[Openswan Users] Cannot connect to Openswan from iPad
Daniel Cave
dan.cave at me.com
Tue Dec 4 11:26:21 EST 2012
I suspect the problem you're having applies to every iOS device, iPhone/iPad/Mac.
I *think* there's an L2TP/IPsec patch which is on the Openswan site which applies to iOS devices. Have you patched your Openswan code or looked for the patch?
D
On 4 Dec 2012, at 16:19, Christo Romberg wrote:
> Hey guys,
>
> I'm new to Openswan, and I'm having trouble getting it configured properly. I'm trying to get a home VPN system working, so that I can remotely access my files through my iPad when I'm on the go.
>
> I've successfully installed OpenSWAN on a Debian Squeeze box, and configured it with the settings below.
>
> The problem is that I cannot connect to the VPN server from my iPad.
>
> Error message on the iPad:
> ---------------------------------------
> "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."
>
> I've also tried with my MacBook, with the same error message as on the iPhone.
>
> /var/log/auth.log
> -----------------------
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled
> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32
> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled
> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message
> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
> Dec 3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message
>
> ------------------------------------------------------------------------------------ IMPLEMENTATION ------------------------------------------------------------------------------------
>
> ====================
> NETWORK TOPOLOGY
> ====================
>
> [Openswan-Server] <--------------> WAN-router <--------------> (Internet) <--------------> my iPad connected via 3G
> 192.168.1.2 192.168.1.1 // 188.67.59.220 91.150.29.228
>
>
> ===============
> SYSTEM DETAILS
> ===============
> - Debian Squeeze v6.0.6-i386
> - OpenSWAN v1:2.6.28+dfsg-5+squeeze1
>
>
>
> ===============
> CONFIGURATION
> ===============
>
> /etc/ipsec.secrets:
> ---------------------------
> 192.168.1.2 %any 0.0.0.0: PSK "test"
>
>
> /etc/ipsec.conf:
> ----------------------
> config setup
> nat_traversal=yes
> virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
> protostack=netkey
> #protostack=mast # used for SAref + MAST only
> interfaces="%defaultroute"
> oe=off
>
> conn l2tp-psk
> authby=secret
> pfs=no
> auto=add
> # we cannot rekey for %any, let client rekey
> rekey=no
> keyingtries=3
> # Apple iOS doesn't send delete notify so we need dead peer detection
> # to detect vanishing clients
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> ikelifetime=8h
> keylife=1h
> # overlapip=yes # for SAref + MAST
> # sareftrack=yes # for SAref + MAST
> type=transport
> left=192.168.1.2
> leftprotoport=17/1701
> #
> # The remote user.
> #
> right=%any
> rightprotoport=17/%any
> rightsubnet=vhost:%priv,%no
> forceencaps=yes
>
>
> /etc/xl2tpd/xl2tpd.conf
> -------------------------------
> [global]
> ; you cannot leave out listen-addr, causes possible wrong src ip on return packets
> listen-addr = 192.168.1.2
> ; ipsec saref = yes ; For SAref + MAST only
> ; debug tunnel = yes
>
> [lns default]
> ip range = 192.168.1.101-192.168.1.110
> local ip = 192.168.1.100
> assign ip = yes
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = OpenswanVPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
>
>
> /etc/ppp/options.xl2tpd
> --------------------------------
> ipcp-accept-local
> ipcp-accept-remote
> ms-dns 192.168.1.1
> noccp
> auth
> crtscts
> idle 1800
> mtu 1200
> mru 1200
> nodefaultroute
> debug
> lock
> proxyarp
> connect-delay 5000
>
>
> /etc/ppp/chap-secrets:
> --------------------------------
> greg * "thesecret" *
>
>
> /etc/sysctl.conf
> ----------------------
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
>
>
> ipsec verify
> -----------------
> "
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> or NETKEY will accept bogus ICMP redirects!
>
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [FAILED]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
> "
>
>
> WAN-router configurations
> --------------------------------------
> I've configured the router to forward ports 500, 1701, and 4500 to 192.168.1.2.
>
> ------------------------------------------------------------------------------------ IMPLEMENTATION ------------------------------------------------------------------------------------
>
> Thanks guys.
>
> Have a great day,
> //Chris
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Regards
Dan.
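As an added triage example (my own code, not from this thread or the Openswan project), the script below parses a few of the pluto lines quoted above and reports which IKE phase completed, how long the IPsec SA lived before the peer deleted it, and whether the client's inner address overlaps the server's LAN. The log year (2012) and the /24 netmask on both ends are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Excerpt of the pluto lines quoted from the posted /var/log/auth.log (year assumed to be 2012).
LOG = """\
Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
"""

# syslog timestamp, host, pluto[pid], optional '"conn"[n] ' prefix, peer address, optional ' #state', message
LINE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                  r'(?:"[^"]*"\[\d+\] )?(\S+)(?: #(\d+))?: (.*)$')

def parse(log, year=2012):
    """Yield (time, peer, state_number, message) for per-connection pluto lines; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def triage(log, server_ip="192.168.1.2"):
    """Return findings: which IKE phase completed, how long the IPsec SA lived, address overlap."""
    findings, isakmp_at, ipsec_at, peer_id = [], None, None, None
    for ts, peer, _state, msg in parse(log):
        if "ISAKMP SA established" in msg:
            isakmp_at = ts
        elif "IPsec SA established" in msg:
            ipsec_at = ts
        elif (m := re.search(r"peer ID is ID_IPV4_ADDR: '([\d.]+)'", msg)):
            peer_id = m.group(1)
        elif "received Delete SA(" in msg and ipsec_at is not None:
            age = (ts - ipsec_at).total_seconds()
            findings.append(f"peer {peer} deleted the IPsec SA {age:.0f}s after it was established")
            if age < 60:  # IPsec worked; the client gave up waiting on the layer above it
                findings.append("short-lived SA: look at xl2tpd/PPP, not IKE (matches 'L2TP-VPN server did not respond')")
    if isakmp_at is None:
        findings.append("phase 1 never completed: check the PSK, IKE proposals and UDP 500/4500 forwarding")
    elif ipsec_at is None:
        findings.append("phase 2 never completed: check leftprotoport/rightsubnet and NAT-T settings")
    # The client's ID is its pre-NAT address; a /24 LAN on both ends is an assumption
    lan = ip_network(f"{server_ip}/24", strict=False)
    if peer_id and ip_address(peer_id) in lan:
        findings.append(f"client inner address {peer_id} overlaps the server LAN {lan}; overlapping LANs break return routing for L2TP")
    return findings
```

Running `triage(LOG)` on the quoted excerpt reports a 20-second SA lifetime and the 192.168.1.x overlap, which is the check worth doing before touching the IKE settings.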