[Openswan Users] NAT-T detection and iPhone

Gerald Vogt vogt at spamcop.net
Tue Feb 22 03:09:12 EST 2011


Hi!

Before I continue searching forever: does anyone know whether the
iPhone (iOS 4.2.1) always wants to use encapsulation mode for an
IPSec/L2TP connection? I am trying to get it to connect to a server with
openswan 2.6.32 (and today with 2.6.33), public IP addresses on both
ends, i.e. without encapsulation. So far, the only way to get it
connected was to use "forceencaps=yes". But I would like to get rid of
that to have Windows connect without a registry change...

Reading the logs makes me wonder whether the iPhone always wants
encapsulation regardless of its IP address...

Thanks!

Cheers, Gerald

connection:

conn L2TP-PSK
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
#       rightsubnet=vhost:%priv,%no
#        forceencaps=yes
        auto=add

Log extract:

Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
responding to Main Mode from unknown peer aaa.bbb.18.53
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no
NAT detected
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
msgid=00000000
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1: Main
mode peer ID is ID_IPV4_ADDR: 'aaa.bbb.18.53'
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1: new
NAT mapping for #1, was aaa.bbb.18.53:500, now aaa.bbb.18.53:4500
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1: Dead
Peer Detection (RFC 3706): enabled
Feb 22 08:55:37 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1: the
peer proposed: aaa.bbb.30.106/32:17/1701 -> aaa.bbb.18.53/32:17/0
Feb 22 08:55:37 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #2:
ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if
NAT-Traversal is detected
Feb 22 08:55:37 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #2:
sending encrypted notification BAD_PROPOSAL_SYNTAX to
aaa.bbb.18.53:4500
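As an added illustration (not part of the original post), the following script reads pluto log lines of the shape quoted above and reports, per peer, whether the IKE negotiation showed the pattern in this thread: NAT-T probing reports no NAT, the peer nevertheless moves to port 4500 and proposes ENCAPSULATION_MODE_UDP_TRANSPORT_RFC, and pluto rejects it with BAD_PROPOSAL_SYNTAX (which is the case forceencaps=yes papers over). The sample log is constructed from the lines in the post, with the wrapped lines joined; the function and field names are my own.

```python
import re

# Constructed sample: the relevant pluto lines from the post, each joined onto one line.
SAMPLE_LOG = """\
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Feb 22 08:55:36 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #1: new NAT mapping for #1, was aaa.bbb.18.53:500, now aaa.bbb.18.53:4500
Feb 22 08:55:37 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #2: ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal is detected
Feb 22 08:55:37 vpn pluto[5140]: "L2TP-PSK"[1] aaa.bbb.18.53 #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to aaa.bbb.18.53:4500
"""

# Matches the fixed prefix pluto prints: pid, connection name, instance, peer address, SA number, message.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)


def parse_pluto(log_text):
    """Split pluto log text into dicts with conn, peer, sa and msg fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def diagnose_nat_t(events):
    """Collect the NAT-T negotiation facts pluto logged, keyed by peer address."""
    peers = {}
    for ev in events:
        p = peers.setdefault(ev["peer"], {
            "nat_detected": None,        # None until the NAT-T probe result is seen
            "moved_to_4500": False,      # peer switched to the NAT-T port anyway
            "udp_encap_rejected": False, # pluto refused UDP-encapsulated transport mode
            "bad_proposal": False,       # BAD_PROPOSAL_SYNTAX notification was sent
        })
        msg = ev["msg"]
        if msg.startswith("NAT-Traversal: Result"):
            p["nat_detected"] = not msg.endswith("no NAT detected")
        elif "new NAT mapping" in msg and msg.endswith(":4500"):
            p["moved_to_4500"] = True
        elif "ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used" in msg:
            p["udp_encap_rejected"] = True
        elif "BAD_PROPOSAL_SYNTAX" in msg:
            p["bad_proposal"] = True
    return peers


def needs_forceencaps(state):
    """True when the peer asked for UDP encapsulation although no NAT was detected."""
    return state["nat_detected"] is False and state["udp_encap_rejected"]
```

Run it against a full /var/log/secure (or wherever pluto logs) to confirm that only the iPhone peer shows the mismatch; a peer that really is behind NAT will have nat_detected set to True and no encapsulation rejection.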
