[Openswan Users] Openswan finally refuses connection during or after phase 2
thomas4437 at gmx.de
Thu Oct 27 15:07:19 EDT 2011
Hi all!
I'm trying to connect my iPod touch via an arbitrary HotSpot with my VPN server running Debian stable (just to gain secure access to the web, not to access the remote network).
The setup structure is as follows:
iPod (iOS 5) === NAT1 === internet === NAT2 === server (Win 7) as VM host === VM (Squeeze) as VPN server
iPod has a dynamically assigned private IP.
NAT1 may or may not incorporate a firewall (I tried both cases). I usually don't have administrative access to this device.
NAT2 incorporates a firewall. Ports 500 and 4500 UDP are forwarded to the VPN. The IP of its local interface is 192.168.23.1, the WAN IP is dynamically allocated (known to me, of course).
VM-Host-Server has a reserved IP (192.168.23.20) from DHCP.
VM VPN has a reserved IP from DHCP. It's bridged by the VM host, therefore residing in the same subnet (192.168.23.21).
I tried setting all up by following this guide:
http://wiki.debian.org/HowTo/iPhoneVPNServer
My current configuration of openswan looks like this after messing around with it for quite some weeks now, which has left me more and more confused over time:
ipsec.conf
===========
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.23.0/24
oe=off
protostack=netkey
uniqueids=no
conn road_warrior
rekey=no
authby=secret
esp=aes128-sha1
ike=aes128-sha-modp1024
type=transport
pfs=no
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
compress=yes
forceencaps=yes
#
left=192.168.23.21
leftprotoport=17/1701
leftnexthop=192.168.23.1
#
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%no,%priv
#
auto=add
ipsec.secrets
==============
include /var/lib/openswan/ipsec.secrets.inc # empty
192.168.23.21: PSK "mykey"
The best I got out of it is this:
tcpdump -i eth1 -n -p udp port 500 or udp port 4500
(running on VPN server)
13:25:50.615292 IP 85.214.218.91.500 > 192.168.23.21.500: isakmp: phase 1 I ident
13:25:50.616181 IP 192.168.23.21.500 > 85.214.218.91.500: isakmp: phase 1 R ident
13:25:51.014320 IP 85.214.218.91.500 > 192.168.23.21.500: isakmp: phase 1 I ident
13:25:51.015111 IP 192.168.23.21.500 > 85.214.218.91.500: isakmp: phase 1 R ident
13:25:51.640807 IP 85.214.218.91.4500 > 192.168.23.21.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:25:51.641311 IP 192.168.23.21.4500 > 85.214.218.91.4500: NONESP-encap: isakmp: phase 1 R ident[E]
13:25:52.387368 IP 85.214.218.91.4500 > 192.168.23.21.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:25:52.388040 IP 192.168.23.21.4500 > 85.214.218.91.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:25:53.148062 IP 85.214.218.91.4500 > 192.168.23.21.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:25:53.158208 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x1), length 132
13:25:53.692220 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x2), length 132
13:25:55.759901 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x3), length 132
13:25:59.887790 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x4), length 132
13:26:03.325189 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x5), length 132
13:26:07.043907 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x6), length 132
# from here on the iPod gui says something like "L2TP server not answering", the keep alives keep going
13:26:11.173170 IP 192.168.23.21.4500 > 85.214.218.91.4500: isakmp-nat-keep-alive
13:26:11.173235 IP 192.168.23.21.4500 > 85.214.218.91.4500: isakmp-nat-keep-alive
13:26:11.180820 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x7), length 132
13:26:12.499883 IP 85.214.218.91.4500 > 192.168.23.21.4500: isakmp-nat-keep-alive
13:26:23.185437 IP 192.168.23.21.4500 > 85.214.218.91.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
13:26:31.193634 IP 192.168.23.21.4500 > 85.214.218.91.4500: isakmp-nat-keep-alive
13:26:31.193699 IP 192.168.23.21.4500 > 85.214.218.91.4500: isakmp-nat-keep-alive
13:26:51.213917 IP 192.168.23.21.4500 > 85.214.218.91.4500: isakmp-nat-keep-alive
13:26:51.213981 IP 192.168.23.21.4500 > 85.214.218.91.4500: isakmp-nat-keep-alive
13:26:53.216372 IP 192.168.23.21.4500 > 85.214.218.91.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
...
I'm sure there's not much missing or wrong but I'm stuck - and tired.
Can any of you show me what I'm missing, where I'm wrong, how to further debug, which configuration options to dismiss or the like?
Any help is much appreciated.
Thank you all, cheers,
Thomas
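A small analysis script for captures like the one in this post, added here as an illustration; it is not part of the original message and not an Openswan tool. It parses tcpdump's `-n` output for UDP 500/4500, counts IKE phase 1, phase 2, NAT keep-alive and ESP packets per direction and per SPI, and reports where the exchange stalls. The embedded sample lines are copied from the capture above; the server address 192.168.23.21 is taken from the post; the diagnosis strings and the `summarize`/`diagnose` function names are my own.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the tcpdump capture in the post above
# (taken on the VPN server side, 192.168.23.21).
SAMPLE_CAPTURE = """\
13:25:50.615292 IP 85.214.218.91.500 > 192.168.23.21.500: isakmp: phase 1 I ident
13:25:50.616181 IP 192.168.23.21.500 > 85.214.218.91.500: isakmp: phase 1 R ident
13:25:51.640807 IP 85.214.218.91.4500 > 192.168.23.21.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:25:51.641311 IP 192.168.23.21.4500 > 85.214.218.91.4500: NONESP-encap: isakmp: phase 1 R ident[E]
13:25:52.387368 IP 85.214.218.91.4500 > 192.168.23.21.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:25:52.388040 IP 192.168.23.21.4500 > 85.214.218.91.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:25:53.148062 IP 85.214.218.91.4500 > 192.168.23.21.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:25:53.158208 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x1), length 132
13:25:53.692220 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x2), length 132
13:26:11.173170 IP 192.168.23.21.4500 > 85.214.218.91.4500: isakmp-nat-keep-alive
13:26:11.180820 IP 85.214.218.91.4500 > 192.168.23.21.4500: UDP-encap: ESP(spi=0x07456c49,seq=0x7), length 132
13:26:23.185437 IP 192.168.23.21.4500 > 85.214.218.91.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
"""

# One tcpdump -n line: timestamp, "IP", src.port > dst.port: payload description
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")


def classify(rest):
    """Map tcpdump's payload description to a coarse packet kind."""
    if "isakmp-nat-keep-alive" in rest:
        return "keepalive"
    if "ESP(" in rest:           # "UDP-encap: ESP(spi=...)"; NONESP-encap does not match
        return "esp"
    if "isakmp: phase 1" in rest:
        return "ike_phase1"
    if "isakmp: phase 2" in rest:
        return "ike_phase2"
    return "other"


def summarize(capture_text, server_ip):
    """Return ((kind, direction) -> count, spi -> direction -> ESP count)."""
    kinds = Counter()
    esp_by_spi = defaultdict(Counter)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a tcpdump record
        direction = "in" if m["dst"] == server_ip else "out"
        kind = classify(m["rest"])
        kinds[(kind, direction)] += 1
        if kind == "esp":
            e = ESP_RE.search(m["rest"])
            if e:
                esp_by_spi[e["spi"]][direction] += 1
    return kinds, esp_by_spi


def diagnose(capture_text, server_ip):
    """Name the first stage of the exchange at which the server stops answering."""
    kinds, esp_by_spi = summarize(capture_text, server_ip)
    if kinds[("ike_phase1", "out")] == 0:
        return "no phase 1 reply from server: check UDP 500/4500 forwarding and that pluto is listening"
    if kinds[("ike_phase2", "out")] == 0:
        return "phase 1 done but no phase 2 reply: check conn selection (protoport/rightsubnet) and the PSK"
    esp_in = sum(c["in"] for c in esp_by_spi.values())
    esp_out = sum(c["out"] for c in esp_by_spi.values())
    if esp_in > 0 and esp_out == 0:
        return ("one-way ESP: peer sends ESP, server sends none back; IKE is fine, so check whether "
                "inbound ESP is dropped by the kernel (ip -s xfrm state) or nothing answers on UDP 1701")
    if esp_in == 0:
        return "no ESP after phase 2: check the installed IPsec policies (ip xfrm policy)"
    return "bidirectional ESP: IPsec carries traffic, look above the tunnel (L2TP/PPP logs)"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "192.168.23.21"))
```

To use it on a live capture, save the output of the `tcpdump` command from the post to a file and call `diagnose(open("capture.txt").read(), "192.168.23.21")`. On the sample above it reports one-way ESP: every SPI 0x07456c49 packet flows toward the server and only NAT keep-alives and an informational exchange come back, which is why the client eventually gives up on L2TP even though both IKE phases completed.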