[Openswan Users] Openswan and iphone L2TP/IPsec configuration example
Philipp Weirauch
weirauch at checkmobile.de
Wed Nov 25 17:02:13 EST 2009
Hi Paul, hi all,
I used your config to connect with an iPhone, only with different IPs and passwords :-)
and I get the following in my /var/log/messages:
Nov 25 22:45:56 vpn pluto[19901]: "l2tp-psk"[4] 80.187.101.1 #2755: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 25 22:45:56 vpn pluto[19901]: "l2tp-psk"[4] 80.187.101.1 #2755: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x07bf04b4 <0x6b2e7b9d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Nov 25 22:45:58 vpn xl2tpd[3198]: get_call: allocating new tunnel for host 80.187.101.1, port 49166.
Nov 25 22:45:58 vpn xl2tpd[3198]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Nov 25 22:45:58 vpn xl2tpd[3198]: build_fdset: closing down tunnel 49666
Nov 25 22:45:59 vpn xl2tpd[3198]: get_call: allocating new tunnel for host 80.187.101.1, port 49166.
Nov 25 22:45:59 vpn xl2tpd[3198]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Nov 25 22:45:59 vpn xl2tpd[3198]: build_fdset: closing down tunnel 26668
Nov 25 22:45:59 vpn xl2tpd[3198]: network_thread: select timeout
Obviously the tunnel is established.
What is going wrong on the xl2tpd side?
(using 2.6.24rc2 with NETKEY)
Regards,
Philipp
On 25.11.2009 at 17:44, Paul Wouters wrote:
> On Wed, 25 Nov 2009, Alexander Damhuis wrote:
>
>>> Why not use L2TP? People are using that on their iphones to Openswan without
>>> problems.
>>>
>>
>> I was trying that exactly and I fail with the L2TP portion of it right now - can you pinpoint me to useful info, configuration examples or someone, I could ask for examples?
>>
>> That would be very kind.
>
> Below is my ipsec.conf using PSK and xl2tpd.conf. This is using openswan 2.6.24rc2 with NETKEY.
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:193.110.157.60/32
>     protostack=netkey
>     interfaces="%defaultroute"
>     oe=off
>
> conn l2tp-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     #tempoverlapip=yes
>     type=transport
>     leftsendcert=always
>     left=193.110.157.131
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/%any
>     rightsubnet=vhost:%priv,%no
>
>
> xl2tpd.conf:
>
> [global]
> listen-addr = 193.110.157.131
> debug tunnel = yes
>
> [lns default]
> ip range = 193.111.228.2-193.111.228.127
> local ip = 193.111.228.1
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = OpenswanVPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
>
>
> /etc/ppp/options.xl2tpd is stock xl2tpd with only the nameservers changed
>
> Note that my public IP/interface is 193.110.157.131, and my "internal network"
> is 193.111.228.0/24. Most people will use RFC1918 where I have 193.111.228.x
> numbers.
>
> /etc/ppp/chap-secrets:
>
> # Secrets for authentication using PAP
> # client server secret IP addresses
> test * "test" 193.111.228.101
> * test "test" 193.111.228.101
> test1 * "test" 193.111.228.0/25
> * test1 "test" 193.111.228.0/25
> test2 * "test" 193.111.228.0/25
> * test2 "test" 193.111.228.0/25
>
> My public interface (193.110.157.131) is set to have an MTU of 1472.
>
> /etc/sysctl.conf contains:
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
>
> That should get anyone going with a simple PSK/L2TP setup.
>
> Paul
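An added consistency check over the two halves of the setup Paul describes above (my own example, not code from the thread or from Openswan/xl2tpd). It flattens the quoted ipsec.conf conn and xl2tpd.conf into key/value maps and flags the mismatches that most often break a PSK/L2TP setup: a conn that is not transport mode or not bound to UDP 1701, an xl2tpd listen-addr that differs from left=, a local ip that sits inside the client ip range, and PPP authentication not being enforced. It assumes a single conn in ipsec.conf and keys that do not collide across xl2tpd sections; the embedded configs are constructed from the ones quoted in the thread.

```python
import ipaddress

# Constructed from the ipsec.conf and xl2tpd.conf quoted in the thread (one conn only).
IPSEC_CONF = """\
conn l2tp-psk
    authby=secret
    type=transport
    left=193.110.157.131
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
"""
XL2TPD_CONF = """\
[global]
listen-addr = 193.110.157.131
[lns default]
ip range = 193.111.228.2-193.111.228.127
local ip = 193.111.228.1
require chap = yes
refuse pap = yes
require authentication = yes
"""

def parse_kv(text):
    """Flatten 'key = value' lines into a dict; section headers and comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", "#", "conn ", "config ")):
            k, v = (s.strip() for s in line.split("=", 1))
            out[k] = v
    return out

def check_l2tp_ipsec(ipsec_text, xl2tpd_text):
    """Return findings where the IPsec and xl2tpd halves disagree; [] means consistent."""
    c, x, findings = parse_kv(ipsec_text), parse_kv(xl2tpd_text), []
    if c.get("type") != "transport":
        findings.append("L2TP/IPsec needs type=transport")
    if c.get("leftprotoport") != "17/1701":
        findings.append("leftprotoport must be 17/1701 (UDP 1701 = L2TP)")
    if c.get("left") != x.get("listen-addr"):
        findings.append("xl2tpd listen-addr differs from ipsec left=")
    lo, hi = (ipaddress.ip_address(a) for a in x["ip range"].split("-"))
    if lo <= ipaddress.ip_address(x["local ip"]) <= hi:
        findings.append("local ip lies inside the client ip range")
    if x.get("require authentication") != "yes" or x.get("refuse pap") != "yes":
        findings.append("PPP authentication not enforced (require authentication / refuse pap)")
    return findings
```

Running check_l2tp_ipsec(IPSEC_CONF, XL2TPD_CONF) on the quoted configs returns an empty list; point it at your own two files to see which of the pairing rules is violated.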