from 126.11.18.148:4500: received and ignored informational message<br><br><br><br>Br<br>Stian Skarsbø Solheim<br>_______________________________________________<br><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>Building and Integrating Virtual Private Networks with Openswan:<br>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br></div></blockquote></div><br></div></body></html>
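The two configurations in this thread differ in how `virtual_private` is written: the reply's version carves the server's own LAN out with `%v4:!192.168.42.0/24`, while the quoted original lists `%v4:192.168.1.0/16`, a prefix with host bits set whose canonical form is 192.168.0.0/16. `virtual_private` is what decides which inner address a NATed road warrior may claim behind its public address, so it is worth checking it against what pluto actually logs (in the quoted log, `them: 126.11.18.148[10.235.73.47]` and `NATOA=10.235.73.47`, and the SA does come up). The following script is an added example, not code from either post or from Openswan: it parses a `virtual_private` value (the `%v4:` prefix and `!` exclusions as used in the thread), flags non-canonical prefixes, pulls the peer's public and inner addresses out of pluto `them:` lines, and reports whether each claimed inner address falls inside the allowed range. The function names and the sample log text are my own; the log lines are constructed in the shape of those quoted above.

```python
"""Check an Openswan virtual_private range against the inner address a
NATed road warrior claims.

Added example, not code from the mailing-list posts or from Openswan.
The virtual_private syntax (%v4:/%v6: prefixes, '!' exclusions) and the
pluto "them:" line format follow what is visible in the thread; the
function names and the sample log are my own.
"""
import ipaddress
import re

# Constructed sample lines in the shape of the pluto output quoted in the
# thread: the peer's public address, then its claimed inner address in [].
SAMPLE_LOG = """\
Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: the peer proposed: 87.115.5.45/32:17/1701 -> 10.235.73.47/32:17/0
Jun 5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: them: 126.11.18.148[10.235.73.47]:17/54988===10.235.73.47/32
"""

# "them: <public>[<inner>]:" as pluto prints it for a NATed peer.
THEM_RE = re.compile(r"them: (?P<peer>[\d.]+)\[(?P<inner>[\d.]+)\]:")


def parse_virtual_private(value):
    """Split a virtual_private string into (includes, excludes, warnings).

    Entries look like %v4:10.0.0.0/8 or %v4:!192.168.42.0/24.  A prefix
    with host bits set (e.g. 192.168.1.0/16) is reported in `warnings`
    and normalised to its network address so the check can proceed.
    """
    includes, excludes, warnings = [], [], []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        # Drop the %v4: / %v6: address-family tag if present.
        body = raw.split(":", 1)[1] if raw.startswith("%v") else raw
        negate = body.startswith("!")
        cidr = body.lstrip("!")
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            net = ipaddress.ip_network(cidr, strict=False)
            warnings.append(f"{cidr} has host bits set; canonical form is {net}")
        (excludes if negate else includes).append(net)
    return includes, excludes, warnings


def accepts(includes, excludes, addr):
    """True if addr lies in some include range and in no exclude range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in includes) and not any(ip in n for n in excludes)


def peers_from_log(text):
    """Return (public_ip, inner_ip) pairs from pluto 'them:' lines."""
    return [(m["peer"], m["inner"]) for m in THEM_RE.finditer(text)]


def check(virtual_private, log_text):
    """Return (public_ip, inner_ip, accepted) for each peer seen in the log."""
    includes, excludes, _ = parse_virtual_private(virtual_private)
    return [(pub, inner, accepts(includes, excludes, inner))
            for pub, inner in peers_from_log(log_text)]


if __name__ == "__main__":
    # The reply's range, with the server's own LAN excluded via '!'.
    vp = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24"
    for pub, inner, ok in check(vp, SAMPLE_LOG):
        print(f"peer {pub} claims {inner}: {'accepted' if ok else 'REJECTED'}")
    # The original poster's range, to show the non-canonical prefix warning.
    _, _, warns = parse_virtual_private("%v4:10.0.0.0/8,%v4:192.168.1.0/16,%v4:172.16.0.0/12")
    for w in warns:
        print("warning:", w)
```

Run it against a real `/var/log/auth.log` by replacing `SAMPLE_LOG` with the file's contents; the `!` exclusion is what keeps a client from claiming an address inside the server's own LAN, and the strict parse catches a prefix that would otherwise be silently widened.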