[Openswan Users] Cannot connect to Openswan from iPad

Daniel Cave dan.cave at me.com
Tue Dec 4 11:26:21 EST 2012


I suspect the problem you're having applies to every iOS device, iphone/ipad/Mac.

I *think* there's an L2TP/IPsec patch which is on the OpenSwan site which applies to iOS devices. Have you patched your OpenSwan code or looked for the patch?

D


On 4 Dec 2012, at 16:19, Christo Romberg wrote:

> Hey guys,
> 
> I'm new to Openswan, and I'm having trouble getting it configured properly. I'm trying to get a home VPN system working, so that I can remotely access my files through my iPad when I'm on the go.
> 
> I've successfully installed OpenSWAN on a Debian Squeeze box, and configured it with the settings below.
> 
> The problem is that I cannot connect to the VPN server from my iPad.
> 
> Error message on the iPad:
> ---------------------------------------
> "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."
> 
> I've also tried with my MacBook, with the same error message as on the iPhone.
> 
> /var/log/auth.log
> -----------------------
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109 
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2:     us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2:   them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled
> Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
> Dec  3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message
> 
> 
> 
> ------------------------------------------------------------------------------------ IMPLEMENTATION  ------------------------------------------------------------------------------------
> 
> ====================
>  NETWORK TOPOLOGY
> ====================
> 
> [Openswan-Server]  <-------------->  WAN-router  <-------------->  (Internet)  <-------------->  my iPad connected via 3G
> 192.168.1.2                          192.168.1.1 // 188.67.59.220                                91.150.29.228
> 
> ===============
> SYSTEM DETAILS
> ===============
> - Debian Squeeze v6.0.6-i386
> - OpenSWAN v1:2.6.28+dfsg-5+squeeze1
> 
> 
> 
> ===============
> CONFIGURATION
> ===============
> 
> /etc/ipsec.secrets:
> ---------------------------
> 192.168.1.2  %any  0.0.0.0: PSK "test"
> 
> 
> /etc/ipsec.conf:
> ----------------------
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
>         protostack=netkey
>         #protostack=mast  # used for SAref + MAST only
>         interfaces="%defaultroute" 
>         oe=off
> 
> conn l2tp-psk
>         authby=secret
>         pfs=no
>         auto=add
>         # we cannot rekey for %any, let client rekey
>         rekey=no
>         keyingtries=3
>         # Apple iOS doesn't send delete notify so we need dead peer detection
>         # to detect vanishing clients
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         ikelifetime=8h
>         keylife=1h
>         # overlapip=yes   # for SAref + MAST
>         # sareftrack=yes  # for SAref + MAST
>         type=transport
>         left=192.168.1.2
>         leftprotoport=17/1701
>         #
>         # The remote user.
>         #
>         right=%any
>         rightprotoport=17/%any
>         rightsubnet=vhost:%priv,%no
>         forceencaps=yes
> 
> 
> /etc/xl2tpd/xl2tpd.conf
> -------------------------------
> [global]
> ; you cannot leave out listen-addr, causes possible wrong src ip on return packets
> listen-addr = 192.168.1.2
> ; ipsec saref = yes   ; For SAref + MAST only
> ; debug tunnel = yes
> 
> [lns default]
> ip range = 192.168.1.101-192.168.1.110
> local ip = 192.168.1.100
> assign ip = yes
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = OpenswanVPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
> 
> 
> /etc/ppp/options.xl2tpd
> --------------------------------
> ipcp-accept-local
> ipcp-accept-remote
> ms-dns  192.168.1.1
> noccp
> auth
> crtscts
> idle 1800
> mtu 1200
> mru 1200
> nodefaultroute
> debug
> lock
> proxyarp
> connect-delay 5000
> 
> 
> /etc/ppp/chap-secrets:
> --------------------------------
> greg    *    "thesecret"    *
> 
> 
> /etc/sysctl.conf
> ----------------------
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> 
> 
> ipsec verify
> -----------------
> "
> Version check and ipsec on-path                             [OK]
> Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
> Checking for IPsec support in kernel                        [OK]
> NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
> 
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
> 
> Checking that pluto is running                              [OK]
> Pluto listening for IKE on udp 500                          [OK]
> Pluto listening for NAT-T on udp 4500                       [OK]
> Two or more interfaces found, checking IP forwarding        [FAILED]
> Checking for 'ip' command                                   [OK]
> Checking for 'iptables' command                             [OK]
> Opportunistic Encryption Support                            [DISABLED]
> "
> 
> 
> WAN-router configurations
> --------------------------------------
> I've configured the router to forward ports 500, 1701, and 4500 to 192.168.1.2.
> 
> 
> 
> 
> ------------------------------------------------------------------------------------ IMPLEMENTATION  ------------------------------------------------------------------------------------ 
> 
> 
> 
> 
> Thanks guys.
> 
> Have a great day,
> //Chris
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Regards

Dan.
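What the quoted auth.log actually says, and an added triage script for it (example code written for this page, not Openswan's own and not from either poster): Main Mode completes (ISAKMP SA established at 20:57:52), Quick Mode completes (IPsec SA established at 20:57:54), and twenty seconds later the client sends Delete SA for both. IKE and ESP were therefore fine; the iPad's "L2TP-VPN server did not respond" refers to the L2TP exchange carried inside that SA, which got no reply. The script classifies a pluto log by the furthest milestone reached and prints where to look next. The sample log is a trimmed copy of the quoted lines, and the hint strings are this example's own suggestions.

```sh
#!/bin/sh
# Added triage helper: classify a pluto (Openswan IKEv1) log by the furthest
# milestone reached and say which layer to look at next. Example code, not
# part of Openswan; the hint texts are this example's own suggestions.

# Constructed sample: the milestone lines from the auth.log quoted above.
SAMPLE_LOG='Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2'

# hms_to_sec HH:MM:SS -> seconds since midnight
hms_to_sec() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# log_time LOG PATTERN -> syslog timestamp (third field) of the first matching line
log_time() {
    printf '%s\n' "$1" | grep "$2" | head -n 1 | awk '{ print $3 }'
}

# seconds_between LOG PATTERN_A PATTERN_B -> seconds from first A to first B
seconds_between() {
    ta=$(log_time "$1" "$2")
    tb=$(log_time "$1" "$3")
    [ -n "$ta" ] && [ -n "$tb" ] || return 1
    echo $(( $(hms_to_sec "$tb") - $(hms_to_sec "$ta") ))
}

# pluto_stage LOG -> furthest milestone: none | main-mode | isakmp-sa | quick-mode | ipsec-sa
pluto_stage() {
    stage=none
    printf '%s\n' "$1" | grep -q 'responding to Main Mode'  && stage=main-mode
    printf '%s\n' "$1" | grep -q 'ISAKMP SA established'    && stage=isakmp-sa
    printf '%s\n' "$1" | grep -q 'responding to Quick Mode' && stage=quick-mode
    printf '%s\n' "$1" | grep -q 'IPsec SA established'     && stage=ipsec-sa
    printf '%s\n' "$stage"
}

# peer_nated LOG -> true when pluto reported NAT on both sides (ESP rides in UDP 4500)
peer_nated() {
    printf '%s\n' "$1" | grep -q 'both are NATed'
}

# pluto_verdict LOG -> one-line hint about which layer to look at next
pluto_verdict() {
    case "$(pluto_stage "$1")" in
        none)       echo "no IKE seen: check that UDP 500/4500 reach pluto (port forwards, firewall)" ;;
        main-mode)  echo "Main Mode did not complete: PSK or IKE proposal mismatch" ;;
        isakmp-sa|quick-mode)
                    echo "Phase 1 ok, no IPsec SA: Quick Mode selector or proposal mismatch" ;;
        ipsec-sa)
            if printf '%s\n' "$1" | grep -q 'received Delete SA'; then
                gap=$(seconds_between "$1" 'IPsec SA established' 'received Delete SA')
                echo "IPsec SA came up, peer tore it down after ${gap}s: IKE/ESP are fine, look at L2TP (xl2tpd on UDP 1701 at listen-addr, host firewall)"
            else
                echo "IPsec SA up and still alive: look at the L2TP/PPP logs"
            fi ;;
    esac
}

pluto_stage "$SAMPLE_LOG"
pluto_verdict "$SAMPLE_LOG"
peer_nated "$SAMPLE_LOG" && echo "note: both ends NATed, ESP is carried in UDP 4500"
```

On a real box run it as `pluto_verdict "$(grep 'pluto\[' /var/log/auth.log)"`. Two things in the quoted log are worth checking once you are at the L2TP layer: pluto reports both ends as NATed, so for this client ESP arrives inside UDP 4500 and the router's forward of plaintext UDP 1701 is not what carries the L2TP packets, while the Debian host's own firewall still has to accept UDP 1701 after decapsulation; and the SA came up in tunnel mode with the client's inner address 192.168.1.3 inside the server's own 192.168.1.0/24, even though the conn is type=transport, which is worth confirming against what xl2tpd at listen-addr 192.168.1.2 is actually receiving.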

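The three FAILED lines in the quoted ipsec verify are all kernel sysctl state, and the posted /etc/sysctl.conf does not fully cover them: it has net.ipv4.ip_forward = 1, yet verify reports forwarding FAILED, which is what you see when the file has not been applied (sysctl -p or a reboot); it zeroes send_redirects only under conf.default and conf.all, while verify reads every /proc/sys/net/ipv4/conf/*/send_redirects and fails on any interface still at 1; and it never mentions accept_redirects at all. The script below is an added example (not ipsec verify itself, and not from the thread) that re-implements those three checks against a /proc/sys-style tree passed as an argument, so it can be exercised on a constructed tree without root, and then applies the fix verify's own message asks for.

```sh
#!/bin/sh
# Added example (not Openswan's ipsec verify): re-run the three NETKEY checks
# ipsec verify performs, against a /proc/sys-style tree passed as $1, so the
# logic can be exercised on a constructed tree without root. On the real host
# call the functions with /proc/sys as root.

# bad_redirects ROOT KIND -> each ROOT/net/ipv4/conf/*/KIND_redirects not set to 0
bad_redirects() {
    for f in "$1"/net/ipv4/conf/*/"$2"_redirects; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = 0 ] || printf '%s\n' "$f"
    done
}

# forwarding_on ROOT -> true when net/ipv4/ip_forward is 1
forwarding_on() {
    [ "$(cat "$1"/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# verify_netkey ROOT -> prints one line per check; returns the number of failures
verify_netkey() {
    fails=0
    for kind in send accept; do
        if [ -z "$(bad_redirects "$1" "$kind")" ]; then
            echo "ICMP ${kind}_redirects disabled on all interfaces   [OK]"
        else
            echo "ICMP ${kind}_redirects still enabled                 [FAILED]"
            bad_redirects "$1" "$kind" | sed 's/^/    /'
            fails=$((fails + 1))
        fi
    done
    if forwarding_on "$1"; then
        echo "IP forwarding                                       [OK]"
    else
        echo "IP forwarding                                       [FAILED]"
        fails=$((fails + 1))
    fi
    return $fails
}

# fix_tree ROOT -> what ipsec verify asks for: zero every conf/*/send_redirects and
# conf/*/accept_redirects (conf/all and conf/default included) and enable
# ip_forward. This is runtime state only; persist it in /etc/sysctl.conf too.
fix_tree() {
    for f in "$1"/net/ipv4/conf/*/send_redirects "$1"/net/ipv4/conf/*/accept_redirects; do
        [ -w "$f" ] && echo 0 > "$f"
    done
    echo 1 > "$1"/net/ipv4/ip_forward
}

# make_sample_tree -> a constructed tree standing in for a host where only
# conf.default/conf.all send_redirects were zeroed: eth0 and lo keep 1,
# accept_redirects is 1 everywhere, ip_forward is still 0.
make_sample_tree() {
    root=$(mktemp -d)
    for dev in all default eth0 lo; do
        mkdir -p "$root/net/ipv4/conf/$dev"
        echo 1 > "$root/net/ipv4/conf/$dev/send_redirects"
        echo 1 > "$root/net/ipv4/conf/$dev/accept_redirects"
    done
    echo 0 > "$root/net/ipv4/conf/default/send_redirects"
    echo 0 > "$root/net/ipv4/conf/all/send_redirects"
    echo 0 > "$root/net/ipv4/ip_forward"
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
verify_netkey "$root" || echo "$? check(s) failed, applying the fix"
fix_tree "$root"
verify_netkey "$root" && echo "all NETKEY checks pass"
```

On the real host, `verify_netkey /proc/sys` and `fix_tree /proc/sys` as root clear the three FAILED lines for the running kernel; to keep them cleared across reboots, add net.ipv4.conf.all.accept_redirects = 0 and net.ipv4.conf.default.accept_redirects = 0 next to the existing lines in /etc/sysctl.conf and load it with sysctl -p.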