<html><body><div><br></div><div>Hi Jared.</div><div><br></div><div>This appears to be quite a common issue. If you search the archives, there's a mail which I sent to the group for Prakesh Palanisamy, relating to CISCO IPsec termination with OpenSwan. <span style="line-height: 1.5;">The mail you need to refer to was from 2nd September; if you want, I'll gladly forward it to you if you can't find it.</span></div><div><span style="line-height: 1.5;"><br></span></div><div><br></div><div>Since your mail doesn't mention what vendor the remote device is, you're leaving OpenSwan to figure out what negotiation it's going to make with the remote peer device. I'm pretty much guessing it's a Cisco, and unfortunately the only thing which seems to work (from my own experience) on Cisco *ASAs and PIXes* is 3des-md5 for phase 1/2.</div><div><br></div><div>Try and get the IPsec bit working first, before you introduce the L2TP part, and ensure the stability of the tunnel :)</div><div><br></div><div>Otherwise I'm shooting in the dark and second-guessing you, so I could well be wrong. :)</div><div><br></div><div>H.t.H.</div><div><br></div><div>D.</div><div>On Sep 17, 2015, at 01:22 AM, Jared Rodecker &lt;jared.rodecker@gmail.com&gt; wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div dir="ltr">Greetings:<div><br></div><div>I am new to the list and hoping to get help resolving a problem I've had establishing a VPN connection between my Ubuntu 14.04 server instance (on AWS) and a VPN server that is hosted by a client of our firm.</div><div><br></div><div>I am able to connect to the VPN server on my MacBook by simply using the Control Panel/Network interface to set up a VPN connection with "L2TP over IPsec" as my "VPN type" by providing the VPN IP address, username, password and secret.  
Each of those 4 values (IP, username, password, secret) was provided by our client and I have successfully connected many times from my local MacBook.</div><div><br></div><div>I need to set up some things to run automatically from the command line on a remote AWS server, but part of this process involves setting up the appropriate VPN client on my Ubuntu server instance on AWS to be able to connect to our client's VPN server.  I do not have access to a GUI and am instead using the command line.  My AWS instance has both a "public" and "private" IP address, but since I got very basic error messages about connectivity when using the "public" IP I am using the private IP in all of my config files.  I follow the convention that LEFT = Private IP of my AWS instance from which I'm trying to establish the connection and RIGHT = IP of the VPN server I'm trying to connect to (that is hosted externally by our client).</div><div><br></div><div>I have followed a variety of online examples and settled on the configuration that is summarized below.  
When I try to connect (by typing "ipsec auto --up VPNNAME") I get the following message:</div><div><br></div><div><p class=""><span class="">104 "sftravelvpn" #1: STATE_MAIN_I1: initiate</span></p><p class="">003 "sftravelvpn" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]</p><p class=""><span class="">003 "sftravelvpn" #1: received Vendor ID payload [RFC 3947] method set to=115 </span></p><p class=""><span class="">003 "sftravelvpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115</span></p><p class=""><span class="">003 "sftravelvpn" #1: ignoring Vendor ID payload [FRAGMENTATION]</span></p><p class=""><span class="">003 "sftravelvpn" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]</span></p><p class=""><span class="">003 "sftravelvpn" #1: ignoring Vendor ID payload [IKE CGA version 1]</span></p><p class=""><span class="">106 "sftravelvpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2</span></p><p class=""><span class="">003 "sftravelvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed</span></p><p class=""><span class="">108 "sftravelvpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3</span></p><p class=""><span class="">004 "sftravelvpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</span></p><p class=""><span class="">117 "sftravelvpn" #2: STATE_QUICK_I1: initiate</span></p><p class=""><span class="">010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response</span></p><p class=""><span class="">010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response</span></p><p class=""><span class="">031 "sftravelvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  
No acceptable response to our first Quick Mode message: perhaps peer likes no proposal</span></p><p class=""><span class="">000 "sftravelvpn" #2: starting keying attempt 2 of at most 3, but releasing whack</span></p><p class=""><span class=""><br></span></p><p class=""><span class="">It is the second-to-last line, "No acceptable response to our first Quick Mode message: perhaps peer likes no proposal", that I'm guessing is the clue to my problem.  I have reviewed all of the archives for this list going back to Jan 2013 and have found several related posts, but reading them and trying some things that were suggested has not worked yet.</span></p><p class=""><span class="">My config files are summarized below.  Much thanks to anyone who can help point me in the right direction!</span></p><p class=""><span class="">For the config files I have masked my info as such:</span></p><p class="">IP of VPN server I'm trying to connect to: x.x.x.x</p><p class="">Private IP of Ubuntu server instance on AWS: y.y.y.y</p><p class="">VPN password = VPNPWD</p><p class="">VPN user name = VPNUSER</p><p class="">VPN secret = VPNSECRET</p><p class=""><br></p><p class=""><br></p><p class="">File:  /etc/rc.local</p><p class="">for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 &gt; $vpn/accept_redirects; echo 0 &gt; $vpn/send_redirects; done</p><p class="">iptables -t nat -A POSTROUTING -j SNAT --to-source x.x.x.x -o eth+</p><p 
class=""><br></p><p class="">exit 0</p><p class=""><br></p><p class=""><br></p><p class="">FILE: /etc/ipsec.conf</p><p class="">config setup<br></p><p class=""><span class="">        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</span></p><p class=""><span class="">        nat_traversal=yes</span></p><p class=""><span class="">        protostack=netkey</span></p><p class=""><span class="">        oe=off</span></p><p class="">        plutoopts="--interface=eth0"</p><p class=""><br></p><p class=""><span class="">conn sftravelvpn</span></p><p class=""><span class="">        authby=secret</span></p><p class=""><span class="">        pfs=no</span></p><p class=""><span class="">        auto=add</span></p><p class=""><span class="">        keyingtries=3</span></p><p class=""><span class="">        dpddelay=30</span></p><p class=""><span class="">        dpdtimeout=120</span></p><p class=""><span class="">        dpdaction=clear</span></p><p class=""><span class="">        rekey=yes</span></p><p class=""><span class="">        ikelifetime=8h</span></p><p class=""><span class="">        keylife=1h</span></p><p class=""><span class="">        type=tunnel</span></p><p class=""><span class="">        left=y.y.y.y</span></p><p class=""><span class="">        leftnexthop=%defaultroute</span></p><p class=""><span class="">        leftprotoport=17/1701</span></p><p class=""><span class="">        right=x.x.x.x</span></p><p class=""><span class="">        rightprotoport=17/1701</span></p><p class=""><span class="">        rightnexthop=%defaultroute</span></p><p class=""><br></p><p class=""><br></p><p class="">File: /etc/ipsec.secrets</p><p class=""><br></p><p class=""><span class="">y.y.y.y  x.x.x.x : PSK </span><span class="">"SECRET"</span></p><p class=""><br></p><p 
class="">File:   /etc/xl2tpd/xl2tpd.conf</p><p class=""><br></p><p class=""><span class="">[global]</span></p><p class=""><span class="">ipsec saref = yes</span></p><p class=""><span class="">saref refinfo = 30</span></p><p class=""><br></p><p class=""><span class="">;debug avp = yes</span></p><p class=""><span class="">;debug network = yes</span></p><p class=""><span class="">;debug state = yes</span></p><p class=""><span class="">;debug tunnel = yes</span></p><p class=""><br></p><p class=""><span class="">[lns default]</span></p><p class=""><span class="">local ip = x.x.x.x</span></p><p class=""><span class="">refuse pap = yes</span></p><p class=""><span class="">require authentication = yes</span></p><p class=""><span class="">;ppp debug = yes</span></p><p class=""><span class="">pppoptfile = /etc/ppp/options.xl2tpd</span></p><p class=""><br></p><p class=""><span class="">length bit = yes</span></p><p class=""><br></p><p class="">File:  /etc/ppp/options.xl2tpd</p><p class=""><br></p><p class=""><span class="">require-mschap-v2</span></p><p class=""><span class="">ms-dns 8.8.8.8</span></p><p class=""><span class="">ms-dns 8.8.4.4</span></p><p class=""><span class="">auth</span></p><p class=""><span class="">mtu 1200</span></p><p class=""><span class="">mru 1000</span></p><p class=""><span class="">crtscts</span></p><p class=""><span class="">hide-password</span></p><p class=""><span class="">modem</span></p><p class=""><span class="">name sftravelvpn</span></p><p class=""><span class="">proxyarp</span></p><p class=""><span class="">lcp-echo-interval 30</span></p><p class=""><br></p><p class=""><span class="">lcp-echo-failure 4</span></p><p class=""><br></p><p class="">File:  /etc/ppp/chap-secrets</p><p class="">VPNUSER VPNPWD sftravelvpn VPNSECRET</p><p class=""><br></p><p class=""><br></p><p class="">Routing Rule:</p><p class="">sudo ip ro ad x.x.x.x via y.y.y.y</p><p class=""><br></p><p class=""><span class="">Then I restart services:</span></p><p 
class=""><br></p><p class=""><span class="">/etc/init.d/ipsec restart</span></p><p class=""><br></p><p class=""><span class="">/etc/init.d/xl2tpd restart</span></p><p class=""><span class=""><br></span></p><p class=""><span class="">Jared Rodecker</span></p><p class=""><span class=""><a href="mailto:jared.rodecker@gmail.com" data-mce-href="mailto:jared.rodecker@gmail.com">jared.rodecker@gmail.com</a></span></p><p class=""><span class=""><br></span></p><p class=""><span class=""><br></span></p></div></div><div class="_stretch"><span class="body-text-content">_______________________________________________<br><a href="mailto:Users@lists.openswan.org" data-mce-href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users" data-mce-href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" data-mce-href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" data-mce-href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span></div></div></blockquote></div></body></html>
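Added example for the thread above; this is not Jared's posted config nor D.'s, and neither of them confirmed it against the real peer. It assumes the same placeholders (x.x.x.x = the client's VPN server, y.y.y.y = the AWS private IP, VPNUSER/VPNPWD/VPNSECRET as masked above) and that the remote end is the Microsoft IKE implementation its vendor ID payload "MS NT5 ISAKMPOAKLEY" announces, i.e. a Windows L2TP/IPsec server rather than the Cisco D. guessed. Two things a practitioner would change relative to the posted files: L2TP/IPsec (RFC 3193) runs ESP in transport mode, so `type=tunnel` makes Openswan offer a Phase 2 proposal the L2TP server will not accept, which is exactly what "perhaps peer likes no proposal" after a successful Phase 1 usually means; and the AWS host is the L2TP client (LAC), so xl2tpd needs a `[lac]` section that dials the server, not the `[lns default]` section a server uses. The Phase 1 proposal is pinned to what the log shows the peer actually accepted (3DES, SHA1, modp1024) instead of D.'s 3des-md5. The pppd options file name and the `sftravelvpn` section name are my choices.

```ini
# ---- /etc/ipsec.conf (added example, not the original poster's file) ----
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        protostack=netkey
        oe=off

conn sftravelvpn
        authby=secret
        auto=add
        keyingtries=3
        # L2TP/IPsec is transport mode (RFC 3193). type=tunnel proposes
        # tunnel-mode SA attributes for UDP/1701 that an L2TP server rejects,
        # which surfaces as "perhaps peer likes no proposal" in Quick Mode.
        type=transport
        # Windows peers do not negotiate PFS on Phase 2 by default.
        pfs=no
        # Pin to what the Phase 1 log line shows the peer accepted
        # (oakley_3des_cbc_192 / oakley_sha / modp1024) rather than leaving
        # Openswan to walk its whole default list.
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1
        ikelifetime=8h
        keylife=1h
        rekey=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # left is the instance's private IP: EC2 NATs it to the public IP,
        # which is why the log reports "i am NATed"; that is expected.
        left=y.y.y.y
        leftprotoport=17/1701
        right=x.x.x.x
        rightprotoport=17/1701

# ---- /etc/ipsec.secrets (mode 0600, root-owned) ----
y.y.y.y x.x.x.x : PSK "VPNSECRET"

; ---- /etc/xl2tpd/xl2tpd.conf ----
; This host dials out, so it is a LAC; an [lns default] section is for a server.
[lac sftravelvpn]
lns = x.x.x.x
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client   ; assumed file name, see below
length bit = yes
redial = yes

# ---- /etc/ppp/options.l2tpd.client (assumed name) ----
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
usepeerdns
connect-delay 5000
name VPNUSER
# No "defaultroute" here: on an AWS instance managed over SSH, a default
# route into the tunnel strands the session. Add specific routes via ppp0.

# ---- /etc/ppp/chap-secrets (mode 0600) ----
# client    server  secret   IP
VPNUSER     *       VPNPWD   *
```

Bring it up in the order D. suggests: `ipsec auto --up sftravelvpn` first, and look for `STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>...}` in the output (Openswan prints "transport mode" or "tunnel mode" on that line, so it is a direct check that the fix took). Only then start the L2TP leg with `echo "c sftravelvpn" > /var/run/xl2tpd/l2tp-control` and watch `ip addr show ppp0` and `/var/log/syslog` for the PPP negotiation; route the client's networks via ppp0 explicitly rather than with `defaultroute`.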