[Openswan Users] Cannot connect to Openswan from iPad
Christo Romberg
coromberg at gmail.com
Tue Dec 4 11:19:08 EST 2012
Hey guys,
I'm new to Openswan, and I'm having trouble getting it configured properly.
I'm trying to get a home VPN system working, so that I can remotely access
my files through my iPad when I'm on the go.
I've successfully installed OpenSWAN on a Debian Squeeze box, and
configured it with the settings below.
The problem is that I cannot connect to the VPN server from my iPad.
Error message on the iPad:
---------------------------------------
"The L2TP-VPN server did not respond. Try reconnecting. If the problem
continues, verify your settings and contact your Administrator."
I've also tried with my MacBook, with the same error message as on the
iPhone.

/var/log/auth.log
-----------------------
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
Dec 3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message
==========================================
IMPLEMENTATION
==========================================

====================
NETWORK TOPOLOGY
====================
[Openswan-Server] <-------------> [WAN-router] <-------------> (Internet) <-------------> [my iPad, connected via 3G]
   192.168.1.2          192.168.1.1 // 188.67.59.220                                         91.150.29.228

===============
SYSTEM DETAILS
===============
- Debian Squeeze v6.0.6-i386
- OpenSWAN v1:2.6.28+dfsg-5+squeeze1
===============
CONFIGURATION
===============
/etc/ipsec.secrets:
---------------------------
192.168.1.2 %any 0.0.0.0: PSK "test"

/etc/ipsec.conf:
----------------------
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
    protostack=netkey
    #protostack=mast # used for SAref + MAST only
    interfaces="%defaultroute"
    oe=off

conn l2tp-psk
    authby=secret
    pfs=no
    auto=add
    # we cannot rekey for %any, let client rekey
    rekey=no
    keyingtries=3
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    # overlapip=yes # for SAref + MAST
    # sareftrack=yes # for SAref + MAST
    type=transport
    left=192.168.1.2
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    forceencaps=yes

/etc/xl2tpd/xl2tpd.conf
-------------------------------
[global]
; you cannot leave out listen-addr, causes possible wrong src ip on return packets
listen-addr = 192.168.1.2
; ipsec saref = yes ; For SAref + MAST only
; debug tunnel = yes

[lns default]
ip range = 192.168.1.101-192.168.1.110
local ip = 192.168.1.100
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = OpenswanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd
--------------------------------
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

/etc/ppp/chap-secrets:
--------------------------------
greg * "thesecret" *

/etc/sysctl.conf
----------------------
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

ipsec verify
-----------------
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

WAN-router configurations
--------------------------------------
I've configured the router to forward ports 500, 1701, and 4500 to 192.168.1.2.

==========================================
Thanks guys.
Have a great day,
//Chris
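Reading a pluto log by hand is error-prone, so here is an added example (my own code, not part of the post above or of Openswan) that walks the pluto lines from the auth.log excerpt and reports which layer the attempt reached: it treats an IPsec SA that the client tears down within a short grace period as an L2TP-layer problem, since IKE finished but the client gave up waiting for an L2TP reply. The stage names and the 60-second `l2tp_grace` threshold are my own assumptions.

```python
import re
from datetime import datetime

# One syslog line from pluto: timestamp, host, "pluto[pid]:", message.
PLUTO = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$')
CONN = re.compile(r'^"([^"]+)"\[\d+\] ')

def parse_pluto(lines):
    """Yield (timestamp, message) for every pluto line; skip the rest."""
    for line in lines:
        m = PLUTO.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), '%b %d %H:%M:%S'), m.group(2)

def triage(lines, l2tp_grace=60):
    """Return (stage, detail): 'ike-phase1' (no ISAKMP SA), 'ike-phase2'
    (no IPsec SA), 'l2tp' (IPsec SA up but deleted by the client within
    l2tp_grace seconds, so L2TP never answered) or 'ipsec-ok'."""
    isakmp = ipsec = deleted = None
    conns = set()
    for ts, msg in parse_pluto(lines):
        c = CONN.match(msg)
        if c:
            conns.add(c.group(1))   # connection name pluto matched
        if 'ISAKMP SA established' in msg and isakmp is None:
            isakmp = ts
        elif 'IPsec SA established' in msg and ipsec is None:
            ipsec = ts
        elif 'received Delete SA' in msg and 'IPSEC State' in msg:
            deleted = ts            # client sent Delete for the IPsec SA
    detail = {'conns': sorted(conns)}
    if isakmp is None:
        return 'ike-phase1', detail
    if ipsec is None:
        return 'ike-phase2', detail
    if deleted is not None:
        detail['seconds_up'] = int((deleted - ipsec).total_seconds())
        if detail['seconds_up'] <= l2tp_grace:
            return 'l2tp', detail
    return 'ipsec-ok', detail

# Excerpt of the pluto lines from the auth.log above (mail wrapping joined).
SAMPLE = """\
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
""".splitlines()
print(triage(SAMPLE))  # -> ('l2tp', {'conns': ['PSK'], 'seconds_up': 20})
```

The returned `conns` list is worth a glance too: the log above shows pluto matching a connection named "PSK", whereas the posted ipsec.conf defines `conn l2tp-psk`.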